Question/help for postfixadmin/postfix account creation problem

zepouletto
2014-06-13
2014-07-17
  • zepouletto
    zepouletto
    2014-06-13

    Hi everybody,

    I have a server running postfix/courier (TLS/SSL/SASL) + Amavis/Spamassassin/ClamAV. It has always worked fine.
    To simplify administration I decided to install postfixadmin, nice product!
    But I encounter a problem when creating new users. In fact it creates the user in the database, but the directory is not created, which means that the client cannot log on to this new account.

    Log:
    imapd: Connection, ip=[::ffff:X.X.X.X]
    imapd: chdir mydomain.com/testuser/: No such file or directory
    imapd: testuser@mydomain.com: No such file or directory

    I have set the debug mode and, from the logs and tests, I understand the following:
    When using postfixadmin to create a user, it is first added to the database, and then a mail is sent.
    This mail triggers the server to create the directory.

    Log:
    postfix/smtpd[5297]: connect from localhost[127.0.0.1]
    postfix/smtpd[5297]: smtp_stream_setup: maxtime=300 enable_deadline=0
    postfix/smtpd[5297]: match_hostname: localhost ~? 127.0.0.0/8
    postfix/smtpd[5297]: match_hostaddr: 127.0.0.1 ~? 127.0.0.0/8
    postfix/smtpd[5297]: > localhost[127.0.0.1]: 220 mail.mydomain.com ESMTP Postfix (Debian/GNU)
    postfix/smtpd[5297]: watchdog_pat: 0x7fd4c12b26d0
    postfix/smtpd[5297]: < localhost[127.0.0.1]: EHLO 192.168.1.102
    postfix/smtpd[5297]: match_list_match: localhost: no match
    postfix/smtpd[5297]: match_list_match: 127.0.0.1: no match
    postfix/smtpd[5297]: > localhost[127.0.0.1]: 250-mail.mydomain.com
    postfix/smtpd[5297]: > localhost[127.0.0.1]: 250-PIPELINING
    postfix/smtpd[5297]: > localhost[127.0.0.1]: 250-SIZE 15360000
    postfix/smtpd[5297]: > localhost[127.0.0.1]: 250-VRFY
    postfix/smtpd[5297]: > localhost[127.0.0.1]: 250-ETRN
    postfix/smtpd[5297]: > localhost[127.0.0.1]: 250-STARTTLS
    postfix/smtpd[5297]: > localhost[127.0.0.1]: 250-ENHANCEDSTATUSCODES
    postfix/smtpd[5297]: > localhost[127.0.0.1]: 250-8BITMIME
    postfix/smtpd[5297]: > localhost[127.0.0.1]: 250 DSN
    postfix/smtpd[5297]: watchdog_pat: 0x7fd4c12b26d0
    postfix/smtpd[5297]: < localhost[127.0.0.1]: MAIL FROM:admin@mydomain.com
    postfix/smtpd[5297]: > localhost[127.0.0.1]: 530 5.7.0 Must issue a STARTTLS command first
    postfix/smtpd[5297]: watchdog_pat: 0x7fd4c12b26d0
    postfix/smtpd[5297]: < localhost[127.0.0.1]: RCPT TO:testuser@mydomain.com
    postfix/smtpd[5297]: > localhost[127.0.0.1]: 530 5.7.0 Must issue a STARTTLS command first
    postfix/smtpd[5297]: watchdog_pat: 0x7fd4c12b26d0
    postfix/smtpd[5297]: < localhost[127.0.0.1]: DATA
    postfix/smtpd[5297]: > localhost[127.0.0.1]: 530 5.7.0 Must issue a STARTTLS command first
    postfix/smtpd[5297]: watchdog_pat: 0x7fd4c12b26d0
    postfix/smtpd[5297]: < localhost[127.0.0.1]: To: testuser@mydomain.com
    postfix/smtpd[5297]: warning: non-SMTP command from localhost[127.0.0.1]: To: testuser@mydomain.com
    postfix/smtpd[5297]: > localhost[127.0.0.1]: 221 2.7.0 Error: I can break rules, too. Goodbye.
    postfix/smtpd[5297]: match_hostname: localhost ~? 127.0.0.0/8
    postfix/smtpd[5297]: match_hostaddr: 127.0.0.1 ~? 127.0.0.0/8
    postfix/smtpd[5297]: disconnect from localhost[127.0.0.1]

    Am I right?

    If yes, I found the error, but have no idea what to do about it.
    During the new-user creation process, the mail sending goes wrong. This is normal because the PHP postfixadmin script seems not to support the STARTTLS service, and the server is set to only accept TLS and SSL connections.

    When I send an email myself (from another server) to this account, it is also created, but that is not a nice solution.

    I can imagine two solutions but have no idea how to do either.
    1) Add STARTTLS to postfixadmin (too much work because it is not implemented).
    2) Disable TLS on localhost only (as all services are on the same server)

    Hereunder you will find the configuration and log files.
    If anyone has an idea about what I can do to fix this small but annoying problem, it would be great.

    main.cf ------------
    smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
    biff = no

    # appending .domain is the MUA's job.
    append_dot_mydomain = no

    readme_directory = no

    # TLS parameters

    #smtpd_tls_mandatory_protocols = SSLv3, TLSv1
    #smtpd_tls_mandatory_ciphers = medium, high

    smtpd_tls_auth_only = yes
    smtp_use_tls = yes
    smtp_tls_note_starttls_offer = yes
    smtpd_tls_security_level = encrypt
    smtpd_tls_cert_file = /etc/ssl/mail/mydomain.com.crt
    smtpd_tls_key_file = /etc/ssl/mail/mydomain.com.key
    smtpd_use_tls=yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

    # Maximum mail size (set to 15M)
    # !! BEWARE - This always has to be lower than virtual_mailbox_limit !!!
    message_size_limit = 15360000

    # Maximum mailbox size (102400000 is ~100MB)
    mailbox_size_limit = 102400000

    #15360000

    # Server global settings
    myhostname = mail.mydomain.com
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = /etc/mailname
    mydestination = localhost.localdomain, localhost
    relayhost =
    #mynetworks = 127.0.0.0/8
    mailbox_command = procmail -a "$EXTENSION"
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    inet_protocols = ipv4

    # Mysql support
    virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
    virtual_gid_maps = static:5000
    virtual_mailbox_base = /home/mailbox
    virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
    virtual_mailbox_limit = 102400000
    virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
    virtual_minimum_uid = 5000
    virtual_transport = virtual
    virtual_uid_maps = static:5000

    # Quota support
    #virtual_create_maildirsize = yes
    #virtual_mailbox_extended = yes
    #virtual_mailbox_limit_maps = mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
    #virtual_mailbox_limit_override = yes
    #virtual_maildir_limit_message = Sorry, mailbox full, try again later.
    #virtual_overquota_bounce = yes

    # Relay support
    #relay_domains = mysql:/etc/postfix/mysql_relay_domains_maps.cf

    # SASL support
    broken_sasl_auth_clients = yes
    smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unauth_destination,
    reject_unauth_pipelining,
    reject_invalid_hostname,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client sbl-xbl.spamhaus.org
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_local_domain = $myhostname
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_exceptions_networks = 127.0.0.1/8
    broken_sasl_auth_clients = yes
    smtpd_sasl_type = cyrus
    cyrus_sasl_config_path = /etc/postfix/sasl

    # Amavis support
    content_filter = amavis:[127.0.0.1]:10024
    receive_override_options = no_address_mappings

    master.cf ------------
    smtp inet n - - - - smtpd
    -o smtpd_enforce_tls=yes
    -o content_filter=spamassassin

    smtps inet n - - - - smtpd
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o content_filter=spamassassin

    pickup fifo n - - 60 1 pickup
    cleanup unix n - - - 0 cleanup
    qmgr fifo n - n 300 1 qmgr
    #qmgr fifo n - n 300 1 oqmgr
    tlsmgr unix - - - 1000? 1 tlsmgr
    rewrite unix - - - - - trivial-rewrite
    bounce unix - - - - 0 bounce
    defer unix - - - - 0 bounce
    trace unix - - - - 0 bounce
    verify unix - - - - 1 verify
    flush unix n - - 1000? 0 flush
    proxymap unix - - n - - proxymap
    proxywrite unix - - n - 1 proxymap
    smtp unix - - - - - smtp
    relay unix - - - - - smtp
    showq unix n - - - - showq
    error unix - - - - - error
    retry unix - - - - - error
    discard unix - - - - - discard
    local unix - n n - - local
    virtual unix - n n - - virtual
    lmtp unix - - - - - lmtp
    anvil unix - - - - 1 anvil
    scache unix - - - - 1 scache

    maildrop unix - n n - - pipe
    flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
    uucp unix - n n - - pipe
    flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
    ifmail unix - n n - - pipe
    flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
    bsmtp unix - n n - - pipe
    flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
    scalemail-backend unix - n n - 2 pipe
    flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
    mailman unix - n n - - pipe
    flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
    ${nexthop} ${user}

    amavis unix - - y - 2 smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes

    # For injecting mail from the filter back to postfix
    127.0.0.1:10025 inet n - - - - smtpd
    -o smtpd_tls_security_level=none
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o strict_rfc821_envelopes=yes
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    -o smtp_bind_address=127.0.0.1

    # Spamassassin anti-spam filter
    spamassassin unix - n n - - pipe
    user=spamd argv=/usr/bin/spamc -f -e
    /usr/sbin/sendmail -oi -f ${sender} ${recipient}

    Thanks a lot :)

    Last edit: zepouletto 2014-06-13
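The diagnosis in the post above (the server advertises 250-STARTTLS, the client never sends STARTTLS, and every envelope command is refused with 530 5.7.0) can be read mechanically out of the smtpd debug log. The following script is an added example and is not code from PostfixAdmin or Postfix; SAMPLE_LOG is a constructed excerpt in the "> peer: reply" / "< peer: command" format shown above, with the same placeholder host names, addresses and PID.

```python
"""
Reconstruct an SMTP session from Postfix smtpd debug-log lines and report
whether a client was refused because it never issued STARTTLS.

Added example for the diagnosis in the post above; not code from
PostfixAdmin or Postfix.  SAMPLE_LOG is a constructed excerpt in the
format that "smtpd -v" produces (placeholder names, addresses, PID).
"""
import re
from collections import defaultdict

# Constructed sample: the exchange from the post, without syslog prefixes.
SAMPLE_LOG = """\
postfix/smtpd[5297]: connect from localhost[127.0.0.1]
postfix/smtpd[5297]: > localhost[127.0.0.1]: 220 mail.mydomain.com ESMTP Postfix (Debian/GNU)
postfix/smtpd[5297]: < localhost[127.0.0.1]: EHLO 192.168.1.102
postfix/smtpd[5297]: > localhost[127.0.0.1]: 250-mail.mydomain.com
postfix/smtpd[5297]: > localhost[127.0.0.1]: 250-PIPELINING
postfix/smtpd[5297]: > localhost[127.0.0.1]: 250-STARTTLS
postfix/smtpd[5297]: > localhost[127.0.0.1]: 250 DSN
postfix/smtpd[5297]: < localhost[127.0.0.1]: MAIL FROM:admin@mydomain.com
postfix/smtpd[5297]: > localhost[127.0.0.1]: 530 5.7.0 Must issue a STARTTLS command first
postfix/smtpd[5297]: < localhost[127.0.0.1]: RCPT TO:testuser@mydomain.com
postfix/smtpd[5297]: > localhost[127.0.0.1]: 530 5.7.0 Must issue a STARTTLS command first
postfix/smtpd[5297]: < localhost[127.0.0.1]: DATA
postfix/smtpd[5297]: > localhost[127.0.0.1]: 530 5.7.0 Must issue a STARTTLS command first
postfix/smtpd[5297]: < localhost[127.0.0.1]: To: testuser@mydomain.com
postfix/smtpd[5297]: warning: non-SMTP command from localhost[127.0.0.1]: To: testuser@mydomain.com
postfix/smtpd[5297]: > localhost[127.0.0.1]: 221 2.7.0 Error: I can break rules, too. Goodbye.
postfix/smtpd[5297]: disconnect from localhost[127.0.0.1]
"""

# ">" is a server reply, "<" is a client command; everything else
# (watchdog_pat, match_hostname, connect/disconnect, warnings) is ignored.
LINE_RE = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<dir>[<>]) (?P<peer>\S+): (?P<payload>.*)$"
)
STARTTLS_REQUIRED = re.compile(r"^530 5\.7\.0 Must issue a STARTTLS command first")


def parse_sessions(lines):
    """Group the dialogue by smtpd process id (one connection per PID at a time)."""
    sessions = defaultdict(lambda: {"peer": None, "events": []})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        s = sessions[m.group("pid")]
        s["peer"] = m.group("peer")
        s["events"].append((m.group("dir"), m.group("payload").strip()))
    return dict(sessions)


def analyse(session):
    """Return what one session tells us about the STARTTLS negotiation."""
    result = {
        "peer": session["peer"],
        "helo": None,                   # name the client announced in EHLO/HELO
        "starttls_offered": False,      # server advertised 250-STARTTLS
        "client_used_starttls": False,  # client actually sent STARTTLS
        "refused": [],                  # verbs answered with 530 "Must issue a STARTTLS"
    }
    last_cmd = None
    for direction, payload in session["events"]:
        if direction == "<":
            last_cmd = payload
            words = payload.split()
            verb = words[0].upper() if words else ""
            if verb in ("EHLO", "HELO") and len(words) > 1:
                result["helo"] = words[1]
            elif verb == "STARTTLS":
                result["client_used_starttls"] = True
        else:
            if payload.startswith("250") and payload[4:].strip().upper() == "STARTTLS":
                result["starttls_offered"] = True
            elif STARTTLS_REQUIRED.match(payload) and last_cmd:
                result["refused"].append(last_cmd.split()[0].upper())
    return result


def verdict(result):
    """One-line diagnosis suitable for a ticket or an alert."""
    if result["refused"] and result["starttls_offered"] and not result["client_used_starttls"]:
        return ("plaintext client %s (EHLO %s) ignored the STARTTLS offer; "
                "server enforces TLS (smtpd_tls_security_level=encrypt)"
                % (result["peer"], result["helo"]))
    if result["refused"] and not result["starttls_offered"]:
        return "server demanded STARTTLS but never advertised it: check the TLS cert/key settings"
    return "no STARTTLS enforcement problem observed"


if __name__ == "__main__":
    for pid, session in parse_sessions(SAMPLE_LOG.splitlines()).items():
        print(pid, verdict(analyse(session)))
```

Run it against a real mail.log (with smtpd started with -v) and the same three refused verbs, MAIL, RCPT and DATA, appear for the PostfixAdmin connection; a client that does negotiate TLS shows up with client_used_starttls set and an empty refused list.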
  • Simon Hobson
    Simon Hobson
    2014-06-14

    I think you've answered your own question there - simply permit non-TLS connections on localhost.
    I suppose you could also alter PFA to drop the message in the queue rather than use an SMTP connection - as most other programs do when sending mail.

  • I agree with Simon - except a little detail: Instead of altering PostfixAdmin, using a $CONF['mailbox_postcreation_script'] script might be easier ;-)

  • zepouletto
    zepouletto
    2014-06-16

    Thank you for confirming my presumptions...

    Well, now my question is: how can I allow non-TLS connections from localhost (I have tried several settings in master.cf but without success)?

    If I can avoid other programs having direct access to the queue, it would be better.

    The $CONF['mailbox_postcreation_script'] seems like it may encounter problems if PHP is run in safe mode; as this server will be online soon, I may secure apache2 to the best possible level and patch the kernel, so I'm not sure that this is the optimum solution.

    Thank you Christian & Simon

    Last edit: zepouletto 2014-06-16
  • zepouletto
    zepouletto
    2014-06-19

    Hi,

    Does anyone have an idea about how to disable Postfix TLS on localhost only?
    I have tried multiple different settings but none of them disables TLS ONLY on localhost...

    Any idea is welcome,
    Thanks

  • Simon Hobson
    Simon Hobson
    2014-06-19

    I suspect you might need a separate instance of Postfix. So an extra line in master.cf invoking smtpd with a few parameter tweaks. The main instance listens on your 'real' network interfaces, the extra one listens on localhost.

    With your current setup, does 'echo "Some text" | mail -s "Test message" recipient@somedomain.com' work? If so, then you might consider using the mailbox creation script to just call this.

    • Esben Madsen
      Esben Madsen
      2014-07-15

      A couple of things to consider in case you didn't find the solution...

      1. You have a bunch of overlapping and deprecated TLS configs, e.g.
        smtpd_use_tls is deprecated; for Postfix 2.3 or newer you should use
        smtpd_tls_security_level
        (http://www.postfix.org/postconf.5.html#smtpd_tls_security_level) instead.
      2. Are you sure you want to force TLS on SMTP? Unless this is an
        internal mail server, that goes against protocol and will make you unable to
        receive a lot of mail. As the Postfix doc says on encrypt:
        "According to RFC 2487 (http://tools.ietf.org/html/rfc2487) this MUST NOT
        be applied in case of a publicly-referenced SMTP server. Instead, this
        option should be used only on dedicated servers."
      3. I can't remember what postfixadmin actually does, but the Postfix doc
        also specifically states that "when invoked via "sendmail -bs", Postfix
        will never offer STARTTLS due to insufficient privileges to access the
        server private key. This is intended behavior."
      4. If your box has IPv6, remember to add the IPv6 localhost masks to
        mynetworks / smtpd_sasl_exceptions_networks (separate multiple networks by
        space): [::ffff:127.0.0.0]/104 [::1]/128
        That could also be a blocking issue...

      Personally I have

      smtpd_tls_security_level = may

      in my main.cf and postfixadmin works like a charm... the relevant parts of
      your master.cf seem similar to mine...

      Best

      Esben

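Simon's suggestion (a separate smtpd listener that only serves localhost) and Esben's points (opportunistic TLS on port 25, IPv6 loopback in mynetworks, dropping the pre-2.3 smtpd_use_tls spelling) fit together in one configuration. What follows is an added example, not configuration from the thread, from PostfixAdmin or from the Postfix documentation; the port 10026, the restriction lists and the "spamassassin" content filter name are assumptions chosen to match the master.cf posted above.

```conf
# main.cf (added example, not the poster's configuration)

# Port 25 is a public MX: RFC 3207 (which obsoletes RFC 2487) says a publicly
# referenced server MUST NOT require STARTTLS, so offer it but do not demand it.
smtpd_tls_security_level = may
# Never accept SASL credentials in the clear, even though TLS itself is optional.
smtpd_tls_auth_only = yes
# Outbound: use TLS when the remote offers it.
smtp_tls_security_level = may
# Remove the pre-2.3 spellings (smtpd_use_tls, smtp_use_tls, smtpd_enforce_tls)
# so that the *_security_level settings above are the only ones in effect.

# Include the IPv6 loopback forms: a client that connects to "localhost" may
# arrive from ::1 or ::ffff:127.0.0.1 instead of 127.0.0.1.
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
smtpd_sasl_exceptions_networks = $mynetworks

# master.cf (added example, not the poster's configuration)

# Public listener: opportunistic TLS per main.cf, no per-service override.
smtp      inet  n       -       -       -       -       smtpd
  -o content_filter=spamassassin
# SMTPS for mail clients: TLS (wrapper mode) and SASL are mandatory here, so
# user passwords never have a plaintext path.
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o content_filter=spamassassin
# Loopback-only listener for local web applications (PostfixAdmin's welcome
# mail). Bound to 127.0.0.1 so it is unreachable from the network; TLS is off
# because the bytes never leave the host; only loopback clients are accepted.
# Do NOT point PostfixAdmin at the existing 127.0.0.1:10025 amavis
# re-injection port instead: that service deliberately disables content_filter
# and unknown-recipient checks.
127.0.0.1:10026 inet n  -       -       -       -       smtpd
  -o smtpd_tls_security_level=none
  -o smtpd_sasl_auth_enable=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8,[::1]/128
```

Then point PostfixAdmin at the loopback listener through its $CONF['smtp_server'] and $CONF['smtp_port'] options (in config.local.php: $CONF['smtp_server'] = '127.0.0.1'; $CONF['smtp_port'] = '10026';). Using the literal address rather than 'localhost' sidesteps the ::1 resolution question entirely. After "postfix reload", check with "postconf -n | grep -i tls" that no smtpd_use_tls or smtpd_enforce_tls leftovers remain, and with "ss -ltnp | grep 10026" that the new service is bound to 127.0.0.1 only. If port 25 is kept at "encrypt" despite the RFC caveat, this localhost listener is still what makes the welcome mail (and therefore the maildir creation) work.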
  • zepouletto
    zepouletto
    2014-07-17

    Hi Simon & Esben,

    I finally made it work...
    You are right, some other (external) servers do not support TLS, therefore I changed the settings to allow TLS or SSL, but no other way of logging in (TLS is now an option).
    As I noticed that my problem also came from authenticating on the server (with SASL), I changed a few things:

    I removed the line "smtpd_use_tls" as it was overridden by "smtpd_tls_security_level".
    Changed TLS level to smtpd_tls_security_level = may
    Declared the local networks: mynetworks = 172.16.1.0/24, 127.0.0.0/8
    Set smtpd_sasl_exceptions_networks = $mynetworks
    and set smtpd_sasl_local_domain = $myhostname

    I used variables to avoid confusion when declaring hosts or domains.
    Now I can send emails from postfixadmin and so the accounts are created correctly :)

    Thank you !