Postfix: SMTP, use port 587 rather than 465


I also followed Flurdy's tutorial and had a similar problem: I could only send mail through port 25 (smtpd), but not through 587 (submission). I found out the problem to be exactly that, according to his instructions, port 25 was configured to run in chroot but 587 was not - it seems to be an error in the tutorial. Check out this part of flurdy's instructions:

By default only the normal smtp service is enabled, which is fine. But I prefer to enable submission (port 587), so that clients can use it, and I can restrict them to TLS only. Also enabled smtps service (port 465), for some compatibility with some older clients (outlook express etc).

Right below this text you can find this line, stating the daemon for the submission port will not use chroot:

submission inet n - n - - smtpd

I know this because my original /etc/postfix/master.cf file had comments showing this legend:

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================

Right below the option list for the submission port lies the following line, which configures smtps (port 465):

smtps inet n - - - - smtpd

From this you can see it is using the default (I guess the - sign means it will use the default, which is to use chroot).

Ok, then, when you look at the SASL authentication section, where it says:

Change how SASLAUTHD is run:

you can see the OPTIONS variable contains the following path:

# Switch this to be under postfix's spool
# And add -r so that the realm(domain) is part of the username
OPTIONS="-r -c -m /var/spool/postfix/var/run/saslauthd"

Again, with help from my originally commented /etc/default/saslauthd file, I noted this clear explanation:

# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!
#
# WARNING: DO NOT SPECIFY THE -d OPTION.
# The -d option will cause saslauthd to run in the foreground instead of as
# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
# to run saslauthd in debug mode, please run it by hand to be safe.
#
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
# See the saslauthd man page and the output of 'saslauthd -h' for general
# information about these options.
#
# Example for chroot Postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
# Example for non-chroot Postfix users: "-c -m /var/run/saslauthd"
#
# To know if your Postfix is running chroot, check /etc/postfix/master.cf.
# If it has the line "smtp inet n - y - - smtpd" or "smtp inet n - - - - smtpd"
# then your Postfix is running in a chroot.
# If it has the line "smtp inet n - n - - smtpd" then your Postfix is NOT
# running in a chroot.
OPTIONS="-r -c -m /var/spool/postfix/var/run/saslauthd"

Since my OPTIONS variable was clearly specifying the chroot case, I just changed my submission configuration at /etc/postfix/master.cf to also use chroot. After restarting the server - just to make sure all the services were properly restarted - it worked like a charm; now I can send email through either port 25 or 587.

Hope it also helps you out! I also lost quite some time to see this...
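As an added example (not part of the answer above or of flurdy's tutorial), this POSIX shell script automates the cross-check the answer does by hand: it reads the chroot column of every smtpd listener in master.cf and compares it with the -m socket directory in saslauthd's OPTIONS, reporting each listener whose setting points smtpd at a socket path saslauthd is not creating. The master.cf content and OPTIONS value are constructed samples mirroring the question's configuration.

```shell
#!/bin/sh
# yes/no for the chroot column (field 5) of one master.cf service line;
# "-" means the Postfix default, which is chroot.
chroot_flag() {
    set -- $1
    case "$5" in n) echo no ;; *) echo yes ;; esac
}

# Socket directory saslauthd must use for a chroot flag of yes/no.
expected_socket_dir() {
    if [ "$1" = yes ]; then echo /var/spool/postfix/var/run/saslauthd
    else echo /var/run/saslauthd; fi
}

# Socket directory named by -m in saslauthd's OPTIONS string, else the
# Debian default quoted in /etc/default/saslauthd.
saslauthd_socket_dir() {
    set -- $1
    while [ $# -gt 1 ]; do
        if [ "$1" = -m ]; then echo "$2"; return 0; fi
        shift
    done
    echo /var/run/saslauthd
}

# One line per smtpd listener whose chroot setting disagrees with where
# saslauthd actually listens. Args: master.cf path, OPTIONS string.
check_sasl_chroot() {
    actual=$(saslauthd_socket_dir "$2")
    grep -E '^[^#[:space:]]+[[:space:]]+inet[[:space:]].*[[:space:]]smtpd[[:space:]]*$' "$1" |
    while read -r line; do
        set -- $line
        flag=$(chroot_flag "$line"); expect=$(expected_socket_dir "$flag")
        if [ "$expect" != "$actual" ]; then
            printf '%s: chroot=%s but saslauthd socket is %s (needs %s)\n' \
                "$1" "$flag" "$actual" "$expect"
        fi
    done
}

# Constructed sample mirroring the question's master.cf and OPTIONS.
MASTER_CF=$(mktemp); trap 'rm -f "$MASTER_CF"' EXIT
cat > "$MASTER_CF" <<'EOF'
smtp       inet  n       -       -       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
smtps      inet  n       -       -       -       -       smtpd
EOF
OPTIONS="-r -c -m /var/spool/postfix/var/run/saslauthd"
check_sasl_chroot "$MASTER_CF" "$OPTIONS"
```

On the sample it reports only the submission listener, which is exactly the mismatch behind the "cannot connect to saslauthd server: No such file or directory" warning in the question's log; point it at the real /etc/postfix/master.cf and the OPTIONS line from /etc/default/saslauthd to check a live box.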

Updated on September 18, 2022

Comments

  • Wairowe
    Wairowe almost 2 years

    I have set up a mail server on AWS EC2 using the instructions from Flurdy: http://flurdy.com/docs/postfix/ it has mostly gone well.

    My issue is that I would prefer to use SMTP port 587 with TLS rather than 465 with SSL. I believe this is a relevant requirement as port 465 is considered not future proof.

    The instructions on the Flurdy site are designed to allow both, however I can not get 587 to work! 465 with SSL works a charm.

    I should also mention that this build uses sasl with MySQL and I think this is why I have not found much help when I Google the errors. I believe the error lies somewhere in the SASL / PAM arena, but I have had no luck.

    Here are some of the log outputs:

    MAIL.LOG

    postfix/smtpd[11328]: connect from MY.ISP.PROVIDER[MY.IP.0.0]
    postfix/smtpd[11328]: Anonymous TLS connection established from MY.ISP.PROVIDER[MY.IP.0.0]: TLSv1.2 with cipher AES128-SHA256 (128/128 bits)
    postfix/smtpd[11328]: warning: SASL authentication failure: client response doesn't match what we generated (tried bogus)
    postfix/smtpd[11328]: warning: MY.ISP.PROVIDER[MY.IP.0.0]: SASL DIGEST-MD5 authentication failed: authentication failure
    postfix/smtpd[11328]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
    postfix/smtpd[11328]: warning: MY.ISP.PROVIDER[MY.IP.0.0]: SASL LOGIN authentication failed: generic failure
    postfix/smtpd[11328]: lost connection after AUTH from MY.ISP.PROVIDER[MY.IP.0.0]
    postfix/smtpd[11328]: disconnect from MY.ISP.PROVIDER[MY.IP.0.0]
    

    My master.cf

    submission inet n       -       n       -       -       smtpd
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_tls_auth_only=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
      -o smtpd_sasl_security_options=noanonymous,noplaintext
      -o smtpd_sasl_tls_security_options=noanonymous
    
    smtps     inet  n       -       -       -       -       smtpd
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_tls_auth_only=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      -o smtpd_sasl_security_options=noanonymous,noplaintext
      -o smtpd_sasl_tls_security_options=noanonymous
    

    There is also other conf such as AMAVIS, but I suspect this is all ok.

    The SQL log shows all the connections and queries working correctly.

    I have used TELNET for testing and it simply closes the connection when I attempt the auth with port 587. If I open port 25 on my server then I can complete a successful AUTH LOGIN.

    Here is the difference in EHLO response with 25 (when open) and 587. I noticed 587 does not include AUTH. Is this the problem??

    $ telnet my.mailserver.com 587
    Trying MY.IP.0.0...
    Connected to my.mailserver.com.
    Escape character is '^]'.
    220 MY-EC2-SERVER-NAME.localdomain ESMTP Postfix
    EHLO my.mailserver.com
    250-MY-EC2-SERVER-NAME.localdomain
    250-PIPELINING
    250-SIZE 10240000
    250-ETRN
    250-STARTTLS
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    
    $ telnet my.mailserver.com 25
    Trying MY.IP.0.0...
    Connected to my.mailserver.com.
    Escape character is '^]'.
    220 MY-EC2-SERVER-NAME.localdomain ESMTP Postfix
    EHLO my.mailserver.com
    250-MY-EC2-SERVER-NAME.localdomain
    250-PIPELINING
    250-SIZE 10240000
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    

    I have restarted the services postfix and saslauthd a number of times. I have also double checked the passwords and usernames in the DB. I have been over the instructions and checked for misconfiguration and spelling mistakes, although this is likely what it will be in the end :-)

    The server is UBUNTU 13.10

    Please let me know if I can supply any further info to help debugging.

    All thoughts welcome!

    • Arya S.
      Arya S. over 10 years
      This kind of question would get better exposure on ServerVault. But while we are at it I think AUTH is available after TLS has established. Might want to Google how STARTTLS works..