How to send emails trough a smart relay that uses SASL and TLS
I used:
- CentOS Linux release 7.3.1611
- postfix-2.10.1-6.el7.x86_64
The setup
File: /etc/postfix/main.cf
This is the main configuration for postfix in regards to how you would like to behave.smtpd_banner = $myhostname ESMTP $mail_name biff = no append_dot_mydomain = no readme_directory = no smtpd_tls_session_cache_timeout=3600s tls_random_source=dev:/dev/urandom smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache smtp_sasl_auth_enable = yes smtp_sasl_security_options = noanonymous smtp_sasl_tls_security_options = noanonymous smtp_sasl_password_maps = hash:/etc/postfix/sasl/password smtp_use_tls = yes smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.trust.crt smtp_tls_loglevel = 1 smtp_tls_security_level = encrypt smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination myhostname = ${OPTIONAL_HOSTNAME} alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases myorigin = /etc/mailname mydestination = $myhostname localhost.$mydomain relayhost = [${mail.RELAY}]:587 mynetworks = 127.0.0.0/8 mailbox_size_limit = 0 recipient_delimiter = + inet_interfaces = localhost inet_protocols = ipv4 # comment these two when done debug_peer_list = ${mail.RELAY} debug_peer_level = 3
File: /etc/postfix/sasl/password
Write into the file the username and password that you use to authenticate.[${mail.RELAY}] ${user@domain}:${PASSWORD}Once you save the file you need to create the database, in this case it's hash
cd /etc/postfix/salsl && postmap passwordAt this point restart postfix
systemctl restart postfix
The problem
Since all that is configured is ok ... you would expect that now you can send email however ...smtp_sasl_authenticate: mail.RELAY[IPV4]:587: SASL mechanisms PLAIN LOGIN warning: SASL authentication failure: No worthy mechs found ... send attr reason = SASL authentication failed; cannot authenticate to server mail.RELAY[IPV4]: no mechanism availableThe main problem is that the username and password works fine ... you can test by using telnet
# First compute the base64 encoded string. \0 is a null terminated string printf '${user@domain}\0${user@domain}\0${PASSWORD}' | base64 # telnet to the smtp relay telnet ${mail.RELAY} EHLO ${OPTIONAL_HOSTNAME} 250-server.example.com 250-PIPELINING 250-SIZE 10240000 250-ETRN 250-AUTH DIGEST-MD5 PLAIN CRAM-MD5 250 8BITMIME AUTH PLAIN ${COMPUTED_STRING_FROM_PRINTF} 235 Authentication successfulSo what is not working ?! Based on the errors we've seen postfix complains that there is no worthy mechs ... that may lead you to read more into the source code. Bottom line since Postfix uses Cyrus SASL library as per Postfix documentation you actually need to install cyrus-sasl-lib
yum install -y cyrus-sasl cyrus-sasl-lib cyrus-sasl-plain # restart postfix systemctl restart postfixAt this point if you keep the debug on you will see
.... smtp_sasl_authenticate: ${mail.RELAY}[${IPV4}]:587: SASL mechanisms PLAIN LOGIN xsasl_cyrus_client_get_user: ${user@domain} xsasl_cyrus_client_get_passwd: ${PASSWORD} ... ... 235 2.7.0 Authentication successfulNote: all symbols ${} should be replace with your relevant information. The value of myhostname is optional into /etc/postfix/main.cf if not present postfix uses your hostname.
0 comments:
Post a Comment