wader / postfix-relay

Postfix SMTP relay docker image
https://hub.docker.com/r/mwader/postfix-relay/
MIT License

smtp relay with auth when client connect #79

Closed wolf-skin closed 1 year ago

wolf-skin commented 1 year ago

This is a very flexible docker, in which I can configure Postfix through environment variables.

However, I had an issue when using it. I want it to be an SMTP relay that lets a device send me email, because my device is very old and only allows SSL (no TLS) or plain-text connections, so it cannot connect to the SMTP servers of Outlook or Gmail. I decided to use this docker to receive the email from my device and act as an SMTP relay that uses Outlook's SMTP to send the email to me. I cannot use the NO AUTH option to relay my email, because the old device must send a login even when the user and password are empty.

After finishing the setup, I tested it directly with telnet. After entering EHLO {hostname}, I used AUTH LOGIN and entered "Y2FtCg==" "Y2FtCg==" (user/password cam/cam, encoded with base64), but the result is "535 5.7.8 Error: authentication failed: authentication failure", and the log shows "SASL login authentication failed". I tried testsaslauthd from the docker console, but still got an authentication failure message. I have not set up the relay part yet; I am only testing that the device can connect to this docker and submit email to it. Following are the docker-compose.yml and passwd_file.

docker-compose.yml

version: "2"
services:
  # use hostname "smtp" as SMTP server
  smtp:
    container_name: "postfix-relay"
    image: mwader/postfix-relay:latest
    restart: always
    ports:
    - "10025:25"
    volumes:
    - /srv/docker_data/smtp-relay/passwd_file:/etc/postfix/sasl/sasl_passwds
    - /srv/docker_data/smtp-relay/mwader/postfix-relay/log:/var/log/
    environment:
    - TZ=Asia/Hong_Kong
    - SASL_Passwds=/etc/postfix/sasl/sasl_passwds
    - POSTFIX_cyrus_sasl_config_path=/etc/postfix/sasl
    - POSTFIX_myhostname=naspi.local
    # "$$" passes a literal $myhostname through to Postfix; a single "$" is interpolated by Compose
    - POSTFIX_smtpd_sasl_local_domain=$$myhostname
    - POSTFIX_smtpd_sasl_auth_enable=yes
    - POSTFIX_broken_sasl_auth_clients=yes
    - POSTFIX_smtpd_sasl_security_options=noanonymous
    - POSTFIX_smtpd_recipient_restrictions="permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination"
    #- OPENDKIM_DOMAINS=naspi.local
    #- POSTFIX_smtpd_tls_security_level=may
    #- POSTFIX_relayhost=[smtp-mail.outlook.com]:587
    #- POSTFIX_smtpd_use_tls=yes
    #- POSTFIX_smtpd_recipient_restrictions="permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination"
    - RSYSLOG_LOG_TO_FILE=yes
    - RSYSLOG_TIMESTAMP=yes

passwd_file

cam:$6$.CbOgrN4xn.RB$sOZo8mHHuFi79OvHYVJlDN51YFmcBeVi1BhlC3fUiuBItHVOXkUcfH.ZZEZ0m37nkPtYPI8y3TGW7SISKj9/u0

Would you help me? Thanks!

wader commented 1 year ago

Hi, thanks. I'm no SMTP auth expert by any means. I think I would start by dumping traffic (tcpdump/wireshark etc.) just to make sure it looks sane, e.g. are things double base64 encoded or something else weird going on? Also maybe see if it's possible to enable more verbose or debug logging for SASL.
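The encoding sanity check suggested here, as an added example that is not part of the original thread or the postfix-relay project: it decodes the two AUTH LOGIN responses quoted in the first post and reports common encoding mistakes. The function names are hypothetical, and the double-encoding test is a heuristic.

```python
import base64
import binascii

# The two AUTH LOGIN responses quoted in the issue (username, then password).
TOKENS_FROM_ISSUE = ["Y2FtCg==", "Y2FtCg=="]


def inspect_token(token: str) -> dict:
    """Decode one base64 AUTH LOGIN response and list encoding problems."""
    raw = base64.b64decode(token, validate=True)
    core = raw.strip()
    problems = []
    if core != raw:
        problems.append("whitespace or newline encoded into the credential")
    # Heuristic: a decoded value that is itself padded base64 of printable
    # ASCII suggests the client (or the tester) encoded the value twice.
    if len(core) >= 4 and len(core) % 4 == 0:
        try:
            inner = base64.b64decode(core, validate=True)
            if inner and inner.isascii() and inner.decode("ascii").isprintable():
                problems.append("decoded value is itself base64 (double encoded?)")
        except binascii.Error:
            pass
    # "clean" is the token for the same credential without stray whitespace.
    return {"decoded": raw, "problems": problems,
            "clean": base64.b64encode(core).decode("ascii")}


def plain_token(user: str, password: str) -> str:
    """AUTH PLAIN sends base64 of NUL + user + NUL + password in one response."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode("ascii")


if __name__ == "__main__":
    for tok in TOKENS_FROM_ISSUE:
        print(tok, inspect_token(tok))
    print("AUTH PLAIN for cam/cam:", plain_token("cam", "cam"))
```

For the strings in the issue this reports the decoded credential as `cam\n`: a newline was encoded along with the value, as `echo cam | base64` does, whereas `printf 'cam' | base64` gives `Y2Ft`.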

wolf-skin commented 1 year ago

Not double base64, because the user and password are the same ("cam"), and the user and password need to be base64-encoded in the AUTH command even when set as plain. So I entered it twice in SMTP. Moreover, the Postfix documentation says that if pwcheck_method is saslauthd, mech_list should be PLAIN LOGIN only.

Do you know how to enable the debug log, especially for authentication? Thanks

wader commented 1 year ago

> Not double base64, because the user and password are the same ("cam"), and the user and password need to be base64-encoded in the AUTH command even when set as plain. So I entered it twice in SMTP. Moreover, the Postfix documentation says that if pwcheck_method is saslauthd, mech_list should be PLAIN LOGIN only.

Aha ok. Sorry, I was unclear, I mean more as if the SMTP client already did base64 of username/password. But a tip is, just for sanity, dump traffic and see if things are ok before digging into other things.

> Do you know how to enable the debug log, especially for authentication? Thanks

No, haven't done that myself.

wolf-skin commented 1 year ago

Finally I solved the client connecting to this docker. However, the relay part has an issue. The log is shown below:

2023-05-19T14:41:01.219815+08:00 93e9e1d5dffa postfix/smtpd[153]: disconnect from unknown[192.168.254.161] helo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
2023-05-19T14:41:01.220294+08:00 93e9e1d5dffa postfix/smtpd[153]: master_notify: status 1
2023-05-19T14:41:01.220318+08:00 93e9e1d5dffa postfix/smtpd[153]: connection closed
2023-05-19T14:41:01.274035+08:00 93e9e1d5dffa postfix/smtp[159]: connect to smtp-mail.outlook.com[2603:1046:c01:2481::6]:587: Cannot assign requested address
2023-05-19T14:41:06.048413+08:00 93e9e1d5dffa postfix/smtpd[156]: proxymap stream disconnect
2023-05-19T14:41:06.048510+08:00 93e9e1d5dffa postfix/smtpd[156]: auto_clnt_close: disconnect private/tlsmgr stream
2023-05-19T14:41:06.790759+08:00 93e9e1d5dffa postfix/smtp[159]: 2861D156803A9: to=<abc.abc@gmail.com>, relay=smtp-mail.outlook.com[40.99.10.22]:587, delay=5.6, delays=0.08/0.03/0.48/5, dsn=5.7.57, status=bounced (host smtp-mail.outlook.com[40.99.10.22] said: 530 5.7.57 Client not authenticated to send mail. [SI2PR01CA0016.apcprd01.prod.exchangelabs.com 2023-05-19T06:41:06.744Z 08DB57BE14497622] (in reply to MAIL FROM command))
2023-05-19T14:41:06.790907+08:00 93e9e1d5dffa postfix/smtp[159]: 2861D156803A9: lost connection with smtp-mail.outlook.com[40.99.10.22] while sending RCPT TO
2023-05-19T14:41:06.794012+08:00 93e9e1d5dffa postfix/cleanup[158]: C1828156803AD: message-id=<20230519064106.C1828156803AD@naspi.local>
2023-05-19T14:41:06.796809+08:00 93e9e1d5dffa postfix/bounce[160]: 2861D156803A9: sender non-delivery notification: C1828156803AD
2023-05-19T14:41:06.797374+08:00 93e9e1d5dffa postfix/qmgr[152]: C1828156803AD: from=<>, size=2855, nrcpt=1 (queue active)
2023-05-19T14:41:06.800254+08:00 93e9e1d5dffa postfix/qmgr[152]: 2861D156803A9: removed
2023-05-19T14:41:06.823517+08:00 93e9e1d5dffa postfix/smtp[159]: connect to smtp-mail.outlook.com[2603:1046:c01:2481::6]:587: Cannot assign requested address
2023-05-19T14:41:12.293921+08:00 93e9e1d5dffa postfix/smtp[159]: C1828156803AD: to=<cam.alarm.chris@outlook.com>, relay=smtp-mail.outlook.com[40.99.10.6]:587, delay=5.5, delays=0/0/0.44/5.1, dsn=5.7.57, status=bounced (host smtp-mail.outlook.com[40.99.10.6] said: 530 5.7.57 Client not authenticated to send mail. [SI2P153CA0025.APCP153.PROD.OUTLOOK.COM 2023-05-19T06:41:12.258Z 08DB57DDC73446F9] (in reply to MAIL FROM command))
2023-05-19T14:41:12.294409+08:00 93e9e1d5dffa postfix/smtp[159]: C1828156803AD: lost connection with smtp-mail.outlook.com[40.99.10.6] while sending RCPT TO
2023-05-19T14:41:12.296214+08:00 93e9e1d5dffa postfix/qmgr[152]: C1828156803AD: removed

The issue is "Client not authenticated to send mail". Do you have any idea which part I got wrong? I already entered the From as "xxx@outlook.com", which is the same as my login account.

 to=<abc.abc@gmail.com>, relay=smtp-mail.outlook.com[40.99.10.22]:587, delay=5.6, delays=0.08/0.03/0.48/5, dsn=5.7.57, status=bounced (host smtp-mail.outlook.com[40.99.10.22] said: 530 5.7.57 Client not authenticated to send mail. [SI2PR01CA0016.apcprd01.prod.exchangelabs.com 2023-05-19T06:41:06.744Z 08DB57BE14497622] (in reply to MAIL FROM command))

Thanks!
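A reading of the log above, as an added example that is not part of the original thread or the postfix-relay project: it separates the inbound `smtpd` session summary from the outbound `smtp` delivery result, using three lines copied from the posted log. The function and field names are hypothetical.

```python
import re

# Three lines copied from the log posted in the comment above.
SAMPLE_LOG = """\
2023-05-19T14:41:01.219815+08:00 93e9e1d5dffa postfix/smtpd[153]: disconnect from unknown[192.168.254.161] helo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
2023-05-19T14:41:01.274035+08:00 93e9e1d5dffa postfix/smtp[159]: connect to smtp-mail.outlook.com[2603:1046:c01:2481::6]:587: Cannot assign requested address
2023-05-19T14:41:06.790759+08:00 93e9e1d5dffa postfix/smtp[159]: 2861D156803A9: to=<abc.abc@gmail.com>, relay=smtp-mail.outlook.com[40.99.10.22]:587, delay=5.6, delays=0.08/0.03/0.48/5, dsn=5.7.57, status=bounced (host smtp-mail.outlook.com[40.99.10.22] said: 530 5.7.57 Client not authenticated to send mail. [SI2PR01CA0016.apcprd01.prod.exchangelabs.com 2023-05-19T06:41:06.744Z 08DB57BE14497622] (in reply to MAIL FROM command))
"""

SESSION = re.compile(r"postfix/smtpd\[\d+\]: disconnect from (\S+) (.*)")
DELIVERY = re.compile(
    r"postfix/smtp\[\d+\]: (\w+): to=<([^>]*)>, relay=([^,]+),"
    r".*?dsn=([\d.]+), status=(\w+) \((.*)\)$")


def parse_counter(value):
    """'1' -> (1, 1); Postfix writes 'ok/total' (e.g. '0/1') when attempts failed."""
    ok, _, total = value.partition("/")
    return int(ok), int(total or ok)


def analyse(log):
    """Return (inbound sessions, outbound deliveries) found in the log text."""
    inbound, outbound = [], []
    for line in log.splitlines():
        m = SESSION.search(line)
        if m:
            counters = dict(kv.split("=", 1) for kv in m.group(2).split())
            ok, tried = parse_counter(counters.get("auth", "0"))
            inbound.append({"client": m.group(1), "auth_ok": ok, "auth_tried": tried})
            continue
        m = DELIVERY.search(line)
        if m:
            qid, rcpt, relay, dsn, status, reason = m.groups()
            outbound.append({
                "queue_id": qid, "to": rcpt, "relay": relay, "dsn": dsn,
                "status": status,
                # The upstream refused MAIL FROM because no AUTH preceded it.
                "upstream_auth_missing": dsn == "5.7.57" and "MAIL FROM" in reason})
    return inbound, outbound


if __name__ == "__main__":
    for group in analyse(SAMPLE_LOG):
        print(group)
```

The inbound session shows `auth=1`, so the device authenticated to the relay, while the outbound delivery was refused at MAIL FROM. Postfix configures authentication toward the relayhost with its `smtp_sasl_*` client parameters, which are separate from the `smtpd_sasl_*` server parameters set in the compose file.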

wader commented 1 year ago

Hi, so this is postfix-relay trying to send an email to gmail thru an outlook relay?

Sorry, no idea really :( You might be better off asking on stackoverflow or some dedicated postfix forum etc.

Has the same config/setup worked fine with some other postfix installation etc.? Thinking about whether this is postfix-relay image specific or not.

wolf-skin commented 1 year ago

Finally, I used a very stupid method: I use your docker to receive the email coming from the old device and relay it to the "juanluisbaptiste/postfix" docker, which then relays it again to Outlook. This is because the second SMTP relay can send out mail, but it has no AUTH feature for receiving email.

wader commented 1 year ago

Glad you found a solution, sorry I couldn't be of more help. Close issue?