SASL failures - postfix/sasl/postfixadmin/mysql


dragonator
6th July 2008, 04:21
Hi folks,

I'm closing in on what I thought should be pretty straight forward, but my eyes are crossed from wading through all the HowTos and the Googled links to links to links, etc., so hopefully someone here can point me in the right direction. :)

I've configured an Ubuntu 8.04 server to run Postfix with postfixadmin, mysql, smtp-auth using sasl, courier for imap and pop, and multiple webmail interfaces. I seem to have almost everything working since I can receive mail OK, send mail fine via the webmail interfaces, create new domains/users, etc. The one thing I can't seem to do is send email normally through TBird or c/l telnet methods. :confused:

When I try to send mail I'm getting the following error:

warning: SASL authentication failure: cannot connect to saslauthd server: Permission denied

How do I track down what it's being denied permission to access?

falko
6th July 2008, 12:28
Please try this:
adduser postfix sasl
/etc/init.d/postfix restart
/etc/init.d/saslauthd start

dragonator
6th July 2008, 19:10
I'd already checked that. System response indicates that postfix is already a member of the sasl group.

root@mail:/etc/postfix# adduser postfix sasl
The user `postfix' is already a member of `sasl'.

Any guidance on how to track the particular file(s) it's trying to access? I could spend (and have spent) hours trying to check all the permissions on things, but they all seem correct/reasonable. I've always found that if I can track the process through one step at a time and see where the failure is I have a much better chance of finding why it fails.

Here's an excerpt from the mail.log in case that helps point to a particular piece of the puzzle.

postfix/smtpd[8545]: < dragon.sleepydragon.local[192.168.16.101]: EHLO [127.0.0.1]
postfix/smtpd[8545]: > dragon.sleepydragon.local[192.168.16.101]: 250-mail.sleepydragon.net
postfix/smtpd[8545]: > dragon.sleepydragon.local[192.168.16.101]: 250-PIPELINING
postfix/smtpd[8545]: > dragon.sleepydragon.local[192.168.16.101]: 250-SIZE 10240000
postfix/smtpd[8545]: > dragon.sleepydragon.local[192.168.16.101]: 250-ETRN
postfix/smtpd[8545]: > dragon.sleepydragon.local[192.168.16.101]: 250-AUTH PLAIN LOGIN
postfix/smtpd[8545]: match_list_match: dragon.sleepydragon.local: no match
postfix/smtpd[8545]: match_list_match: 192.168.16.101: no match
postfix/smtpd[8545]: > dragon.sleepydragon.local[192.168.16.101]: 250-AUTH=PLAIN LOGIN
postfix/smtpd[8545]: > dragon.sleepydragon.local[192.168.16.101]: 250-ENHANCEDSTATUSCODES
postfix/smtpd[8545]: > dragon.sleepydragon.local[192.168.16.101]: 250-8BITMIME
postfix/smtpd[8545]: > dragon.sleepydragon.local[192.168.16.101]: 250 DSN
postfix/smtpd[8545]: < dragon.sleepydragon.local[192.168.16.101]: AUTH PLAIN *replaced*
postfix/smtpd[8545]: xsasl_cyrus_server_first: sasl_method PLAIN, init_response *replaced*
postfix/smtpd[8545]: xsasl_cyrus_server_first: decoded initial response
postfix/smtpd[8545]: warning: SASL authentication failure: cannot connect to saslauthd server: Permission denied
postfix/smtpd[8545]: warning: SASL authentication failure: Password verification failed

falko
7th July 2008, 18:03
What's in /etc/default/saslauthd and /etc/postfix/master.cf?

dragonator
7th July 2008, 23:52
/etc/default/saslauthd

START=yes
PWDIR="/var/spool/postfix/var/run/saslauthd"
PARAMS="-m ${PWDIR} -r"
PIDFILE="${PWDIR}/saslauthd.pid"
DESC="SASL Authentication Daemon"
NAME="saslauthd"
MECHANISMS="pam"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"


/etc/postfix/master.cf

smtp      inet  n       -       -       -       -       smtpd -vv
smtps     inet  n       -       -       -       -       smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
        -o smtp_fallback_relay=
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n      n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

dragonator
7th July 2008, 23:57
I also tried adding the postfix user to the root group to see if it was file-access related, but it didn't seem to help so I removed it.

falko
8th July 2008, 13:58
/etc/default/saslauthd should look as follows:
#
# Settings for saslauthd daemon
# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
#

# Should saslauthd run automatically on startup? (default: no)
START=yes

# Description of this saslauthd instance. Recommended.
# (suggestion: SASL Authentication Daemon)
DESC="SASL Authentication Daemon"

# Short name of this saslauthd instance. Strongly recommended.
# (suggestion: saslauthd)
NAME="saslauthd"

# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam -- use PAM
# rimap -- use a remote IMAP server
# shadow -- use the local shadow password file
# sasldb -- use the local sasldb database file
# ldap -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="pam"

# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""

# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5

# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!
#
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
# See the saslauthd man page for general information about these options.
#
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
#OPTIONS="-c -m /var/run/saslauthd"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"

dragonator
8th July 2008, 21:21
That's what it did look like until my last attempt to resolve this. I added the entries for

PWDIR="/var/spool/postfix/var/run/saslauthd"
PARAMS="-m ${PWDIR} -r"
PIDFILE="${PWDIR}/saslauthd.pid"

They had no apparent effect. I've taken them out again, still the same results.

falko
9th July 2008, 21:31
What's the output of ls -la /var/spool/postfix/var/run/saslauthd?

dragonator
10th July 2008, 05:54
Rather than bounce back and forth, here's the output from saslfinger also.


root@mail:# ls -la /var/spool/postfix/var/run/saslauthd/
total 940
drwxr-xr-x 2 root sasl 4096 2008-07-08 22:48 .
drwxr-xr-x 3 postfix root 4096 2008-06-23 19:20 ..
-rw------- 1 root root 0 2008-07-08 22:48 cache.flock
-rw------- 1 root root 945152 2008-07-08 22:48 cache.mmap
srwxrwxrwx 1 root root 0 2008-07-08 22:48 mux
-rw------- 1 root root 0 2008-07-08 22:48 mux.accept
-rw------- 1 root root 6 2008-07-08 22:48 saslauthd.pid
root@mail:/tmp/saslfinger-1.0.2# saslfinger

root@mail:# saslfinger -s
saslfinger - postfix Cyrus sasl configuration Wed Jul 9 23:38:16 EDT 2008
version: 1.0.4
mode: server-side SMTP AUTH

-- basics --
Postfix: 2.5.1
System: Ubuntu 8.04 \n \l

-- smtpd is linked to --
libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7cdb000)

-- active SMTP AUTH and TLS parameters for smtpd --
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_tls_cert_file = /etc/postfix/postfix.cert
smtpd_tls_key_file = /etc/postfix/postfix.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes


-- listing of /usr/lib/sasl2 --
total 800
drwxr-xr-x 2 root root 4096 2008-07-01 22:54 .
drwxr-xr-x 58 root root 20480 2008-07-07 18:14 ..
-rw-r--r-- 1 root root 13568 2008-04-09 17:50 libanonymous.a
-rw-r--r-- 1 root root 862 2008-04-09 17:49 libanonymous.la
-rw-r--r-- 1 root root 12984 2008-04-09 17:50 libanonymous.so
-rw-r--r-- 1 root root 12984 2008-04-09 17:50 libanonymous.so.2
-rw-r--r-- 1 root root 12984 2008-04-09 17:50 libanonymous.so.2.0.22
-rw-r--r-- 1 root root 15834 2008-04-09 17:50 libcrammd5.a
-rw-r--r-- 1 root root 848 2008-04-09 17:49 libcrammd5.la
-rw-r--r-- 1 root root 15320 2008-04-09 17:50 libcrammd5.so
-rw-r--r-- 1 root root 15320 2008-04-09 17:50 libcrammd5.so.2
-rw-r--r-- 1 root root 15320 2008-04-09 17:50 libcrammd5.so.2.0.22
-rw-r--r-- 1 root root 46332 2008-04-09 17:50 libdigestmd5.a
-rw-r--r-- 1 root root 871 2008-04-09 17:49 libdigestmd5.la
-rw-r--r-- 1 root root 43020 2008-04-09 17:50 libdigestmd5.so
-rw-r--r-- 1 root root 43020 2008-04-09 17:50 libdigestmd5.so.2
-rw-r--r-- 1 root root 43020 2008-04-09 17:50 libdigestmd5.so.2.0.22
-rw-r--r-- 1 root root 13574 2008-04-09 17:50 liblogin.a
-rw-r--r-- 1 root root 842 2008-04-09 17:49 liblogin.la
-rw-r--r-- 1 root root 13268 2008-04-09 17:50 liblogin.so
-rw-r--r-- 1 root root 13268 2008-04-09 17:50 liblogin.so.2
-rw-r--r-- 1 root root 13268 2008-04-09 17:50 liblogin.so.2.0.22
-rw-r--r-- 1 root root 30016 2008-04-09 17:50 libntlm.a
-rw-r--r-- 1 root root 836 2008-04-09 17:49 libntlm.la
-rw-r--r-- 1 root root 29236 2008-04-09 17:50 libntlm.so
-rw-r--r-- 1 root root 29236 2008-04-09 17:50 libntlm.so.2
-rw-r--r-- 1 root root 29236 2008-04-09 17:50 libntlm.so.2.0.22
-rw-r--r-- 1 root root 13798 2008-04-09 17:50 libplain.a
-rw-r--r-- 1 root root 842 2008-04-09 17:49 libplain.la
-rw-r--r-- 1 root root 13396 2008-04-09 17:50 libplain.so
-rw-r--r-- 1 root root 13396 2008-04-09 17:50 libplain.so.2
-rw-r--r-- 1 root root 13396 2008-04-09 17:50 libplain.so.2.0.22
-rw-r--r-- 1 root root 22126 2008-04-09 17:50 libsasldb.a
-rw-r--r-- 1 root root 873 2008-04-09 17:49 libsasldb.la
-rw-r--r-- 1 root root 18080 2008-04-09 17:50 libsasldb.so
-rw-r--r-- 1 root root 18080 2008-04-09 17:50 libsasldb.so.2
-rw-r--r-- 1 root root 18080 2008-04-09 17:50 libsasldb.so.2.0.22
-rw-r--r-- 1 root root 23696 2008-04-09 17:50 libsql.a
-rw-r--r-- 1 root root 971 2008-04-09 17:49 libsql.la
-rw-r--r-- 1 root root 23140 2008-04-09 17:50 libsql.so
-rw-r--r-- 1 root root 23140 2008-04-09 17:50 libsql.so.2
-rw-r--r-- 1 root root 23140 2008-04-09 17:50 libsql.so.2.0.22

-- listing of /etc/postfix/sasl --
total 12
drwxr-xr-x 2 root root 4096 2008-07-01 18:08 .
drwxr-xr-x 3 root root 4096 2008-06-30 21:48 ..
-rw-r--r-- 1 root root 360 2008-07-08 21:48 smtpd.conf




-- content of /etc/postfix/sasl/smtpd.conf --
pwcheck_method: saslauthd
mech_list: plain login
saslauthd_path: /var/spool/postfix/var/run/saslauthd/mux
sql_engine: mysql
sql_hostnames: 127.0.0.1
sql_user: --- replaced ---
sql_passwd: --- replaced ---
sql_database: postfix
sql_select: select password from mailbox where username='%u@%r' and active = 1
#sql_select: select password from mailbox where username='%u@%r'


-- active services in /etc/postfix/master.cf --
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
smtp      inet  n       -       -       -       -       smtpd -vv
smtps     inet  n       -       -       -       -       smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
        -o smtp_fallback_relay=
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n      n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

-- mechanisms on localhost --
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN


-- end of saslfinger output --


As I was attempting to track this down I also found that I was getting the same failures while using testsaslauthd, but when I tried to authenticate against a local user instead of one of the users set up via the mysql / postfixadmin stuff, it worked. I can't send mail to that user since the server is configured to accept only the virtual setup, but I'm not sure that it's actually talking to the database.

I also ran across some postings that seem to indicate that folks who had this working prior to the 8.04 release had it break when they upgraded. References to bugs filed, etc., but nothing I found seemed to give a resolution, although one reference seemed to imply they had found one. I thought I'd left that group of tabs open but apparently not. (It was late) I'll try to go back through history and dig them up again. (It's late again now and I've just gotten home.)

Thanks again for all your help so far. This has been a more esoteric pursuit than I first imagined. :)

dragonator
10th July 2008, 06:12
OK, I found the posting. It's from the mail.unix.cyrus-sasl newsgroup.


>> That is not the Postfix chroot!
>
> Apologies, here is the correct directory:
>
> root@collab:/var/spool/postfix/var/run/saslauthd# ls -al
> total 980
> drwxr-x--- 2 root postfix 4096 2008-06-16 13:05 .
> drwxr-xr-x 3 root root 4096 2008-06-16 13:05 ..
> -rw------- 1 root root 0 2008-06-16 13:05 cache.flock
> -rw------- 1 root root 986112 2008-06-16 13:05 cache.mmap
> srwxrwxrwx 1 root root 0 2008-06-16 13:05 mux
> -rw------- 1 root root 0 2008-06-16 13:05 mux.accept
> -rw------- 1 root root 6 2008-06-16 13:05 saslauthd.pid
>
> as you can see I have even set the ownership to postfix to make it
> easier, but no joy, I am getting the same old

> Jun 16 13:06:34 collab postfix/smtpd[31367]: warning: SASL
> authentication failure: cannot connect to saslauthd server: Permission
> denied
> Jun 16 13:06:34 collab postfix/smtpd[31367]: warning: SASL
> authentication failure: Password verification failed
> Jun 16 13:06:34 collab postfix/smtpd[31367]: warning:
> unknown[66.7.58.13]: SASL PLAIN authentication failed: generic failure
> Jun 16 13:06:36 collab postfix/smtpd[31367]: warning: SASL
> authentication failure: cannot connect to saslauthd server: Permission
> denied
>
> and this worked bfore the upgrade. highly annoying this :(
>
> thanks

Hi,

I never understood why Debian thinks that the saslauthd_path needs to be defined in its configuration file (smtpd.conf) when it is even the default (compiled) path. Anyway, correct your path setting according to the documentation.

/usr/share/doc/cyrus-sasl-2.1.19/options.html

saslauthd_path (SASL Library): Path to saslauthd run directory (including the "/mux" named pipe). Default: system dependent (generally won't need to be changed)

In a former mail you had written:

I did change that to
saslauthd_path: /var/spool/postfix/var/run/saslauthd

I am pretty sure you will succeed then.

and the reply was:

and rightly so :)



Does it sound to you like he fixed it? I've sent him an email, so we'll see if he responds.
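The question at the top of the thread (what is smtpd actually being denied access to?) and the saslauthd_path discussion quoted above are both about the same system call: Cyrus SASL's client does a connect() on the mux socket, and the kernel answers EACCES when the connecting uid lacks write permission on the socket or search permission on a directory it must traverse, and ENOENT when the path does not exist. Two details matter for a Debian/Ubuntu Postfix. First, the `-` in master.cf's chroot column means Postfix 2.5's default, which is chrooted to the queue directory, so the absolute path in smtpd.conf is resolved inside /var/spool/postfix; that is why Debian's recommended OPTIONS puts saslauthd's run directory under /var/spool/postfix/var/run/saslauthd while the compiled-in default path (the commented-out `-m /var/run/saslauthd` in /etc/default/saslauthd plus `/mux`) is what the chrooted process sees. Second, the listing posted earlier shows the run directory as 755 root:sasl and mux as 777, which would pass for the postfix uid on the host path, so the check has to be made on the path the process really opens. The helper below, written for this thread and not taken from Cyrus SASL, Postfix or the Debian packages, computes that path and walks it with the permissions of the postfix uid/gid set, reporting which check would fail; `demo()` builds a constructed temporary tree in the Debian layout to show the outcomes.

```python
"""Added diagnostic for "cannot connect to saslauthd server: Permission denied".
connect() on a UNIX-domain socket fails with EACCES when the caller lacks write
permission on the socket or search (x) permission on a directory it traverses,
and with ENOENT when the path is missing.  The walk ignores the root override
on purpose, because smtpd runs as the unprivileged postfix user.
Example code written for this thread; not part of Cyrus SASL, Postfix or Debian."""
import os
import stat
from typing import Iterable, Optional, Set, Tuple


def effective_path(chroot: Optional[str], configured: str) -> str:
    """Path the kernel resolves when a process chrooted to `chroot` opens `configured`."""
    return os.path.join(chroot, configured.lstrip("/")) if chroot else configured

def _perm_bits(st: os.stat_result, uid: int, gids: Set[int]) -> Tuple[bool, bool]:
    """(writable, searchable) for uid/gids, using the owner/group/other class the kernel picks."""
    m = st.st_mode
    if st.st_uid == uid:
        return bool(m & stat.S_IWUSR), bool(m & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(m & stat.S_IWGRP), bool(m & stat.S_IXGRP)
    return bool(m & stat.S_IWOTH), bool(m & stat.S_IXOTH)

def explain_connect_denial(chroot: Optional[str], configured: str,
                           uid: int, gids: Iterable[int]) -> Optional[str]:
    """Why connect() on the socket would fail for uid/gids, or None if every check passes."""
    gids, root = set(gids), chroot or "/"
    parts = [p for p in configured.split("/") if p]
    if not parts:
        return "empty socket path"
    if not _perm_bits(os.stat(root), uid, gids)[1]:   # the process root is traversed first
        return f"{root}: no search (x) permission for uid={uid} (EACCES)"
    prefix = root
    for comp in parts[:-1]:
        prefix = os.path.join(prefix, comp)
        try:
            st = os.stat(prefix)
        except FileNotFoundError:
            return f"{prefix}: missing (ENOENT)"
        if not stat.S_ISDIR(st.st_mode):
            return f"{prefix}: not a directory (ENOTDIR)"
        if not _perm_bits(st, uid, gids)[1]:
            return f"{prefix}: no search (x) permission for uid={uid} (EACCES)"
    sock = os.path.join(prefix, parts[-1])
    try:
        st = os.stat(sock)
    except FileNotFoundError:
        return f"{sock}: missing (ENOENT)"
    if not stat.S_ISSOCK(st.st_mode):
        return f"{sock}: exists but is not a socket"
    if not _perm_bits(st, uid, gids)[0]:
        return f"{sock}: socket not writable for uid={uid} (EACCES)"
    return None

def caller_ids(username: str) -> Tuple[int, Set[int]]:
    """uid and full group set (primary plus supplementary) of a local account such as "postfix"."""
    import grp
    import pwd
    pw = pwd.getpwnam(username)
    return pw.pw_uid, {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}

def demo() -> dict:
    """Constructed fixture shaped like Debian's chroot layout: <root>/var/run/saslauthd/mux."""
    import socket
    import tempfile
    root = tempfile.mkdtemp()
    rundir = os.path.join(root, "var", "run", "saslauthd")
    os.makedirs(rundir)
    for d in (root, os.path.join(root, "var"), os.path.join(root, "var", "run")):
        os.chmod(d, 0o755)
    os.chmod(rundir, 0o710)            # like the Debian default: only owner and the sasl group traverse
    mux = os.path.join(rundir, "mux")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(mux)
    os.chmod(mux, 0o666)
    me, stranger, sasl_gid = os.getuid(), os.getuid() + 1, os.stat(rundir).st_gid
    results = {
        "resolved": effective_path(root, "/var/run/saslauthd/mux") == mux,
        "owner": explain_connect_denial(root, "/var/run/saslauthd/mux", me, {os.getgid()}),
        "in_sasl_group": explain_connect_denial(root, "/var/run/saslauthd/mux", stranger, {sasl_gid}),
        "outsider": explain_connect_denial(root, "/var/run/saslauthd/mux", stranger, set()),
        # a host-absolute path in smtpd.conf gets the chroot prefixed a second time
        "doubled": explain_connect_denial(root, "/var/spool/postfix/var/run/saslauthd/mux", me, {os.getgid()}),
    }
    srv.close()
    return results

if __name__ == "__main__":
    import sys
    chroot = sys.argv[1] if len(sys.argv) > 1 else "/var/spool/postfix"
    configured = sys.argv[2] if len(sys.argv) > 2 else "/var/run/saslauthd/mux"
    uid, gids = caller_ids("postfix")
    print("smtpd would open:", effective_path(chroot, configured))
    print(explain_connect_denial(chroot, configured, uid, gids) or "connect() should succeed")
```

On a live box run it as root with the chroot and the smtpd.conf value as arguments, e.g. `python3 saslsock.py /var/spool/postfix /var/spool/postfix/var/run/saslauthd/mux`, and compare with the same value seen as `/var/run/saslauthd/mux`. The walk reproduces only the permission and existence checks; it cannot tell whether the kernel is applying an additional policy such as an AppArmor profile, so if every check passes and the error persists, `strace -f -e trace=connect -p <smtpd pid>` on a chrooted smtpd child shows the exact path and errno.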

falko
11th July 2008, 11:43
What's in /etc/pam.d/smtp?

dragonator
11th July 2008, 17:11
auth required pam_mysql.so user=--replaced-- passwd=--replaced-- host=127.0.0.1 db=postfix table=mailbox usercolumn=username passwdcolumn=password crypt=1
account sufficient pam_mysql.so user=--replaced-- passwd=--replaced-- host=127.0.0.1 db=postfix table=mailbox usercolumn=username passwdcolumn=password crypt=1

falko
12th July 2008, 12:07
Can you connect to MySQL with the username and password from that file?

dragonator
12th July 2008, 18:35
Yes, it seems to be fine. I can log in from a command line client and query for things with no problem. I've got 3 different webmail interfaces running and working fine authenticating against that database, so I started working with testsaslauthd to figure out what's up. After starting saslauthd in debug mode I'm getting this:


saslauthd[15484] :rel_accept_lock : released accept lock
saslauthd[15484] :cache_get_rlock : attempting a read lock on slot: 304
saslauthd[15484] :cache_lookup : [login=test@sleepydragon.com] [service=] [realm=imap]: not found, update pending
saslauthd[15484] :cache_un_lock : attempting to release lock on slot: 304
saslauthd[15484] :do_auth : auth failure: [user=test@sleepydragon.com] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
saslauthd[15484] :get_accept_lock : acquired accept lock
0: NO "authentication failed"

falko
13th July 2008, 13:17
Is the user test@sleepydragon.com existing in the database?

oramaavis
15th July 2008, 12:43
Hi Dragonator

I was in the same situation - tried to fight this problem for more than 3 days with no luck. Finally I gave up and went back to Ubuntu 7.10 and guess... Got it working all in less than 30 minutes.

This is definitely not the way forward, but probably may be used as the hint for Postfix and/or Ubuntu developers that something went wrong in 8.04

regards
Orama

dragonator
16th July 2008, 05:05
OK, new update. After playing with things in the database a bit manually with phpmyadmin I believe I've determined that the encryption method doesn't match when using saslauthd/pam as opposed to everything else. If I'm reading things correctly it appears that all the pieces I'm using so far, PostfixAdmin, Courier, etc., are all doing MD5 encryption, and that's what is stored in the mysql database. If I access the data using anything other than sasl/pam it works fine. I changed the encryption method to PASSWORD, MD5, and ENCRYPT. As long as it's set for ENCRYPT when I update the password testsaslauthd works ok. Once I found that I thought I was home free, but I still can't connect with my mail client though, so I'm kind of at a loss. One thing I haven't been able to find docs for is the meaning of some of the options in the /etc/pam.d/smtp file. At the end of both the ACCOUNT and AUTH lines there's an option of crypt=1

I've seen a couple of references that are also using MD5=1. I've tried both ways, together and independently with no success. I also found some reference to crypt=2 and crypt=3. Tried both of those as well, still no luck. Anyone out there who can point me to the details on that? I suspect that may be the underlying cause since nothing is using pam except the saslauthd.
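The post above puts the remaining failure down to a mismatch between the format PostfixAdmin and Courier write into mailbox.password and the format pam_mysql's crypt= setting expects. The example below, written for this thread and not taken from pam_mysql, PostfixAdmin or Courier, produces each of the common stored formats for one password (MD5-crypt as `$1$salt$…`, which is what PostfixAdmin's md5crypt setting and MySQL's ENCRYPT()-style crypt(3) family use; the unsalted 32-hex value of MySQL MD5() or PostfixAdmin's plain md5 setting; and MySQL 4.1+ PASSWORD()) and verifies a login the way a crypt= switch would, so the same password visibly passes under one setting and fails under the others. The crypt= numbering used here (0 plain, 1 crypt(3), 2 MySQL PASSWORD(), 3 hex MD5) is my recollection of pam_mysql's README and is an assumption to check against the README installed with your package; the hash constructions themselves are the standard ones. `demo()` returns the constructed illustration; `md5_crypt_matches_libc()` cross-checks the pure-Python MD5-crypt against the platform crypt(3) where Python still exposes it.

```python
"""Password formats a Postfix/PostfixAdmin/Courier MySQL setup may store, and how
a pam_mysql-style crypt= setting decides whether a login succeeds.  Example written
for this thread; not code from pam_mysql, PostfixAdmin or Courier.  The crypt=
numbering (0 plain, 1 crypt(3), 2 MySQL PASSWORD(), 3 hex MD5) is an assumption
from memory of pam_mysql's README; check it against your installed copy."""
import hashlib
import hmac
from typing import Optional

_ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(v: int, n: int) -> bytes:
    """crypt(3)'s little-endian 6-bit digit encoding."""
    out = bytearray()
    for _ in range(n):
        out.append(_ITOA64[v & 0x3F])
        v >>= 6
    return bytes(out)

def md5_crypt(password: str, salt: str) -> str:
    """MD5-crypt: the "$1$salt$hash" form PostfixAdmin's md5crypt setting writes and crypt(3) verifies."""
    pw = password.encode()
    salt = (salt[3:] if salt.startswith("$1$") else salt).split("$", 1)[0][:8]
    s = salt.encode()
    ctx = hashlib.md5(pw + b"$1$" + s)
    alt = hashlib.md5(pw + s + pw).digest()
    for pl in range(len(pw), 0, -16):
        ctx.update(alt[:min(pl, 16)])
    i = len(pw)
    while i:                       # one byte per bit of len(pw): NUL for a 1 bit, pw[0] for a 0 bit
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):          # fixed 1000-round stretching
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    enc = b"".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                   for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)))
    return "$1$" + salt + "$" + (enc + _to64(final[11], 2)).decode()

def hex_md5(password: str) -> str:
    """MySQL MD5() / PostfixAdmin's plain "md5" setting: 32 hex digits, no salt."""
    return hashlib.md5(password.encode()).hexdigest()

def mysql_password(password: str) -> str:
    """MySQL 4.1+ PASSWORD(): '*' followed by upper-hex SHA1(SHA1(pw))."""
    return "*" + hashlib.sha1(hashlib.sha1(password.encode()).digest()).hexdigest().upper()

def classify(stored: str) -> str:
    """Best-effort guess at the format of one mailbox.password value."""
    hexdigits = set("0123456789abcdefABCDEF")
    if stored.startswith("$1$"):
        return "md5crypt"
    if len(stored) == 41 and stored[0] == "*" and set(stored[1:]) <= hexdigits:
        return "mysql-password"
    if len(stored) == 32 and set(stored) <= hexdigits:
        return "hex-md5"
    if len(stored) == 13 and set(stored.encode()) <= set(_ITOA64):
        return "des-crypt"         # MySQL ENCRYPT(); a 13-char plaintext would look the same
    return "plaintext?"

def _libc_crypt(password: str, setting: str) -> Optional[str]:
    """crypt(3) via Python's crypt module where it still exists (removed in 3.13); None otherwise."""
    try:
        import warnings
        with warnings.catch_warnings():
            warnings.simplefilter("ignore")   # silence the 3.11/3.12 deprecation notice
            import crypt
        out = crypt.crypt(password, setting)
    except Exception:
        return None
    return out if out and not out.startswith("*") else None   # libxcrypt returns "*0"/"*1" on failure

def verify(password: str, stored: str, crypt_setting: int) -> bool:
    """Check a password the way the given crypt= setting would."""
    eq = lambda a, b: hmac.compare_digest(a.encode(), b.encode())
    if crypt_setting == 0:
        return eq(password, stored)
    if crypt_setting == 1:                  # crypt(3); only "$1$" is re-implemented in pure Python
        if stored.startswith("$1$"):
            return eq(md5_crypt(password, stored), stored)
        if len(stored) == 13:               # DES crypt as written by MySQL ENCRYPT()
            out = _libc_crypt(password, stored)
            if out is None:
                raise NotImplementedError("DES crypt needs the platform crypt(3)")
            return eq(out, stored)
        return False                        # crypt(3) cannot have produced this shape (e.g. 32-hex MD5)
    if crypt_setting == 2:
        return eq(mysql_password(password), stored.upper())
    if crypt_setting == 3:
        return eq(hex_md5(password), stored.lower())
    raise ValueError(f"unknown crypt setting {crypt_setting}")

def md5_crypt_matches_libc(password: str, salt: str) -> Optional[bool]:
    """Cross-check the pure-Python MD5-crypt against the platform's; None if no crypt(3) is reachable."""
    out = _libc_crypt(password, "$1$" + salt + "$")
    return None if out is None else out == md5_crypt(password, salt)

def demo(password: str = "s3cret") -> dict:
    """Constructed illustration: which crypt= settings accept each stored format for one password."""
    stored = {"md5crypt": md5_crypt(password, "saltsalt"),
              "hex-md5": hex_md5(password),
              "mysql-password": mysql_password(password)}
    return {fmt: [n for n in (0, 1, 2, 3) if verify(password, value, n)] for fmt, value in stored.items()}
```

Two points when applying this to the thread's setup. `classify()` run over a few rows of `SELECT password FROM mailbox` tells you which format PostfixAdmin actually wrote (its `$CONF['encrypt']` chooses it), and only one crypt= value accepts each format, which is the effect the post above observed when re-setting passwords with ENCRYPT() made testsaslauthd succeed. Separately, the saslauthd debug lines earlier in the thread show `[service=imap]`: saslauthd hands that name to pam_start(), so PAM consulted /etc/pam.d/imap rather than the /etc/pam.d/smtp file posted above, which is the service name Postfix uses for SMTP AUTH; testing with `testsaslauthd -u user@domain -p pass -s smtp -f /var/spool/postfix/var/run/saslauthd/mux` exercises the same PAM stack smtpd does.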

dragonator
23rd July 2008, 01:43
Just a follow-up to let folks know what I found. After waaay too much time trying to debug this I bit the bullet and dropped back to the 7.10 build. A few hours walking through the process again and, to quote one of my favorite movies, "Bingo, Bango, Bongo, nothing can go wrongo!"

Thanks for your patience through all this, particularly Falko for a great series of howto articles.

Now I'm off to integrate my webmail branding customizations, and integrate the ASSP filtering. Oh yes, and report what certainly appears to be a bug to our intrepid Ubuntu devs so they can have a look. ;)

punk_dam
25th September 2008, 10:52
Sorry, I want to ask falko:
I finished the configuration by following your steps at
http://www.howtoforge.com/virtual-users-domains-postfix-courier-mysql-squirrelmail-ubuntu8.04
and now, can you give me step by step how to configure your tutorial with postfixadmin on ubuntu 8.04?

Thanks a lot in advance.

till
25th September 2008, 11:07
This setup is not for use with postfixadmin. You will have to configure the domains and mailboxes with a mysql database frontend like phpmyadmin.