Debian Etch Postfix Sasl2 issues

Discussion in 'HOWTO-Related Questions' started by switchtower, Apr 1, 2007.

  1. switchtower

    switchtower New Member

    I was curious is someone here could help me out with something. I've used howtoforge.net for some time and absolutely love all the information and howto's here, it's great. Usually when I work on something and have problems I'll check the logs and just Google my problem, but this time seems to be a little more difficult and I can't figure out what is wrong.

    I followed the "Virtual Users And Domains With Postfix, Courier And MySQL" by falko but used Debian Etch instead. I can send and receive email without a problem through roundcube, but I can't send mail out from an email client such as Ice Dove or Outlook.

    Here are some of my configuration files:

    /etc/postfix/main.cf

    Code:
    myhostname = mail.switchtower.org
    mydestination = mail.switchtower.org, localhost, localhost.localdomain
    mynetworks = 127.0.0.0/8
    virtual_alias_domains =
    virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    virtual_mailbox_base = /home/vmail
    virtual_uid_maps = static:5000
    virtual_gid_maps = static:5000
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    smtpd_use_tls = yes
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
    virtual_create_maildirsize = yes
    virtual_mailbox_extended = yes
    virtual_mailbox_limit_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_limit_maps.cf
    virtual_mailbox_limit_override = yes
    virtual_maildir_limit_message = "The user you are trying to reach is over quota."
    virtual_overquota_bounce = yes
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
    inet_interfaces = all
    
    /etc/default/saslauthd

    Code:
    #
    # Settings for saslauthd daemon
    #
    
    # Should saslauthd run automatically on startup? (default: no)
    START=yes
    
    # Which authentication mechanisms should saslauthd use? (default: pam)
    #
    # Available options in this Debian package:
    # getpwent  -- use the getpwent() library function
    # kerberos5 -- use Kerberos 5
    # pam       -- use PAM
    # rimap     -- use a remote IMAP server
    # shadow    -- use the local shadow password file
    # sasldb    -- use the local sasldb database file
    # ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
    #
    # Only one option may be used at a time. See the saslauthd man page
    # for more information.
    #
    # Example: MECHANISMS="pam"
    
    MECHANISMS="pam"
    OPTIONS="-m /var/spool/postfix/var/run/saslauthd -r -c"
    
    
    # Additional options for this mechanism. (default: none)
    # See the saslauthd man page for information about mech-specific options.
    MECH_OPTIONS=""
    
    # How many saslauthd processes should we run? (default: 5)
    # A value of 0 will fork a new process for each connection.
    THREADS=5
    
    # Other options (default: -c)
    # See the saslauthd man page for information about these options.
    #
    # Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
    # Note: See /usr/share/doc/sasl2-bin/README.Debian
    #OPTIONS="-c"
    
    /etc/postfix/sasl/smtpd.conf

    Code:
    pwcheck_method: saslauthd
    mech_list: plain login
    allow_plaintext: true
    auxprop_plugin: mysql
    sql_hostnames: 127.0.0.1
    sql_user: mail_admin
    sql_passwd: (password)
    sql_database: mail
    sql_select: select password from users where email = '%u'
    
    /etc/pam.d/smtp
    Code:
    auth    required   pam_mysql.so user=mail_admin passwd=password host=127.0.0.1 db=mail table=users usercolumn=email passwdcolumn=password crypt=1
    account sufficient pam_mysql.so user=mail_admin passwd=password host=127.0.0.1 db=mail table=users usercolumn=email passwdcolumn=password crypt=1
    
    tail -20 /var/log/mail.log
    Code:
    Apr  1 10:58:54 mail postfix/anvil[29009]: statistics: max connection count 1 for (smtp:24.11.146.57) at Apr  1 10:55:30
    Apr  1 10:58:54 mail postfix/anvil[29009]: statistics: max cache size 1 at Apr  1 10:55:30
    Apr  1 10:59:36 mail imapd: Connection, ip=[::ffff:127.0.0.1]
    Apr  1 10:59:36 mail authdaemond: received auth request, service=imap, authtype=login
    Apr  1 10:59:36 mail authdaemond: authmysql: trying this module
    Apr  1 10:59:36 mail authdaemond: SQL query: SELECT email, password, "", 5000, 5000, "/home/vmail", CONCAT(SUBSTRING_INDEX(email,'@',-1),'/',SUBSTRING_INDEX(email,'@',1),'/'), quota, "", "" FROM users WHERE email = "nick@switchtower.org"
    Apr  1 10:59:36 mail authdaemond: password matches successfully
    Apr  1 10:59:36 mail authdaemond: authmysql: sysusername=<null>, sysuserid=5000, sysgroupid=5000, homedir=/home/vmail, address=nick@switchtower.org, fullname=<null>, maildir=switchtower.org/nick/, quota=2147483647, options=<null>
    Apr  1 10:59:36 mail authdaemond: Authenticated: sysusername=<null>, sysuserid=5000, sysgroupid=5000, homedir=/home/vmail, address=nick@switchtower.org, fullname=<null>, maildir=switchtower.org/nick/, quota=2147483647, options=<null>
    Apr  1 10:59:36 mail imapd: LOGIN, user=nick@switchtower.org, ip=[::ffff:127.0.0.1], protocol=IMAP
    Apr  1 10:59:36 mail imapd: LOGOUT, user=nick@switchtower.org, ip=[::ffff:127.0.0.1], headers=0, body=0, rcvd=25, sent=180, time=0
    Apr  1 11:00:36 mail imapd: Connection, ip=[::ffff:127.0.0.1]
    Apr  1 11:00:36 mail authdaemond: received auth request, service=imap, authtype=login
    Apr  1 11:00:36 mail authdaemond: authmysql: trying this module
    Apr  1 11:00:36 mail authdaemond: SQL query: SELECT email, password, "", 5000, 5000, "/home/vmail", CONCAT(SUBSTRING_INDEX(email,'@',-1),'/',SUBSTRING_INDEX(email,'@',1),'/'), quota, "", "" FROM users WHERE email = "nick@switchtower.org"
    Apr  1 11:00:36 mail authdaemond: password matches successfully
    Apr  1 11:00:36 mail authdaemond: authmysql: sysusername=<null>, sysuserid=5000, sysgroupid=5000, homedir=/home/vmail, address=nick@switchtower.org, fullname=<null>, maildir=switchtower.org/nick/, quota=2147483647, options=<null>
    Apr  1 11:00:36 mail authdaemond: Authenticated: sysusername=<null>, sysuserid=5000, sysgroupid=5000, homedir=/home/vmail, address=nick@switchtower.org, fullname=<null>, maildir=switchtower.org/nick/, quota=2147483647, options=<null>
    Apr  1 11:00:36 mail imapd: LOGIN, user=nick@switchtower.org, ip=[::ffff:127.0.0.1], protocol=IMAP
    Apr  1 11:00:36 mail imapd: LOGOUT, user=nick@switchtower.org, ip=[::ffff:127.0.0.1], headers=0, body=0, rcvd=25, sent=180, time=0
    
    Please let me know if you can help and also if you need anything else from me. Any help would be GREATLY appreciated :)

    Nick
     
  2. falko

    falko Super Moderator

    You must enable "Server requires authentication." in your email clients.
     
  3. switchtower

    switchtower New Member

    thank you falko for responding :) I tried enabling "Server requires authentication" in Ice Dove, but it just told me that the server didn't support it.

    Here is some updated log files from the server, maybe this will help better understand the problem:

    Code:
    Apr  2 13:04:48 mail imapd: LOGIN, user=nick@switchtower.org, ip=[::ffff:127.0.0.1], protocol=IMAP
    Apr  2 13:04:48 mail imapd: LOGOUT, user=nick@switchtower.org, ip=[::ffff:127.0.0.1], headers=0, body=0, rcvd=25, sent=180, time=0
    Apr  2 13:05:20 mail postfix/smtpd[3140]: warning: dict_nis_init: NIS domain name not set - NIS lookups disabled
    Apr  2 13:05:21 mail postfix/smtpd[3140]: warning: 69.16.222.227: address not listed for hostname switchtower.liquidweb.com
    Apr  2 13:05:21 mail postfix/smtpd[3140]: connect from unknown[69.16.222.227]
    Apr  2 13:05:26 mail postfix/smtpd[3140]: warning: SASL authentication failure: Password verification failed
    Apr  2 13:05:26 mail postfix/smtpd[3140]: warning: unknown[69.16.222.227]: SASL PLAIN authentication failed: authentication failure
    Apr  2 13:05:26 mail postfix/smtpd[3140]: warning: unknown[69.16.222.227]: SASL LOGIN authentication failed: authentication failure
    
    
    Thanks again,

    Nick
     
  4. falko

    falko Super Moderator

  5. switchtower

    switchtower New Member

    thanks for you reply falko, I did use
    Code:
    OPTIONS="-m /var/spool/postfix/var/run/saslauthd -r -c"
    
    I'll look through the Ubuntu howto see if I can see any differences in what I did.

    Thanks again.
     
  6. wad

    wad New Member

    I'm trying to do the exact same thing. I'd like my mail users to be able to send mail through my postfix, but it needs to be secure. I don't care if I just have a single username/password for all users trying to send email, actually.

    Has anyone tried this using the rimap option in saskauthd for this purpose?
     
  7. switchtower

    switchtower New Member

    All is fixed :)

    Falko was right, i wasn't forcing my client to use TLS for SMTP connections. Thanks Falko, as usually, I've used your suggestion to fix my problem. :)

    Nick
     
  8. wad

    wad New Member

    Mine is working now too. Here's what I did, top to bottom, to get debian etch with postfix working to send SMTP mail securely with TLS:

    1. apt-get install libsasl2-modules sasl2-bin
    2. edited /etc/default/saslauthd like this:
    START=yes
    MECHANISMS="shadow"
    MECH_OPTIONS=""
    THREADS=5
    OPTIONS="-c"
    3. copied contents of /usr/share/postfix/main.cf.tls into /etc/postfix/main.cf, added these lines:
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    smtpd_tls_cert_file=/etc/ssl/certs/wadhome.org.pem
    smtpd_tls_key_file=/etc/ssl/private/wadhome.org.pem
    smtpd_use_tls=yes
    smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
    4. put stuff into /etc/postfix/sasl/smtpd.conf:
    pwcheck_method: saslauthd
    mech_list: plain login
    5. Fixed problems with postfix ownership of the pipe:
    mkdir -p /var/spool/postfix/var/run/saslauthd
    Added this to /etc/fstab: /var/run/saslauthd /var/spool/postfix/var/run/saslauthd none bind 0 0
    mount /var/spool/postfix/var/run/saslauthd
    chmod 755 /var/spool/postfix/var/run/saslauthd
    6. /etc/init.d/saslauthd start
    7. /etc/init.d/postfix restart
     
  9. Stoneborn

    Stoneborn New Member

    I'm trying to setup SMTP authentication for my mail-server (DEBIAN ETCH) for the last 5 days but nothing i tried so far is really working. Perhaps anybody here can help me getting all running :)

    I created /var/spool/postfix/var/run/saslauthd/ by running:
    mkdir -p /var/spool/postfix/var/run/saslauthd/

    I followed /usr/share/doc/sasl2-bin/README.Debian and made:
    dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd

    /etc/default/saslauthd
    Code:
    START=yes
    MECHANISMS="pam"
    MECH_OPTIONS=""
    THREADS=5
    OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
    
    /etc/pam.d/smtp
    Code:
    auth required pam_mysql.so user=mailuser passwd=mypasswd host=localhost db=mailusers table=mailbox usercolumn=user passwdcolumn=password crypt=1
    
    account sufficient pam_mysql.so user=mailuser passwd=mypasswd host=localhost db=mailusers table=mailbox usercolumn=user passwdcolumn=password crypt=1
    
    relevant information from /etc/postfix/main.cf
    Code:
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_local_domain = $myhostname
    broken_sasl_auth_clients = no
    
    smtpd_helo_required = yes
    smtpd_recipient_restrictions =
            permit_sasl_authenticated,
            permit_mynetworks,
            reject_unauth_destination
    
    smtpd_sender_restrictions =
            permit_sasl_authenticated,
            permit_mynetworks,
            reject_unauth_destination
    
    smtpd_helo_restrictions =
            permit_sasl_authenticated,
            permit_mynetworks,
            reject_unauth_destination
    
    smtpd_use_tls = yes
    smtpd_tls_auth_only = yes
    
    smtpd_tls_key_file = /etc/postfix/smtpd.pem
    smtpd_tls_cert_file = /etc/postfix/smtpd.pem
    smtpd_tls_CAfile = /etc/postfix/smtpd.pem
    
    If I use this
    /etc/postfix/sasl/smtpd.conf
    Code:
    pwcheck_method: saslauthd
    mech_ist: PLAIN LOGIN
    
    then I'm getting the following error in /var/log/auth.log

    Code:
    May 23 20:56:41 servername postfix/smtpd[25836]: sql_select option missing
    May 23 20:56:41 servername postfix/smtpd[25836]: auxpropfunc error no mechanism available
    May 23 20:56:41 servername postfix/smtpd[25836]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql
    
    If I use this version of /etc/postfix/sasl/smtpd.conf instead
    Code:
    pwcheck_method: saslauthd
    mech_ist: PLAIN LOGIN
    
    sasl_pwcheck_method: auxprop
    sasl_auxprop_plugin: mysql
    allow_plaintext: true
    password_format: crypt
    mech_list: plain login CRAM-MD5 DIGEST-MD5
    
    sql_engine: mysql
    sql_hostnames: 127.0.0.1
    sql_database: mailusers
    sql_user: mailuser
    sql_passwd: mypasswd
    sql_select: SELECT password FROM mailbox WHERE user='%u@%r
    
    I receive the following error
    Code:
    May 23 21:01:21 servername postfix/smtpd[26465]: warning: SASL authentication failure: incorrect digest response
    May 23 21:01:21 servername postfix/smtpd[26465]: warning: p54xxxxxx.dip.t-dialin.net[xx.xxx.xx.xxx]: SASL CRAM-MD5 authentication failed: authentication failure
    

    Hope I didn't forget to post one of these config-files :)
    If so please tell me I will give you the missing information.

    Thanks for your help in advance...
     
  10. falko

    falko Super Moderator

    Try this in /etc/postfix/sasl/smtpd.conf (from http://www.howtoforge.com/virtual_postfix_mysql_quota_courier_ubuntu_edgy_p3 ):

    Code:
    pwcheck_method: saslauthd
    mech_list: plain login
    allow_plaintext: true
    auxprop_plugin: mysql
    sql_hostnames: 127.0.0.1
    sql_user: mail_admin
    sql_passwd: mail_admin_password
    sql_database: mail
    sql_select: select password from users where email = '%u'
     
  11. Stoneborn

    Stoneborn New Member

    Thanks for your help. I tried it an now I'm getting another error message :)

    Code:
    May 24 19:05:24 servername postfix/smtpd[22417]: TLS connection established from p54xxxxxx.dip.t-dialin.net[XX.XX.XX.XX]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
    
    May 24 19:05:24 servername postfix/smtpd[22417]: warning: p54xxxxxx.dip.t-dialin.net[XX.XX.XX.XX]: SASL CRAM-MD5 authentication failed: no mechanism available
    
    May 24 19:05:24 servername postfix/smtpd[22417]: disconnect from p54xxxxxx.dip.t-dialin.net[XX.XX.XX.XX]
    
     
  12. falko

    falko Super Moderator

    Can you post the output of
    Code:
    telnet localhost 25
    and then
    Code:
    ehlo localhost
    ?
     
  13. Stoneborn

    Stoneborn New Member

    That is the output of 'telnet localhost 25' and 'ehlo localhost':
    Code:
    250-server.domain.de
    250-PIPELINING
    250-SIZE 10240000
    250-ETRN
    250-STARTTLS
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    
     
  14. falko

    falko Super Moderator

    There are not AUTH lines at all, so something is wrong in your main.cf. Please compare your setup again with the tutorial.
     
  15. Stoneborn

    Stoneborn New Member

    I didn't find anything wrong in main.cf.
    Instead I found out that I have a problem starting saslauthd.

    In /etc/postfix/sasl/smtpd.conf i set the loglevel to 7 and then tried to start saslauthd by hand
    Code:
    /usr/sbin/saslauthd -dV -a pam -c -m /var/spool/postfix/var/run/saslauthd start
    What I get is this:

    Code:
     /usr/sbin/saslauthd -dV -a pam -c -m /var/spool/postfix/var/run/saslauthd start
    saslauthd[26345] :main            : num_procs  : 5
    saslauthd[26345] :main            : mech_option: NULL
    saslauthd[26345] :main            : run_path   : /var/spool/postfix/var/run/saslauthd
    saslauthd[26345] :main            : auth_mech  : pam
    saslauthd[26345] :cache_alloc_mm  : mmaped shared memory segment on file: /var/spool/postfix/var/run/saslauthd/cache.mmap
    saslauthd[26345] :cache_init      : bucket size: 92 bytes
    saslauthd[26345] :cache_init      : stats size : 36 bytes
    saslauthd[26345] :cache_init      : timeout    : 28800 seconds
    saslauthd[26345] :cache_init      : cache table: 944764 total bytes
    saslauthd[26345] :cache_init      : cache table: 1711 slots
    saslauthd[26345] :cache_init      : cache table: 10266 buckets
    saslauthd[26345] :cache_init_lock : flock file opened at /var/spool/postfix/var/run/saslauthd/cache.flock
    saslauthd[26345] :ipc_init        : using accept lock file: /var/spool/postfix/var/run/saslauthd/mux.accept
    saslauthd[26345] :detach_tty      : master pid is: 0
    saslauthd[26345] :ipc_init        : could not bind to socket: /var/spool/postfix/var/run/saslauthd/mux
    saslauthd[26345] :ipc_init        : bind: Address already in use
    So the daemon isn't startet at all. Any idea?
     
  16. Stoneborn

    Stoneborn New Member

    Thanks for your help. Server is running now.
    Had to delete the folder "mux" in /var/spool/postfix/var/run/saslauthd/.
     

Share This Page