SASL LOGIN authentication faliure via smtp client

[bbajmoczi]

Hi,

I followed instructions on The Perfect Server - Fedora 12 x86_64 [ISPConfig 3].
Everything works fine except smtp client auth. I switched on debug level logging in saslauth, and now I have the following error:

Anonymous TLS connection established from unknown[192.168.1.110]: TLSv1 with cipher RC4-MD5 (128/128 bits)
warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
warning: unknown[192.168.1.110]: SASL LOGIN authentication failed: authentication failure
SSL3 alert write:fatal:protocol version
warning: TLS library problem: 12957:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:338:
There is no /etc/sasldb2. This file does not exists in my computer.

here's my /usr/lib64/sasl2/smtpd.conf:
pwcheck_method: authdaemond
log_level: 4
mech_list: PLAIN LOGIN
authdaemond_path:/var/spool/authdaemon/socket

here's my /etc/sysconfig/saslauthd:
SOCKETDIR=/var/run/saslauthd
MECH=pam
FLAGS=

here's my /etc/postfix/main.cf:
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
inet_interfaces = all
inet_protocols = all
mydestination = mail.test.domain, localhost, localhost.localdomain
unknown_local_recipient_reject_code = 550
debug_peer_level = 2
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.6.5/samples
readme_directory = /usr/share/doc/postfix-2.6.5/README_FILES
myhostname = mail.test.domain
mynetworks = 127.0.0.0/8 [::1]/128
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /var/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = /usr/lib64/sasl2/smtpd.conf
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
disable_vrfy_command = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_unauth_destination
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/mail.test.domain.cer
smtpd_tls_key_file = /etc/postfix/mail.test.domain.key
smtpd_tls_loglevel = 3
tls_cipher_list = all
tls_random_source = dev:/dev/urandom
transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
virtual_create_maildirsize = yes
virtual_maildir_extended = yes
virtual_mailbox_limit_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_limit_maps.cf
virtual_mailbox_limit_override = yes
virtual_maildir_limit_message = "The user you are trying to reach is over quota."
virtual_overquota_bounce = yes
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
virtual_transport = maildrop
header_checks = regexp:/etc/postfix/header_checks
mime_header_checks = regexp:/etc/postfix/mime_header_checks
nested_header_checks = regexp:/etc/postfix/nested_header_checks
body_checks = regexp:/etc/postfix/body_checks
content_filter = amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings
relayhost =
mailbox_size_limit = 0
message_size_limit = 0

here's my /etc/postfix/master.cf:
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
smtp inet n - n - - smtpd
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - n 300 1 oqmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
-o smtp_fallback_relay=
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient} ${extension} ${recipient} ${user} ${nexthop} ${sender}
amavis unix - - - - 2 smtp
-o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes

127.0.0.1:10025 inet n - - - - smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,rej ect
-o mynetworks=127.0.0.0/8
-o strict_rfc821_envelopes=yes
-o receive_override_options=no_unknown_recipient_chec ks,no_header_body_checks
-o smtpd_bind_address=127.0.0.1

I changed the following things after the installation:
-replaced the certificates of postfix
-set up two new mail users via ispconfig web
-set up relayhost via ispconfig email routing : * smtp:[sms.test.domain] # brightmail

I use my Windows client with Outlook Express for testing, I can recive mail via POP3S. I cannot send with the error up (at client side it looks like wrong password).

The following versions I have:
postfix-2.6.5-2.fc12.x86_64
cyrus-sasl-2.1.23-8.fc12.x86_64
cyrus-sasl-lib-2.1.23-8.fc12.x86_64
cyrus-sasl-plain-2.1.23-8.fc12.x86_64
cyrus-sasl-devel-2.1.23-8.fc12.x86_64
courier-authlib-mysql-0.62.4-1.fc12.x86_64
courier-authlib-devel-0.62.4-1.fc12.x86_64
courier-imap-4.6.0-1.12.x86_64
courier-authlib-0.62.4-1.fc12.x86_64


many thanks for any idea

BB

[bbajmoczi]

Some more info:
# saslauthd -v
saslauthd 2.1.23
authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap

/etc/pam.d/smtp

auth required pam_mysql.so user=ispconfig passwd=XXXXXXX host=127.0.0.1 db=dbispconfig table=mail_user usercolumn=email passwdcolumn=password crypt=1
account sufficient pam_mysql.so user=ispconfig passwd=XXXXXXX host=127.0.0.1 db=dbispconfig table=mail_user usercolumn=email passwdcolumn=password crypt=1

[bbajmoczi]

This error is really SSL3 related. I made the following tests:

openssl s_client -starttls smtp -connect localhost:25 -works fine
openssl s_client -ssl2 -state -debug -msg -connect localhost:25 - works fine
openssl s_client -ssl3 -state -debug -msg -connect localhost:25 - gives the same error

Please HELP!!!!

[bbajmoczi]

Please help me

[bbajmoczi]

Hello again

I changed the email client to Incredimail and the SSLv3 error has disappeared from my log. It's still not working, but reading these logs it's rather some authentication problem than SSL. (If I change back to Outlook Express I have still the same error)

Apr 17 17:40:12 mail postfix/smtpd[2835]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
Apr 17 17:40:12 mail postfix/smtpd[2835]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
Apr 17 17:40:12 mail postfix/smtpd[2835]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
Apr 17 17:40:12 mail postfix/smtpd[2835]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
Apr 17 17:40:12 mail postfix/smtpd[2835]: warning: unknown[192.168.7.110]: SASL LOGIN authentication failed: authentication failure

client's log is the following: 535 5.7.8 Error: authentication failed: authentication failure


Help still needed

[falko]

I wonder why it tries to access /etc/sasldb2 - this shouldn't be needed. What's the output of

Code:

uname -a

?

[bbajmoczi]

Hello!

# uname -a
Linux mail.domain.test 2.6.32.11-99.fc12.x86_64 #1 SMP Mon Apr 5 19:59:38 UTC 2010 x86_64 x86_64 x86_64 GNU/Linux

One friend looked to my config and made some changes:
1. stopped saslauthd - it is unnecessary -he told
2. moved the socket of authdaemond to /var/spool/postfix/var/spool/authdaeomn/socket (or created a link - it was totally not clear for me what he did actually)
3. copied the the file /usr/lib64/sasl2/smtpd.conf to /etc/postfix/sasl/smtpd.conf
4. the warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory error is a small bug and irrevelant. After placing an empty sasldb2 file to the /etc/ it disappeared - but again, it is irrevelant

Now it's woking fine except one thing. Microsoft email clients cannot send email. It works with thunderbird but with Outlook Express or Live Mail it gives me relaying denied error at client side. The server side error is the following:

Apr 19 13:00:49 mail postfix/smtpd[9557]: initializing the server-side TLS engine
Apr 19 13:00:53 mail postfix/smtpd[9557]: connect from unknown[192.168.1.197]
Apr 19 13:00:53 mail postfix/smtpd[9557]: setting up TLS connection from unknown[192.168.7.197]
Apr 19 13:00:53 mail postfix/smtpd[9557]: unknown[192.168.1.197]: TLS cipher list "ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
Apr 19 13:00:53 mail postfix/smtpd[9557]: SSL_accept:before/accept initialization
Apr 19 13:00:53 mail postfix/smtpd[9557]: SSL_accept:SSLv3 read client hello B
Apr 19 13:00:53 mail postfix/smtpd[9557]: SSL_accept:SSLv3 write server hello A
Apr 19 13:00:53 mail postfix/smtpd[9557]: SSL_accept:SSLv3 write certificate A
Apr 19 13:00:53 mail postfix/smtpd[9557]: SSL_accept:SSLv3 write server done A
Apr 19 13:00:53 mail postfix/smtpd[9557]: SSL_accept:SSLv3 flush data
Apr 19 13:00:53 mail postfix/smtpd[9557]: SSL_accept:SSLv3 read client key exchange A
Apr 19 13:00:53 mail postfix/smtpd[9557]: SSL_accept:SSLv3 read finished A
Apr 19 13:00:53 mail postfix/smtpd[9557]: SSL_accept:SSLv3 write change cipher spec A
Apr 19 13:00:53 mail postfix/smtpd[9557]: SSL_accept:SSLv3 write finished A
Apr 19 13:00:53 mail postfix/smtpd[9557]: SSL_accept:SSLv3 flush data
Apr 19 13:00:53 mail postfix/smtpd[9557]: Anonymous TLS connection established from unknown[192.168.1.197]: TLSv1 with cipher AES128-SHA (128/128 bits)
Apr 19 13:00:54 mail postfix/smtpd[9557]: NOQUEUE: reject: RCPT from unknown[192.168.1.197]: 554 5.7.1 <unknown[192.168.1.197]>: Client host rejected: Access denied; from=<bbajmoczi@test.domain> to=<legal@external.email.address> proto=ESMTP helo=<BBAJMOCZI>
Apr 19 13:00:54 mail postfix/smtpd[9557]: disconnect from unknown[192.168.1.197]

Any idea for MS clients?

[bbajmoczi]

Hi all,

It finally works

Previos comment line 3 (copied the the file /usr/lib64/sasl2/smtpd.conf to /etc/postfix/sasl/smtpd.conf) does nothing. It uses the original /usr/lib64/sasl2/smtpd.conf file.
mech_list: PLAIN LOGIN
LOGIN was missing from there.

Thanks