Postfix as SMTP Relay appears unsecure to GMail [closed] - postfix-mta

Closed 4 years ago.
I am currently trying to set up postfix on RHEL as an SMTP Relay for our internal ticketing system.
The basic configuration is running and working fine; mails get sent and received. We do alter some headers to secure our internal networks, but that's about it.
Trying 10.71.17.107...
Connected to mail-gw.doma.in.
Escape character is '?'.
220 mail-gw.doma.in ESMTP Postfix
STARTTLS
220 2.0.0 Ready to start TLS
Similarly, I am able to ask the GMail server for STARTTLS, so I presume that firewalls are not an issue:
Trying 108.177.15.26...
Connected to gmail-smtp-in.l.google.com.
Escape character is '?'.
220 **************************************************
EHLO mail-gw.doma.in
250-mx.google.com at your service, [91.198.93.107]
250-STARTTLS
STARTTLS
220 2.0.0 Ready to start TLS
I have acquired a free SSL Certificate for this mail-gw, and it seems to be valid. However, whenever I relay a message to GMail, it shows me that the message has not been encrypted.
Not secure according to google
Here is my master.cf
smtp       inet  n  -  n  -  -  smtpd -v
submission inet  n  -  n  -  -  smtpd -v
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
And here is my main.cf
smtp_sasl_auth_enable = no
smtp_sasl_password_maps = hash:/etc/postfix/relay_passwords
smtp_tls_CAfile = /etc/pki/tls/certs/mail-gw_doma_in.ca-bundle
smtp_tls_cert_file = /etc/pki/tls/certs/mail-gw_doma_in.crt
smtp_tls_key_file = /etc/pki/tls/private/prv.key
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtpd_cache
smtp_use_tls = yes
smtpd_tls_CAfile = /etc/pki/tls/certs/mail-gw_doma_in.ca-bundle
smtpd_tls_cert_file = /etc/pki/tls/certs/mail-gw_doma_in.crt
smtpd_tls_key_file = /etc/pki/tls/private/prv.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
I am all out of ideas, especially since all solutions on the internet use smtp_tls_security_level = may.
Any help would be appreciated.
Edit: As per the comments, here is my connection log with Google.
Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: < gmail-smtp-in.l.google.com[173.194.76.27]:25: 220 **************************************************
Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: name_mask: disable_esmtp
Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: name_mask: delay_dotcrlf
Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: 14ED21038196: enabling PIX workarounds: disable_esmtp delay_dotcrlf for gmail-smtp-in.l.google.com[173.194.76.27]:25
Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: > gmail-smtp-in.l.google.com[173.194.76.27]:25: HELO mail-gw.doma.in
Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: < gmail-smtp-in.l.google.com[173.194.76.27]:25: 250 mx.google.com at your service
Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: server features: 0x31000 size 0
Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: smtp_stream_setup: maxtime=300 enable_deadline=0
Nov 15 07:06:44 atdc1-proxy01 postfix/smtp[26878]: > gmail-smtp-in.l.google.com[173.194.76.27]:25: MAIL FROM:<dct_test_it@doma.in>
Is it supposed to be this way? When I debug incoming connections, I see my server responding with all SMTP options (including STARTTLS). Even more confusing, since telnetting to the Google host also offers me STARTTLS.

I finally found the solution.
For some reason - I am not sure how - my Postfix thought that our firewall was doing SMTP inspection, and enabled the PIX workaround "disable_esmtp".
Thus, my Postfix only started a connection with a HELO, and didn't get the option to STARTTLS.
Solution:
In your main.cf, only enable the other workarounds. For the sake of brevity, I did it like this for now:
smtp_pix_workarounds = delay_dotcrlf
Hard for me to believe that I haven't found anything about this.
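The accepted fix above is a configuration change; what a mail operator also wants is a way to notice this condition from the logs before a recipient reports "not encrypted". The following Python script is an added example, not code from the question or from Postfix. It runs over a constructed sample log (modelled on the lines quoted in the question; queue ids and recipients are made up) and flags three things in postfix/smtp(8) output: a greeting banner masked with asterisks (the trace an ESMTP-inspecting firewall leaves, and what triggers the PIX workarounds), the "enabling PIX workarounds" line itself, and deliveries with status=sent for which no "TLS connection established" line was logged by that smtp process. The banner and HELO lines only appear with smtpd -v as in the question; the TLS and status=sent lines appear at smtp_tls_loglevel = 1.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the question's lines (not real traffic).
SAMPLE_LOG = """\
Nov 15 07:06:44 gw postfix/smtp[26878]: < gmail-smtp-in.l.google.com[173.194.76.27]:25: 220 **************************************************
Nov 15 07:06:44 gw postfix/smtp[26878]: 14ED21038196: enabling PIX workarounds: disable_esmtp delay_dotcrlf for gmail-smtp-in.l.google.com[173.194.76.27]:25
Nov 15 07:06:44 gw postfix/smtp[26878]: > gmail-smtp-in.l.google.com[173.194.76.27]:25: HELO mail-gw.doma.in
Nov 15 07:06:45 gw postfix/smtp[26878]: 14ED21038196: to=<bob@example.com>, relay=gmail-smtp-in.l.google.com[173.194.76.27]:25, delay=1.2, delays=0.1/0/0.6/0.5, dsn=2.0.0, status=sent (250 2.0.0 OK)
Nov 15 07:10:02 gw postfix/smtp[26901]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[173.194.76.27]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Nov 15 07:10:03 gw postfix/smtp[26901]: 2A7B11038197: to=<carol@example.com>, relay=gmail-smtp-in.l.google.com[173.194.76.27]:25, delay=1.0, delays=0.1/0/0.5/0.4, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

PROC_RE = re.compile(r"postfix/smtp\[(\d+)\]: (.*)$")
BANNER_RE = re.compile(r"^< (\S+): 220 (.*)$")                  # only logged with -v
PIX_RE = re.compile(r"^([0-9A-F]+): enabling PIX workarounds: (.+?) for (\S+)$")
TLS_RE = re.compile(r"^(?:Untrusted|Trusted|Verified|Anonymous) TLS connection established to (\S+):")
SENT_RE = re.compile(r"^([0-9A-F]+): to=<([^>]+)>, relay=(\S+), .*status=sent\b")


def audit_smtp_log(text):
    """Scan postfix/smtp log lines; return masked banners, PIX workaround
    activations and deliveries made without a TLS session."""
    tls_on = defaultdict(bool)   # per smtp(8) process: TLS active on its current connection
    findings = {"masked_banners": [], "pix_workarounds": [], "plaintext_deliveries": []}
    for line in text.splitlines():
        m = PROC_RE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        b = BANNER_RE.match(msg)
        if b:
            tls_on[pid] = False      # a new greeting means a new (so far plaintext) connection
            if b.group(2) and set(b.group(2)) == {"*"}:
                findings["masked_banners"].append(b.group(1))
            continue
        p = PIX_RE.match(msg)
        if p:
            findings["pix_workarounds"].append(p.groups())
            continue
        if TLS_RE.match(msg):
            tls_on[pid] = True
            continue
        s = SENT_RE.match(msg)
        if s and not tls_on[pid]:
            findings["plaintext_deliveries"].append(s.groups())
    return findings


if __name__ == "__main__":
    for kind, items in audit_smtp_log(SAMPLE_LOG).items():
        for item in items:
            print(kind, item)
```

On a real host, feed it `journalctl -u postfix` or /var/log/maillog. The process-id keying is a simplification: one smtp(8) process handles connections one after another, so without the verbose banner line the script assumes a process that once established TLS keeps using it until a new greeting is seen.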


Postfix Dovecot thousands of emails seem to come from local server to local mailbox

I have been using this setup (Workaround) for many years.
I just updated my server to the latest guide (Buster) and it was working good for a month.
I have DMARC setup
v=DMARC1; p=quarantine; sp=none; rua=mailto:postmaster@example.org; ruf=mailto:postmaster@example.org; rf=afrf; pct=100; ri=86400
I have SPF setup. I understand that this is a soft fail.
v=spf1 mx a ip4:XX.XX.XX.XX/27 ~all
And I have DKIM setup as well
v=DKIM1;k=rsa;p=MIGfMA0GCSqGSIb3DQE...public key
I have tested these with mxtoolbox.com and they seem to be fine.
My master.cf is
submission inet n  -  y  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_reject_unlisted_recipient=no
  # -o smtpd_client_restrictions=$mua_client_restrictions
  # -o smtpd_helo_restrictions=$mua_helo_restrictions
  # -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=
  # -o smtpd_relay_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
And my main.cf is
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.2.0/24
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = mail.example.org
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, mail.example.org, mail3.example.org, localhost.example.org, localhost
relayhost =
I have received hundreds of thousands of emails to a specific account from that account like this:
Return-Path: <nobody@mail.example.org>
Delivered-To: support_desk@example.org
Received: from mail.example.org
    by mail.example.org with LMTP
    id wD98AeFp/F8WUgAASGYJ/Q
    (envelope-from <nobody@mail.example.org>)
    for <support_desk@example.org>; Mon, 11 Jan 2021 10:08:17 -0500
Received: by mail.example.org (Postfix, from userid 65534)
    id 06C412449DA; Mon, 11 Jan 2021 08:11:36 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;
    s=2020122201; t=1610370697; h=from:from:sender:reply-to:subject:subject:date:date:
    message-id:message-id:to:to:cc:mime-version:content-type:
    content-transfer-encoding:in-reply-to:references;
    bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;
    b=kDMb7uDRl/dzTXWGMi75Cx0OgKvqDTgzuMgBD8bsFzDCAYFgd3csm78WFY2XoLjq30BqTD
    c3k4lwsvACLKhWK8L3j+l9AsX6lnJBzs7N7OBXWf6VN2U5Wdb3OSLjvyI20DOlwW/6sd94
    lRC446wHCsex4iP7XOJXRaJo4+bH7NY=
To: support_desk@example.org
Subject: Support [TICKET 1877258] [TICKET 1877259]
From: Archie Support <support@example.org>
Message-Id: <20210111131137.06C412449DA@mail.example.org>
Date: Mon, 11 Jan 2021 08:11:36 -0500 (EST)
Can anyone please help and let me know if there is an issue with my config? It seems that now my server is also listed on a couple of blacklists.
Any ideas are appreciated.
Turned out to be a loop. Someone connected and guessed an account that was an alias, that would then reply to the sender and forward the email to some other account.
All-in-all a good excuse to enjoy a 12-pack while reading mail logs...
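The headers quoted in the question already carry the fingerprints of such a loop: the message is generated locally by the nobody user (userid 65534), it carries no Auto-Submitted header, and the Subject has collected one [TICKET n] tag per cycle. The following Python script is an added example, not code from the question or from Postfix; it shows a header-side detector for those indicators and the guard an auto-responder should apply (RFC 3834: never reply to mail marked Auto-Submitted or sent with a null reverse path; the Precedence, List-Id and X-Auto-Response-Suppress checks are common practice rather than RFC text). Both sample messages are constructed, modelled on the question's headers, and the hop limit of 10 is an assumption chosen for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the question's headers (ids and addresses made up).
LOOP_SAMPLE = """\
Return-Path: <nobody@mail.example.org>
Delivered-To: support_desk@example.org
Received: from mail.example.org
    by mail.example.org with LMTP id abc123
    for <support_desk@example.org>; Mon, 11 Jan 2021 10:08:17 -0500
Received: by mail.example.org (Postfix, from userid 65534)
    id 06C412449DA; Mon, 11 Jan 2021 08:11:36 -0500 (EST)
To: support_desk@example.org
Subject: Support [TICKET 1877258] [TICKET 1877259]
From: Archie Support <support@example.org>
Message-Id: <20210111131137.06C412449DA@mail.example.org>

(ticket auto-reply body)
"""

# Constructed: the same kind of reply, marked the way RFC 3834 says automatic mail should be.
MARKED_SAMPLE = """\
Return-Path: <>
Auto-Submitted: auto-replied
To: support_desk@example.org
Subject: Support [TICKET 1877260]
From: Archie Support <support@example.org>

(ticket auto-reply body)
"""

RECEIVED_HOP_LIMIT = 10                  # assumed for this example; Postfix's own hopcount_limit is 50
TAG_RE = re.compile(r"\[TICKET \d+\]")   # the responder's subject tag; one more copy per loop cycle
DAEMON_USERS = ("nobody", "www-data", "daemon")


def loop_indicators(raw):
    """Return the names of loop indicators present in one message's headers."""
    msg = message_from_string(raw)
    found = []
    if len(msg.get_all("Received", [])) > RECEIVED_HOP_LIMIT:
        found.append("too_many_received_hops")
    if len(TAG_RE.findall(msg.get("Subject", ""))) >= 2:
        found.append("repeated_subject_tag")
    sender = parseaddr(msg.get("From", ""))[1]
    rcpt = parseaddr(msg.get("To", ""))[1]
    if sender and sender == rcpt:
        found.append("self_addressed")
    ret = parseaddr(msg.get("Return-Path", ""))[1]
    if ret.split("@")[0] in DAEMON_USERS:
        found.append("daemon_return_path")
        if msg.get("Auto-Submitted") is None:   # generated mail that forgot to say so
            found.append("unmarked_automatic_mail")
    return found


def should_auto_reply(raw):
    """Responder-side guard: False whenever an automatic reply could feed a loop."""
    msg = message_from_string(raw)
    if (msg.get("Auto-Submitted") or "no").strip().lower() != "no":
        return False                                            # RFC 3834 section 2
    if parseaddr(msg.get("Return-Path", "<>"))[1] == "":
        return False                                            # null reverse path: bounce/notification
    if (msg.get("Precedence") or "").strip().lower() in ("bulk", "list", "junk"):
        return False
    if msg.get("X-Auto-Response-Suppress") or msg.get("List-Id"):
        return False
    return True


if __name__ == "__main__":
    print("loop sample:", loop_indicators(LOOP_SAMPLE), "reply?", should_auto_reply(LOOP_SAMPLE))
    print("marked sample:", loop_indicators(MARKED_SAMPLE), "reply?", should_auto_reply(MARKED_SAMPLE))
```

The two functions belong to different places: loop_indicators runs at the mailbox or in a content filter and would have raised the alarm long before hundreds of thousands of copies arrived; should_auto_reply belongs in the ticketing system, and applying it to the unmarked message returns True, which is exactly why the loop could run.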

Postfix Username and Password not accepted (BadCredentials)

and thank you for reading. I know this question has been asked many times - I've read a ton of different answers, and have tried most of them. None of them have worked so far. I'm pretty new to using postfix and appreciate any assistance you can provide.
I'm using Proxmox 6.1, on Debian buster. I'm attempting to use the email function for failed backups. My domain is using Gsuite mail. I have setup the SMTP relay with both my ipv4 and ipv6 public addresses, and I have verified the credentials are correct and generated new .db each time I made a change.
My sasl_passwd
smtp-relay.gmail.com:587 root@mydomain.com:password
My main.cf (domain & ip have been edited)
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
#myhostname=pve.myisp (auto generated)
myhostname = mydomain.com
#G-Suite relay test
relayhost = smtp-relay.gmail.com:587
# Use tls
smtp_use_tls = yes
smtp_tls_security_level = encrypt
tls_random_source = dev:/dev/urandom
# Use sasl when authenticating to foreign SMTP servers
smtp_sasl_auth_enable = yes
# Path to password map file
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# List of CAs to trust when verifying server certificate
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
# Eliminates default security options which are incompatible with gmail
smtp_sasl_security_options = noanonymous
smtp_sasl_mechanism_filter = plain
compatibility_level = 2
Error logs:
Apr 30 16:45:52 pve postfix/qmgr[34586]: 4B3AD320C9A: from=<root@mydomain.com>, size=396, nrcpt=1 (queue active)
Apr 30 16:45:54 pve postfix/smtp[34617]: 4B3AD320C9A: SASL authentication failed; server smtp-relay.gmail.com[74.125.30.28] said: 535-5.7.8 Username and Password not accepted. Learn more at 535 5.7.8 https://support.google.com/mail/?p=BadCredentials m33sm110720uad.2 - gsmtp
Apr 30 16:45:54 pve postfix/smtp[34617]: 4B3AD320C9A: to=<mypersonalemail@gmail.com>, relay=smtp-relay.gmail.com[2607:f8b0:4003:c0b::1c]:587, delay=2.6, delays=0.05/0.06/2.4/0, dsn=4.7.8, status=deferred (SASL authentication failed; server smtp-relay.gmail.com[2607:f8b0:4003:c0b::1c] said: 535-5.7.8 Username and Password not accepted. Learn more at 535 5.7.8 https://support.google.com/mail/?p=BadCredentials v7sm169048ooo.20 - gsmtp)
I managed to solve my issue.
Ignore any & all gsuite documentation, and use [smtp.gmail.com]:587 instead of smtp-relay.gmail.com:587
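Switching the relayhost, as the answer above does, also changes the lookup key Postfix uses in smtp_sasl_password_maps: the key must match the relayhost value exactly, brackets and port included, with the remote server's hostname as a fallback. The following Python checker is an added example, not code from the question or from Postfix. It parses a main.cf fragment and a sasl_passwd file (both constructed here, modelled on the question's configuration with the password redacted) and reports the mismatches that produce BadCredentials-style failures, plus one hardening point: with smtp_sasl_security_options reduced to noanonymous, as in the question, the PLAIN mechanism is allowed without TLS, so the TLS level must be encrypt or stricter for the password never to leave the host in clear. The finding names are this example's own.

```python
import re

# Constructed main.cf fragment modelled on the question (relayhost and TLS level are filled in per case).
MAIN_CF = """\
myhostname = mydomain.com
relayhost = {relayhost}
smtp_use_tls = yes
smtp_tls_security_level = {level}
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_sasl_security_options = noanonymous
smtp_sasl_mechanism_filter = plain
"""

# Constructed sasl_passwd line; the real file holds the actual password.
SASL_PASSWD = "{key} root@mydomain.com:REDACTED_PASSWORD\n"

STRICT_TLS_LEVELS = ("encrypt", "dane-only", "fingerprint", "verify", "secure")


def parse_main_cf(text):
    """Minimal main.cf reader: 'name = value', '#' comment lines, indented continuation lines."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last:
            params[last] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            last = name.strip()
            params[last] = value.strip()
    return params


def parse_sasl_passwd(text):
    """sasl_passwd source file: '<nexthop-or-hostname> <user>:<password>' per line."""
    creds = {}
    for raw in text.splitlines():
        s = raw.strip()
        if s and not s.startswith("#"):
            parts = s.split(None, 1)
            if len(parts) == 2:
                creds[parts[0]] = parts[1]
    return creds


def bare_host(nexthop):
    """'[smtp.gmail.com]:587' -> 'smtp.gmail.com' (the hostname form of the lookup key)."""
    return re.sub(r":\d+$", "", nexthop).strip("[]")


def check_relay_credentials(main_cf_text, sasl_passwd_text):
    """Return a list of finding names; an empty list means the relay credentials line up."""
    cf = parse_main_cf(main_cf_text)
    creds = parse_sasl_passwd(sasl_passwd_text)
    findings = []
    relayhost = cf.get("relayhost", "")
    if not relayhost:
        return ["no_relayhost"]
    if cf.get("smtp_sasl_auth_enable", "no").lower() != "yes":
        findings.append("sasl_auth_disabled")
    entry = creds.get(relayhost)
    if entry is None:
        entry = creds.get(bare_host(relayhost))
        findings.append("key_matches_hostname_only" if entry is not None else "no_credentials_for_relayhost")
    if entry is not None and ":" not in entry:
        findings.append("malformed_credential")
    level = cf.get("smtp_tls_security_level", "")
    opts = cf.get("smtp_sasl_security_options", "noplaintext, noanonymous")  # Postfix default
    if level not in STRICT_TLS_LEVELS and "noplaintext" not in opts:
        findings.append("plaintext_auth_possible")
    return findings


if __name__ == "__main__":
    cf = MAIN_CF.format(relayhost="[smtp.gmail.com]:587", level="encrypt")
    print("stale key:", check_relay_credentials(cf, SASL_PASSWD.format(key="smtp-relay.gmail.com:587")))
    print("fixed key:", check_relay_credentials(cf, SASL_PASSWD.format(key="[smtp.gmail.com]:587")))
```

Run it against the live files after every relayhost change (and then postmap the sasl_passwd file again, as the question already does). The key_matches_hostname_only case works but is fragile, because it depends on the hostname Postfix resolves matching the map entry.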

NSS + PAM + TACACS+: first session fails

I have a device that I want to authorize using a TACACS+ server.
I have TACACS version: tac_plus version F4.0.4.26
I have a TACACS server with the following configuration:
accounting file = /var/log/tac_plus.acct
key = testing123
default authentication = file /etc/passwd
user = sf {
default service = permit
login = cleartext 1234
}
user = DEFAULT {
# login = PAM
service = ppp protocol = ip {}
}
On the device I have NSS with this config:
/etc/nsswitch.conf
passwd: files rf
group: files
shadow: files
hosts: files dns
networks: files dns
protocols: files
services: files
ethers: files
rpc: files
and pam.d with an sshd file in it:
# SERVER 1
auth required /lib/security/pam_rf.so
auth [success=done auth_err=die default=ignore] /lib/security/pam_tacplus.so server=172.18.177.162:49 secret=testing123 timeout=5
account sufficient /lib/security/pam_tacplus.so server=172.18.177.162:49 service=ppp protocol=ip timeout=5
session required /lib/security/pam_rf.so
session sufficient /lib/security/pam_tacplus.so server=172.18.177.162:49 service=ppp protocol=ip timeout=5
password required /lib/security/pam_rf.so
# PAM configuration for the Secure Shell service
# Standard Un*x authentication.
auth include common-auth
# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so
# Standard Un*x authorization.
account include common-account
# Set the loginuid process attribute.
session required pam_loginuid.so
# Standard Un*x session setup and teardown.
session include common-session
# Standard Un*x password updating.
password include common-password
And the problem: when I connect to the device for the first time via TeraTerm, I see that the entered user name was added at session start to /etc/passwd and /etc/shadow,
but the login does not succeed, and on the TACACS server I see in the logs:
Mon Dec 17 19:00:05 2018 [25418]: session.peerip is 172.17.236.2
Mon Dec 17 19:00:05 2018 [25418]: forked 5385
Mon Dec 17 19:00:05 2018 [5385]: connect from 172.17.236.2 [172.17.236.2]
Mon Dec 17 19:00:05 2018 [5385]: Found entry for alex in shadow file
Mon Dec 17 19:00:05 2018 [5385]: verify
IN $6$DUikjB1i$4.cM87/pWRZg2lW3gr3TZorAReVL7JlKGA/2.BRi7AAyHQHz6bBenUxGXsrpzXkVvpwp0CrtNYAGdQDYT2gaZ/
Mon Dec 17 19:00:05 2018 [5385]:
IN encrypts to $6$DUikjB1i$AM/ZEXg6UAoKGrFQOzHC6/BpkK0Rw4JSmgqAc.xJ9S/Q7n8.bT/Ks73SgLdtMUAGbLAiD9wnlYlb84YGujaPS/
Mon Dec 17 19:00:05 2018 [5385]: Password is incorrect
Mon Dec 17 19:00:05 2018 [5385]: Authenticating ACLs for user 'DEFAULT' instead of 'alex'
Mon Dec 17 19:00:05 2018 [5385]: pap-login query for 'alex' ssh from 172.17.236.2 rejected
Mon Dec 17 19:00:05 2018 [5385]: login failure: alex 172.17.236.2 (172.17.236.2) ssh
After that, if I close TeraTerm, open it again and try to connect, the connection is established successfully; then if I close TeraTerm and open it again, the same problem appears. It fails on every second try.
What may be the problem with it? It is driving me crazy already.
After digging into the problem more deeply, I found out that it was my fault: I compiled my name service using g++ instead of gcc.
Because the name service uses
#include <pwd.h>
which defines the interface for functions like nss_service_getpwnam_r and others that were written in C, I had to use:
extern "C" {
#include <pwd.h>
}
or compile my program using GCC. I hope that if someone faces the same problem one day, this will help him/her. Good luck.

Why is openvpn responding with "could not read Auth username from stdin?" [closed]

Closed 5 years ago.
Just did an update on my system and for some reason I can no longer log into my VPN service. I'm running gentoo.
Here's my /etc/openvpn/openvpn.conf.
client
dev tun
proto udp
remote myvpnguys.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
tls-client
remote-cert-tls server
comp-lzo
verb 1
reneg-sec 0
crl-verify crl.pem
keepalive 10 300
auth-user-pass
I start my service on gentoo as follows:
$ sudo /etc/init.d/openvpn start
* Caching service dependencies ... [ ok ]
* Starting openvpn ... [ ok ]
* WARNING: openvpn has started, but is inactive
And here is the log file which shows the username prompt, but it's as if it just keeps on going.
$ sudo cat ./openvpn.log
Sat Aug 15 00:57:32 2015 OpenVPN 2.3.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Aug 15 2015
Sat Aug 15 00:57:32 2015 library versions: OpenSSL 1.0.1p 9 Jul 2015, LZO 2.08
Enter Auth Username:
Sat Aug 15 00:57:32 2015 ERROR: could not read Auth username from stdin
Sat Aug 15 00:57:32 2015 Exiting due to fatal error
This is a bug in 2.3.7 and fixed in 2.3.8:
https://community.openvpn.net/openvpn/ticket/248
Add this line to /etc/portage/package.keywords:
=net-misc/openvpn-2.3.8
and install 2.3.8.

nmap does not show all open ports [closed]

Closed 7 years ago.
I have a YARN cluster running in EMR. When I ssh into the master node and run nmap 10.0.0.254, I get the following result:
Starting Nmap 5.51 ( http://nmap.org ) at 2015-06-10 00:17 UTC
Nmap scan report for ip-10-0-0-254.ec2.internal (10.0.0.254)
Host is up (0.00045s latency).
Not shown: 987 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
8443/tcp open https-alt
8649/tcp open unknown
8651/tcp open unknown
8652/tcp open unknown
9000/tcp open cslistener
9101/tcp open jetdirect
9102/tcp open jetdirect
9103/tcp open jetdirect
9200/tcp open wap-wsp
14000/tcp open scotty-ft
I know the YARN resource manager is running on 10.0.0.254:9026, but I do not see it in the result above; however, when I run nmap -p 9026 10.0.0.254 I get
Starting Nmap 5.51 ( http://nmap.org ) at 2015-06-10 00:18 UTC
Nmap scan report for ip-10-0-0-254.ec2.internal (10.0.0.254)
Host is up (0.000055s latency).
PORT STATE SERVICE
9026/tcp open unknown
Why does nmap not include the service running on 9026 when I run the first command?
By default, Nmap scans the most common 1,000 ports for each protocol (TCP in your case); 9026 is not one of the most common.
Here's how to specify ports to scan:
http://nmap.org/book/man-port-specification.html
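The practical consequence of the answer above is that a port missing from a default scan is not known to be closed; it may simply be outside the scanned range. The following Python script is an added example, not code from the question or from the Nmap project. It parses Nmap's normal output (the question's own scan, copied as constructed sample input), recovers how many ports were actually scanned from the "Not shown" line, and compares the open ports against an expected list, so an exposure review reports unexpected open ports and, separately, expected ports the scan never covered. The expected-port list and the finding names are this example's own assumptions.

```python
import re

# Sample input: the scan output from the question, copied here as a constructed fixture.
SAMPLE_SCAN = """\
Starting Nmap 5.51 ( http://nmap.org ) at 2015-06-10 00:17 UTC
Nmap scan report for ip-10-0-0-254.ec2.internal (10.0.0.254)
Host is up (0.00045s latency).
Not shown: 987 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
8443/tcp open https-alt
8649/tcp open unknown
8651/tcp open unknown
8652/tcp open unknown
9000/tcp open cslistener
9101/tcp open jetdirect
9102/tcp open jetdirect
9103/tcp open jetdirect
9200/tcp open wap-wsp
14000/tcp open scotty-ft
"""

# Assumed inventory of what the master node is expected to expose (includes YARN on 9026).
EXPECTED_OPEN = [22, 80, 3306, 8443, 8649, 8651, 8652, 9000, 9026, 9101, 9102, 9103, 9200, 14000]

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
NOT_SHOWN_RE = re.compile(r"(\d+) (?:closed|filtered) ports?")
DEFAULT_TOP_PORTS = 1000   # nmap's default scope per protocol


def parse_nmap(text):
    """Parse Nmap normal output into {port: (state, service)} plus the number of ports scanned."""
    ports, hidden = {}, 0
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports[int(m.group(1))] = (m.group(3), m.group(4))
        elif line.startswith("Not shown:"):
            hidden += sum(int(n) for n in NOT_SHOWN_RE.findall(line))
    return {"ports": ports, "scanned": hidden + len(ports)}


def compare(scan, expected_open):
    """Exposure review: open ports not in the inventory, inventory ports not seen,
    and whether the scan covered only the default top-ports range."""
    open_ports = {p for p, (state, _) in scan["ports"].items() if state == "open"}
    return {
        "unexpected_open": sorted(open_ports - set(expected_open)),
        # not seen != closed: the port may be outside the scanned range (as 9026 is here)
        "expected_not_seen": sorted(set(expected_open) - open_ports),
        "limited_scope": scan["scanned"] <= DEFAULT_TOP_PORTS,
    }


if __name__ == "__main__":
    result = compare(parse_nmap(SAMPLE_SCAN), EXPECTED_OPEN)
    print(result)
    if result["limited_scope"] and result["expected_not_seen"]:
        print("re-run with -p- (or -p with the listed ports) before treating these as closed:",
              result["expected_not_seen"])
```

When limited_scope is true and expected_not_seen is non-empty, the right follow-up is the answer's own advice: name the ports explicitly (nmap -p 9026, or -p- for the full range) rather than concluding the service is down.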
