
mail/postfix - outgoing authentication broken under some circumstances #2830

Closed · 3 tasks done
pmhausen opened this issue Feb 11, 2022 · 5 comments
Labels: help wanted (Contributor missing)

Comments

@pmhausen (Contributor)

Describe the bug
Depending on the features of the relay host outbound authentication for relaying might fail.

To Reproduce

  1. Configure the Postfix plugin, General, e.g.
    Smart Host: mail2.pluspunkthosting.de:587
    Enable SMTP Authentication: [X]
    Authentication Username: postfix@hausen.com
    Authentication Password: *******

  2. Relay a mail through the Postfix server

Expected behavior
Postfix should authenticate at the relay host and send the mail.

Observed behavior
I don't know if this is particular to my mail server. The server offers in its ESMTP banner these authentication options:

250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5 GSSAPI 
250-AUTH=PLAIN LOGIN CRAM-MD5 DIGEST-MD5 GSSAPI 

Postfix fails and the message stays in the queue forever:

root@opnsense:/var/log/postfix # mailq
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
DC77FF7E4       319 Fri Feb 11 17:52:51  pmh@hausen.com
(SASL authentication failed; cannot authenticate to server mail2.pluspunkthosting.de[217.29.33.229]: generic failure)
                                         pmh@hausen.com

If one increases the debug level to 10, we get this additional info:

<20>1 2022-02-11T17:53:05+01:00 opnsense.ettlingen.hausen.com postfix/smtp 16930 - [meta sequenceId="14"] warning: SASL authentication failure: GSSAPI Error: No credentials were supplied, or the credentials were unavailable or inaccessible (No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_125))

A temporary solution is to disable GSSAPI configuration in main.cf:

smtp_sasl_mechanism_filter = !gssapi, !ntlm, static:rest

or

smtp_sasl_mechanism_filter = plain, login

I googled these config options; I really don't know what I am doing. So unfortunately I cannot suggest a patch but have to give this to someone who knows Postfix ...

Kind regards,
Patrick

@kulikov-a (Member)

Hi! IMHO this is not "a temporary solution" but the only right way to make it work if the plugin may authenticate on the smart host with only a "plain" mech, since the plugin will always choose the most secure mechanism among those present on the server and client.
See the Postfix SASL docs, [Postfix SMTP/LMTP client policy - SASL mechanism names] section:

Given the SASL security options of the previous section, the Cyrus SASL library will choose the most secure authentication mechanism that both the SMTP client and server implement. Unfortunately, that authentication mechanism may fail because the client or server is not configured to use that mechanism.

To prevent this, the Postfix SMTP client can filter the names of the authentication mechanisms from the remote SMTP server. Used correctly, the filter hides unwanted mechanisms from the Cyrus SASL library, forcing the library to choose from the mechanisms the Postfix SMTP client filter passes through.

The following example filters out everything but the mechanisms PLAIN and LOGIN:

/etc/postfix/main.cf:
    smtp_sasl_mechanism_filter = plain, login
Note
If the remote server does not offer any of the mechanisms on the filter list, authentication will fail.

We close this section with an example that passes every mechanism except for GSSAPI and LOGIN:

/etc/postfix/main.cf:
    smtp_sasl_mechanism_filter = !gssapi, !login, static:all

So maybe adding smtp_sasl_mechanism_filter = plain to the template is the right choice?
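
The selection logic the report and the reply above describe, as an added example that is not part of this issue, of the OPNsense plugin or of Postfix: a Python model of how smtp_sasl_mechanism_filter narrows the mechanisms a relay host advertises before a "strongest first" pick is made. The EHLO text is constructed from the two AUTH lines quoted in the report (the host name is a placeholder); the PREFERENCE ranking and the negotiate() helper stand in for the Cyrus SASL choice and are assumptions, not the library's actual ranking. The model shows why the unfiltered case ends in the "No Kerberos credentials available" error from the log, that "!gssapi, static:all" and "!gssapi, !ntlm, static:rest" behave identically because Postfix ignores the right-hand side of a static: table, and that "plain, login" leaves only the clear-text mechanisms. One caveat for that last form: PLAIN and LOGIN send the password base64-encoded, not encrypted, so such a filter belongs together with smtp_tls_security_level = encrypt, and smtp_sasl_tls_security_options = noanonymous is needed because the default noplaintext would otherwise refuse both mechanisms.

```python
import re

# Constructed EHLO fragment: the two AUTH lines are the ones quoted in the
# issue, the host name is a placeholder.
EHLO_RESPONSE = """250-mail2.example.invalid
250-STARTTLS
250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5 GSSAPI
250-AUTH=PLAIN LOGIN CRAM-MD5 DIGEST-MD5 GSSAPI
250 8BITMIME"""

# Assumed "strongest first" ranking standing in for the Cyrus SASL choice;
# the real library ranks by each mechanism's declared security properties.
PREFERENCE = ["GSSAPI", "DIGEST-MD5", "CRAM-MD5", "NTLM", "PLAIN", "LOGIN"]


def advertised_mechanisms(ehlo: str) -> list:
    """Mechanism names from 'AUTH ...' and the legacy 'AUTH=...' lines, in order."""
    mechs = []
    for line in ehlo.splitlines():
        m = re.match(r"250[- ]AUTH[ =](.+)$", line.strip(), re.IGNORECASE)
        if m:
            for name in m.group(1).split():
                name = name.upper()
                if name not in mechs:
                    mechs.append(name)
    return mechs


def parse_filter(value: str) -> list:
    """Turn a smtp_sasl_mechanism_filter value into an ordered list of
    (negated, matcher) pairs. Handles bare names, '!name' exclusions and
    'static:...' tables (Postfix ignores the right-hand side, so static:all
    and static:rest both match every name). /file/name patterns and other
    lookup-table types are out of scope for this example."""
    patterns = []
    for item in re.split(r"[\s,]+", value.strip()):
        if not item:
            continue
        negated = item.startswith("!")
        pattern = item[1:] if negated else item
        if pattern.lower().startswith("static:"):
            patterns.append((negated, lambda _name: True))
        else:
            wanted = pattern.lower()
            patterns.append((negated, lambda name, w=wanted: name.lower() == w))
    return patterns


def apply_filter(mechs: list, patterns: list) -> list:
    """Postfix match-list semantics: for each mechanism the first matching
    pattern decides; a negated match drops it, and no match at all drops it.
    An empty filter (the default) passes everything through."""
    if not patterns:
        return list(mechs)
    kept = []
    for mech in mechs:
        for negated, matches in patterns:
            if matches(mech):
                if not negated:
                    kept.append(mech)
                break
    return kept


def negotiate(ehlo: str, filter_value: str = "", have_krb_ticket: bool = False):
    """Return (mechanism, None) on success or (None, error) on failure.
    The failure branch models the issue: GSSAPI ranks highest, so it is
    picked, and then fails because no Kerberos credential cache exists."""
    offered = apply_filter(advertised_mechanisms(ehlo), parse_filter(filter_value))
    for mech in PREFERENCE:
        if mech in offered:
            if mech == "GSSAPI" and not have_krb_ticket:
                return None, "GSSAPI Error: No Kerberos credentials available"
            return mech, None
    return None, "no mechanism left after filtering"


if __name__ == "__main__":
    for flt in ("", "!gssapi, static:all", "!gssapi, !ntlm, static:rest", "plain, login"):
        print(f"filter={flt!r:32} -> {negotiate(EHLO_RESPONSE, flt)}")
```

Running the block prints one line per filter value; the empty filter reproduces the GSSAPI failure, both exclusion filters end in DIGEST-MD5 under the assumed ranking, and the plain/login filter ends in PLAIN.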

@pmhausen (Contributor, Author)

Agreed. But possibly make it a configurable option? Are there any situations when anything else would be needed?

From this document:
http://www.postfix.org/SASL_README.html

I get that possibly

smtp_sasl_mechanism_filter = !gssapi, static:all

might be the best solution. Or make it a free form string in the advanced options section and leave it at the responsibility of the admin?

Kind regards,
Patrick

@kulikov-a (Member)

Or make it a free form string in the advanced options section and leave it at the responsibility of the admin?

The best way IMHO.
NTLM, for example, may work in one case (v1) and not in another (NTLMv2).

@OPNsense-bot

This issue has been automatically timed-out (after 180 days of inactivity).

For more information about the policies for this repository,
please read https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md for further details.

If someone wants to step up and work on this issue,
just let us know, so we can reopen the issue and assign an owner to it.

OPNsense-bot closed this as not planned (won't fix, can't repro, duplicate, stale) on Aug 10, 2022
OPNsense-bot added the "help wanted (Contributor missing)" label on Aug 10, 2022
@pmhausen (Contributor, Author)

I have come to the conclusion that inserting

smtp_sasl_mechanism_filter = !gssapi, static:all

unconditionally is the only sensible way to go for now. OPNsense does not support GSSAPI so outgoing SMTP (client) authentication will always fail if the remote mailserver offers GSSAPI and this line is not present.

The patch does not change anything else.

PR incoming ...
