SASL AUTH with postfix on Sarge


keulu
23rd January 2006, 11:03
Hi,

I'm desperately trying to authenticate via sasl2 through postfix installed on a Debian Sarge.
I wanted to use sasldb authentication, so I created a test account : login:test password:test with no realm info.
TLS support in postfix is not activated at the moment.

Here's the output for a local telnet test:


# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
220 mysmtp.mydomain.tld ESMTP (Debian/GNU)
ehlo localhost
250-mysmtp.mydomain.tld
250-PIPELINING PLAIN
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME
AUTH PLAIN dGVzdAB0ZXN0AHRlc3Q=
535 Error: authentication failed


mail.log says :


warning: SASL authentication failure: Password verification failed
warning: localhost.localdomain[127.0.0.1]: SASL PLAIN authentication failed


The account has been tested OK as far as saslauthd is concerned:


# testsaslauthd -u test -p test -f /var/spool/postfix/var/run/saslauthd/mux
0: OK "Success."


Everything works fine in the chrooted postscript when configured to ask for shadow passwords (MECHANISMS="shadow" in /etc/default/saslauthd and pwcheck_method: saslauthd in /etc/postfix/sasl/smtpd.conf) but no way to make it work with MECHANISMS="sasldb" and pwcheck_method: auxprop.

Thanks for any assistance to solve this problem.;)
I already spent a couple of days tearing my hair out over this issue, but I could find neither any valuable info on the internet nor any workaround on my own. :mad:
Sorry for all the code provided...

Here is my main.cf:


smtpd_banner = $myhostname ESMTP (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

myhostname = mysmtp.mydomain.tld
mydomain = mydomain.tld

alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases

myorigin = $mydomain
mydestination = $myhostname, $mydomain, localhost

relayhost =
mynetworks = 127.0.0.0/8
home_mailbox = Maildir/
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 51200000
recipient_delimiter = +
inet_interfaces = $myhostname, localhost

smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_invalid_hostname,
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination
smtpd_sender_restrictions =
    reject_unknown_sender_domain,
    reject_non_fqdn_sender

# Use amavis filtering
content_filter=smtp-amavis:[127.0.0.1]:10024

# Reject exe attachment files
header_checks = regexp:/etc/postfix/header_checks

# SASL support (SMTP AUTH)
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
# smtpd_sasl_application_name = smtpd
broken_sasl_auth_clients = yes

# SSL / TLS identification key files
# smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
# smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
# smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem

# SSL / TLS support parameters
# smtpd_tls_auth_only = no
# smtpd_use_tls = yes
# smtpd_tls_loglevel = 1
# smtpd_tls_ask_ccert = yes
# smtpd_tls_received_header = yes
# smtpd_tls_session_cache_timeout = 3600s
# tls_random_source = dev:/dev/urandom


and my master.cf:


smtp inet n - - - - smtpd
#submission inet n - - - - smtpd
# -o smtpd_etrn_restrictions=reject
#628 inet n - - - - qmqpd
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - - 300 1 qmgr
#qmgr fifo n - - 300 1 oqmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - - - - smtp
relay unix - - - - - smtp
# -o smtp_helo_timeout=5
# -o smtp_connect_timeout=5
showq unix n - - - - showq
error unix - - - - - error
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
#
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# maildrop. See the Postfix MAILDROP_README file for details.
#
maildrop unix - n n - - pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -d -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}

# only used by postfix-tls
tlsmgr fifo - - n 300 1 tlsmgr
smtps inet n - y - - smtpd -v
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
587 inet n - n - - smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes

smtp-amavis unix - - n - 2 smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookup=yes

127.0.0.1:10025 inet n - n - - smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.1/8
  -o strict_rfc821_envelopes=yes
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000


and finally my /etc/postfix/sasl/smtpd.conf:


pwcheck_method: auxprop
mech_list: plain login
auxprop_plugin: sasldb2
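
Added example, not part of the original thread: a decoder for the AUTH PLAIN token from the telnet session above, showing the three RFC 4616 fields it carries. Base64 is only an encoding, so with TLS off the password is recoverable from the wire as-is; `parse_sasl_plain` and the returned keys are names chosen here.

```python
import base64

# RFC 4616 requires accepting up to 255 octets per field; this sketch
# simply rejects anything longer.
MAX_OCTETS = 255


def parse_sasl_plain(token_b64):
    """Decode an AUTH PLAIN response: [authzid] NUL authcid NUL passwd."""
    try:
        raw = base64.b64decode(token_b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("token is not valid base64") from exc

    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("expected 2 NUL separators, found %d" % (len(parts) - 1))
    if any(len(p) > MAX_OCTETS for p in parts):
        raise ValueError("field longer than %d octets" % MAX_OCTETS)

    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    if not authcid or not passwd:
        raise ValueError("authcid and passwd must not be empty")

    # user@realm convention: an authcid without '@' carries no realm.
    user, _, realm = authcid.partition("@")
    return {"authzid": authzid, "user": user, "realm": realm or None,
            "passwd": passwd}


# Token copied from the telnet session in the post above.
PAGE_TOKEN = "dGVzdAB0ZXN0AHRlc3Q="

if __name__ == "__main__":
    for name, value in parse_sasl_plain(PAGE_TOKEN).items():
        print("%-8s %r" % (name, value))
```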

falko
23rd January 2006, 18:05
Did you create the user's password with saslpasswd2? See man saslpasswd2

keulu
23rd January 2006, 20:08
yes, exactly what I did...:)

nibman
28th August 2006, 13:27
Hello!

I have the same problem as Keulu here and I can't find any solution to the problem.

I had a completely new installation of Debian 3.1 when starting to install according to the "Perfect Setup" for the correct version of Debian. I followed every step by copying and pasting, but still the SMTP AUTH functionality doesn't work. Every time I try to connect with the client (Microsoft Outlook Express & others) the password isn't accepted.

In the logfile I get the following error every time I try to authenticate a user:

Aug 28 09:57:10 postfix/smtpd[12365]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory

I have checked with testsaslauthd and it responds OK.

I have set the password with saslpasswd2 to no avail.

What else can I try? Can I do other checks to see if everything is working? Since the logfile says that smtpd is unable to connect to saslauthd, is there anything I can do to make sure it is connecting? How does it connect? Is it using a pipe or a socket? If the pipe is known perhaps one can try that, manually?

I am out of options right now. I have checked every place on the Internet I can find that discusses this problem. It was so easy for version 3.0 of Debian. Everything worked directly.

Please help!

falko
29th August 2006, 20:37
Aug 28 09:57:10 postfix/smtpd[12365]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory

Please make sure saslauthd is started. What's the output of ps aux | grep saslauthd? Also make sure saslauthd is chrooted correctly (as Postfix is running chrooted), as described in the tutorial. Compare your /etc/default/saslauthd and /etc/init.d/saslauthd with the ones from the tutorial.

nibman
30th August 2006, 09:13
Hello, thanks for the reply!

I just got it working... I changed in my client from port 465 tcp to use port 25 tcp. In the earlier version I had to use port 465 and not 25 to get it working. Why is it different now??

falko
31st August 2006, 22:49
I guess the process on port 465 isn't running chrooted, as is the process on port 25. You can check in /etc/postfix/master.cf.
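
The check suggested in the last reply, as an added example that is not from the thread: read the chroot column of each smtpd listener in master.cf and work out where that process will look for the saslauthd socket. Assumptions: `-` in the chroot column means `y` (the default before Postfix 3.0), the queue directory is `/var/spool/postfix`, and the client-side socket path is `/var/run/saslauthd/mux`; the function names are made up here, and the sample lines are copied from the master.cf posted earlier in the thread.

```python
# Service lines copied from the master.cf posted earlier in this thread.
SAMPLE_MASTER_CF = """\
smtp inet n - - - - smtpd
#submission inet n - - - - smtpd
pickup fifo n - - 60 1 pickup
smtps inet n - y - - smtpd -v
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
587 inet n - n - - smtpd
  -o smtpd_enforce_tls=yes
127.0.0.1:10025 inet n - n - - smtpd
  -o content_filter=
"""


def socket_per_listener(master_cf, default_chroot="y",
                        queue_dir="/var/spool/postfix",
                        socket_path="/var/run/saslauthd/mux"):
    """Map each smtpd inet listener to the real path it opens for saslauthd.

    The defaults are assumptions: "-" in the chroot column means "y" before
    Postfix 3.0, and the two paths are the usual Debian locations.
    """
    seen = {}
    for line in master_cf.splitlines():
        text = line.strip()
        # Skip blanks, comments, and "-o" continuation lines (leading space).
        if not text or text.startswith("#") or line[0].isspace():
            continue
        fields = line.split()
        # service type private unpriv chroot wakeup maxproc command [args]
        if len(fields) < 8 or fields[1] != "inet" or fields[7] != "smtpd":
            continue
        chroot = default_chroot if fields[4] == "-" else fields[4]
        # A chrooted smtpd resolves the socket path below the queue directory.
        seen[fields[0]] = queue_dir + socket_path if chroot == "y" else socket_path
    return seen


def listeners_missing_socket(master_cf, actual_socket, **kwargs):
    """Listeners whose lookup path differs from where saslauthd really listens."""
    seen = socket_per_listener(master_cf, **kwargs)
    return sorted(name for name, path in seen.items() if path != actual_socket)


if __name__ == "__main__":
    # Socket location taken from the testsaslauthd command in the thread.
    real = "/var/spool/postfix/var/run/saslauthd/mux"
    print(listeners_missing_socket(SAMPLE_MASTER_CF, real))
```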