From: James B. <jl...@bo...> - 2018-12-17 04:05:34
> On 17 Dec 2018, at 1:12 pm, Daniel Miller <dm...@am...> wrote:
>
> Couple things I notice:
>
> In ASSP - you have set:
>
> listenPort:=25
> smtpDestination:=127.0.0.1:10026
> listenPortSSL:=
> smtpDestinationSSL:=127.0.0.1:126
> listenPort2:=
> smtpAuthServer:=SSL:127.0.0.1:126
> relayHost:=127.0.0.1:10026
> relayPort:=127.0.0.1:10025
>
> So - ASSP is globally listening on port 25, and will forward any connection to 10026. In the clear.
>
> You have an override for explicit SSL connections to port 126.
>
> And an authenticated connection target of 10026 - exclusively SSL. However - you don't declare listenPort2. So ASSP isn't explicitly listening for authentication and, unless I'm quite wrong (which is always a strong possibility), the smtpAuthServer setting won't be used.
>
> ASSP is listening for connections from Postfix on 10025 and will forward those connections back to port 10026.
>
> So - my initial ASSP summary:
>
> ASSP listens openly on port 25, will forward clear connections to 10026 and SSL connections to 126. However - the SSL connection to Postfix is not "forced". Also the communication from & back to Postfix for relay is not forced SSL either.
>
> Next...Postfix:
>
> 127.0.0.1:10026 inet n - n - - smtpd
>   -o smtpd_sasl_auth_enable=yes
> 127.0.0.1:126 inet n - n - - smtpd
>   -o syslog_name=assptls
>   -o smtpd_tls_wrappermode=yes
>   -o smtpd_proxy_filter=
>   -o myhostname=mail.bordo.com.au
> 465 inet n - n - 20 smtpd
>   -o smtpd_proxy_filter=127.0.0.1:10025
>   -o smtpd_client_connection_count_limit=100
>
> Postfix is listening for authentication on port 10026 - without requiring SSL (though it will support STARTTLS).
>
> Postfix is listening for "forced" SSL connections on port 126.
>
> And listening on port 465 where it will forward to port 10025. Again without requiring SSL.
>
> So...
>
> I'm guessing your Mail.app is using STARTTLS - it connects to Postfix on port 465, which accepts the connection, forwards to ASSP on 10025, which returns to Postfix at 10026 - at which time Postfix checks for authentication - and then it continues on its way.
>
> Thunderbird is probably trying to do "forced" SSL - which isn't being listened for.
>
> My initial recommendations:
>
> * Move the "-o smtpd_sasl_auth_enable=yes" to your port 465 stanza. This is where the authentication should be.
>
> * Add (don't move) the "-o smtpd_tls_wrappermode=yes" to the port 465 stanza. This will enable "forced" SSL.
>
> * Change ASSP's "smtpDestinationSSL" to "SSL:127.0.0.1:126" (note the prefix of "SSL:")
>
> * The smtpAuthServer setting should be cleared so it's not confusing.
>
> The new flow - port 25 continues as it was. Which means both cleartext and STARTTLS support (but NOT "forced" SSL). Port 465 is now a dedicated SSL listener which requires authentication before it passes Postfix - which then forwards to ASSP via port 10025. ASSP will forward that via port 10026.
>
> I think after you do that...things might be a little better, although now your Mail.app may need to be adjusted! There may be something else we need to adjust in Postfix but this should be close.
>
> A purist might insist on adding SSL to ports 10025 & 10026 - but let's leave that for later when everything else is working if you really want it.

Fantastic - thanks Daniel. Much better. Flow seems to all be working now.
Getting an ‘unsupported 8BITMIME’ error, but at least things are moving as they should:

Postfix:

2018-12-17 14:07:43.307573+1100 0x23afe Activity 0x13c80 7456 0 smtpd: (libsystem_info.dylib) Retrieve User by Name
2018-12-17 14:07:43.308955+1100 0x23afe Activity 0x13c81 7456 0 smtpd: (libsystem_info.dylib) Retrieve User by Name
2018-12-17 14:07:43.309674+1100 0x23afe Activity 0x13c82 7456 0 smtpd: (libsystem_info.dylib) Retrieve Group by Name
2018-12-17 14:07:43.324655+1100 0x23afe Info 0x0 7456 0 smtpd: initializing the server-side TLS engine
2018-12-17 14:07:43.329393+1100 0x23afe Activity 0x13c83 7456 0 smtpd: (libsystem_info.dylib) Resolve user group list
2018-12-17 14:07:43.331755+1100 0x23afe Info 0x0 7456 0 smtpd: connect from localhost[127.0.0.1]
2018-12-17 14:07:43.331802+1100 0x23afe Info 0x0 7456 0 smtpd: setting up TLS connection from localhost[127.0.0.1]
2018-12-17 14:07:43.331900+1100 0x23afe Info 0x0 7456 0 smtpd: localhost[127.0.0.1]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
2018-12-17 14:07:43.332153+1100 0x23afe Info 0x0 7456 0 smtpd: SSL_accept:before SSL initialization
2018-12-17 14:07:43.332228+1100 0x23afe Info 0x0 7456 0 smtpd: SSL_accept:before SSL initialization
2018-12-17 14:07:43.332382+1100 0x23afe Info 0x0 7456 0 smtpd: localhost[127.0.0.1]: Decrypting session ticket, key expiration: 1545017636
2018-12-17 14:07:43.332484+1100 0x23afe Info 0x0 7456 0 smtpd: SSL_accept:SSLv3/TLS read client hello
2018-12-17 14:07:43.332554+1100 0x23afe Info 0x0 7456 0 smtpd: SSL_accept:SSLv3/TLS write server hello
2018-12-17 14:07:43.332651+1100 0x23afe Info 0x0 7456 0 smtpd: SSL_accept:SSLv3/TLS write change cipher spec
2018-12-17 14:07:43.332755+1100 0x23afe Info 0x0 7456 0 smtpd: SSL_accept:SSLv3/TLS write finished
2018-12-17 14:07:43.332931+1100 0x23afe Info 0x0 7456 0 smtpd: SSL_accept:SSLv3/TLS write finished
2018-12-17 14:07:43.332973+1100 0x23afe Info 0x0 7456 0 smtpd: SSL_accept:SSLv3/TLS read change cipher spec
2018-12-17 14:07:43.333053+1100 0x23afe Info 0x0 7456 0 smtpd: SSL_accept:SSLv3/TLS read finished
2018-12-17 14:07:43.333108+1100 0x23afe Info 0x0 7456 0 smtpd: localhost[127.0.0.1]: Reusing old session (RFC 5077 session ticket)
2018-12-17 14:07:43.333147+1100 0x23afe Info 0x0 7456 0 smtpd: Anonymous TLS connection established from localhost[127.0.0.1]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
2018-12-17 14:07:50.159699+1100 0x23b42 Default 0x0 7459 0 trivial-rewrite: warning: database /usr/local/etc/postfix/transport.db is older than source file /usr/local/etc/postfix/transport
2018-12-17 14:07:50.238231+1100 0x23afe Activity 0x13c84 7456 0 smtpd: (libsystem_info.dylib) Retrieve service by name
2018-12-17 14:07:50.303206+1100 0x23b45 Activity 0x13d20 7460 0 smtpd: (libsystem_info.dylib) Retrieve User by Name
2018-12-17 14:07:50.303759+1100 0x23b45 Activity 0x13d21 7460 0 smtpd: (libsystem_info.dylib) Retrieve User by Name
2018-12-17 14:07:50.304287+1100 0x23b45 Activity 0x13d22 7460 0 smtpd: (libsystem_info.dylib) Retrieve Group by Name
2018-12-17 14:07:50.306555+1100 0x23b45 Info 0x0 7460 0 smtpd: initializing the server-side TLS engine
2018-12-17 14:07:50.308883+1100 0x23b45 Activity 0x13d23 7460 0 smtpd: (libsystem_info.dylib) Resolve user group list
2018-12-17 14:07:50.310888+1100 0x23b45 Info 0x0 7460 0 smtpd: connect from localhost[127.0.0.1]
2018-12-17 14:07:50.665219+1100 0x23afe Default 0x0 7456 0 smtpd: warning: proxy 127.0.0.1:10025 rejected "MAIL FROM:<jl...@bo...> BODY=8BITMIME SIZE=1632": "502 MAIL FROM BODY=8BITMIME not supported"
2018-12-17 14:07:50.696493+1100 0x23b45 Info 0x0 7460 0 smtpd: disconnect from localhost[127.0.0.1] ehlo=1 quit=1 commands=2
2018-12-17 14:09:31.803134+1100 0x23afe Info 0x0 7456 0 smtpd: lost connection after RCPT from localhost[127.0.0.1]
2018-12-17 14:09:31.803280+1100 0x23afe Info 0x0 7456 0 smtpd: disconnect from localhost[127.0.0.1] ehlo=1 auth=1 mail=1 rcpt=0/1 commands=3/4

ASSP:

Dec-17-18 14:07:50 [Worker_1] Info: try to connect to server at 127.0.0.1:10026
Dec-17-18 14:07:50 [Worker_1] Info: connected to server at 127.0.0.1:10026
Dec-17-18 14:07:50 [Worker_1] Connected: session:7FCD7D357A88 127.0.0.1:50567 > 127.0.0.1:10025 > 127.0.0.1:50569 > 127.0.0.1:10026 , 21-22
Dec-17-18 14:07:50 [Worker_1] 127.0.0.1 info: injected '250-STARTTLS' offer in to EHLO reply
Dec-17-18 14:07:50 [Worker_1] 127.0.0.1 info: send '250-STARTTLS' - injected for 127.0.0.1
Dec-17-18 14:07:50 [Worker_1] 127.0.0.1 info: removed '250-STARTTLS' - it was already injected
Dec-17-18 14:07:50 [Worker_1] [unsupported_8BITMIME] 127.0.0.1 MAIL FROM BODY=8BITMIME not allowed
Dec-17-18 14:07:50 [Worker_1] 127.0.0.1 info: no (more) data readable from 127.0.0.1 (connection closed by peer) - last command was 'QUIT'
Dec-17-18 14:07:50 [Worker_1] 127.0.0.1 disconnected: session:7FCD7D357A88 127.0.0.1 - command list was 'EHLO,MAIL FROM,QUIT' - used 4 SocketCalls - processing time 0 seconds

Outlook says: "Authentication failed because Outlook doesn't support any of the available authentication methods." Nothing in ASSP log.
Mail.app:

2018-12-17 14:17:55.732061+1100 0x25f42 Activity 0x14490 7548 0 smtpd: (libsystem_info.dylib) Retrieve User by Name
2018-12-17 14:17:55.733971+1100 0x25f42 Activity 0x14491 7548 0 smtpd: (libsystem_info.dylib) Retrieve User by Name
2018-12-17 14:17:55.734962+1100 0x25f42 Activity 0x14492 7548 0 smtpd: (libsystem_info.dylib) Retrieve Group by Name
2018-12-17 14:17:55.742827+1100 0x25f42 Info 0x0 7548 0 smtpd: initializing the server-side TLS engine
2018-12-17 14:17:55.752790+1100 0x25f42 Activity 0x14493 7548 0 smtpd: (libsystem_info.dylib) Resolve user group list
2018-12-17 14:17:55.756158+1100 0x25f42 Info 0x0 7548 0 smtpd: connect from localhost[127.0.0.1]
2018-12-17 14:17:55.756223+1100 0x25f42 Info 0x0 7548 0 smtpd: setting up TLS connection from localhost[127.0.0.1]
2018-12-17 14:17:55.756444+1100 0x25f42 Info 0x0 7548 0 smtpd: localhost[127.0.0.1]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
2018-12-17 14:17:55.756876+1100 0x25f42 Info 0x0 7548 0 smtpd: SSL_accept:before SSL initialization
2018-12-17 14:19:18.302683+1100 0x2555b Info 0x0 7501 0 smtpd: disconnect from localhost[127.0.0.1] ehlo=1 quit=1 commands=2

Nothing in ASSP log.

So close!

James

> On 17 Dec 2018, at 1:12 pm, Daniel Miller <dm...@am...> wrote:
>
> On 12/14/2018 8:28 AM, Daniel Miller via Assp-test wrote:
>> Ok - so you have Postfix listening. There's a few different choices available to have Postfix forward to ASSP. I would recommend using Postfix's before-queue content filter method.
>>
>> The entries you've setup in master.cf already are for mail that has been processed by ASSP and now needs delivery. Again - before proceeding further you need to verify things work - clients can connect and authenticate and send via your existing ASSP/Postfix/Dovecot chain.
>>
>> Now in master.cf:
>>
>> 465 inet n - n - 20 smtpd
>>   -o smtpd_proxy_filter=127.0.0.1:10025
>>   -o smtpd_client_connection_count_limit=10
>>
>> (smtpd_proxy_filter: <http://www.postfix.org/postconf.5.html#smtpd_proxy_filter>; smtpd_client_connection_count_limit: <http://www.postfix.org/postconf.5.html#smtpd_client_connection_count_limit>)
>>
>> Note the above address/port are arbitrary - pick what you want though the localhost address is appropriate given your setup. The "smtpd_client_connection_count_limit" may be adjusted as needed. It is also up to you whether or not to have additional validation checks in this Postfix listener (you should - let Postfix block out whatever it can before it touches ASSP otherwise there's not much point in this approach).
>>
>> The "smtpd_proxy_filter" tells Postfix to forward mail to another server for processing prior to delivery. So ASSP needs to be listening for that connection. You can use the primary listeners listenPort, listenPort2, and listenPortSSL but probably a better choice is to configure ASSP with:
>>
>> relayPort=127.0.0.1:10025
>>
>> That matches the setting in master.cf above - and that should do it. To make it SSL - for the master.cf entry above for 465 add
>>
>> -o smtpd_tls_wrappermode=yes
>>
>> and in ASSP make it
>>
>> relayPort=SSL:127.0.0.1:10025
>>
>> Daniel
>>
>> On 12/13/2018 7:13 PM, James Brown wrote:
>>>> On 13 Dec 2018, at 5:39 am, Daniel Miller <dm...@am...> wrote:
>>>>
>>>> The "lsof -i" is a lower-case i (just confirming if it got auto-corrected by email spellcheck).
>>>>
>>>> If "lsof" (or other tools) can't confirm an open port we've got other problems. Need to get that part first. What is expected:
>>>>
>>>> # lsof -i :126
>>>> COMMAND PID  USER FD   TYPE DEVICE SIZE/OFF NODE NAME
>>>> master  1260 root 104u IPv4 33860  0t0      TCP  localhost.localdomain:126 (LISTEN)
>>>>
>>>> Daniel
>>>
>>> Yes, Daniel, it was auto-correct in my email.
>>>
>>> The reason I got nothing returned is because I did not run in sudo mode. Now I get:
>>>
>>> $ sudo lsof -i :10026
>>> Password:
>>> COMMAND PID   USER FD  TYPE DEVICE             SIZE/OFF NODE NAME
>>> master  89692 root 85u IPv4 0x1117b83fdbb9d20b 0t0      TCP  localhost:10026 (LISTEN)
>>>
>>> $ sudo lsof -i :126
>>> COMMAND PID   USER FD  TYPE DEVICE             SIZE/OFF NODE NAME
>>> perl    32559 root 25u IPv4 0x1117b83fd26de50b 0t0      TCP  localhost:49213->localhost:nxedit (CLOSE_WAIT)
>>> master  89692 root 88u IPv4 0x1117b83fdbb9e50b 0t0      TCP  localhost:nxedit (LISTEN)
>>>
>>> James.
>>
>> _______________________________________________
>> Assp-test mailing list
>> Ass...@li...
>> https://lists.sourceforge.net/lists/listinfo/assp-test
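An added example, not code from ASSP, Postfix or anyone on this thread. The 8BITMIME failure in James's log is a hop-by-hop mismatch: the client sent "MAIL FROM:<...> BODY=8BITMIME" to Postfix on 465, Postfix handed it to the proxy hop on 10025, and that hop answered "502 MAIL FROM BODY=8BITMIME not supported". The general rule is that any extension a front end advertises that adds MAIL FROM or RCPT TO parameters (8BITMIME, SIZE, DSN, SMTPUTF8) must also be offered by every hop the envelope passes through. The script below parses EHLO replies, reports the extensions a front end offers that the next hop lacks, and computes the set it could safely advertise; the two embedded EHLO replies are constructed to reproduce the mismatch in the thread (the hostnames, ports and the probe's HELO name are illustrative assumptions). probe_ehlo() can be pointed at a live chain, for example the 465 wrapper-mode listener and the 10025 proxy port from the thread, to compare what each hop really offers.

```python
"""ESMTP extension consistency check for a proxied SMTP chain (added example)."""
import re
import socket
import ssl

# Extensions that add MAIL FROM / RCPT TO parameters, which every downstream
# hop must accept (RFC 6152, RFC 1870, RFC 3461, RFC 6531).
ENVELOPE_EXTENSIONS = ("8BITMIME", "SIZE", "DSN", "SMTPUTF8")

# Constructed replies modelled on the thread: the front end offers 8BITMIME
# (and SIZE, DSN), the proxy hop behind it offers none of them.
FRONT_END_EHLO = (
    "250-mail.example.test\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 10240000\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-8BITMIME\r\n"
    "250 DSN\r\n"
)
PROXY_EHLO = (
    "250-mail.example.test\r\n"
    "250-PIPELINING\r\n"
    "250-STARTTLS\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)


def parse_ehlo(reply):
    """Map EHLO keywords to their parameters from a multi-line 250 reply.
    The first line is the greeting and names no extension."""
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("250"):
        raise ValueError("not a successful EHLO reply: %r" % reply[:40])
    exts = {}
    for ln in lines[1:]:
        m = re.match(r"250[ -](\S+)(?:\s+(.*))?$", ln)
        if m is None:
            raise ValueError("malformed EHLO line: %r" % ln)
        exts[m.group(1).upper()] = (m.group(2) or "").strip()
    return exts


def unsupported_downstream(front_exts, proxy_exts):
    """Envelope extensions the front end offers but the next hop would reject."""
    return [k for k in ENVELOPE_EXTENSIONS
            if k in front_exts and k not in proxy_exts]


def safe_front_end_extensions(front_exts, proxy_exts):
    """What the front end can advertise without a hop-by-hop mismatch: its own
    set minus the envelope extensions the proxy lacks, with SIZE capped at the
    smaller limit when both hops announce one."""
    drop = set(unsupported_downstream(front_exts, proxy_exts))
    safe = {k: v for k, v in front_exts.items() if k not in drop}
    if "SIZE" in safe and proxy_exts.get("SIZE", "").isdigit():
        limits = [int(proxy_exts["SIZE"])]
        if safe["SIZE"].isdigit():
            limits.append(int(safe["SIZE"]))
        safe["SIZE"] = str(min(limits))
    return safe


def probe_ehlo(host, port, implicit_tls=False, verify=True,
               helo_name="probe.example.test", timeout=5.0):
    """Connect, read the banner, send EHLO and return the parsed extensions.
    implicit_tls=True is the wrapper-mode ("forced" SSL) service on 465 from
    the thread; verify=False is needed against a self-signed localhost cert."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if implicit_tls:
        ctx = ssl.create_default_context()
        if not verify:
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=host)
    rfile = sock.makefile("rb")

    def read_reply():
        buf = []
        while True:
            ln = rfile.readline().decode("ascii", "replace")
            if not ln:
                raise ConnectionError("peer closed the connection")
            buf.append(ln)
            if len(ln) >= 4 and ln[3] == " ":   # last line of the reply
                return "".join(buf)

    banner = read_reply()
    if not banner.startswith("220"):
        raise ConnectionError("unexpected banner: %r" % banner)
    sock.sendall(("EHLO %s\r\n" % helo_name).encode("ascii"))
    exts = parse_ehlo(read_reply())
    sock.sendall(b"QUIT\r\n")
    sock.close()
    return exts


if __name__ == "__main__":
    front, proxy = parse_ehlo(FRONT_END_EHLO), parse_ehlo(PROXY_EHLO)
    # Live version of the same comparison for the thread's layout:
    # front = probe_ehlo("127.0.0.1", 465, implicit_tls=True, verify=False)
    # proxy = probe_ehlo("127.0.0.1", 10025)
    for k in unsupported_downstream(front, proxy):
        print("front end offers %s, proxy hop does not: MAIL FROM "
              "parameters using it will be rejected downstream" % k)
    print("safe to advertise:", sorted(safe_front_end_extensions(front, proxy)))
```

Run it as-is to see the constructed mismatch (8BITMIME, SIZE and DSN flagged); uncomment the two probe_ehlo() lines to compare the real 465 and 10025 listeners. Whichever hop is the narrower one is where the fix belongs: either enable the extension on the proxy hop or stop the front end from advertising it, since a client that is offered 8BITMIME is entitled to use BODY=8BITMIME.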