Postfix setup documentation does not specify removing the chroot for SMTP Auth

Bug #105378 reported by Mickey
Affects: ubuntu-docs (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Unassigned

Bug Description

Binary package hint: postfix

1. Install Ubuntu 6.10 (fresh) (or Feisty, but let's stick to stable)

2. Install postfix

3. Follow the postfix 6.10 guide.

4. Normal sent mail without protection (tls) works.

5. TLS email fails with message in logs: " warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory"

Note that this installation (see comments) is still chrooted, so this is inevitable.

Scott Kitterman (kitterman) wrote :

I'm running Postfix with TLS and SASL with both Feisty and Edgy (6.10) and used to do so with Dapper.

What you are experiencing is a configuration issue of some sort. Please have a look at:

http://www.postfix.org/DEBUG_README.html

At the end there is a section called "Reporting problems to <email address hidden>". Please provide the information requested there here (not to the postfix mailing list). That will help us understand what is going on with your Postfix.

Mickey (michael.z) wrote : [Bug 105378] Re: SASL authentication failure Ubuntu 6.10

Hello there,

I would like to email you my postfix configuration, but only in private, as I would not like it to appear, for spam / safety reasons, on Ubuntu's bugzilla. I am really lost, as I followed multiple guides to the letter. Literally "Copy / Paste", of course with the domains changing from example.com. If I manage to follow the tasks at that link (http://www.postfix.org/DEBUG_README.html#debug_peer) it would be nice. I can send you any logs that I have here to make sure that the most basic things are correct.

You might be able to spot something. It should not be a configuration error on a virgin Ubuntu install by following guides to the letter. It is possible, but unlikely, as I stuck to the safety defaults. It seems from the link you have sent, Scott, that it is not running in chroot.

Tell me before I do please what to send (paste) to you: So far after I confirm this email address does not post back to a mailing list.

* /var/log/mail.log ?

* /etc/postfix/main.cf ?

* /etc/postfix/master.cf ?

* any other logs that may be helpful to you to help us all.

Mickey (michael.z) wrote : Re: SASL authentication failure Ubuntu 6.10

It has posted my secondary but not private email address. Please can someone edit that above? I emailed right from the email client. Thanks.

Scott Kitterman (kitterman) wrote :

There is no security sensitive information in postconf -n or saslfinger. You can safely provide that information here.

Log snippets should be fine unless you have made the logs more verbose than normal (don't do this it usually isn't necessary). You may want to change e-mail addresses/usernames in the logs, but that's it.

I am trying to triage your bug, not offer private consulting.

Mickey (michael.z) wrote :

First, I noticed some changes regarding the smtpd.conf file: it does not exist by default. I created it according to the guide, so some changes do exist.

Added to it:
pwcheck_method: saslauthd
mech_list: plain login

"I am trying to triage your bug, not offer private consulting."

I was not trying to imply that; private consulting even escaped my mind, as no one is getting compensated here for it. I do feel a bit hurt that someone would think that, when my intentions were not even coming to that or even close. I have been in various communities now for over 8+ years, to know no "expectations". I do not know how, nor need to know how, one would come to that conclusion. I just felt untrusting that the internet at large would see my website internals, knowing access to which directory, making it easier for them. Since there is nothing wrong (seems so) with that, going to then post it. However, be advised I do not know how much is too little and how much is too much, or what exactly is appropriate to help me / Ubuntu. So please don't scold me for making a human error regarding log verbosity. It was not my intent to hurt you either, or insinuate or add things out of the realm of my thoughts, thinking that you're obligated for something that you're not. Not questioning your thoughts either, but I do apologize if I was not clear. As a pay back, or to be part of Linux and not just sit there and keep my mouth closed and freeload, I decided to bug report it (a few other reports on Launchpad) rather than thinking "someone else will". Assumed it might actually be a problem inside Ubuntu and by all means a critical blocker, stopper, whatever you call it. My point is, I was not looking for someone to offer consultation in their free time. This is my first time running a Linux web server ever. Thanks.

I do not yet know what postfix -n does, still learning. To be on the safe side, tried postfix -n as non-sudo. After thinking, going to not run that command as sudo privileged without knowing the implications of it yet. If you feel it is too much info (full file), just feel free to skip it or jump to part of the file. Again, I do not know which parts of that file one needs when trying to debug postfix. Debugging on a programmer's level is currently not even within my scope of understanding; will read the link later, just a quick check. The error log is the last one in the file, stripped of connections to the mail server.

Here is the postfix configuration from main.cf in /etc/postfix :

=================== main.cf ============================

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
smtpd_tls_key_file = /etc/ssl/private/smtpd.key
smtpd_use_tls = yes
smtpd_tls_ses...

Scott Kitterman (kitterman) wrote :

Sorry, but I do do private consulting. For free, I'll work with you here on this bug. No insult was taken here and none was meant.

What is in your /etc/postfix/sasl/smtpd.conf?

Mickey (michael.z) wrote :

K, if I ever need consultations in the future, I have my eye on you. <friendly / chuckle / grin> :-) For now, we just need to know if we need to flag it as an Ubuntu bug. I am the first person reporting it, it seems; I did a search. The AMD64 bug was not relevant, as one Ubuntu user pointed out. It is possible for you not to have this bug.

Here are my thoughts:

That you have old configuration files that might have not been obsoleted in the upgrade process. They still work the way you left them.

contents of: /etc/postfix/sasl/smtpd.conf

pwcheck_method: saslauthd
mech_list: plain login

>> On install of postfix this file never existed:

/etc/postfix/sasl/smtpd.conf

So according to the guide placed the above into the above file.

https://help.ubuntu.com/6.10/ubuntu/serverguide/C/email-services.html

"Open the /etc/postfix/sasl/smtpd.conf file and add the following lines to end of the file:

pwcheck_method: saslauthd
mech_list: plain login
"

Scott Kitterman (kitterman) wrote :

I just went back and looked and in your master.cf, your Postfix is still chrooted (this is the Ubuntu/Debian default because it's more secure). The guide doesn't tell you to change this, but you need to. So this is a bug in the documentation. See http://www.postfix.org/DEBUG_README.html#no_chroot for information on how to turn off chroot.

Scott Kitterman (kitterman) wrote :

Since Debian and Ubuntu default to a chrooted Postfix, Postfix has to be taken out of the chroot for SMTP Auth to work (there is a way to do it with sasldb, see Bug#55320 for details, but only for that specific case). See http://www.postfix.org/SASL_README.html#server_cyrus where it says, "To run software chrooted with SASL support is an interesting exercise. It probably is not worth the trouble."

The Ubuntu documentation makes no mention of the need to unchroot Postfix (which is what I think the reporter's problem is):

https://help.ubuntu.com/6.10/ubuntu/serverguide/C/email-services.html

Note that this is true for all versions of Ubuntu.

http://www.postfix.org/DEBUG_README.html#no_chroot gives a description of how to turn off chroot and could serve as a basis for a fix to this documentation problem.

Changed in postfix:
importance: Undecided → Medium
status: Unconfirmed → Confirmed
description: updated
Mickey (michael.z) wrote :

A few more comments. First of all, thanks for all the links, actually reading them now. So my understanding is chroot is safer, as it is in a "jail" environment where it is self-contained. Wish that keeping chroot on and keeping postfix working would work. But in reality it seems that some type of problem does exist and it is more hassle than it is worth. BTW: That link: http://www.postfix.org/DEBUG_README.html#no_chroot "part of it" is actually pretty straightforward to follow.

* Summary so far in general:

+ The ubuntu's postfix documentation seems to be bugged (or not bugged) but rather incomplete. In that area since it is missing some crucial information.

Requests:

+ If anyone else (mostly end users) is having this issue, feel free to add to the bug any measures you have taken. This information might actually help the maintainers of the guides / contributed guides to take any of the information when revisions are made in the future.

Mickey (michael.z) wrote :

I have fixed the bug due to your help and Google's help. BTW UBUNTU ROCKS! This is what the documentation guides need to add:

The steps I did are below, sequenced here; at some point in the guide they will need to be added. The guide is very well written but does not take into account some things.

(This is actually done in two steps)

Step 1:

/etc/postfix/master.cf:
    # ==========================================================================
    # service type  private unpriv  chroot  wakeup  maxproc command
    #               (yes)   (yes)   (yes)   (never) (100)
    # ==========================================================================
    smtp      inet  n       -       n       -       -       smtpd

Step 2:

adduser postfix sasl

=======================================
References of acknowledgments or rather sources:

1. http://www.postfix.org/DEBUG_README.html#no_chroot

2. http://groups.google.com/group/linux.debian.user/browse_thread/thread/13301dce33da1437/c125d6a003c0bec7%23c125d6a003c0bec7

< RESOLVED LOCALLY>
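
The condition discussed in this thread, as an added check that is not part of the original bug report or of Postfix itself: it reads master.cf, finds the smtpd services that run chrooted, and tests whether a saslauthd socket exists at the path such a process would actually open. Assumptions: the Debian/Ubuntu default paths `/var/run/saslauthd/mux` and `/var/spool/postfix`, "-" in the chroot column meaning yes as in the header quoted above, and a constructed sample master.cf.

```python
import os
import stat

def smtpd_services(master_cf_text, default_chroot="y"):
    """Return (service, type, chrooted) for each smtpd entry in master.cf text.
    default_chroot is what "-" means in the chroot column (assumed "y" here)."""
    found = []
    for line in master_cf_text.splitlines():
        text = line.strip()
        if not text or text.startswith("#"):
            continue                      # blank line or comment
        if line[0] in " \t":
            continue                      # continuation line (-o options)
        fields = line.split()
        if len(fields) >= 8 and fields[7] == "smtpd":
            chroot = default_chroot if fields[4] == "-" else fields[4]
            found.append((fields[0], fields[1], chroot == "y"))
    return found

def saslauthd_socket_seen_by(chrooted, socket_path="/var/run/saslauthd/mux",
                             queue_dir="/var/spool/postfix"):
    """Return (path smtpd ends up opening, True if a socket exists there).
    A chrooted smtpd resolves socket_path relative to queue_dir."""
    path = os.path.join(queue_dir, socket_path.lstrip("/")) if chrooted else socket_path
    try:
        return path, stat.S_ISSOCK(os.stat(path).st_mode)
    except OSError:
        return path, False

def audit(master_cf_text, **paths):
    """Pair every smtpd service with the socket path it would use."""
    return [(f"{name}/{kind}", chrooted, *saslauthd_socket_seen_by(chrooted, **paths))
            for name, kind, chrooted in smtpd_services(master_cf_text)]

# Constructed sample, not the reporter's file.
SAMPLE = """\
# service type  private unpriv  chroot  wakeup  maxproc command
smtp      inet  n       -       -       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
pickup    fifo  n       -       -       60      1       pickup
"""

if __name__ == "__main__":
    for svc, chrooted, path, ok in audit(SAMPLE):
        state = "socket present" if ok else "NO SOCKET: expect the SASL warning"
        print(f"{svc:16} chroot={'y' if chrooted else 'n'}  {path}  {state}")
```

On a real host, pass the contents of /etc/postfix/master.cf to `audit()`; the check covers only the socket path, not the group membership from Step 2.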

Mickey (michael.z) wrote :
Bhuvan Arumugam (bhuvan) wrote :

Thanks for the bug report. Committed a fix for this in r4093 in trunk. I'm unsure if we can backport it to dapper and edgy, but I'll check with Matthew to see if we can port this for feisty.

Bhuvan Arumugam (bhuvan) wrote :

changing status.

Changed in ubuntu-docs:
status: Confirmed → Fix Committed
Scott Kitterman (kitterman) wrote :

Great. For Edgy I think it's not so important because people are unlikely to be setting up Edgy servers after Feisty is released. I think getting this fix into the Dapper documentation is important because people will be setting up Dapper servers until the next LTS release comes out.

Thanks for the quick turnaround.

Mickey (michael.z) wrote :

You're very much welcome, glad this will be worked on.

I do have another problem, not sure if it is a bug or not: "TLS" works with postfix in Thunderbird. Yet "SSL" does not work with Thunderbird, even after opening ports. However, it does not belong in this report; going to search for postfix ssl. Wonder if it is by design to work only with the "TLS" and not the "SSL" checkbox. Also tested it on Windows mail client and can't get it to work with SSL. Does not seem Windows mail even supports TLS.

Scott Kitterman (kitterman) wrote :

What you are seeing is expected behavior. Thunderbird (like most modern mail clients) supports the newer TLS protocol while most Microsoft mail clients support the older SSL wrapped port (SMTPS) approach on port 465. Setup for this is described here:

http://www.postfix.org/TLS_LEGACY_README.html#server_enable

You will see that there is an SMTPS line in your master.cf that is by default commented out. This is by design. If you are going to be doing much with Postfix, there are a lot of options, so you might want to get a book about it. Personally, I recommend "The Book of Postfix".

Mickey (michael.z) wrote :

Scott K,

Thanks so much for the information, and for tolerating me long enough too. I appreciate it, am content it is not my misconfiguration. Also that it is not a new bug within Ubuntu. Was thinking that SSL might be broken during compile time by devs.

-- Funny, how a proprietary operating system is so behind the times. With so many resources at its disposal.

-- About the book, if I manage to get into a big book store it needs like for reading lots too. Rather look at pictures with diagrams than text, text text!! that jumps from one thing to next even within subpages heh. If things were all in sequence that is what think is wrong with the world. Everything is just bits and pieces acts like data from multiple streams.

Duncan Lithgow (duncan-lithgow) wrote :

Is there any reason why this bug isn't marked 'Fix Released'?
Bhuvaneswaran, did you hear back from Matthew about getting this into the Feisty Docs? Or if someone can tell me what to look for in Feisty I can check myself.

Scott Kitterman (kitterman) wrote :

The docs took a different approach than we discussed in the bug. It appears that the docs now account for running SMTP Auth in a chroot (it didn't before). I didn't test what's in the docs, but it looks sane.

Changed in ubuntu-docs:
status: Fix Committed → Fix Released
Mickey (michael.z) wrote :

Going to glance over the document tonight and comment if find anything to add.
