Date: 2022-02-07
From: Ruben Safir
Subject: [Hangout - NYLXS] sasl dovecot postfix certificates
So, I rebuilt my entire mailserver and still have issues. When I built dovecot and postfix using the instructions in the postfix docs, it left me with some problems and oddities. The instructions were from: http://www.postfix.org/SASL_README.html and the sister dovecot docs https://doc.dovecot.org/configuration_manual/howto/postfix_and_dovecot_sasl/
When I finished, instead of postfix listening on port 587, dovecot was sitting on the submission port, and postfix refused to relay on submission through dovecot. I pulled dovecot off of 587 and turned on the smtpd settings in master.cf, but now I need to assign the certs to the postfix settings. So I am kind of lost. If postfix is sitting on 587 then it needs to do the cryptography, which seems to be skipped over in the documentation - all it says is
    Encrypted SMTP session (TLS)

    A separate parameter controls Postfix SASL mechanism policy during a
    TLS-encrypted SMTP session. The default is to copy the settings from the
    unencrypted session:

        /etc/postfix/main.cf:
            smtpd_sasl_tls_security_options = $smtpd_sasl_security_options

    A more sophisticated policy allows plaintext mechanisms, but only over a
    TLS-encrypted connection:

        /etc/postfix/main.cf:
            smtpd_sasl_security_options = noanonymous, noplaintext
            smtpd_sasl_tls_security_options = noanonymous

    To offer SASL authentication only after a TLS-encrypted session has been
    established specify this:

        /etc/postfix/main.cf:
            smtpd_tls_auth_only = yes

- Nothing about certificates or keys.
So now I am wondering if I am even doing this correctly. The server looks like this:
flatbush:[ruben]:~$ nmap mail2.boroparkmd.com
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-06 23:59 EST
Nmap scan report for mail2.somewhere.com xxxxxxxxxx
Host is up (0.00066s latency).
rDNS record for xxxxxx somewhere.com
Not shown: 995 closed tcp ports (conn-refused)
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
110/tcp open  pop3
587/tcp open  submission
995/tcp open  pop3s

nmap -A -T4 mail2.somewhere.com
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-07 00:00 EST
Nmap scan report for mail2.somewhere.com (xxxxxxx)
Host is up (0.0012s latency).
rDNS record for xxxxxx xxxxxxxxxxxxxxxxxx
Not shown: 995 closed tcp ports (conn-refused)
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 8.8 (protocol 2.0)
| ssh-hostkey:
|   256 c6:ec:e5:8c:38:e4:6a:07:f1:08:d5:74:44:e8:4d:1c (ECDSA)
|_  256 77:18:a6:71:9a:30:bc:3c:8e:38:d5:3a:47:c3:6c:54 (ED25519)
25/tcp  open  smtp    Postfix smtpd
|_smtp-commands: mail2.boroparkmd.com, PIPELINING, SIZE 10240000, VRFY, ETRN, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
110/tcp open  pop3    Dovecot pop3d
|_pop3-capabilities: SASL STLS CAPA RESP-CODES PIPELINING TOP AUTH-RESP-CODE UIDL
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=*.somewhere.com/organizationName=Dovecot/stateOrProvinceName=NY/countryName=US
| Not valid before: 2022-02-06T18:03:59
|_Not valid after:  2122-01-13T18:03:59
587/tcp open  smtp    Postfix smtpd
|_smtp-commands: mail2.somewhere.com, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
995/tcp open  pop3s?
|_pop3-capabilities: SASL(PLAIN LOGIN) USER CAPA RESP-CODES PIPELINING TOP AUTH-RESP-CODE UIDL
| ssl-cert: Subject: commonName=*.somewhere.com/organizationName=Dovecot/stateOrProvinceName=NY/countryName=US
| Not valid before: 2022-02-06T18:03:59
|_Not valid after:  2122-01-13T18:03:59
|_ssl-date: TLS randomness does not represent time
Service Info: Host: mail2.somewhere.com
mail2:[root]:/etc/postfix# postconf -M smtp smtpd smtps submission
postconf: warning: unmatched request: "smtpd"
postconf: warning: unmatched request: "smtps"
smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_tls_auth_only=yes
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
smtp       unix  -       -       n       -       -       smtp

mail2:[root]:/etc# postconf -nf
alias_database = $alias_maps
alias_maps = hash:/etc/postfix/aliases
command_directory = /usr/bin
compatibility_level = 3.6
daemon_directory = /usr/lib/postfix/bin
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
html_directory = no
inet_protocols = ipv4
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
meta_directory = /etc/postfix
mydestination = $myhostname, omain1, domain2, domain2, $mydomain
mydomain = somewhere.com
myhostname = mail2.somewhere.com
mynetworks_style = host
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix
sample_directory = /etc/postfix
sendmail_path = /usr/bin/sendmail
setgid_group = postdrop
shlib_directory = /usr/lib/postfix
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
unknown_local_recipient_reject_code = 550

mail2:[root]:/etc# postconf -Mf
smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_tls_auth_only=yes
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
pickup     unix  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
    -o syslog_name=postfix/$service_name
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
postlog    unix-dgram n  -       n       -       1       postlogd

mail2:[root]:/etc/dovecot# sudo lsof | grep "/var/spool/postfix/private/"
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs
      Output information may be incomplete.
dovecot   32426   root   47u   unix 0x000000004c9ffc7c   0t0   364590 /var/spool/postfix/private/auth type=STREAM (LISTEN)
I don't see postfix attached to that named socket
So - now when I try to send email out it is dropping because it is missing the certificate - but that wasn't in the postfix docs. That made me wonder if I am going the wrong way on this.
Obviously it is complaining it can't find the certificate file when I try to send it out on 587 submission through thunderbird:

==> /var/log/everything.log <==
Feb  7 00:44:25 mail2 postfix/submission/smtpd[1351]: warning: No server certs available. TLS won't be enabled
--
So many immigrant groups have swept through our town that Brooklyn, like Atlantis, reaches mythological proportions in the mind of the world - RI Safir 1998
http://www.mrbrklyn.com

DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002

http://www.nylxs.com - Leadership Development in Free Software
http://www.brooklyn-living.com

Being so tracked is for FARM ANIMALS and extermination camps, but incompatible with living as a free human being. -RI Safir 2013
_______________________________________________
Hangout mailing list
Hangout-at-nylxs.com
http://lists.mrbrklyn.com/mailman/listinfo/hangout
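The configuration behind the "No server certs available" warning, as an added example that is not part of the post above and not code from the Postfix or Dovecot projects. The script parses main.cf and master.cf text (the posted settings, embedded as constructed samples), computes the parameters in effect for the submission/inet service the way master.cf "-o" overrides take precedence over main.cf, and flags the combination the log shows: a non-"none" smtpd_tls_security_level with no server certificate parameter (smtpd_tls_chain_files, smtpd_tls_cert_file, smtpd_tls_eccert_file or smtpd_tls_dcert_file) set. It also resolves where Postfix will look for the Dovecot SASL socket, since a relative smtpd_sasl_path is taken under queue_directory. The certificate and key paths in FIXED_MAIN_CF are assumptions; the parser is a simplified stand-in for postconf -x.

```python
"""Audit a Postfix submission service for the TLS/SASL settings actually in effect.

Added example, not from the mailing-list post or from Postfix/Dovecot.
"""
import re
import shlex

# main.cf parameters that can supply the server certificate (Postfix names).
CERT_PARAMS = ("smtpd_tls_chain_files", "smtpd_tls_cert_file",
               "smtpd_tls_eccert_file", "smtpd_tls_dcert_file")

# Constructed sample: the TLS/SASL-relevant lines of the posted main.cf (no cert/key).
POSTED_MAIN_CF = """\
queue_directory = /var/spool/postfix
smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
"""

# Constructed sample: the smtp and submission entries from the posted master.cf.
POSTED_MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
"""

# The fix: give Postfix a certificate and key. File paths are assumptions.
FIXED_MAIN_CF = POSTED_MAIN_CF + """\
smtpd_tls_cert_file = /etc/ssl/certs/mail2.somewhere.com.crt
smtpd_tls_key_file = /etc/ssl/private/mail2.somewhere.com.key
smtpd_tls_security_level = may
"""


def parse_main_cf(text):
    """Parse 'name = value' lines; indented lines continue the previous value."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last is not None:
            params[last] += " " + line.strip()
            continue
        name, _, value = line.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params


def expand(value, params, depth=0):
    """Expand $name and ${name} references (simplified postconf -x behaviour)."""
    if depth > 10:
        return value
    return re.sub(r"\$\{(\w+)\}|\$(\w+)",
                  lambda m: expand(params.get(m.group(1) or m.group(2), ""),
                                   params, depth + 1),
                  value)


def master_overrides(text, name, kind):
    """Collect the '-o param=value' overrides of one master.cf entry (name, type)."""
    overrides, inside = {}, False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():          # a non-indented line starts a new entry
            fields = line.split()
            inside = len(fields) > 1 and fields[0] == name and fields[1] == kind
        if inside:
            tokens = shlex.split(line)
            for i, tok in enumerate(tokens[:-1]):
                if tok == "-o" and "=" in tokens[i + 1]:
                    key, _, val = tokens[i + 1].partition("=")
                    overrides[key] = val   # master.cf -o wins over main.cf
    return overrides


def effective_params(main_cf, master_cf, name="submission", kind="inet"):
    """main.cf values with the service's master.cf overrides applied and expanded."""
    params = parse_main_cf(main_cf)
    params.update(master_overrides(master_cf, name, kind))
    return {k: expand(v, params) for k, v in params.items()}


def audit_submission(main_cf, master_cf):
    """Return (findings, sasl_socket_path); an empty findings list means no problem."""
    p = effective_params(main_cf, master_cf)
    findings = []
    level = p.get("smtpd_tls_security_level", "") or "none"
    has_cert = any(p.get(name) for name in CERT_PARAMS)
    if level != "none" and not has_cert:
        # This is the state that logs "No server certs available. TLS won't be enabled".
        findings.append("tls-no-server-cert")
    if p.get("smtpd_tls_auth_only", "no") == "yes" and not has_cert:
        # AUTH is only advertised inside TLS, so clients never see an AUTH offer.
        findings.append("auth-never-offered")
    socket = ""
    if p.get("smtpd_sasl_type") == "dovecot":
        socket = p.get("smtpd_sasl_path", "")
        if socket and not socket.startswith("/"):
            socket = p.get("queue_directory", "/var/spool/postfix") + "/" + socket
    return findings, socket


if __name__ == "__main__":
    for label, main_cf in (("posted", POSTED_MAIN_CF), ("fixed", FIXED_MAIN_CF)):
        print(label, audit_submission(main_cf, POSTED_MASTER_CF))
```

On a live box the same values come from `postconf -P submission/inet/smtpd_tls_security_level` and `postconf smtpd_tls_cert_file smtpd_tls_key_file`. The socket path the audit prints is the one Dovecot must listen on (a `unix_listener` under `service auth`, owned by the postfix user); Postfix's smtpd only connects to it when a client actually issues AUTH, so on an idle server lsof shows just dovecot holding it in LISTEN.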