SMTP User Authentication

Dec 27, 2020
Hi Stoiko, I'm sure you can probably answer this in 1 line?

I am testing something that PMG doesn't approve of, however it's my test appliance and I wanted to see its possibilities, as I wouldn't mind sending our emails through PMG rather than MailGun; however, that needs to connect to a mailserver with user credentials.

So my steps so far are:

/etc/pmg/templates/main.cf.in
Code:
# Set Password DB
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

# Set default security level http://www.postfix.org/postconf.5.html#smtp_tls_security_level
smtp_tls_security_level = encrypt

# Set RECEIVE connector
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
#smtpd_sasl_security_options = noanonymous, noplaintext
#smtpd_sasl_tls_security_options = noanonymous

# Set SEND connector
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
#smtp_sasl_security_options = noanonymous, noplaintext
#smtp_sasl_tls_security_options = noanonymous


Then for the password file:
Code:
postmap /etc/postfix/sasl_passwd
chown root:root /etc/postfix/sasl_passwd
chmod 0600 /etc/postfix/sasl_passwd
postmap hash:/etc/postfix/sasl_passwd


/etc/postfix/sasl_passwd
Code:
# Per-sender authentication; see also /etc/postfix/sender_relay.
user1@example.com               username1:password1
#user2@example.net               username2:password2

When I try to connect, I get the following error:

Code:
ehlo validrelaydomain.com.au
250-splaam.domain.com.au
250-PIPELINING
250-SIZE 52430000
250-VRFY
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5 NTLM LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
AUTH LOGIN
dXNlcm5hbWUx
cGFzc3dvcmQx
334 VXNlcm5hbWU6
334 UGFzc3dvcmQ6
535 5.7.8 Error: authentication failed: authentication failure

One thing I noticed was that 250-STARTTLS was missing when using an openssl connection, although the whole SSL chain appears correct and valid. However, when using telnet, 250-STARTTLS does show correctly.

I must have done or misunderstood something simple, and any help would be much appreciated.
Here are the logs that I can report on:

Code:
Jan 26 14:07:48 splaam postfix/smtpd[1820]: connect from ip6-localhost[127.0.0.1]
Jan 26 14:07:48 splaam postfix/smtpd[1820]: Anonymous TLS connection established from ip6-localhost[127.0.0.1]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Jan 26 14:07:55 splaam postfix/smtpd[1820]: warning: ip6-localhost[127.0.0.1]: SASL LOGIN authentication failed: authentication failure
Jan 26 14:07:59 splaam postfix/smtpd[1820]: lost connection after AUTH from ip6-localhost[127.0.0.1]
Jan 26 14:07:59 splaam postfix/smtpd[1820]: disconnect from ip6-localhost[127.0.0.1] ehlo=2 starttls=1 auth=0/1 commands=3/4


postconf -n
Code:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = yes
best_mx_transport = local
biff = no
command_directory = /usr/sbin
compatibility_level = 2
content_filter = scan:127.0.0.1:10024
daemon_directory = /usr/lib/postfix/sbin
data_directory = /var/lib/postfix
default_destination_concurrency_limit = 40
delay_warning_time = 4h
lmtp_destination_concurrency_limit = 20
lmtp_tls_CAfile = $smtp_tls_CAfile
lmtp_tls_loglevel = $smtp_tls_loglevel
lmtp_tls_policy_maps = $smtp_tls_policy_maps
lmtp_tls_security_level = $smtp_tls_security_level
lmtp_tls_session_cache_database = btree:/var/lib/postfix/lmtp_tls_session_cache
mail_name = Proxmox
mailbox_size_limit = 104860000
message_size_limit = 52430000
mydestination = localhost, $myhostname
mydomain = domain.com.au
myhostname = splaam.domain.com.au
mynetworks = 127.0.0.0/8 [::1]/128 [removed]
parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,smtpd_access_maps
postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce
recipient_delimiter = +
relay_destination_concurrency_limit = 20
relay_domains = hash:/etc/pmg/domains
smtp_destination_concurrency_limit = 20
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_loglevel = 1
smtp_tls_policy_maps = hash:/etc/pmg/tls_policy
smtp_tls_security_level = encrypt
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
smtpd_banner = $myhostname Mail Gateway
smtpd_client_connection_count_limit = 50
smtpd_client_connection_rate_limit = 0
smtpd_client_message_rate_limit = 0
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination reject_non_fqdn_recipient check_recipient_access regexp:/etc/postfix/rcptaccess
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_mynetworks reject_non_fqdn_sender check_client_access cidr:/etc/postfix/clientaccess check_sender_access regexp:/etc/postfix/senderaccess check_recipient_access regexp:/etc/postfix/rcptaccess
smtpd_tls_cert_file = /etc/pmg/pmg-tls.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
transport_maps = hash:/etc/pmg/transport
unverified_recipient_reject_reason = Recipient address lookup failed
virtual_destination_concurrency_limit = 20
 
OK... it took this brick 8 hours to realise that saslauthd was not installed, so I installed it and modified /etc/default/saslauthd:
Code:
start=yes

Now I have moved on to the following problem:
Code:
250-PIPELINING
250-SIZE 52430000
250-VRFY
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5 NTLM LOGIN PLAIN
250-AUTH=DIGEST-MD5 CRAM-MD5 NTLM LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING

AUTH LOGIN
dXNlcm5hbWUx
cGFzc3dvcmQx
334 VXNlcm5hbWU6
334 UGFzc3dvcmQ6
454 4.7.0 Temporary authentication failure: generic failure
One thing I noticed was that 250-STARTTLS was missing when using an openssl connection, although the whole SSL chain appears correct and valid. However, when using telnet, 250-STARTTLS does show correctly.
Yes, that's expected: if you connect via `openssl s_client ... -starttls smtp`, then openssl starts a connection, sends a HELO/EHLO command, afterwards issues the STARTTLS command, and presents you with the SMTP prompt in the TLS-encrypted session.
telnet/netcat don't do that initial EHLO command, thus you see STARTTLS as a capability ...
(once you have started a TLS session it makes no sense to start one inside it again)

OK... it took this brick 8 hours to realise that saslauthd was not installed, so I installed it and modified /etc/default/saslauthd
glad you found the issue!

Now I have moved on to the following problem:
If it is a temporary problem, maybe you ran into some kind of rate limit based on wrong authentication?

else - what does the postfix log say regarding the errors?
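One systematic way to answer "what does the postfix log say" is to group the smtpd lines by process id into sessions and read the auth=ok/total counter from each disconnect line. The following is an added example (not code from the thread or from Proxmox) that does this for the log format quoted above, flagging sessions that attempted AUTH without a TLS handshake and clients with repeated failures; the second client, unknown[192.0.2.10], and its lines are constructed sample input.

```python
import re
from collections import defaultdict

# Constructed sample, in the format of the Postfix smtpd log quoted in the thread.
SAMPLE_LOG = """\
Jan 26 14:07:48 splaam postfix/smtpd[1820]: connect from ip6-localhost[127.0.0.1]
Jan 26 14:07:48 splaam postfix/smtpd[1820]: Anonymous TLS connection established from ip6-localhost[127.0.0.1]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Jan 26 14:07:55 splaam postfix/smtpd[1820]: warning: ip6-localhost[127.0.0.1]: SASL LOGIN authentication failed: authentication failure
Jan 26 14:07:59 splaam postfix/smtpd[1820]: disconnect from ip6-localhost[127.0.0.1] ehlo=2 starttls=1 auth=0/1 commands=3/4
Jan 26 14:09:01 splaam postfix/smtpd[1833]: connect from unknown[192.0.2.10]
Jan 26 14:09:05 splaam postfix/smtpd[1833]: disconnect from unknown[192.0.2.10] ehlo=1 auth=0/3 commands=2/5
"""

CONNECT = re.compile(r"smtpd\[(\d+)\]: connect from (\S+)")
TLS = re.compile(r"smtpd\[(\d+)\]: \S+ TLS connection established")
FAIL = re.compile(r"smtpd\[(\d+)\]: warning: \S+: SASL (\w+) authentication failed")
DISCONNECT = re.compile(r"smtpd\[(\d+)\]: disconnect from (\S+) (.*)")

def summarize_sessions(log_text):
    """Group smtpd lines by process id into sessions; return one dict per session."""
    open_sessions, finished = {}, []
    for line in log_text.splitlines():
        if m := CONNECT.search(line):
            open_sessions[m.group(1)] = {"client": m.group(2), "tls": False, "mechs": set()}
        elif (m := TLS.search(line)) and m.group(1) in open_sessions:
            open_sessions[m.group(1)]["tls"] = True
        elif (m := FAIL.search(line)) and m.group(1) in open_sessions:
            open_sessions[m.group(1)]["mechs"].add(m.group(2))
        elif (m := DISCONNECT.search(line)) and m.group(1) in open_sessions:
            s = open_sessions.pop(m.group(1))
            # auth=ok/total on the disconnect line is the authoritative counter.
            counters = dict(kv.split("=", 1) for kv in m.group(3).split())
            ok, total = (int(x) for x in counters.get("auth", "0/0").split("/"))
            s.update(auth_ok=ok, auth_total=total)
            # AUTH on a session that never negotiated TLS puts the (base64-encoded,
            # not encrypted) credentials on the wire in clear; with
            # smtpd_tls_security_level = may and only noanonymous set, smtpd allows it.
            s["plaintext_auth"] = total > 0 and not s["tls"]
            finished.append(s)
    return finished

def failing_clients(sessions, threshold=3):
    """Clients whose failed AUTH attempts across all sessions reach the threshold."""
    fails = defaultdict(int)
    for s in sessions:
        fails[s["client"]] += s["auth_total"] - s["auth_ok"]
    return {c: n for c, n in fails.items() if n >= threshold}
```

Run it against /var/log/mail.log on the gateway to see whether the 454 responses coincide with a burst of earlier failures from the same client.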