Postfix SASL authentication

Discussion in 'Server Operation' started by spiffydudex, Jul 6, 2009.

  1. spiffydudex

    spiffydudex New Member

    I have set up a virtual user Postfix server and I have one error holding me back from completion. Currently I cannot send an email out of the mail server with an email client. Authentication with SASL fails. I have been browsing forums for the better part of a few hours and trying different things. So it's time to make a post.

    IMAP works via squirrelmail
    Can send mail via telnet
    Can send test email to self with mail client (no SMTP sasl authentication)

    Installed with maybe a few others that I can't remember
    Code:
    Postfix
    courier-imap
    courier-pop3
    courier-imap-ssl
    courier-pop3-ssl
    squirrelmail
    clamav
    amavis
    spamassassin
    Mysql
    
    Here is the error I am receiving
    Code:
    Jul  6 16:08:14 sulu postfix/smtpd[6041]: xsasl_cyrus_server_auth_response: uncoded server challenge: nonce="4cCeKDDhgQ8hlJFlxqPXv4h20q/4x8fJ6MA7RWp6WOI=",realm="esatech.com",qop="auth",charset=utf-8,algorithm=md5-sess
    Jul  6 16:08:14 sulu postfix/smtpd[6041]: > unknown[206.255.245.47]: 334 bm9uY2U9IjRjQ2VLRERoZ1E4aGxKRmx4cVBYdjRoMjBxLzR4OGZKNk1BN1JXcDZXT0k9IixyZWFsbT0iZXNhdGVjaC5jb20iLHFvcD0iYXV0aCIsY2hhcnNldD11dGYtOCxhbGdvcml0aG09bWQ1LXNlc3M=
    Jul  6 16:08:14 sulu postfix/smtpd[6041]: < unknown[206.255.245.47]: dXNlcm5hbWU9ImFhbG9pYSIscmVhbG09ImVzYXRlY2guY29tIixub25jZT0iNGNDZUtERGhnUThobEpGbHhxUFh2NGgyMHEvNHg4Zko2TUE3UldwNldPST0iLGRpZ2VzdC11cmk9InNtdHAvc3VsdS5lc2F0ZWNoLmNvbSIsY25vbmNlPSJhMGE0ZGM0NzE5M2Q3M2U4ZmZjYTVkMzk4OWMxNTU5ZiIsbmM9MDAwMDAwMDEscmVzcG9uc2U9MWQ1ZjMwNTQ5NTY1MzMyY2I2ZGM2YjkxYzc2MjRiNGIscW9wPWF1dGgsY2hhcnNldD11dGYtOA==
    Jul  6 16:08:14 sulu postfix/smtpd[6041]: xsasl_cyrus_server_next: decoded response: username="aaloia",realm="esatech.com",nonce="4cCeKDDhgQ8hlJFlxqPXv4h20q/4x8fJ6MA7RWp6WOI=",digest-uri="smtp/sulu.esatech.com",cnonce="a0a4dc47193d73e8ffca5d3989c1559f",nc=00000001,response=1d5f30549565332cb6dc6b91c7624b4b,qop=auth,charset=utf-8
    Jul  6 16:08:14 sulu postfix/smtpd[6041]: warning: SASL authentication failure: client response doesn't match what we generated
    Jul  6 16:08:14 sulu postfix/smtpd[6041]: warning: unknown[206.255.245.47]: SASL DIGEST-MD5 authentication failed: authentication failure
    Jul  6 16:08:14 sulu postfix/smtpd[6041]: > unknown[206.255.245.47]: 535 5.7.8 Error: authentication failed: authentication failure
    Jul  6 16:08:14 sulu postfix/smtpd[6041]: < unknown[206.255.245.47]: AUTH LOGIN
    Jul  6 16:08:14 sulu postfix/smtpd[6041]: xsasl_cyrus_server_first: sasl_method LOGIN
    Jul  6 16:08:14 sulu postfix/smtpd[6041]: xsasl_cyrus_server_auth_response: uncoded server challenge: Username:
    Jul  6 16:08:14 sulu postfix/smtpd[6041]: > unknown[206.255.245.47]: 334 VXNlcm5hbWU6
    Jul  6 16:08:14 sulu postfix/smtpd[6041]: < unknown[206.255.245.47]: YWFsb2lhQGVzYXRlY2guY29t
    Jul  6 16:08:14 sulu postfix/smtpd[6041]: xsasl_cyrus_server_next: decoded response: [email protected]
    Jul  6 16:08:14 sulu postfix/smtpd[6041]: xsasl_cyrus_server_auth_response: uncoded server challenge: Password:
    Jul  6 16:08:14 sulu postfix/smtpd[6041]: > unknown[206.255.245.47]: 334 UGFzc3dvcmQ6
    Jul  6 16:08:14 sulu postfix/smtpd[6041]: < unknown[206.255.245.47]: YW5keWF0d29yaw==
    Jul  6 16:08:14 sulu postfix/smtpd[6041]: xsasl_cyrus_server_next: decoded response: PASSWORD
    Jul  6 16:08:14 sulu postfix/smtpd[6041]: warning: unknown[206.255.245.47]: SASL LOGIN authentication failed: authentication failure
    Jul  6 16:08:14 sulu postfix/smtpd[6041]: > unknown[206.255.245.47]: 535 5.7.8 Error: authentication failed: authentication failure
    Jul  6 16:08:14 sulu postfix/smtpd[6041]: smtp_get: EOF
    


    Main.cf
    Code:
    biff = no
    content_filter = amavis:[127.0.0.1]:10024
    append_dot_mydomain = no
    delay_warning_time = 4h
    maximal_queue_lifetime = 7d
    minimal_backoff_time = 1000s
    maximal_backoff_time = 8000s
    smtp_helo_timeout = 60s
    unknown_local_recipient_reject_code = 450
    
    readme_directory = no
    myhostname = sulu.esatech.com
    myorigin = /etc/mailname
    mydestination = esatech.com, sulu.esatech.com, localhost, localhost.localdomain
    local_recipient_maps =
    relayhost =
    mynetworks = 127.0.0.0/8, 192.168.42.0/24, 12.17.49.0/24
    mailbox_command = procmail -a "$EXTENSION"
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    mynetworks_style = host
    disable_vrfy_command = yes
    
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_banner = $myhostname ESMTP $mail_name
    smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, permit
    smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_pipelining, permit
    smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl, reject_rbl_client dnsbl.njabl.org
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, permit
    smtpd_helo_required = yes
    smtpd_delay_reject = yes
    smtpd_recipient_limit = 16
    smtpd_soft_error_limit = 3
    smtpd_hard_error_limit = 12
    smtpd_sasl_path = smtpd
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_local_domain = esatech.com
    
    alias_maps = hash:/etc/postfix/aliases
    alias_database = hash:/etc/postfix/aliases
    
    virtual_mailbox_base = /var/spool/mail/virtual
    virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf
    virtual_uid_maps = mysql:/etc/postfix/mysql_uid.cf
    virtual_gid_maps = mysql:/etc/postfix/mysql_gid.cf
    virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf
    virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf
    
    # TLS parameters
    #smtp_use_tls = no
    smtp_tls_security_level = may
    #smtp_use_tls = yes
    smtp_tls_note_starttls_offer = yes
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s 
    tls_random_source = dev:/dev/urandom 
    smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
    smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
    smtpd_use_tls=yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    
    Master.cf
    Code:
    # ==========================================================================
    # service type  private unpriv  chroot  wakeup  maxproc command + args
    #               (yes)   (yes)   (yes)   (never) (100)
    # ==========================================================================
    smtp	   inet  n       -       -       -       -       smtpd -v
    submission inet n       -       -       -       -       smtpd
      -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_tls_security_level=encrypt
      -o smtpd_tls_auth_only=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
      -o smtpd_sasl_security_options=noanonymous,noplaintext
      -o smtpd_sasl_tls_security_options=noanonymous
    #  -o milter_macro_daemon_name=ORIGINATING
    smtps     inet  n       -       -       -       -       smtpd
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      -o smtpd_sasl_security_options=noanonymous,noplaintext
      -o smtpd_sasl_tls_security_options=noanonymous
    #  -o milter_macro_daemon_name=ORIGINATING
    #628      inet  n       -       -       -       -       qmqpd
    pickup    fifo  n       -       -       60      1       pickup
    	-o content_filter= 
    	-o receive_override_options=no_header_body_checks
    cleanup   unix  n       -       -       -       0       cleanup
    qmgr      fifo  n       -       n       300     1       qmgr
    #qmgr     fifo  n       -       -       300     1       oqmgr
    tlsmgr    unix  -       -       -       1000?   1       tlsmgr
    rewrite   unix  -       -       -       -       -       trivial-rewrite
    bounce    unix  -       -       -       -       0       bounce
    defer     unix  -       -       -       -       0       bounce
    trace     unix  -       -       -       -       0       bounce
    verify    unix  -       -       -       -       1       verify
    flush     unix  n       -       -       1000?   0       flush
    proxymap  unix  -       -       n       -       -       proxymap
    proxywrite unix -       -       n       -       1       proxymap
    smtp      unix  -       -       -       -       -       smtp
    # When relaying mail as backup MX, disable fallback_relay to avoid MX loops
    relay     unix  -       -       -       -       -       smtp
    	-o smtp_fallback_relay=
    #       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
    showq     unix  n       -       -       -       -       showq
    error     unix  -       -       -       -       -       error
    retry     unix  -       -       -       -       -       error
    discard   unix  -       -       -       -       -       discard
    local     unix  -       n       n       -       -       local
    virtual   unix  -       n       n       -       -       virtual
    lmtp      unix  -       -       -       -       -       lmtp
    anvil     unix  -       -       -       -       1       anvil
    scache    unix  -       -       -       -       1       scache
    #
    # ====================================================================
    # Interfaces to non-Postfix software. Be sure to examine the manual
    # pages of the non-Postfix software to find out what options it wants.
    #
    # Many of the following services use the Postfix pipe(8) delivery
    # agent.  See the pipe(8) man page for information about ${recipient}
    # and other message envelope options.
    # ====================================================================
    #
    # maildrop. See the Postfix MAILDROP_README file for details.
    # Also specify in main.cf: maildrop_destination_recipient_limit=1
    #
    maildrop  unix  -       n       n       -       -       pipe
      flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
    #
    # See the Postfix UUCP_README file for configuration details.
    #
    uucp      unix  -       n       n       -       -       pipe
      flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
    #
    # Other external delivery methods.
    #
    ifmail    unix  -       n       n       -       -       pipe
      flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
    bsmtp     unix  -       n       n       -       -       pipe
      flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
    scalemail-backend unix	-	n	n	-	2	pipe
      flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
    mailman   unix  -       n       n       -       -       pipe
      flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
      ${nexthop} ${user}
    #
    amavis	unix	-	-	-	-	2	smtp 
    	-o smtp_data_done_timeout=1200 
    	-o smtp_send_xforward_command=yes 
    	-o disable_dns_lookups=yes 
    	-o max_use=20
    #
    127.0.0.1:10025	inet	n	-	-	-	-	smtpd
    	-o content_filter=
    	-o local_recipient_maps=
    	-o relay_recipient_maps=
    	-o smtpd_restriction_classes=
    	-o smtpd_delay_reject=no
    	-o smtpd_client_restrictions=permit_mynetworks,reject
    	-o smtpd_helo_restrictions=
    	-o smtpd_sender_restrictions=
    	-o smtpd_recipient_restrictions=permit_mynetworks,reject
    	-o smtpd_data_restrictions=reject_unauth_pipelining
    	-o smtpd_end_of_data_restrictions=
    	-o mynetworks=127.0.0.0/8
    	-o smtpd_error_sleep_time=0
    	-o smtpd_soft_error_limit=1001
    	-o smtpd_hard_error_limit=1000
    
    SASL smtpd.conf
    Code:
    pwcheck_method: auxprop
    auxprop_plugin: sql
    mech_list: plain login cram-md5 digest-md5
    sql_engine: mysql
    sql_hostnames: 127.0.0.1
    sql_user: mail
    sql_passwd: PASSWORD
    sql_database: mail
    sql_select: select crypt from users where id='%u@%r' and enabled = 1
    allowanonymouslogin: no
    allowplaintext: yes
    
    Any input would be very helpful, Thanks

    Andy
     
    Last edited: Jul 6, 2009
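The smtpd -v trace above ends in "client response doesn't match what we generated" for DIGEST-MD5 while smtpd.conf's sql_select hands libsasl the crypt column. The following is an added illustration, not code from the thread or from Postfix or Cyrus SASL: it carries the RFC 2831 computation through with the nonce, realm and digest-uri copied from that log and a constructed password, and models the server side that recomputes the response. It shows that the verifier needs the plaintext password (a one-way hash stored for the user can never match), and that a realm in the response differing from the challenged one is refused before the secret is consulted, which is the "realm changed: authentication aborted" warning that appears later in the thread.

```python
import hashlib
import hmac
import re
import secrets

# Challenge and digest-uri copied from the decoded smtpd -v lines in the first
# post; the password is a constructed placeholder, not the poster's.
CHALLENGE = ('nonce="4cCeKDDhgQ8hlJFlxqPXv4h20q/4x8fJ6MA7RWp6WOI=",'
             'realm="esatech.com",qop="auth",charset=utf-8,algorithm=md5-sess')
DIGEST_URI = "smtp/sulu.esatech.com"
PASSWORD = "constructed-password"

def parse_sasl_params(text):
    """Parse the comma-separated key=value / key="value" list DIGEST-MD5 uses."""
    return {k: quoted or bare for k, quoted, bare in
            re.findall(r'([\w-]+)=(?:"([^"]*)"|([^,]*))', text)}

def digest_md5_response(user, realm, password, nonce, cnonce, nc, uri, qop="auth"):
    """RFC 2831 response-value for algorithm=md5-sess, qop=auth."""
    h = lambda b: hashlib.md5(b).hexdigest()
    # A1 starts with the *binary* MD5(user:realm:password): the only place the
    # password enters, so whoever verifies must be able to recompute it.
    a1 = hashlib.md5(f"{user}:{realm}:{password}".encode()).digest()
    a1 += f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{uri}".encode()
    return h(f"{h(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{h(a2)}".encode())

def client_respond(user, password, challenge, uri, cnonce=None):
    """Build the client's decoded response, the fields smtpd -v prints after decoding."""
    p = parse_sasl_params(challenge)
    cnonce, nc = cnonce or secrets.token_hex(16), "00000001"
    resp = digest_md5_response(user, p["realm"], password, p["nonce"], cnonce, nc, uri, p["qop"])
    return {"username": user, "realm": p["realm"], "nonce": p["nonce"], "digest-uri": uri,
            "cnonce": cnonce, "nc": nc, "response": resp, "qop": p["qop"]}

def server_verify(resp, challenge, lookup):
    """Server side; lookup(user, realm) must return the *plaintext* password or None."""
    p = parse_sasl_params(challenge)
    if resp["realm"] != p["realm"]:
        return False        # libsasl: "realm changed: authentication aborted"
    if resp["nonce"] != p["nonce"]:
        return False        # answer to a different (or replayed) challenge
    secret = lookup(resp["username"], resp["realm"])
    if secret is None:
        return False        # no row for '%u@%r' with enabled = 1
    expected = digest_md5_response(resp["username"], resp["realm"], secret, resp["nonce"],
                                   resp["cnonce"], resp["nc"], resp["digest-uri"], resp["qop"])
    return hmac.compare_digest(expected, resp["response"])  # else: "doesn't match what we generated"

# Constructed password tables: plaintext, and a one-way hash standing in for the
# `crypt` column that the first post's sql_select returns.
PLAIN = {("aaloia", "esatech.com"): PASSWORD}
HASHED = {k: hashlib.sha256(v.encode()).hexdigest() for k, v in PLAIN.items()}

def demo():
    """(verifies against plaintext table, verifies against hashed table) -> (True, False)."""
    r = client_respond("aaloia", PASSWORD, CHALLENGE, DIGEST_URI)
    return (server_verify(r, CHALLENGE, lambda u, d: PLAIN.get((u, d))),
            server_verify(r, CHALLENGE, lambda u, d: HASHED.get((u, d))))
```

With hashed password storage the mechanisms that can still work are PLAIN and LOGIN, which the submission service above already confines to TLS through smtpd_tls_auth_only=yes and noplaintext. The port 25 smtpd inherits only noanonymous from main.cf, so there those mechanisms are also accepted on unencrypted sessions.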
  2. bschultz

    bschultz Member

    I'm getting one too...while I tried to SEND from a different server to an account on my server...

    Code:
    Jul  6 21:34:44 mail postfix/smtpd[28254]: connect from ex18.ips.paulbunyan.net[myipaddress]
    Jul  6 21:34:44 mail postfix/smtpd[28254]: warning: SASL authentication problem: unknown password verifier 
    Jul  6 21:34:44 mail postfix/smtpd[28254]: warning: ex18.ips.paulbunyan.net[myipaddress]: SASL LOGIN authentication failed: no mechanism available
    Jul  6 21:34:44 mail postfix/smtpd[28254]: lost connection after AUTH from ex18.ips.paulbunyan.net[myipaddress]
    Jul  6 21:34:44 mail postfix/smtpd[28254]: disconnect from ex18.ips.paulbunyan.net[209.191.214.18]
    Jul  6 21:34:45 mail postfix/smtpd[28254]: connect from ex18.ips.paulbunyan.net[myipaddress]
    Jul  6 21:34:45 mail postfix/smtpd[28254]: warning: SASL authentication problem: unknown password verifier 
    Jul  6 21:34:45 mail postfix/smtpd[28254]: warning: ex18.ips.paulbunyan.net[209.191.214.18]: SASL LOGIN authentication failed: no mechanism available
    Jul  6 21:34:45 mail postfix/smtpd[28254]: lost connection after AUTH from ex18.ips.paulbunyan.net[209.191.214.18]
    Jul  6 21:34:45 mail postfix/smtpd[28254]: disconnect from ex18.ips.paulbunyan.net[myipaddress]
    Jul  6 21:34:46 mail postfix/smtpd[28254]: connect from ex18.ips.paulbunyan.net[myipaddress]
    Jul  6 21:34:46 mail postfix/smtpd[28254]: warning: SASL authentication problem: unknown password verifier 
    Jul  6 21:34:46 mail postfix/smtpd[28254]: warning: ex18.ips.paulbunyan.net[myipaddress]: SASL LOGIN authentication failed: no mechanism available
    Jul  6 21:34:46 mail postfix/smtpd[28254]: lost connection after AUTH from ex18.ips.paulbunyan.net[myipaddress]
    Jul  6 21:34:46 mail postfix/smtpd[28254]: disconnect from ex18.ips.paulbunyan.net[myipaddress]
    
     
  3. Mark_NL

    Mark_NL New Member

    what's in your /etc/postfix/sasl/smtpd.conf ?
     
  4. bschultz

    bschultz Member

    Code:
    pwcheck_method: saslauthd
    mech_list: plain login
    allowplaintext: yes
    auxprop_plugin: mysql
    sql_hostnames: 127.0.0.1
    sql_user: mail_admin
    sql_passwd: mysqlpassword
    sql_database: mail
    sql_select: select password from users where email = '%u'
    
    The account I saw the error on last night is getting emails...but I tried to send that account one (from my work webmail account) and the mail got bounced back with a "permanent error" account doesn't exist message.

    Thanks for the help!
     
  5. Mark_NL

    Mark_NL New Member

    Code:
    Jul  6 21:34:44 mail postfix/smtpd[28254]: warning: SASL authentication problem: unknown password verifier
    It doesn't recognise the pwcheck method you specified in smtpd.conf, so I don't think you've installed or have saslauthd running .. if you use auxprop you should specify it as pwcheck_method, so change that line to:

    pwcheck_method: auxprop

    and restart postfix and any other related service to it :)
     
  6. bschultz

    bschultz Member

    I followed the Falko tutorial on virtual users and domains using Postfix...and all files appear to be ok.

    Code:
    telnet localhost 25
    ehlo localhost
    
    produced this:

    But...I just noticed that the domain name there is NOT the domain name of the server. It is one of my domains...but it's not the server name. I'll do some digging.
     
  7. bschultz

    bschultz Member

    I changed the server name in /etc/postfix/main.cf and re-ran the telnet localhost 25 command. It now showed the server's name...but an email to this account still failed.
     
  8. Mark_NL

    Mark_NL New Member

    /etc/mailname should say the same as "sulu.esatech.com"

    but did you change the pwcheck_method ??
    or could you post the link of the how to you followed?
     
  9. bschultz

    bschultz Member

  10. spiffydudex

    spiffydudex New Member

    Yes, I double checked and the mailname is stated as sulu.esatech.com
    but to ensure that it is set, I have set the myorigin in the main.cf to be sulu.esatech.com.

    I have flat-out rebooted the machine to ensure that all of the daemons are picking up the new config files.

    I used a different tutorial than the HowtoForge one. I have seen this guy referred to several times on the Ubuntu forums.
    http://flurdy.com/docs/postfix/

    I really don't want to start over and use a new tutorial, as the only thing that is left is the SASL authentication for out of network users.

    After some more playing with the server, I now get this error. I'm not really sure what it means.
    Code:
    warning: SASL authentication failure: realm changed: authentication aborted
    
     
    Last edited: Jul 7, 2009
  11. spiffydudex

    spiffydudex New Member

    Ok, I have gone through one of the tutorials here on HowtoForge.

    Now I am getting the error of

    Code:
     warning: xxx.xxx.xxx.xx: hostname hxxx.xxx.xxx.xxx.static.lngv.cablelynx.com verification failed: Name or service not known
    
    Can anyone shed some light on this?
     
    Last edited: Jul 9, 2009
  12. Mark_NL

    Mark_NL New Member

    The thing is, I've followed A LOT of how-tos here on HowtoForge, and they ALWAYS work ..
    when they didn't it was just something I overlooked in the how-to ..

    The most strange errors come up when that happens, and people tend to rush through the how-to again, and will miss it again .. and jump from one to another error.

    So I suggest you grab some coffee, and go through the how-to step by step, take your time and triple check everything :)

    btw. the above warning is normal .. when you do this you'll understand:

    host xxx.xxx.xxx.xx

    that'll return a hostname, but when you do:

    host <hostname>

    you'll get a not found :)
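Mark_NL's host-then-host explanation is the forward-confirmed reverse DNS check that smtpd performs on every connecting client. Here is an added model of that check, not Postfix code, run over constructed zone data (documentation-range addresses): a PTR that points at a name with no A record yields the "verification failed: Name or service not known" warning and a client logged as unknown[ip], exactly as in the earlier traces.

```python
import ipaddress

# Constructed zone data in place of live DNS (documentation-range addresses).
# 203.0.113.45 has a PTR, but the name it yields has no A record: the case
# Mark_NL describes ("host <ip>" answers, "host <hostname>" is not found).
PTR = {"203.0.113.45": "h203.0.113.45.static.example.net",
       "203.0.113.9": "mail.example.net",
       "203.0.113.77": "mail.example.net"}   # name exists but maps elsewhere
A = {"mail.example.net": {"203.0.113.9"}}

def reverse_lookup(ip):
    return PTR.get(ip)

def forward_lookup(name):
    return A.get(name, set())

def classify_client(ip, reverse=reverse_lookup, forward=forward_lookup):
    """Return (name_to_log, note) the way smtpd(8) chooses between name[ip]
    and unknown[ip]: the PTR name must resolve forward to the same ip."""
    ipaddress.ip_address(ip)                 # refuse malformed input up front
    name = reverse(ip)
    if name is None:
        return "unknown", "no PTR record"
    addrs = forward(name)
    if not addrs:                            # the warning quoted in post 11
        return "unknown", f"hostname {name} verification failed: Name or service not known"
    if ip not in addrs:
        return "unknown", f"hostname {name} does not resolve to address {ip}"
    return name, "forward-confirmed"

def log_prefix(ip):
    """The client label as it appears in the logs above, e.g. unknown[203.0.113.45]."""
    name, _ = classify_client(ip)
    return f"{name}[{ip}]"
```

The warning by itself rejects nothing; it only turns into a rejection when a restriction such as reject_unknown_client_hostname or reject_unknown_reverse_client_hostname is in use.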
     
  13. spiffydudex

    spiffydudex New Member

    The thing is that I have a failing mail server on another box with about 300 addresses, using Postfixadmin. This is the 3rd tutorial I have tried... needless to say, my brain is fried.
    I ran through the tutorial for Ubuntu 9.04.
    Copied and pasted all of the commands into PuTTY, ran everything, changing the Postfix and MySQL options for my server.

    http://www.howtoforge.com/virtual-users-domains-postfix-courier-mysql-squirrelmail-ubuntu9.04

    I'll look through the tutorial again and make sure that all of my conf files are as the tutorial suggests.


    That error happened when I was trying to send mail via smtp.
     
    Last edited: Jul 9, 2009
  14. Mark_NL

    Mark_NL New Member

    Hehe, I know the feeling .. I've just migrated an ispconfig2 server from running on a dirty pivot_root trick server to a fresh new server. Running a Xen instance on a DRBD disc for HA .. but I did want to use the latest ispconfig version and ofc that db has minor changes, so had to move stuff around a lot (manually) .. at some point you're just getting one brainfart after the other :)

    It's crucial that you don't mix how-tos up .. every author has their own way of setting things up .. HowtoForge how-tos are good, stick with them.

    good luck and let me know how it works out :)
     
  15. spiffydudex

    spiffydudex New Member

    Well all is working.

    I just re-copied all of the postfix -e commands by default. Then went back and changed what I needed to. Lo and behold it worked. Not entirely sure what caused the problem. Well, at least it works :)

    Yeah, as far as mixing tutorials, I completely scrapped the last install and started fresh with this tutorial.
     
    Last edited: Jul 9, 2009
