After threatening to turn on SMTP authentication a few years ago, Virginmedia suddenly did last weekend without warning. I had authentication working with postfix when they first threatened but removed the settings since then and I can't get it to work again. These are the relevant bits of /etc/postfix/main.cf:
# Outbound SMTP authentication
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
relayhost = smtp.ntlworld.com:465
smtp_use_tls = yes
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
and my matching /etc/postfix/sasl_passwd is:
smtp.ntlworld.com:465 my.email.address@ntlworld.com:my_password
I've verified the password with:
postmap -q smtp.ntlworld.com /etc/postfix/sasl_passwd
and it returns my.email.address@ntlworld.com:my_password
I've tried changing "smtp_sasl_security_options = noanonymous" to "smtp_sasl_security_options = ", "smtp_use_tls = yes" to "smtp_use_tls = no", [ and ] round smtp.ntlworld.com and nothing I do seems to work. I can send directly using Thunderbird with Connection security = SSL/TLS and Authentication = Normal Password and it works fine.
All I seem to get in my logs are:
Jan 13 20:23:30 server postfix/smtp[31223]: 2C814E0FE5: to=<wherever@gmail.com>, relay=smtp.ntlworld.com[62.254.26.221]:465, delay=3310, delays=3299/0.16/11/0, dsn=4.4.2, status=deferred (lost connection with smtp.ntlworld.com[62.254.26.221] while receiving the initial server greeting)
Does anyone have a working set up or any words of wisdom they can give me?
Accepted Answer
Even the authentication problem with SMTP persists on Gmail, even after reconfiguring twice or thrice, I was facing errors while sending and receiving emails from other users, could possibly be due to gmail error 007 associated with that of Gmail. -
Accepted Answer
Ok here are my findings about virginmedia.
smtp.virginmedia.com:25 closed.
smtp.ntlworld.com:25 open
smtp.blueyonder.co.uk open
I have been using smtp.virginmedia.com and have now changed to blueyonder and have no issues whatsoever, so if like me you've been having problems and you are using smtp.virginmedia.com change to either ntlworld or blueyonder and you'll be good to go. -
Accepted Answer
VM removed the requirement to use authentication a few days after they imposed it because of customer uproar. However, they say they would still like customers to use authentication. Since I have it set up I can't be bothered to remove it, but if I did not already have it, I doubt if I'd add it. -
Accepted Answer
Leonard wrote:
Exactly the same!! grr, I'm just gonna put virginmedia in the client as the smtp server, it's the only way I can send email when I'm outside the domain.....
That will only work while you are on a VM network. I believe their SMTP server will block relaying from outside its network.
Did you reinstall ClearOS or just Postfix? If just Postfix it may not have overwritten your main.cf. Either way, have a look at your "postconf -n" and see if it has the same problems. -
Accepted Answer
Exactly the same!! grr, I'm just gonna put virginmedia in the client as the smtp server, it's the only way I can send email when I'm outside the domain.....
Feb 21 17:50:54 mail postfix/smtpd[18118]: fatal: open dictionary: expecting "type:name" form instead of "smtp_sasl_password_maps"
Feb 21 17:50:55 mail postfix/master[2207]: warning: process /usr/libexec/postfix/smtpd pid 18118 exit status 1
Feb 21 17:50:55 mail postfix/master[2207]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling -
Accepted Answer
We have a few differences, but in your output have a look at your "local_recipient" line. It appears to have a few lines of configuration in one which will be messing it up. How are you editing your file? If you are dragging it onto your PC then using notepad it will go wrong because on the Linux end-of-line markers are done differently to notepad. Wordpad can work, but better is to use something like WinSCP and its built-in editor or get WinSCP to use notepad++. Can you try fixing that.
FWIW I notice you are using "smtpd_sasl_auth_enable = yes". If you are only relaying from your LAN I suggest you disable SMTP Authentication and rely on the restricted networks, or, at least keep port 25 closed to the public. If you wanted to relay from outside, I've been making some investigations and it looks like the ClearOS settings allow you to keep SMTP Authentication off but relay through port 587 (STARTTLS) with authentication. At the moment most password cracking is going on through port 25 and not port 587 so it may be a better way to go. I hope to check this out soon as my wife now has a smartphone and as I have my own domain, I will need to relay through it. I really do not want to open port 25 to the public for authenticated relaying. -
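A check for the merged-line damage described in the reply above, run over an excerpt of the `postconf -n` output posted in this thread. This is an added example, not code from any poster or from ClearOS or Postfix; the function name and the short list of table-valued parameters are assumptions made for the illustration.

```python
import re

# A "name =" sequence inside a value means two or more main.cf lines were merged.
EMBEDDED = re.compile(r"\s([A-Za-z][A-Za-z0-9_]*)\s+=(?=\s|$)")

# Parameters whose value is a list of lookup tables; this subset is an
# assumption made for the example, not a complete list.
MAP_PARAMS = {"alias_maps", "local_recipient_maps", "smtp_sasl_password_maps",
              "transport_maps", "virtual_alias_maps"}


def lint_postconf(text):
    """Return {parameter: [problems]} for `postconf -n` style text."""
    findings = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        name, value = name.strip(), value.strip()
        if not sep or not name:
            continue
        problems = []
        swallowed = EMBEDDED.findall(" " + value)
        if swallowed:
            problems.append("merged settings: " + ", ".join(swallowed))
        if name in MAP_PARAMS:
            # Each table must be "type:name" or a $reference to another parameter.
            bad = [t for t in re.split(r"[,\s]+", value)
                   if t and not t.startswith("$") and ":" not in t]
            if bad:
                problems.append("not type:name: " + " ".join(bad))
        if problems:
            findings[name] = problems
    return findings


# Excerpt of the `postconf -n` output posted in the thread.
SAMPLE = """\
alias_maps = hash:/etc/aliases
local_recipient_maps = $alias_maps $virtual_alias_maps smtp_sasl_auth_enable = yes smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
luser_relay =
relayhost = [127.0.0.1]:10465
virtual_alias_maps = $alias_maps, $virtual_maps, ldap:/etc/postfix/zarafa-aliases.cf, ldap:/etc/postfix/zarafa-groups.cf
"""

if __name__ == "__main__":
    for param, problems in lint_postconf(SAMPLE).items():
        for problem in problems:
            print(f"{param}: {problem}")
```

On a live system the input would be the text printed by `postconf -n`; any parameter reported here has swallowed settings that Postfix is therefore not applying under their own names.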
Accepted Answer
Hi Nick yeah done all that mate, here is the output of postconf -n
Many Thanks.
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
bounce_queue_lifetime = 6h
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = mailprefilter
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
inet_protocols = all
local_recipient_maps = $alias_maps $virtual_alias_maps smtp_sasl_auth_enable = yes smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
luser_relay =
mail_owner = postfix
mailbox_size_limit = 102400000
mailbox_transport = mailpostfilter
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 51200000
message_strip_characters = \0
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = mine.co.uk
myhostname = mine.co.uk
mynetworks = 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
recipient_delimiter = +
relayhost = [127.0.0.1]:10465
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_security_options = noanonymous
smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_key_file = /etc/postfix/key.pem
smtpd_tls_loglevel = 1
smtpd_use_tls = yes
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = $alias_maps, $virtual_maps, ldap:/etc/postfix/zarafa-aliases.cf, ldap:/etc/postfix/zarafa-groups.cf -
Accepted Answer
Did you follow the authentication guide to set up the password in /etc/postfix/sasl_passwd? The file should be in the form:
[127.0.0.1]:10465 your_ntlworld_user_name@ntlworld.com:your_password
Then load the file with a:
postmap /etc/postfix/sasl_passwd
If it is not that, then please post the output to:
postconf -n
-
Accepted Answer
Hi Nick,
I tried this but I am left with these errors from /var/log/maillog
Feb 20 23:15:57 mail postfix/smtpd[17777]: fatal: open dictionary: expecting "type:name" form instead of "smtp_sasl_password_maps"
Feb 20 23:15:58 mail postfix/master[17631]: warning: process /usr/libexec/postfix/smtpd pid 17777 exit status 1
Feb 20 23:15:58 mail postfix/master[17631]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling
I don't suppose you encountered this error with a fix?
Fresh install clearos 6.5
2.6.32-504.8.1.v6.x86_64 -
Accepted Answer
Update and solution:
I mailed the postfix mailing list and they pointed me to stunnel as well and to use a search "postfix stunnel 465". From that I found this solution which had to be modified a bit:
yum -y install stunnel --enablerepo=clearos-core
wget -O /etc/init.d/stunnel https://bugzilla.redhat.com/attachment.cgi?id=325164
Go to /etc/init.d/stunnel and change /var/run/stunnel/stunnel.pid to /var/run/stunnel.pid (twice) and /usr/sbin/stunnel to /usr/bin/stunnel.
Create a file /etc/stunnel/stunnel.conf and put the following in it:
[smtps]
accept = 10465
client = yes
connect = smtp.ntlworld.com:465
Then
chmod 755 /etc/init.d/stunnel
chkconfig stunnel on
service stunnel start
Then test it works with:
$ telnet localhost 10465
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 outbound.att.net ESMTP ready
$ quit
221 2.0.0 Bye
Connection closed by foreign host.
Then moving on to postfix and keeping it in line with the ClearOS Authentication User Guide make sure you have the following in your /etc/postfix/main.cf:
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
relayhost = [127.0.0.1]:10465
Some guides also set "smtp_use_tls = yes" and "smtp_sasl_security_options = noanonymous". I am not sure why as you are not using these features with stunnel. I have them anyway as I use sender_dependent_relayhosts where the other sender (gmail) requires them.
Again, in line with the user guide, create a file /etc/postfix/sasl_passwd:
[127.0.0.1]:10465 your_ntlworld_email_address:your_ntlworld_email_password
Then load the password and reload postfix:
postmap /etc/postfix/sasl_passwd
service postfix reload
At this point you can delete the /etc/postfix/sasl_passwd file which contains the plain text password.
You should now be able to relay through smtp.ntlworld.com port 465.
Another good thing happened with the postfix devs. There was a flurry of activity on my thread and a patch has been written to avoid needing to use stunnel. I don't know if the patch is complete and it is against the latest version of postfix which is post 2.11, but we are only on 2.6.6.
[edit]
If you use logwatch, your stunnel entries in the report will look wrong. I can suggest changes to improve it.
[/edit] -
Accepted Answer
This is getting dire. I don't have, or at least can't see, an obvious configuration error. I can relay via my gmail account but it rewrites the "from" in the mail header so it messes up my email addresses belonging to my domain. If Virginmedia turn on authentication everywhere I am stranded.
I'll try to investigate the stunnel bit as soon as I get time.
I just wish Clear would add an smtp server relay to their mx backup offering. I'd happily pay for that.
[edit]
And, just repeating, it works correctly directly from Thunderbird.
[/edit] -
Accepted Answer
The [ and ] prevent an MX lookup before an A lookup. In the VM case smtp.virginmedia.com does not have an MX record. It would be safer to leave them out and with all my testing I finished with them out. Actually VM may have backed down a bit as I left off the :465 and it worked - using port 25 - which was failing before. I really want to get the authentication going again in case it is turned back on! -
Accepted Answer
I use gmail as my relay host (and I thought virginmedia changed over to using gmail!); the only real difference I can see is that the only way I could get it to work was with;
smtp_tls_security_level = may
relayhost = [smtp.gmail.com]:587
and with matching [] in sasl_passwd
without the [] it wouldn't work .. -
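The point in the post above about matching [] between relayhost and sasl_passwd, as an added example that is not part of the thread: it takes the text of main.cf and of the sasl_passwd source file and reports a key that names the same host as relayhost but differs in brackets or port. The function names and the sample values are constructed for the illustration; the last relayhost assignment is used because Postfix keeps only the last definition of a parameter.

```python
import re


def relayhost_of(main_cf):
    """Return the effective relayhost: the last assignment in main.cf wins."""
    hits = re.findall(r"^relayhost[ \t]*=[ \t]*(\S*)", main_cf, flags=re.M)
    return hits[-1] if hits else ""


def passwd_keys(sasl_passwd):
    """Lookup keys (first field) of a sasl_passwd source file, comments skipped."""
    keys = []
    for line in sasl_passwd.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            keys.append(line.split()[0])
    return keys


def bare_host(nexthop):
    """Strip a numeric :port and any [] so near-miss keys can be recognised."""
    host = nexthop.rsplit(":", 1)[0] if re.search(r":\d+$", nexthop) else nexthop
    return host.strip("[]").lower()


def check_credentials(main_cf, sasl_passwd):
    """Compare the relayhost with the sasl_passwd keys and describe the result."""
    relay = relayhost_of(main_cf)
    if not relay:
        return "no relayhost set"
    keys = passwd_keys(sasl_passwd)
    if relay in keys:
        return "ok"
    near = [k for k in keys if bare_host(k) == bare_host(relay)]
    if near:
        return f"mismatch: relayhost {relay} but sasl_passwd key {near[0]}"
    return f"missing: no sasl_passwd entry for {relay}"


# Constructed sample: a leftover earlier relayhost line plus the stunnel one.
MAIN_CF = ("relayhost = smtp.ntlworld.com:465\n"
           "smtp_sasl_auth_enable = yes\n"
           "relayhost = [127.0.0.1]:10465\n")
SASL_PASSWD = ("# constructed placeholder credentials\n"
               "127.0.0.1:10465 user@example.invalid:PLACEHOLDER\n")

if __name__ == "__main__":
    print(check_credentials(MAIN_CF, SASL_PASSWD))
```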
Accepted Answer
Thanks. I know I had it working ages ago but they have changed something as I used to use port 587 which is now closed.
Last night just before going to bed I did a "postconf -n" and it showed different settings to what I posted in main.cf so I think I have duplicate entries. I'll check tonight.
I can get by for the moment as smtp.virgin.net is still not authenticated but I don't imagine it will last. -
Accepted Answer
http://doc.coker.com.au/internet/how-to-debug-smtp-with-tlsssl-and-auth/
Following steps here I was able to test the SSL connection against smtp.ntlworld.com using openssl, but it fails to connect if 'STARTTLS' is requested. The resulting connection appears to connect using TLSv1, TLSv1.1 or SSLv3 and authenticates OK... so not sure what Postfix is doing!
[root@leonardo ~]# openssl s_client -CApath /etc/ssl/certs/ -connect smtp.ntlworld.com:465
CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=GB/ST=Hampshire/L=Hook/O=Virgin Media Ltd/OU=internet operations/CN=smtp.ntlworld.com
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
...snip...
-----END CERTIFICATE-----
subject=/C=GB/ST=Hampshire/L=Hook/O=Virgin Media Ltd/OU=internet operations/CN=smtp.ntlworld.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 4276 bytes and written 563 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.1
Cipher : RC4-SHA
Session-ID: DD79AB593xxxxxxxxxxxxxxxxxxx3E5B3F6B82CB5
Session-ID-ctx:
Master-Key: 89DED20F9xxxxxxxxxxxxxxxxxxxA38D6A94276719
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1421193871
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
220 know-smtprelay-4-imp bizsmtp ESMTP server ready
ehlo mail.mydomain.com
250-know-smtprelay-4-imp hello [86.2.222.6], pleased to meet you
250-HELP
250-AUTH LOGIN PLAIN
250-SIZE 52000000
250-8BITMIME
250-STARTTLS
250 OK
auth login
334 VXNlcm5hbWU6
xxxxxxxxxxxxxxx
334 UGFzc3dvcmQ6
xxxxxxxxxxxxxxx
235 ... authentication succeeded
quit
221 know-smtprelay-4-imp bizsmtp closing connection
read:errno=0 -
Accepted Answer
I got it working once with a wrapper called stunnel, which can tunnel any traffic (in this case SMTP over SSL)
Apparently from other threads on the VM forums it's because Postfix won't do SSL on port 465 but I'm not sure
http://community.virginmedia.com/t5/Forum-Archive/Running-postfix-email-relay-smtp/td-p/66253/page/2
I'm still working without SMTP authentication on port 25...for now!