Ubuntu

系統升級後後綴無法正常工作(沒有 SASL 身份驗證機制)

  • May 6, 2017

我在 Ubuntu Server 機器 14.04 LTS 上執行了一個工作的 postfix/dovecot 配置。然後我使用 . 升級到 16.04.2 do-release-upgrade。除了我的郵件服務,一切似乎都正常。在更新之前一切正常,但現在我有一個奇怪的行為。當我從內部 LAN 連接時,客戶端沒有發生錯誤,但沒有顯示電子郵件,也沒有文件夾等,看起來郵件伺服器是空的。但是當我嘗試從外部(即 mxtoolbox)連接時,我得到You hung up on us after we connected. Please whitelist us. (connection lost). 在 syslog 中發生以下情況:

postfix/smtpd[26657]: connect from pws3.mxtoolbox.com[64.20.227.134]
dovecot: auth: Warning: sql: Ignoring changed user_query in /etc/dovecot/dovecot-sql.conf.ext, because us$
postfix/smtpd[26657]: fatal: no SASL authentication mechanisms
postfix/master[21009]: warning: process /usr/lib/postfix/sbin/smtpd pid 26657 exit status 1
postfix/master[21009]: warning: /usr/lib/postfix/sbin/smtpd: bad command startup -- throttling

我已經檢查了 no SASL 錯誤,但找不到問題。libsasl2-modules已安裝並且 saslauthd 服務正在執行,我在更新之前或之後沒有更改配置上的任何內容。

我正在為郵件系統使用 postfix、dovecot 和 mysql 數據庫。

postconf -n

append_dot_mydomain = no
biff = no
dovecot_destination_recipient_limit = 1
inet_interfaces = all
inet_protocols = all
local_recipient_maps = $virtual_mailbox_maps
mailbox_size_limit = 51200000
message_size_limit = 51200000
mydestination =
myhostname = mymaildomain.tld
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client sbl.spamhaus.org, check_client_access cidr:/etc/postfix/ip-block, permit
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client sbl.spamhaus.org, check_client_access cidr:/etc/postfix/ip-block
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noplaintext
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_unknown_sender_domain
smtpd_tls_cert_file = /etc/letsencrypt/live/koehnkenet.de/fullchain.pem
smtpd_tls_ciphers = high
smtpd_tls_key_file = /etc/letsencrypt/live/koehnkenet.de/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = proxy:mysql:/etc/postfix/virtual/mysql-aliases.cf, proxy:mysql:/etc/postfix/virtual/mysql_virtual_alias_domain_maps.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/virtual/mysql-domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/virtual/mysql-maps.cf, proxy:mysql:/etc/postfix/virtual/mysql_virtual_alias_domain_mailbox_maps.cf, proxy:mysql:/etc/postfix/virtual/mysql_virtual_alias_domain_catchall_maps.cf
virtual_transport = dovecot

systemctl status dovecot -l

dovecot.service - Dovecot IMAP/POP3 email server
  Loaded: loaded (/lib/systemd/system/dovecot.service; enabled; vendor preset: enabled)
  Active: active (running) since Di 2017-05-02 00:59:41 CEST; 10h ago
    Docs: man:dovecot(1)
          http://wiki2.dovecot.org/
 Process: 21507 ExecStop=/usr/bin/doveadm stop (code=exited, status=0/SUCCESS)
 Process: 21512 ExecStart=/usr/sbin/dovecot (code=exited, status=0/SUCCESS)
Main PID: 21515 (dovecot)
  CGroup: /system.slice/dovecot.service
          ├─21515 /usr/sbin/dovecot
          ├─21516 dovecot/anvil
          ├─21517 dovecot/log
          ├─21542 dovecot/config
          ├─26588 dovecot/imap-login
          ├─26592 dovecot/imap
          ├─26662 dovecot/imap-login
          ├─26666 dovecot/imap
          ├─26679 dovecot/auth
          ├─26680 dovecot/ssl-params
          └─26685 dovecot/auth -w

systemctl 狀態後綴 -l

   postfix.service - LSB: Postfix Mail Transport Agent
      Loaded: loaded (/etc/init.d/postfix; bad; vendor preset: enabled)
     Drop-In: /run/systemd/generator/postfix.service.d
              └─50-postfix-$mail-transport-agent.conf
      Active: active (running) since Di 2017-05-02 00:28:49 CEST; 11h ago
        Docs: man:systemd-sysv-generator(8)
     Process: 20854 ExecStop=/etc/init.d/postfix stop (code=exited, status=0/SUCCESS)
     Process: 20883 ExecStart=/etc/init.d/postfix start (code=exited, status=0/SUCCESS)
      CGroup: /system.slice/postfix.service
              ├─21009 /usr/lib/postfix/sbin/master
              ├─21011 qmgr -l -t fifo -u
              ├─21015 tlsmgr -l -t unix -u -c
              └─25923 pickup -l -t fifo -u -c

systemctl 狀態 saslauthd -l

saslauthd.service - LSB: saslauthd startup script
  Loaded: loaded (/etc/init.d/saslauthd; bad; vendor preset: enabled)
  Active: active (running) since Di 2017-05-02 00:27:59 CEST; 11h ago
    Docs: man:systemd-sysv-generator(8)
 Process: 20756 ExecStop=/etc/init.d/saslauthd stop (code=exited, status=0/SUCCESS)
 Process: 20775 ExecStart=/etc/init.d/saslauthd start (code=exited, status=0/SUCCESS)
  CGroup: /system.slice/saslauthd.service
          ├─20799 /usr/sbin/saslauthd -a pam -c -m /var/run/saslauthd -n 5
          ├─20800 /usr/sbin/saslauthd -a pam -c -m /var/run/saslauthd -n 5
          ├─20801 /usr/sbin/saslauthd -a pam -c -m /var/run/saslauthd -n 5
          ├─20802 /usr/sbin/saslauthd -a pam -c -m /var/run/saslauthd -n 5
          └─20803 /usr/sbin/saslauthd -a pam -c -m /var/run/saslauthd -n 5

Mai 02 00:27:59 Mydomain systemd[1]: Starting LSB: saslauthd startup script...
Mai 02 00:27:59 Mydomain saslauthd[20775]:  * Starting SASL Authentication Daemon saslauthd
Mai 02 00:27:59 Mydomain saslauthd[20799]: detach_tty      : master pid is: 20799
Mai 02 00:27:59 Mydomain saslauthd[20799]: ipc_init        : listening on socket: /var/run/saslauthd/mux
Mai 02 00:27:59 Mydomain saslauthd[20775]:    ...done.
Mai 02 00:27:59 Mydomain systemd[1]: Started LSB: saslauthd startup script.

/etc/postfix/main.cf

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
append_dot_mydomain = no
readme_directory = no

# TLS parameters
smtpd_tls_cert_file=/etc/letsencrypt/live/mydomain.tld/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mydomain.tld/privkey.pem
smtpd_use_tls=yes

# Disable SSLv2/3 as they are vulnerable
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_ciphers = high

smtpd_tls_loglevel = 1


myhostname = mydomain.tld
myorigin = /etc/mailname
mydestination =
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 51200000
message_size_limit = 51200000
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all

###### SASL Auth ######
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noplaintext

###### Use Dovecot LMTP Service to deliver Mails to Dovecot ######
#virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_transport = dovecot
dovecot_destination_recipient_limit=1

##### Only allow mail transport if client is authenticated or in own network (PHP Scripts, ...) ######
smtpd_recipient_restrictions =
       permit_mynetworks,
       permit_sasl_authenticated,
       reject_unauth_destination,
       reject_rbl_client sbl.spamhaus.org,
       check_client_access cidr:/etc/postfix/ip-block,
       permit
smtpd_sender_restrictions = reject_unknown_sender_domain

###### MySQL Connection ######
virtual_alias_maps = proxy:mysql:/etc/postfix/virtual/mysql-aliases.cf, proxy:mysql:/etc/postfix/virtual/mysql_virtual_alias_domain_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/virtual/mysql-maps.cf, proxy:mysql:/etc/postfix/virtual/mysql_virtual_alias_domain_mailbox_maps.cf,  proxy:mysql:/etc/postfix/virtual/mysql_virtual_alias_domain_catchall_maps.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/virtual/mysql-domains.cf
local_recipient_maps = $virtual_mailbox_maps
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client sbl.spamhaus.org, check_client_access cidr:/etc/postfix/ip-block

/etc/postfix/master.cf

smtp       inet  n       -       y       -       -       smtpd

dovecot   unix  -       n       n       -       -       pipe
   flags=DRhu user=vmail:mail argv=/usr/lib/dovecot/deliver -d ${recipient}

鴿子會議 -n

# 2.2.22 (fe789d2): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.13 (7b14904)
# OS: Linux 4.4.0-75-generic x86_64 Ubuntu 16.04.2 LTS
auth_mechanisms = plain login
base_dir = /var/run/dovecot/
first_valid_uid = 150
last_valid_uid = 150
mail_gid = mail
mail_home = /media/daten/vmail/%d/%n
mail_location = maildir:~/mail:LAYOUT=fs
mail_privileged_group = mail
mail_uid = vmail
namespace inbox {
 inbox = yes
 location =
 mailbox Drafts {
   special_use = \Drafts
 }
 mailbox Junk {
   special_use = \Junk
 }
 mailbox Sent {
   special_use = \Sent
 }
 mailbox "Sent Messages" {
   special_use = \Sent
 }
 mailbox Trash {
   special_use = \Trash
 }
 prefix =
}
passdb {
 args = /etc/dovecot/dovecot-sql.conf.ext
 driver = sql
}
postmaster_address = postmaster@mydomain.tld
protocols = " imap lmtp"
service auth {
 unix_listener /var/spool/postfix/private/auth {
   group = postfix
   mode = 0660
   user = postfix
 }
 unix_listener auth-userdb {
   group = mail
   mode = 0600
   user = vmail
 }
}
service lmtp {
 unix_listener lmtp {
   group = postfix
   mode = 0660
   user = postfix
 }
 user = vmail
}
ssl = required
ssl_cert = </etc/letsencrypt/live/mydomain.tld/fullchain.pem
ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
ssl_key = </etc/letsencrypt/live/mydomain.tld/privkey.pem

MySQL 正在執行,憑據也在執行,dovecot 的 sql 查詢也在執行並輸出正確的數據,當我嘗試在 phpmyadmin 中使用它們時,postfixadmin 也在執行。硬碟已安裝並且路徑也正確,vmail 文件夾包含郵件和文件夾等。我不知道為什麼我無法從公共網路連接,但只能從本地網路連接,郵箱中沒有顯示電子郵件或文件夾。

我發現了問題。問題是我用

smtpd_sasl_security_options = noanonymous,noplaintext

但沒有設置smtpd_tls_auth_only = yes,所以明文連接立即被拒絕。

在這裡找到答案:http: //postfix.1071664.n5.nabble.com/quot-smtpd-sasl-security-options-noplaintext-quot-with-dovecot-td25165.html

引用自:https://serverfault.com/questions/847736