Linux Mail Server Setup and Howto Guide

Hi there,

I've followed: http://www.linuxmail.info/post…..-centos-6/ and also http://wiki2.dovecot.org/HowTo…..ovecotSASL but when I restart postfix after setting "smtpd_sasl_auth_enable = yes" I get the following error in my maillog (and postfix borks): -

postfix/smtpd[7179]: fatal: no SASL authentication mechanisms

As you'd expect, it's not even giving out the banner: -

# telnet localhost 25    
Trying ::1…
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.

When smtpd_sasl_auth_enable os set to "no", I see normal stuff (except of course, without the AUTH line): -

# telnet localhost 25
Trying ::1…
Connected to localhost.
Escape character is '^]'.
220 mail.example.com ESMTP
ehlo me
250-mail.example.com
250-PIPELINING
250-SIZE 20480000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.

I think that where the 2 howto's above differ, is with the file permissions on /var/spool/postfix/private/auth (0666 or 0660) and I've tried both, with similar success, and in the SELINUX stuff (though I'm not sure I am running it – never liked it in the past and defilitely wouldn't have chosen to is there was an install option)…

Right now, the mailserver works, all except for not doing SASL AUTH for users to relay.  I've had to switch off the sasl auth function, just so I can get on with the rest of the implementation, but I do want it to be on and working, as it's supposed to be replacing an old VPS running CentOS 5, with Postfix and Dovecot auth).

Her are my system details: -

# uname -srv
Linux 2.6.32-71.el6.x86_64 #1 SMP Fri May 20 03:51:51 BST 2011

# rpm -q dovecot

dovecot-2.0-0.10.beta6.20100630.el6.x86_64

# doveconf -n
# 2.0.beta6 (3156315704ef): /etc/dovecot/dovecot.conf
# OS: Linux 2.6.32-71.el6.x86_64 x86_64 CentOS Linux release 6.0 (Final)
auth_mechanisms = plain login
mail_location = maildir:~/Maildir
passdb {
  driver = pam
}
postmaster_address = postmaster@mail.example.com
protocols = imap
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660 <– I've tried 0666 as well
    user = postfix
  }
}
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
userdb {
  driver = passwd
}

# rpm -q postfix
postfix-2.6.6-2.1.el6_0.x86_64

# postconf -a
cyrus
dovecot

# postconf -n | grep sasl
smtpd_sasl_local_domain = sasl
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous    noplaintext
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot
broken_sasl_auth_clients = no
smtpd_client_restrictions =

    permit_mynetworks

    check_client_access hash:$config_directory/client_access

    permit_sasl_authenticated

    reject_rbl_client zen.spamhaus.org
smtpd_recipient_restrictions =

    reject_non_fqdn_recipient

    reject_unknown_recipient_domain

    check_recipient_access hash:$config_directory/recipient_access

    permit_mynetworks

    permit_sasl_authenticated

    reject_unauth_destination

    permit_auth_destination

    reject

I'm a bit stuck – please help!

Cheers,

–

ChrisP

Hi there,

Thanks for responding.  I am working with the config values I had on my previous server (which ran CentOS 5), so it's a throwback from that.  I've reset it to empty now, but that's not had any appreciable affect… 

OK. Pretend there has been a massive pause since the line above and I've fixed it.

I'll document it here for others who may pass this way.  Essentially, because this main.cf mostly came from an older system, running a different version of postfix and a different OS version too, I went through it from top to bottom and compared each setting in the file, to the output of "postconf -d <the_setting>" and if the default was an exact match to what I'd specified, or close enough for my liking, or defunkt, I deleted the line from main.cf and eventually whittled the changes from the postfix defaults to much fewer.  I also know exactly what I have specified and I know the reasons too, rather than having a very full main.cf, it's just the differences from default.

This setting: "smtpd_sasl_local_domain = sasl" was not the culprit, in fact, it doesn't seem to make any difference in the logs whatever I set it to…

It's this sneaky little innocuous gem "smtpd_sasl_security_options = noanonymous noplaintext".  The Postfix documentation (http://www.postfix.org/postcon…..ty_options) says: -

noplaintext

Disallow methods that use plaintext passwords.

I know it seems fairly self explanatory, but I overlooked it and in hindsight, it's obvious that if you are testing SASL AUTH by hand (using telnet) then you're using plain text.  I'd have needed to use something like "openssl s_client" to gain an encrypted transport, before authenticating…  I just learned how to use that, it's cool!

Try: -

% openssl s_client -host mail.example.com -port 25 -starttls smtp

Anyway, thanks for the quick response and the HowTos.

Cheers,

–

ChrisP xx