Request help with SASL issue and postfix
Rich Cook
2014-08-15 22:00:35 UTC
Hello, I am having a maddening problem. Apologies for cross-posting. I have googled of course for answers, but I cannot figure out exactly what the issue is.
I am trying to put the final touches on my postfix/fetchmail setup. Mostly it's working but the crucial piece I'm missing is the ability to send mail to other hosts through my comcast relay from the command line.

I can send mail from my mail client but not from the command line via sendmail, which I would like very much to be able to do. There is just some little SASL detail or something going on here that I'm missing. I could use a good pair of eyes for help!

To put it in a nutshell, here is what I'm seeing in the logs when I do "postfix flush":
Note that I can telnet to smtp.comcast.net 587 and make a connection, so I am ignoring "no route to host" messages at the moment. Especially since you can see it does connect. Config logs are below. Sorry for the long message, but I'm hopefully anticipating the questions a knowledgeable expert might ask of me. :-)

I can ramp up the verbosity but you probably get the idea.
Warm thanks for any help!

================================================================================ =============
# LOG FILE CONTENTS:
Aug 15 12:48:27 RichCookHomeMac postfix/qmgr[60944]: 810762983FD0: from=<***>, size=332, nrcpt=1 (queue active)
Aug 15 12:48:27 RichCookHomeMac postfix/qmgr[60944]: AED65298168E: from=<***>, size=327, nrcpt=1 (queue active)
Aug 15 12:48:27 RichCookHomeMac postfix/qmgr[60944]: AF585298168F: from=<***>, size=327, nrcpt=1 (queue active)
Aug 15 12:48:27 RichCookHomeMac postfix/qmgr[60944]: C873A29816BA: from=<***>, size=306, nrcpt=1 (queue active)
Aug 15 12:48:27 RichCookHomeMac postfix/qmgr[60944]: CFE0E2983B7C: from=<***>, size=302, nrcpt=1 (queue active)
Aug 15 12:48:27 RichCookHomeMac postfix/qmgr[60944]: D71C029816E8: from=<***>, size=307, nrcpt=1 (queue active)
Aug 15 12:48:27 RichCookHomeMac postfix/smtp[61130]: connect to smtp.comcast.net[2001:558:fe2d:70::30]:587: No route to host
Aug 15 12:48:27 RichCookHomeMac postfix/smtp[61133]: connect to smtp.comcast.net[2001:558:fe2d:70::30]:587: No route to host
Aug 15 12:48:27 RichCookHomeMac postfix/smtp[61132]: connect to smtp.comcast.net[2001:558:fe2d:70::30]:587: No route to host
Aug 15 12:48:27 RichCookHomeMac postfix/smtp[61132]: CFE0E2983B7C: to=<***>, relay=smtp.comcast.net[76.96.40.155]:587, delay=1844, delays=1844/0/0.09/0, dsn=4.0.0, status=deferred (host smtp.comcast.net[76.96.40.155] refused to talk to me: 421 omta14.emeryville.ca.mail.comcast.net comcast Too many sessions opened)
Aug 15 12:48:27 RichCookHomeMac postfix/smtp[61130]: Untrusted TLS connection established to smtp.comcast.net[76.96.40.155]:587: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Aug 15 12:48:27 RichCookHomeMac postfix/smtp[61133]: Untrusted TLS connection established to smtp.comcast.net[76.96.40.155]:587: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Aug 15 12:48:27 RichCookHomeMac postfix/smtp[61131]: Untrusted TLS connection established to smtp.comcast.net[76.96.40.155]:587: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Aug 15 12:48:27 RichCookHomeMac postfix/smtp[61134]: Untrusted TLS connection established to smtp.comcast.net[76.96.40.155]:587: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Aug 15 12:48:28 RichCookHomeMac postfix/smtp[61130]: warning: SASL authentication failure: No worthy mechs found
Aug 15 12:48:28 RichCookHomeMac postfix/smtp[61130]: AED65298168E: to=<***>, relay=smtp.comcast.net[76.96.40.155]:587, delay=190442, delays=190441/0/0.39/0, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server smtp.comcast.net[76.96.40.155]: no mechanism available)
Aug 15 12:48:28 RichCookHomeMac postfix/smtp[61133]: warning: SASL authentication failure: No worthy mechs found
Aug 15 12:48:28 RichCookHomeMac postfix/smtp[61133]: 810762983FD0: to=<***>, relay=smtp.comcast.net[76.96.40.155]:587, delay=1162, delays=1161/0/0.4/0, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server smtp.comcast.net[76.96.40.155]: no mechanism available)
Aug 15 12:48:28 RichCookHomeMac postfix/smtp[61131]: warning: SASL authentication failure: No worthy mechs found
Aug 15 12:48:28 RichCookHomeMac postfix/smtp[61131]: AF585298168F: SASL authentication failed; cannot authenticate to server smtp.comcast.net[76.96.40.155]: no mechanism available
Aug 15 12:48:28 RichCookHomeMac postfix/smtp[61134]: warning: SASL authentication failure: No worthy mechs found
Aug 15 12:48:28 RichCookHomeMac postfix/smtp[61134]: C873A29816BA: SASL authentication failed; cannot authenticate to server smtp.comcast.net[76.96.40.155]: no mechanism available
Aug 15 12:48:28 RichCookHomeMac postfix/error[61137]: D71C029816E8: to=<***>, relay=none, delay=190645, delays=190645/0.41/0/0, dsn=4.7.0, status=deferred (delivery temporarily suspended: SASL authentication failed; cannot authenticate to server smtp.comcast.net[76.96.40.155]: no mechanism available)
Aug 15 12:48:28 RichCookHomeMac postfix/smtp[61131]: connect to smtp.comcast.net[2001:558:fe2d:70::30]:587: No route to host
Aug 15 12:48:28 RichCookHomeMac postfix/smtp[61131]: AF585298168F: to=<***>, relay=none, delay=190350, delays=190349/0/0.42/0, dsn=4.4.1, status=deferred (connect to smtp.comcast.net[2001:558:fe2d:70::30]:587: No route to host)
Aug 15 12:48:28 RichCookHomeMac postfix/smtp[61134]: connect to smtp.comcast.net[2001:558:fe2d:70::30]:587: No route to host
Aug 15 12:48:28 RichCookHomeMac postfix/smtp[61134]: C873A29816BA: to=<***>, relay=none, delay=190865, delays=190864/0/0.43/0, dsn=4.4.1, status=deferred (connect to smtp.comcast.net[2001:558:fe2d:70::30]:587: No route to host)


================================================================================ =============
# main.cf:
mydomain_fallback = localhost
# message_size_limit = 10485760 # commented out by Rich
biff = no
#mynetworks = 127.0.0.0/8, [::1]/128
#smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated permit
recipient_delimiter = +
smtpd_tls_ciphers = medium
inet_protocols = all
inet_interfaces = loopback-only
#======================================================================
# Rich Cook mods:
message_size_limit = 0

relayhost=[smtp.comcast.net]:587
smtp_sasl_auth_enable=yes
smtp_sasl_password_maps=hash:/etc/postfix/sasl_passwd
smtp_use_tls = yes

smtpd_sasl_auth_enable=yes
smtpd_use_pw_server=yes
enable_server_options=yes
smtpd_pw_server_security_options=plain, login
smtp_tls_loglevel=1
smtpd_sasl_security_options=noanonymous
smtp_tls_security_level=encrypt
broken_sasl_auth_clients=yes
# commented out as I do not fully understand yet, but does not fix to put it back in.
# smtpd_recipient_restrictions=check_sender_access hash:/etc/postfix/access, check_client_access hash:/etc/postfix/access, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access hash:/etc/postfix/access
smtpd_sasl_local_domain=$mydomain
smtp_sasl_mechanism_filter =

# =========================================================================
***@RichCookHomeMac (postfix ): ls -l /etc/postfix/
total 392
-rw-r--r-- 1 root wheel 11942 Feb 8 2014 LICENSE
-rw-r--r-- 1 root wheel 1629 Feb 8 2014 TLS_LICENSE
-rw-r--r-- 1 root wheel 20876 Feb 8 2014 access
-rw-r--r-- 1 root wheel 16384 Aug 15 12:17 access.db
-rw-r--r-- 1 root wheel 8830 Aug 15 12:28 aliases
-rw-r--r-- 1 root wheel 8829 Jun 1 14:57 aliases.desktop
-rw-r--r-- 1 root wheel 3548 Feb 8 2014 bounce.cf.default
-rw-r--r-- 1 root wheel 11681 Feb 8 2014 canonical
-rw-r--r-- 1 root wheel 44 Feb 8 2014 custom_header_checks
-rw------- 1 root wheel 157 Aug 15 11:37 fetchmailrc
-rw-r--r-- 1 root wheel 9904 Feb 8 2014 generic
-rw-r--r-- 1 root wheel 21535 Feb 8 2014 header_checks
-rw-r--r-- 1 root wheel 28864 Aug 15 12:43 main.cf
-rw-r--r-- 1 root wheel 26970 Feb 8 2014 main.cf.default
-rw-r--r-- 1 root wheel 26155 Jun 1 15:04 main.cf.upgradedMtnLion
-rw-r--r-- 1 root wheel 27430 Feb 8 2014 main.cf~orig
-rw-r--r-- 1 root wheel 1441 Feb 8 2014 makedefs.out
-rw-r--r-- 1 root wheel 7443 Feb 8 2014 master.cf
-rw-r--r-- 1 root wheel 7443 Feb 8 2014 master.cf.default
-rw-r--r-- 1 root wheel 18473 Feb 8 2014 postfix-files
-rw-r--r-- 1 root wheel 6816 Feb 8 2014 relocated
-rw-r----- 1 root wheel 44 Aug 15 10:56 sasl_passwd
-rw-r----- 1 root wheel 16384 Aug 15 12:18 sasl_passwd.db
-rw-r--r-- 1 root wheel 12549 Feb 8 2014 transport
-rw-r--r-- 1 root wheel 12494 Feb 8 2014 virtual
Burkhard Ott
2014-08-16 14:19:48 UTC
Post by Rich Cook
Aug 15 12:48:27 RichCookHomeMac postfix/smtp[61130]: connect to smtp.comcast.net[2001:558:fe2d:70::30]:587: No route to host
Aug 15 12:48:27 RichCookHomeMac postfix/smtp[61133]: connect to smtp.comcast.net[2001:558:fe2d:70::30]:587: No route to host
Aug 15 12:48:27 RichCookHomeMac postfix/smtp[61132]: connect to smtp.comcast.net[2001:558:fe2d:70::30]:587: No route to host
Aug 15 12:48:27 RichCookHomeMac postfix/smtp[61132]: CFE0E2983B7C: to=<***>,
Your IPv6 seems to be broken, packets can't get routed via a default
gateway.
Post by Rich Cook
Aug 15 12:48:28 RichCookHomeMac postfix/smtp[61131]: warning: SASL authentication failure: No worthy mechs found

Do they support login or plain text?


cheers
Rich Cook
2014-08-17 15:06:58 UTC
Post by Rich Cook
Hello, I am having a maddening problem. Apologies for cross-posting. I have googled of course for answers, but I cannot figure out exactly what the issue is.
I am trying to put the final touches on my postfix/fetchmail setup. Mostly it's working but the crucial piece I'm missing is the ability to send mail to other hosts through my comcast relay from the command line.
SOLVED.
Here is a summary of what I do and it works great to send email through comcast.
WARNING: comcast sends this stuff in plain text authorization.
NOTE: You also have to create the /etc/postfix/sasl_passwd file referenced below by doing this as root user:

echo '[smtp.comcast.net]:587 username:password' > /etc/postfix/sasl_passwd
postmap hash:/etc/postfix/sasl_passwd

The following settings in main.cf resulted in a working system. Thanks to Viktor Dukhovni, Patrick Koetter, and Rick Zeman.

I believe the key is the following two lines, which override the default behavior.
smtp_sasl_security_options = noplaintext, noanonymous
smtp_sasl_tls_security_options = noanonymous

# Put the following in main.cf at the end:
Probably the only
***@RichCookHomeMac (~ (BARE:master)): postconf -n
biff = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb $daemon_directory/$process_name $process_id & sleep 5
enable_server_options = yes
html_directory = /usr/share/doc/postfix/html
inet_interfaces = loopback-only
inet_protocols = all
mail_owner = _postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 0
mydestination = localhost,localhost.$myhostname,$myhostname,localhost.richcook.net,richcook.net
mydomain = richcook.net
mydomain_fallback = localhost
myhostname = richcook.net
mynetworks = 192.168.0.0/16,rcmac.llnl.gov,localhost,mom.richcook.net
newaliases_path = /usr/bin/newaliases
queue_directory = /Library/Server/Mail/Data/spool
readme_directory = /usr/share/doc/postfix
relayhost = [smtp.comcast.net]:587
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = _postdrop
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter =
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noplaintext, noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_tls_security_level = may
smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated reject
smtpd_pw_server_security_options = plain, login
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_use_pw_server = yes
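
Added example (not part of the original post, and not Postfix or Cyrus SASL code): a simplified Python model of why the first configuration ended in "No worthy mechs found" and why the two lines named above change that. It assumes the relay advertises only PLAIN and LOGIN, which the thread does not confirm; the default values are Postfix's documented defaults.

```python
# Added illustration: a simplified model of how the Postfix SMTP client's
# SASL security options narrow the mechanisms a relay advertises.
# Only noplaintext and noanonymous are modelled.
PLAINTEXT = {"PLAIN", "LOGIN"}   # password crosses the wire merely base64-encoded
ANONYMOUS = {"ANONYMOUS"}

# Documented Postfix defaults for the two client-side parameters.
DEFAULTS = {
    "smtp_sasl_security_options": "noplaintext, noanonymous",
    "smtp_sasl_tls_security_options": "$smtp_sasl_security_options",
}

# Settings taken from the two posts above.
ORIGINAL = "smtp_sasl_auth_enable=yes\nsmtp_tls_security_level=encrypt\n"
FIXED = (
    "smtp_sasl_security_options = noplaintext, noanonymous\n"
    "smtp_sasl_tls_security_options = noanonymous\n"
    "smtp_tls_security_level = may\n"
)
ADVERTISED = ["PLAIN", "LOGIN"]  # constructed: assumes relay offers only these

def parse_postconf(text):
    """Parse 'name = value' lines (postconf -n style) on top of the defaults."""
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            name, _, value = line.partition("=")
            conf[name.strip()] = value.strip()
    return conf

def security_options(conf, tls_active):
    """Return the option set that applies to this session."""
    key = "smtp_sasl_tls_security_options" if tls_active else "smtp_sasl_security_options"
    value = conf[key].replace("$smtp_sasl_security_options", conf["smtp_sasl_security_options"])
    return set(value.replace(",", " ").split())

def usable_mechanisms(conf, advertised, tls_active):
    """Mechanisms left after filtering; an empty list means no worthy mechs."""
    opts = security_options(conf, tls_active)
    mechs = [m.upper() for m in advertised]
    if "noplaintext" in opts:
        mechs = [m for m in mechs if m not in PLAINTEXT]
    if "noanonymous" in opts:
        mechs = [m for m in mechs if m not in ANONYMOUS]
    return mechs
```

With `smtp_tls_security_level = may`, a session that does not negotiate TLS falls under `smtp_sasl_security_options`, so the plaintext mechanisms are filtered out again and the password is not sent over an unencrypted connection.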
Luuk
2014-08-17 15:24:37 UTC
Post by Rich Cook
Post by Rich Cook
Hello, I am having a maddening problem. Apologies for cross-posting. I have googled of course for answers, but I cannot figure out exactly what the issue is.
I am trying to put the final touches on my postfix/fetchmail setup. Mostly it's working but the crucial piece I'm missing is the ability to send mail to other hosts through my comcast relay from the command line.
SOLVED.
Here is a summary of what I do and it works great to send email through comcast.
WARNING: comcast sends this stuff in plain text authorization.
echo '[smtp.comcast.net]:587 username:password' > /etc/postfix/sasl_passwd
postmap hash:/etc/postfix/sasl_passwd
The following settings in main.cf resulted in a working system. Thanks to Viktor Dukhovni, Patrick Koetter, and Rick Zeman.
I believe the key is the following two lines, which override the default behavior.
smtp_sasl_security_options = noplaintext, noanonymous
smtp_sasl_tls_security_options = noanonymous
I had the same two lines in my config since yesterday.

But today I deleted them (and the other lines I added yesterday) because
I was unable to receive mail from google to a local account.

Next weekend I have to do a restart to find out what I need to change to
be able to receive mail on port 587 with authentication, and keep
receiving mail via port 25 without it being blocked ;)

( /me currently not able to send mail from a remote network via my
server )
i***@gmail.com
2014-10-01 07:35:14 UTC
Post by Rich Cook
SOLVED.
echo '[smtp.comcast.net]:587 username:password' > /etc/postfix/sasl_passwd
This is a good workaround for the comcast MTA. Other cases still unsolved?
Post by Rich Cook
I believe the key is the following two lines, which override the default behavior.
smtp_sasl_security_options = noplaintext, noanonymous
smtp_sasl_tls_security_options = noanonymous
I believe these settings are right. I have exactly these. But it doesn't help.

Also I believe that postfix upgrade brought this problem. I have postfix-2.11.1

Best regards,
