SASL not working ""Virtual Users And Domains With Postfix, Courier, MySQL And Squirr"

Discussion in 'HOWTO-Related Questions' started by zeljko, Jun 4, 2010.

  1. zeljko

    zeljko New Member

    Hi all,

    I have setup mail server using this tutorial "Virtual Users And Domains With Postfix, Courier, MySQL And SquirrelMail (Ubuntu 9.10)" but when I set SMTP server in e-mail client to use secure authentication I got "Login to server zm.gotdns.com failed." with those in /var/mail/mail.log :


    Jun 4 10:44:32 zm postfix/smtpd[20951]: warning: SASL authentication failure: no secret in database
    Jun 4 10:44:32 zm postfix/smtpd[20951]: warning: localhost.localdomain[127.0.0.1]: SASL CRAM-MD5 authentication failed: authentication failure
    Jun 4 10:44:32 zm postfix/smtpd[20951]: warning: SASL authentication failure: no secret in database
    Jun 4 10:44:32 zm postfix/smtpd[20951]: warning: localhost.localdomain[127.0.0.1]: SASL NTLM authentication failed: authentication failure
    Jun 4 10:44:35 zm postfix/smtpd[20951]: disconnect from localhost.localdomain[127.0.0.1]

    Please can you help me out with this ?

    Zeljko
     
  2. Mark_NL

    Mark_NL New Member

    is your smtpd running chrooted?

    Code:
    cat /etc/postfix/sasl/smtpd.conf
    grep smtpd /etc/postfix/master.cf
    cat /etc/postfix/main.cf
    
     
  3. zeljko

    zeljko New Member

    Those are the outputs :


    pwcheck_method: saslauthd
    mech_list: plain login
    allow_plaintext: true
    auxprop_plugin: mysql
    sql_hostnames: 127.0.0.1
    sql_user: *******
    sql_passwd: *******
    sql_database: mail
    sql_select: select password from users where email = '%u'
    ______----------------------------------------------------------------_______
    smtp inet n - - - - smtpd
    #submission inet n - - - - smtpd
    # -o smtpd_tls_security_level=encrypt
    # -o smtpd_sasl_auth_enable=yes
    # -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    #smtps inet n - - - - smtpd
    # -o smtpd_tls_wrappermode=yes
    # -o smtpd_sasl_auth_enable=yes
    # -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    127.0.0.1:10025 inet n - - - - smtpd
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_bind_address=127.0.0.1
    -----------------------------------------------------------------------------
    # See /usr/share/postfix/main.cf.dist for a commented, more complete version


    # Debian specific: Specifying a file name will cause the first
    # line of that file to be used as the name. The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname

    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    biff = no

    # appending .domain is the MUA's job.
    append_dot_mydomain = no

    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h

    readme_directory = /usr/share/doc/postfix

    # TLS parameters
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.

    myhostname = zm.gotdns.com
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = /etc/mailname
    mydestination = localhost, localhost.localdomain
    relayhost =
    mynetworks = 127.0.0.0/8
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    html_directory = /usr/share/doc/postfix/html
    virtual_alias_domains =
    virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    virtual_mailbox_base = /home/vmail
    virtual_uid_maps = static:5000
    virtual_gid_maps = static:5000
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_path = /etc/postfix/sasl
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
    virtual_create_maildirsize = yes
    virtual_maildir_extended = yes
    virtual_mailbox_limit_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_limit_maps.cf
    virtual_mailbox_limit_override = yes
    virtual_maildir_limit_message = "The user you are trying to reach is over quota."
    virtual_overquota_bounce = yes
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
    content_filter = amavis:[127.0.0.1]:10024
    receive_override_options = no_address_mappings
    ---------------------------------------------------------------
     
  4. Mark_NL

    Mark_NL New Member

    and how does your /etc/default/saslauthd look like?

    Code:
    cat /etc/default/saslauthd
     
  5. zeljko

    zeljko New Member

    #
    # Settings for saslauthd daemon
    # Please read /usr/share/doc/sasl2-bin/README.Debian for details.
    #

    # Should saslauthd run automatically on startup? (default: no)
    START=yes

    # Description of this saslauthd instance. Recommended.
    # (suggestion: SASL Authentication Daemon)
    DESC="SASL Authentication Daemon"

    # Short name of this saslauthd instance. Strongly recommended.
    # (suggestion: saslauthd)
    NAME="saslauthd"

    # Which authentication mechanisms should saslauthd use? (default: pam)
    #
    # Available options in this Debian package:
    # getpwent -- use the getpwent() library function
    # kerberos5 -- use Kerberos 5
    # pam -- use PAM
    # rimap -- use a remote IMAP server
    # shadow -- use the local shadow password file
    # sasldb -- use the local sasldb database file
    # ldap -- use LDAP (configuration is in /etc/saslauthd.conf)
    #
    # Only one option may be used at a time. See the saslauthd man page
    # for more information.
    #
    # Example: MECHANISMS="pam"
    MECHANISMS="pam"

    # Additional options for this mechanism. (default: none)
    # See the saslauthd man page for information about mech-specific options.
    MECH_OPTIONS=""

    # How many saslauthd processes should we run? (default: 5)
    # A value of 0 will fork a new process for each connection.
    THREADS=5

    # Other options (default: -c -m /var/run/saslauthd)
    # Note: You MUST specify the -m option or saslauthd won't run!
    #
    # WARNING: DO NOT SPECIFY THE -d OPTION.
    # The -d option will cause saslauthd to run in the foreground instead of as
    # a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
    # to run saslauthd in debug mode, please run it by hand to be safe.
    #
    # See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
    # See the saslauthd man page and the output of 'saslauthd -h' for general
    # information about these options.
    #
    # Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
    OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"
     
  6. zeljko

    zeljko New Member

    Mark,

    Just to be clear what I am trying to do ... I am trying to make mail users who uses my SMTP server to authenticate them selfs when sending mail while using e-mail clients in my local network ( even from my server ), but for some reason this doesn't work ... I'm not an expert but it seems like SASL is not using mysql ( where users and passwords are stored ) to do authentication ...
     
  7. Mark_NL

    Mark_NL New Member

  8. zeljko

    zeljko New Member

    Mark,

    I did it dozen of times, but just in case did it once again now and it all looks exactly the same like in the tutorial ... I've googled everything but with no result :(
     
  9. Mark_NL

    Mark_NL New Member

    hehe, that sucks i know how you feel :)

    Only thing i can say about these how-to's .. if you read them from top to bottom and do EXACTLY what they say you should, then the solution works, period. If it's not working, you must've made an error somewhere in the process, changed a value, forgot a step or something.

    maybe some process is not running? maybe some persmissions aren't correct? maybe you missed a package that didn't got installed, i can go on and on like this ;)
     
  10. zeljko

    zeljko New Member

    Just find out that client side sasl authentication cannot work without smtp_sasl_password_maps parameter in main.cf. And really I don't have that parameter there. Does anybody know how this parameter should be set to work with mysql virtual users?
     
  11. Mark_NL

    Mark_NL New Member

    i noticed that
    Code:
    127.0.0.1:10025 inet n - - - - smtpd
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,rej ect
    -o smtpd_bind_address=127.0.0.1
    "re ject" @ smtpd_recipient_restriction=... ???

    and i've compared my working configs with yours and also noticed that i haven't set this variable: smtpd_sasl_path = /etc/postfix/sasl


    edit:
    /etc/pam.d/smtp contains
    Code:
    auth    required   pam_mysql.so user=mail_admin passwd=mail_admin_password host=127.0.0.1 db=mail table=users usercolumn=email passwdcolumn=password crypt=1
    account sufficient pam_mysql.so user=mail_admin passwd=mail_admin_password host=127.0.0.1 db=mail table=users usercolumn=email passwdcolumn=password crypt=1
    ?? check if you didn't mistakenly created a "smtpd" instead of "smtp" file :)

    /etc/courier/authdeamonrc
    authmodulelist="authmysql"

    and double check authmysqlrc
     
    Last edited: Jun 4, 2010
  12. zeljko

    zeljko New Member

    I have added that path parameter just to try if it helps, it's not working either ... and for re ject it must be copy/paste error, I have looked at main.cf now ant there is no space there ...
     
  13. Mark_NL

    Mark_NL New Member

    Well i'm kinda out of idea's .. and it's hard to go all options one by one ..
    i could have a look at your system, if you want, you can privmsg me with login data so i can have a look at your settings.
     
  14. zeljko

    zeljko New Member

    Dear Mark ,

    first of all thank you for all help! I don't know how and what I did ( I really don't know! ) but sasl seems to be working now in PLAIN and LOGIN when I set in thunderbird username for SMTP server, but when I check the "Use secure authentication" I got this from thunderbird:

    Sending of message failed.
    An error occurred sending mail: Unable to authenticate to SMTP server 127.0.0.1. The server does not support any compatible secure authentication mechanism but you have chosen secure authentication. Try switching off secure authentication or contact your service provider.

    Do you know what "Use secure authentication" means?
    And is it secure enough to use STARTTLS and sasl PLAIN ?
     
  15. Mark_NL

    Mark_NL New Member

    Code:
    spica:/etc/postfix# openssl s_client -connect zm.gotdns.com:25 -starttls smtp 
    CONNECTED(00000003)
    depth=0 /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/emailAddress=[email protected]
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/emailAddress=[email protected]
    verify return:1
    ---
    Certificate chain
     0 s:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/emailAddress=[email protected]
       i:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/emailAddress=[email protected]
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIEMzCCAxugAwIBAgIJAIf2MlBfiyEgMA0GCSqGSIb3DQEBBQUAMG4xCzAJBgNV
    BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX
    aWRnaXRzIFB0eSBMdGQxJzAlBgkqhkiG9w0BCQEWGHBvc3RtYXN0ZXJAem0uZ290
    ZG5zLmNvbTAeFw0xMDA1MTMxNjIyNThaFw0xMTA1MTMxNjIyNThaMG4xCzAJBgNV
    BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX
    aWRnaXRzIFB0eSBMdGQxJzAlBgkqhkiG9w0BCQEWGHBvc3RtYXN0ZXJAem0uZ290
    ZG5zLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANmT1LSYxrjp
    IettubpWa4djQfrswPYadhJzTBYlpEGirIbhPOIpPlkOpzvmZmiHNWPUpkoIwE20
    aLVKjXC6EvAVr4kP7p42T/YQm8KniOfbFOqyQw1mHb9bWUBWb111zGnqw5k/9Vb1
    y8jDjMgJyBm7X2uFn9Yd3J3zMuKmwL/jkvyxynXrjaCiqe20N6j/Jyoe+GISApsu
    nnLNCm/gE1ZKchLXtYg+Er4Hk0dg2YlWI+uRbxISxezvUKD+ZRehWJB+L85ueD+F
    7GjySlJ+jAewRrgr/BgznbWq+Acz+GUlXN8lNZerjdl2T/rIWaOe5bUV3qcBos3o
    psMNtKxNyhcCAwEAAaOB0zCB0DAdBgNVHQ4EFgQU9iTcpz11FdQdfnD39tNLFpU1
    V88wgaAGA1UdIwSBmDCBlYAU9iTcpz11FdQdfnD39tNLFpU1V8+hcqRwMG4xCzAJ
    BgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5l
    dCBXaWRnaXRzIFB0eSBMdGQxJzAlBgkqhkiG9w0BCQEWGHBvc3RtYXN0ZXJAem0u
    Z290ZG5zLmNvbYIJAIf2MlBfiyEgMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEF
    BQADggEBAAJso0cJR9FYyeUaHekq4HtzG9GnXsTYO9DwlABrrE+AdGc164Pf77SI
    CLqc2k5XBFkFQ9wr4LfpNhKb6M2D65cfjcr+lMU94ad+RaRsdAa/nunSUmHuhBAQ
    lBFOLv6vAWNPvffWQdT+naL3zjHIClnwn0xwMbBeSepFrhmBxpl+FjUZ/9yF1QUa
    /VmEOY6B3otyKyYd3EMMchnYKuGyzw+cAljlNCM1zDHS+pinPPD+Dq6liWpOFgAa
    GR5LQyqTs5GBZoQNvvw23hHjPNys8jpQ3EEvEjGylwZJdXDz0FalZmXLWz+XCXsV
    T8fiRqE7jcESKs6bu328qW2Zhz1nm5I=
    -----END CERTIFICATE-----
    subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/emailAddress=[email protected]
    issuer=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/emailAddress=[email protected]
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 2023 bytes and written 351 bytes
    ---
    New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Server public key is 2048 bit
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : DHE-RSA-AES256-SHA
        Session-ID: 25A6617F67E4A2ACC806A9DCF6D0EF68700D05C599308AFA197F92E09FBECF03
        Session-ID-ctx: 
        Master-Key: B9D2C5FD0CFC6E6B742221093180936FDF08BE4DEC4FDAEA99C82ED7FB51FD5B12A47D3FF4A64C7645A3153C51692CE7
        Key-Arg   : None
        Start Time: 1275659460
        Timeout   : 300 (sec)
        Verify return code: 18 (self signed certificate)
    ---
    250 DSN
    EHLO mark
    250-zm.gotdns.com
    250-PIPELINING
    250-SIZE 10240000
    250-VRFY
    250-ETRN
    250-AUTH LOGIN PLAIN
    250-AUTH=LOGIN PLAIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    looks like TLS is working just fine, i think your client settings aren't correct.
    at least, i could make a TLS connection to your MTA .. i just didn't knew any mail accounts to send an email to ;)
     

Share This Page