I have set up a mail server on AWS EC2 using the instructions from Flurdy: http://flurdy.com/docs/postfix/ and it has mostly gone well.
My issue is that I would prefer to use SMTP port 587 with TLS rather than 465 with SSL. I believe this is a relevant requirement as port 465 is considered not future-proof.
The instructions on the Flurdy site are designed to allow both, however I cannot get 587 to work! 465 with SSL works a charm.
I should also mention that this build uses sasl with MySQL and I think this is why I have not found much help when I Google the errors. I believe the error lies somewhere in the SASL / PAM arena, but I have had no luck.
Here are some of the log outputs:
MAIL.LOG
postfix/smtpd[11328]: connect from MY.ISP.PROVIDER[MY.IP.0.0]
postfix/smtpd[11328]: Anonymous TLS connection established from MY.ISP.PROVIDER[MY.IP.0.0]: TLSv1.2 with cipher AES128-SHA256 (128/128 bits)
postfix/smtpd[11328]: warning: SASL authentication failure: client response doesn't match what we generated (tried bogus)
postfix/smtpd[11328]: warning: MY.ISP.PROVIDER[MY.IP.0.0]: SASL DIGEST-MD5 authentication failed: authentication failure
postfix/smtpd[11328]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
postfix/smtpd[11328]: warning: MY.ISP.PROVIDER[MY.IP.0.0]: SASL LOGIN authentication failed: generic failure
postfix/smtpd[11328]: lost connection after AUTH from MY.ISP.PROVIDER[MY.IP.0.0]
postfix/smtpd[11328]: disconnect from MY.ISP.PROVIDER[MY.IP.0.0]
My master.cf
submission inet n - n - - smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
  -o smtpd_sasl_security_options=noanonymous,noplaintext
  -o smtpd_sasl_tls_security_options=noanonymous
smtps inet n - - - - smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sasl_security_options=noanonymous,noplaintext
  -o smtpd_sasl_tls_security_options=noanonymous
There is also other conf such as AMAVIS, but I suspect this is all ok.
The SQL log shows all the connections and queries working correctly.
I have used telnet for testing and it simply closes the connection when I attempt the auth on port 587. If I open port 25 on my server then I can complete a successful AUTH LOGIN.
Here is the difference in EHLO response with 25 (when open) and 587. I noticed 587 does not include AUTH. Is this the problem?
$ telnet my.mailserver.com 587
Trying MY.IP.0.0...
Connected to my.mailserver.com.
Escape character is '^]'.
220 MY-EC2-SERVER-NAME.localdomain ESMTP Postfix
EHLO my.mailserver.com
250-MY-EC2-SERVER-NAME.localdomain
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
$ telnet my.mailserver.com 25
Trying MY.IP.0.0...
Connected to my.mailserver.com.
Escape character is '^]'.
220 MY-EC2-SERVER-NAME.localdomain ESMTP Postfix
EHLO my.mailserver.com
250-MY-EC2-SERVER-NAME.localdomain
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
I have restarted the services postfix and saslauthd a number of times.
I have also double checked the passwords and usernames in the DB.
I have been over the instructions and checked for misconfiguration and spelling mistakes, although this is likely what it will be in the end 🙂
The server is Ubuntu 13.10.
Please let me know if I can supply any further info to help debugging.
All thoughts welcome!
Best Answer
I also followed Flurdy's tutorial and had a similar problem: I could only send mail through port 25 (smtpd), but not through 587 (submission). I found out the problem to be exactly that, according to his instructions, port 25 was configured to run in chroot but 587 was not - it seems to be an error in the tutorial. Check out this part of flurdy's instructions:
Right below this text you can find this line, stating the daemon for the submission port will not use chroot:

I know this because my original /etc/postfix/master.cf file had comments showing this legend:

Right below the option list for the submission port lies the following line, which configures smtps (port 465):

From this you can see it is using the default (I guess the - sign means it will use the default, which is to use chroot). Ok, then, when you look at the SASL authentication section, where it says:

you can see the OPTIONS variable contains the following path:

Again, with help from my originally commented /etc/default/saslauthd file, I noted this clear explanation:

Since my OPTIONS variable was clearly specifying the chroot case, I just changed my submission configuration at /etc/postfix/master.cf to also use chroot. After restarting the server - just to make sure all the services were properly restarted - it worked out like a charm, now I can send email either through port 25 or 587.

Hope it also helps you out! I also lost quite some time to see this...
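A check for the mismatch this answer describes, as an added example that is not from the question, the answer or Flurdy's tutorial: it parses master.cf and /etc/default/saslauthd and reports every SASL-enabled smtpd service whose chroot setting does not match where the saslauthd socket lives (a socket under the queue directory is only reachable from a chrooted smtpd, which is exactly the "cannot connect to saslauthd server: No such file or directory" case in the question's log). It assumes the queue directory is /var/spool/postfix and that "-" in the chroot column means "y", as on Postfix before 3.0 (the Ubuntu 13.10 era); both are parameters, and the sample config files are constructed.

```python
# Added example, not from the question, the answer or Flurdy's tutorial.
import re

QUEUE_DIR = "/var/spool/postfix"  # Postfix queue_directory, i.e. the chroot jail root

# Constructed sample mirroring the question's master.cf (submission chroot=n, smtps '-')
MASTER_CF = """\
smtp       inet  n  -  -  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o smtpd_sasl_auth_enable=yes
smtps      inet  n  -  -  -  -  smtpd
  -o smtpd_sasl_auth_enable=yes
"""
# Constructed /etc/default/saslauthd sample with the socket inside the jail
SASLAUTHD_DEFAULT = """\
START=yes
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
"""

def parse_master_cf(text, chroot_default="y"):
    """Map smtpd services to chroot flag and SASL state; '-' in the chroot
    column means chroot_default ('y' before Postfix 3.0, 'n' from 3.0 on)."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() or line.startswith("-o"):  # "-o key=value" continuation
            if current and "smtpd_sasl_auth_enable=yes" in line.split():
                services[current]["sasl"] = True
            continue
        f = line.split()  # service type private unpriv chroot wakeup maxproc command
        if len(f) < 8 or f[7] != "smtpd":
            current = None
            continue
        current = f[0]
        chroot = chroot_default if f[4] == "-" else f[4]
        services[current] = {"chroot": chroot == "y", "sasl": False}
    return services

def saslauthd_socket_dir(text):
    """Directory from -m in OPTIONS, else saslauthd's compiled-in default."""
    m = re.search(r'^OPTIONS="([^"]*)"', text, re.M)
    opts = m.group(1).split() if m else []
    return opts[opts.index("-m") + 1] if "-m" in opts else "/var/run/saslauthd"

def find_mismatches(master_cf, saslauthd_default, chroot_default="y"):
    """SASL-enabled smtpd services that cannot reach the saslauthd mux."""
    in_jail = saslauthd_socket_dir(saslauthd_default).startswith(QUEUE_DIR + "/")
    return sorted(n for n, s in parse_master_cf(master_cf, chroot_default).items()
                  if s["sasl"] and s["chroot"] != in_jail)
```

On the sample above it reports only submission, matching the answer; passing chroot_default="n" shows why the same master.cf would also break smtps on a Postfix 3.x install.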