
I'm setting up a mail server on a CentOS 7 installation on dedicated hardware and I'm running into issues with getting Postfix to authenticate SMTP connections with Dovecot set for SASL. I've followed every guide I could find about editing the main.cf and master.cf as well as Dovecot's .conf files.

Everything else is running fine. I have set up Dovecot and that is authenticating securely without issue. SMTP works fine if I set smtpd_tls_auth_only = no but then the passwords are obviously sent in the clear.

I have run openssl s_client -connect sub.domain.com:25 -starttls smtp to check and it returns the certificate correctly and everything seems to be okay. Running ehlo sub.domain.com after that returns:

250-sub.domain.com
250-PIPELINING
250-SIZE 20480000
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

which I assume to be as expected after the TLS "handshake".

Tailing the log when I try to connect using the mail client gives me the following: See Paste

Mail in OS X tells me the following when I try to send:

Mail was unable to connect to server “sub.domain.com” using SSL on the default ports. Verify that this server supports SSL and that your account settings are correct.

I have tried connecting via all the standard ports.

Roundcube gives me an error code of 250: Authentication Failed.

EDIT: Below is the output of postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb $daemon_directory/$process_name $process_id & sleep 5
delay_warning_time = 4
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 20480000
mydestination = localhost.$mydomain, localhost
mydomain = domain.com
myhostname = sub.domain.com
mynetworks = 127.0.0.1, xxx.xxx.xxx.xxx
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.2.2/README_FILES
recipient_delimiter = +
relay_domains = proxy:mysql:/etc/sentora/configs/postfix/mysql-relay_domains_maps.cf
sample_directory = /usr/share/doc/postfix-2.2.2/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_loglevel = 4
smtp_tls_security_level = may
smtpd_banner = $myhostname ESMTP
smtpd_client_restrictions =
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = /var/spool/postfix/private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks, reject_unauth_destination, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_recipient_domain
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem
smtpd_tls_key_file = /etc/ssl/private/postfix.pem
smtpd_tls_received_header = yes
smtpd_use_tls = yes
soft_bounce = yes
unknown_local_recipient_reject_code = 550
virtual_alias_maps = proxy:mysql:/etc/sentora/configs/postfix/mysql-virtual_alias_maps.cf, regexp:/etc/sentora/configs/postfix/virtual_regexp
virtual_gid_maps = static:12
virtual_mailbox_base = /var/sentora/vmail
virtual_mailbox_domains = proxy:mysql:/etc/sentora/configs/postfix/mysql-virtual_domains_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/sentora/configs/postfix/mysql-virtual_mailbox_maps.cf
virtual_minimum_uid = 996
virtual_transport = dovecot
virtual_uid_maps = static:996

and postconf -M is at: This Paste

If there are more logs or confs I need to paste in here please ask and I will gladly provide. Anything to get this damn security working! Argh!

Sera H
  • When asking about postfix problems, please include the output of the following command: `postconf -n` (content of main.cf) and/or `postconf -M` (content of master.cf) - although an error *"unable to connect"* might have to do with a firewall setting (or your ISP blocking port 25) – HBruijn Aug 04 '16 at 14:22
  • @HBruijn, if the ISP was blocking port 25, surely SMTP wouldn't work when I set `smtpd_tls_auth_only` to `no` as well? I've updated my post to include the two `postconf` outputs. – Sera H Aug 05 '16 at 06:26
  • I'm no postfix expert, but everything looks to me as if the clients are not requesting TLS and then authenticating. Your point about OS X mail suggests to me that the client(s) are configured to do SSL, rather than TLS escalation (`STARTTLS`), and they're not the same thing. Is it worth checking that the client(s) are configured to do `STARTTLS` not SSL? – MadHatter Aug 05 '16 at 06:40

1 Answer

So, as it turns out, I was being a bit silly. I tried to connect from a network other than my work one (via my mobile provider) and the connection worked!

The error:

Mail was unable to connect to server “sub.domain.com” using SSL on the default ports. Verify that this server supports SSL and that your account settings are correct.

is displayed when you are using STARTTLS but select the SSL option in OS X Mail. Since you aren't using SSL, it fails as it should.

The problem in this instance was not a configuration error on the server or with the server's firewall but rather that the Cyberoam unit running on our network is blocking the connection for some reason. No SMTP restrictions in place on it, but there must be a misconfiguration somewhere since SMTP doesn't work for any other mail provider either except for our business mail. The solution for that is beyond the scope of this question and answer though.

So, although it seems now like it should have been my first troubleshooting step, if this is happening for you, first check your settings by trying to connect from another network, especially if you utilise Cyberoam.

Sera H
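The checks the question and answer circle around, as an added example (not code from the original post or from Postfix/Dovecot): the question's `openssl s_client -starttls smtp` run only shows the session after the handshake, because s_client sends EHLO and STARTTLS itself, so it never shows whether AUTH was already on offer in the clear; and the answer's point is that an "SSL" (implicit TLS) client such as OS X Mail and a STARTTLS server are speaking different protocols on the same port. The script below does both EHLOs itself and compares them against what `smtpd_tls_auth_only = yes` should produce, and separately tries an implicit-TLS connection so the two failure modes (handshake rejected by a plaintext banner versus the connection never getting through) can be told apart. `sub.domain.com` and the ports 25/587/465 are assumptions; the sample EHLO transcripts are constructed (the post-TLS one mirrors the reply quoted in the question).

```python
"""Probe an SMTP endpoint the way a mail client does and check that AUTH is
only offered once TLS is up (what Postfix's smtpd_tls_auth_only = yes means).
Added example, not part of the original question/answer; host names, ports
and the sample EHLO transcripts below are assumptions / constructed."""
import smtplib
import ssl
import sys

# Constructed: what a Postfix server with smtpd_tls_auth_only = yes should
# answer before STARTTLS (STARTTLS offered, no AUTH) ...
PRE_TLS_EHLO = """250-sub.domain.com
250-PIPELINING
250-SIZE 20480000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""
# ... and after it (this one mirrors the reply quoted in the question).
POST_TLS_EHLO = """250-sub.domain.com
250-PIPELINING
250-SIZE 20480000
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""


def parse_ehlo(transcript):
    """Turn an EHLO reply as seen in an openssl s_client / telnet session
    ("250-KEYWORD params" lines) into {KEYWORD: [params]}.  Postfix with
    broken_sasl_auth_clients = yes sends both "AUTH PLAIN LOGIN" and the
    pre-RFC "AUTH=PLAIN LOGIN" form; both are merged under "AUTH"."""
    exts = {}
    greeting_seen = False
    for raw in transcript.splitlines():
        line = raw.strip()
        if len(line) < 4 or not line[:3].isdigit() or line[3] not in "- ":
            continue  # not a reply line
        if not greeting_seen:
            greeting_seen = True  # first reply line is the server host name
            continue
        body = line[4:].strip()
        if not body:
            continue
        head, _, tail = body.partition(" ")
        if "=" in head:  # "AUTH=PLAIN LOGIN"
            keyword, _, first_param = head.partition("=")
            params = ([first_param] if first_param else []) + tail.split()
        else:
            keyword, params = head, tail.split()
        bucket = exts.setdefault(keyword.upper(), [])
        for p in params:
            if p not in bucket:
                bucket.append(p)
    return exts


def auth_mechanisms(exts):
    """SASL mechanisms advertised in a parsed EHLO reply (upper-cased)."""
    return [m.upper() for m in exts.get("AUTH", [])]


def check_tls_auth_only(before, after):
    """Compare the EHLO reply before and after STARTTLS.  Returns a list of
    findings; an empty list is what a correctly configured submission
    endpoint with smtpd_tls_auth_only = yes looks like."""
    findings = []
    if "STARTTLS" not in before:
        findings.append("STARTTLS not advertised on the plaintext EHLO")
    if auth_mechanisms(before):
        findings.append("AUTH offered before STARTTLS: a client can send "
                        "the password in the clear")
    if after is None:
        findings.append("TLS never came up, so there is no post-TLS EHLO to check")
    elif not auth_mechanisms(after):
        findings.append("no AUTH after STARTTLS: check smtpd_sasl_auth_enable "
                        "and the Dovecot auth socket in smtpd_sasl_path")
    return findings


def _features(smtp):
    # smtplib already folds "AUTH=..." into its "auth" feature; dedupe params.
    return {k.upper(): list(dict.fromkeys(v.split()))
            for k, v in smtp.esmtp_features.items()}


def probe_starttls(host, port=587, timeout=10):
    """EHLO, STARTTLS, EHLO again; returns (before, after).  This is the part
    `openssl s_client -starttls smtp` hides from you."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        before = _features(s)
        if "STARTTLS" not in before:
            return before, None
        s.starttls(context=ssl.create_default_context())
        s.ehlo()
        return before, _features(s)


def probe_implicit_tls(host, port=465, timeout=10):
    """What an 'SSL' (implicit TLS) client such as OS X Mail does.  Against a
    STARTTLS-only port the server's plaintext banner breaks the handshake;
    a filter in the path shows up as a plain connection failure instead."""
    try:
        with smtplib.SMTP_SSL(host, port, timeout=timeout,
                              context=ssl.create_default_context()) as s:
            s.ehlo()
            return _features(s), None
    except ssl.SSLError as e:  # must come before OSError (it is a subclass)
        return None, "TLS handshake failed (port is plaintext/STARTTLS?): %s" % e
    except OSError as e:
        return None, "connection failed (firewall/filter in the path?): %s" % e


if __name__ == "__main__":
    print("offline check:", check_tls_auth_only(parse_ehlo(PRE_TLS_EHLO),
                                                parse_ehlo(POST_TLS_EHLO)) or "OK")
    if len(sys.argv) > 1:  # live: python probe.py sub.domain.com (assumed host)
        host = sys.argv[1]
        before, after = probe_starttls(host, 587)
        print("587 STARTTLS:", check_tls_auth_only(before, after) or "OK")
        feats, err = probe_implicit_tls(host, 465)
        print("465 implicit TLS:", err or "OK, AUTH=%s" % auth_mechanisms(feats))
```

Run it from a network other than the one the client sits on as well as from the client's own network: the same host giving `OK` from one place and `connection failed` from the other is the answer's Cyberoam situation, whereas `TLS handshake failed` on 25 or 587 is the Mail.app "using SSL" mistake (implicit TLS pointed at a STARTTLS port) and says nothing about the server.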