smtp auth w/ sasl.

Discussion in 'HOWTO-Related Questions' started by marsvin, Sep 16, 2007.

  1. marsvin

    marsvin New Member

    I set up my mail server following the virtual users and domains with postfix debian etch tutorial.

    Everything seems to be working perfectly except smtp login (I can receive mail through pop no problem and local smtp delivery works.) Here's what the mail.log says:
    Code:
    Sep 16 19:57:32 my_hostname postfix/smtpd[20191]: connect from <my_ip>[<my_ip>]
    Sep 16 19:57:33 my_hostname postfix/smtpd[20191]: warning: SASL authentication failure: Password verification failed
    Sep 16 19:57:33 my_hostname postfix/smtpd[20191]: warning: <my_ip>[<my_ip>]: SASL PLAIN authentication failed: authentication failure
    Sep 16 19:57:33 my_hostname postfix/smtpd[20191]: warning: <my_ip>[<my_ip>]: SASL LOGIN authentication failed: authentication failure
    Sep 16 19:57:34 my_hostname postfix/smtpd[20191]: disconnect from <my_ip>[<my_ip>]
    
    auth.log says only this:
    Code:
    Sep 16 19:57:32 my_hostname postfix/smtpd[20191]: sql auxprop plugin using mysql engine
    
    I've seen a lot of authentication error threads on this forum but they all reported a specific error in the logs. I can't find anything besides 'authentication failed' so I don't know where to start looking for the problem.

    My /etc/default/saslauthd
    Code:
    root@my_hostname:~# cat /etc/default/saslauthd
    # This needs to be uncommented before saslauthd will be run automatically
    START=yes
    
    # You must specify the authentication mechanisms you wish to use.
    # This defaults to "pam" for PAM support, but may also include
    # "shadow" or "sasldb", like this:
    # MECHANISMS="pam shadow"
    
    MECHANISMS="pam"
    PARAMS="-m /var/spool/postfix/var/run/saslauthd -r"
    
    /etc/pam.d/smtp:
    Code:
    root@my_hostname:~# cat /etc/pam.d/smtp
    auth    required   pam_mysql.so user=mail_admin passwd=<passwd> host=127.0.0.1 db=mail table=users usercolumn=email passwdcolumn=password crypt=1
    account sufficient pam_mysql.so user=mail_admin passwd=<passwd> host=127.0.0.1 db=mail table=users usercolumn=email passwdcolumn=password crypt=1
    
    /etc/postfix/main.cf:
    Code:
    root@my_hostname:~# cat /etc/postfix/main.cf
    # See /usr/share/postfix/main.cf.dist for a commented, more complete version
    
    
    # Debian specific:  Specifying a file name will cause the first
    # line of that file to be used as the name.  The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname
    
    smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
    biff = no
    
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    
    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h
    
    # TLS parameters
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
    
    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.
    
    myhostname = mail.myhost.com
    mydomain = myhost.com
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = /etc/mailname
    mydestination = mail.myhost.com, localhost, localhost.localdomain
    relayhost =
    mynetworks = 127.0.0.0/8
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    notify_classes = resource, software, delay
    virtual_alias_domains =
    virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    virtual_mailbox_base = /home/vmail
    virtual_uid_maps = static:5000
    virtual_gid_maps = static:5000
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
    virtual_create_maildirsize = yes
    virtual_mailbox_extended = yes
    virtual_mailbox_limit_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailbox_limit_maps.cf
    virtual_mailbox_limit_override = yes
    virtual_maildir_limit_message = "The user you are trying to reach is over quota."
    virtual_overquota_bounce = yes
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
    content_filter = amavis:[127.0.0.1]:10024
    receive_override_options = no_address_mappings
    
    smtpd.conf:
    Code:
    root@my_hostname:~# cat /etc/postfix/sasl/smtpd.conf
    pwcheck_method: saslauthd
    mech_list: plain login
    log_level: 5
    allow_plaintext: true
    auxprop_plugin: mysql
    sql_hostnames: 127.0.0.1
    sql_user: mail_admin
    sql_passwd: <my password>
    sql_database: mail
    sql_select: select password from users where email = '%u'
    
    Everything looks the same as in the tutorial. I even re-generated my server certificate just to be sure. If anyone has any more ideas I'd be very grateful.
     
  2. falko

    falko Super Moderator ISPConfig Developer

  3. marsvin

    marsvin New Member

    The only significant difference I see there is the -c option (which enables caching.) The other two (MECH_OPTIONS="" and THREADS=5) are defaults.

    To be 100% sure I copied all the default options too so now my saslauthd looks like this:

    Code:
    root@my_host:~# cat /etc/default/saslauthd
    # This needs to be uncommented before saslauthd will be run automatically
    START=yes
    
    # You must specify the authentication mechanisms you wish to use.
    # This defaults to "pam" for PAM support, but may also include
    # "shadow" or "sasldb", like this:
    # MECHANISMS="pam shadow"
    
    MECHANISMS="pam"
    MECH_OPTIONS=""
    THREADS=5
    PARAMS="-c -m /var/spool/postfix/var/run/saslauthd -r"
    
    But the error reported is exactly the same:

    Code:
    Sep 17 18:56:04 my_host postfix/smtpd[24417]: warning: SASL authentication failure: Password verification failed
    Sep 17 18:56:04 my_host postfix/smtpd[24417]: warning: my_ip[my_ip]: SASL PLAIN authentication failed: authentication failure
    Sep 17 18:56:04 my_host postfix/smtpd[24417]: warning: my_ip[my_ip]: SASL LOGIN authentication failed: authentication failure
    
     
  4. falko

    falko Super Moderator ISPConfig Developer

    It must be OPTIONS, not PARAMS:

    Code:
    #
    # Settings for saslauthd daemon
    #
    
    # Should saslauthd run automatically on startup? (default: no)
    START=yes
    
    # Which authentication mechanisms should saslauthd use? (default: pam)
    #
    # Available options in this Debian package:
    # getpwent  -- use the getpwent() library function
    # kerberos5 -- use Kerberos 5
    # pam       -- use PAM
    # rimap     -- use a remote IMAP server
    # shadow    -- use the local shadow password file
    # sasldb    -- use the local sasldb database file
    # ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
    #
    # Only one option may be used at a time. See the saslauthd man page
    # for more information.
    #
    # Example: MECHANISMS="pam"
    MECHANISMS="pam"
    
    # Additional options for this mechanism. (default: none)
    # See the saslauthd man page for information about mech-specific options.
    MECH_OPTIONS=""
    
    # How many saslauthd processes should we run? (default: 5)
    # A value of 0 will fork a new process for each connection.
    THREADS=5
    
    # Other options (default: -c)
    # See the saslauthd man page for information about these options.
    #
    # Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
    # Note: See /usr/share/doc/sasl2-bin/README.Debian
    OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"
     
  5. marsvin

    marsvin New Member

    I'm not sure that's correct for my installation.

    When I change it from PARAMS to OPTIONS, this happens:
    Code:
    root@my_host:~# ps aux | grep saslau
    root      3499  0.0  0.0  30412  1648 ?        Ss   00:47   0:00 /usr/sbin/saslauthd -a pam
    root      3500  0.0  0.0  30412  1640 ?        S    00:47   0:00 /usr/sbin/saslauthd -a pam
    root      3501  0.0  0.0  30412  1640 ?        S    00:47   0:00 /usr/sbin/saslauthd -a pam
    root      3502  0.0  0.0  30412  1640 ?        S    00:47   0:00 /usr/sbin/saslauthd -a pam
    root      3503  0.0  0.0  29344   672 ?        S    00:47   0:00 /usr/sbin/saslauthd -a pam
    
    And when I change it back to PARAMS:

    Code:
    root@my_host:~# ps aux | grep saslau
    root      3689  0.0  0.0  30312  1156 ?        Ss   00:50   0:00 /usr/sbin/saslauthd -c -m /var/spool/postfix/var/run/saslauthd -r -a pam
    root      3690  0.0  0.0  30312   672 ?        S    00:50   0:00 /usr/sbin/saslauthd -c -m /var/spool/postfix/var/run/saslauthd -r -a pam
    root      3691  0.0  0.0  30312   484 ?        S    00:50   0:00 /usr/sbin/saslauthd -c -m /var/spool/postfix/var/run/saslauthd -r -a pam
    root      3692  0.0  0.0  30312   484 ?        S    00:50   0:00 /usr/sbin/saslauthd -c -m /var/spool/postfix/var/run/saslauthd -r -a pam
    root      3693  0.0  0.0  30312   484 ?        S    00:50   0:00 /usr/sbin/saslauthd -c -m /var/spool/postfix/var/run/saslauthd -r -a pam
    
    And either way I'm not getting authenticated.
     
  6. falko

    falko Super Moderator ISPConfig Developer

    You are sure that this is Debian Etch?
     
  7. lindows2006

    lindows2006 New Member

Share This Page