
250-AUTH LOGIN PLAIN not advertised. Why?


Mufit Eribol

Nov 22, 2015, 2:45:02 PM
Hello,

I have been running postfix at a small company for years without any
problem. For some reason, now I cannot get 250-AUTH LOGIN PLAIN when
telnetting to port 25. It may be due to a change in the upgraded
packages or a misconfiguration by me. Probably, I "fixed" something
which is not broken.

I can send and receive mail on ports 465 and 993 using SSL/TLS
without any issue (seemingly). I am not sure if missing "250-AUTH LOGIN
PLAIN" is a problem. If I telnet to 465 (or 993) I get no response.

Please find below conf details of the system.

I would appreciate any help.

Mufit Eribol


[root@server ~]# telnet mail.xxxxx.com 25
Trying xxx.xxx.xxx.xxx...
Connected to mail.xxxxx.com.
Escape character is '^]'.
220 mail.xxxxx.com ESMTP Postfix
ehlo yyyyy.com
250-mail.xxxxx.com
250-PIPELINING
250-SIZE 50000000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.

Packages on CentOS 7 system:
postfix-2.10.1-6.el7.x86_64
cyrus-sasl-2.1.26-17.el7.x86_64
cyrus-sasl-devel-2.1.26-17.el7.x86_64
cyrus-imapd-2.4.17-8.el7_1.x86_64
cyrus-sasl-plain-2.1.26-17.el7.x86_64
cyrus-sasl-lib-2.1.26-17.el7.x86_64
cyrus-imapd-devel-2.4.17-8.el7_1.x86_64
cyrus-imapd-utils-2.4.17-8.el7_1.x86_64
cyrus-sasl-md5-2.1.26-17.el7.x86_64

[root@mail ~]# cat /etc/sasl2/smtpd.conf
pwcheck_method: saslauthd
mech_list: plain login

[root@mail ~]# ps ax|grep saslauthd
577 ? Ss 0:00 /usr/sbin/saslauthd -m /run/saslauthd -a pam
578 ? S 0:00 /usr/sbin/saslauthd -m /run/saslauthd -a pam
579 ? S 0:00 /usr/sbin/saslauthd -m /run/saslauthd -a pam
580 ? S 0:00 /usr/sbin/saslauthd -m /run/saslauthd -a pam
581 ? S 0:00 /usr/sbin/saslauthd -m /run/saslauthd -a pam

[root@mail ~]# cat /etc/sysconfig/saslauthd
SOCKETDIR=/run/saslauthd
MECH=pam
FLAGS=

[root@mail ~]# cat /etc/pam.d/smtp (imap is the same)
auth sufficient pam_mysql.so user=mail passwd=abcd host=127.0.0.1
db=mail table=accountuser usercolumn=username passwdcolumn=password
crypt=3 logtable=log logmsgcolumn=msg logusercolumn=user
loghostcolumn=host logpidcolumn=pid logtimecolumn=time sqllog=yes

account required pam_mysql.so user=mail passwd=abcd host=127.0.0.1
db=mail table=accountuser usercolumn=username passwdcolumn=password
crypt=3 logtable=log logmsgcolumn=msg logusercolumn=user
loghostcolumn=host logpidcolumn=pid logtimecolumn=time

[root@mail ~]# postconf -n
alias_maps = $alias_database
append_dot_mydomain = no
biff = no
body_checks = regexp:/etc/postfix/body_checks
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
$daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
local_destination_concurrency_limit = 5
local_destination_recipient_limit = 300
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
$virtual_alias_maps
mail_owner = postfix
mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 50000000
milter_default_action = accept
milter_protocol = 2
mydestination = xxxxx.com, $myhostname, localhost.$mydomain, localhost,
mysql:/etc/postfix/mysql-mydestination.cf
mydomain = xxxxx.com
myhostname = mail.xxxxx.com
mynetworks = 10.0.0.0/24, 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = $smtpd_milters
policy_time_limit = 3600s
queue_directory = /var/spool/postfix
readme_directory = no
relay_domains = $mydestination
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sender_canonical_maps = mysql:/etc/postfix/mysql-canonical.cf
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_connection_count_limit = 0
smtpd_client_connection_rate_limit = 0
smtpd_client_message_rate_limit = 0
smtpd_client_restrictions = check_client_access
hash:/etc/postfix/client_access, reject_non_fqdn_sender,
reject_unknown_sender_domain, permit_mynetworks,
permit_sasl_authenticated, permit
smtpd_data_restrictions = reject_multi_recipient_bounce,
reject_unauth_pipelining, permit
smtpd_delay_reject = yes
smtpd_error_sleep_time = 1s
smtpd_hard_error_limit = 20
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated,
check_helo_access hash:/etc/postfix/helo_access,
reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname,
warn_if_reject reject_unknown_helo_hostname, permit
smtpd_milters = inet:127.0.0.1:8891
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated, check_recipient_access
hash:/etc/postfix/recipient_access, reject_non_fqdn_recipient,
reject_unknown_recipient_domain, reject_unauth_destination,
permit_dnswl_client list.dnswl.org, reject_rbl_client zen.spamhaus.org,
reject_rbl_client bl.spamcop.net, reject_rbl_client dnsbl.sorbs.net,
check_policy_service unix:private/policy check_policy_service
unix:postgrey/socket, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous


[root@mail ~]# cat master.cf
smtp inet n - n - - smtpd
smtp-amavis unix - - n - 2 smtp
-o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes
-o disable_dns_lookups=yes
-o max_use=20

127.0.0.1:10025 inet n - n - - smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=reject_unauth_pipelining
-o smtpd_end_of_data_restrictions=
-o mynetworks=127.0.0.0/8
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters,no_address_mappings
-o local_header_rewrite_clients=
-o smtpd_milters=

smtps inet n - n - - smtpd
-o smtpd_tls_wrappermode=yes

pickup unix n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
-o smtp_fallback_relay=
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
policy unix - n n - - spawn
user=nobody argv=/usr/bin/perl
/usr/libexec/postfix/postfix-policyd-spf-perl

[root@mail ~]# cat /etc/cyrus.conf
START {
# do not delete this entry!
recover cmd="ctl_cyrusdb -r"

# this is only necessary if using idled for IMAP IDLE
idled cmd="idled"
}

# UNIX sockets start with a slash and are put into /var/lib/imap/sockets
SERVICES {
# add or remove based on preferences
# imap cmd="imapd" listen="imap" prefork=5
imaplocal cmd="imapd -C /etc/imapd-local.conf" listen="127.0.0.1:imap" prefork=0
imaps cmd="imapd -s" listen="imaps" prefork=1
imapslocal cmd="imapd -C /etc/imapd-local.conf" listen="127.0.0.1:imaps" prefork=0
# pop3 cmd="pop3d" listen="pop3" prefork=3
# pop3s cmd="pop3d -s" listen="pop3s" prefork=1
sieve cmd="timsieved" listen="sieve" prefork=0
sievelocal cmd="timsieved -C /etc/imapd-local.conf" listen="127.0.0.1:sieve" prefork=0
# nntp cmd="nntpd" listen="nntp" prefork=3
# nntps cmd="nntpd -s" listen="nntps" prefork=1

# at least one LMTP is required for delivery
# lmtp cmd="lmtpd" listen="lmtp" prefork=0
lmtpunix cmd="lmtpd" listen="/var/lib/imap/socket/lmtp" prefork=0

# this is only necessary if using notifications
# notify cmd="notifyd" listen="/var/lib/imap/socket/notify" proto="udp" prefork=1
}

EVENTS {
# this is required
checkpoint cmd="ctl_cyrusdb -c" period=30

# this is only necessary if using duplicate delivery suppression,
# Sieve or NNTP
delprune cmd="cyr_expire -E 3" at=0400

# this is only necessary if caching TLS sessions
tlsprune cmd="tls_prune" at=0400
}

[root@mail ~]# cat /etc/imapd.conf:
postmaster: postmaster
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
#admins: cyrus
allowanonymouslogin: no
allowplaintext: no
#tls_require_cert: 1
sasl_minimum_layer: 128
servername: mail.xxxxx.com
autocreatequota: 200000
maxmessagesize: 0
reject8bit: 0
munge8bit: 0
quotawarn: 90
timeout: 30
poptimeout: 10
dracinterval: 0
drachost: localhost
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
sievedir: /var/lib/imap/sieve
sieve_maxscriptsize: 32
sieve_maxscripts: 5
sieve_allowplaintext: 1
sendmail: /usr/sbin/sendmail
#hashimapspool: true
#unixhierarchysep: yes
#autocreateinboxfolders: Sent | Drafts | Trash | Spam
#autocreate_sieve_script: /var/lib/imap/sieve/global/spam
#autocreate_sieve_compiledscript: /var/lib/imap/sieve/global/spam.bc
#generate_compiled_sieve_script: yes
tls_cert_file: /etc/pki/tls/certs/xxxxx.com.crt
tls_key_file: /etc/pki/tls/private/xxxxx.com.key
tls_ca_file: /etc/pki/tls/certs/xxxxx.com.crt
#defaultdomain: mail

[root@mail ~]# cat /etc/imapd-local.conf:
postmaster: postmaster
configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: cyrus
allowanonymouslogin: no
allowplaintext: yes
servername: mail.xxxxx.com
autocreatequota: 1000000
maxmessagesize: 0
reject8bit: no
quotawarn: 90
timeout: 30
poptimeout: 10
dracinterval: 0
drachost: localhost
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN
sievedir: /var/lib/imap/sieve
sieve_maxscriptsize: 32
sieve_maxscripts: 5
sendmail: /usr/sbin/sendmail

Patrick Ben Koetter

Nov 22, 2015, 3:45:21 PM
* Mufit Eribol <h...@onart.com.tr>:
> Hello,
>
> I have been running postfix at a small company for years without any
> problem. For some reason, now I cannot get 250-AUTH LOGIN PLAIN when
> telnetting to port 25. It may be due to a change in the upgraded
> packages or a misconfiguration by me. Probably, I "fixed" something
> which is not broken.
>
> I can send and receive mail on ports 465 and 993 using
> SSL/TLS without any issue (seemingly). I am not sure if missing
> "250-AUTH LOGIN PLAIN" is a problem. If I telnet to 465 (or 993) I
> get no response.
>
> Please find below conf details of the system.

Great job on the list of configuration items. At first glance your setup
sounds sane - not so sure on the runpath /run/saslauthd though.


Have you had a look at the log? Any errors or warnings? Are you running
SELinux enabled? What's the output of the getenforce command?

p@rick
--
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein


Mufit Eribol

Nov 22, 2015, 5:10:56 PM


On 22.11.2015 22:44, Patrick Ben Koetter wrote:
> * Mufit Eribol <h...@onart.com.tr>:
>> Hello,
>>
>> I have been running postfix at a small company for years without any
>> problem. For some reason, now I cannot get 250-AUTH LOGIN PLAIN when
>> telnetting to port 25. It may be due to a change in the upgraded
>> packages or a misconfiguration by me. Probably, I "fixed" something
>> which is not broken.
>>
>> I can send and receive mail on ports 465 and 993 using
>> SSL/TLS without any issue (seemingly). I am not sure if missing
>> "250-AUTH LOGIN PLAIN" is a problem. If I telnet to 465 (or 993) I
>> get no response.
>>
>> Please find below conf details of the system.
> Great job on the list of configuration items. At first glance your setup
> sounds sane - not so sure on the runpath /run/saslauthd though.
>
>
> Have you had a look at the log? Any errors or warnings? Are you running
> SELinux enabled? What's the output of the getenforce command?
>
> p@rick
Thank you for trying to help me out.

mux, mux.accept and saslauthd.pid are in /var/saslauthd directory.
SELinux is disabled. getenforce returns Disabled. There is nothing
suspicious in maillog. No warning, no errors at all. It is as clean as
it gets.

I can connect from an external server and send mail to a local recipient
on port 25. I think it should not work this way.

By the way Patrick, I learned Postfix from you to a great deal. Thanks
for your contribution to the community.

Mufit

Viktor Dukhovni

Nov 22, 2015, 5:16:25 PM
On Sun, Nov 22, 2015 at 09:43:46PM +0200, Mufit Eribol wrote:

> I have been running postfix at a small company for years without any
> problem. For some reason, now I cannot get 250-AUTH LOGIN PLAIN when
> telnetting to port 25. It may be due to a change in the upgraded packages or
> a misconfiguration by me. Probably, I "fixed" something which is not broken.

Nothing is wrong, look below:

$ posttls-finger onart.com.tr
posttls-finger: Connected to mail.randec.com[85.96.178.205]:25
posttls-finger: < 220 mail.onart.com.tr ESMTP Postfix
posttls-finger: > EHLO amnesiac.invalid
posttls-finger: < 250-mail.onart.com.tr
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 50000000
posttls-finger: < 250-ETRN
posttls-finger: < 250-STARTTLS
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250 DSN
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
posttls-finger: mail.randec.com[85.96.178.205]:25 CommonName mail.onart.com.tr
posttls-finger: certificate verification failed for mail.randec.com[85.96.178.205]:25: self-signed certificate
posttls-finger: mail.randec.com[85.96.178.205]:25: subject_CN=mail.onart.com.tr, issuer_CN=mail.onart.com.tr, fingerprint=AB:0F:61:4C:9C:FB:22:DF:9F:61:55:60:61:B5:6A:B1:C7:03:44:4D, pkey_fingerprint=E7:65:0A:4E:AF:A7:8E:85:CC:D9:8F:8F:6C:00:32:48:1B:F1:16:3A
posttls-finger: Untrusted TLS connection established to mail.randec.com[85.96.178.205]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
posttls-finger: > EHLO amnesiac.invalid
posttls-finger: < 250-mail.onart.com.tr
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 50000000
posttls-finger: < 250-ETRN
posttls-finger: < 250-AUTH PLAIN LOGIN
posttls-finger: < 250-AUTH=PLAIN LOGIN
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250 DSN
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 Bye

> I can send and receive mail on ports 465 and 993 using SSL/TLS
> without any issue (seemingly). I am not sure if missing "250-AUTH LOGIN
> PLAIN" is a problem. If I telnet to 465 (or 993) I get no response.

Of course not, those ports require an initial SSL/TLS handshake.

--
Viktor.

Mufit Eribol

Nov 22, 2015, 5:17:51 PM

On 23.11.2015 00:10, Mufit Eribol wrote:
>
>
> On 22.11.2015 22:44, Patrick Ben Koetter wrote:
>> * Mufit Eribol <h...@onart.com.tr>:
>>> Hello,
>>>
>>> I have been running postfix at a small company for years without any
>>> problem. For some reason, now I cannot get 250-AUTH LOGIN PLAIN when
>>> telnetting to port 25. It may be due to a change in the upgraded
>>> packages or a misconfiguration by me. Probably, I "fixed" something
>>> which is not broken.
>>>
>>> I can send and receive mail on ports 465 and 993 using
>>> SSL/TLS without any issue (seemingly). I am not sure if missing
>>> "250-AUTH LOGIN PLAIN" is a problem. If I telnet to 465 (or 993) I
>>> get no response.
>>>
>>> Please find below conf details of the system.
>> Great job on the list of configuration items. At first glance your setup
>> sounds sane - not so sure on the runpath /run/saslauthd though.
>>
>>
>> Have you had a look at the log? Any errors or warnings? Are you running
>> SELinux enabled? What's the output of the getenforce command?
>>
>> p@rick
> Thank you for trying to help me out.
>
> mux, mux.accept and saslauthd.pid are in /var/saslauthd directory.
> SELinux is disabled. getenforce returns Disabled. There is nothing
> suspicious in maillog. No warning, no errors at all. It is as clean as
> it gets.
>
> I can connect from an external server and send mail to a local
> recipient on port 25. I think it should not work this way.
>
> By the way Patrick, I learned Postfix from you to a great deal. Thanks
> for your contribution to the community.
>
> Mufit
>
Sorry! The above should read /run/saslauthd (not /var/saslauthd). My
typo. Apologies.

Mufit Eribol

Nov 23, 2015, 1:59:01 AM

On 23.11.2015 00:16, Viktor Dukhovni wrote:
> On Sun, Nov 22, 2015 at 09:43:46PM +0200, Mufit Eribol wrote:
>
>> I have been running postfix at a small company for years without any
>> problem. For some reason, now I cannot get 250-AUTH LOGIN PLAIN when
>> telnetting to port 25. It may be due to a change in the upgraded packages or
>> a misconfiguration by me. Probably, I "fixed" something which is not broken.
>> I can send and receive mail on ports 465 and 993 using SSL/TLS
>> without any issue (seemingly). I am not sure if missing "250-AUTH LOGIN
>> PLAIN" is a problem. If I telnet to 465 (or 993) I get no response.
> Of course not, those ports require an initial SSL/TLS handshake.
>
Viktor, thank you for your check. I am relieved.

I realized that the related switch is

smtpd_tls_auth_only = yes

If it is changed to "no", then "AUTH PLAIN LOGIN" is also advertised.

Mufit

Bill Cole

Nov 23, 2015, 2:05:04 PM
On 23 Nov 2015, at 1:58, Mufit Eribol wrote:

> Viktor, thank you for your check. I am relieved.
>
> I realized that the related switch is
>
> smtpd_tls_auth_only = yes
>
> If it is changed to "no", then "AUTH PLAIN LOGIN" is also advertised.

You should understand what that does, since it is potentially very
dangerous. If anyone actually *USES* a plaintext authentication
mechanism (PLAIN or LOGIN) without the protection of TLS encryption,
their authentication credentials are vulnerable to simple network
sniffing attacks anywhere in the path between the server and the client.
A high-quality SMTP client won't ever attempt plaintext authentication
outside of TLS, but there are a lot of people using shoddy clients that
might do so, IF the capability is advertised. Put more simply:

NOT advertising "AUTH PLAIN LOGIN" on unencrypted SMTP sessions is a
security feature of Postfix (and some other MTAs) and is NOT indicative
of a problem of any sort.
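
The check Viktor's posttls-finger run performs by hand, written up as an added example (not code from this thread or from Postfix): compare the EHLO reply before and after STARTTLS on a server you operate and report whether AUTH is offered only inside TLS, as smtpd_tls_auth_only = yes intends. The transcripts embedded for the offline test are constructed from the ones posted above; the hostname mail.example.invalid and the EHLO name audit.invalid are placeholders.

```python
import smtplib
import ssl

# Constructed EHLO transcripts modelled on the ones posted in this thread:
# no AUTH line before STARTTLS, AUTH (plus Postfix's AUTH= variant) after it.
EHLO_BEFORE_TLS = """250-mail.example.invalid
250-SIZE 50000000
250-STARTTLS
250-8BITMIME
250 DSN"""

EHLO_AFTER_TLS = """250-mail.example.invalid
250-SIZE 50000000
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-8BITMIME
250 DSN"""

def parse_ehlo(response):
    """Map each advertised extension to its parameters from a raw EHLO reply.
    First line is the server name; the 'AUTH=' line emitted for old clients
    (broken_sasl_auth_clients = yes) is folded into the AUTH entry."""
    exts = {}
    for line in response.splitlines()[1:]:
        body = line[4:].strip()  # drop the '250-' / '250 ' prefix
        if not body:
            continue
        if body.upper().startswith("AUTH="):
            keyword, params = "AUTH", body[5:]
        else:
            keyword, _, params = body.partition(" ")
        keyword = keyword.upper()
        exts[keyword] = (exts.get(keyword, "") + " " + params).strip()
    return exts

def auth_mechs(response):
    """SASL mechanisms advertised in an EHLO reply (empty set if none)."""
    return set(parse_ehlo(response).get("AUTH", "").upper().split())

def classify(before_mechs, after_mechs):
    """'tls-only' is what smtpd_tls_auth_only = yes produces; 'plaintext-auth'
    is the exposure Bill describes; 'no-auth' means AUTH is never offered."""
    if before_mechs:
        return "plaintext-auth"
    return "tls-only" if after_mechs else "no-auth"

def live_check(host, port=25, timeout=10.0):
    """EHLO, STARTTLS, EHLO again against a server you operate, then classify.
    The default SSL context verifies the certificate, so a self-signed cert
    (as in the posttls-finger output above) raises SSLCertVerificationError."""
    def mechs(smtp):  # smtplib lower-cases keys; an 'AUTH=' line arrives as '=PLAIN ...'
        return set(smtp.esmtp_features.get("auth", "").replace("=", " ").upper().split())

    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo("audit.invalid")
        before = mechs(smtp)
        if not smtp.has_extn("starttls"):
            return "no-starttls"
        smtp.starttls(context=ssl.create_default_context())
        smtp.ehlo("audit.invalid")  # STARTTLS clears the cached feature list
        after = mechs(smtp)
    return classify(before, after)
```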

Patrick Ben Koetter

Nov 23, 2015, 2:19:21 PM
* Mufit Eribol <h...@onart.com.tr>:
> Viktor, thank you for your check. I am relieved.
>
> I realized that the related switch is
>
> smtpd_tls_auth_only = yes
>
> If it is changed to "no", then "AUTH PLAIN LOGIN" is also advertised.

Uhmm, for the record, this setting wasn't on the postfix configuration list
you posted originally.

p@rick

emr...@gmail.com

Jun 26, 2016, 12:38:52 AM
I am having a similar problem, but the debug output from debug_peer_list (and the openssl client debugger) shows that even after a correct STARTTLS, EHLO still returns a list without an AUTH mechanism.