Sasl Authentication Failure

Discussion in 'Server Operation' started by wigglez, Dec 1, 2012.

  1. wigglez

    wigglez New Member

    I'm not entirely sure if this is the place to post this but, I have a new error with postfix that popped up when using thunderbird.

    Code:
    warning: SASL authentication failure: Password verification failed

    Webmail works, just can't connect from outside.

    Which password is it referring to?

    I've double checked the password for user@domain.net with mysql.

    Could it have something to do with this:
    Code:
    250-AUTH LOGIN NTLM DIGEST-MD5 PLAIN CRAM-MD5

    Instead of:
    Code:
    250-AUTH PLAIN LOGIN

    I can't change that. I did a grep for every mechlist that it found. Changing the values to plain login didn't work.

    Edit: Oh, I should mention this is for sending mail, receiving it with courier and thunderbird works just fine.
     
    Last edited: Dec 1, 2012
  2. falko

    falko Super Moderator

    Which distribution do you use? Are there any errors in your mail log?
     
  3. wigglez

    wigglez New Member

    Ubuntu 8.04

    mail.log:
    Code:
    SASL authentication failure: Password verification failed
    SASL PLAIN authentication failed: authentication failure
    SASL LOGIN authentication failed: authentication failure
     
  4. wigglez

    wigglez New Member

    Was having an issue with testsaslauthd not working unless I specified a path in the command. Created a symlink, and was hoping fixing that would take care of it, but it didn't. It made testsaslauthd work without manually entering a path.

    Code:
    rm -rf /var/run/saslauthd
    ln -s /var/spool/postfix/var/run/saslauthd /var/run/saslauthd
    Code:
    testsaslauthd -s smtp -u user@domain.com -p password
     
    Last edited: Dec 3, 2012
  5. wigglez

    wigglez New Member

    I am getting quite suspicious that this is what's causing it:

    Code:
    250-AUTH LOGIN NTLM DIGEST-MD5 PLAIN CRAM-MD5

    It should read:
    Code:
    250-AUTH PLAIN LOGIN

    I only told it to use plain login, I don't know why it's still wanting to use the extras.

    I changed the name of anything that could intercede smtpd.conf

    In both directories /usr/lib/sasl2 and /usr/lib64/sasl2, I changed the names of Sendmail.conf, smtpd.conf, and saslpaswd.conf in case they were overriding /etc/postfix/sasl/smtpd.conf.

    Code:
    pwcheck_method: saslauthd
    mech_list: plain login
    log_level: 7
    allow plaintext: true
    auxprop_plugin: sql
    sql_engine: mysql
    sql_hostnames: 127.0.0.1
    sql_user: mail_admin
    sql_passwd: mail_admin_pass
    sql_database: mail
    sql_select: select password from users where email = '%u@%r'

    I can't figure out what is overriding this. It can't be overriding the whole file, or I imagine it would be more broken. It's just overriding the mech list.
     
    Last edited: Dec 4, 2012
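
Added example, not part of any post in this thread: a Python check for the mismatch described in post 5, comparing the mechanisms a server advertises in its EHLO reply against the mech_list in smtpd.conf. The sample reply and config are constructed, and the function names and hostname are made up for the illustration.

```python
import re

# Constructed sample: EHLO reply with the AUTH line quoted in the thread
# (hostname and the non-AUTH lines are made up for this example).
EHLO_REPLY = """\
250-smtp.example.net
250-PIPELINING
250-STARTTLS
250-AUTH LOGIN NTLM DIGEST-MD5 PLAIN CRAM-MD5
250-AUTH=LOGIN NTLM DIGEST-MD5 PLAIN CRAM-MD5
250 8BITMIME
"""

# Constructed sample: the relevant lines of a Cyrus SASL smtpd.conf.
SMTPD_CONF = "pwcheck_method: saslauthd\nmech_list: plain login\n"

def advertised_mechs(ehlo_reply):
    """Collect SASL mechanisms from every AUTH line of an EHLO reply.

    Handles 'AUTH PLAIN' and the legacy 'AUTH=PLAIN' form that Postfix
    adds when broken_sasl_auth_clients = yes.
    """
    mechs = set()
    for line in ehlo_reply.splitlines():
        m = re.match(r"^250[- ]AUTH[ =](.*)$", line.strip(), re.IGNORECASE)
        if m:
            mechs.update(tok.upper() for tok in m.group(1).split())
    return mechs

def configured_mechs(conf_text):
    """Return mech_list from 'key: value' config text, or None if unset."""
    for line in conf_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "mech_list":
            return {tok.upper() for tok in value.split()}
    return None

def compare(ehlo_reply, conf_text):
    """Return (advertised but not configured, configured but not advertised)."""
    adv = advertised_mechs(ehlo_reply)
    want = configured_mechs(conf_text)
    if want is None:
        raise ValueError("no mech_list in config")
    return adv - want, want - adv

if __name__ == "__main__":
    extra, missing = compare(EHLO_REPLY, SMTPD_CONF)
    print("advertised but not configured:", sorted(extra))
    print("configured but not advertised:", sorted(missing))
```

A non-empty first set means the SMTP server is not reading the mech_list you edited. saslauthd itself can only verify plaintext mechanisms (PLAIN and LOGIN), so extra mechanisms in that set are worth chasing down.
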
  6. falko

    falko Super Moderator

    What's in /etc/postfix/main.cf?
     
  7. wigglez

    wigglez New Member

    Code:
    # See /usr/share/postfix/main.cf.dist for a commented, more complete version
    
    
    # Debian specific:  Specifying a file name will cause the first
    # line of that file to be used as the name.  The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname
    
    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    biff = no
    
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    
    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h
    
    readme_directory = no
    
    # TLS parameters
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    #smtpd_tls_exclude_ciphers=RC4-MD5
    smtpd_sasl_path = /var/spool/postfix/var/run/saslauthd
    #smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    
    
    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.
    
    myhostname = smtp.domain.net
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    #myorigin = /etc/mailname
    myorigin = domain.net
    mydestination = smtp.domain.net, localhost, localhost.localdomain
    relayhost =
    mynetworks = 127.0.0.0/8
    mailbox_command = procmail -a "$EXTENSION"
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    mynetworks_style = host
    virtual_alias_domains =
    virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    virtual_mailbox_base = /home/vmail
    virtual_uid_maps = static:5000
    virtual_gid_maps = static:5000
    
    #SASL
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_local_domain =
    smtpd_sasl_authenticated_header = yes
    
    smtpd_sender_restrictions=permit_sasl_authenticated, permit_mynetworks, warn_if_reject, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit
    
    smtpd_recipient_restrictions=permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_relay_domains
    
    
    virtual_create_maildirsize = yes
    virtual_maildir_extended = yes
    virtual_mailbox_limit_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_limit_maps.cf
    virtual_mailbox_limit_override = yes
    virtual_maildir_limit_message = "The user you are trying to reach is over quota."
    virtual_overquota_bounce = yes
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $mynetworks $virtual_mailbox_limit_maps
    
     
  8. wigglez

    wigglez New Member

    Accidentally nuked everything except mysql by trying to purge libsasl packages.

    It kept some of my config files intact, but redoing it. It fixed the plain login issue.

    From
    Code:
    250-AUTH LOGIN NTLM DIGEST-MD5 PLAIN CRAM-MD5

    To
    Code:
    250-AUTH LOGIN PLAIN

    Unfortunately it didn't fix the thunderbird issue.
     
  9. wigglez

    wigglez New Member

    It works now...

    It was a different error. Whatever happened when I nuked it, fixed the first one.

    I noticed it wasn't even connecting in the logs.

    I changed the smtp server on thunderbird to 25, which I find strange because it connected before on the 587 port.


    Could someone explain the difference between the two ports and why thunderbird defaults to 587?


    So, anybody reading this and having the same problem where the mech list isn't updating right. Nuke it, and check your ports. haha
     
