Lee H. Marzke on 12 Feb 2018 05:00:06 -0800



Re: [PLUG] Help with Postfix SASL auth to smarthost on RedHat distro


FYI,

OK, SMTP auth over TLS is working now.

Turns out Gmail relay still fails, and it forces you to allow "less secure apps" in your account settings before this works.
So I've switched to my other smarthost and that is working as well.

This is an example of why software code reviews can be so helpful: when you carefully explain or walk through the
code with others, the error that you couldn't see before just jumps out.



Lee



----- Original Message -----
> From: "Lee H. Marzke" <lee@marzke.net>
> To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
> Sent: Sunday, February 11, 2018 10:45:22 PM
> Subject: Re: [PLUG] Help with Postfix SASL auth to smarthost on RedHat distro

> Wow, just typing this message out helped me find the likely error already.
> 
>> -rw------- 1 root root 111   Feb 11 18:37 sasl_paswd
>> -rw------- 1 root root 12288 Feb 11 19:42 sasl_paswd.db
> 
> Looks like passwd is missing an 's' both places.  How did I miss that.
> 
> I'll let everyone know if that fixes it.
> 
> Lee
> 
> ----- Original Message -----
>> From: "Lee H. Marzke" <lee@marzke.net>
>> To: "Philadelphia Linux User's Group Discussion List"
>> <plug@lists.phillylinux.org>
>> Sent: Sunday, February 11, 2018 10:36:36 PM
>> Subject: [PLUG] Help with Postfix SASL auth to smarthost on RedHat distro
> 
>> I'm having trouble with Postfix SMTP authentication to a smarthost on a new
>> install of RH 7.3
>> 
>> This is actually the latest FreePBX SNG7 OS based on RH 7.3 but shouldn't
>> matter.
>> https://en.wikipedia.org/wiki/FreePBX_Distro
>> 
>> I have Postfix SMTP auth over TLS working on an old Ubuntu release, but for
>> some reason the Red Hat distro is giving me permission issues
>> with nearly the same setup. Any clues where I should look next?
>> 
>> Basically SASL authentication strings are in the file /etc/postfix/sasl_passwd
>> containing two smart hosts:
>> 
>> [smtp.gmail.com]:587      username:password
>> [smtp.smarthost2.net]:587 username:password
>> 
>> and has permissions:
>> 
>> -rw------- 1 root root 111   Feb 11 18:37 sasl_paswd
>> -rw------- 1 root root 12288 Feb 11 19:42 sasl_paswd.db
>> 
>> the hash is updated/created with:
>> sudo postmap hash:/etc/postfix/sasl_passwd
>> 
>> Notes with CentOS claim that postfix reads the .db map file as root, then drops
>> permissions on startup.
>> 
>> However, when I send email, I keep getting errors where postfix can't read the
>> sasl_passwd.db file.
>> 
>> Feb 11 22:12:42 freepbx postfix/smtp[11208]: Trusted TLS connection established
>> to smtp.gmail.com[209.85.232.108]:587: TLSv1.2 with cipher
>> ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
>> Feb 11 22:12:42 freepbx postfix/smtp[11208]: warning:
>> hash:/etc/postfix/sasl_passwd is unavailable. open database
>> /etc/postfix/sasl_passwd.db: No such file or directory
>> Feb 11 22:12:42 freepbx postfix/smtp[11208]: warning:
>> hash:/etc/postfix/sasl_passwd lookup error for "smtp.gmail.com"
>> Feb 11 22:12:42 freepbx postfix/smtp[11208]: warning: 89DF211780BB:
>> smtp_sasl_passwd lookup error
>> Feb 11 22:12:42 freepbx postfix/smtp[11208]: 89DF211780BB: local data error
>> while talking to smtp.gmail.com[209.85.232.108]
>> 
>> Now I know the file is there. And I've tried changing permissions to allow
>> postfix group read, and other combinations,
>> but they always fail the same way.
>> 
>> 
>> The relevant sections of main.cf are:
>> 
>> #Setup TLS, using default self-signed certs
>> 
>> smtp_tls_security_level = may
>> smtp_tls_loglevel = 1
>> smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.trust.crt
>> smtp_tls_cert_file = /etc/pki/tls/certs/localhost.crt
>> smtp_tls_key_file = /etc/pki/tls/private/localhost.key
>> 
>> # Use smarthost
>> #relayhost = [smtp.protectedservice.net]:587
>> relayhost = [smtp.gmail.com]:587
>> 
>> # Setup SASL over TLS for smart host ( Gmail require TLS,  others may not )
>> 
>> smtp_use_tls = yes
>> smtp_sasl_auth_enable = yes
>> broken_sasl_auth_clients = yes
>> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
>> smtp_sasl_security_options = noanonymous
>> smtp_sasl_tls_security_options = noanonymous
>> smtp_sasl_type = cyrus
>> smtp_tls_security_level = encrypt
>> smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
>> 
>> ###DEBUG
>> #debug_peer_list=smtp.gmail.com
>> #debug_peer_level=3
>> 
>> 
>> The policy map tls_policy contains (but this isn't causing issues so
>> far):
>> 
>> [smtp.gmail.com]:587 encrypt
>> [smtp.othersmarhost.net]:587 encrypt
>> 
>> 
>> Regards,
>> 
>> 
>> Lee
>> 
>> --
>> "Between subtle shading and the absence of light lies the nuance of iqlusion..."
>> - Kryptos
>> 
>> Lee Marzke,  lee@marzke.net     http://marzke.net/lee/
>> IT Consultant, VMware, VCenter, SAN storage, infrastructure, SW CM
>> 
>> ___________________________________________________________________________
>> Philadelphia Linux Users Group         --        http://www.phillylinux.org
>> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
>> General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
> 

-- 
"Between subtle shading and the absence of light lies the nuance of iqlusion..." - Kryptos 

Lee Marzke, lee@marzke.net http://marzke.net/lee/ 
IT Consultant, VMware, VCenter, SAN storage, infrastructure, SW CM 
+1 800-393-5217 office 
+1 484-348-2230 fax
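
The failure in this thread (main.cf names sasl_passwd while the files on disk are sasl_paswd) can be caught mechanically before any mail is sent. The following is an added example, not part of the original post: check_hash_maps is a hypothetical helper that reads main.cf directly (it does not call postconf) and also flags a stale .db and world-readable credential maps.

```shell
#!/bin/sh
# Added example, not from the thread: confirm that each hash: map named in a
# Postfix main.cf exists under exactly that name, is compiled, and is current.
# check_hash_maps and its report wording are hypothetical helpers.

check_hash_maps() {
    cf=$1
    status=0
    # The map that holds relay credentials gets an extra permission check.
    pw=$(sed -n 's/^smtp_sasl_password_maps[[:space:]]*=.*hash:\([^[:space:],]*\).*/\1/p' "$cf")
    # Collect every hash:/path reference on non-comment lines.
    for map in $(grep -v '^[[:space:]]*#' "$cf" |
                 grep -o 'hash:/[^[:space:],]*' | sort -u); do
        src=${map#hash:}
        if [ ! -f "$src" ]; then
            echo "MISSING source $src"
            status=1
        fi
        if [ ! -f "$src.db" ]; then
            echo "MISSING db $src.db"
            status=1
            # List the .db files that do exist, so a near-miss name stands out.
            for f in "$(dirname "$src")"/*.db; do
                if [ -f "$f" ]; then echo "  found instead: $f"; fi
            done
        elif [ "$src" -nt "$src.db" ]; then
            echo "STALE db $src.db (rerun: postmap $map)"
            status=1
        fi
        if [ "$src" = "$pw" ] &&
           [ -n "$(find "$src" "$src.db" -perm -004 2>/dev/null)" ]; then
            echo "WORLD-READABLE credentials in $src or $src.db"
            status=1
        fi
    done
    return $status
}

# Usage: check_hash_maps /etc/postfix/main.cf
```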