Hi folks,

I'm closing in on what I thought should be pretty straightforward, but my eyes are crossed from wading through all the HowTos and the Googled links to links to links, etc., so hopefully someone here can point me in the right direction.

I've configured an Ubuntu 8.04 server to run Postfix with postfixadmin, mysql, smtp-auth using sasl, courier for imap and pop, and multiple webmail interfaces. I seem to have almost everything working since I can receive mail OK, send mail fine via the webmail interfaces, create new domains/users, etc. The one thing I can't seem to do is send email normally through TBird or c/l telnet methods. When I try to send mail I'm getting the following error:

    warning: SASL authentication failure: cannot connect to saslauthd server: Permission denied

How do I track down what it's being denied permission to access?
I'd already checked that. System response indicates that postfix is already a member of the sasl group.

Code:
    root@mail:/etc/postfix# adduser postfix sasl
    The user `postfix' is already a member of `sasl'.

Any guidance on how to track the particular file(s) it's trying to access? I could (and have) spent hours trying to check all the permissions on things, but they all seem correct/reasonable. I've always found that if I can track the process through one step at a time and see where the failure is I have a much better chance of finding why it fails.

Here's an excerpt from the mail.log in case that helps point to a particular piece of the puzzle.

Code:
    postfix/smtpd[8545]: < dragon.sleepydragon.local[192.168.16.101]: EHLO [127.0.0.1]
    postfix/smtpd[8545]: > dragon.sleepydragon.local[192.168.16.101]: 250-mail.sleepydragon.net
    postfix/smtpd[8545]: > dragon.sleepydragon.local[192.168.16.101]: 250-PIPELINING
    postfix/smtpd[8545]: > dragon.sleepydragon.local[192.168.16.101]: 250-SIZE 10240000
    postfix/smtpd[8545]: > dragon.sleepydragon.local[192.168.16.101]: 250-ETRN
    postfix/smtpd[8545]: > dragon.sleepydragon.local[192.168.16.101]: 250-AUTH PLAIN LOGIN
    postfix/smtpd[8545]: match_list_match: dragon.sleepydragon.local: no match
    postfix/smtpd[8545]: match_list_match: 192.168.16.101: no match
    postfix/smtpd[8545]: > dragon.sleepydragon.local[192.168.16.101]: 250-AUTH=PLAIN LOGIN
    postfix/smtpd[8545]: > dragon.sleepydragon.local[192.168.16.101]: 250-ENHANCEDSTATUSCODES
    postfix/smtpd[8545]: > dragon.sleepydragon.local[192.168.16.101]: 250-8BITMIME
    postfix/smtpd[8545]: > dragon.sleepydragon.local[192.168.16.101]: 250 DSN
    postfix/smtpd[8545]: < dragon.sleepydragon.local[192.168.16.101]: AUTH PLAIN *replaced*
    postfix/smtpd[8545]: xsasl_cyrus_server_first: sasl_method PLAIN, init_response *replaced*
    postfix/smtpd[8545]: xsasl_cyrus_server_first: decoded initial response
    postfix/smtpd[8545]: warning: SASL authentication failure: cannot connect to saslauthd server: Permission denied
    postfix/smtpd[8545]: warning: SASL authentication failure: Password verification failed
More details

/etc/default/saslauthd

Code:
    START=yes
    PWDIR="/var/spool/postfix/var/run/saslauthd"
    PARAMS="-m ${PWDIR} -r"
    PIDFILE="${PWDIR}/saslauthd.pid"
    DESC="SASL Authentication Daemon"
    NAME="saslauthd"
    MECHANISMS="pam"
    MECH_OPTIONS=""
    THREADS=5
    OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"

/etc/postfix/master.cf

Code:
    smtp      inet  n       -       -       -       -       smtpd -vv
    smtps     inet  n       -       -       -       -       smtpd
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
    pickup    fifo  n       -       -       60      1       pickup
    cleanup   unix  n       -       -       -       0       cleanup
    qmgr      fifo  n       -       n       300     1       qmgr
    tlsmgr    unix  -       -       -       1000?   1       tlsmgr
    rewrite   unix  -       -       -       -       -       trivial-rewrite
    bounce    unix  -       -       -       -       0       bounce
    defer     unix  -       -       -       -       0       bounce
    trace     unix  -       -       -       -       0       bounce
    verify    unix  -       -       -       -       1       verify
    flush     unix  n       -       -       1000?   0       flush
    proxymap  unix  -       -       n       -       -       proxymap
    proxywrite unix -       -       n       -       1       proxymap
    smtp      unix  -       -       -       -       -       smtp
    relay     unix  -       -       -       -       -       smtp
      -o smtp_fallback_relay=
    showq     unix  n       -       -       -       -       showq
    error     unix  -       -       -       -       -       error
    retry     unix  -       -       -       -       -       error
    discard   unix  -       -       -       -       -       discard
    local     unix  -       n       n       -       -       local
    virtual   unix  -       n       n       -       -       virtual
    lmtp      unix  -       -       -       -       -       lmtp
    anvil     unix  -       -       -       -       1       anvil
    scache    unix  -       -       -       -       1       scache
    maildrop  unix  -       n       n       -       -       pipe
      flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
    uucp      unix  -       n       n       -       -       pipe
      flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
    ifmail    unix  -       n       n       -       -       pipe
      flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
    bsmtp     unix  -       n       n       -       -       pipe
      flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
    scalemail-backend unix - n      n       -       2       pipe
      flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
    mailman   unix  -       n       n       -       -       pipe
      flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}

I also tried adding the postfix user to the root group to see if it was file access related, but it didn't seem to help, so I removed it.
/etc/default/saslauthd should look as follows:

Code:
    #
    # Settings for saslauthd daemon
    # Please read /usr/share/doc/sasl2-bin/README.Debian for details.
    #

    # Should saslauthd run automatically on startup? (default: no)
    START=yes

    # Description of this saslauthd instance. Recommended.
    # (suggestion: SASL Authentication Daemon)
    DESC="SASL Authentication Daemon"

    # Short name of this saslauthd instance. Strongly recommended.
    # (suggestion: saslauthd)
    NAME="saslauthd"

    # Which authentication mechanisms should saslauthd use? (default: pam)
    #
    # Available options in this Debian package:
    # getpwent  -- use the getpwent() library function
    # kerberos5 -- use Kerberos 5
    # pam       -- use PAM
    # rimap     -- use a remote IMAP server
    # shadow    -- use the local shadow password file
    # sasldb    -- use the local sasldb database file
    # ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
    #
    # Only one option may be used at a time. See the saslauthd man page
    # for more information.
    #
    # Example: MECHANISMS="pam"
    MECHANISMS="pam"

    # Additional options for this mechanism. (default: none)
    # See the saslauthd man page for information about mech-specific options.
    MECH_OPTIONS=""

    # How many saslauthd processes should we run? (default: 5)
    # A value of 0 will fork a new process for each connection.
    THREADS=5

    # Other options (default: -c -m /var/run/saslauthd)
    # Note: You MUST specify the -m option or saslauthd won't run!
    #
    # See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
    # See the saslauthd man page for general information about these options.
    #
    # Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
    #OPTIONS="-c -m /var/run/saslauthd"
    OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"

That's what it did look like until my last attempt to resolve this. I added the entries for

    PWDIR="/var/spool/postfix/var/run/saslauthd"
    PARAMS="-m ${PWDIR} -r"
    PIDFILE="${PWDIR}/saslauthd.pid"

They had no apparent effect. I've taken them out again, still the same results.

Rather than bounce back and forth, here's the output from saslfinger also.

Code:
    root@mail:# ls -la /var/spool/postfix/var/run/saslauthd/
    total 940
    drwxr-xr-x 2 root    sasl   4096 2008-07-08 22:48 .
    drwxr-xr-x 3 postfix root   4096 2008-06-23 19:20 ..
    -rw------- 1 root    root      0 2008-07-08 22:48 cache.flock
    -rw------- 1 root    root 945152 2008-07-08 22:48 cache.mmap
    srwxrwxrwx 1 root    root      0 2008-07-08 22:48 mux
    -rw------- 1 root    root      0 2008-07-08 22:48 mux.accept
    -rw------- 1 root    root      6 2008-07-08 22:48 saslauthd.pid
    root@mail:/tmp/saslfinger-1.0.2# saslfinger
    root@mail:# saslfinger -s
    saslfinger - postfix Cyrus sasl configuration Wed Jul 9 23:38:16 EDT 2008
    version: 1.0.4
    mode: server-side SMTP AUTH

    -- basics --
    Postfix: 2.5.1
    System: Ubuntu 8.04 \n \l

    -- smtpd is linked to --
    libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7cdb000)

    -- active SMTP AUTH and TLS parameters for smtpd --
    broken_sasl_auth_clients = yes
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_sasl_local_domain =
    smtpd_sasl_path = smtpd
    smtpd_sasl_security_options = noanonymous
    smtpd_tls_cert_file = /etc/postfix/postfix.cert
    smtpd_tls_key_file = /etc/postfix/postfix.key
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_security_level = may
    smtpd_tls_session_cache_timeout = 3600s
    smtpd_use_tls = yes

    -- listing of /usr/lib/sasl2 --
    total 800
    drwxr-xr-x  2 root root  4096 2008-07-01 22:54 .
    drwxr-xr-x 58 root root 20480 2008-07-07 18:14 ..
    -rw-r--r--  1 root root 13568 2008-04-09 17:50 libanonymous.a
    -rw-r--r--  1 root root   862 2008-04-09 17:49 libanonymous.la
    -rw-r--r--  1 root root 12984 2008-04-09 17:50 libanonymous.so
    -rw-r--r--  1 root root 12984 2008-04-09 17:50 libanonymous.so.2
    -rw-r--r--  1 root root 12984 2008-04-09 17:50 libanonymous.so.2.0.22
    -rw-r--r--  1 root root 15834 2008-04-09 17:50 libcrammd5.a
    -rw-r--r--  1 root root   848 2008-04-09 17:49 libcrammd5.la
    -rw-r--r--  1 root root 15320 2008-04-09 17:50 libcrammd5.so
    -rw-r--r--  1 root root 15320 2008-04-09 17:50 libcrammd5.so.2
    -rw-r--r--  1 root root 15320 2008-04-09 17:50 libcrammd5.so.2.0.22
    -rw-r--r--  1 root root 46332 2008-04-09 17:50 libdigestmd5.a
    -rw-r--r--  1 root root   871 2008-04-09 17:49 libdigestmd5.la
    -rw-r--r--  1 root root 43020 2008-04-09 17:50 libdigestmd5.so
    -rw-r--r--  1 root root 43020 2008-04-09 17:50 libdigestmd5.so.2
    -rw-r--r--  1 root root 43020 2008-04-09 17:50 libdigestmd5.so.2.0.22
    -rw-r--r--  1 root root 13574 2008-04-09 17:50 liblogin.a
    -rw-r--r--  1 root root   842 2008-04-09 17:49 liblogin.la
    -rw-r--r--  1 root root 13268 2008-04-09 17:50 liblogin.so
    -rw-r--r--  1 root root 13268 2008-04-09 17:50 liblogin.so.2
    -rw-r--r--  1 root root 13268 2008-04-09 17:50 liblogin.so.2.0.22
    -rw-r--r--  1 root root 30016 2008-04-09 17:50 libntlm.a
    -rw-r--r--  1 root root   836 2008-04-09 17:49 libntlm.la
    -rw-r--r--  1 root root 29236 2008-04-09 17:50 libntlm.so
    -rw-r--r--  1 root root 29236 2008-04-09 17:50 libntlm.so.2
    -rw-r--r--  1 root root 29236 2008-04-09 17:50 libntlm.so.2.0.22
    -rw-r--r--  1 root root 13798 2008-04-09 17:50 libplain.a
    -rw-r--r--  1 root root   842 2008-04-09 17:49 libplain.la
    -rw-r--r--  1 root root 13396 2008-04-09 17:50 libplain.so
    -rw-r--r--  1 root root 13396 2008-04-09 17:50 libplain.so.2
    -rw-r--r--  1 root root 13396 2008-04-09 17:50 libplain.so.2.0.22
    -rw-r--r--  1 root root 22126 2008-04-09 17:50 libsasldb.a
    -rw-r--r--  1 root root   873 2008-04-09 17:49 libsasldb.la
    -rw-r--r--  1 root root 18080 2008-04-09 17:50 libsasldb.so
    -rw-r--r--  1 root root 18080 2008-04-09 17:50 libsasldb.so.2
    -rw-r--r--  1 root root 18080 2008-04-09 17:50 libsasldb.so.2.0.22
    -rw-r--r--  1 root root 23696 2008-04-09 17:50 libsql.a
    -rw-r--r--  1 root root   971 2008-04-09 17:49 libsql.la
    -rw-r--r--  1 root root 23140 2008-04-09 17:50 libsql.so
    -rw-r--r--  1 root root 23140 2008-04-09 17:50 libsql.so.2
    -rw-r--r--  1 root root 23140 2008-04-09 17:50 libsql.so.2.0.22

    -- listing of /etc/postfix/sasl --
    total 12
    drwxr-xr-x 2 root root 4096 2008-07-01 18:08 .
    drwxr-xr-x 3 root root 4096 2008-06-30 21:48 ..
    -rw-r--r-- 1 root root  360 2008-07-08 21:48 smtpd.conf

    -- content of /etc/postfix/sasl/smtpd.conf --
    pwcheck_method: saslauthd
    mech_list: plain login
    saslauthd_path: /var/spool/postfix/var/run/saslauthd/mux
    sql_engine: mysql
    sql_hostnames: 127.0.0.1
    sql_user: --- replaced ---
    sql_passwd: --- replaced ---
    sql_database: postfix
    sql_select: select password from mailbox where username='%u@%r' and active = 1
    #sql_select: select password from mailbox where username='%u@%r'

    -- active services in /etc/postfix/master.cf --
    # service type  private unpriv  chroot  wakeup  maxproc command + args
    #               (yes)   (yes)   (yes)   (never) (100)
    smtp      inet  n       -       -       -       -       smtpd -vv
    smtps     inet  n       -       -       -       -       smtpd
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
    pickup    fifo  n       -       -       60      1       pickup
    cleanup   unix  n       -       -       -       0       cleanup
    qmgr      fifo  n       -       n       300     1       qmgr
    tlsmgr    unix  -       -       -       1000?   1       tlsmgr
    rewrite   unix  -       -       -       -       -       trivial-rewrite
    bounce    unix  -       -       -       -       0       bounce
    defer     unix  -       -       -       -       0       bounce
    trace     unix  -       -       -       -       0       bounce
    verify    unix  -       -       -       -       1       verify
    flush     unix  n       -       -       1000?   0       flush
    proxymap  unix  -       -       n       -       -       proxymap
    proxywrite unix -       -       n       -       1       proxymap
    smtp      unix  -       -       -       -       -       smtp
    relay     unix  -       -       -       -       -       smtp
      -o smtp_fallback_relay=
    showq     unix  n       -       -       -       -       showq
    error     unix  -       -       -       -       -       error
    retry     unix  -       -       -       -       -       error
    discard   unix  -       -       -       -       -       discard
    local     unix  -       n       n       -       -       local
    virtual   unix  -       n       n       -       -       virtual
    lmtp      unix  -       -       -       -       -       lmtp
    anvil     unix  -       -       -       -       1       anvil
    scache    unix  -       -       -       -       1       scache
    maildrop  unix  -       n       n       -       -       pipe
      flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
    uucp      unix  -       n       n       -       -       pipe
      flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
    ifmail    unix  -       n       n       -       -       pipe
      flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
    bsmtp     unix  -       n       n       -       -       pipe
      flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
    scalemail-backend unix - n      n       -       2       pipe
      flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
    mailman   unix  -       n       n       -       -       pipe
      flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}

    -- mechanisms on localhost --
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN

    -- end of saslfinger output --

As I was attempting to track this down I also found that while using testsaslauthd I was getting the same failures, but then I tried to authenticate against a local user instead of one of the users set up via the mysql / postfixadmin stuff that it worked. I can't send mail to that user since the server is configured to accept only the virtual setup, but I'm not sure that it's actually talking to the database.

I also ran across some postings that seem to indicate that folks who had this working prior to the 8.04 release had it break when they upgraded. References to bugs filed, etc., but nothing I found seemed to give a resolution, although one reference seemed to infer they had found one. I thought I'd left that group of tabs open but apparently not. (It was late) I'll try to go back through history and dig them up again.
(It's late again now and I've just gotten home.) Thanks again for all your help so far. This has been a more esoteric pursuit than I first imagined.
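
An added example, not code from any poster in this thread: connecting to a UNIX socket needs search permission on every directory in its path and write permission on the socket itself, so "Permission denied" can be narrowed down by evaluating each component for the connecting identity. The numeric ids and the modes of the upper directories below are assumptions; only the last three entries mirror the `ls` output in the post above.

```python
import os
import stat
from types import SimpleNamespace

def allowed(mode, owner, group, uid, gids, want):
    """Classic Unix mode check: pick the owner, group or other triplet, then test `want`."""
    if uid == 0:
        return True  # root is not limited by mode bits for search or write
    if uid == owner:
        bits = (mode >> 6) & 7
    elif group in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return (bits & want) == want

def trace(path, uid, gids, stat_fn=os.stat):
    """Return (component, needed, ok) for each step of a connect() to the socket at `path`."""
    steps, cur = ["/"], "/"
    for name in os.path.abspath(path).strip("/").split("/"):
        cur = os.path.join(cur, name)
        steps.append(cur)
    report = []
    for i, step in enumerate(steps):
        st = stat_fn(step)
        # every directory on the way needs search (x); the socket itself needs write (w)
        want, need = (2, "write") if i == len(steps) - 1 else (1, "search")
        ok = allowed(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, uid, gids, want)
        report.append((step, need, ok))
    return report

def first_denial(path, uid, gids, stat_fn=os.stat):
    """First component the identity cannot pass, or None when mode bits allow the connect."""
    return next(((p, need) for p, need, ok in trace(path, uid, gids, stat_fn) if not ok), None)

# Constructed sample. Numeric ids are made up; the last three entries use the modes and
# owners from the ls output in the post; the upper directories are assumed root:root 0755.
ROOT, POSTFIX_UID, POSTFIX_GID, SASL_GID = 0, 105, 112, 45
MUX = "/var/spool/postfix/var/run/saslauthd/mux"
RUN_DIR = os.path.dirname(MUX)
SAMPLE = {p: (0o755, ROOT, ROOT) for p in
          ("/", "/var", "/var/spool", "/var/spool/postfix", "/var/spool/postfix/var")}
SAMPLE[os.path.dirname(RUN_DIR)] = (0o755, POSTFIX_UID, ROOT)
SAMPLE[RUN_DIR] = (0o755, ROOT, SASL_GID)
SAMPLE[MUX] = (0o777, ROOT, ROOT)

def sample_stat(path, run_dir_mode=None):
    mode, uid, gid = SAMPLE[path]
    if path == RUN_DIR and run_dir_mode is not None:
        mode = run_dir_mode  # constructed variant of the saslauthd directory's mode
    return SimpleNamespace(st_mode=mode, st_uid=uid, st_gid=gid)

if __name__ == "__main__":
    tight = lambda p: sample_stat(p, 0o710)  # directory limited to group sasl
    print(first_denial(MUX, POSTFIX_UID, {POSTFIX_GID}, tight))
```

Mode bits are only one layer: this check does not see ACLs, mandatory access control policy or a chroot. Supplementary groups are fixed when a process starts, so on a live system compare against the groups of the running smtpd (the `Groups:` line in `/proc/<pid>/status`) rather than the output of `adduser`.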

OK, I found the posting. It's from the mail.unix.cyrus-sasl newsgroup.

Code:
    >> That is not the Postfix chroot!
    >
    > Apologies, here is the correct directory:
    >
    > root@collab:/var/spool/postfix/var/run/saslauthd# ls -al
    > total 980
    > drwxr-x--- 2 root postfix 4096 2008-06-16 13:05 .
    > drwxr-xr-x 3 root root 4096 2008-06-16 13:05 ..
    > -rw------- 1 root root 0 2008-06-16 13:05 cache.flock
    > -rw------- 1 root root 986112 2008-06-16 13:05 cache.mmap
    > srwxrwxrwx 1 root root 0 2008-06-16 13:05 mux
    > -rw------- 1 root root 0 2008-06-16 13:05 mux.accept
    > -rw------- 1 root root 6 2008-06-16 13:05 saslauthd.pid
    >
    > as you can see I have even set the ownership to postfix to make it
    > easier, but no joy, I am getting the same old
    > Jun 16 13:06:34 collab postfix/smtpd[31367]: warning: SASL
    > authentication failure: cannot connect to saslauthd server: Permission
    > denied
    > Jun 16 13:06:34 collab postfix/smtpd[31367]: warning: SASL
    > authentication failure: Password verification failed
    > Jun 16 13:06:34 collab postfix/smtpd[31367]: warning:
    > unknown[66.7.58.13]: SASL PLAIN authentication failed: generic failure
    > Jun 16 13:06:36 collab postfix/smtpd[31367]: warning: SASL
    > authentication failure: cannot connect to saslauthd server: Permission
    > denied
    >
    > and this worked bfore the upgrade. highly annoying this :(
    >
    > thanks

    Hi,

    I never understood why Debian thinks that the saslauthd_path needs to be
    defined in its configuration file (smtpd.conf) when it is even the default
    (compiled) path. Anyway, correct your path setting according to the
    documentation.

    /usr/share/doc/cyrus-sasl-2.1.19/options.html

    <TD>saslauthd_path</TD><TD>SASL Library</TD>
    <TD>Path to saslauthd run directory (<b>including</b> the "/mux" named pipe)</TD>
    <TD>system dependant (generally won't need to be changed)</TD>

    In a former mail you had written:

    I did change that to
    saslauthd_path: /var/spool/postfix/var/run/saslauthd

    I am pretty sure you will succeed then.

and the reply was:

    and rightly so :)

Does it sound to you like he fixed it? I've sent him an email, so we'll see if he responds.

Code:
    auth required pam_mysql.so user=--replaced-- passwd=--replaced-- host=127.0.0.1 db=postfix table=mailbox usercolumn=username passwdcolumn=password crypt=1
    account sufficient pam_mysql.so user=--replaced-- passwd=--replaced-- host=127.0.0.1 db=postfix table=mailbox usercolumn=username passwdcolumn=password crypt=1

Yes, it seems to be fine. I can login from a command line client and query for things with no problem. I've got 3 different webmail interfaces running and working fine authenticating against that database so I started working with testsaslauthd to figure out what's up. After starting saslauthd in debug mode I'm getting this:

Code:
    saslauthd[15484] :rel_accept_lock : released accept lock
    saslauthd[15484] :cache_get_rlock : attempting a read lock on slot: 304
    saslauthd[15484] :cache_lookup : [[email protected]] [service=] [realm=imap]: not found, update pending
    saslauthd[15484] :cache_un_lock : attempting to release lock on slot: 304
    saslauthd[15484] :do_auth : auth failure: [[email protected]] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
    saslauthd[15484] :get_accept_lock : acquired accept lock
    0: NO "authentication failed"

Hi Dragonator,

I was in the same situation - tried to fight this problem for more than 3 days with no luck. Finally I gave up and went back to Ubuntu 7.10 and guess... Got it working all in less than 30 minutes. This is definitely not the way forward, but probably may be used as the hint for Postfix and/or Ubuntu developers that something went wrong in 8.04.

regards
Orama

OK, new update. After playing with things in the database a bit manually with phpmyadmin I believe I've determined that the encryption method doesn't match when using saslauthd/pam as opposed to everything else. If I'm reading things correctly it appears that all the pieces I'm using so far, PostfixAdmin, Courier, etc., are all doing MD5 encryption, and that's what is stored in the mysql database. If I access the data using anything other than sasl/pam it works fine. I changed the encryption method to PASSWORD, MD5, and ENCRYPT. As long as it's set for ENCRYPT when I update the password testsaslauthd works ok. Once I found that I thought I was home free, but I still can't connect with my mail client though, so I'm kind of at a loss. One thing I haven't been able to find docs for is the meaning of some of the options in the /etc/pam.d/smtp file. At the end of both the ACCOUNT and AUTH lines there's an option of crypt=1 I've seen a couple of references that are also using MD5=1. I've tried both ways, together and independently with no success. I also found some reference to crypt=2 and crypt=3. Tried both of those as well, still no luck. Anyone out there who can point me to the details on that? I suspect that may be the underlying cause since nothing is using pam except the saslauthd.
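
An added example, not code from the thread or from pam_mysql: because the post above asks what `crypt=` means, this sketch classifies values from the `password` column by their shape and lists the accounts that do not fit the configured `crypt=` value. The `crypt=` numbering is taken from the pam_mysql README as an assumption to verify against the installed version, and the rows are constructed.

```python
import hashlib
import re

# `crypt=` values as listed in the pam_mysql README (assumption: verify against the
# README shipped with your pam_mysql version).
PAM_MYSQL_CRYPT = {"plain": 0, "crypt": 1, "mysql": 2, "md5": 3, "sha1": 4}

B64 = r"[./0-9A-Za-z]"
FORMATS = [
    # (description, pam_mysql scheme, pattern)
    ("MD5-crypt, crypt(3) with $1$ salt", "crypt",
     re.compile(rf"^\$1\${B64}{{1,8}}\${B64}{{22}}$")),
    ("DES crypt(3), e.g. MySQL ENCRYPT()", "crypt", re.compile(rf"^{B64}{{13}}$")),
    ("MySQL PASSWORD() (4.1+)", "mysql", re.compile(r"^\*[0-9A-Fa-f]{40}$")),
    ("MySQL OLD_PASSWORD()", "mysql", re.compile(r"^[0-9a-f]{16}$")),
    ("hex MD5, e.g. MySQL MD5()", "md5", re.compile(r"^[0-9a-f]{32}$")),
    ("hex SHA-1", "sha1", re.compile(r"^[0-9a-f]{40}$")),
]

def classify(stored):
    """Return (description, crypt value) for one stored password column value.

    Shape alone cannot tell a 13-character plaintext from a DES crypt string.
    """
    for desc, scheme, pattern in FORMATS:
        if pattern.match(stored):
            return desc, PAM_MYSQL_CRYPT[scheme]
    return "plaintext or unrecognised", PAM_MYSQL_CRYPT["plain"]

def mismatches(rows, configured_crypt):
    """Accounts whose stored value does not look like what crypt=<configured_crypt> expects."""
    found = []
    for user, stored in rows:
        desc, value = classify(stored)
        if value != configured_crypt:
            found.append((user, desc))
    return found

# Constructed rows: made-up users; the values have the right shape but are not real hashes.
ROWS = [
    ("alice@example.test", "$1$c0nstruc$" + "A" * 22),
    ("bob@example.test", hashlib.md5(b"constructed").hexdigest()),
    ("carol@example.test", "ab" + "C" * 11),
]

if __name__ == "__main__":
    for user, desc in mismatches(ROWS, configured_crypt=1):
        print(f"{user}: stored as {desc}, not verifiable with crypt=1")
```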

Just a follow up to let folks know what I found. After waaay too much time trying to debug this I bit the bullet and dropped back to the 7.10 build. A few hours walking through the process again and, to quote one of my favorite movies, "Bingo, Bango, Bongo, nothing can go wrongo!"

Thanks for your patience through all this, particularly Falko for a great series of howto articles. Now I'm off to integrate my webmail branding customizations, and integrate the ASSP filtering. Oh yes, and report what certainly appears to be a bug to our intrepid Ubuntu devs so they can have a look.

postfixadmin ubuntu 8.04

Sorry, I want to ask Falko: I finished the configuration following your steps at http://www.howtoforge.com/virtual-users-domains-postfix-courier-mysql-squirrelmail-ubuntu8.04 and now, can you give me a step-by-step on how to configure your tutorial with postfixadmin on Ubuntu 8.04? Thanks a lot in advance.