postfix does not authenticate through saslauthd

Discussion in 'Server Operation' started by openman, Nov 18, 2008.

  1. openman

    openman New Member

    Hello,
    I have upgrade from ubuntu 6.06LTS to 8.01 LTS and after that it is impossible to authenticate through saslauthd thunderbird to send e-mail.

    The following command I believe leave the saslauthd without conf problems:
    Code:
    testsaslauthd -f /var/spool/postfix/var/run/saslauthd/mux -u user -p password.
    0: OK "Success."
    The saslfinger gives the following:
    Code:
    saslfinger - postfix Cyrus sasl configuration Τρι 18 Νοέ 2008 08:13:00 μμ EET
    version: 1.0.4
    mode: server-side SMTP AUTH
    
    -- basics --
    Postfix: 2.5.4
    System: Ubuntu 8.04.1 \n \l
    
    -- smtpd is linked to --
            libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7d23000)
    
    -- active SMTP AUTH and TLS parameters for smtpd --
    broken_sasl_auth_clients = yes
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_local_domain =
    smtpd_sasl_path = /etc/postfix/sasl/
    smtpd_sasl_security_options = noanonymous
    smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
    smtpd_tls_auth_only = no
    smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
    smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
    smtpd_tls_loglevel = 0
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
    smtpd_tls_session_cache_timeout = 3600s
    smtpd_use_tls = yes
    
    
    -- listing of /usr/lib/sasl2 --
    total 796
    drwxr-xr-x  2 root root  4096 2008-11-06 09:04 .
    drwxr-xr-x 59 root root 16384 2008-11-18 20:11 ..
    -rw-r--r--  1 root root 13568 2008-04-10 00:50 libanonymous.a
    -rw-r--r--  1 root root   862 2008-04-10 00:49 libanonymous.la
    -rw-r--r--  1 root root 12984 2008-04-10 00:50 libanonymous.so
    -rw-r--r--  1 root root 12984 2008-04-10 00:50 libanonymous.so.2
    -rw-r--r--  1 root root 12984 2008-04-10 00:50 libanonymous.so.2.0.22
    -rw-r--r--  1 root root 15834 2008-04-10 00:50 libcrammd5.a
    -rw-r--r--  1 root root   848 2008-04-10 00:49 libcrammd5.la
    -rw-r--r--  1 root root 15320 2008-04-10 00:50 libcrammd5.so
    -rw-r--r--  1 root root 15320 2008-04-10 00:50 libcrammd5.so.2
    -rw-r--r--  1 root root 15320 2008-04-10 00:50 libcrammd5.so.2.0.22
    -rw-r--r--  1 root root 46332 2008-04-10 00:50 libdigestmd5.a
    -rw-r--r--  1 root root   871 2008-04-10 00:49 libdigestmd5.la
    -rw-r--r--  1 root root 43020 2008-04-10 00:50 libdigestmd5.so
    -rw-r--r--  1 root root 43020 2008-04-10 00:50 libdigestmd5.so.2
    -rw-r--r--  1 root root 43020 2008-04-10 00:50 libdigestmd5.so.2.0.22
    -rw-r--r--  1 root root 13574 2008-04-10 00:50 liblogin.a
    -rw-r--r--  1 root root   842 2008-04-10 00:49 liblogin.la
    -rw-r--r--  1 root root 13268 2008-04-10 00:50 liblogin.so
    -rw-r--r--  1 root root 13268 2008-04-10 00:50 liblogin.so.2
    -rw-r--r--  1 root root 13268 2008-04-10 00:50 liblogin.so.2.0.22
    -rw-r--r--  1 root root 30016 2008-04-10 00:50 libntlm.a
    -rw-r--r--  1 root root   836 2008-04-10 00:49 libntlm.la
    -rw-r--r--  1 root root 29236 2008-04-10 00:50 libntlm.so
    -rw-r--r--  1 root root 29236 2008-04-10 00:50 libntlm.so.2
    -rw-r--r--  1 root root 29236 2008-04-10 00:50 libntlm.so.2.0.22
    -rw-r--r--  1 root root 13798 2008-04-10 00:50 libplain.a
    -rw-r--r--  1 root root   842 2008-04-10 00:49 libplain.la
    -rw-r--r--  1 root root 13396 2008-04-10 00:50 libplain.so
    -rw-r--r--  1 root root 13396 2008-04-10 00:50 libplain.so.2
    -rw-r--r--  1 root root 13396 2008-04-10 00:50 libplain.so.2.0.22
    -rw-r--r--  1 root root 22126 2008-04-10 00:50 libsasldb.a
    -rw-r--r--  1 root root   873 2008-04-10 00:49 libsasldb.la
    -rw-r--r--  1 root root 18080 2008-04-10 00:50 libsasldb.so
    -rw-r--r--  1 root root 18080 2008-04-10 00:50 libsasldb.so.2
    -rw-r--r--  1 root root 18080 2008-04-10 00:50 libsasldb.so.2.0.22
    -rw-r--r--  1 root root 23696 2008-04-10 00:50 libsql.a
    -rw-r--r--  1 root root   971 2008-04-10 00:49 libsql.la
    -rw-r--r--  1 root root 23140 2008-04-10 00:50 libsql.so
    -rw-r--r--  1 root root 23140 2008-04-10 00:50 libsql.so.2
    -rw-r--r--  1 root root 23140 2008-04-10 00:50 libsql.so.2.0.22
    
    -- listing of /etc/postfix/sasl --
    total 12
    drwxr-xr-x 2 root root 4096 2007-06-25 13:30 .
    drwxr-xr-x 4 root root 4096 2008-11-18 13:27 ..
    -rw-r--r-- 1 root root   85 2008-11-08 09:09 smtpd.conf
    
    
    
    
    -- content of /etc/postfix/sasl/smtpd.conf --
    pwcheck_method: saslauthd
    mech_list: plain login
    log_level: 10
    allow_plaintext: true
    
    -- content of /etc/postfix/sasl/smtpd.conf --
    pwcheck_method: saslauthd
    mech_list: plain login
    log_level: 10
    allow_plaintext: true
    
    
    -- active services in /etc/postfix/master.cf --
    # service type  private unpriv  chroot  wakeup  maxproc command + args
    #               (yes)   (yes)   (yes)   (never) (100)
    smtp      inet  n       -       -       -       -       smtpd
    pickup    fifo  n       -       -       60      1       pickup
    cleanup   unix  n       -       -       -       0       cleanup
    qmgr      fifo  n       -       n       300     1       qmgr
    tlsmgr    unix  -       -       -       1000?   1       tlsmgr
    rewrite   unix  -       -       -       -       -       trivial-rewrite
    bounce    unix  -       -       -       -       0       bounce
    defer     unix  -       -       -       -       0       bounce
    trace     unix  -       -       -       -       0       bounce
    verify    unix  -       -       -       -       1       verify
    flush     unix  n       -       -       1000?   0       flush
    proxymap  unix  -       -       n       -       -       proxymap
    smtp      unix  -       -       -       -       -       smtp
    relay     unix  -       -       -       -       -       smtp
            -o fallback_relay=
    showq     unix  n       -       -       -       -       showq
    error     unix  -       -       -       -       -       error
    discard   unix  -       -       -       -       -       discard
    local     unix  -       n       n       -       -       local
    virtual   unix  -       n       n       -       -       virtual
    lmtp      unix  -       -       -       -       -       lmtp
    anvil     unix  -       -       -       -       1       anvil
    scache    unix  -       -       -       -       1       scache
    maildrop  unix  -       n       n       -       -       pipe
      flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
    uucp      unix  -       n       n       -       -       pipe
      flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
    ifmail    unix  -       n       n       -       -       pipe
      flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
    bsmtp     unix  -       n       n       -       -       pipe
      flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
    scalemail-backend unix  -       n       n       -       2       pipe
      flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
    mailman   unix  -       n       n       -       -       pipe
      flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
      ${nexthop} ${user}
    
    amavis unix - - - - 2 smtp
            -o smtp_data_done_timeout=1200
            -o smtp_send_xforward_command=yes
    
    127.0.0.1:10025 inet n - - - - smtpd
            -o content_filter=
            -o local_recipient_maps=
            -o relay_recipient_maps=
            -o smtpd_restriction_classes=
            -o smtpd_client_restrictions=
            -o smtpd_helo_restrictions=
            -o smtpd_sender_restrictions=
            -o smtpd_recipient_restrictions=permit_mynetworks,reject
            -o mynetworks=127.0.0.0/8
            -o strict_rfc821_envelopes=yes
            -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
            -o smtpd_bind_address=127.0.0.1
    retry     unix  -       -       -       -       -       error
    
    -- mechanisms on localhost --
    250-AUTH NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
    250-AUTH=NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
    
    
    -- end of saslfinger output --
    The mail.info gives the following:
    Code:
    Nov 18 19:56:53 galinos postfix/master[1584]: daemon started -- version 2.5.4, configuration /etc/postfix
    Nov 18 19:57:07 galinos postfix/tlsmgr[1591]: warning: request to update table btree:/var/spool/postfix/smtpd_scache in non-postfix directory /var/spool/postfix
    Nov 18 19:57:07 galinos postfix/tlsmgr[1591]: warning: redirecting the request to postfix-owned data_directory /var/lib/postfix
    Nov 18 19:57:07 galinos postfix/tlsmgr[1591]: warning: request to update table btree:/var/spool/postfix/smtp_scache in non-postfix directory /var/spool/postfix
    Nov 18 19:57:07 galinos postfix/tlsmgr[1591]: warning: redirecting the request to postfix-owned data_directory /var/lib/postfix
    Nov 18 19:57:07 galinos postfix/smtpd[1589]: connect from unknown[195.167.65.109]
    Nov 18 19:57:14 galinos postfix/smtpd[1589]: warning: SASL authentication failure: no secret in database
    Nov 18 19:57:14 galinos postfix/smtpd[1589]: warning: unknown[195.167.65.109]: SASL CRAM-MD5 authentication failed: authentication failure
    Nov 18 19:57:15 galinos postfix/smtpd[1589]: warning: SASL authentication failure: no secret in database
    Nov 18 19:57:15 galinos postfix/smtpd[1589]: warning: unknown[195.167.65.109]: SASL NTLM authentication failed: authentication failure
    Nov 18 19:57:15 galinos postfix/smtpd[1589]: warning: SASL authentication failure: Password verification failed
    Nov 18 19:57:15 galinos postfix/smtpd[1589]: warning: unknown[195.167.65.109]: SASL PLAIN authentication failed: authentication failure
    Nov 18 19:57:16 galinos postfix/smtpd[1589]: warning: unknown[195.167.65.109]: SASL LOGIN authentication failed: authentication failure
    Nov 18 19:57:21 galinos postfix/smtpd[1589]: warning: SASL authentication failure: no secret in database
    Nov 18 19:57:21 galinos postfix/smtpd[1589]: warning: unknown[195.167.65.109]: SASL CRAM-MD5 authentication failed: authentication failure
    Nov 18 19:57:22 galinos postfix/smtpd[1589]: warning: SASL authentication failure: no secret in database
    Nov 18 19:57:22 galinos postfix/smtpd[1589]: warning: unknown[195.167.65.109]: SASL NTLM authentication failed: authentication failure
    Nov 18 19:57:22 galinos postfix/smtpd[1589]: warning: SASL authentication failure: Password verification failed
    Nov 18 19:57:22 galinos postfix/smtpd[1589]: warning: unknown[195.167.65.109]: SASL PLAIN authentication failed: authentication failure
    Nov 18 19:57:23 galinos postfix/smtpd[1589]: warning: unknown[195.167.65.109]: SASL LOGIN authentication failed: authentication failure
    Nov 18 19:57:25 galinos postfix/smtpd[1589]: disconnect from unknown[195.167.65.109]
    
    Except the above, I can not understand why the authentication methods are not limited in the ehlo command when in the smtpd.conf it is limited to "plain text"

    Any ideas?
     
  2. _X_

    _X_ New Member

    do you have:
    smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject _unauth_destination

    in /etc/postfix/main.cf
     
  3. openman

    openman New Member

    yes,
    Code:
    smtpd_recipient_restrictions =  permit_sasl_authenticated, permit_mynetworks ,  reject_unauth_destination
    
     
  4. _X_

    _X_ New Member

  5. _X_

    _X_ New Member

  6. openman

    openman New Member

    nothing of the above helped...

    Why does it present all authenticate methods even when it is limited to plain login in configuration?
     
    Last edited: Nov 18, 2008
  7. _X_

    _X_ New Member

    does mail auth works from other mail clients like Outlook (Express)?
     
  8. openman

    openman New Member

    no, it does not.
     
  9. _X_

    _X_ New Member

    can you post main.cf?
     
  10. openman

    openman New Member

    main.cf
    Code:
    # See /usr/share/postfix/main.cf.dist for a commented, more complete version
    
    
    # Debian specific:  Specifying a file name will cause the first
    # line of that file to be used as the name.  The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname
    
    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    biff = no
    
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    
    # Uncomment the next line to generate "delayed mail" warnings
    delay_warning_time = 6h
    
    # TLS parameters
    smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
    smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtpd_tls_auth_only = no
    smtp_tls_note_starttls_offer = yes
    smtpd_tls_loglevel = 0
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
    
    
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_local_domain = 
    smtpd_sasl_path = /etc/postfix/sasl/
    broken_sasl_auth_clients = yes
    smtpd_tls_auth_only = no
    
    smtpd_recipient_restrictions =  permit_sasl_authenticated, permit_mynetworks ,  reject_unauth_destination
    
    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.
    
    myhostname = galinos.xxx.xxx
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = /etc/mailname
    mydestination = galinos.xxx.xxx
    relayhost =
    mynetworks = 127.0.0.0/8
    mailbox_command = procmail -a "$EXTENSION"
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    content_filter = amavis:[127.0.0.1]:10024
    receive_override_options = no_address_mappings
    home_mailbox = Maildir/
    
    smtpd_helo_required = yes
    disable_vrfy_command = yes
    strict_rfc821_envelopes = yes
    invalid_hostname_reject_code = 554
    multi_recipient_bounce_reject_code = 554
    non_fqdn_reject_code = 554
    relay_domains_reject_code = 554
    unknown_address_reject_code = 554
    unknown_client_reject_code = 554
    unknown_hostname_reject_code = 554
    unknown_local_recipient_reject_code = 554
    unknown_relay_recipient_reject_code = 554
    unknown_sender_reject_code = 554
    unknown_virtual_alias_reject_code = 554
    unknown_virtual_mailbox_reject_code = 554
    unverified_recipient_reject_code = 554
    unverified_sender_reject_code = 554
    
    readme_directory = /usr/share/doc/postfix
    html_directory = /usr/share/doc/postfix/html
    smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
    
     
  11. falko

    falko Super Moderator ISPConfig Developer

    What's in /etc/default/saslauthd?
     
  12. openman

    openman New Member

    /etc/default/saslauthd
    Code:
    #
    # Settings for saslauthd daemon
    # Please read /usr/share/doc/sasl2-bin/README.Debian for details.
    #
    
    # Should saslauthd run automatically on startup? (default: no)
    START=yes
    
    # Description of this saslauthd instance. Recommended.
    # (suggestion: SASL Authentication Daemon)
    DESC="SASL Authentication Daemon"
    
    # Short name of this saslauthd instance. Strongly recommended.
    # (suggestion: saslauthd)
    NAME="saslauthd"
    
    # Which authentication mechanisms should saslauthd use? (default: pam)
    #
    # Available options in this Debian package:
    # getpwent  -- use the getpwent() library function
    # kerberos5 -- use Kerberos 5
    # pam       -- use PAM
    # rimap     -- use a remote IMAP server
    # shadow    -- use the local shadow password file
    # sasldb    -- use the local sasldb database file
    # ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
    #
    # Only one option may be used at a time. See the saslauthd man page
    # for more information.
    #
    # Example: MECHANISMS="pam"
    MECHANISMS="shadow"
    
    # Additional options for this mechanism. (default: none)
    # See the saslauthd man page for information about mech-specific options.
    MECH_OPTIONS=""
    
    # How many saslauthd processes should we run? (default: 5)
    # A value of 0 will fork a new process for each connection.
    THREADS=5
    
    # Other options (default: -c -m /var/run/saslauthd)
    # Note: You MUST specify the -m option or saslauthd won't run!
    #
    # See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
    # See the saslauthd man page for general information about these options.
    #
    # Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
    #OPTIONS="-c -m /var/run/saslauthd" -r
    OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"
    
     
  13. openman

    openman New Member

    Any suggestions?
     
  14. _X_

    _X_ New Member

    whats the result of:
    telnet localhost 25
    ehlo localhost
    ?
     
  15. openman

    openman New Member

    Code:
    telnet localhost 25
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    220 galinos.xxx.xxx ESMTP Postfix (Ubuntu)
    ehlo example.domain.com
    250-galinos.xxx.xxx
    250-PIPELINING
    250-SIZE 10240000
    250-ETRN
    250-STARTTLS
    250-AUTH NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
    250-AUTH=NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    
    Why does it show all these authentication methods?
     
  16. _X_

    _X_ New Member

    just now i have noticed that on output of saslfinger on first post

    -- mechanisms on localhost --
    250-AUTH NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
    250-AUTH=NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
     
  17. _X_

    _X_ New Member

    check /etc/postfix/sasl/smtpd.conf
    for:
    pwcheck_method: saslauthd
    mech_list: plain login
     
  18. openman

    openman New Member

    Code:
    root@galinos:~# more /etc/postfix/sasl/smtpd.conf
    pwcheck_method: saslauthd
    mech_list: plain login
    log_level: 10
    allow_plaintext: true
    root@galinos:~#
    
    how can it be possible with the above?
     
  19. _X_

    _X_ New Member

    try to post result of:
    postconf -n
     
  20. _X_

    _X_ New Member

    and
    postconf -d
     

Share This Page