Postfix Username and Password not accepted (BadCredentials) - postfix-mta

and thank you for reading. I know this question has been asked many times - I've read a ton of different answers, and have tried most of them. None of them have worked so far. I'm pretty new to using postfix and appreciate any assistance you can provide.
I'm using Proxmox 6.1, on Debian buster. I'm attempting to use the email function for failed backups. My domain is using Gsuite mail. I have setup the SMTP relay with both my ipv4 and ipv6 public addresses, and I have verified the credentials are correct and generated new .db each time I made a change.
My sasl_passwd
smtp-relay.gmail.com:587 root#mydomain.com:password
My main.cf (domain & ip have been edited)
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
#myhostname=pve.myisp (auto generated)
myhostname = mydomain.com
#G-Suite relay test
relayhost = smtp-relay.gmail.com:587
# Use tls
smtp_use_tls = yes
smtp_tls_security_level = encrypt
tls_random_source = dev:/dev/urandom
# Use sasl when authenticating to foreign SMTP servers
smtp_sasl_auth_enable = yes
# Path to password map file
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# List of CAs to trust when verifying server certificate
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
# Eliminates default security options which are imcompatible with gmail
smtp_sasl_security_options = noanonymous
smtp_sasl_mechanism_filter = plain
compatibility_level = 2
Error logs:
Apr 30 16:45:52 pve postfix/qmgr[34586]: 4B3AD320C9A: from=<root#mydomain.com>, size=396, nrcpt=1 (queue active)
Apr 30 16:45:54 pve postfix/smtp[34617]: 4B3AD320C9A: SASL authentication failed; server smtp-relay.gmail.com[74.125.30.28] said: 535-5.7.8 Username and Password not accepted. Learn more at?535 5.7.8 https://support.google.com/mail/?p=BadCredentials m33sm110720uad.2 - gsmtp
Apr 30 16:45:54 pve postfix/smtp[34617]: 4B3AD320C9A: to=<mypersonalemail#gmail.com>, relay=smtp-relay.gmail.com[2607:f8b0:4003:c0b::1c]:587, delay=2.6, delays=0.05/0.06/2.4/0, dsn=4.7.8, status=deferred (SASL authentication failed; server smtp-relay.gmail.com[2607:f8b0:4003:c0b::1c] said: 535-5.7.8 Username and Password not accepted. Learn more at?535 5.7.8 https://support.google.com/mail/?p=BadCredentials v7sm169048ooo.20 - gsmtp)

I managed to solve my issue.
Ignore any & all gsuite documentation, and use [smtp.gmail.com]:587 instead of smtp-relay.gmail.com:587

Related

Issues getting kerberos/Windows AD login work for a web service

I have been struggling with this for quite a while now, and I can't get it to work.
Here is the setup:
I have a nginx webserver serving a django app at mywebapp.k8s.dal1.mycompany.io
It has the SPNEGO plugin compiled in and I have the following endpoint in my config:
location /ad-login {
uwsgi_pass django;
include /usr/lib/mycompany/lib/wsgi/uwsgi_params;
auth_gss on;
auth_gss_realm BURNERDEV1.DAL1.MYCOMPANY.IO;
auth_gss_service_name HTTP/mywebapp.k8s.dal1.mycompany.io;
auth_gss_allow_basic_fallback off;
}
My AD Domain controller is at burnerdev1.dal1.mycompany.io and I have the following users configured:
rep_movsd
portal
I run the following commands on the DC server in an Admin prompt:
ktpass -out krb5.keytab -mapUser portal#BURNERDEV1.DAL1.MYCOMPANY.IO +rndPass -mapOp set +DumpSalt -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -princ HTTP/mywebapp.k8s.dal1.mycompany.io#BURNERDEV1.DAL1.MYCOMPANY.IO
setspn -A HTTP/mywebapp.k8s.dal1.mycompany.io#BURNERDEV1.DAL1.MYCOMPANY.IO portal
C:\Users\myself\Documents\keytab>ktpass -out krb5.keytab -mapUser portal#BURNERDEV1.DAL1.MYCOMPANY.IO +rndPass -mapOp set +DumpSalt -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -princ HTTP/mywebapp.k8s.dal1.mycompany.io#BURNERDEV1.DAL1.MYCOMPANY.IO
Targeting domain controller: dal1devdc1.burnerdev1.dal1.mycompany.io
Using legacy password setting method
Failed to set property 'servicePrincipalName' to 'HTTP/mywebapp.k8s.dal1.mycompany.io' on Dn 'CN=portal,CN=Users,DC=burnerdev1,DC=dal1,
DC=mycompany,DC=io': 0x13.
WARNING: Unable to set SPN mapping data.
If portal already has an SPN mapping installed for HTTP/mywebapp.k8s.dal1.mycompany.io, this is no cause for concern.
Building salt with principalname HTTP/mywebapp.k8s.dal1.mycompany.io and domain BURNERDEV1.DAL1.MYCOMPANY.IO (encryption type 18)...
Hashing password with salt "BURNERDEV1.DAL1.MYCOMPANY.IOHTTPmywebapp.k8s.dal1.mycompany.io".
Key created.
Output keytab to krb5.keytab:
Keytab version: 0x502
keysize 110 HTTP/mywebapp.k8s.dal1.mycompany.io#BURNERDEV1.DAL1.MYCOMPANY.IO ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x12 (AES256-SHA1) k
eylength 32 (0x632d9ca3356374e9de490ec2f7718f9fb652b20da40bd212a808db4c46a72bc5)
C:\Users\myself\Documents\keytab>setspn -A HTTP/mywebapp.k8s.dal1.mycompany.io#BURNERDEV1.DAL1.MYCOMPANY.IO portal
Checking domain DC=burnerdev1,DC=dal1,DC=mycompany,DC=io
Registering ServicePrincipalNames for CN=portal,CN=Users,DC=burnerdev1,DC=dal1,DC=mycompany,DC=io
HTTP/mywebapp.k8s.dal1.mycompany.io#BURNERDEV1.DAL1.MYCOMPANY.IO
Updated object
C:\Users\myself\Documents\keytab>
Now in the "Active Directory Users and Computers" section, I rightclicked the user and selected "Properties"
Then on the "Delegation" tab I set "Trust this user for delegation to any service (Kerberos only)"
Next I copy the krb5.keytab file to my webserver and restart the nginx container
On the Windows workstation which is part of the domain, I log on as rep_movsd - when I run klist:
C:\Users\rep_movsd>klist
Current LogonId is 0:0x208d7
Cached Tickets: (2)
#0> Client: rep_movsd # BURNERDEV1.DAL1.MYCOMPANY.IO
Server: krbtgt/BURNERDEV1.DAL1.MYCOMPANY.IO # BURNERDEV1.DAL1.MYCOMPANY.IO
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
Start Time: 7/16/2020 2:05:51 (local)
End Time: 7/16/2020 12:05:51 (local)
Renew Time: 7/23/2020 2:05:51 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
#1> Client: rep_movsd # BURNERDEV1.DAL1.MYCOMPANY.IO
Server: HTTP/mywebapp.k8s.dal1.mycompany.io # BURNERDEV1.DAL1.MYCOMPANY.IO
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
Start Time: 7/16/2020 2:06:01 (local)
End Time: 7/16/2020 12:05:51 (local)
Renew Time: 7/23/2020 2:05:51 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
I setup Firefox to do SPENGO authentication
Then I hit mywebapp.k8s.dal1.mycompany.io/ad-login and I get a 403 Forbidden error
The nginx server debug log shows:
[debug] 16#16: *195 Client sent a reasonable Negotiate header
[debug] 16#16: *195 GSSAPI authorizing
[debug] 16#16: *195 Use keytab /etc/krb5.keytab
[debug] 16#16: *195 Using service principal: HTTP/mywebapp.k8s.dal1.mycompany.io#BURNERDEV1.DAL1.MYCOMPANY.IO
[debug] 16#16: *195 my_gss_name HTTP/mywebapp.k8s.dal1.mycompany.io#BURNERDEV1.DAL1.MYCOMPANY.IO
[debug] 16#16: *195 gss_accept_sec_context() failed: Cannot decrypt ticket for HTTP/mywebapp.k8s.dal1.mycompany.io#BURNERDEV1.DAL1.MYCOMPANY.IO using keytab key for HTTP/mywebapp.k8s.dal1.mycompany.io#BURNERDEV1.DAL1.MYCOMPANY.IO:
[debug] 16#16: *195 GSSAPI failed
[debug] 16#16: *195 http finalize request: 403, "/ad-login?" a:1, c:1
[debug] 16#16: *195 http special response: 403, "/ad-login?"
[debug] 16#16: *195 http set discard body
[debug] 16#16: *195 charset: "" > "utf-8"
[debug] 16#16: *195 HTTP/1.1 403 Forbidden
BTW while messing around earlier - I found that if I had set a fixed password for the "portal" user with ktpass and logged in as that account on the workstation, the login would succeed.
I was under the mistaken impression that I'd need to create a new keytab for every user and combine all of them.
Any help is greatly appreciated - I read so many conflicting docs its only confused me further and I've been losing sleep over this.
Thanks in advance!
I've read your problem statement carefully, and I think if you follow the steps I wrote below the issue will be solved.
On the DC server where you are creating the keytab, (1) UAC must be temporarily disabled. (2) The user creating the keytab must be a member of the Domain Admins group.
Ensure the SPN is not a duplicate, then remove the SPN from the Active Directory user account portal. This must be done before creating a new keytab using the same SPN against the same account. The below command is a one-liner, word-wrapping makes it look like two lines.
setspn -d HTTP/mywebapp.k8s.dal1.mycompany.io#BURNERDEV1.DAL1.MYCOMPANY.IO portal
Re-create the keytab again exactly as you did before.
You do not need to run the command setspn -A HTTP/mywebapp.k8s.dal1.mycompany.io#BURNERDEV1.DAL1.MYCOMPANY.IO portal because SPN was already set on the Active Directory user account by the ktpass command in step 3.
Replace the old keytab with the new keytab.
Restart the nginx webserver service.
Clear browser cache AND clear Kerberos case (klist purge).
Try it again.
You must do all these steps including the final step 7. Do not skip any.
You service account is named portal. A hash of this password is stored in both Active Directory and the keytab. Same hash is in both locations. The keytab on the nginix server is utilized to decrypt the inbound Kerberos service tickets to determine who the user is attempting to access the web app. More specifically, the GSS authentication does all the work, it uses the keytab to un-scramble the encrypted service tickets. The user rep_movsd does not have the service account credentials. It is part of the Active Directory domain, and when accessing the nginix web server, it gets it's own Kerberos service ticket and its identity is proven to the web server by simply being in possession of a service ticket that is decrypted by the keytab. If it wasn't part of the BURNERDEV1.DAL1.MYCOMPANY.IO domain, or had an expired password, or was a disabled account, it would not be able to get a service ticket and thus not prove its identity and fail authentication.
If you have time, please see my TechNet Wiki article on keytab creation and the logic behind it to help you better understand this complex subject.

gRPC unable to create connection to server (Go) from client (Python)

I have this Python code that is supposed to use a certificate and connect to a server via the server's IP address (no FQDN available) but I get an error every time I try it:
ssl_transport_security.cc:222] LOOP - TLS client process_change_ciph - !!!!!!
ssl_transport_security.cc:222] LOOP - TLS client read_server_finishe - !!!!!!
ssl_transport_security.cc:222] LOOP - TLS client finish_client_hands - !!!!!!
ssl_transport_security.cc:222] LOOP - TLS client done - !!!!!!
ssl_transport_security.cc:222] HANDSHAKE DONE - TLS client done - !!!!!!
security_handshaker.cc:184] Security handshake failed: {"created":"#1582052112.923538253","description":"Peer name 172.18.0.14 is not in peer certificate","file":"src/core/lib/security/security_connector/ssl/ssl_security_connector.cc","file_line":55}
subchannel.cc:1003] Connect failed: {"created":"#1582052112.923538253","description":"Peer name 172.18.0.14 is not in peer certificate","file":"src/core/lib/security/security_connector/ssl/ssl_security_connector.cc","file_line":55}
subchannel.cc:940] Subchannel 0x55ad70542020: Retry immediately
subchannel.cc:967] Failed to connect to channel, retrying
From what I understand this could be due to me connecting to an ip address and not a FQDN but these are servers and I only have access to IP addresses. Any idea how to overcome this?
Python code used:
def get_secure_channel(host, port):
if os.environ.get('https_proxy'):
del os.environ['https_proxy']
if os.environ.get('http_proxy'):
del os.environ['http_proxy']
with open(os.path.join(settings.DJANGO_ROOT, '../grpc_proto/cert/server.crt'), 'rb') as f:
cert = f.read()
credentials = grpc.ssl_channel_credentials(root_certificates=cert)
return grpc.secure_channel('{}:{}'.format(host, port), credentials)
def reset_client(channel, ip_address):
stub = dnsadblock_pb2_grpc.DnsadblockServiceStub(channel)
return stub.ResetClient(dnsadblock_pb2.ResetClientRequest(ipAddress=ip_address))
channel = get_secure_channel(c.server.hostname, settings.GRPC_PORT)
rpc.reset_client(channel, c.ip_address)
https://support.dnsimple.com/articles/what-is-common-name/
In this case, the endpoint you are connecting are not matching the description of peer's certificate. Hence, the connection was rejected. You could either try to use one of the CN in your certificate to connect to the server. Or adding the endpoint to your certificate.
I was integrating a go grpc server and a Python client. To make it work I did the following.
When creating the server.csr file using this line
openssl req -new -sha256 -key certs/server.key -out certs/server.csr -config certs/certificate.conf
The certs/certificate.conf looked likes this:
[req]
default_bits = 4096
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[dn]
C = AU
ST = VIC
O = OCOM Software
CN = hub_proxy
[req_ext]
subjectAltName = #alt_names
[alt_names]
DNS.1 = hub_proxy
IP.1 = ::1
IP.2 = 127.0.0.1
Notice the CN = hub_proxy and the DNS.1 = hub_proxy
I am not sure which solved this but when I regenerated the certificates and keys with these settings.
And then connected to the server using the hostname (in the client) of hub_proxy:9000 (where 9000 is the port number) it worked.

How can I skip ssl certificate verification on HTTPS connection using the OpenEdge.Net Libraries?

I am trying to to do a POST to an API endpoint using Openedge.
I have installed the ssl certificate of the place i am requesting from but the https request fails, telling me it can't find the ssl certificate of that place (in my /usr/dlc/certs).
"_errors": [
{
"_errorMsg": "ERROR condition: Secure Socket Layer (SSL) failure. error code -54: unable to get local issuer certificate: for 85cf5865.0 in /usr/dlc/certs (9318) (7211)",
"_errorNum": 9318
}
]
So, i have resorted to doing an insecure request, like curl does it with the --insecure or wget does it with "no-check-certificate"
I am using the OpenEdge.Net Libraries on OpenEdge 11.6
creds = new Credentials('https://xxxx.com', 'usersname', 'password').
oPayload = NEW JsonObject().
oRequestBody = new String('CustomerReference=xxx&NoOfParcelsToAdd=2').
oRequest = RequestBuilder:Post('https://xxxxx.com/endpoint', oRequestBody)// Add credentials to the request
:UsingBasicAuthentication(creds)
:ContentType('application/x-www-form-urlencoded')
:AcceptJson() :Request.
oResponse = ClientBuilder:Build():Client:Execute(oRequest).
I want to know, for this OpenEdge.Net Libraries is there a tag that i can put in order to skip the checking of the certificate?
I don't know of any option to skip verification but I do know that a common source of that error is that your certificate authority is not in $DLC/certs. The default list of certificate authorities is fairly narrow.
USING OpenEdge.Net.HTTP.IHttpClientLibrary.
USING OpenEdge.Net.HTTP.Lib.ClientLibraryBuilder.
DEFINE VARIABLE oLib AS IHttpClientLibrary NO-UNDO.
oLib = ClientLibraryBuilder:Build()
:sslVerifyHost(NO)
:Library.
oHttpClient = ClientBuilder:Build()
:UsingLibrary(oLib)
:Client.

SSH via script is not working

I want to SSH to a machine (call it A). It's sshd config file looks like below:
AllowGroups wheel
AllowTcpForwarding no
AuthorizedKeysFile .ssh/authorized_keys
Banner /etc/issue
ChallengeResponseAuthentication no
Ciphers aes256-ctr,aes128-ctr
Compression delayed
GatewayPorts no
MACs hmac-sha1
MaxSessions 1
PasswordAuthentication yes
PermitRootLogin yes
PermitTunnel no
PermitUserEnvironment no
Protocol 2
RhostsRSAAuthentication no
StrictModes yes
Subsystem sftp /usr/lib64/ssh/sftp-server
UsePAM yes
UsePrivilegeSeparation yes
X11Forwarding no
I have another machine (call it B - ssh client)
Now, if I try to ssh to machineA as below, it works perfect:
ssh root#machineA
and then interactively provide password. Works perfect!
Now, I try passing password via a script using sshpass utility as below:
sshpass -p PASSWORD ssh -vvv -o=StrictHostKeyChecking=no root#machineA
This fails.
Last few lines from debug of -vvv gives below:
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
debug3: packet_send2: adding 64 (len 51 padlen 13 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
/var/log/auth.log on machine A says below:
Connection from machineB port 44408
Failed password for root from machineB port 44408 ssh2
Connection closed by machineB port 44408 [preauth]
lastb command gives below:
root ssh:notty machineB Sun Jul 3 04:20 - 04:20 (00:00)
root ssh:notty machineB Sun Jul 3 04:19 - 04:19 (00:00)
I have been reading around for it. But, not something that I can stop at. Do you have any pointers? What could be the problem?
Anything related to sshpass or something?
I would try to narrow the problem:
Try with a simpler password, without special characters.
Try with a user different than root.
Try using certificates instead of password.
That is explained here: https://git-scm.com/book/en/v2/Git-on-the-Server-Generating-Your-SSH-Public-Key , https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys--2 etc.
Have a look at the server logs as well, check /var/log/secure or alike.

postfix virtualdomain - message bouncing - unknown user error in maillog

I have configured the virtual domain in postfix 2.x
Please check the configuration below:
virtual_mailbox_domains = ghhdomain.com, krdomain.com, murugeshdomain.com
#setup virtual domains mailbase for mailboxes
virtual_mailbox_base = /var/spool/mail
#create lookup file that maps email addresses to respective mailboxes
virtual_mailbox_map = hash:/etc/postfix/virtual
#who will be the owner of the mailbox file
virtual_uid_maps = static:503
virtual_gid_maps = static:503"
added to /etc/postfix/virtual
info#ghhdomain.com ghhdomain/info
info#krdomain.com krdomain/info"
done postmap /etc/postfix/virtual
while testing
Escape character is '^]'.
220 mail.murugeshdomain.com ESMTP Postfix
ehlo ghhdomain.com
250-mail.murugeshdomain.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
And.. When I do mail from: info#ghhdomain.com and rcpt to:info#ghhdomain.com
I get the enter code hereror in the log.
bounced - unknown user "info#ghhdomain.com
What is that missing,
TIA
Hari
Here you use the virtual_mailbox_map = hash:/etc/postfix/virtual, ie you use the virtual alias file for the virtual mailbox map. You are not suppose to do this.
So please use different files for virtual alias and virtual mailbox
So you can use,
virtual_mailbox_maps = hash:/etc/postfix/vmailbox
virtual_alias_maps = hash:/etc/postfix/virtual
/etc/postfix/vmailbox:
info#ghhdomain.com ghhdomain/info
info#krdomain.com krdomain/info
you can verify more details in this link
make aliases for local accounts/users
in /etc/postfix/main.cf edit :
virtual_alias_maps = mysql:/etc/postfix/virtual-alias-maps.cf
regexp:/etc/postfix/local-users-aliases
# ---- put everything on same line ---------
Now Postfix will build aliases list from mysql table (you can use and/or hash from file ... postfix accept a list of sources) and using regular expresion from file
write local-users-aliases
echo "/^(webmaster|www|ftp|postmaster|root|MAILER-DAEMON|abuse)/ u_mail#u_domain" >
/etc/postfix/local-users-aliases
after /etc/init.d/postfix restart any mail sent to postmaster fro ex will go to u_mail#u_domain

Resources