This is a discussion on SASL Problem within the alt.comp.mail.postfix forums, part of the Mail Servers and Related category.
Well after a long night I managed to set up Postfix and SASL2 under
Debian. As you can guess, it's not working completely. I set up SASL2 to check a sasl2db. It works if you do the SMTP conversation by hand. That's the prompt you get:

---
220 bla.bla.org ESMTP Balin
ehlo tobi.local
250-blabla.org
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH NTLM LOGIN PLAIN OTP DIGEST-MD5 CRAM-MD5
250-AUTH=NTLM LOGIN PLAIN OTP DIGEST-MD5 CRAM-MD5
250 8BITMIME
AUTH PLAIN xyz
235 Authentication successful
---

These are the important lines in my main.cf:

---
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_pipelining, reject_unknown_recipient_domain,
    reject_rhsbl_recipient blackhole.securitysage.com,
    reject_unauth_destination, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = bla.org
broken_sasl_auth_clients = yes
---

To make it short: the problem is that the MTA and the MUA don't start an authentication process. If I send mail, the mail server says "relay denied" and does not even try to authenticate via SASL. I configured my MUA (Thunderbird - and yes, I even tried Outlook Express :D) to authenticate by username and password, which is correctly set up too. mail.log only says the following lines:

---
Dec 19 02:30:43 balin postfix/smtpd[10320]: connect from dialin-145-254-099-238.arcor-ip.net[145.254.99.238]
Dec 19 02:30:45 balin postfix/smtpd[10320]: NOQUEUE: reject: RCPT from dialin-145-254-099-238.arcor-ip.net[145.254.99.238]: 554 <tobi.sasse@bla.de>: Relay access denied; from=<tobi@bla.org> to=<tobi.sasse@bla.de> proto=ESMTP helo=<[145.254.99.238]>
---

Why does nobody request an SASL authentication? I think it's running but nobody wants to use it :D Strange things. I hope somebody can give me a tip.

Good Night and thank you,
Tobi

--
Tobias Sasse
tobi@coldweb.org
http://tobi.coldweb.org/
Oh I forgot: that's what the smtpd.conf says:

---
pwcheck_method: auxprop
---

--
Tobias Sasse
tobi@coldweb.org
http://tobi.coldweb.org/
Oh and I just discovered, that's what the SMTP prompt looks like from
external hosts:

---
220 SMTP service ready
ehlo tobi.local
250-Requested mail action okay, completed
250-SIZE 10240000
250 8BITMIME
AUTH PLAIN xxx
504 Unrecognized authentication type
---

If you compare it to the one I posted in my first mail (from localhost), these AUTH BLA tags are missing. Could there be errors through firewall filtering or something?

I don't know.. I hope there is somebody with an idea out there.

Thank you,
Tobi

--
Tobias Sasse
tobi@coldweb.org
http://tobi.coldweb.org/
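The comparison Tobi made by hand above (EHLO from the LAN versus EHLO from a dial-in host) is the right diagnostic; here it is as an added example, not part of the original thread and not Postfix or WatchGuard code. The script parses a multi-line 250 reply into a capability map, reports which capabilities (and which SASL mechanisms) the device in front of the server strips, and can fetch a live EHLO reply so the same check can be repeated from two vantage points. The two sample replies are constructed from the transcripts posted in this thread; the host, port and HELO name used by probe() are assumptions.

```python
"""Compare the ESMTP capabilities a server advertises from two vantage points."""
import socket
from typing import Dict, List, Set

# Constructed sample replies, copied from the two EHLO exchanges in the thread:
# the one seen from the LAN and the one seen through the Firebox.
EHLO_INSIDE = """250-blabla.org
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH NTLM LOGIN PLAIN OTP DIGEST-MD5 CRAM-MD5
250-AUTH=NTLM LOGIN PLAIN OTP DIGEST-MD5 CRAM-MD5
250 8BITMIME
"""

EHLO_OUTSIDE = """250-Requested mail action okay, completed
250-SIZE 10240000
250 8BITMIME
"""


def parse_ehlo(reply: str) -> Dict[str, List[str]]:
    """Turn a multi-line 250 EHLO reply into {KEYWORD: [params]}.

    The first line carries the server's greeting, not a capability, so it
    is skipped. 'AUTH=...' (the extra form Postfix emits when
    broken_sasl_auth_clients = yes) is folded into AUTH.
    """
    caps: Dict[str, List[str]] = {}
    lines = [ln.rstrip("\r") for ln in reply.splitlines() if ln.strip()]
    for ln in lines[1:]:
        if not ln.startswith("250") or len(ln) < 4 or ln[3] not in "- ":
            raise ValueError(f"not a 250 continuation line: {ln!r}")
        body = ln[4:].strip()
        if body.upper().startswith("AUTH="):
            body = "AUTH " + body[5:]
        keyword, _, params = body.partition(" ")
        known = caps.setdefault(keyword.upper(), [])
        known.extend(p for p in params.split() if p not in known)
    return caps


def auth_mechanisms(caps: Dict[str, List[str]]) -> Set[str]:
    """SASL mechanisms offered; empty if AUTH is not advertised at all."""
    return set(caps.get("AUTH", []))


def diagnose(inside: str, outside: str) -> List[str]:
    """List what the server offers directly but the external path does not.

    A missing AUTH is exactly the failure in this thread: the MUA never
    tries to log in, Postfix answers 'Relay access denied', and a forced
    'AUTH PLAIN' gets '504 Unrecognized authentication type'.
    """
    a, b = parse_ehlo(inside), parse_ehlo(outside)
    findings = [f"{cap} advertised directly but stripped on the external path"
                for cap in sorted(set(a) - set(b))]
    lost = auth_mechanisms(a) - auth_mechanisms(b)
    if lost and "AUTH" in b:
        findings.append("AUTH mechanisms dropped: " + " ".join(sorted(lost)))
    if "AUTH" in a and "AUTH" not in b:
        findings.append("external clients cannot authenticate, so "
                        "permit_sasl_authenticated never matches for them")
    return findings


def _read_reply(f) -> str:
    """Read one SMTP reply: 'NNN-' lines continue it, 'NNN ' ends it."""
    out = []
    while True:
        line = f.readline().decode("latin-1")
        if not line:
            raise ConnectionError("server closed the connection")
        out.append(line)
        if len(line) >= 4 and line[3] == " ":
            return "".join(out)


def probe(host: str, port: int = 25, helo: str = "probe.example",
          timeout: float = 10.0) -> str:
    """Fetch the raw EHLO reply from a live server (host/port/helo are assumptions).

    Run once from the LAN and once from outside, then pass both to diagnose().
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        _read_reply(f)                       # 220 banner
        s.sendall(f"EHLO {helo}\r\n".encode())
        reply = _read_reply(f)
        s.sendall(b"QUIT\r\n")
    return reply


if __name__ == "__main__":
    for line in diagnose(EHLO_INSIDE, EHLO_OUTSIDE):
        print(line)
```

Run with the constructed samples it reports AUTH, ETRN, PIPELINING and VRFY as stripped, which matches the 504 Tobi saw. Because the parser keeps every keyword, the same two-sided comparison also shows whether STARTTLS survives an intermediary; a device that rewrites the EHLO reply can silently remove the one capability that makes plaintext AUTH PLAIN/LOGIN safe to offer.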
Check this and update accordingly........

Type this command "sasldblistusers2". All your logins will be listed, something like this.....

user1@hostname: userPassword
user2@hostname: userPassword
user3@hostname: userPassword

Now your smtpd_sasl_local_domain setting should be what appears in the hostname field above.
My setting here is smtpd_sasl_local_domain = mail (which is my hostname!)

Regards,
Clifford

"Tobias Sasse" <tobi@coldweb.org> wrote in message news:32k64rF3m98doU1@individual.net...
> Oh and I just discovered, that's what the SMTP prompt looks from
> external hosts:
>
> ---
> 220 SMTP service ready
> ehlo tobi.local
> 250-Requested mail action okay, completed
> 250-SIZE 10240000
> 250 8BITMIME
> AUTH PLAIN xxx
> 504 Unrecognized authentication type
> ---
>
> If you compare it to the one I postet in my first mail (from localhost)
> there are these AUTH BLA tags missing. Could there be errors through
> firewall-filtering or something?
>
> I don't know.. I hope there is somebody with an idea out there.
>
> Thank you,
> Tobi
>
> --
> Tobias Sasse
> tobi@coldweb.org
> http://tobi.coldweb.org/
Clifford Gonsalves wrote:
> Check this and update accordingly........
>
> Type this command "sasldblistuser2"
> All your login will be listed something like this.....
>
> user1@hostname: userPassword
> user2@hostname: userPassword
> user3@hostname: userPassword
>
> now your smtpd_sasl_local_domain setting should what appears in hostname
> field above.
> My setting here is smtpd_sasl_local_domain = mail (which is my hostname!)

Well yes, the domain and hostnames are ok. The problem is the Watchguard Firebox, which seems to provide some sort of SMTP proxy. The remarkable thing is that there are completely different SMTP outputs if you connect to port 25 by telnet locally or from external sources.

--
Tobias Sasse
tobi@coldweb.org
http://tobi.coldweb.org/
On 2004-12-20 07:14:43 -0500, Tobias Sasse <tobi@coldweb.org> said:
> Well yes the domain and hostnames are ok. The problem is the Watchguard
> Firebox which seems to provide some sort of SMTP-Proxy. The remarkable thing
> is that there are completley different SMPT-Outputs if you connect to Port 25
> by telnet locally or from external sources.

Yes, the WatchGuard SMTP proxy will interfere with SMTP authentication (I ran into this problem with another platform/MTA). The only fix of which I am aware is to use the Filtered-SMTP service (and then you lose the advantages of the proxy: blocked attachments, attachment sizes, etc.).

HTH.

--
Scott Lowe
Scott Lowe wrote:
> Yes, the WatchGuard SMTP proxy will interfere with SMTP authentication
> (I ran into this problem with another platform/MTA). The only fix of
> which I am aware is to use the Filtered-SMTP service (and then you lose
> the advantages of the proxy--blocked attachments, attachment sizes, etc.).

Well, there are two mail servers connected to the firewall. Is it possible that mine connects to the Internet without the SMTP proxy? I am not interested in the advantages I have from the Firebox if I could provide SASL + TLS without it %)

--
Tobias Sasse
tobi@coldweb.org
http://tobi.coldweb.org/
Tobias Sasse wrote:
> Scott Lowe wrote:
>
>> Yes, the WatchGuard SMTP proxy will interfere with SMTP authentication
>> (I ran into this problem with another platform/MTA). The only fix of
>> which I am aware is to use the Filtered-SMTP service (and then you
>> lose the advantages of the proxy--blocked attachments, attachment
>> sizes, etc.).
>
> Well there are two Mailservers connected to the Firewall. Is it possible
> that my one connects to the Internet without the SMTP Proxy? I am not
> interested in the advantages I have from the Firebox, if I could provide
> SASL + TLS without it %)

Do you need the outgoing SMTP proxied at all? Otherwise the simplest solution would be to disable outgoing for the SMTP service and add the "Filtered SMTP" from the packet filters section with an allow for outgoing connections.

HTH
-Christian
Christian Winter wrote (without reading thoroughly):
> Tobias Sasse wrote:
>
>> Scott Lowe wrote:
>>
>>> Yes, the WatchGuard SMTP proxy will interfere with SMTP
>>> authentication (I ran into this problem with another platform/MTA).
>>> The only fix of which I am aware is to use the Filtered-SMTP service
>>> (and then you lose the advantages of the proxy--blocked attachments,
>>> attachment sizes, etc.).
>>
>> Well there are two Mailservers connected to the Firewall. Is it possible
>> that my one connects to the Internet without the SMTP Proxy? I am not
>> interested in the advantages I have from the Firebox, if I could provide
>> SASL + TLS without it %)
>
> Do you need the outgoing smtp proxied at all? Otherwise the simplest
> solution would be to disable outgoing for the SMTP service
> and add the "Filtered SMTP" from the packet filters section
> with an allow for outgoing connections.

I should have read the whole thread...

In the "Incoming" filter configuration of the SMTP service ("Modify Service" -> "Properties") you can turn on "Allow AUTH" on the ESMTP tab.

-Christian