I am trying to create a nfs kerberos configuration with includedir. The context is the following :
default realm points to TEST.REALM.COM (hadoop installation)
nas/nfs realm points to NFS.ANOTHER.REALM.COM
When I put all realms and domain realms in the krb5.conf file, I am able to mount my nfs share. When I use the includedir tag, thinks won't work out.
Here is my krb5.conf
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = false
forwardable = true
allow_weak_crypto = false
Here is the config file for the default hadoop realm
[libdefaults]
default_realm = TEST.REALM.COM
TEST.REALM.COM = {
ticket_lifetime = 1d
renew_lifetime = 14d
}
[realms]
TEST.REALM.COM = {
kdc = admhadoop1.realm.com
kdc = admhadoop1.realm.com
admin_server = admhadoop1.realm.com
}
[domain_realm]
.realm.com = TEST.REALM.COM
realm.com = TEST.REALM.COM
Here is the config for the nfs realm
[libdefaults]
NFS.ANOTHER.REALM.COM = {
ticket_lifetime = 14d
renew_lifetime = 180d
}
[realms]
NFS.ANOTHER.REALM.COM = {
kdc = admnfs1.realm.com
kdc = admnfs2.realm.com
admin_server = admnfs1.realm.com
}
[domain_realm]
nfs01.realm.com = NFS.ANOTHER.REALM.COM
The /etc/krb5.keytab only containes the users host, nfs and root for the test01 server
Whit this configuration when I try to mount a share from nfs01.realm.com I'll get this kind of error :
rpc.gssd[7078]: dir_notify_handler: sig 37 si 0x7fff55a1d130 data 0x7fff55a1d000
rpc.gssd[7078]: dir_notify_handler: sig 37 si 0x7fff55a185b0 data 0x7fff55a18480
rpc.gssd[7078]: dir_notify_handler: sig 37 si 0x7fff55a1d130 data 0x7fff55a1d000
rpc.gssd[7078]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt16)
rpc.gssd[7078]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 '
rpc.gssd[7078]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt16)
rpc.gssd[7078]: process_krb5_upcall: service is '<null>'
rpc.gssd[7078]: Full hostname for 'nfs01.realm.com' is 'nfs01.realm.com'
rpc.gssd[7078]: Full hostname for 'test01.realm.com' is 'test01.realm.com'
rpc.gssd[7078]: No key table entry found for TEST01$#TEST.REALM.COM while getting keytab entry for 'TEST01$#TEST.REALM.COM'
rpc.gssd[7078]: No key table entry found for root/test01.realm.com#TEST.REALM.COM while getting keytab entry for 'root/test01.realm.com#TEST.REALM.COM
rpc.gssd[7078]: No key table entry found for nfs/test01.realm.com#TEST.REALM.COM while getting keytab entry for 'nfs/test01.realm.com#TEST.REALM.COM
rpc.gssd[7078]: No key table entry found for host/test01.realm.com#TEST.REALM.COM while getting keytab entry for 'host/test01.realm.com#TEST.REALM.COM
rpc.gssd[7078]: ERROR: gssd_refresh_krb5_machine_credential: no usable keytab entry found in keytab /etc/krb5.keytab for connection with host nfs01.realm.com
rpc.gssd[7078]: ERROR: No credentials found for connection to server nfs01.realm.com
rpc.gssd[7078]: doing error downcall
rpc.gssd[7078]: dir_notify_handler: sig 37 si 0x7fff55a1d130 data 0x7fff55a1d000
rpc.gssd[7078]: dir_notify_handler: sig 37 si 0x7fff55a1d130 data 0x7fff55a1d000
rpc.gssd[7078]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt17
rpc.gssd[7078]: dir_notify_handler: sig 37 si 0x7fff55a1d130 data 0x7fff55a1d000
rpc.gssd[7078]: dir_notify_handler: sig 37 si 0x7fff55a1d130 data 0x7fff55a1d000
rpc.gssd[7078]: dir_notify_handler: sig 37 si 0x7fff55a1d130 data 0x7fff55a1d000
rpc.gssd[7078]: dir_notify_handler: sig 37 si 0x7fff55a1d130 data 0x7fff55a1d000
rpc.gssd[7078]: dir_notify_handler: sig 37 si 0x7fff55a1d130 data 0x7fff55a1d000
It looks like the nfs deamon doesn not work with the includedir tag.
What do you think ?
the problem was that the files in the included directory should only have alphanumerical names (with "-" and "_") but no "." like in my case.
Related
hope you can help me.
I have a java application that use mongodb 2.6.7. Now i must upgrade to 4.4.0 version. During the process
I decided to implement the TLS connection and here my problems began. Connection timed out.
To simplify the work I decided to connect directly using the mongo shell. Now, this is the situation:
i have the mongod server active on a linux pc (ubuntu 20.04 - ip: 192.168.1.191, mongodb installed 4.4.0, OpenSSL installed 1.1.1f), and i trying to connect with a windows 10 pc (2004 version - ip: 192.168.1.193, mongodb installed 4.4.0, OpenSSL installed 1.1.1g).
I created a self signed certificate with this commands:
openssl genrsa -des3 -passout pass:qwer -out ./demoCA/private/cakey.pem 4096
openssl req -new -x509 -days 730 -key ./demoCA/private/cakey.pem -passin pass:qwer -out ./demoCA/cacert.pem -subj '/C=LL/ST=lin/L=lin/O=lin/OU=lin/CN=lin' -outform PEM
cp ./demoCA/cacert.pem ./demoCA/certs/00.pem
cd ./demoCA/certs
ln -s 00.pem `openssl x509 -hash -noout -in 00.pem`.0
cd ..
cd ..
openssl genrsa -out ./private_key.pem 4096
openssl req -new -key ./private_key.pem -out ./request.pem -subj '/C=LL/ST=lin/L=lin/O=lin/OU=lin/CN=192.168.1.191' -outform PEM
openssl ca -in ./request.pem -passin pass:qwer
cp ./demoCA/newcerts/01.pem ./demoCA/certs/01.pem
cd ./demoCA/certs
ln -s 01.pem `openssl x509 -hash -noout -in 01.pem`.0
cd ..
cd ..
cat ./private_key.pem ./demoCA/certs/01.pem > ./certificate.pem
then i started mongod with this command:
mongod --config /etc/mongod.conf
here the mongod.conf:
# Where and how to store data.
storage:
dbPath: /var/lib/mongodb
journal:
enabled: true
# engine:
# mmapv1:
# wiredTiger:
# where to write logging data.
systemLog:
destination: file
logAppend: true
path: /var/log/mongodb/mongod.log
# network interfaces
net:
port: 27017
bindIp: 192.168.1.191
tls:
mode: requireTLS
certificateKeyFile: [ABSOLUTE_PATH]/certificate.pem
CAFile: [ABSOLUTE_PATH]/demoCA/cacert.pem
# how the process runs
processManagement:
timeZoneInfo: /usr/share/zoneinfo
#security:
security:
authorization: "enabled"
i downloaded on my Win pc certificate.pem and cacert.pem and tried to connect with:
mongo --tls --tlsCertificateKeyFile c:\ssl-cert-lin\certificate.pem --tlsCAFile c:\ssl-cert-lin\cacert.pem -u root -p test --authenticationDatabase mydb --host 192.168.1.191 --port 27017
the result:
Error: couldn't connect to server 192.168.1.191:27017, connection attempt failed: SocketException: The client and server cannot communicate, because they do not possess a common algorithm.
After a thousand attempts, i tried to do viceversa, installing mongodb server on windows and connecting from linux to window. I followed the same procedure creating the certificate, same configuration of mongod, same connection parameters with the mongo command (after the upload of win certificate on linux). Linux mongo command connect correctly to mongod windows server.
So i tried to test connection directly by OpenSSL keeping both the mongo server (on linux and on windows) alive.
From linux (ip:192.168.1.191) i launched command:
root#btksrv:~# openssl s_client -connect 192.168.1.193:27017 -CAfile ./ssl-cert-win/cacert.pem
CONNECTED(00000003)
Can't use SSL_get_servername
depth=1 C = WW, ST = win, L = win, O = win, OU = win, CN = win
verify return:1
depth=0 C = WW, ST = win, O = win, OU = win, CN = 192.168.1.193
verify return:1
---
Certificate chain
0 s:C = WW, ST = win, O = win, OU = win, CN = 192.168.1.193
i:C = WW, ST = win, L = win, O = win, OU = win, CN = win
---
Server certificate
-----BEGIN CERTIFICATE-----
[lines removed...]
-----END CERTIFICATE-----
subject=C = WW, ST = win, O = win, OU = win, CN = 192.168.1.193
issuer=C = WW, ST = win, L = win, O = win, OU = win, CN = win
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1:RSA+SHA512:ECDSA+SHA512
Shared Requested Signature Algorithms: RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:ECDSA+SHA256:ECDSA+SHA384:RSA+SHA512:ECDSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 2248 bytes and written 453 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: B84B0000D21B35AF457FBA576C3C1A4BD42DEC5B1DAC2FA33203DEA6E88DE4E7
Session-ID-ctx:
Master-Key: CA4CEC4DE4AA5B67BC577CCA3DF7D5E5DF5ECEC9438592AAC9D7DDDB105E31FB8CB78DBBE962C0A90D99195ECD86FCBB
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1596710695
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
---
read:errno=0
From windows (ip:192.168.1.193) i launched command:
c:\>openssl s_client -connect 192.168.1.191:27017 -CAfile c:\ssl-cert-lin\cacert.pem
CONNECTED(00000120)
Can't use SSL_get_servername
depth=1 C = LL, ST = lin, L = lin, O = lin, OU = lin, CN = lin
verify return:1
depth=0 C = LL, ST = lin, O = lin, OU = lin, CN = 192.168.1.191
verify return:1
---
Certificate chain
0 s:C = LL, ST = lin, O = lin, OU = lin, CN = 192.168.1.191
i:C = LL, ST = lin, L = lin, O = lin, OU = lin, CN = lin
1 s:C = LL, ST = lin, L = lin, O = lin, OU = lin, CN = lin
i:C = LL, ST = lin, L = lin, O = lin, OU = lin, CN = lin
---
Server certificate
-----BEGIN CERTIFICATE-----
[lines removed...]
-----END CERTIFICATE-----
subject=C = LL, ST = lin, O = lin, OU = lin, CN = 192.168.1.191
issuer=C = LL, ST = lin, L = lin, O = lin, OU = lin, CN = lin
---
Acceptable client certificate CA names
C = LL, ST = lin, L = lin, O = lin, OU = lin, CN = lin
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3832 bytes and written 403 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 0D60B8F6140E7483DDE2D4D3B405E2C81FCC6C18C32B03DA811395A0ED9189A0
Session-ID-ctx:
Resumption PSK: 10782266BDE34F8820365AD13FCB606128B410B6D9DBC31D382542E17058975030B4B472A907730AB63573FBD7E900B3
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
[lines removed...]
Start Time: 1596711179
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: E3A023177260EC48FEF860C30FBF32986E6AA83EA897D5D4E68DD1418329B6C4
Session-ID-ctx:
Resumption PSK: BE969CD81BB54EFF67C1F877A29A15C40839767A145252BDD16BDC2E91242E069C8E04D4A3E3DA7D099120D78749EA12
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
[lines removed...]
Start Time: 1596711179
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
read:errno=0
Looking at the last 2 code blocks i think there is a mismatch protocol... Linux use TLS 1.3 and windows use 1.2 protocol. Could this be the problem? in this case how can I solve?
Otherwise what can be the problem? (and the solution)
Thanks in advance for your help
P.s. before using mongo v4.4 i tried v4.2... same thing
Found the solution. The problem was in Openssl. Linux has a preinstalled version of OpenSSL. In Windows i downloaded a installer from here: https://slproweb.com/products/Win32OpenSSL.html
the problem is that a third part compiled OpenSSL could has a different encryption.
I uninstalled OpenSSL from both Linux and Windows and downloaded the uncompiled library from https://github.com/openssl/openssl. After the compilation, i recreated the certificates and now windows mongo can connect linux mongod and viceversa
I have a simple udp server/client setup where I send a message from the client and print it on the server. This works well for a regular IP packet but the message is not received when I add an IP options header to the packet, even though I can sniff the packet using scapy.
Here's the packet without IP options
###[ Ethernet ]###
dst = 00:04:00:00:04:01
src = 00:aa:00:02:00:04
type = 0x800
###[ IP ]###
version = 4L
ihl = 5L
tos = 0x0
len = 47
id = 1
flags =
frag = 0L
ttl = 61
proto = udp
chksum = 0x62f4
src = 10.0.2.101
dst = 10.0.4.101
\options \
###[ UDP ]###
sport = 10001
dport = 3478
len = 27
chksum = 0x2bd1
###[ Raw ]###
load = 'message from a game'
And here's the packet with IP options header:
###[ Ethernet ]###
dst = 00:04:00:00:04:01
src = 00:aa:00:02:00:04
type = 0x800
###[ IP ]###
version = 4L
ihl = 8L
tos = 0x0
len = 59
id = 1
flags =
frag = 0L
ttl = 61
proto = udp
chksum = 0x5fe8
src = 10.0.2.101
dst = 10.0.4.101
\options \
|###[ IPOption ]###
| copy_flag = 1L
| optclass = control
| option = 31L
| length = 12
| value = '\x00\x01\x00\x00RTGAME'
###[ UDP ]###
sport = 10001
dport = 3478
len = 27
chksum = 0x2bd1
###[ Raw ]###
load = 'message from a game'
And here's the UDP server:
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.bind(('', args.port))
while True:
try:
data, addr = sock.recvfrom(1024)
print("received: %s" % data)
except KeyboardInterrupt:
sock.close()
break
I've been stuck on this for a few days and would love if someone could figure it out.
Thanks
have just been playing and the following works as a self-contained/minimal working example for me with Python 3.7.1 under both OSX and Linux
generating a valid set of IP Options:
from scapy.all import IPOption, raw
ipopts = raw(IPOption(
copy_flag=1, optclass='control', option=31,
value='\x00\x01\x00\x00RTGAME'))
(if you don't have Scapy, the above should generate: b'\x9f\x0c\x00\x01\x00\x00RTGAME')
client code:
import socket
from time import sleep
with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
s.connect(('127.0.0.1', 3478))
s.setsockopt(socket.IPPROTO_IP, socket.IP_OPTIONS, ipopts)
while True:
s.send(b'message from a game')
sleep(1)
server code:
import socket
with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
s.bind(('', 3478))
s.setsockopt(socket.IPPROTO_IP, socket.IP_RECVOPTS, 1)
while True:
print(*s.recvmsg(4096, 1024))
this should result in the "server" displaying lines like:
b'message from a game\n' [(0, 6, b'\x9f\x0c\x00\x01\x00\x00RTGAME')] 0 ('127.0.0.1', 46047)
furthermore, I can watch packets move over the network by running:
sudo tcpdump -i lo0 -vvv -n 'udp and port 3478'
at the command line, or this in Scapy:
sniff(iface='lo0', filter='udp and port 3478', prn=lambda x: x.show())
for some reason I don't actually receive the ancillary data containing the IP Options under OSX, but the data shows up in the packet sniffers.
The problem was due to an incorrect IPv4 checksum. I failed to mention in the question that I'm running this in a mininet environment with custom switches. The IP options get added in transit by a switch, but the checksum wasn't updated. Once I fixed that, the packet made it to the server.
Thanks for the help and pointers everyone!
Mail from Plesk.
But i recieve this answer
Out: 220 **DOMAIN** ESMTP Postfix (Debian/GNU)
In: EHLO [10.33.205.183]
Out: 250-**DOMAIN**
Out: 250-PIPELINING
Out: 250-SIZE 31457280
Out: 250-ETRN
Out: 250-STARTTLS
Out: 250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN LOGIN
Out: 250-ENHANCEDSTATUSCODES
Out: 250-8BITMIME
Out: 250 DSN
In: STARTTLS
Out: 454 4.7.0 TLS not available due to local problem
In: ???
Out: 502 5.5.2 Error: command not recognized
In: ?????(?'??????
Out: 502 5.5.2 Error: command not recognized
In: ????
Out: 502 5.5.2 Error: command not recognized
Out: 421 4.4.2 **DOMAIN** Error: timeout exceeded
Session aborted, reason: timeout
For other details, see the local mail logfile
Here is my main.cf:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_tls_cert_file = /etc/postfix/tls/httpsd.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = ***DOMAIN***
alias_maps = hash:/etc/aliases, hash:/var/spool/postfix/plesk/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = localhost.startdedicated.de, localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8 [::1]/128 **IP**/32
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
virtual_mailbox_domains = $virtual_mailbox_maps, hash:/var/spool/postfix/plesk/virtual_domains
virtual_alias_maps = $virtual_maps, hash:/var/spool/postfix/plesk/virtual
virtual_mailbox_maps = , hash:/var/spool/postfix/plesk/vmailbox
transport_maps = , hash:/var/spool/postfix/plesk/transport
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtp_use_tls = no
smtpd_timeout = 3600s
smtpd_proxy_timeout = 3600s
disable_vrfy_command = yes
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
smtp_send_xforward_command = yes
smtpd_authorized_xforward_hosts = 127.0.0.0/8 [::1]/128
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
virtual_mailbox_base = /var/qmail/mailnames
virtual_uid_maps = static:30
virtual_gid_maps = static:31
smtpd_milters = , inet:127.0.0.1:12768
non_smtpd_milters =
sender_dependent_default_transport_maps = hash:/var/spool/postfix/plesk/sdd_transport_maps
virtual_transport = plesk_virtual
plesk_virtual_destination_recipient_limit = 1
mailman_destination_recipient_limit = 1
virtual_mailbox_limit = 0
message_size_limit = 31457280
I should say, that i not be an expert on linux and mailing!
The config file is located: /etc/postfix/main.cf
The cert /etc/postfix/tls/httpsd.pem is the servers default cert.
Thank you!
TL;TR: both bad client and bad server.
The mail server you use is configured wrong in that it believes it can to TLS (as seen in EHLO containing STARTTLS) but then fails to actually use TLS (error when client tries to use TLS). Additionally the client simply ignores the error message to the STARTTLS command and continues with the TLS handshake. This causes error messages from the server which expects proper SMTP commands but instead gets what looks like garbage (the TLS ClientHello).
i'm trying to configure postfix to work with an external smtp server.
This is my main.cf file (this is from a fresh installation and few customize settings):
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = ubuntuTesting
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = ubuntuTesting, localhost.localdomain, localhost
relayhost = smtp.site.it
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_type = cyrus
smtp_sasl_auth_enable = yes
# optional: necessary if email provider uses load balancing and
# forwards emails to another smtp server
# for delivery (ie: smtp.yahoo.com --> smtp.phx.1.yahoo.com)
smtp_cname_overrides_servername = no
I've created the sasl_passwd with smtp, username and password. When i try to send an email with 'mail' command this is the output in the logs
Jun 12 15:13:13 ubuntuTesting postfix/qmgr[2390]: AE6FD1E136B: from=<ubuntu#ubuntuTesting>, size=368, nrcpt=1 (queue active)
Jun 12 15:13:14 ubuntuTesting postfix/smtp[2401]: AE6FD1E136B: enabling PIX workarounds: disable_esmtp delay_dotcrlf for smtp.site.com[xxx.xxx.xx.xx]:25
Jun 12 15:13:14 ubuntuTesting postfix/smtp[2401]: AE6FD1E136B: to=<stefano#site.com>, relay=smtp.site.com[xxx.xxx.xx.xx]:25, delay=0.72, delays=0.04/0.04/0.59/0.05, dsn=4.4.2, status=deferred (lost connection with smtp.site.com[xxx.xxx.xx.xx] while sending MAIL FROM)
Jun 12 15:23:03 ubuntuTesting postfix/smtp[2491]: AE6FD1E136B: enabling PIX workarounds: disable_esmtp delay_dotcrlf for smtp.site.com[xxx.xxx.xx.xx]:25
Jun 12 15:23:03 ubuntuTesting postfix/smtp[2491]: AE6FD1E136B: to=<stefano#site.com>, relay=smtp.site.com[xxx.xxx.xx.xx]:25, delay=590, delays=589/0.01/0.36/0.04, dsn=4.4.2, status=deferred (lost connection with smtp.site.com[xxx.xxx.xx.xx] while sending MAIL FROM)
I think the issues is that the smtp server accept AUTH PLAIN login type, but i can't figure out how to login correctly. I've tried a lot of things.
I can make it works with my google account, but not with this one.
I installed SNMP on my Linux in order to monitory load balance, disk space etc.
yum install net-snmp net-snmp-utils
vim /etc/snmp/snmpd.conf # added "rocommunity public"
/etc/init.d/snmpd start
Walking the SNMP returns very few entries, no load average, disk space etc.:
snmpwalk -v 1 -c public localhost
SNMPv2-MIB::sysDescr.0 = STRING: Linux XXX 2.6.35.4-rscloud #8 SMP Mon Sep 20 15:54:33 UTC 2010 x86_64
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (232884) 0:38:48.84
SNMPv2-MIB::sysContact.0 = STRING: Root <root#localhost> (configure /etc/snmp/snmp.local.conf)
SNMPv2-MIB::sysName.0 = STRING: XXX
SNMPv2-MIB::sysLocation.0 = STRING: Unknown (edit /etc/snmp/snmpd.conf)
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00
SNMPv2-MIB::sysORID.1 = OID: SNMPv2-MIB::snmpMIB
SNMPv2-MIB::sysORID.2 = OID: TCP-MIB::tcpMIB
SNMPv2-MIB::sysORID.3 = OID: IP-MIB::ip
SNMPv2-MIB::sysORID.4 = OID: UDP-MIB::udpMIB
SNMPv2-MIB::sysORID.5 = OID: SNMP-VIEW-BASED-ACM-MIB::vacmBasicGroup
SNMPv2-MIB::sysORID.6 = OID: SNMP-FRAMEWORK-MIB::snmpFrameworkMIBCompliance
SNMPv2-MIB::sysORID.7 = OID: SNMP-MPD-MIB::snmpMPDCompliance
SNMPv2-MIB::sysORID.8 = OID: SNMP-USER-BASED-SM-MIB::usmMIBCompliance
SNMPv2-MIB::sysORDescr.1 = STRING: The MIB module for SNMPv2 entities
SNMPv2-MIB::sysORDescr.2 = STRING: The MIB module for managing TCP implementations
SNMPv2-MIB::sysORDescr.3 = STRING: The MIB module for managing IP and ICMP implementations
SNMPv2-MIB::sysORDescr.4 = STRING: The MIB module for managing UDP implementations
SNMPv2-MIB::sysORDescr.5 = STRING: View-based Access Control Model for SNMP.
SNMPv2-MIB::sysORDescr.6 = STRING: The SNMP Management Architecture MIB.
SNMPv2-MIB::sysORDescr.7 = STRING: The MIB for Message Processing and Dispatching.
SNMPv2-MIB::sysORDescr.8 = STRING: The management information definitions for the SNMP User-based Security Model.
SNMPv2-MIB::sysORUpTime.1 = Timeticks: (0) 0:00:00.00
SNMPv2-MIB::sysORUpTime.2 = Timeticks: (0) 0:00:00.00
SNMPv2-MIB::sysORUpTime.3 = Timeticks: (0) 0:00:00.00
SNMPv2-MIB::sysORUpTime.4 = Timeticks: (0) 0:00:00.00
SNMPv2-MIB::sysORUpTime.5 = Timeticks: (0) 0:00:00.00
SNMPv2-MIB::sysORUpTime.6 = Timeticks: (0) 0:00:00.00
SNMPv2-MIB::sysORUpTime.7 = Timeticks: (0) 0:00:00.00
SNMPv2-MIB::sysORUpTime.8 = Timeticks: (0) 0:00:00.00
Found the problem:
needed to reset the .conf file completely:
echo "rocommunity public" > /etc/snmp/snmp.conf
needed to specify the exact branch to walk:
snmpwalk -v 1 -c public localhost .1.3.6.1.4.1.2021.10
For others like me who might search for this:
It is due to the rocommunity being restricted to basic access in the default SNMPd config with the line:
rocommunity public default -V systemonly
To give full access to localhost just uncomment the previous line which is:
rocommunity public localhost
Or you can give all computers full access like OP did via:
rocommunity public