SASL Authentication - lost connection after EHLO

[pstanbra]

I'm experiencing issues with sending out mail.
Sending out mail through outlook works fine.

I've a debian box with OTRS installed set up to send mail via SMTP.
Before anyone says "well it must be OTRS" - I've double checked the username and password for SMTP and it is the same.

Also the issue is happening on another system.


When I send an email , I look at the log and see a disconnect after EHLO.

Quote:Sep 1 18:54:20 web1 postfix/smtpd[15916]: lost connection after EHLO from blabla.cable.virginmedia.com[my ip]
Sep 1 18:54:20 web1 postfix/smtpd[15916]: disconnect from blabla.croy.cable.virginmedia.com[my ip]

If I turn on Level2 logging , I see this:

Quote:Sep 1 18:54:20 web1 postfix/smtpd[15916]: > blabla.virginmedia.com[MYIP]: 220 mail.myhostname ESMTP myhostnameMail Server
Sep 1 18:54:20 web1 postfix/smtpd[15916]: xsasl_cyrus_server_create: SASL service=smtp, realm=(null)
Sep 1 18:54:20 web1 postfix/smtpd[15916]: name_mask: noanonymous
Sep 1 18:54:20 web1 postfix/smtpd[15916]: watchdog_pat: 0xb7d0efa0
Sep 1 18:54:20 web1 postfix/smtpd[15916]: < bla.virginmedia.com[MYip]: EHLO myhostname.co.uk
Sep 1 18:54:20 web1 postfix/smtpd[15916]: > bla.virginmedia.com[MYip]: 250-mail.myhostname
Sep 1 18:54:20 web1 postfix/smtpd[15916]: > blabLA.virginmedia.com[MYip]: 250-PIPELINING
Sep 1 18:54:20 web1 postfix/smtpd[15916]: > blabLA.virginmedia.com[MYip]: 250-SIZE
Sep 1 18:54:20 web1 postfix/smtpd[15916]: > blabLA.virginmedia.com[MYip]: 250-VRFY
Sep 1 18:54:20 web1 postfix/smtpd[15916]: > blabLA.virginmedia.com[MYip]: 250-ETRN
Sep 1 18:54:20 web1 postfix/smtpd[15916]: >blabLA.virginmedia.com[MYip]: 250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM
Sep 1 18:54:20 web1 postfix/smtpd[15916]: match_list_match: blabLA.cable.virginmedia.com: no match
Sep 1 18:54:20 web1 postfix/smtpd[15916]: match_list_match: myIP: no match
Sep 1 18:54:20 web1 postfix/smtpd[15916]: >blabLA.virginmedia.com[MYip]: 250-AUTH=PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM
Sep 1 18:54:20 web1 postfix/smtpd[15916]: > blabLA.virginmedia.com[MYip]: 250-ENHANCEDSTATUSCODES
Sep 1 18:54:20 web1 postfix/smtpd[15916]: > blabLA.virginmedia.com[MYip]: 250-8BITMIME
Sep 1 18:54:20 web1 postfix/smtpd[15916]: > blabLAvirginmedia.com[MYip]: 250 DSN
Sep 1 18:54:20 web1 postfix/smtpd[15916]: watchdog_pat: 0xb7d0efa0
Sep 1 18:54:20 web1 postfix/smtpd[15916]: smtp_get: EOF
Sep 1 18:54:20 web1 postfix/smtpd[15916]: match_hostname: bla.virginmedia.com ~? 127.0.0.1/32
Sep 1 18:54:20 web1 postfix/smtpd[15916]: match_hostaddr: myip ~? 127.0.0.1/32
Sep 1 18:54:20 web1 postfix/smtpd[15916]: match_hostname: blabla.cable.virginmedia.com ~? myip/32
Sep 1 18:54:20 web1 postfix/smtpd[15916]: match_hostaddr: myip2 ~? myIP/32
Sep 1 18:54:20 web1 postfix/smtpd[15916]: match_list_match: blabla.cable.virginmedia.com: no match
Sep 1 18:54:20 web1 postfix/smtpd[15916]: match_list_match: myip: no match
Sep 1 18:54:20 web1 postfix/smtpd[15916]: send attr request = disconnect
Sep 1 18:54:20 web1 postfix/smtpd[15916]: send attr ident = smtp:myIP
Sep 1 18:54:20 web1 postfix/smtpd[15916]: private/anvil: wanted attribute: status
Sep 1 18:54:20 web1 postfix/smtpd[15916]: input attribute name: status
Sep 1 18:54:20 web1 postfix/smtpd[15916]: input attribute value: 0
Sep 1 18:54:20 web1 postfix/smtpd[15916]: private/anvil: wanted attribute: (list terminator)
Sep 1 18:54:20 web1 postfix/smtpd[15916]: input attribute name: (end)
Sep 1 18:54:20 web1 postfix/smtpd[15916]: lost connection after EHLO from blabla1.croy.cable.virginmedia.com[my ip]
Sep 1 18:54:20 w

HELP - I'm going round in circles..PLeaseeee!


Also - on my sending (debian box) (OTRS) it reports
SMTP authentication failed:

[pstanbra]

update:
If I add my current IP to my networks and then do not use username and password for authentication, I can send an email so it looks like it's to do with the ispcp main.cf of postfix.
Any ideas?

Code:

# Postfix directory settings; These are critical for normal Postfix MTA functionallity
command_directory            = /usr/sbin
daemon_directory             = /usr/lib/postfix

# Some common configuration parameters
inet_interfaces              = all
#mynetworks_style            = host
mynetworks                   = myIP(allows me to relay without authentication), 127.0.0.0/8
myhostname                   = mail.myhostname
mydomain                     = mail.muhostname.local
myorigin                     = $myhostname

smtpd_banner                 = $myhostname ESMTP Mail Server
setgid_group                 = postdrop

# Receiving messages parameters
mydestination                = $myhostname, $mydomain
append_dot_mydomain          = no
append_at_myorigin           = yes
local_transport              = local
virtual_transport            = virtual
transport_maps               = hash:/etc/postfix/ispcp/transport
alias_maps                   = hash:/etc/aliases
alias_database               = hash:/etc/aliases

# Delivering local messages parameters
mail_spool_directory         = /var/mail

# Mailboxquota
# => 0 for unlimited
# => 104857600 for 100 MB
mailbox_size_limit           = 0
mailbox_command              = procmail -a "$EXTENSION"

# Message size limit
# => 0 for unlimited
# => 104857600 for 100 MB
message_size_limit           = 0

biff                         = no
recipient_delimiter          = +

local_destination_recipient_limit = 1
local_recipient_maps         = unix:passwd.byname $alias_database

# ispCP Autoresponder parameters
ispcp-arpl_destination_recipient_limit = 1

# Delivering virtual messages parameters
virtual_mailbox_base         = /var/mail/virtual
virtual_mailbox_limit        = 0

virtual_mailbox_domains      = hash:/etc/postfix/ispcp/domains
virtual_mailbox_maps         = hash:/etc/postfix/ispcp/mailboxes

virtual_alias_maps           = hash:/etc/postfix/ispcp/aliases

virtual_minimum_uid          = 1001
virtual_uid_maps             = static:1001
virtual_gid_maps             = static:8

# SASL paramters
smtpd_sasl_auth_enable       = yes
smtpd_sasl_security_options  = noanonymous
smtpd_sasl_local_domain      =
broken_sasl_auth_clients     = yes

smtpd_helo_required          = yes
#smtpd_sasl_authenticated_header = yes
smtpd_helo_restrictions      = permit_mynetworks,
                               permit_sasl_authenticated,
                               reject_invalid_helo_hostname,
                               reject_non_fqdn_helo_hostname

smtpd_sender_restrictions    = reject_non_fqdn_sender,
                               reject_unknown_sender_domain,
                               permit_mynetworks,
                               permit_sasl_authenticated

smtpd_recipient_restrictions = reject_non_fqdn_recipient,
                               reject_unknown_recipient_domain,
                               permit_mynetworks,
                               permit_sasl_authenticated,
                               reject_unauth_destination,
                               #check_client_access hash:/etc/postfix/rbl_override,
                               reject_unlisted_recipient,
                               check_client_access hash:/etc/postfix/policyd_whitelist,
                               check_policy_service inet:127.0.0.1:12525,
                               check_policy_service inet:127.0.0.1:10023,
                               permit

smtpd_data_restrictions      = reject_multi_recipient_bounce,
                               reject_unauth_pipelining

# TLS parameters; activate, if avaible/used
#smtpd_tls_security_level    = may
#smtpd_tls_loglevel          = 2
#smtpd_tls_cert_file         = /etc/postfix/cert.pem
#smtpd_tls_key_file          = /etc/postfix/privkey.pem
#smtpd_tls_auth_only         = no
#smtpd_tls_received_header   = yes

# AMaViS parameters; activate, if available/used
#content_filter               = amavis:[127.0.0.1]:10024

# Quota support; activate, if available/used
#virtual_create_maildirsize     = yes
#virtual_mailbox_extended       = yes
#virtual_mailbox_limit_maps     = mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
#virtual_mailbox_limit_override = yes
#virtual_maildir_limit_message  = "The user you're trying to reach is over mailbox quota."
#virtual_overquota_bounce       = yes
#debug_peer_level = 2
#debug_peer_list = virginmedia.com

Remember I can email from outlook fine.
Just found also.. If I telnet to my ispcp box and try to run AUTH LOGIN and send
encoded username and password , it still says

SASL LOGIN authentication failed: authentication failure

[joximu]

*maybe* otrs uses a method which postfix/sasl cannot understand - but propagate it...

try setting in /etc/postfix/sasl/smtpd.conf:

Code:

mech_list: LOGIN PLAIN

and if it works, you may add one method after another:

mech_list: DIGEST-MD5 CRAM-MD5 LOGIN PLAIN

where only NTLM is missing to the original list...

I noticed that NTLM is propagated but was never understood...

/J

[pstanbra]

I don't have anything in that file, it doesn't even exist. Is that normal.
I'll create it anyway and see what happens.


Okay so i've found that it works if I use only LOGIN PLAIN. Thank-You so much!
Anything elese I add to the string stops it working.

I'm not sure what this means but that fixed it for me and I can now remove my public ip from the allowed networks.
Will this affect me logging on with SMTPLS in outlook for example?

What exactly have I just done?
Removed the option to authenticate with an MD5 password?

[joximu]

yep - file is nonexistend when you have a new system...

-

no SMTPS is not affected.

the only thing that may not work in the future: mail clients that which can only use e.g. cram_md5 for SMTP authentication... - but since LOGIN and PLAIN are the most basic methods (but: without security) there won't be any client which cannot send mails.

To security: you still can use TLS for the auth part - so this should work.


Normally the sasl-modules are provided with this package: libsasl2-modules

see "dpkg -L libsasl2-modules"... I don't know why some of them doen't work out of the box (ntlm in my case - the md5 things in your case...)

maybe have a look here
http://www.cyrusimap.org/docs/cyrus-sasl...readme.php

/J

[pstanbra]

cool. Thanks for taking the time to help.
Have a good week.