How to enable SMTP authentication?

We want to use the server to deliver mail for some of our hosting clients. However, SMTP (sending mail) should only be allowed when the user can authenticate.

I found no way in Server Admin to enable SMTP authentication explicitly; I just made the following settings:

1. Mail/Settings/General: "Enable SMTP" and "Allow incoming mail" -> both checked.

2. Mail/Settings/Relays: "Accept SMTP relays only from...": 127.0.0.1/32 and our WAN-IP used for the server (without the "/32").

3. Mail/Settings/Advanced/Authentication: All options checked for SMTP (IMAP and POP too, by the way).

I still see many entries in the SMTP log; the mail queue is empty now, however.

Are the settings I made to enable SMTP authentication correct, or have I missed anything?

What exactly is the purpose of "Mail/Settings/General: Enable incoming mail"? I found no reference to this in the documentation.

Thank you 🙂

Mac OS X (10.4.8)

Posted on Oct 27, 2006 9:19 AM

12 replies

Oct 27, 2006 2:04 PM in response to tobias Eichner

In Advanced/Authentication, you did enable SMTP Authentication by checking the different methods.

Have you tried it? It should work just fine.

If you have users on the internet who need to relay, you may want to enable an alternate SMTP port for mail submission (relaying). This can be done by uncommenting the submission line in /etc/postfix/master.cf and restarting mail service. This will enable port 587, which gets around ISPs who block port 25.

Jeff

Oct 27, 2006 2:51 PM in response to UptimeJeff

In Advanced/Authentication, you did enable SMTP Authentication by checking
the different methods.


Yes, I checked everything there. Is this okay? Anything else I need to take care of?

I ask because I still get entries in the SMTP log, although they all look like errors; I'm not sure. Here is a copy of some lines:

Oct 27 18:38:24 star1 postfix/smtpd[7997]: lost connection after RCPT from bzq-88-152-212-226.red.bezeqint.net[88.152.212.226]
Oct 27 18:38:24 star1 postfix/cleanup[8235]: B8A0B4CB14: message-id=<20061027163824.B8A0B4CB14@www.starenterprise.com>
Oct 27 18:38:24 star1 postfix/qmgr[7979]: B8A0B4CB14: from=<double-bounce@www.starenterprise.com>, size=742, nrcpt=1 (queue active)
Oct 27 18:38:24 star1 postfix/smtpd[7997]: disconnect from bzq-88-152-212-226.red.bezeqint.net[88.152.212.226]
Oct 27 18:38:24 star1 postfix/local[8270]: B8A0B4CB14: to=<root@www.starenterprise.com>, orig_to=<postmaster>, relay=local, delay=0, status=sent (delivered to file: /dev/null)
Oct 27 18:38:24 star1 postfix/qmgr[7979]: B8A0B4CB14: removed
Oct 27 18:38:24 star1 postfix/smtpd[7980]: connect from d83-186-24-85.cust.tele2.be[83.186.24.85]
Oct 27 18:38:25 star1 postfix/trivial-rewrite[7983]: warning: do not list domain sunnyscript.com in BOTH mydestination and virtual_mailbox_domains
Oct 27 18:38:25 star1 postfix/smtpd[7980]: warning: unknown smtpd restriction: "relays.ordb.org"
Oct 27 18:38:25 star1 postfix/smtpd[7980]: NOQUEUE: reject: RCPT from d83-186-24-85.cust.tele2.be[83.186.24.85]: 451 Server configuration error; from=<wanamake@fwlaw.com> to=<ru.davidson@sunnyscript.com> proto=SMTP helo=<fwlaw.com>
Oct 27 18:38:25 star1 postfix/smtpd[7980]: lost connection after RCPT from d83-186-24-85.cust.tele2.be[83.186.24.85]
Oct 27 18:38:25 star1 postfix/cleanup[8235]: 0ED044CB15: message-id=<20061027163825.0ED044CB15@www.starenterprise.com>
Oct 27 18:38:25 star1 postfix/qmgr[7979]: 0ED044CB15: from=<double-bounce@www.starenterprise.com>, size=736, nrcpt=1 (queue active)
Oct 27 18:38:25 star1 postfix/smtpd[7980]: disconnect from d83-186-24-85.cust.tele2.be[83.186.24.85]
Oct 27 18:38:25 star1 postfix/local[8236]: 0ED044CB15: to=<root@www.starenterprise.com>, orig_to=<postmaster>, relay=local, delay=0, status=sent (delivered to file: /dev/null)
Oct 27 18:38:25 star1 postfix/qmgr[7979]: 0ED044CB15: removed
Oct 27 18:38:32 star1 postfix/smtpd[7982]: connect from 20151219186.user.veloxzone.com.br[201.51.219.186]
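
The excerpt above mixes connection churn, two warnings and one rejection, which is why it "looks like errors". As an added example (not part of this post or of any reply in the thread), the following Python script, written for this edit, parses lines in that syslog format and separates connects, lost connections, rejections by SMTP code and reason, and the "unknown smtpd restriction" warning that sits right before the 451 "Server configuration error". The sample lines are constructed with placeholder hosts and addresses; all function and variable names are this edit's own.

```python
import re
from collections import Counter

# Constructed sample lines in the format of the smtpd excerpt posted above;
# hostnames and addresses are placeholders, not the ones from the post.
SAMPLE_LOG = """\
Oct 27 18:38:24 star1 postfix/smtpd[7997]: lost connection after RCPT from host-a.example.net[192.0.2.10]
Oct 27 18:38:24 star1 postfix/smtpd[7997]: disconnect from host-a.example.net[192.0.2.10]
Oct 27 18:38:24 star1 postfix/smtpd[7980]: connect from host-b.example.org[198.51.100.7]
Oct 27 18:38:25 star1 postfix/trivial-rewrite[7983]: warning: do not list domain example.com in BOTH mydestination and virtual_mailbox_domains
Oct 27 18:38:25 star1 postfix/smtpd[7980]: warning: unknown smtpd restriction: "relays.ordb.org"
Oct 27 18:38:25 star1 postfix/smtpd[7980]: NOQUEUE: reject: RCPT from host-b.example.org[198.51.100.7]: 451 Server configuration error; from=<sender@example.net> to=<user@example.com> proto=SMTP helo=<example.net>
Oct 27 18:38:25 star1 postfix/smtpd[7980]: lost connection after RCPT from host-b.example.org[198.51.100.7]
Oct 27 18:38:25 star1 postfix/smtpd[7980]: disconnect from host-b.example.org[198.51.100.7]
Oct 27 18:38:32 star1 postfix/smtpd[7982]: connect from host-c.example.com[203.0.113.5]
Oct 27 18:38:33 star1 postfix/smtpd[7982]: NOQUEUE: reject: RCPT from host-c.example.com[203.0.113.5]: 554 <someone@example.org>: Relay access denied; from=<x@example.org> to=<someone@example.org> proto=SMTP helo=<example.org>
"""

# syslog prefix written by Postfix: timestamp, host, program[pid]: message
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) postfix/(?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT_RE = re.compile(r"^connect from (?P<client>\S+)$")
LOST_RE = re.compile(r"^lost connection after (?P<stage>\w+) from (?P<client>\S+)$")
REJECT_RE = re.compile(r"^NOQUEUE: reject: (?P<stage>\w+) from (?P<client>\S+): (?P<code>\d{3}) (?P<reason>[^;]*);")
UNKNOWN_RE = re.compile(r'^warning: unknown smtpd restriction: "(?P<name>[^"]+)"$')


def parse_lines(text):
    """Yield one dict per line that carries the Postfix syslog prefix; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def normalize_reason(reason):
    """Drop the per-message '<address>:' part so equal reasons group together."""
    return re.sub(r"<[^>]*>:?\s*", "", reason).strip()


def summarize(text):
    """Count connects, rejections (by SMTP code and reason) and warnings in an smtpd log."""
    summary = {
        "connects": Counter(),        # client -> number of connections
        "lost_connections": 0,        # client went away mid-session (typically right after a reject)
        "rejects": Counter(),         # SMTP reply code -> count
        "reasons": Counter(),         # normalized reject reason -> count
        "unknown_restrictions": [],   # names Postfix could not parse in a restriction list
        "warnings": [],               # (program, warning text)
    }
    for rec in parse_lines(text):
        msg = rec["msg"]
        m = CONNECT_RE.match(msg)
        if m:
            summary["connects"][m.group("client")] += 1
            continue
        if LOST_RE.match(msg):
            summary["lost_connections"] += 1
            continue
        m = REJECT_RE.match(msg)
        if m:
            summary["rejects"][m.group("code")] += 1
            summary["reasons"][normalize_reason(m.group("reason"))] += 1
            continue
        if msg.startswith("warning: "):
            summary["warnings"].append((rec["prog"], msg[len("warning: "):]))
            m = UNKNOWN_RE.match(msg)
            if m:
                summary["unknown_restrictions"].append(m.group("name"))
    return summary


def config_errors(summary):
    """Number of mails refused with 451 because a restriction list could not be parsed.
    A 4xx reply is a temporary refusal: nothing was accepted, and the sending side will retry."""
    return summary["reasons"]["Server configuration error"]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("connections:", sum(s["connects"].values()))
    print("rejects by code:", dict(s["rejects"]))
    print("reasons:", dict(s["reasons"]))
    print("unparseable restrictions:", s["unknown_restrictions"])
    print("451 config-error rejects:", config_errors(s))
```

Run against a real /var/log/mail.log the same way (read the file into `summarize`); a non-empty `unknown_restrictions` list points straight at the restriction parameter that needs fixing in main.cf, and a 554 "Relay access denied" count is what you want to see for unauthenticated relay attempts.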

Oct 28, 2006 8:10 AM in response to UptimeJeff

Do you require virtual domains?


You mean domains that share the same IP? Yes, we need this feature. Does this mean a security risk that needs special attention?

The output of postconf -n is this:

command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
enable_server_options = yes
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailbox_size_limit = 0
mailbox_transport = cyrus
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maps_rbl_domains =
message_size_limit = 10485760
mydestination = $myhostname,localhost.$mydomain,localhost,domain1.com,domain2.com
mydomain = domain1.com
mydomain_fallback = localhost
myhostname = www.domain1.com
mynetworks = 127.0.0.1/32,123.44.555.66
mynetworks_style = host
newaliases_path = /usr/bin/newaliases
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_client_restrictions = permit_mynetworks relays.ordb.org permit
smtpd_pw_server_security_options = gssapi,cram-md5,login,plain
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,permit
smtpd_sasl_auth_enable = yes
smtpd_tls_key_file =
smtpd_use_pw_server = yes
unknown_local_recipient_reject_code = 550
virtual_mailbox_domains = hash:/etc/postfix/virtual_domains
virtual_transport = lmtp:unix:/var/imap/socket/lmtp

I hope that helps and someone can say whether or not SMTP authentication is enabled. My own test (currently only with the IP, because our domains aren't active yet) showed that I was not able to send mail without a user/password pair. But I'm a bit paranoid here, for obvious reasons 😉

I found this line in the above output:
smtpd_client_restrictions = permit_mynetworks relays.ordb.org permit

Is relays.ordb.org used by default for blacklisting? I haven't enabled "Use these junk mail rejection servers..." in the mail service. I did so in the past, but removed relays.ordb.org; is this an error in the Server Admin tools that has left the entry here?

Oct 28, 2006 8:22 AM in response to tobias Eichner

I'm not sure why you are concentrating on SMTP authentication.
You said you tested it and it worked, and according to your config you have enabled it.

I would concentrate on other aspects of your config which have issues.

- your log states "warning: do not list domain sunnyscript.com in BOTH mydestination and virtual_mailbox_domains"
It's telling you this for a reason. You may need to study about what virtual domains are and determine if you require them. As it is, you have sunnyscript.com listed as a local and a virtual domain, and the system is warning you of this mistake. Do not list domains as both a localhost alias AND as a virtual domain. If you don't REQUIRE the virtual domains feature then you may find the system easier to manage with this feature disabled.

- This line is incorrect:
smtpd_client_restrictions = permit_mynetworks relays.ordb.org permit
Personally, I wouldn't use that blacklist, but if you choose to, the line should read:
smtpd_client_restrictions = permit_mynetworks reject_rbl_client relays.ordb.org permit
Better yet, you may want to use this blacklist:
smtpd_client_restrictions = permit_mynetworks reject_rbl_client sbl-xbl.spamhaus.org permit
You edited the contents of your postconf -n (removed domain names) so I can't offer much more advice (like checking dns records).
Jeff

Oct 28, 2006 8:34 AM in response to UptimeJeff

Wow, this was quite a fast reply 🙂

- your log states "warning: do not list domain
sunnyscript.com in BOTH mydestination and
virtual_mailbox_domains"
It's telling you this for a reason. You may need to
study about what virtual domains are and determine if
you require them. As it is, you have sunnyscript.com
listed as a local and a virtual domain, and the
system is warning you of this mistake. Do not list
domains as both a localhost alias AND as a virtual
domain. If you don't REQUIRE the virtual domains
feature then you may find the system easier to manage
with this feature disabled.


We require it, since we don't have a unique IP for each domain we intend to host.

But what you say is strange... I have asked exactly this question several times of Apple's support, and they told me to leave the domain entries (e.g. domain1.com and domain2.com) at Mail/Settings/Advanced/Hosting in both areas, "Local Host Aliases" and "Locally hosted virtual domains".

So I also think that these domains must be removed from the "local host aliases" area. Do you? Should I leave the pre-filled entry "localhost"?

(The server is intended to be accessed only over the Internet; there will be no local users sending mail.)

- This line is incorrect:
smtpd_client_restrictions = permit_mynetworks relays.ordb.org permit
Personally, I wouldn't use that blacklist, but if
you choose to, the line should read:


No, I don't want to use it. But I haven't altered this file manually, I always used the server admin tools (they seem to be buggy in many aspects).

smtpd_client_restrictions = permit_mynetworks reject_rbl_client relays.ordb.org permit

Better yet, you may want to use this blacklist:
smtpd_client_restrictions = permit_mynetworks reject_rbl_client sbl-xbl.spamhaus.org permit

How would the line look without blacklists:
smtpd_client_restrictions = permit_mynetworks permit
?
And where can I manually edit it?
You edited the contents of your postconf -n (removed
domain names) so I can't offer much more advice (like
checking dns records).

Thank you for your offer; I will surely come back to it 🙂 Anyway, the domains are currently not working (we are at this time still setting everything up).

Jeff

Oct 28, 2006 9:23 AM in response to tobias Eichner

Regarding virtual domains: this has nothing to do with having a single IP (for web hosting, yes; but for mail hosting, no).
You need virtual domains if you require separate mailboxes with the same name but different domains (confusing explanation). It's easier to illustrate it... If you need info@domain1.com and info@domain2.com to be separate mailboxes, then you require virtual domains. Without virtual domains, info@domain1.com and info@domain2.com would be the same mailbox.
Apple's implementation of virtual domains is minimally functional. If you can function without virtual domains, the config and maintenance is easier. If you require virtual domains, you will probably discover limitations of Apple's implementation and have to switch to Postfix Virtual Aliases. It's not simple if you've never set it up before and you'll have to work in command-line quite a bit.
Make sure you REQUIRE virtual domains if you decide to use them. If you don't require them, then disable and put all your domains in local host aliases.

The Apple rep was wrong when he told you that the domains should be listed in both places, they should not be.

For the smtpd_client_restrictions error, you'll need to edit the file by hand.
You can use a GUI editor if you're not comfortable in Terminal, but you need to use a GUI editor which saves Unix text files properly. Try TextWrangler. The file is /etc/postfix/main.cf
To have no blacklists, you could remove the smtpd_client_restrictions line altogether, or edit it to:
smtpd_client_restrictions = permit_mynetworks permit

Jeff
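
Pulling together the postconf -n output earlier in the thread and the two corrections above (the bare relays.ordb.org token in smtpd_client_restrictions, and a domain listed in both mydestination and virtual_mailbox_domains), here is an added Python check, written for this edit and not taken from the thread or from Apple's tools, that lints such a configuration. It goes a step beyond what the thread covers: it also flags a recipient restriction list that lacks reject_unauth_destination or reaches an unconditional permit before it (an open relay), and a permit_sasl_authenticated without smtpd_sasl_auth_enable = yes. The sample configuration and virtual-domain table are constructed with placeholder domains; since postconf cannot show the contents of a hash: table, the virtual domains are passed in explicitly. All names in the script are this edit's own.

```python
import re

# Constructed postconf -n excerpt modelled on the one posted in the thread
# (parameter names restored; domains and the WAN address are placeholders).
SAMPLE_POSTCONF = """\
mydestination = $myhostname,localhost.$mydomain,localhost,domain1.com,domain2.com
mydomain = domain1.com
myhostname = www.domain1.com
mynetworks = 127.0.0.1/32,192.0.2.1
smtpd_client_restrictions = permit_mynetworks relays.ordb.org permit
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,permit
smtpd_sasl_auth_enable = yes
virtual_mailbox_domains = hash:/etc/postfix/virtual_domains
"""

# Constructed contents of the virtual_domains table (postconf -n cannot show them).
SAMPLE_VIRTUAL_DOMAINS = ["domain2.com", "domain3.com"]

# Restrictions that consume the next token as their argument (an RBL zone or an access table).
TAKES_ARGUMENT = {
    "reject_rbl_client", "reject_rhsbl_client", "reject_rhsbl_sender", "reject_rhsbl_recipient",
    "check_client_access", "check_helo_access", "check_sender_access", "check_recipient_access", "sleep",
}
# Argument-less restrictions; a subset large enough for the lists seen in this thread.
STANDALONE = {
    "permit", "reject", "defer", "defer_if_permit", "defer_if_reject", "warn_if_reject",
    "permit_mynetworks", "permit_sasl_authenticated", "permit_inet_interfaces", "permit_auth_destination",
    "reject_unauth_destination", "reject_unauth_pipelining", "reject_unknown_client_hostname",
    "reject_unknown_reverse_client_hostname", "reject_non_fqdn_sender", "reject_non_fqdn_recipient",
    "reject_unknown_sender_domain", "reject_unknown_recipient_domain", "reject_unlisted_sender",
    "reject_unlisted_recipient", "reject_invalid_helo_hostname", "reject_non_fqdn_helo_hostname",
    "reject_unknown_helo_hostname",
}


def parse_postconf(text):
    """Turn 'name = value' lines into a dict; values keep their raw Postfix syntax."""
    cfg = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            cfg[name.strip()] = value.strip()
    return cfg


def expand(cfg, value):
    """Substitute $name references the way Postfix does (unknown names expand to nothing)."""
    return re.sub(r"\$(\w+)", lambda m: cfg.get(m.group(1), ""), value)


def split_list(value):
    """Postfix lists may be separated by commas, whitespace, or both."""
    return [tok for tok in re.split(r"[,\s]+", value) if tok]


def restriction_tokens(value):
    """Return ([(restriction, argument), ...], [tokens Postfix would not understand])."""
    tokens, parsed, unknown, i = split_list(value), [], [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in TAKES_ARGUMENT:
            parsed.append((tok, tokens[i + 1] if i + 1 < len(tokens) else None))
            i += 2
        elif tok in STANDALONE or ":" in tok or tok.startswith("$"):
            parsed.append((tok, None))  # lookup tables (type:name) and $macros are legal too
            i += 1
        else:
            unknown.append(tok)
            i += 1
    return parsed, unknown


def lint(cfg, virtual_domains=()):
    """Return (parameter, problem) pairs for the misconfigurations discussed in the thread."""
    findings = []
    # 1. A bare hostname where a restriction is expected: smtpd logs 'unknown smtpd restriction'
    #    and answers 451 Server configuration error, so no mail gets in on that path.
    for param in ("smtpd_client_restrictions", "smtpd_recipient_restrictions"):
        if param in cfg:
            for tok in restriction_tokens(cfg[param])[1]:
                findings.append((param, f'unknown restriction "{tok}"; an RBL zone must follow reject_rbl_client'))
    # 2. Relay control lives in the recipient restrictions (Postfix 2.x default shown when unset;
    #    newer releases additionally have smtpd_relay_restrictions).
    rcpt = cfg.get("smtpd_recipient_restrictions", "permit_mynetworks, reject_unauth_destination")
    names = [name for name, _ in restriction_tokens(rcpt)[0]]
    if "reject_unauth_destination" not in names:
        findings.append(("smtpd_recipient_restrictions", "missing reject_unauth_destination: open relay"))
    for name in names:
        if name == "reject_unauth_destination":
            break
        if name == "permit":
            findings.append(("smtpd_recipient_restrictions", "unconditional permit before reject_unauth_destination: open relay"))
    if "permit_sasl_authenticated" in names and cfg.get("smtpd_sasl_auth_enable") != "yes":
        findings.append(("smtpd_sasl_auth_enable", "permit_sasl_authenticated is listed but SASL authentication is off"))
    # 3. The trivial-rewrite warning from the log: a domain in both mydestination and the virtual table.
    local = set(split_list(expand(cfg, cfg.get("mydestination", ""))))
    for domain in sorted(local & set(virtual_domains)):
        findings.append(("mydestination", f"{domain} is listed in both mydestination and virtual_mailbox_domains"))
    return findings


if __name__ == "__main__":
    for param, problem in lint(parse_postconf(SAMPLE_POSTCONF), SAMPLE_VIRTUAL_DOMAINS):
        print(f"{param}: {problem}")
```

On a live box, feed it `postconf -n` output and the left-hand column of /etc/postfix/virtual_domains; an empty result means the two problems raised in this thread are gone and the relay rules still require either a listed network or a SASL login.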

Oct 29, 2006 5:46 AM in response to UptimeJeff

Quite strange:

When opening my mail queue I still have entries there (although currently no users are on the server; it is still being set up). For example:

Message ID: 1298E4E30D
Date: Sun Oct 29 14:45:18
Size: 4595
Sender: MAILER-DAEMON
Recipient(s) & Status:
----------------------
jarmiumol@hfd.com

After emptying the queue, it does not take long before there are more mails. Up to 44 in the worst case.

Why does this happen? Does anyone have an idea?

Oct 29, 2006 11:28 PM in response to UptimeJeff

In Server Admin, I removed the domain listings from "local host aliases" as advised previously.

When I restarted the mail service, it took no more than five minutes until my mail queue was full of (spam) messages and the server's CPU performance went down dramatically. Therefore I think that the system is still being abused by spammers and SMTP authentication is not correctly enabled.

Please help.

Nov 1, 2006 3:04 AM in response to tobias Eichner

I ran some tests from websites offering to check for open SMTP relays. All of them stated that the server isn't an open relay.

So far, so good.

But... is it normal behavior that all messages appear in the mail queue? By my definition, mail is put into the queue when it has been received by the server successfully and is waiting to be processed.

In the meantime my mail queue contains 600 messages. Most of them show various errors (e.g. server dropped connection, refused, etc.).

I guess that the mail queue is automatically cleaned up by the server, isn't it?

I would be grateful if someone could shed light on this issue.
