SMTP User Authentication

zolthar

Dec 27, 2020
Hi Stoiko, I'm sure you can probably answer this in one line?

I am testing something that PMG doesn't approve of; however, it's my test appliance and I wanted to see its possibilities, as I wouldn't mind sending our emails through PMG rather than MailGun. However, that needs to connect to a mail server with user credentials.

So my steps so far are:

/etc/pmg/templates/main.cf.in
Code:
# Set Password DB (looked up by next-hop relay host unless
# smtp_sender_dependent_authentication = yes)
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

# Set default security level http://www.postfix.org/postconf.5.html#smtp_tls_security_level
# "encrypt" = TLS is mandatory towards every next hop, but the peer
# certificate is not verified (that needs "verify" or "secure")
smtp_tls_security_level = encrypt

# Set RECEIVE connector (smtpd_* = this host authenticating its clients)
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
# "noplaintext" would refuse LOGIN/PLAIN on cleartext sessions; the
# *_tls_security_options variant applies inside STARTTLS sessions only
#smtpd_sasl_security_options = noanonymous, noplaintext
#smtpd_sasl_tls_security_options = noanonymous

# Set SEND connector (smtp_* = this host authenticating to the next hop)
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
#smtp_sasl_security_options = noanonymous, noplaintext
#smtp_sasl_tls_security_options = noanonymous


Then for the password file:
Code:
# lock the source file down first, then build the map once; the compiled
# .db holds the same secrets, so it gets the same permissions
chown root:root /etc/postfix/sasl_passwd
chmod 0600 /etc/postfix/sasl_passwd
postmap hash:/etc/postfix/sasl_passwd
chown root:root /etc/postfix/sasl_passwd.db
chmod 0600 /etc/postfix/sasl_passwd.db


/etc/postfix/sasl_passwd
Code:
# Per-sender authentication; see also /etc/postfix/sender_relay.
# NOTE: per-sender keys like the ones below only work together with
# smtp_sender_dependent_authentication = yes. Without it (as in the
# main.cf above) Postfix looks this map up by next-hop relay host,
# e.g. "[smtp.example.com]:587", and a sender-address key never matches.
user1@example.com               username1:password1
#user2@example.net               username2:password2

When I try to connect, I get the following error:

Code:
ehlo validrelaydomain.com.au
250-splaam.domain.com.au
250-PIPELINING
250-SIZE 52430000
250-VRFY
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5 NTLM LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
AUTH LOGIN
dXNlcm5hbWUx
cGFzc3dvcmQx
334 VXNlcm5hbWU6
334 UGFzc3dvcmQ6
535 5.7.8 Error: authentication failed: authentication failure

One thing I noticed was that 250-STARTTLS was missing when using an openssl connection, although the whole SSL chain appears correct and valid. However, when using telnet, 250-STARTTLS does show correctly.

I must have done or misunderstood something simple, and any help would be much appreciated.
 
Here are the logs that I can report on:

Code:
Jan 26 14:07:48 splaam postfix/smtpd[1820]: connect from ip6-localhost[127.0.0.1]
Jan 26 14:07:48 splaam postfix/smtpd[1820]: Anonymous TLS connection established from ip6-localhost[127.0.0.1]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Jan 26 14:07:55 splaam postfix/smtpd[1820]: warning: ip6-localhost[127.0.0.1]: SASL LOGIN authentication failed: authentication failure
Jan 26 14:07:59 splaam postfix/smtpd[1820]: lost connection after AUTH from ip6-localhost[127.0.0.1]
Jan 26 14:07:59 splaam postfix/smtpd[1820]: disconnect from ip6-localhost[127.0.0.1] ehlo=2 starttls=1 auth=0/1 commands=3/4


postconf -n
Code:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = yes
best_mx_transport = local
biff = no
command_directory = /usr/sbin
compatibility_level = 2
content_filter = scan:127.0.0.1:10024
daemon_directory = /usr/lib/postfix/sbin
data_directory = /var/lib/postfix
default_destination_concurrency_limit = 40
delay_warning_time = 4h
lmtp_destination_concurrency_limit = 20
lmtp_tls_CAfile = $smtp_tls_CAfile
lmtp_tls_loglevel = $smtp_tls_loglevel
lmtp_tls_policy_maps = $smtp_tls_policy_maps
lmtp_tls_security_level = $smtp_tls_security_level
lmtp_tls_session_cache_database = btree:/var/lib/postfix/lmtp_tls_session_cache
mail_name = Proxmox
mailbox_size_limit = 104860000
message_size_limit = 52430000
mydestination = localhost, $myhostname
mydomain = domain.com.au
myhostname = splaam.domain.com.au
mynetworks = 127.0.0.0/8 [::1]/128 [removed]
parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,smtpd_access_maps
postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce
recipient_delimiter = +
relay_destination_concurrency_limit = 20
relay_domains = hash:/etc/pmg/domains
smtp_destination_concurrency_limit = 20
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_loglevel = 1
smtp_tls_policy_maps = hash:/etc/pmg/tls_policy
smtp_tls_security_level = encrypt
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
smtpd_banner = $myhostname Mail Gateway
smtpd_client_connection_count_limit = 50
smtpd_client_connection_rate_limit = 0
smtpd_client_message_rate_limit = 0
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination reject_non_fqdn_recipient check_recipient_access regexp:/etc/postfix/rcptaccess
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_mynetworks reject_non_fqdn_sender check_client_access cidr:/etc/postfix/clientaccess check_sender_access regexp:/etc/postfix/senderaccess check_recipient_access regexp:/etc/postfix/rcptaccess
smtpd_tls_cert_file = /etc/pmg/pmg-tls.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
transport_maps = hash:/etc/pmg/transport
unverified_recipient_reject_reason = Recipient address lookup failed
virtual_destination_concurrency_limit = 20
 
OK... it took this brick 8 hours to realise that saslauthd was not installed, so I installed it and modified /etc/default/saslauthd:
Code:
start=yes

Now I have moved onto the following problem:
Code:
250-PIPELINING
250-SIZE 52430000
250-VRFY
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5 NTLM LOGIN PLAIN
250-AUTH=DIGEST-MD5 CRAM-MD5 NTLM LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING

AUTH LOGIN
dXNlcm5hbWUx
cGFzc3dvcmQx
334 VXNlcm5hbWU6
334 UGFzc3dvcmQ6
454 4.7.0 Temporary authentication failure: generic failure
 
One thing I noticed was that 250-STARTTLS was missing when using an openssl connection, although the whole SSL chain appears correct and valid. However, when using telnet, 250-STARTTLS does show correctly.
Yes, that's expected: if you connect via `openssl s_client ... -starttls smtp`, openssl opens the connection, sends a HELO/EHLO command, then issues the STARTTLS command, and presents you with the SMTP prompt inside the TLS-encrypted session.
telnet/netcat don't send that initial EHLO command, so you see STARTTLS listed as a capability ...
(Once you have started a TLS session, it makes no sense to start one inside it again.)

OK... took this brick 8 hours to realise that saslauthd was not installed - so I installed it and modified /etc/default/saslauthd
glad you found the issue!

Now I have moved onto the following problem:
If it is a temporary problem, maybe you ran into some kind of rate limit based on wrong authentication?

Otherwise, what does the postfix log say regarding the errors?
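To make the two things discussed in this thread concrete, here is an added Python example that is not code from the thread, from PMG or from Postfix: it parses an EHLO reply, diffs the capabilities before and after STARTTLS (which is why the `openssl s_client -starttls smtp` session from the first post no longer lists STARTTLS), decodes the `334` challenges and builds the AUTH LOGIN and AUTH PLAIN responses from that post, and refuses to send either mechanism on a cleartext session, since base64 is encoding, not encryption. The two sample EHLO replies, the host name and the `username1`/`password1` credentials are constructed from the transcripts above; the `probe()` helper, its argument handling and the `tls_active` policy are assumptions of this example.

```python
import base64
import re
import smtplib
import ssl
import sys

# Constructed sample replies, modelled on the transcripts in the thread.
# Cleartext session (what telnet shows): STARTTLS is still on offer.
EHLO_CLEARTEXT = """\
250-splaam.domain.com.au
250-PIPELINING
250-SIZE 52430000
250-STARTTLS
250-AUTH DIGEST-MD5 CRAM-MD5 NTLM LOGIN PLAIN
250 CHUNKING"""

# Same server after STARTTLS (what openssl -starttls smtp shows): STARTTLS is
# gone; AUTH is repeated in the legacy "AUTH=" form, as in the third post.
EHLO_AFTER_TLS = """\
250-splaam.domain.com.au
250-PIPELINING
250-SIZE 52430000
250-AUTH DIGEST-MD5 CRAM-MD5 NTLM LOGIN PLAIN
250-AUTH=DIGEST-MD5 CRAM-MD5 NTLM LOGIN PLAIN
250 CHUNKING"""

_LINE = re.compile(r"^(?:250[- ])?(\S+)(?:\s+(.*))?$")


def parse_ehlo(reply: str) -> dict:
    """Map EHLO keywords to parameter lists. Accepts raw '250-' lines or the
    code-stripped text smtplib keeps in SMTP.ehlo_resp; line 1 is the hostname."""
    caps: dict = {}
    for line in reply.splitlines()[1:]:
        m = _LINE.match(line.strip())
        if not m:
            continue
        keyword, params = m.group(1).upper(), (m.group(2) or "").split()
        if keyword.startswith("AUTH="):                 # fold legacy form into AUTH
            keyword, params = "AUTH", [keyword[5:]] + params
        seen = caps.setdefault(keyword, [])
        for p in params:
            if p not in seen:
                seen.append(p)
    return caps


def capability_diff(before: str, after: str):
    """(lost, gained) keyword sets between the EHLO before and after STARTTLS."""
    b, a = set(parse_ehlo(before)), set(parse_ehlo(after))
    return b - a, a - b


def decode_challenge(line: str) -> str:
    """Decode a '334 <base64>' SASL challenge: '334 VXNlcm5hbWU6' -> 'Username:'."""
    code, _, payload = line.strip().partition(" ")
    if code != "334":
        raise ValueError(f"not a SASL challenge: {line!r}")
    return base64.b64decode(payload).decode()


def auth_login_responses(user: str, password: str) -> list:
    """Client lines for AUTH LOGIN: base64(user), then base64(password)."""
    return [base64.b64encode(s.encode()).decode() for s in (user, password)]


def auth_plain_initial(user: str, password: str, authzid: str = "") -> str:
    """Initial response for AUTH PLAIN (RFC 4616): authzid NUL authcid NUL passwd."""
    return base64.b64encode(f"{authzid}\0{user}\0{password}".encode()).decode()


def choose_mechanism(caps: dict, tls_active: bool, preferred=("PLAIN", "LOGIN")) -> str:
    """Pick an offered mechanism. This client only speaks PLAIN/LOGIN, and base64
    is not encryption, so it refuses both unless the session is already TLS."""
    offered = caps.get("AUTH", [])
    if not offered:
        raise RuntimeError("server did not advertise AUTH")
    if not tls_active:
        raise RuntimeError("refusing PLAIN/LOGIN over cleartext; STARTTLS first")
    for mech in preferred:
        if mech in offered:
            return mech
    raise RuntimeError(f"no PLAIN/LOGIN among offered mechanisms {offered}")


def probe(host: str, port: int = 25, user: str = None, password: str = None):
    """Live check (assumed helper): EHLO, STARTTLS, EHLO again, AUTH only in TLS.
    This is the sequence openssl s_client -starttls smtp runs before it hands
    over the prompt, which is why STARTTLS is absent from the EHLO seen there."""
    with smtplib.SMTP(host, port, timeout=15) as s:
        s.ehlo()
        before = s.ehlo_resp.decode()
        # Default context verifies chain and hostname; for a self-signed test
        # box load its CA into the context rather than switching checks off.
        s.starttls(context=ssl.create_default_context())
        s.ehlo()                                        # capabilities reset after TLS
        after = s.ehlo_resp.decode()
        lost, gained = capability_diff(before, after)
        print("lost after STARTTLS:", sorted(lost), "gained:", sorted(gained))
        if user is not None:
            mech = choose_mechanism(parse_ehlo(after), tls_active=True)
            if mech == "PLAIN":
                code, msg = s.docmd("AUTH", "PLAIN " + auth_plain_initial(user, password))
            else:                                       # LOGIN: answer each 334 challenge
                code, msg = s.docmd("AUTH", "LOGIN")
                for answer in auth_login_responses(user, password):
                    if code != 334:
                        break
                    print("challenge:", decode_challenge(f"334 {msg.decode()}"))
                    code, msg = s.docmd(answer)
            print(code, msg.decode(errors="replace"))   # 235 = authenticated
        return before, after


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit(f"usage: {sys.argv[0]} host [port] [user password]")
    argv = sys.argv[1:]
    probe(argv[0], int(argv[1]) if len(argv) > 1 else 25, *argv[2:4])
```

Run as `python3 smtp_auth_probe.py splaam.domain.com.au 25 username1 password1` against the test appliance: the capability diff should show exactly `STARTTLS` lost, and the client then authenticates only after the channel is encrypted, which is the discipline the commented-out `noplaintext` options in the first post would enforce on the server side. A `535 5.7.8` reply means saslauthd rejected the credentials; a `454 4.7.0 ... generic failure` like the one in the third post is Postfix failing to reach or use saslauthd at all, so the client side of the exchange is not where to look. Two server-side checks worth knowing (general cyrus-sasl/Debian facts, not something the thread establishes as the cause here): `testsaslauthd -u username1 -p password1` exercises saslauthd without Postfix in the loop, and when smtpd runs chrooted, as it does on Debian by default, the saslauthd socket has to live under `/var/spool/postfix/` (the `OPTIONS` line in `/etc/default/saslauthd`) and the `postfix` user needs to be in the `sasl` group to open it.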