postfix saslauthd, Please! help (going nuts)

Discussion in 'HOWTO-Related Questions' started by telmathedog, Sep 1, 2010.

  1. telmathedog

    telmathedog New Member

    Hello all.

    This is driving me nuts...

    I have originally followed tutorial (not in all details) and succeeded in making a system work with virtual users and alias. The system could receive mail and only let inside the mail where they were addressed to some mailbox in the mailbox-table.
    Everything worked fine.

    Now, I wanted to add simple "LOGIN"/"PLAIN" smtp auth... (no TLS)

    I tried the first guide again but couldn't get it to work. Then I started reading Falkos guides (tnx), but same problems.

    I seem to have one general problem:

    The conf-file /etc/postfix/sasl/smtpd.conf does not seem to be used.

    I can put whatever inside it but gets no errors for this.

    When testing with testsaslauthd like:

    testsaslauthd -u [email protected] -p mailpassword -s smtp

    I get the following in auth.log:
    Sep 1 13:36:38 CR41539-1 saslauthd[3030]: pam_unix(smtp:auth): check pass; user unknown
    Sep 1 13:36:38 CR41539-1 saslauthd[3030]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Sep 1 13:36:40 CR41539-1 saslauthd[3030]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
    Sep 1 13:36:40 CR41539-1 saslauthd[3030]: do_auth : auth failure: [[email protected]] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]

    I know that its reading the mailbox due to the mysql.log:
    100901 13:36:38 151 Connect [email protected] on db
    151 Init DB db
    151 Query SELECT password FROM mailbox WHERE username = '[email protected]'
    100901 13:36:40 151 Quit
    (Also, if I test and change the select in /etc/pam.d/smtp to a one that I know is not working, I get a line about that in auth.log, so it really seems to look into the mailbox table.)

    So something happens, but the auth in testsaslauthd does not succeed.

    Then, another strange thing is; when I test to telnet (from pc) to the system like

    telnet 2525

    the auth.log immediately states:
    Sep 1 13:39:11 CR41539-1 postfix/smtpd[6392]: sql_select option missing
    Sep 1 13:39:11 CR41539-1 postfix/smtpd[6392]: auxpropfunc error no mechanism available
    Sep 1 13:39:11 CR41539-1 postfix/smtpd[6392]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql

    Then, if I proceed the telnet session with AUTH LOGIN etc.:

    auth login
    334 VXNlcm5hbWU6
    334 UGFzc3dvcmQ6
    535 5.7.8 Error: authentication failed: authentication failure

    (I just entered some bogus base64 strings (actually Username: and Password:))
    there is _no more_ rows output in auth.log, and there is either nothing selected from the mysql-db. It doesn't seem to make any attempt to authenticate or even look up anything in db...? (Problem!)

    Please take some time and give me a hint. I have tried so many different things; tried to cp -p the /etc/postfix/sasl/smtpd.conf to /usr/lib/sasl2 because I did read about a bug making postfix not to read /etc/postfix/sasl/smtpd.conf by default; started out with etch and upgraded to lenny; tried to run postfix in non chrooted env., every attempt gives same log result as above.

    My system is upgraded to latest Lenny.

    Here comes the appropriate conf-files: (sorry if I put them in wrong format)
    (I have changed some host specific info. to more generel ones like etc.)

    # ==========================================================================
    # service type private unpriv chroot wakeup maxproc command + args
    # (yes) (yes) (yes) (never) (100)
    # ==========================================================================
    smtp inet n - - - - smtpd
    #submission inet n - - - - smtpd
    # -o smtpd_etrn_restrictions=reject
    #628 inet n - - - - qmqpd
    pickup fifo n - - 60 1 pickup
    cleanup unix n - - - 0 cleanup
    qmgr fifo n - - 300 1 qmgr
    #qmgr fifo n - - 300 1 oqmgr
    rewrite unix - - - - - trivial-rewrite
    bounce unix - - - - 0 bounce
    defer unix - - - - 0 bounce
    trace unix - - - - 0 bounce
    verify unix - - - - 1 verify
    flush unix n - - 1000? 0 flush
    proxymap unix - - n - - proxymap
    smtp unix - - - - - smtp
    relay unix - - - - - smtp
    # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
    showq unix n - - - - showq
    error unix - - - - - error
    local unix - n n - - local
    virtual unix - n n - - virtual
    lmtp unix - - n - - lmtp
    anvil unix - - n - 1 anvil
    # Interfaces to non-Postfix software. Be sure to examine the manual
    # pages of the non-Postfix software to find out what options it wants.
    # maildrop. See the Postfix MAILDROP_README file for details.
    maildrop unix - n n - - pipe
    flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
    uucp unix - n n - - pipe
    flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
    ifmail unix - n n - - pipe
    flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
    bsmtp unix - n n - - pipe
    flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -d -t$nexthop -f$sender $recipient
    scalemail-backend unix - n n - 2 pipe
    flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}

    # only used by postfix-tls
    #tlsmgr fifo - - n 300 1 tlsmgr
    #smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
    #587 inet n - n - - smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
    2525 inet n - n - - smtpd
    tlsmgr unix - - - 1000? 1 tlsmgr
    scache unix - - - - 1 scache
    discard unix - - - - - discard
    retry unix - - - - - error

    # See /usr/share/postfix/ for a commented, more complete version

    smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
    biff = no

    # appending .domain is the MUA's job.
    append_dot_mydomain = no

    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h

    home_mailbox = Maildir/
    #myhostname = localhost
    myhostname =
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    relayhost =
    mynetworks =
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all

    debug_peer_list =
    debug_peer_level = 2

    virtual_mailbox_domains = /etc/postfix/vhosts
    virtual_mailbox_base = /home/vmail
    virtual_minimum_uid = 5000
    virtual_uid_maps = static:5000
    virtual_gid_maps = static:5000
    virtual_alias_maps = mysql:/etc/postfix/
    virtual_mailbox_maps = mysql:/etc/postfix/
    virtual_mailbox_limit = 51200000
    virtual_transport = virtual

    # Additional for quota support

    virtual_create_maildirsize = yes
    virtual_mailbox_extended = yes
    virtual_mailbox_limit_maps = mysql:/etc/postfix/
    virtual_mailbox_limit_override = yes
    virtual_maildir_limit_message = Sorry, the your maildir has overdrawn your diskspace quota, please free up some of spaces of your mailbox try again.
    virtual_overquota_bounce = yes

    smtpd_recipient_restrictions = reject_unauth_pipelining, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, permit

    smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit

    smtpd_sasl_type = cyrus
    cyrus_sasl_config_path = /etc/postfix/sasl
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_path = /etc/postfix/sasl:/usr/lib/sasl2
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_local_domain =
    smtpd_sasl_authenticated_header = yes

    smtpd_client_restrictions = permit_sasl_authenticated, rejectreadme_directory = /usr/share/doc/postfix
    html_directory = /usr/share/doc/postfix/html

    /etc/init.d/postfix (only added files to the FILES loop)
    #!/bin/sh -e

    # Start or stop Postfix
    # LaMont Jones <[email protected]>
    # based on sendmail's init.d script

    # Provides: postfix mail-transport-agent
    # Required-Start: $local_fs $remote_fs $syslog $named $network $time
    # Required-Stop: $local_fs $remote_fs $syslog $named $network
    # Should-Start: postgresql mysql clamav-daemon postgrey spamassassin
    # Should-Stop: postgresql mysql clamav-daemon postgrey spamassassin
    # Default-Start: 2 3 4 5
    # Default-Stop: 0 1 6
    # Short-Description: start and stop the Postfix Mail Transport Agent
    # Description: postfix is a Mail Transport agent

    unset TZ

    # Defaults - don't touch, edit /etc/default/postfix

    test -f /etc/default/postfix && . /etc/default/postfix

    test -x $DAEMON && test -f /etc/postfix/ || exit 0

    . /lib/lsb/init-functions
    #DISTRO=$(lsb_release -is 2>/dev/null || echo Debian)

    running() {
    queue=$(postconf -h queue_directory 2>/dev/null || echo /var/spool/postfix)
    if [ -f ${queue}/pid/ ]; then
    pid=$(sed 's/ //g' ${queue}/pid/
    # what directory does the executable live in. stupid prelink systems.
    dir=$(ls -l /proc/$pid/exe 2>/dev/null | sed 's/.* -> //; s/\/[^\/]*$//')
    if [ "X$dir" = "X/usr/lib/postfix" ]; then
    echo y

    case "$1" in
    log_daemon_msg "Starting Postfix Mail Transport Agent" postfix
    if [ -n "$RUNNING" ]; then
    log_end_msg 0
    # if you set myorigin to '' or '', it's wrong, and annoys the admins of
    # those domains. See also sender_canonical_maps.

    MYORIGIN=$(postconf -h myorigin | tr 'A-Z' 'a-z')
    if [ "X${MYORIGIN#/}" != "X${MYORIGIN}" ]; then
    MYORIGIN=$(tr 'A-Z' 'a-z' < $MYORIGIN)
    if [ "X$MYORIGIN" = ] || [ "X$MYORIGIN" = ]; then
    log_failure_msg "Invalid \$myorigin ($MYORIGIN), refusing to start"
    log_end_msg 1
    exit 1

    # see if anything is running chrooted.
    NEED_CHROOT=$(awk '/^[0-9a-z]/ && ($5 ~ "[-yY]") { print "y"; exit}' /etc/postfix/

    if [ -n "$NEED_CHROOT" ] && [ -n "$SYNC_CHROOT" ]; then
    # Make sure that the chroot environment is set up correctly.
    umask 022
    cd $(postconf -h queue_directory)

    # if we're using tls, then we need to add etc/ssl/certs/ca-certificates.crt.
    smtp_use_tls=$(postconf -h smtp_use_tls)
    smtpd_use_tls=$(postconf -h smtpd_use_tls)
    if [ "X$smtp_use_tls" = "Xyes" -o "X$smtpd_use_tls" = "Xyes" ]; then
    if [ -f "/etc/ssl/certs/ca-certificates.crt" ]; then
    mkdir -p etc/ssl/certs
    cp /etc/ssl/certs/ca-certificates.crt etc/ssl/certs/

    # if we're using unix:passwd.byname, then we need to add etc/passwd.
    local_maps=$(postconf -h local_recipient_maps)
    if [ "X$local_maps" != "X${local_maps#*unix:passwd.byname}" ]; then
    if [ "X$local_maps" = "X${local_maps#*proxy:unix:passwd.byname}" ]; then
    sed 's/^\([^:]*\):[^:]*/\1:x/' /etc/passwd > etc/passwd
    chmod a+r etc/passwd

    FILES="etc/localtime etc/services etc/resolv.conf etc/hosts \
    etc/nsswitch.conf etc/nss_mdns.config etc/postfix/sasl/smtpd.conf etc/sasldb2"
    for file in $FILES; do
    [ -d ${file%/*} ] || mkdir -p ${file%/*}
    if [ -f /${file} ]; then rm -f ${file} && cp /${file} ${file}; fi
    if [ -f ${file} ]; then chmod a+rX ${file}; fi
    rm -f usr/lib/zoneinfo/localtime
    mkdir -p usr/lib/zoneinfo
    ln -sf /etc/localtime usr/lib/zoneinfo/localtime
    rm -f lib/libnss_*so*
    tar cf - /lib/libnss_*so* 2>/dev/null |tar xf -
    umask $oldumask

    if start-stop-daemon --start --exec ${DAEMON} -- quiet-quick-start; then
    log_end_msg 0
    log_end_msg 1

    log_daemon_msg "Stopping Postfix Mail Transport Agent" postfix
    if [ -n "$RUNNING" ]; then
    if ${DAEMON} quiet-stop; then
    log_end_msg 0
    log_end_msg 1
    log_end_msg 0

    $0 stop
    $0 start

    log_action_begin_msg "Reloading Postfix configuration"
    if ${DAEMON} quiet-reload; then
    log_action_end_msg 0
    log_action_end_msg 1

    if [ -n "$RUNNING" ]; then
    log_success_msg "postfix is running"
    exit 0
    log_success_msg "postfix is not running"
    exit 3

    ${DAEMON} $1

    log_action_msg "Usage: /etc/init.d/postfix {start|stop|restart|reload|flush|check|abort|force-reload}"
    exit 1

    exit 0

    (As said above, I don't think there as any deamon reading this file...)
    pwcheck_method: saslauthd
    auxprop_plugin: sql
    log_level: 7
    allow_plaintext: true
    mech_list: plain login
    sql_engine: mysql
    sql_hostnames: localhost
    sql_user: dbuser
    sql_passwd: mypassword
    sql_database: db
    sql_select: select password from mailbox where username='%[email protected]%r' and active = 1

    # Should saslauthd run automatically on startup? (default: no)

    # Description of this saslauthd instance. Recommended.
    # (suggestion: SASL Authentication Daemon)
    DESC="SASL Authentication Daemon"

    # Short name of this saslauthd instance. Strongly recommended.
    # (suggestion: saslauthd)

    PARAMS="-m ${PWDIR}"

    # Which authentication mechanisms should saslauthd use? (default: pam)
    # Available options in this Debian package:
    # getpwent -- use the getpwent() library function
    # kerberos5 -- use Kerberos 5
    # pam -- use PAM
    # rimap -- use a remote IMAP server
    # shadow -- use the local shadow password file
    # sasldb -- use the local sasldb database file
    # ldap -- use LDAP (configuration is in /etc/saslauthd.conf)
    # Only one option may be used at a time. See the saslauthd man page
    # for more information.
    # Example: MECHANISMS="pam"

    # Additional options for this mechanism. (default: none)
    # See the saslauthd man page for information about mech-specific options.

    # How many saslauthd processes should we run? (default: 5)
    # A value of 0 will fork a new process for each connection.

    # Other options (default: -c -m /var/run/saslauthd)
    # Note: You MUST specify the -m option or saslauthd won't run!
    # The -d option will cause saslauthd to run in the foreground instead of as
    # a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
    # to run saslauthd in debug mode, please run it by hand to be safe.
    # See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
    # See the saslauthd man page and the output of 'saslauthd -h' for general
    # information about these options.
    # Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
    #OPTIONS="-c -m /var/run/saslauthd"
    OPTIONS="-c -r -m /var/spool/postfix/var/run/saslauthd"

    /etc/pam.d/smtp (Originally, host was below, but that didn't work. localhost seems to work.)
    # /etc/pam.d/smtp
    # Copyright (c) 2000-2003 Richard Nelson. All Rights Reserved.
    # Version: 2.0.1
    # Time-stamp: <2003/05/06 12:00:00 cowboy>
    # PAM configuration file used by SASL to authenticate a PLAIN password.
    @include common-auth
    @include common-account
    #@include common-password
    auth required user=dbuser passwd=dbpassword host=localhost db=db table=mailbox usercolumn=username passwdcolumn=password crypt=0
    account sufficient user=dbuser passwd=dbpassword host=localhost db=db table=mailbox usercolumn=username passwdcolumn=password crypt=0

    bind-address =

  2. telmathedog

    telmathedog New Member

    No one having any clue...?

    An attempt to summarise/emphasize:

    1. Doing

    testsaslauthd -u dbuser -p bar -s smtp

    gives these lines in auth.log if I have the correct row in the mailbox table:

    Sep  2 09:23:10 CR41539-1 saslauthd[3036]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=dbuser
    Sep  2 09:23:11 CR41539-1 saslauthd[3036]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
    Sep  2 09:23:11 CR41539-1 saslauthd[3036]: do_auth         : auth failure: [user=dbuser] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
    and these lines if I mod. the db-row so that the select will not hit:

    Sep  2 09:23:31 CR41539-1 saslauthd[3033]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=dbuser
    Sep  2 09:23:31 CR41539-1 saslauthd[3033]: pam_mysql - SELECT returned no result.
    Sep  2 09:23:33 CR41539-1 saslauthd[3033]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
    Sep  2 09:23:33 CR41539-1 saslauthd[3033]: do_auth         : auth failure: [user=dbuser] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
    So, if it reads the table and finds the user, why does the authentication fail?

    2. System does not seem to use the config file smtpd.conf

    CR41539-1:~# l /etc/postfix/sasl/smtpd.conf
    -rwxr-xr-x 1 root root 475 Sep  2 09:22 /etc/postfix/sasl/smtpd.conf
    at all.

    3. Doing AUTH LOGIN test from an external telnet session does not seem to wake any saslauthd/pam at all, no rows in auth.log, except from

    Sep  2 09:31:40 CR41539-1 postfix/smtpd[4225]: sql_select option missing
    Sep  2 09:31:40 CR41539-1 postfix/smtpd[4225]: auxpropfunc error no mechanism available
    Sep  2 09:31:40 CR41539-1 postfix/smtpd[4225]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql
    who appears at the same moment the telnet connects to the server.
  3. Mark_NL

    Mark_NL Member

    [reason=PAM auth error]
    go after that one ..

    so check /etc/pam.d/smtp

    pam_mysql - SELECT returned no result.
    it cannot find the user you're trying to log in with.

    edit: put courier in debug and track the error logs .. more info to be found there when you do :)

    DEBUG_LOGIN=1 in /etc/courier/authdaemonrc

    then restart /etc/init.d/authdaemonrc restart

    check your mail logs
    Last edited: Sep 2, 2010
  4. telmathedog

    telmathedog New Member

    Thanks for reply.

    Yes, the log line

    pam_mysql - SELECT returned no result
    was an experiment, and I only got this result when I on purpose changed the row in the mailbox table so that there would be no hit. After changeing back, the error line disappeared.

    This was a test to see that pam really selected the line in the mailbox table, and the test revealed that it does.

    Even so, auth failes...
  5. Mark_NL

    Mark_NL Member

    turn on debugging and tail your mail logs .. the answer lies within! :)
  6. telmathedog

    telmathedog New Member

    I don't use courier on this server. I am actually not going to have any mail accounts for POP3/IMAP. Just letting some devices send incoming mails (who are processed by php) and then in some occassions let the server send outgoing mails.

    And the incoming and outgoing mail function with virtual users in mysql etc. works ok. I would very much now like to have the smtpd authenticate with at least LOGIN/PLAIN, and this is the problem.

    So, I can't turn on courier debug.

    Do I need courier to make smtpd authenticate?
  7. Mark_NL

    Mark_NL Member

    ah you're using cyrus? bleh ..

    dpkg-reconfigure postfix .. default stuff
    then use your /etc/aliases file to proces your mail with php


    or do you need virt users or smth? coz your install now looks like halve a ispconfig3 install with changed config settings (like cyrus usage f.e.)
  8. telmathedog

    telmathedog New Member

    Yes, Cyrus.

    But isn't Cyrus just the SASL implementation to Postfix SMTP?

    There is also Dovecot SASL as I can understand (

    If I should *not* need to auth incoming smtp, should I then need SASL (Curys/Dovecot) at all?
    Before bothering with smtp auth, I haven't really touched them...

    The only reason I use mysql virtual users is that my php scripts shall be able to add/remove users who have permissions to send mails to the server.

    I would like to have many different incoming mail addresses. One for each user/device. This is instead of having only smtp auth and one incoming mail address. If this one and only incoming mail address should get compromised, then one should have to change the mail address for all external users/devices. By having one address per user/device, this can not happen.

    The incoming mails are put in /home/vmail/... folders and are then processed by php (php scans the folders every 5 second).
    (I do also utilise the pam virtual framwork for vsftpd, same function, same reasons.)

    But then, I needed also smtp auth because some users/devices required this (and it also will slow down some spam attempts).
    And my problems really started...

Share This Page