Go Back   HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials > Linux Forums > HOWTO-Related Questions

Do you like HowtoForge? Please consider supporting us by becoming a subscriber.
 
 
Thread Tools Display Modes
Prev Previous Post   Next Post Next
  #1  
Old 1st September 2010, 14:20
telmathedog telmathedog is offline
Junior Member
 
Join Date: Sep 2010
Posts: 5
Thanks: 0
Thanked 0 Times in 0 Posts
Default postfix saslauthd, Please! help (going nuts)

Hello all.

This is driving me nuts...

I have originally followed tutorial https://help.ubuntu.com/community/Po...ailSystemHowto (not in all details) and succeeded in making a system work with virtual users and alias. The system could receive mail and only let inside the mail where they were addressed to some mailbox in the mailbox-table.
Everything worked fine.

Now, I wanted to add simple "LOGIN"/"PLAIN" smtp auth... (no TLS)

I tried the first guide again but couldn't get it to work. Then I started reading Falkos guides (tnx), but same problems.

I seem to have one general problem:

The conf-file /etc/postfix/sasl/smtpd.conf does not seem to be used.

I can put whatever inside it but gets no errors for this.

When testing with testsaslauthd like:

testsaslauthd -u user@mydomain.com -p mailpassword -s smtp

I get the following in auth.log:
================================================== ========
Sep 1 13:36:38 CR41539-1 saslauthd[3030]: pam_unix(smtp:auth): check pass; user unknown
Sep 1 13:36:38 CR41539-1 saslauthd[3030]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Sep 1 13:36:40 CR41539-1 saslauthd[3030]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Sep 1 13:36:40 CR41539-1 saslauthd[3030]: do_auth : auth failure: [user@mydomain.com] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
================================================== ========

I know that its reading the mailbox due to the mysql.log:
================================================== ========
100901 13:36:38 151 Connect dbuser@localhost on db
151 Init DB db
151 Query SELECT password FROM mailbox WHERE username = 'user@mydomain.com'
100901 13:36:40 151 Quit
================================================== ========
(Also, if I test and change the select in /etc/pam.d/smtp to a one that I know is not working, I get a line about that in auth.log, so it really seems to look into the mailbox table.)

So something happens, but the auth in testsaslauthd does not succeed.

Then, another strange thing is; when I test to telnet (from pc) to the system like

telnet mydomain.com 2525

the auth.log immediately states:
================================================== ========
Sep 1 13:39:11 CR41539-1 postfix/smtpd[6392]: sql_select option missing
Sep 1 13:39:11 CR41539-1 postfix/smtpd[6392]: auxpropfunc error no mechanism available
Sep 1 13:39:11 CR41539-1 postfix/smtpd[6392]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql
================================================== ========

Then, if I proceed the telnet session with AUTH LOGIN etc.:

auth login
334 VXNlcm5hbWU6
VXNlcm5hbWU6
334 UGFzc3dvcmQ6
UGFzc3dvcmQ6
535 5.7.8 Error: authentication failed: authentication failure

(I just entered some bogus base64 strings (actually Username: and Password)
there is _no more_ rows output in auth.log, and there is either nothing selected from the mysql-db. It doesn't seem to make any attempt to authenticate or even look up anything in db...? (Problem!)

Please take some time and give me a hint. I have tried so many different things; tried to cp -p the /etc/postfix/sasl/smtpd.conf to /usr/lib/sasl2 because I did read about a bug making postfix not to read /etc/postfix/sasl/smtpd.conf by default; started out with etch and upgraded to lenny; tried to run postfix in non chrooted env., every attempt gives same log result as above.

My system is upgraded to latest Lenny.

Here comes the appropriate conf-files: (sorry if I put them in wrong format)
(I have changed some host specific info. to more generel ones like mydomain.com etc.)

/etc/postfix/master.cf:
================================================== ========
# ================================================== ========================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ================================================== ========================
smtp inet n - - - - smtpd
#submission inet n - - - - smtpd
# -o smtpd_etrn_restrictions=reject
#628 inet n - - - - qmqpd
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - - 300 1 qmgr
#qmgr fifo n - - 300 1 oqmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - - - - smtp
relay unix - - - - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - - - - showq
error unix - - - - - error
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
#
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# maildrop. See the Postfix MAILDROP_README file for details.
#
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -d -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}

# only used by postfix-tls
#tlsmgr fifo - - n 300 1 tlsmgr
#smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#587 inet n - n - - smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
2525 inet n - n - - smtpd
tlsmgr unix - - - 1000? 1 tlsmgr
scache unix - - - - 1 scache
discard unix - - - - - discard
retry unix - - - - - error


/etc/postfix/main.cf:
================================================== ========
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

home_mailbox = Maildir/
#myhostname = localhost
myhostname = mail.mydomain.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
relayhost =
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

debug_peer_list = 127.0.0.1
debug_peer_level = 2

virtual_mailbox_domains = /etc/postfix/vhosts
virtual_mailbox_base = /home/vmail
virtual_minimum_uid = 5000
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_mailbox_limit = 51200000
virtual_transport = virtual

# Additional for quota support

virtual_create_maildirsize = yes
virtual_mailbox_extended = yes
virtual_mailbox_limit_maps = mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
virtual_mailbox_limit_override = yes
virtual_maildir_limit_message = Sorry, the your maildir has overdrawn your diskspace quota, please free up some of spaces of your mailbox try again.
virtual_overquota_bounce = yes

smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, permit

smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit

smtpd_sasl_type = cyrus
cyrus_sasl_config_path = /etc/postfix/sasl
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_path = /etc/postfix/sasl:/usr/lib/sasl2
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
smtpd_sasl_authenticated_header = yes

smtpd_client_restrictions = permit_sasl_authenticated, rejectreadme_directory = /usr/share/doc/postfix
html_directory = /usr/share/doc/postfix/html
================================================== ========

/etc/init.d/postfix (only added files to the FILES loop)
================================================== ========
#!/bin/sh -e

# Start or stop Postfix
#
# LaMont Jones <lamont@debian.org>
# based on sendmail's init.d script

### BEGIN INIT INFO
# Provides: postfix mail-transport-agent
# Required-Start: $local_fs $remote_fs $syslog $named $network $time
# Required-Stop: $local_fs $remote_fs $syslog $named $network
# Should-Start: postgresql mysql clamav-daemon postgrey spamassassin
# Should-Stop: postgresql mysql clamav-daemon postgrey spamassassin
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: start and stop the Postfix Mail Transport Agent
# Description: postfix is a Mail Transport agent
### END INIT INFO

PATH=/bin:/usr/bin:/sbin:/usr/sbin
DAEMON=/usr/sbin/postfix
NAME=Postfix
TZ=
unset TZ

# Defaults - don't touch, edit /etc/default/postfix
SYNC_CHROOT="y"

test -f /etc/default/postfix && . /etc/default/postfix

test -x $DAEMON && test -f /etc/postfix/main.cf || exit 0

. /lib/lsb/init-functions
#DISTRO=$(lsb_release -is 2>/dev/null || echo Debian)

running() {
queue=$(postconf -h queue_directory 2>/dev/null || echo /var/spool/postfix)
if [ -f ${queue}/pid/master.pid ]; then
pid=$(sed 's/ //g' ${queue}/pid/master.pid)
# what directory does the executable live in. stupid prelink systems.
dir=$(ls -l /proc/$pid/exe 2>/dev/null | sed 's/.* -> //; s/\/[^\/]*$//')
if [ "X$dir" = "X/usr/lib/postfix" ]; then
echo y
fi
fi
}

case "$1" in
start)
log_daemon_msg "Starting Postfix Mail Transport Agent" postfix
RUNNING=$(running)
if [ -n "$RUNNING" ]; then
log_end_msg 0
else
# if you set myorigin to 'ubuntu.com' or 'debian.org', it's wrong, and annoys the admins of
# those domains. See also sender_canonical_maps.

MYORIGIN=$(postconf -h myorigin | tr 'A-Z' 'a-z')
if [ "X${MYORIGIN#/}" != "X${MYORIGIN}" ]; then
MYORIGIN=$(tr 'A-Z' 'a-z' < $MYORIGIN)
fi
if [ "X$MYORIGIN" = Xubuntu.com ] || [ "X$MYORIGIN" = Xdebian.org ]; then
log_failure_msg "Invalid \$myorigin ($MYORIGIN), refusing to start"
log_end_msg 1
exit 1
fi

# see if anything is running chrooted.
NEED_CHROOT=$(awk '/^[0-9a-z]/ && ($5 ~ "[-yY]") { print "y"; exit}' /etc/postfix/master.cf)

if [ -n "$NEED_CHROOT" ] && [ -n "$SYNC_CHROOT" ]; then
# Make sure that the chroot environment is set up correctly.
oldumask=$(umask)
umask 022
cd $(postconf -h queue_directory)

# if we're using tls, then we need to add etc/ssl/certs/ca-certificates.crt.
smtp_use_tls=$(postconf -h smtp_use_tls)
smtpd_use_tls=$(postconf -h smtpd_use_tls)
if [ "X$smtp_use_tls" = "Xyes" -o "X$smtpd_use_tls" = "Xyes" ]; then
if [ -f "/etc/ssl/certs/ca-certificates.crt" ]; then
mkdir -p etc/ssl/certs
cp /etc/ssl/certs/ca-certificates.crt etc/ssl/certs/
fi
fi

# if we're using unixasswd.byname, then we need to add etc/passwd.
local_maps=$(postconf -h local_recipient_maps)
if [ "X$local_maps" != "X${local_maps#*unixasswd.byname}" ]; then
if [ "X$local_maps" = "X${local_maps#*proxy:unixasswd.byname}" ]; then
sed 's/^\([^:]*\):[^:]*/\1:x/' /etc/passwd > etc/passwd
chmod a+r etc/passwd
fi
fi

FILES="etc/localtime etc/services etc/resolv.conf etc/hosts \
etc/nsswitch.conf etc/nss_mdns.config etc/postfix/sasl/smtpd.conf etc/sasldb2"
for file in $FILES; do
[ -d ${file%/*} ] || mkdir -p ${file%/*}
if [ -f /${file} ]; then rm -f ${file} && cp /${file} ${file}; fi
if [ -f ${file} ]; then chmod a+rX ${file}; fi
done
rm -f usr/lib/zoneinfo/localtime
mkdir -p usr/lib/zoneinfo
ln -sf /etc/localtime usr/lib/zoneinfo/localtime
rm -f lib/libnss_*so*
tar cf - /lib/libnss_*so* 2>/dev/null |tar xf -
umask $oldumask
fi

if start-stop-daemon --start --exec ${DAEMON} -- quiet-quick-start; then
log_end_msg 0
else
log_end_msg 1
fi
fi
;;

stop)
RUNNING=$(running)
log_daemon_msg "Stopping Postfix Mail Transport Agent" postfix
if [ -n "$RUNNING" ]; then
if ${DAEMON} quiet-stop; then
log_end_msg 0
else
log_end_msg 1
fi
else
log_end_msg 0
fi
;;

restart)
$0 stop
$0 start
;;

force-reload|reload)
log_action_begin_msg "Reloading Postfix configuration"
if ${DAEMON} quiet-reload; then
log_action_end_msg 0
else
log_action_end_msg 1
fi
;;

status)
RUNNING=$(running)
if [ -n "$RUNNING" ]; then
log_success_msg "postfix is running"
exit 0
else
log_success_msg "postfix is not running"
exit 3
fi
;;

flush|check|abort)
${DAEMON} $1
;;

*)
log_action_msg "Usage: /etc/init.d/postfix {start|stop|restart|reload|flush|check|abort|force-reload}"
exit 1
;;
esac

exit 0
================================================== ========

/etc/postfix/sasl/smtpd.conf
(As said above, I don't think there as any deamon reading this file...)
================================================== ========
pwcheck_method: saslauthd
auxprop_plugin: sql
log_level: 7
allow_plaintext: true
mech_list: plain login
sql_engine: mysql
sql_hostnames: localhost
sql_user: dbuser
sql_passwd: mypassword
sql_database: db
sql_select: select password from mailbox where username='%u@%r' and active = 1
================================================== ========

/etc/default/saslauthd:
================================================== ========
# Should saslauthd run automatically on startup? (default: no)
START=yes

# Description of this saslauthd instance. Recommended.
# (suggestion: SASL Authentication Daemon)
DESC="SASL Authentication Daemon"

# Short name of this saslauthd instance. Strongly recommended.
# (suggestion: saslauthd)
NAME="saslauthd"

PWDIR="/var/spool/postfix/var/run/saslauthd"
PARAMS="-m ${PWDIR}"
PIDFILE="${PWDIR}/saslauthd.pid"

# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam -- use PAM
# rimap -- use a remote IMAP server
# shadow -- use the local shadow password file
# sasldb -- use the local sasldb database file
# ldap -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="pam"

# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""

# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5

# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!
#
# WARNING: DO NOT SPECIFY THE -d OPTION.
# The -d option will cause saslauthd to run in the foreground instead of as
# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
# to run saslauthd in debug mode, please run it by hand to be safe.
#
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
# See the saslauthd man page and the output of 'saslauthd -h' for general
# information about these options.
#
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
#OPTIONS="-c -m /var/run/saslauthd"
OPTIONS="-c -r -m /var/spool/postfix/var/run/saslauthd"
================================================== ========

/etc/pam.d/smtp (Originally, host was 127.0.0.1 below, but that didn't work. localhost seems to work.)
================================================== ========
#%PAM-1.0
#------------------------------------------------------------------------
#
# /etc/pam.d/smtp
#
# Copyright (c) 2000-2003 Richard Nelson. All Rights Reserved.
# Version: 2.0.1
# Time-stamp: <2003/05/06 12:00:00 cowboy>
#
# PAM configuration file used by SASL to authenticate a PLAIN password.
#
#------------------------------------------------------------------------
@include common-auth
@include common-account
#@include common-password
auth required pam_mysql.so user=dbuser passwd=dbpassword host=localhost db=db table=mailbox usercolumn=username passwdcolumn=password crypt=0
account sufficient pam_mysql.so user=dbuser passwd=dbpassword host=localhost db=db table=mailbox usercolumn=username passwdcolumn=password crypt=0
================================================== ========

/etc/mysql/my.cnf
================================================== ========
.
.
.
bind-address = 127.0.0.1
.
.
.
================================================== ========

Tnx!!
Reply With Quote
Sponsored Links
 

Bookmarks

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
ERROR: Connection dropped by IMAP server. [Centos 5.4, courier imap,squirrel, etc] darevil HOWTO-Related Questions 7 9th June 2010 14:49
Undelivered Mail Returned to Sender Error202 General 5 7th May 2009 11:14
localhost postfix/master: fatal: bind 127.0.0.1 port 125: Permission denied g18c Installation/Configuration 4 24th March 2009 17:39
Centos 4.4 32bit Hangs, High Server load 3cwired_com Server Operation 11 16th November 2006 15:47
Verify email setup meekish Installation/Configuration 28 27th October 2006 15:36


All times are GMT +2. The time now is 04:30.


Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.