Difference between revisions of "Set up your mail server for sending"

From Linuxintro
imported>WikiSysop
(New page: = Sender verification = Now you do not want anyone to be able to use your mail server as spam-catapult. So you need ''sender verification'' in your postfix service. Make sure your authen...)
 
imported>ThorstenStaerk
 
(21 intermediate revisions by 3 users not shown)
Line 1: Line 1:
= Sender verification =
+
= Overview =
Now you do not want anyone to be able to use your mail server as spam-catapult. So you need ''sender verification'' in your postfix service.  
+
When you have [[set up a mail server]] you can by default send mails within your own domain (e.g. linuxintro.org) but not to the outside. What you probably want is that internet users can connect via a mail client, e.g. Thunderbird to your mail server. If they know a valid username and password, they are allowed to read and send mails.
  
 +
= Configure it =
 +
Authentication is done by saslauthd. So install saslauthd, in this case for SUSE Linux:
 +
[[yast]] -i cyrus-sasl-saslauthd
 +
Start the service:
 +
/etc/init.d/saslauthd start
 
Make sure your authentication service is running:
 
Make sure your authentication service is running:
 
  /etc/init.d/saslauthd status  
 
  /etc/init.d/saslauthd status  
 
has to deliver
 
has to deliver
 
  running
 
  running
 +
Make sure the service starts on boot
 +
chkconfig saslauthd on
 
In /etc/postfix/main.cf, set  
 
In /etc/postfix/main.cf, set  
smtp_sasl_auth_enable = yes
 
 
  smtpd_sasl_auth_enable = yes
 
  smtpd_sasl_auth_enable = yes
 +
In /etc/postfix/main.cf, add permit_sasl_authenticated to smtpd_recipient_restrictions. The resulting line may look like this:
 +
smtpd_recipient_restrictions = permit_mynetworks,
 +
                                permit_sasl_authenticated,
 +
                                reject_unauth_destination,
 +
                                check_policy_service inet:127.0.0.1:60000
 +
 
Restart Postfix
 
Restart Postfix
 
  /etc/init.d/postfix restart
 
  /etc/init.d/postfix restart
Start kmail, setup localhost as incoming and outgoing mail server. In kmail, change the sending account's authentication method to "LOGIN". Send a mail to testuser@localhost.
 
  
== TroubleShooting ==
+
= Test it =
 +
To test it, find out your plain authentication string. To do this, [[open a console]] and do a base64 encoding of your username (''myuser'' in this example) and your password (''mypassword'' in this example):
 +
# perl -MMIME::Base64 -e 'print encode_base64("''myuser''\0''myuser''\0''mypassword''");'
 +
You get a string that we will need again soon, it looks like
 +
''bXl1c2VyAG15dXNlcgBteXBhc3N3b3Jk''
 +
Now connect to your mail server (in this example linuxintro.org):
 +
# telnet ''linuxintro.org'' 25
 +
The server responds:
 +
Trying ''108.166.126.74''...
 +
Connected to ''linuxintro.org''.
 +
Escape character is '^]'.
 +
220 ''mail.linuxintro.org'' ESMTP Postfix
 +
If you are missing the response "Connected to...", your internet provider is probably blocking port 25. In this case read [[setting up a mail server on port 587]]. Otherwise you write
 +
EHLO hostname
 +
Now the server responds like
 +
250-mail.linuxintro.org
 +
250-PIPELINING
 +
250-SIZE
 +
250-VRFY
 +
250-ETRN
 +
250-AUTH LOGIN PLAIN
 +
250-ENHANCEDSTATUSCODES
 +
250-8BITMIME
 +
250 DSN
 +
Now you write
 +
AUTH PLAIN ''bXl1c2VyAG15dXNlcgBteXBhc3N3b3Jk''
 +
The server writes
 +
235 2.7.0 Authentication successful
 +
This means it has worked. So write
 +
QUIT
 +
And you see the response
 +
221 2.0.0 Bye
 +
Connection closed by foreign host.
 +
 
 +
= mail is refused =
 +
Sometimes it happens that you get mails like this one:
 +
 
 +
Delayed Mail (still being retried)
 +
[...]
 +
  <name@domain.net>: host mail.domain.com[87.16.52.149] said: 450 4.7.1 Client host
 +
    rejected: cannot find your hostname, [109.167.135.66] (in reply to RCPT TO
 +
    command)
 +
 
 +
This means sending of your mail worked but the receiving mail server refuses to accept it. This is most probably because your mail server name resolves to an IP address, but this IP address does not resolve to your mail server name:
 +
# ping mail.domain.de
 +
PING '''''mail.domain.de''''' (109.167.135.66) 56(84) bytes of data.
 +
64 bytes from '''''suse-256''''' (109.167.135.66): icmp_seq=1 ttl=64 time=0.031 ms
 +
In this case you ping to ''mail.domain.de'', but the answer comes from the server ''suse-256''.
 +
;Solution: At your IP address' provider, set the reverse DNS entry to deliver the correct hostname, in this example ''mail.domain.de''. Here is an example for RackSpace: http://www.rackspace.com/knowledge_center/article/rackspace-cloud-essentials-6-creating-a-reverse-dns-record Some things can go wrong here. For example I had the respective IP address in /etc/hosts and as name server I was using my [[Fritz!Box]] that cached the DNS record.
 +
 
 +
= TroubleShooting =
  
If you get  
+
== Authentication not enabled ==
 +
;Symptom:
 +
You get  
 
  Sending failed: Your SMTP server does not support authentication. The server responded: "5.5.1 Error: authentication not enabled"
 
  Sending failed: Your SMTP server does not support authentication. The server responded: "5.5.1 Error: authentication not enabled"
  
 +
;Solution:
 
You will need to modify /etc/postfix/main.cf, set  
 
You will need to modify /etc/postfix/main.cf, set  
 
  smtp_sasl_auth_enable = yes
 
  smtp_sasl_auth_enable = yes
Line 24: Line 88:
 
  /etc/init.d/postfix restart
 
  /etc/init.d/postfix restart
  
If you get
+
== generic failure ==
 +
;Symptom:
 +
You get
 
  Sending failed. Most likely the password is wrong. The server responded: "5.7.8 Error: authentication failed: generic failure"
 
  Sending failed. Most likely the password is wrong. The server responded: "5.7.8 Error: authentication failed: generic failure"
 +
 +
;Solution:
 
You need to make sure your authentication service has been started:
 
You need to make sure your authentication service has been started:
 
  /etc/init.d/saslauthd status
 
  /etc/init.d/saslauthd status
Line 31: Line 99:
 
  running
 
  running
  
If you get  
+
== no authentication mechanism available ==
 +
;Symptom:
 +
You get  
 
  Sending failed: Your SMTP server does not support The server responded: "5.7.8 Error: authentication failed: no mechanism available"
 
  Sending failed: Your SMTP server does not support The server responded: "5.7.8 Error: authentication failed: no mechanism available"
 +
 +
;Reson:
 
You may have
 
You may have
 
* plain
 
* plain
 
* digest-md5
 
* digest-md5
 
* cram-md5
 
* cram-md5
as authentication method in kmail. Change this to Login.
+
as authentication method in kmail.  
  
If you get
+
;Solution:
 +
Change this to Login.
 +
 
 +
== no worthy mechanisms found ==
 +
;Symptom:
 +
You get
 
  Sending failed: An error occurred during authentication: SASL(-4):no mechanism available: No worthy mechs found
 
  Sending failed: An error occurred during authentication: SASL(-4):no mechanism available: No worthy mechs found
 +
 +
;Reason:
 
You may have
 
You may have
 
* GSSAPI
 
* GSSAPI
as authentication method in kmail. Change this to Login.
+
as authentication method in kmail.  
 +
 
 +
;Solution:
 +
Change this to Login.
  
If nothing happens and no mail is sent, you may have
+
== no mail is sent ==
 +
;Symptom:
 +
Nothing happens and no mail is sent
 +
 
 +
;Reason:
 +
You may have
 
* NTLM  
 
* NTLM  
as authentication method in kmail. Change this to Login.
+
as authentication method in kmail.  
 +
 
 +
;Solution:
 +
Change this to Login.
 +
 
 +
= See also =
 +
* [[Set_up_a_mail_server_on_port_587]]
 +
* http://samcaldwell.net/index.php/technical-articles/3-how-to-articles/15-creating-tls-certificate-using-openssl
 +
* http://www.adomas.org/2006/08/postfix-dovecot/

Latest revision as of 15:59, 28 November 2015

Overview

When you have set up a mail server you can by default send mails within your own domain (e.g. linuxintro.org) but not to the outside. What you probably want is that internet users can connect via a mail client, e.g. Thunderbird to your mail server. If they know a valid username and password, they are allowed to read and send mails.

Configure it

Authentication is done by saslauthd. So install saslauthd, in this case for SUSE Linux:

yast -i cyrus-sasl-saslauthd

Start the service:

/etc/init.d/saslauthd start

Make sure your authentication service is running:

/etc/init.d/saslauthd status 

has to deliver

running

Make sure the service starts on boot

chkconfig saslauthd on

In /etc/postfix/main.cf, set

smtpd_sasl_auth_enable = yes

In /etc/postfix/main.cf, add permit_sasl_authenticated to smtpd_recipient_restrictions. The resulting line may look like this:

smtpd_recipient_restrictions = permit_mynetworks,
                               permit_sasl_authenticated,
                               reject_unauth_destination,
                               check_policy_service inet:127.0.0.1:60000

Restart Postfix

/etc/init.d/postfix restart

Test it

To test it, find out your plain authentication string. To do this, open a console and do a base64 encoding of your username (myuser in this example) and your password (mypassword in this example):

# perl -MMIME::Base64 -e 'print encode_base64("myuser\0myuser\0mypassword");'

You get a string that we will need again soon, it looks like

bXl1c2VyAG15dXNlcgBteXBhc3N3b3Jk

Now connect to your mail server (in this example linuxintro.org):

# telnet linuxintro.org 25

The server responds:

Trying 108.166.126.74...
Connected to linuxintro.org.
Escape character is '^]'.
220 mail.linuxintro.org ESMTP Postfix

If you are missing the response "Connected to...", your internet provider is probably blocking port 25. In this case read setting up a mail server on port 587. Otherwise you write

EHLO hostname

Now the server responds like

250-mail.linuxintro.org
250-PIPELINING
250-SIZE
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Now you write

AUTH PLAIN bXl1c2VyAG15dXNlcgBteXBhc3N3b3Jk

The server writes

235 2.7.0 Authentication successful

This means it has worked. So write

QUIT

And you see the response

221 2.0.0 Bye
Connection closed by foreign host.

mail is refused

Sometimes it happens that you get mails like this one:

Delayed Mail (still being retried)
[...]
 <name@domain.net>: host mail.domain.com[87.16.52.149] said: 450 4.7.1 Client host
    rejected: cannot find your hostname, [109.167.135.66] (in reply to RCPT TO
    command)

This means sending of your mail worked but the receiving mail server refuses to accept it. This is most probably because your mail server name resolves to an IP address, but this IP address does not resolve to your mail server name:

# ping mail.domain.de
PING mail.domain.de (109.167.135.66) 56(84) bytes of data.
64 bytes from suse-256 (109.167.135.66): icmp_seq=1 ttl=64 time=0.031 ms

In this case you ping to mail.domain.de, but the answer comes from the server suse-256.

Solution
At your IP address' provider, set the reverse DNS entry to deliver the correct hostname, in this example mail.domain.de. Here is an example for RackSpace: http://www.rackspace.com/knowledge_center/article/rackspace-cloud-essentials-6-creating-a-reverse-dns-record Some things can go wrong here. For example I had the respective IP address in /etc/hosts and as name server I was using my Fritz!Box that cached the DNS record.

TroubleShooting

Authentication not enabled

Symptom

You get

Sending failed: Your SMTP server does not support authentication. The server responded: "5.5.1 Error: authentication not enabled"
Solution

You will need to modify /etc/postfix/main.cf, set

smtp_sasl_auth_enable = yes
smtpd_sasl_auth_enable = yes

and restart postfix:

/etc/init.d/postfix restart

generic failure

Symptom

You get

Sending failed. Most likely the password is wrong. The server responded: "5.7.8 Error: authentication failed: generic failure"
Solution

You need to make sure your authentication service has been started:

/etc/init.d/saslauthd status

has to deliver

running

no authentication mechanism available

Symptom

You get

Sending failed: Your SMTP server does not support The server responded: "5.7.8 Error: authentication failed: no mechanism available"
Reson

You may have

  • plain
  • digest-md5
  • cram-md5

as authentication method in kmail.

Solution

Change this to Login.

no worthy mechanisms found

Symptom

You get

Sending failed: An error occurred during authentication: SASL(-4):no mechanism available: No worthy mechs found
Reason

You may have

  • GSSAPI

as authentication method in kmail.

Solution

Change this to Login.

no mail is sent

Symptom

Nothing happens and no mail is sent

Reason

You may have

  • NTLM

as authentication method in kmail.

Solution

Change this to Login.

See also