SASL Authentication - lost connection after EHLO - pstanbra - 09-02-2012 06:08 AM
I'm experiencing issues with sending out mail.
Sending out mail through Outlook works fine.
I've a Debian box with OTRS installed set up to send mail via SMTP.
Before anyone says "well it must be OTRS" - I've double checked the username and password for SMTP and it is the same.
Also the issue is happening on another system.
When I send an email, I look at the log and see a disconnect after EHLO.
Quote:
Sep 1 18:54:20 web1 postfix/smtpd[15916]: lost connection after EHLO from blabla.cable.virginmedia.com[my ip]
Sep 1 18:54:20 web1 postfix/smtpd[15916]: disconnect from blabla.croy.cable.virginmedia.com[my ip]
If I turn on Level2 logging, I see this:
Quote:
Sep 1 18:54:20 web1 postfix/smtpd[15916]: > blabla.virginmedia.com[MYIP]: 220 mail.myhostname ESMTP myhostnameMail Server
Sep 1 18:54:20 web1 postfix/smtpd[15916]: xsasl_cyrus_server_create: SASL service=smtp, realm=(null)
Sep 1 18:54:20 web1 postfix/smtpd[15916]: name_mask: noanonymous
Sep 1 18:54:20 web1 postfix/smtpd[15916]: watchdog_pat: 0xb7d0efa0
Sep 1 18:54:20 web1 postfix/smtpd[15916]: < bla.virginmedia.com[MYip]: EHLO myhostname.co.uk
Sep 1 18:54:20 web1 postfix/smtpd[15916]: > bla.virginmedia.com[MYip]: 250-mail.myhostname
Sep 1 18:54:20 web1 postfix/smtpd[15916]: > blabLA.virginmedia.com[MYip]: 250-PIPELINING
Sep 1 18:54:20 web1 postfix/smtpd[15916]: > blabLA.virginmedia.com[MYip]: 250-SIZE
Sep 1 18:54:20 web1 postfix/smtpd[15916]: > blabLA.virginmedia.com[MYip]: 250-VRFY
Sep 1 18:54:20 web1 postfix/smtpd[15916]: > blabLA.virginmedia.com[MYip]: 250-ETRN
Sep 1 18:54:20 web1 postfix/smtpd[15916]: >blabLA.virginmedia.com[MYip]: 250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM
Sep 1 18:54:20 web1 postfix/smtpd[15916]: match_list_match: blabLA.cable.virginmedia.com: no match
Sep 1 18:54:20 web1 postfix/smtpd[15916]: match_list_match: myIP: no match
Sep 1 18:54:20 web1 postfix/smtpd[15916]: >blabLA.virginmedia.com[MYip]: 250-AUTH=PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM
Sep 1 18:54:20 web1 postfix/smtpd[15916]: > blabLA.virginmedia.com[MYip]: 250-ENHANCEDSTATUSCODES
Sep 1 18:54:20 web1 postfix/smtpd[15916]: > blabLA.virginmedia.com[MYip]: 250-8BITMIME
Sep 1 18:54:20 web1 postfix/smtpd[15916]: > blabLAvirginmedia.com[MYip]: 250 DSN
Sep 1 18:54:20 web1 postfix/smtpd[15916]: watchdog_pat: 0xb7d0efa0
Sep 1 18:54:20 web1 postfix/smtpd[15916]: smtp_get: EOF
Sep 1 18:54:20 web1 postfix/smtpd[15916]: match_hostname: bla.virginmedia.com ~? 127.0.0.1/32
Sep 1 18:54:20 web1 postfix/smtpd[15916]: match_hostaddr: myip ~? 127.0.0.1/32
Sep 1 18:54:20 web1 postfix/smtpd[15916]: match_hostname: blabla.cable.virginmedia.com ~? myip/32
Sep 1 18:54:20 web1 postfix/smtpd[15916]: match_hostaddr: myip2 ~? myIP/32
Sep 1 18:54:20 web1 postfix/smtpd[15916]: match_list_match: blabla.cable.virginmedia.com: no match
Sep 1 18:54:20 web1 postfix/smtpd[15916]: match_list_match: myip: no match
Sep 1 18:54:20 web1 postfix/smtpd[15916]: send attr request = disconnect
Sep 1 18:54:20 web1 postfix/smtpd[15916]: send attr ident = smtp:myIP
Sep 1 18:54:20 web1 postfix/smtpd[15916]: private/anvil: wanted attribute: status
Sep 1 18:54:20 web1 postfix/smtpd[15916]: input attribute name: status
Sep 1 18:54:20 web1 postfix/smtpd[15916]: input attribute value: 0
Sep 1 18:54:20 web1 postfix/smtpd[15916]: private/anvil: wanted attribute: (list terminator)
Sep 1 18:54:20 web1 postfix/smtpd[15916]: input attribute name: (end)
Sep 1 18:54:20 web1 postfix/smtpd[15916]: lost connection after EHLO from blabla1.croy.cable.virginmedia.com[my ip]
Sep 1 18:54:20 w
HELP - I'm going round in circles... Pleaseeee!
Also - on my sending (debian box) (OTRS) it reports
SMTP authentication failed:
RE: SASL Authentication - lost connection after EHLO - pstanbra - 09-02-2012 08:07 AM
update:
If I add my current IP to my networks and then do not use username and password for authentication, I can send an email so it looks like it's to do with the ispcp main.cf of postfix.
Any ideas?
Code:
# Postfix directory settings; These are critical for normal Postfix MTA functionality
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
# Some common configuration parameters
inet_interfaces = all
#mynetworks_style = host
mynetworks = myIP(allows me to relay without authentication), 127.0.0.0/8
myhostname = mail.myhostname
mydomain = mail.muhostname.local
myorigin = $myhostname
smtpd_banner = $myhostname ESMTP Mail Server
setgid_group = postdrop
# Receiving messages parameters
mydestination = $myhostname, $mydomain
append_dot_mydomain = no
append_at_myorigin = yes
local_transport = local
virtual_transport = virtual
transport_maps = hash:/etc/postfix/ispcp/transport
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
# Delivering local messages parameters
mail_spool_directory = /var/mail
# Mailboxquota
# => 0 for unlimited
# => 104857600 for 100 MB
mailbox_size_limit = 0
mailbox_command = procmail -a "$EXTENSION"
# Message size limit
# => 0 for unlimited
# => 104857600 for 100 MB
message_size_limit = 0
biff = no
recipient_delimiter = +
local_destination_recipient_limit = 1
local_recipient_maps = unix:passwd.byname $alias_database
# ispCP Autoresponder parameters
ispcp-arpl_destination_recipient_limit = 1
# Delivering virtual messages parameters
virtual_mailbox_base = /var/mail/virtual
virtual_mailbox_limit = 0
virtual_mailbox_domains = hash:/etc/postfix/ispcp/domains
virtual_mailbox_maps = hash:/etc/postfix/ispcp/mailboxes
virtual_alias_maps = hash:/etc/postfix/ispcp/aliases
virtual_minimum_uid = 1001
virtual_uid_maps = static:1001
virtual_gid_maps = static:8
# SASL parameters
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
smtpd_helo_required = yes
#smtpd_sasl_authenticated_header = yes
smtpd_helo_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname
smtpd_sender_restrictions = reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    permit_mynetworks,
    permit_sasl_authenticated
smtpd_recipient_restrictions = reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    #check_client_access hash:/etc/postfix/rbl_override,
    reject_unlisted_recipient,
    check_client_access hash:/etc/postfix/policyd_whitelist,
    check_policy_service inet:127.0.0.1:12525,
    check_policy_service inet:127.0.0.1:10023,
    permit
smtpd_data_restrictions = reject_multi_recipient_bounce,
    reject_unauth_pipelining
# TLS parameters; activate, if available/used
#smtpd_tls_security_level = may
#smtpd_tls_loglevel = 2
#smtpd_tls_cert_file = /etc/postfix/cert.pem
#smtpd_tls_key_file = /etc/postfix/privkey.pem
#smtpd_tls_auth_only = no
#smtpd_tls_received_header = yes
# AMaViS parameters; activate, if available/used
#content_filter = amavis:[127.0.0.1]:10024
# Quota support; activate, if available/used
#virtual_create_maildirsize = yes
#virtual_mailbox_extended = yes
#virtual_mailbox_limit_maps = mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
#virtual_mailbox_limit_override = yes
#virtual_maildir_limit_message = "The user you're trying to reach is over mailbox quota."
#virtual_overquota_bounce = yes
#debug_peer_level = 2
#debug_peer_list = virginmedia.com
Remember I can email from Outlook fine.
Just found also.. If I telnet to my ispcp box and try to run AUTH LOGIN and send
encoded username and password, it still says
SASL LOGIN authentication failed: authentication failure
RE: SASL Authentication - lost connection after EHLO - joximu - 09-03-2012 06:10 AM
*maybe* otrs uses a method which postfix/sasl cannot understand - but propagate it...
try setting in /etc/postfix/sasl/smtpd.conf:
Code:
mech_list: LOGIN PLAIN
and if it works, you may add one method after another:
mech_list: DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
where only NTLM is missing to the original list...
I noticed that NTLM is propagated but was never understood...
/J
RE: SASL Authentication - lost connection after EHLO - pstanbra - 09-03-2012 06:06 PM
I don't have anything in that file, it doesn't even exist. Is that normal?
I'll create it anyway and see what happens.
Okay so I've found that it works if I use only LOGIN PLAIN. Thank you so much!
Anything else I add to the string stops it working.
I'm not sure what this means but that fixed it for me and I can now remove my public ip from the allowed networks.
Will this affect me logging on with SMTPLS in Outlook for example?
What exactly have I just done?
Removed the option to authenticate with an MD5 password?
RE: SASL Authentication - lost connection after EHLO - joximu - 09-03-2012 09:51 PM
yep - file is nonexistent when you have a new system...
-
no, SMTPS is not affected.
the only thing that may not work in the future: mail clients which can only use e.g. cram_md5 for SMTP authentication... - but since LOGIN and PLAIN are the most basic methods (but: without security) there won't be any client which cannot send mails.
To security: you still can use TLS for the auth part - so this should work.
Normally the sasl-modules are provided with this package: libsasl2-modules
see "dpkg -L libsasl2-modules"... I don't know why some of them don't work out of the box (ntlm in my case - the md5 things in your case...)
maybe have a look here
http://www.cyrusimap.org/docs/cyrus-sasl/2.1.23/readme.php
/J
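The mech_list change and the remark that LOGIN and PLAIN carry no security of their own, as an added example (not code from the posters or from Postfix): it reads the server's EHLO reply out of level-2 smtpd log lines, reports mechanisms advertised beyond the intended mech_list, flags cleartext mechanisms offered without STARTTLS, and shows that an AUTH PLAIN response is only base64. The sample log, host names, address and function names are constructed for illustration.

```python
import base64
import re

CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}  # password is only base64-encoded on the wire

# Constructed sample modelled on the level-2 log in the thread (placeholder host and address).
SAMPLE_LOG = """\
Sep 1 18:54:20 web1 postfix/smtpd[15916]: > client.example[192.0.2.10]: 250-mail.example
Sep 1 18:54:20 web1 postfix/smtpd[15916]: > client.example[192.0.2.10]: 250-PIPELINING
Sep 1 18:54:20 web1 postfix/smtpd[15916]: >client.example[192.0.2.10]: 250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM
Sep 1 18:54:20 web1 postfix/smtpd[15916]: >client.example[192.0.2.10]: 250-AUTH=PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM
Sep 1 18:54:20 web1 postfix/smtpd[15916]: > client.example[192.0.2.10]: 250 DSN
"""

REPLY = re.compile(r">\s*\S+\[[^\]]*\]: 250[- ](.+)$")

def parse_ehlo(log_text):
    """Map each ESMTP keyword in the server's 250 reply to its arguments."""
    caps = {}
    for line in log_text.splitlines():
        m = REPLY.search(line)
        if not m:
            continue
        keyword, _, args = m.group(1).strip().partition(" ")
        if keyword.upper().startswith("AUTH="):
            # legacy "AUTH=" form emitted when broken_sasl_auth_clients = yes
            keyword, args = "AUTH", keyword[5:] + " " + args
        caps.setdefault(keyword.upper(), set()).update(args.upper().split())
    return caps

def audit(caps, mech_list):
    """Compare advertised mechanisms with the intended mech_list value."""
    offered = caps.get("AUTH", set())
    allowed = set(mech_list.upper().split())
    findings = []
    if offered - allowed:
        findings.append("not in mech_list: " + " ".join(sorted(offered - allowed)))
    if offered & CLEARTEXT_MECHS and "STARTTLS" not in caps:
        findings.append("cleartext AUTH offered without STARTTLS: "
                        + " ".join(sorted(offered & CLEARTEXT_MECHS)))
    return findings

def decode_plain(blob):
    """Split an AUTH PLAIN initial response into (authzid, user, password)."""
    return tuple(base64.b64decode(blob).decode().split("\0"))

if __name__ == "__main__":
    for finding in audit(parse_ehlo(SAMPLE_LOG), "LOGIN PLAIN"):
        print(finding)
```

With the TLS parameters that are commented out in the main.cf above enabled, STARTTLS appears in the EHLO reply and the second finding goes away. Setting smtpd_tls_auth_only = yes additionally makes Postfix announce AUTH only after STARTTLS.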
RE: SASL Authentication - lost connection after EHLO - pstanbra - 09-04-2012 02:36 AM
cool. Thanks for taking the time to help.
Have a good week.