Develop Reference

OpenSSL Client Certification "rsa routines:int_rsa_verify:wrong signature length error" (Nginx)

I have followed the guides here: https://arcweb.co/securing-websites-nginx-and-client-side-certificate-authentication-linux/ and here: https://www.djouxtech.net/posts/nginx-client-certificate-authentication/ to setup Client Certification authentication (with CRL) for my home network on Raspbian. However when using both methods (starting fresh each time) i get the following error in the Nginx access log (with a HTTP 400 response to the client):
2021/01/03 13:35:32 [alert] 26452#26452: *10 ignoring stale global SSL error (SSL: error:04091077:rsa routines:int_rsa_verify:wrong signature length error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib) while waiting for request, client: 192.168.1.1, server: 0.0.0.0:443
2021/01/03 13:35:32 [info] 26452#26452: *10 client SSL certificate verify error: (8:CRL signature failure) while reading client request headers, client: 192.168.1.1, server: ****, request: "GET / HTTP/1.1", host: "***"
I do already have Client Certificates working using this guide: https://gist.github.com/rkaramandi/20a04a41536f3d7e6d2f26b0b9605ab6 but i wanted to move to having a more maintainable system with a CRL to make certificate maintenance easier.
My Nginx config for the site is:
server {
listen 443 ssl;
server_name ***;
#added for client cert auth
ssl_client_certificate /etc/ssl/ca/certs/cacert.pem;
# ssl_client_certificate /etc/nginx/ssl/ca.crt; #The working non-CRL CA
ssl_crl /etc/ssl/ca/crl/ca.crl;
ssl_verify_client optional;
ssl_verify_depth 2;
ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
#added for client cert auth
location / {
# SSL client verification is optional in general but not for the front end, so I can use other apps without client certificates.
if ($ssl_client_verify != SUCCESS) {
return 403;
}
proxy_pass http://***;
proxy_set_header Host $host;
proxy_redirect http:// https://;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
ssl_certificate /etc/letsencrypt/live/***/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/***/privkey.pem; # managed by Certbot
}
I can't seem to find any solutions to the error i am seeing other than to start again. I have tried generating the client certificates with 2048 and 4096 key lengths but this doesn't seem to fix the problem.
I tried generating a client certificate and revoking it just to see if the CRL worked and it seemed to but i still get the length error:
2021/01/03 13:52:19 [alert] 27291#27291: *4 ignoring stale global SSL error (SSL: error:04091077:rsa routines:int_rsa_verify:wrong signature length error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib) while waiting for request, client: 192.168.1.1, server: 0.0.0.0:443
2021/01/03 13:52:19 [info] 27291#27291: *4 client SSL certificate verify error: (23:certificate revoked) while reading client request headers, client: 192.168.1.1, server: ***, request: "GET / HTTP/1.1", host: "***"
I have also tried commenting out most lines in the Nginx site config file with no impact so i think this is an issue with the certificates being generated using OpenSSL as opposed to a Nginx issue.
My openssl.cnf file used is below in case there is a part not mentioned in the guides causing an issue:
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# Note that you can include other files from the main configuration
# file using the .include directive.
#.include filename
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
# System default
openssl_conf = default_conf
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = /etc/ssl/ca # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certs with same subject.
new_certs_dir = $dir/certs # default place for new certs.
certificate = $dir/ca.crt # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/ca.key # The private key
RANDFILE = $dir/private/.rand # Private random file number
x509_extensions = usr_cert # The extensions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for
default_crl_days= 300 # how long before next CRL
default_md = default # use public key default MD
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = AU
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = ***
localityName = Locality Name (eg, city)
localityName_default = ***
0.organizationName = Organization Name (eg, company)
0.organizationName_default = ***
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = ***
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical,CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always
[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
####################################################################
[ tsa ]
default_tsa = tsa_config1 # the default TSA section
[ tsa_config1 ]
# These are used by the TSA reply generation only.
dir = ./demoCA # TSA root directory
serial = $dir/tsaserial # The current serial number (mandatory)
crypto_device = builtin # OpenSSL engine to use for signing
signer_cert = $dir/tsacert.pem # The TSA signing certificate
# (optional)
certs = $dir/cacert.pem # Certificate chain to include in reply
# (optional)
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
signer_digest = sha256 # Signing digest to use. (Optional)
default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # number of digits after dot. (optional)
ordering = yes # Is ordering defined for timestamps?
# (optional, default: no)
tsa_name = yes # Must the TSA name be included in the reply?
# (optional, default: no)
ess_cert_id_chain = no # Must the ESS cert id chain be included?
# (optional, default: no)
ess_cert_id_alg = sha1 # algorithm to compute certificate
# identifier (optional, default: sha1)
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT#SECLEVEL=2
Does anyone have any thoughts of what i might be doing wrong or a more recent guide that i can use to get this setup?

OK so now i feel silly, i updated to aes256 instead of des3 using the original guide and this is working as expected now.

Openstack how to properly activate vpnaas log?

We have an openstack cluster build with openstack ansible, we are very happy with it. Actually i am trying to set an VPN. We have activate all necessary thing and tried successfully between our openstack and a sonicwall. We are trying now with a customer unfortunately the connection don't come up and i am looking to find some log but it seems that's nothing is logged.
We are on Openstack Ussuri and Ubuntu 20.04
We have activate Strongswan
Below some config file:
Controller-node:
/etc/neutron/neutron.conf
[DEFAULT]
# Disable stderr logging
use_stderr = false
debug = true
publish_errors = true
fatal_deprecations = False
use_journal = True
## Rpc all
executor_thread_pool_size = 64
rpc_response_timeout = 60
transport_url = hide
# Domain to use for building hostnames
dns_domain = openstacklocal
# Agent
[agent]
polling_interval = 5
report_interval = 60
root_helper = sudo /openstack/venvs/neutron-21.0.0/bin/neutron-rootwrap
/etc/neutron/rootwrap.conf
root_helper_daemon = sudo /openstack/venvs/neutron-21.0.0/bin/neutron-
rootwrap-daemon /etc/neutron/rootwrap.conf
# Messaging
[oslo_messaging_rabbit]
ssl = True
rpc_conn_pool_size = 30
# Notifications
[oslo_messaging_notifications]
topics = notifications
driver = messagingv2
transport_url = hide
# Concurrency (locking mechanisms)
[oslo_concurrency]
lock_path = /var/lock/neutron
/etc/neutron/l3_agent.ini:
[DEFAULT]
debug = True
# Drivers
interface_driver = linuxbridge
agent_mode = legacy
# Conventional failover
allow_automatic_l3agent_failover = True
# HA failover
ha_confs_path = /var/lib/neutron/ha_confs
ha_vrrp_advert_int = 2
ha_vrrp_auth_password = hide
ha_vrrp_auth_type = PASS
# Metadata
enable_metadata_proxy = True
# L3 plugins
# VPNaaS
[vpnagent]
vpn_device_driver = neutron_vpnaas.services.vpn.device_drivers.strongswan_ipsec.StrongSwanDriver
[AGENT]
extensions = vpnaas
/etc/neutron/neutron_vpnaas.conf:
[service_providers]
service_provider = VPN:strongswan:neutron_vpnaas.services.vpn.service_drivers.ipsec.IPsecVPNDriver:default
/etc/neutron/rootwrap.conf:
[DEFAULT]
# List of directories to load filter definitions from (separated by ',').
# These directories MUST all be only writeable by root !
# List of directories to search executables in, in case filters do not
# explicitely specify a full path (separated by ',')
# If not specified, defaults to system PATH environment variable.
# These directories MUST all be only writeable by root !
# Enable logging to syslog
# Default value is False
use_syslog = False
# Which syslog facility to use.
# Valid values include auth, authpriv, syslog, local0, local1...
# Default value is 'syslog'
syslog_log_facility = syslog
# Which messages to log.
# INFO means log all usage
# ERROR means only log unsuccessful attempts
syslog_log_level = ERROR
# Rootwrap daemon exits after this seconds of inactivity
daemon_timeout = 600
filters_path = /etc/neutron/rootwrap.d,/usr/share/neutron/rootwrap
exec_dirs = /openstack/venvs/neutron- 21.0.0/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin
[xenapi]
# XenAPI configuration is only required by the L2 agent if it is to
# target a XenServer/XCP compute host's dom0.
xenapi_connection_url = <None>
xenapi_connection_username = root
xenapi_connection_password = <None>
/openstack/venvs/neutron-21.0.0/lib/python3.8/site-packages/neutron_vpnaas/services/vpn/device_drivers/template/strongswan/ipsec.conf.template:
# Configuration for {{vpnservice.id}}
config setup
charondebug="ike 4, knl 4,net 4,enc 4,chd 4,esp 4,cfg 2,dmn 4,mgr 4,asn 4"
conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
authby=psk
mobike=no
{% for ipsec_site_connection in vpnservice.ipsec_site_connections%}
conn {{ipsec_site_connection.id}}
keyexchange={{ipsec_site_connection.ikepolicy.ike_version}}
left={{ipsec_site_connection.external_ip}}
leftsubnet={{ipsec_site_connection['local_cidrs']|join(',')}}
leftid={{ipsec_site_connection.local_id}}
leftfirewall=yes
right={{ipsec_site_connection.peer_address}}
rightsubnet={{ipsec_site_connection['peer_cidrs']|join(',')}}
rightid={{ipsec_site_connection.peer_id}}
auto=route
dpdaction={{ipsec_site_connection.dpd_action}}
dpddelay={{ipsec_site_connection.dpd_interval}}s
dpdtimeout={{ipsec_site_connection.dpd_timeout}}s
ike={{ipsec_site_connection.ikepolicy.encryption_algorithm}}-{{ipsec_site_connection.ikepolicy.auth_algorithm}}-{{ipsec_site_connection.ikepolicy.pfs}}
ikelifetime={{ipsec_site_connection.ikepolicy.lifetime_value}}s
{%- if ipsec_site_connection.ipsecpolicy.transform_protocol == "ah" %}
ah={{ipsec_site_connection.ipsecpolicy.auth_algorithm}}-{{ipsec_site_connection.ipsecpolicy.pfs}}
{%- else %}
esp={{ipsec_site_connection.ipsecpolicy.encryption_algorithm}}-{{ipsec_site_connection.ipsecpolicy.auth_algorithm}}-{{ipsec_site_connection.ipsecpolicy.pfs}}
{%- endif %}
lifetime={{ipsec_site_connection.ipsecpolicy.lifetime_value}}s
type={{ipsec_site_connection.ipsecpolicy.encapsulation_mode}}
{% endfor %}
If someone can help me to activate log that's will be great
Thanks

I've finally managed to activate the log, below my config in addition of the first post:
On controllers:
/etc/strongswan.d/charon-logging.conf
charon {
# Section to define file loggers, see LOGGER CONFIGURATION in
# strongswan.conf(5).
filelog {
# <name> may be the full path to the log file if it only contains
# characters permitted in section names. Is ignored if path is
# specified.
charon {
# Loglevel for a specific subsystem.
# <subsystem> = <default>
# If this option is enabled log entries are appended to the existing
# file.
append = no
# Default loglevel.
default = 3
# Enabling this option disables block buffering and enables line
# buffering.
flush_line = yes
# Prefix each log entry with the connection name and a unique
# numerical identifier for each IKE_SA.
ike_name = yes
# Optional path to the log file. Overrides the section name. Must be
# used if the path contains characters that aren't allowed in
# section names.
path = /var/log/charon-ike.log
# Adds the milliseconds within the current second after the
# timestamp (separated by a dot, so time_format should end with %S
# or %T).
time_add_ms = yes
# Prefix each log entry with a timestamp. The option accepts a
# format string as passed to strftime(3).
time_format = %b %e %T
}
}
# Section to define syslog loggers, see LOGGER CONFIGURATION in
# strongswan.conf(5).
syslog {
# Identifier for use with openlog(3).
# identifier = CHARON
# <facility> is one of the supported syslog facilities, see LOGGER
# CONFIGURATION in strongswan.conf(5).
# auth {
# Loglevel for a specific subsystem.
# <subsystem> = <default>
# Default loglevel.
# default = 2
# Prefix each log entry with the connection name and a unique
# numerical identifier for each IKE_SA.
# ike_name = yes
# }
}
}
And most important:
sudo apparmor_parser -R /etc/apparmor.d/usr.lib.ipsec.charon
With this config you will have a log file under /var/log/charon-ike.log .
Maybe you need to restart neutron
Thanks for the help ;)

This it not an answer but it makes it more readable. We didn't touch the charon configs, but this is the /etc/strongswan.d/charon-logging.conf:
charon {
# Section to define file loggers, see LOGGER CONFIGURATION in
# strongswan.conf(5).
filelog {
# <filename> is the full path to the log file.
# <filename> {
# Loglevel for a specific subsystem.
# <subsystem> = <default>
# If this option is enabled log entries are appended to the existing
# file.
# append = yes
# Default loglevel.
# default = 1
# Enabling this option disables block buffering and enables line
# buffering.
# flush_line = no
# Prefix each log entry with the connection name and a unique
# numerical identifier for each IKE_SA.
# ike_name = no
# Prefix each log entry with a timestamp. The option accepts a
# format string as passed to strftime(3).
# time_format =
# }
}
# Section to define syslog loggers, see LOGGER CONFIGURATION in
# strongswan.conf(5).
syslog {
# Identifier for use with openlog(3).
# identifier =
# <facility> is one of the supported syslog facilities, see LOGGER
# CONFIGURATION in strongswan.conf(5).
# <facility> {
# Loglevel for a specific subsystem.
# <subsystem> = <default>
# Default loglevel.
# default = 1
# Prefix each log entry with the connection name and a unique
# numerical identifier for each IKE_SA.
# ike_name = no
# }
}
}

postfix throwing Recipient address rejected error when configured with virtual_mailbox_domains

I have configured postfix to send received email to local LMTP agent using virtual_mailbox_domains parameter it works fine if the received email is received for FQDN of the machine running postfix but if it's for the IP address of the machine then it throws the following error "Recipient address rejected: User unknown in local recipient table". Tried different things but no luck. I would really appreciate any tips on this scenario.
Thanks for your help in advance!
Here is the topology:
IP FQDN
Machine A (sending machine) 10.2.20.40 machine-a.test.com
Machine B (Postfix + LMTP) 10.2.20.50 mta.test.com
Machine B is running postfix + custom LMTP.
Example 1 (succeeds)
Send email to user#mta.test.com from Machine A. This use case succeeds and Postfix successfully delivers email to customer LMTP agent listening on localhost's socket.
Success case /etc/postfix/main.cf:
virtual_mailbox_domains = mta.test.com
/etc/postfix/virtual_mailbox_map:
user#mta.test.com lmtp:inet:127.0.0.1:5678
Example 2 (Failed case)
Send email to user#10.2.20.50 from Machine A. This case fails and Postfix throws this error in mail.log "NOQUEUE: reject: RCPT from unknown[10.2.20.40]: 550 5.1.1 : Recipient address rejected: User unknown in local recipient table; from= to= proto=ESMTP helo=<[127.0.1.1]>"
Failure case /etc/postfix/main.cf:
virtual_mailbox_domains = 10.2.20.50
/etc/postfix/virtual_mailbox_map:
user#10.2.20.50 lmtp:inet:127.0.0.1:5678
POSTFIX main.cf (Common config part for both cases):
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
append_dot_mydomain = no
readme_directory = no
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
inet_interfaces = all
inet_protocols = all
mydestination = localhost
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
recipient_delimiter = +
smtpd_client_restrictions = permit_mynetworks, permit
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks, permit, reject_unauth_destination
resolve_numeric_domain = yes
unknown_local_recipient_reject_code = 550
myhostname = mta-machine
virtual_mailbox_maps = hash:/etc/postfix/virtual_mailbox_map
virtual_transport = lmtp:inet:127.0.0.1:5678

user#10.2.20.50 is incorrect syntax.
user#[10.2.20.50] is what the RFC allows for.
But anyway: Since Postfix says "User unknown in local recipient table", the domain part is considered to be local. Not virtual.

You could try adding:
[10.2.20.50] is_a_virtual_domain
user#[10.2.20.50] someother#address
to virtual_alias_maps and check if it works, but I'm not sure about this at all.
#[10.2.20.50] syntax is rather byzantine.

Sieve not filtering email

I setup Postfix with Spamassassin and Dovecot with Sieve. Spamassassin will tag the email as spam.
I am trying to get Sieve to move mail tagged as "Spam" by SpamAssassin into the Junk folder. However, it is not doing so. I have no idea what I am doing wrong and am quite frustrated.
Here's my dovecot.conf dump:
$ dovecot -n
# 2.2.9: /etc/dovecot/dovecot.conf
# OS: Linux 3.13.0-37-generic x86_64 Linux Mint 17.1 Rebecca ext4
info_log_path = /var/log/dovecot-info.log
log_path = /var/log/dovecot.log
mail_location = maildir:/var/mail/vmail/%u
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date ihave
namespace {
inbox = yes
location =
mailbox Drafts {
auto = subscribe
special_use = \Drafts
}
mailbox Junk {
auto = subscribe
special_use = \Junk
}
mailbox Sent {
auto = subscribe
special_use = \Sent
}
mailbox Trash {
auto = subscribe
special_use = \Trash
}
prefix =
separator = /
type = private
}
passdb {
args = scheme=plain /etc/dovecot/passwd
driver = passwd-file
}
plugin {
sieve = ~/.dovecot.sieve
sieve_before = /etc/dovecot/sieve/sieve.default
sieve_default = /etc/dovecot/sieve/sieve.default
sieve_dir = ~/sieve
sieve_global_dir = /var/lib/dovecot/sieve/
}
protocols = imap lmtp sieve
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
user = postfix
}
}
service managesieve-login {
inet_listener sieve {
port = 4190
}
inet_listener sieve_deprecated {
port = 2000
}
process_min_avail = 0
service_count = 1
vsz_limit = 64 M
}
service managesieve {
process_limit = 1024
}
ssl_cert = </etc/ssl/certs/ssl-cert-snakeoil.pem
ssl_key = </etc/ssl/private/ssl-cert-snakeoil.key
userdb {
args = uid=vmail gid=vmail home=/home/vmail/%u
driver = static
}
protocol lda {
mail_plugins = " sieve"
}
protocol lmtp {
mail_plugins = " sieve"
}
protocol sieve {
mail_max_userip_connections = 10
mail_plugins =
managesieve_implementation_string = Dovecot Pigeonhole
managesieve_logout_format = bytes=%i/%o
managesieve_max_compile_errors = 5
managesieve_max_line_length = 65536
managesieve_notify_capability =
managesieve_sieve_capability =
}
My /etc/dovecot/sieve/sieve.default is the following:
$ cat /etc/dovecot/sieve/sieve.default
require "fileinto";
if header :contains "X-Spam-Flag" "YES" {
fileinto "Junk";
}
The "Junk" folder exists. Here is a dump of the email:
From user#domain.tld Mon May 11 14:37:44 2015
Return-Path: <user#domain.tld>
X-Original-To: user#testmail.domain.tld
Delivered-To: user#testmail.domain.tld
Received: by Linux-Mint (Postfix, from userid 5001)
id A59ECE34D1; Mon, 11 May 2015 14:37:44 -0400 (EDT)
Received: from localhost by Linux-Mint
with SpamAssassin (version 3.4.0);
Mon, 11 May 2015 14:37:44 -0400
From: User <user#domain.tld>
To: user#testmail.domain.tld
Subject: *****SPAM***** This is Junk Mail
Date: Mon, 11 May 2015 14:37:38 -0400
Message-Id: <20150511183738.GD7930#user-pc>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on Linux-Mint
X-Spam-Flag: YES
X-Spam-Level: **************************************************
X-Spam-Status: Yes, score=1000.0 required=5.0 tests=GTUBE autolearn=no
autolearn_force=no version=3.4.0
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------=_5550F6F8.2DF3E67D"
Status: RO
Content-Length: 1867
Lines: 52
This is a multi-part message in MIME format.
------------=_5550F6F8.2DF3E67D
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Spam detection software, running on the system "Linux-Mint",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
##CONTACT_ADDRESS## for details.
Content preview: GTUBE string: XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
[...]
Content analysis details: (1000.0 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
1000 GTUBE BODY: Generic Test for Unsolicited Bulk Email
------------=_5550F6F8.2DF3E67D
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Received: from domain.tld (my-hostname.domain.tld [IPv6:REMOVED])
by Linux-Mint (Postfix) with ESMTPS id 0A6A2E34BF
for <user#testmail.domain.tld>; Mon, 11 May 2015 14:37:40 -0400 (EDT)
Received: from user-pc (unknown [IPv6:2001:470:8:209::c0ff:ee])
by domain.tld (Postfix) with ESMTPSA id 03FD41028E
for <user#testmail.domain.tld>; Mon, 11 May 2015 18:37:40 +0000 (UTC)
Date: Mon, 11 May 2015 14:37:38 -0400
From: User <user#domain.tld>
To: user#testmail.domain.tld
Subject: This is Junk Mail
Message-ID: <20150511183738.GD7930#user-pc>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.21 (2010-09-15)
GTUBE string:
XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X
------------=_5550F6F8.2DF3E67D--
I am testing this email from one server to another, the sender and receiver are not the same machine. The recipient was user#testmail.domain.tld and the sender was user#domain.tld. The email is clearly marked as spam.
Why isn't it moving the email into the Junk folder?

Figured it out. As I am still a noob, my answer may not be the best, but I hope it helps someone out there.
This had a few problems, but primarily postfix was not routing mail to dovecot for delivery. Dovecot+sieve were totally bypassed.
To fix this, I had to have Postfix and Dovecot communicate over lmtp. First, I setup dovecot:
protocol lda {
mail_plugins = $mail_plugins sieve
}
protocol lmtp {
mail_plugins = $mail_plugins sieve
}
service lmtp {
inet_listener lmtp {
address = 127.0.0.1 ::1
port = 10025
}
}
Then I had to tell postfix to talk to dovecot. I did this by doing:
virtual_transport = lmtp:[::1]:10025
Then back to dovecot, I had to properly configure sieve.
plugin {
sieve = ~/.dovecot.sieve
sieve_dir = ~/sieve
sieve_before = /etc/dovecot/sieve/sieve.default
sieve_default = /etc/dovecot/sieve/sieve.default
sieve_global_dir = /var/lib/dovecot/sieve/
}
service managesieve-login {
inet_listener sieve {
port = 4190
}
service_count = 1
process_min_avail = 0
vsz_limit = 64M
}
service managesieve {
process_limit = 1024
}
protocol sieve {
managesieve_max_line_length = 65536
mail_max_userip_connections = 10
# Space separated list of plugins to load (none known to be useful so far).
# Do NOT try to load IMAP plugins here.
mail_plugins =
managesieve_logout_format = bytes=%i/%o
managesieve_implementation_string = Dovecot Pigeonhole
managesieve_sieve_capability =
managesieve_notify_capability =
managesieve_max_compile_errors = 5
}
From here I put in the standard spamassassin filter rules in /etc/dovecot/sieve/sieve.default, which in my case was:
require "fileinto";
if header :contains "X-Spam-Flag" "YES" {
fileinto "Junk";
}
After that, I ran:
sievec /etc/dovecot/sieve/sieve.default
This "compiled" the sieve rules. And finally, I restarted dovecot and postfix.
sudo service dovecot restart
sudo service postfix restart
Upon that, I sent myself a test spam and it was redirected to the spam folder. I hope this helps and I ask that you pardon and correct any mistakes I may have made.

lmtp seemingly unsupported by postfix

I'm setting up my mail server and I followed that tutorial https://www.linode.com/docs/email/postfix/email-with-postfix-dovecot-and-mysql to help me doing so. Everything went fine during the setup and configuration but when it went to test problem started. From what I've tested I can log in just fine and the logs shows me that the connection has been accepted, but when I want to receive or to send a email I start to see errors like the following line :
server postfix/smtpd[28557]: error: unsupported dictionary type: lmtp
I searched a lot online but I can't seems to find any resources about that specific error. Running postconf -m doesn't show me "lmtp" but I'm not sure if it's normal or not.
Would anyone have any suggestions?
Here are my configuration files :
main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
#smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
#smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
#smtpd_use_tls=yes
#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_cert_file=/etc/dovecot/dovecot.pem
smtpd_tls_key_file=/etc/dovecot/private/dovecot.pem
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
#Enabling SMTP for authenticated users, and handing off authentication to Dovecot
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
reject_unauth_destination
#Handing off local delivery to Dovecot's LMTP, and telling it where to store mail
virtual_transport = lmtp:unix:private/dovecot-lmtp
#Virtual domains, users, and aliases
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = server.brunodelor.info
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = localhost
relayhost =
#mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
master.cf
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
smtp inet n - - - - smtpd
#smtp inet n - - - 1 postscreen
#smtpd pass - - - - - smtpd
#dnsblog unix - - - - 0 dnsblog
#tlsproxy unix - - - - 0 tlsproxy
submission inet n - - - - smtpd
# -o syslog_name=postfix/submission
# -o smtpd_tls_security_level=encrypt
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
# -o syslog_name=postfix/smtps
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - - - - qmqpd
pickup unix n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
relay unix - - - - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
# mailbox_transport = lmtp:inet:localhost
# virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}
dovecot.conf
## Dovecot configuration file
# Enable installed protocols
!include_try /usr/share/dovecot/protocols.d/*.protocol
protocols = imap lmtp
##
## Dictionary server settings
##
dict {
#quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
#expire = sqlite:/etc/dovecot/dovecot-dict-sql.conf.ext
}
# Most of the actual configuration gets included below. The filenames are
# first sorted by their ASCII value and parsed in that order. The 00-prefixes
# in filenames are intended to make it easier to understand the ordering.
!include conf.d/*.conf
# A config file can also tried to be included without giving an error if
# it's not found:
!include_try local.conf
10-master.conf
service imap-login {
inet_listener imap {
port = 0
}
inet_listener imaps {
#port = 993
#ssl = yes
}
}
service pop3-login {
inet_listener pop3 {
port = 0
}
inet_listener pop3s {
#port = 995
#ssl = yes
}
}
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
mode = 0600
user = postfix
group = postfix
}
# Create inet listener only if you can't use the above UNIX socket
#inet_listener lmtp {
# Avoid making LMTP visible for the entire internet
#address =
#port =
#}
}
service imap {
# Most of the memory goes to mmap()ing files. You may need to increase this
# limit if you have huge mailboxes.
#vsz_limit = $default_vsz_limit
# Max. number of IMAP processes (connections)
#process_limit = 1024
}
service pop3 {
# Max. number of POP3 processes (connections)
#process_limit = 1024
}
service auth {
# permissions (e.g. 0777 allows everyone full permissions).
unix_listener /var/spool/postfix/private/auth {
mode = 0666
user = postfix
group = postfix
}
unix_listener auth-userdb {
mode = 0600
user = vmail
#group = vmail
}
# Postfix smtp-auth
#unix_listener /var/spool/postfix/private/auth {
# mode = 0666
#}
# Auth process is run as this user.
user = dovecot
}
service auth-worker {
# Auth worker process is run as root by default, so that it can access
# /etc/shadow. If this isn't necessary, the user should be changed to
# $default_internal_user.
user = vmail
}
service dict {
# If dict proxy is used, mail processes should have access to its socket.
# For example: mode=0660, group=vmail and global mail_access_groups=vmail
unix_listener dict {
#mode = 0600
#user =
#group =
}
}
10-mail.conf
##
## Mailbox locations and namespaces
##
# Location for users' mailboxes. The default is empty, which means that Dovecot
# tries to find the mailboxes automatically. This won't work if the user
# doesn't yet have any mail, so you should explicitly tell Dovecot the full
# location.
#
mail_location = maildir:/var/mail/vhosts/%d/%n
# If you need to set multiple mailbox locations or want to change default
# namespace settings, you can do it by defining namespace sections.
#
# You can have private, shared and public namespaces. Private namespaces
# are for user's personal mails. Shared namespaces are for accessing other
# users' mailboxes that have been shared. Public namespaces are for shared
# mailboxes that are managed by sysadmin. If you create any shared or public
# namespaces you'll typically want to enable ACL plugin also, otherwise all
# users can access all the shared mailboxes, assuming they have permissions
# on filesystem level to do so.
namespace inbox {
# Namespace type: private, shared or public
#type = private
# Hierarchy separator to use. You should use the same separator for all
# namespaces or some clients get confused. '/' is usually a good one.
# The default however depends on the underlying mail storage format.
#separator =
# Prefix required to access this namespace. This needs to be different for
# all namespaces. For example "Public/".
#prefix =
# Physical location of the mailbox. This is in same format as
# mail_location, which is also the default for it.
#location =
# There can be only one INBOX, and this setting defines which namespace
# has it.
inbox = yes
}
Thanks for reading :)

You should remove space at beginning of the line:
virtual_transport = lmtp:unix:private/dovecot-lmtp
And the same for next lines.