Postfix authentication failure, cannot send mail

While trying to set up a Postfix email server, I got the following error when I used the command "auth login" in a telnet session to the Postfix service.


535 5.7.8 Error: authentication failed: generic failure

warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory

I set up the service by following the link below.
How to install and configure Postfix on Ubuntu 16.04

I created two users on the computer, "postmaster" and "yida". "postmaster" could not receive mail using s-nail mail but could send to "yida", while "yida" could only send and receive mail with local users such as "postmaster".

The mail log shows the following problem:

postfix/smtp[3386]: connect to gmail-smtp-in.l.google.com[2607:f8b0:4001:c11::1a]:25: Network is unreachable


This happens when I try to send mail to my own Gmail account.

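Interestingly, when I gave up on authentication and went on to enter the "mail from" command in the test telnet session, the server returned an "OK" response. It seems Postfix does not require authentication.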

Please see the relevant files below.

/etc/postfix/master.cf

# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp      inet  n       -       y       -       -       smtpd
#smtp      inet  n       -       y       -       1       postscreen
#smtpd     pass  -       -       y       -       -       smtpd
#dnsblog   unix  -       -       y       -       0       dnsblog
#tlsproxy  unix  -       -       y       -       0       tlsproxy
#submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       y       -       -       qmqpd
pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       y       1000?   1       tlsmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
trace     unix  -       -       y       -       0       bounce
verify    unix  -       -       y       -       1       verify
flush     unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       y       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
retry     unix  -       -       y       -       -       error
discard   unix  -       -       y       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
anvil     unix  -       -       y       -       1       anvil
scache    unix  -       -       y       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -   n   n   -   2   pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

/etc/main.cf

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = server.sample.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = $myhostname, sample.com, server.sample.com, localhost.sample.com, localhost
relayhost = 
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
home_mailbox = Maildir/
virtual_alias_maps = hash:/etc/postfix/virtual

# SASL SUPPORT FOR CLIENTS
#
# The following options set parameters needed by Postfix to enable
# Cyrus-SASL support for authentication of mail clients.
smtpd_sasl_path = smtpd
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions =
   permit_sasl_authenticated,
   permit_mynetworks,
   check_relay_domains

compatibility_level = 2

/etc/postfix/sasl/smtpd.conf

pwcheck_method: saslauthd
mech_list: plain login

/etc/s-nail.rc

#@ s-nail.rc
#@ Configuration file for S-nail(1) v14.8.6
# S-nail(1): v14.8.6 / 2015-12-28

## The standard POSIX 2008/Cor 1-2013 mandates the following initial settings:
# (Keep in sync: ./main.c:_startup(), ./nail.rc, ./nail.1:"Initial settings"!)
# [a]   noallnet, noappend, asksub, noaskbcc, noaskcc, noautoprint,
# [b-e] nobang, nocmd, nocrt, nodebug, nodot, escape="~",
# [f-i] noflipr, nofolder, header, nohold, noignore, noignoreeof,
# [j-o] nokeep, nokeepsave, nometoo, nooutfolder,
# [p-r] nopage, Prompt="? ", noquiet, norecord,
# [s]   save, nosendwait, noshowto, nosign, noSign,
# [t-z] toplines="5"
# Notes:
# - no*onehop* doesn't exist in this implementation.
#   (To pass options through to an MTA, either add them after a "--" separator
#   on the command line or by setting the *sendmail-arguments* variable.)
# - *Prompt* is "\\& " by default, which will act POSIX-compliant
#   unless the user would set *bsdcompat*

## The remaining content adjusts the standard-imposed default settings.
# Note that some of the following flags are specific to S-nail(1) and may thus
# not work with other Mail(1) / mailx(1) programs.
# Entries are marked [OPTION] if their availability is compile-time dependent

## Variables

# If threaded mode is activated, automatically collapse thread
set autocollapse

# Enter threaded mode automatically
#set autosort=thread

# Append rather than prepend when writing to mbox automatically.
# This has no effect unless *hold* is unset (it is set below)
set append

# Ask for a message subject.
set ask

# *bsdannounce* prints a header summary on folder change and thus complements
# *header* on a per-folder basis (it is meaningless unless *header* is set)
set bsdannounce

# Uncomment this in order to get coloured output in $PAGER.
# (Coloured output is only used if $TERM is either found in *colour-terms*
# or includes the string "color")
#set colour-pager

# Assume a CRT-like terminal and invoke a $PAGER
set crt

# Define date display in header summary
#set datefield="%R %m-%d" datefield-markout-older="   %g-%m-%d"

# When composing messages a line consisting of `.' finalizes a message
set dot

# Immediately start $EDITOR (or $VISUAL) when composing a message
#set editalong

# Startup into interactive mode even if the (given) mailbox is empty
#set emptystart

# When replying to or forwarding a message the comment and name parts of email
# addresses are removed unless this variable is set.
#set fullnames

# [OPTION] Add more entries to the history as is done by default
set history-gabby

# Do not forward to mbox by default since this is likely to be
# irritating for most users today; also see *keepsave*
set hold

# Quote the original message in replies by "> " as usual on the Internet
set indentprefix="> "

# Mark messages that have been answered
set markanswered

# Try to circumvent false or missing MIME Content-Type descriptions
# (Can be set to values for extended behaviour, please see the manual.)
set mime-counter-evidence

# Control loading of mime.types(5) file: the value may be a combination of the
# letters "s" and "u": if "u" is seen ~/.mime.types will be loaded if possible;
# "s" adds /etc/mime.types, if available; setting this without any value uses
# only a set of builtin mimetypes; the default behaviour equals "us".
# An extended syntax that allows loading of other, specified files is available
# if the value contains an equal sign "=", see the manual for more
#set mimetypes-load-control

# Do not remove empty mail folders.
# This may be relevant for privacy since other users could otherwise create
# them with different permissions
set keep

# Do not move `save'd or `write'n message to mbox by default since this is
# likely to be irritating for most users today; also see *hold*
set keepsave

# When writing mailbox files we strip Content-Length: and Lines: header fields
# from edited / changed messages, because S-nail doesn't deal with these
# (non-standard) fields -- and since other MUAs may rely on their content, if
# present, it seems more useful to strip them than to keep them, now that they
# became invalid; set this to include them nonetheless
#set keep-content-length

# A Nice Prompt for ISO 6429/ECMA-48 terminals
#set Prompt="\033[31m?\?[\$ \@]\& \033[0m"

# Automatically quote the text of the message that is responded to
set quote

# On group replies, specify only the sender of the original mail in  To: and
# mention it's other recipients in the secondary Cc: instead of placing them
# all together in To:
set recipients-in-cc

# When responding to a message, try to answer in the same character set
#set reply-in-same-charset

# [OPTION] Outgoing messages are sent in UTF-8 if possible, otherwise LATIN1.
# Note: it is highly advisable to read the section "Character sets" of the
# manual in order to understand all the possibilities that exist to fine-tune
# charset usage (variables also of interest: *ttycharset*, *charset-8bit*,
# *sendcharsets-else-ttycharset*; and of course we inherit the $LC_CTYPE /
# $LC_ALL / $LANG environment variables and react upon them)
set sendcharsets=utf-8,iso-8859-1

# When sending a message wait until the MTA (including the builtin SMTP one)
# exits before accepting further commands.  Only with this variable set errors
# reported by the MTA will be recognizable!
#set sendwait

# Display real sender names in header summaries instead of only addresses
set showname

# Show recipients of messages sent by the user himself in header summaries
set showto

## Commands

# Only include these selected header fields when forwarding messages
fwdretain subject date from to

# Only include the selected header fields when printing messages
retain date from to cc subject message-id mail-followup-to reply-to

## Some pipe-TYPE/SUBTYPE entries

# HTML as text, inline display via lynx(1)
#if $features !@ HTML-FILTER
#   set pipe-text/html="lynx -stdin -dump -force_html"
#endif

# PDF display, asynchronous display via xpdf(1)
#set pipe-application/pdf="@&set -C;\
#   : > \"${TMPDIR}/${NAIL_FILENAME_GENERATED}\";\
#   trap \"rm -f \\\"${TMPDIR}/${NAIL_FILENAME_GENERATED}\\\"\" \
#      EXIT INT QUIT PIPE TERM;\
#   set +C;\
#   cat > \"${TMPDIR}/${NAIL_FILENAME_GENERATED}\";\
#   xpdf \"${TMPDIR}/${NAIL_FILENAME_GENERATED}\""

# s-it-mode

#Added according to docs found in internet.
set emptystart
set folder=Maildir
set record=+sent

/etc/default/saslauthd

#
# Settings for saslauthd daemon
# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
#

# Should saslauthd run automatically on startup? (default: no)
START=yes

# Description of this saslauthd instance. Recommended.
# (suggestion: SASL Authentication Daemon)
DESC="SASL Authentication Daemon"

# Short name of this saslauthd instance. Strongly recommended.
# (suggestion: saslauthd)
NAME="saslauthd"

# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent  -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam       -- use PAM
# rimap     -- use a remote IMAP server
# shadow    -- use the local shadow password file
# sasldb    -- use the local sasldb database file
# ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="shadow"

# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""

# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5

# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!
#
# WARNING: DO NOT SPECIFY THE -d OPTION.
# The -d option will cause saslauthd to run in the foreground instead of as
# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
# to run saslauthd in debug mode, please run it by hand to be safe.
#
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
# See the saslauthd man page and the output of 'saslauthd -h' for general
# information about these options.
#
# Example for chroot Postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
# Example for non-chroot Postfix users: "-c -m /var/run/saslauthd"
#
# To know if your Postfix is running chroot, check /etc/postfix/master.cf.
# If it has the line "smtp inet n - y - - smtpd" or "smtp inet n - - - - smtpd"
# then your Postfix is running in a chroot.
# If it has the line "smtp inet n - n - - smtpd" then your Postfix is NOT
# running in a chroot.
OPTIONS="-c -m /var/run/saslauthd"

I would like to achieve the following two things: 1. Make "auth login" work correctly. 2. Allow both users to send mail to external addresses, such as Gmail accounts. Thanks in advance for your help.

1
Yida Zhang
postfix/smtp[3386]: connect to gmail-smtp-in.l.google.com[2607:f8b0:4001:c11::1a]:25: Network is unreachable

This is a hint that IPv6 is being attempted but is not available. Your computer seems to believe it has IPv6 connectivity, but in reality it does not. Perhaps try disabling IPv6 entirely:

Add the following lines to /etc/sysctl.conf:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

Then reboot. This disables IPv6 and forces the use of IPv4. After that, try sending the email again.

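Furthermore, postfix accepts mail without authentication, but it will reject the recipient if the destination is not one of the configured domains, since the configuration does not allow relaying email. This is important! An open relay turns into a spam source instantly...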

This is configured by the line

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination

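As for the authentication failure, it is probably because the login method auth login is not a valid sasl authentication mechanism for your configuration. You are probably looking for auth plain. Try logging in from an email client such as Thunderbird, which supports most authentication protocols.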

1
vidarlo
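
Added example (not part of the original question or answer): the comment block in the quoted /etc/default/saslauthd gives a rule for where the saslauthd socket directory must be, depending on whether smtpd is chrooted in master.cf, and this sketch applies that rule to the two quoted files. The inline excerpts are constructed from the question; the queue directory /var/spool/postfix and both expected paths are taken from that comment's examples, and the function names are hypothetical.

```python
import shlex

QUEUE_DIR = "/var/spool/postfix"      # assumption: from the README comment's chroot example
SOCKET_DIR = "/var/run/saslauthd"     # non-chroot path from the same comment

# Constructed excerpts of the files quoted in the question.
MASTER_CF = """\
smtp      inet  n       -       y       -       -       smtpd
#submission inet n       -       y       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
pickup    unix  n       -       y       60      1       pickup
"""
SASLAUTHD_DEFAULT = """\
START=yes
MECHANISMS="shadow"
OPTIONS="-c -m /var/run/saslauthd"
"""

def smtpd_chrooted(master_cf):
    """True if an active inet smtpd service has 'y' in the chroot column."""
    for line in master_cf.splitlines():
        if not line or line[0] in "# \t":
            continue  # comments and "-o" continuation lines
        f = line.split()
        # Columns: service type private unpriv chroot wakeup maxproc command.
        # Only an explicit "y" counts; the quoted file header lists "(no)"
        # as the default for "-".
        if len(f) >= 8 and f[1] == "inet" and f[7] == "smtpd" and f[4] == "y":
            return True
    return False

def saslauthd_socket_dir(default_file):
    """Return the directory passed to saslauthd with -m, or None."""
    for line in default_file.splitlines():
        if line.startswith("OPTIONS="):
            args = shlex.split(line)[0].split("=", 1)[1].split()
            if "-m" in args and args.index("-m") + 1 < len(args):
                return args[args.index("-m") + 1]
    return None

def check(master_cf, default_file):
    """Compare the configured socket directory with the one smtpd can reach."""
    chrooted = smtpd_chrooted(master_cf)
    expected = QUEUE_DIR + SOCKET_DIR if chrooted else SOCKET_DIR
    actual = saslauthd_socket_dir(default_file)
    return {"chrooted": chrooted, "expected": expected,
            "actual": actual, "ok": actual == expected}

if __name__ == "__main__":
    print(check(MASTER_CF, SASLAUTHD_DEFAULT))
```

With the quoted files, the check reports a chrooted smtpd and a socket directory outside the chroot, which fits the logged "cannot connect to saslauthd server: No such file or directory".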