Having an issue with postfix and sasl

Discussion in 'Server Operation' started by wigglez, Nov 22, 2012.

  1. wigglez

    wigglez New Member

    Hi,

    I've been following this howto
    http://www.howtoforge.com/virtual-u...urier-mysql-and-squirrelmail-ubuntu-12.04-lts

    I've searched quite extensively, but nothing seemed to be the right fix.


    This is the error:
    Code:
    Nov 22 02:59:07 host postfix/master[28492]: daemon started -- version 2.5.1, configuration 
    
    /etc/postfix
    Nov 22 03:25:16 host postfix/smtpd[21507]: warning: SASL per-process initialization failed: 
    
    generic failure
    Nov 22 03:25:16 host postfix/smtpd[21507]: fatal: SASL per-process initialization failed
    Nov 22 03:25:17 host postfix/master[28492]: warning: process /usr/lib/postfix/smtpd pid 21507 exit 
    
    status 1
    Nov 22 03:25:17 host postfix/master[28492]: warning: /usr/lib/postfix/smtpd: bad command startup 
    
    -- throttling
    Telnet would just hang. When I set smtpd_sasl_auth_enable to no, it worked, I could send mail and receive it.

    I then noticed that I could only receive mail that was sent with telnet and not from google. From searching I found I needed to add this:

    smtpd_tls_exclude_ciphers=RC4-MD5

    I could then receive mail from outside. That seems more of a patch than a fix. Any comments on this one?


    Here is my main.cf file
    Code:
    # See /usr/share/postfix/main.cf.dist for a commented, more complete version
    
    
    # Debian specific:  Specifying a file name will cause the first
    # line of that file to be used as the name.  The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname
    
    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    biff = no
    
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    
    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h
    
    readme_directory = no
    
    # TLS parameters
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtpd_tls_exclude_ciphers=RC4-MD5
    
    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.
    
    myhostname =  domain.net
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    #myorigin = /etc/mailname
    myorigin = domain.net
    mydestination =
    relayhost =
    mynetworks = 127.0.0.0/8
    mailbox_command = procmail -a "$EXTENSION"
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    virtual_alias_domains =
    virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, 
    
    mysql:/etc/postfix/mysql-virtual_email2email.cf
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    virtual_mailbox_base = /home/vmail
    virtual_uid_maps = static:5000
    virtual_gid_maps = static:5000
    
    #SASL
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_local_domain=
    smtpd_sasl_authenticated_header = yes
    
    smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, warn_if_reject, 
    
    reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit
    
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, 
    
    reject_unauth_destination
    
    
    virtual_create_maildirsize = yes
    virtual_maildir_extended = yes
    virtual_mailbox_limit_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_limit_maps.cf
    virtual_mailbox_limit_override = yes
    virtual_maildir_limit_message = "The user you are trying to reach is over quota."
    virtual_overquota_bounce = yes
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains 
    
    $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains 
    
    $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $mynetworks 
    
    $virtual_mailbox_limit_maps

    /etc/default/saslauthd file
    Code:
    #
    # Settings for saslauthd daemon
    # Please read /usr/share/doc/sasl2-bin/README.Debian for details.
    #
    
    # Should saslauthd run automatically on startup? (default: no)
    START=yes
    
    # Description of this saslauthd instance. Recommended.
    # (suggestion: SASL Authentication Daemon)
    DESC="SASL Authentication Daemon"
    
    # Short name of this saslauthd instance. Strongly recommended.
    # (suggestion: saslauthd)
    NAME="saslauthd"
    
    # Which authentication mechanisms should saslauthd use? (default: pam)
    #
    # Available options in this Debian package:
    # getpwent  -- use the getpwent() library function
    # kerberos5 -- use Kerberos 5
    # pam       -- use PAM
    # rimap     -- use a remote IMAP server
    # shadow    -- use the local shadow password file
    # sasldb    -- use the local sasldb database file
    # ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
    #
    # Only one option may be used at a time. See the saslauthd man page
    # for more information.
    #
    # Example: MECHANISMS="pam"
    MECHANISMS="pam"
    
    # Additional options for this mechanism. (default: none)
    # See the saslauthd man page for information about mech-specific options.
    MECH_OPTIONS=""
    
    # How many saslauthd processes should we run? (default: 5)
    # A value of 0 will fork a new process for each connection.
    THREADS=5
    
    # Other options (default: -c -m /var/run/saslauthd)
    # Note: You MUST specify the -m option or saslauthd won't run!
    #
    # See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
    # See the saslauthd man page for general information about these options.
    #
    # Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
    OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"

    /etc/postfix/sasl/smtpd.conf
    Code:
    /etc/postfix/sasl/smtpd.conf
    
    pwcheck_method: saslauthd
    mech_list: plain login cram-md5 digest-md5
    log_level: 7
    allow plaintext: true
    auxprop_plugin: mysql
    sql_engine: mysql
    sql_hostnames: 127.0.0.1
    sql_user: mail_admin
    sql_passwd: mail_admin_pass
    sql_database: mail
    sql_select: select password from users where email = '%u@%r'

    Thanks.
     
  2. wigglez

    wigglez New Member

    I figure this isn't part of it because it has to do with courier, but I'll just throw this out there to.

    When trying to add one of the email addresses to thunderbird. It pops up a warning that says
    "This site attempts to identify itself with invalid information."
     
  3. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    Can you put these three directives in one line each instead of multiple lines?

    Code:
    virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, 
    
    mysql:/etc/postfix/mysql-virtual_email2email.cf
    Code:
    smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, warn_if_reject, 
    
    reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit
    
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, 
    
    reject_unauth_destination
    Code:
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains 
    
    $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains 
    
    $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $mynetworks 
    
    $virtual_mailbox_limit_maps
     
  4. wigglez

    wigglez New Member

    Sorry, probably because I didn't have terminal maximized when I copied them.

    Code:
    virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
    Code:
    smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, warn_if_reject, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit
    Code:
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $mynetworks $virtual_mailbox_limit_maps
    
     
  5. wigglez

    wigglez New Member

    results from testsaslauthd

    sudo testsaslauthd -u test -p test
    connect() : No such file or directory

    sudo testsaslauthd -u test -p test -f /var/spool/postfix/var/run/saslauthd/mux
    0: NO "authentication failed"
     
  6. wigglez

    wigglez New Member

    I seem to have finally stumbled on to a similar issue.

    The fix was to tell postfix directly the path to sasl in the main.cf file

    smtpd_sasl_path = /var/spool/postfix/var/run/saslauthd

    By doing that I was also able to remove the
    smtpd_tls_exclude_ciphers=RC4-MD5
    for google.
     

Share This Page