1

Topic: SASL issues when using SSL

Hi!

I'm trying to configure SMTP over SSL without much luck. Theoretically, as far as I understand it, both SMTP and SMTP over SSL use SASL for authenticating against dovecot. The configuration works as expected when using SMTP with STARTTLS, but when I switch to SMTP over SSL it does not work. Please check the logs below when using each of the methods:

SSL:

Jan 15 11:27:40 s13 postfix/smtpd[9751]: connect from x.x.x.x
Jan 15 11:27:40 s13 postfix/smtpd[9751]: setting up TLS connection from x.x.x.x
Jan 15 11:27:41 s13 postfix/smtpd[9751]: Anonymous TLS connection established from x.x.x.x: TLSv1 with cipher AES256-SHA (256/256 bits)
Jan 15 11:27:43 s13 postfix/smtpd[9751]: warning: x.x.x.x: SASL PLAIN authentication failed:
Jan 15 11:27:45 s13 postfix/smtpd[9751]: warning: x.x.x.x: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 15 11:29:34 s13 postfix/smtpd[9751]: lost connection after AUTH from x.x.x.x
Jan 15 11:29:34 s13 postfix/smtpd[9751]: disconnect from x.x.x.x

STARTTLS:

Jan 15 11:31:08 s13 postfix/smtpd[9762]: connect from x.x.x.x
Jan 15 11:31:08 s13 postfix/smtpd[9762]: setting up TLS connection from x.x.x.x
Jan 15 11:31:08 s13 postfix/smtpd[9762]: Anonymous TLS connection established from x.x.x.x: TLSv1 with cipher AES256-SHA (256/256 bits)
Jan 15 11:31:08 s13 postfix/smtpd[9762]: C92BE154102D: client=x.x.x.x, sasl_method=PLAIN, sasl_username=test@testdomain.com
Jan 15 11:31:08 s13 postfix/cleanup[9765]: C92BE154102D: message-id=<4D318583.4090502@testdomain.com>
Jan 15 11:31:09 s13 postfix/qmgr[9725]: C92BE154102D: from=<test@testdomain.com>, size=591, nrcpt=1 (queue active)
Jan 15 11:31:09 s13 postfix/smtpd[9762]: disconnect from x.x.x.x
Jan 15 11:31:09 s13 postfix/smtpd[9769]: connect from localhost[127.0.0.1]
Jan 15 11:31:09 s13 postfix/smtpd[9769]: 3D412154102F: client=localhost[127.0.0.1]
Jan 15 11:31:09 s13 postfix/cleanup[9765]: 3D412154102F: message-id=<4D318583.4090502@testdomain.com>
Jan 15 11:31:09 s13 postfix/smtpd[9769]: disconnect from localhost[127.0.0.1]
Jan 15 11:31:09 s13 postfix/qmgr[9725]: 3D412154102F: from=<test@testdomain.com>, size=1021, nrcpt=1 (queue active)
Jan 15 11:31:09 s13 amavis[1357]: (01357-03) Passed CLEAN, LOCAL [83.56.166.153] [83.56.166.153] <test@testdomain.com> -> <test2@testdomain2.com>, Message-ID: <4D318583.4090502@testdomain.com>, mail_id: 9zI9bAWvMowj, Hits: -10, size: 591, queued_as: 3D412154102F, 227 ms
Jan 15 11:31:09 s13 postfix/smtp[9766]: C92BE154102D: to=<test2@testdomain2.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.59, delays=0.36/0/0/0.23, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=01357-03, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 3D412154102F)
Jan 15 11:31:09 s13 postfix/qmgr[9725]: C92BE154102D: removed
Jan 15 11:31:10 s13 postfix/smtp[9770]: 3D412154102F: to=<test2@testdomain2.com>, relay=ASPMX4.GOOGLEMAIL.com[209.85.229.27]:25, delay=0.92, delays=0.06/0.01/0.14/0.71, dsn=2.0.0, status=sent (250 2.0.0 OK 1295091077 b47si3183876wer.75)
Jan 15 11:31:10 s13 postfix/qmgr[9725]: 3D412154102F: removed

2

Re: SASL issues when using SSL

Please use STARTTLS instead.

3

Re: SASL issues when using SSL

What kind of answer is "use STARTTLS instead"? I already know I can use STARTTLS; I would not be asking if I could just use that.

Some of my customers require SMTP over SSL support.

Can you help me?

4

Re: SASL issues when using SSL

Try this:

- Add 'smtpd_tls_CAfile' in postfix /etc/postfix/main.cf, with same cert file as "smtpd_tls_cert_file":

smtpd_tls_cert_file = /etc/ssl/certs/iRedMail_CA.pem
smtpd_tls_CAfile = /etc/ssl/certs/iRedMail_CA.pem

- Restart postfix.
- Configure your client to use SSL/TLS instead of STARTTLS for testing (port 465, connection security: SSL/TLS).

5

Re: SASL issues when using SSL

Hi ZhangHuang,

I must have something wrong that I cannot find but I keep getting the same error:

Jan 17 20:08:19 s13 postfix/smtpd[27653]: connect from x.x.x.x
Jan 17 20:08:19 s13 postfix/smtpd[27653]: setting up TLS connection from x.x.x.x
Jan 17 20:08:19 s13 postfix/smtpd[27653]: Anonymous TLS connection established from x.x.x.x: TLSv1 with cipher AES256-SHA (256/256 bits)
Jan 17 20:08:21 s13 postfix/smtpd[27653]: warning: x.x.x.x: SASL PLAIN authentication failed:
Jan 17 20:08:23 s13 postfix/smtpd[27653]: warning: x.x.x.x: SASL LOGIN authentication failed: UGFzc3dvcmQ6

Additionally, I base64 decoded the string that is sent, "UGFzc3dvcmQ6", and the unencoded version is "Password:". Therefore I assume there is something wrong. As you say you have it working, could you please send me a sample "main.cf" with minimum configuration?

Regards,
LandM
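
Added example, not part of the original posts: a small Python script that groups the SASL outcomes in postfix/smtpd log lines by process ID and base64-decodes the trailing token of "authentication failed" warnings, as was done by hand above. The sample log is constructed from lines quoted in this thread; the function names are made up for this example.

```python
import base64
import binascii
import re
from collections import defaultdict

# Constructed sample, modelled on the smtpd lines quoted in this thread.
SAMPLE_LOG = """\
Jan 17 20:08:19 s13 postfix/smtpd[27653]: connect from x.x.x.x
Jan 17 20:08:19 s13 postfix/smtpd[27653]: Anonymous TLS connection established from x.x.x.x: TLSv1 with cipher AES256-SHA (256/256 bits)
Jan 17 20:08:21 s13 postfix/smtpd[27653]: warning: x.x.x.x: SASL PLAIN authentication failed:
Jan 17 20:08:23 s13 postfix/smtpd[27653]: warning: x.x.x.x: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jan 15 11:31:08 s13 postfix/smtpd[9762]: C92BE154102D: client=x.x.x.x, sasl_method=PLAIN, sasl_username=test@testdomain.com
"""

LINE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
FAIL = re.compile(r"SASL (?P<mech>\S+) authentication failed:\s*(?P<tail>\S*)")
OK = re.compile(r"sasl_method=(?P<mech>[^,\s]+), sasl_username=(?P<user>\S+)")

def decode_tail(tail):
    """Return the base64-decoded trailing token, or None if absent or not base64 text."""
    if not tail:
        return None
    try:
        return base64.b64decode(tail, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None

def summarize(log_text):
    """Group SASL outcomes by smtpd PID: {pid: [(status, mechanism, detail), ...]}."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        fail = FAIL.search(m.group("msg"))
        ok = OK.search(m.group("msg"))
        if fail:
            detail = decode_tail(fail.group("tail"))
            sessions[m.group("pid")].append(("failed", fail.group("mech"), detail))
        elif ok:
            sessions[m.group("pid")].append(("ok", ok.group("mech"), ok.group("user")))
    return dict(sessions)

if __name__ == "__main__":
    for pid, events in summarize(SAMPLE_LOG).items():
        print(pid, events)
```
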

6

Re: SASL issues when using SSL

Default config with iRedMail, add one more config as I mentioned in reply post, that's all.

Did

landm wrote:

Jan 17 20:08:19 s13 postfix/smtpd[27653]: Anonymous TLS connection established from x.x.x.x: TLSv1 with cipher AES256-SHA (256/256 bits)

You didn't enable SMTP auth? Anonymous?

7

Re: SASL issues when using SSL

Hi Zhang,

We have just discovered why it does not work. And the reason is very simple: it is a bug in iRedMail. Dovecot is looking for some content in LDAP that basically DOES NOT EXIST. So how can you possibly have this working if dovecot is looking for something that does not exist??? Provided we are using the same version of dovecot, postfix and openldap, I see no way your implementation works and mine does not.

I'm pretty sure nobody in the forum has SMTP over SSL working. I bet it.
