chlw

Hi

I installed Version 14.0 LAMP Stack on a MS Hyper-V-Cluster.

Then transferred an existing phpBB board and updated it to the latest version (3.1.6). Everything works fine except for the connection to my SMTP server (which is supposed to send the e-mails from the board). Tried different ones with different settings (ports, auth method, etc.), but got none working...

The failure logs in my board (below) show that the connection to the server is established, but when it comes to some TLS stuff something goes wrong with the connection and it breaks...


I suspect that it could have something to do with the "hardened default SSL/TLS setting" which is described as "technically TLS settings as all versions of SSL are now disabled." (from here: https://www.turnkeylinux.org/blog/turnkey-14-0-release).

I tried to set the "Compatible Cipher List recommended for older clients" in this file: /etc/apache2/mods-available/ssl.conf (and rebooted the machine), but this didn't work either (from here: https://github.com/turnkeylinux/common/blob/master/conf/turnkey.d/zz-ssl...).

As I have the same board running as a test site on a TurnKey Linux version 13.1 (on the MS Hyper-V cluster as well) without any problems, I think it might have to do with the new tight security features in version 14.0.

Now I have no clue where to look further for information on how to resolve the problem; the results of all the searches I did weren't of much help...

Can somebody guide me in a new direction? How can I disable (at least temporarily) the security features? Or some of them? Is this TLS-related at all...?

Do you need any further information on my system?


Thanks a lot for any help on that!


Chris

phpBB failure logs from two different SMTP servers:

Backtrace
Connecting to mail.somedomain.ch:25
LINE: 1020 <- 220-websrv1.hostservers.ch ESMTP Exim 4.77 #2 Tue, 13 Oct 2015 23:44:29 +0200
LINE: 1020 <- 220-We do not authorize the use of this system to transport unsolicited,
LINE: 1020 <- 220 and/or bulk e-mail.
# EHLO lamp
LINE: 1369 <- 250-websrv1.hostservers.ch Hello 213-193-80-20.static.cablecom.ch [213.193.80.20]
LINE: 1369 <- 250-SIZE 52428800
LINE: 1369 <- 250-PIPELINING
LINE: 1369 <- 250-AUTH PLAIN LOGIN
LINE: 1369 <- 250-STARTTLS
LINE: 1369 <- 250 HELP
# STARTTLS
LINE: 1414 <- 220 TLS go ahead
# AUTH LOGIN
LINE: 1493 <- 554 Security failure


Backtrace
Connecting to mail.dachel.ch:587
LINE: 1020 <- 220 mail.dachel.ch Kerio Connect 8.3.3 ESMTP ready
# EHLO lamp
LINE: 1369 <- 250-mail.dachel.ch
LINE: 1369 <- 250-AUTH CRAM-MD5 PLAIN LOGIN DIGEST-MD5 NTLM
LINE: 1369 <- 250-STARTTLS
LINE: 1369 <- 250-ENHANCEDSTATUSCODES
LINE: 1369 <- 250-8BITMIME
LINE: 1369 <- 250-PIPELINING
LINE: 1369 <- 250-ETRN
LINE: 1369 <- 250-DSN
LINE: 1369 <- 250 HELP
# STARTTLS
LINE: 1414 <- 220 2.0.0 Ready to start TLS
# AUTH LOGIN

I also had a connection problem for a service when upgrading v13 => v14.

SSL/TLS is handled by stunnel now. Your service may need to be "directed through" stunnel. It will work on a fresh install, but may break when v13 configs are restored back to a v14 appliance.

See here: v14.0 is different

Jeremy Davis

Sorry about the delayed response. FWIW, by default TurnKey uses postfix to send email directly (not via a separate/secondary SMTP server). Although the TurnKey config has changed in v14.0, because it doesn't receive emails and essentially acts as its own SMTP server, it doesn't (and shouldn't) use TLS (some email servers will not accept encrypted email from an unknown source).

At a glance it looks to me like you are trying to send emails in the open (i.e. no TLS) and your SMTP server requires TLS authentication. I would look at the sendmail settings...

[edited to fix a mistake in my text; I originally mistakenly wrote "sendmail" rather than "postfix" in my second sentence].

chlw

I received the notification about your answers only just now and hadn't checked manually before... So I also have a huge delay in my answer...

First of all: Thanks for your quick replies and your help!

I solved the problem a few days after my post by googling and trying other things, and ended up digging deeper into the Postfix configuration. To be honest, I haven't even documented what I did. In the end (after a few days of trying and trying and trying...) I was just happy everything worked. As far as I remember, I configured the Postfix server in a way that it sends the mails over another ("well configured") SMTP server. It's probably not a very clever and clean solution, but it works...


And yes, TKL v14 IS indeed very different from previous versions, which were "a breeze" even for a complete Linux newbie like me. It seems that security (and I totally agree that this is a very, very important issue...) takes its toll...


With this: Thanks again!


Chris

Jeremy Davis

And I'm really glad to hear that you got it fixed in the end.

Your solution of using a separate SMTP server is completely valid and legitimate. And we probably should have it documented.

The v14.0 appliances should still send emails OOTB. Although some ISPs block direct email sending, and also sometimes your host IP may have been blacklisted (this is common with dynamic IP addresses, particularly on services like AWS which are often abused by spammers).

chlw

Just to comment on your answer as well (forgot in the other post...):

The v14.0 appliance does send emails OOTB. The "problems" were exactly the ones you describe in your post (although in my case dynamic IPs were not the issue as I was on a fixed IP).

And I'm definitely sure you can configure the postfix mail server in a way that all the issues are solved within the TKL appliance. I just took my solution of using an already existing (and working) mail server because this was an "easier" solution for me to get it working.

I had to find a solution quickly for my forum, so once the "quick and dirty" solution worked, I was just happy with that and didn't dig deeper into anything else...

chlw

As I already said: I don't remember all the steps I took to get it to work...

But if you take all the information here, a couple of hours of time and Google as your friend, hopefully you'll get it to work as well...

I looked it up, and as far as I can remember and find out from the history, I can reproduce at least the following steps (don't remember the right order...):

  • Installed the following: apt-get install dovecot-imapd dovecot-pop3d
  • Installed the following: apt-get install libsasl2-modules-otp libsasl2-modules-ldap libsasl2-modules-sql libsasl2-modules-gssapi-mit libsasl2-modules-gssapi-heimdal
  • Created file: nano /etc/postfix/sasl_passwd -> [mailserver.otherdomain.tld]:587 user:password
  • Done the following: postmap /etc/postfix/sasl_passwd


and my /etc/postfix/main.cf looks like this:


# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = 123.456.789.111.static.anydomain.tld
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = name.domain.tld
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = localdomain, localhost, localhost.localdomain, localhost, name.domain.tld
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
myorigin = name.domain.tld
inet_interfaces = all
smtp_generic_maps = hash:/etc/postfix/generic

# specify SMTP relay host
relayhost = [mailserver.otherdomain.tld]:587

# enable SASL authentication
smtp_sasl_auth_enable = yes
# disallow methods that allow anonymous authentication.
smtp_sasl_security_options = noanonymous
# where to find sasl_passwd
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# Enable STARTTLS encryption
smtp_use_tls = yes
# where to find CA certificates
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

smtpd_sasl_type = dovecot

# Can be an absolute path, or relative to $queue_directory
# Debian/Ubuntu users: Postfix is setup by default to run chrooted, so it is best to leave it as-is below
smtpd_sasl_path = private/auth
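An added example (not code from the thread, TurnKey or Postfix): a small checker that parses main.cf syntax and flags what a defender would tighten in the relay setup above before handing AUTH LOGIN credentials to the relay. With only smtp_use_tls = yes, Postfix treats TLS as opportunistic, so a relay that stops offering STARTTLS (or a path that strips it) would receive the SASL password in cleartext; the sample config is constructed from the relay-related lines of the main.cf above.

```python
"""Audit a Postfix main.cf relay configuration for credential exposure (added example)."""
import re

def parse_main_cf(text):
    """Parse main.cf syntax: 'key = value', '#' comments, and
    continuation lines that start with whitespace."""
    cfg, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key:            # continuation of previous value
            cfg[key] += " " + raw.strip()
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if m:
            key = m.group(1)
            cfg[key] = m.group(2).strip()
    return cfg

def audit_relay(cfg):
    """Return findings for an authenticated relayhost setup (empty list = ok)."""
    findings = []
    if not cfg.get("relayhost") or cfg.get("smtp_sasl_auth_enable") != "yes":
        return findings                        # no relay credentials to protect
    # smtp_use_tls = yes is the legacy spelling of smtp_tls_security_level = may
    if cfg.get("smtp_tls_security_level", "") not in ("encrypt", "secure", "verify", "fingerprint"):
        findings.append("set smtp_tls_security_level = encrypt (or stronger); "
                        "smtp_use_tls = yes only gives opportunistic TLS")
    opts = {o.strip() for o in cfg.get("smtp_sasl_security_options", "").split(",")}
    if "noplaintext" not in opts:              # PLAIN/LOGIN allowed on an unencrypted session
        findings.append("add noplaintext to smtp_sasl_security_options and set "
                        "smtp_sasl_tls_security_options = noanonymous")
    if not (cfg.get("smtp_tls_CAfile") or cfg.get("smtp_tls_CApath")):
        findings.append("no smtp_tls_CAfile/CApath: relay certificate cannot be verified")
    return findings

# Constructed sample: the relay-related lines from the thread's main.cf
SAMPLE_MAIN_CF = """\
relayhost = [mailserver.otherdomain.tld]:587
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_use_tls = yes
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
"""

if __name__ == "__main__":
    for finding in audit_relay(parse_main_cf(SAMPLE_MAIN_CF)):
        print("WARN:", finding)
```

Run it against a real /etc/postfix/main.cf by reading the file into parse_main_cf; also keep /etc/postfix/sasl_passwd and its .db readable by root only, which the checker does not cover.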


Jeremy Davis

Thank you! I'm sure that will help others!

Jeremy Davis

If you're using TurnKey Linux and having an issue, please create a new user account, log in and start a new thread.

Please provide details on which appliance you're using, which version it is (if not sure, post the output of 'turnkey-version'), where it's running (e.g. local VirtualBox VM, Hub cloud server, etc.), plus details on any customisation you may have done (probably don't need details at this point, just a general idea of what you've done).

Then please detail the problem you are having (feel free to post links to other threads that describe similar issues to yours). If you are seeing any errors or warnings anywhere, please post them verbatim, i.e. exactly as they are (ideally copy/paste the text; although screenshots can be attached to the first post in a thread if that's easier). Please also note where you saw the errors (e.g. in browser, log file, commandline, etc.).

Then provide info on what you have tried already and what the results were (if any). Again please feel free to link to other posts that show similar experiences.

Armed with that info, we have a really good shot at diagnosing and fixing the issue! :)
