postfix does not authenticate through saslauthd

Discussion in 'Server Operation' started by openman, Nov 18, 2008.

  1. openman

    openman New Member

    Hello,
    I have upgraded from Ubuntu 6.06 LTS to 8.01 LTS, and after that it is impossible to authenticate through saslauthd from Thunderbird to send e-mail.

    The following command, I believe, shows saslauthd to be without configuration problems:
    Code:
    testsaslauthd -f /var/spool/postfix/var/run/saslauthd/mux -u user -p password.
    0: OK "Success."
    The saslfinger gives the following:
    Code:
    saslfinger - postfix Cyrus sasl configuration Τρι 18 Νοέ 2008 08:13:00 μμ EET
    version: 1.0.4
    mode: server-side SMTP AUTH
    
    -- basics --
    Postfix: 2.5.4
    System: Ubuntu 8.04.1 \n \l
    
    -- smtpd is linked to --
            libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7d23000)
    
    -- active SMTP AUTH and TLS parameters for smtpd --
    broken_sasl_auth_clients = yes
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_local_domain =
    smtpd_sasl_path = /etc/postfix/sasl/
    smtpd_sasl_security_options = noanonymous
    smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
    smtpd_tls_auth_only = no
    smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
    smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
    smtpd_tls_loglevel = 0
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
    smtpd_tls_session_cache_timeout = 3600s
    smtpd_use_tls = yes
    
    
    -- listing of /usr/lib/sasl2 --
    total 796
    drwxr-xr-x  2 root root  4096 2008-11-06 09:04 .
    drwxr-xr-x 59 root root 16384 2008-11-18 20:11 ..
    -rw-r--r--  1 root root 13568 2008-04-10 00:50 libanonymous.a
    -rw-r--r--  1 root root   862 2008-04-10 00:49 libanonymous.la
    -rw-r--r--  1 root root 12984 2008-04-10 00:50 libanonymous.so
    -rw-r--r--  1 root root 12984 2008-04-10 00:50 libanonymous.so.2
    -rw-r--r--  1 root root 12984 2008-04-10 00:50 libanonymous.so.2.0.22
    -rw-r--r--  1 root root 15834 2008-04-10 00:50 libcrammd5.a
    -rw-r--r--  1 root root   848 2008-04-10 00:49 libcrammd5.la
    -rw-r--r--  1 root root 15320 2008-04-10 00:50 libcrammd5.so
    -rw-r--r--  1 root root 15320 2008-04-10 00:50 libcrammd5.so.2
    -rw-r--r--  1 root root 15320 2008-04-10 00:50 libcrammd5.so.2.0.22
    -rw-r--r--  1 root root 46332 2008-04-10 00:50 libdigestmd5.a
    -rw-r--r--  1 root root   871 2008-04-10 00:49 libdigestmd5.la
    -rw-r--r--  1 root root 43020 2008-04-10 00:50 libdigestmd5.so
    -rw-r--r--  1 root root 43020 2008-04-10 00:50 libdigestmd5.so.2
    -rw-r--r--  1 root root 43020 2008-04-10 00:50 libdigestmd5.so.2.0.22
    -rw-r--r--  1 root root 13574 2008-04-10 00:50 liblogin.a
    -rw-r--r--  1 root root   842 2008-04-10 00:49 liblogin.la
    -rw-r--r--  1 root root 13268 2008-04-10 00:50 liblogin.so
    -rw-r--r--  1 root root 13268 2008-04-10 00:50 liblogin.so.2
    -rw-r--r--  1 root root 13268 2008-04-10 00:50 liblogin.so.2.0.22
    -rw-r--r--  1 root root 30016 2008-04-10 00:50 libntlm.a
    -rw-r--r--  1 root root   836 2008-04-10 00:49 libntlm.la
    -rw-r--r--  1 root root 29236 2008-04-10 00:50 libntlm.so
    -rw-r--r--  1 root root 29236 2008-04-10 00:50 libntlm.so.2
    -rw-r--r--  1 root root 29236 2008-04-10 00:50 libntlm.so.2.0.22
    -rw-r--r--  1 root root 13798 2008-04-10 00:50 libplain.a
    -rw-r--r--  1 root root   842 2008-04-10 00:49 libplain.la
    -rw-r--r--  1 root root 13396 2008-04-10 00:50 libplain.so
    -rw-r--r--  1 root root 13396 2008-04-10 00:50 libplain.so.2
    -rw-r--r--  1 root root 13396 2008-04-10 00:50 libplain.so.2.0.22
    -rw-r--r--  1 root root 22126 2008-04-10 00:50 libsasldb.a
    -rw-r--r--  1 root root   873 2008-04-10 00:49 libsasldb.la
    -rw-r--r--  1 root root 18080 2008-04-10 00:50 libsasldb.so
    -rw-r--r--  1 root root 18080 2008-04-10 00:50 libsasldb.so.2
    -rw-r--r--  1 root root 18080 2008-04-10 00:50 libsasldb.so.2.0.22
    -rw-r--r--  1 root root 23696 2008-04-10 00:50 libsql.a
    -rw-r--r--  1 root root   971 2008-04-10 00:49 libsql.la
    -rw-r--r--  1 root root 23140 2008-04-10 00:50 libsql.so
    -rw-r--r--  1 root root 23140 2008-04-10 00:50 libsql.so.2
    -rw-r--r--  1 root root 23140 2008-04-10 00:50 libsql.so.2.0.22
    
    -- listing of /etc/postfix/sasl --
    total 12
    drwxr-xr-x 2 root root 4096 2007-06-25 13:30 .
    drwxr-xr-x 4 root root 4096 2008-11-18 13:27 ..
    -rw-r--r-- 1 root root   85 2008-11-08 09:09 smtpd.conf
    
    
    
    
    -- content of /etc/postfix/sasl/smtpd.conf --
    pwcheck_method: saslauthd
    mech_list: plain login
    log_level: 10
    allow_plaintext: true
    
    -- content of /etc/postfix/sasl/smtpd.conf --
    pwcheck_method: saslauthd
    mech_list: plain login
    log_level: 10
    allow_plaintext: true
    
    
    -- active services in /etc/postfix/master.cf --
    # service type  private unpriv  chroot  wakeup  maxproc command + args
    #               (yes)   (yes)   (yes)   (never) (100)
    smtp      inet  n       -       -       -       -       smtpd
    pickup    fifo  n       -       -       60      1       pickup
    cleanup   unix  n       -       -       -       0       cleanup
    qmgr      fifo  n       -       n       300     1       qmgr
    tlsmgr    unix  -       -       -       1000?   1       tlsmgr
    rewrite   unix  -       -       -       -       -       trivial-rewrite
    bounce    unix  -       -       -       -       0       bounce
    defer     unix  -       -       -       -       0       bounce
    trace     unix  -       -       -       -       0       bounce
    verify    unix  -       -       -       -       1       verify
    flush     unix  n       -       -       1000?   0       flush
    proxymap  unix  -       -       n       -       -       proxymap
    smtp      unix  -       -       -       -       -       smtp
    relay     unix  -       -       -       -       -       smtp
            -o fallback_relay=
    showq     unix  n       -       -       -       -       showq
    error     unix  -       -       -       -       -       error
    discard   unix  -       -       -       -       -       discard
    local     unix  -       n       n       -       -       local
    virtual   unix  -       n       n       -       -       virtual
    lmtp      unix  -       -       -       -       -       lmtp
    anvil     unix  -       -       -       -       1       anvil
    scache    unix  -       -       -       -       1       scache
    maildrop  unix  -       n       n       -       -       pipe
      flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
    uucp      unix  -       n       n       -       -       pipe
      flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
    ifmail    unix  -       n       n       -       -       pipe
      flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
    bsmtp     unix  -       n       n       -       -       pipe
      flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
    scalemail-backend unix  -       n       n       -       2       pipe
      flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
    mailman   unix  -       n       n       -       -       pipe
      flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
      ${nexthop} ${user}
    
    amavis unix - - - - 2 smtp
            -o smtp_data_done_timeout=1200
            -o smtp_send_xforward_command=yes
    
    127.0.0.1:10025 inet n - - - - smtpd
            -o content_filter=
            -o local_recipient_maps=
            -o relay_recipient_maps=
            -o smtpd_restriction_classes=
            -o smtpd_client_restrictions=
            -o smtpd_helo_restrictions=
            -o smtpd_sender_restrictions=
            -o smtpd_recipient_restrictions=permit_mynetworks,reject
            -o mynetworks=127.0.0.0/8
            -o strict_rfc821_envelopes=yes
            -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
            -o smtpd_bind_address=127.0.0.1
    retry     unix  -       -       -       -       -       error
    
    -- mechanisms on localhost --
    250-AUTH NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
    250-AUTH=NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
    
    
    -- end of saslfinger output --
    The mail.info gives the following:
    Code:
    Nov 18 19:56:53 galinos postfix/master[1584]: daemon started -- version 2.5.4, configuration /etc/postfix
    Nov 18 19:57:07 galinos postfix/tlsmgr[1591]: warning: request to update table btree:/var/spool/postfix/smtpd_scache in non-postfix directory /var/spool/postfix
    Nov 18 19:57:07 galinos postfix/tlsmgr[1591]: warning: redirecting the request to postfix-owned data_directory /var/lib/postfix
    Nov 18 19:57:07 galinos postfix/tlsmgr[1591]: warning: request to update table btree:/var/spool/postfix/smtp_scache in non-postfix directory /var/spool/postfix
    Nov 18 19:57:07 galinos postfix/tlsmgr[1591]: warning: redirecting the request to postfix-owned data_directory /var/lib/postfix
    Nov 18 19:57:07 galinos postfix/smtpd[1589]: connect from unknown[195.167.65.109]
    Nov 18 19:57:14 galinos postfix/smtpd[1589]: warning: SASL authentication failure: no secret in database
    Nov 18 19:57:14 galinos postfix/smtpd[1589]: warning: unknown[195.167.65.109]: SASL CRAM-MD5 authentication failed: authentication failure
    Nov 18 19:57:15 galinos postfix/smtpd[1589]: warning: SASL authentication failure: no secret in database
    Nov 18 19:57:15 galinos postfix/smtpd[1589]: warning: unknown[195.167.65.109]: SASL NTLM authentication failed: authentication failure
    Nov 18 19:57:15 galinos postfix/smtpd[1589]: warning: SASL authentication failure: Password verification failed
    Nov 18 19:57:15 galinos postfix/smtpd[1589]: warning: unknown[195.167.65.109]: SASL PLAIN authentication failed: authentication failure
    Nov 18 19:57:16 galinos postfix/smtpd[1589]: warning: unknown[195.167.65.109]: SASL LOGIN authentication failed: authentication failure
    Nov 18 19:57:21 galinos postfix/smtpd[1589]: warning: SASL authentication failure: no secret in database
    Nov 18 19:57:21 galinos postfix/smtpd[1589]: warning: unknown[195.167.65.109]: SASL CRAM-MD5 authentication failed: authentication failure
    Nov 18 19:57:22 galinos postfix/smtpd[1589]: warning: SASL authentication failure: no secret in database
    Nov 18 19:57:22 galinos postfix/smtpd[1589]: warning: unknown[195.167.65.109]: SASL NTLM authentication failed: authentication failure
    Nov 18 19:57:22 galinos postfix/smtpd[1589]: warning: SASL authentication failure: Password verification failed
    Nov 18 19:57:22 galinos postfix/smtpd[1589]: warning: unknown[195.167.65.109]: SASL PLAIN authentication failed: authentication failure
    Nov 18 19:57:23 galinos postfix/smtpd[1589]: warning: unknown[195.167.65.109]: SASL LOGIN authentication failed: authentication failure
    Nov 18 19:57:25 galinos postfix/smtpd[1589]: disconnect from unknown[195.167.65.109]
    
    Apart from the above, I cannot understand why the authentication methods are not limited in the ehlo command when in smtpd.conf they are limited to "plain text".

    Any ideas?
     
  2. _X_

    _X_ New Member

    Do you have:
    smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination

    in /etc/postfix/main.cf?
     
  3. openman

    openman New Member

    yes,
    Code:
    smtpd_recipient_restrictions =  permit_sasl_authenticated, permit_mynetworks ,  reject_unauth_destination
    
     
  4. _X_

    _X_ New Member

  5. _X_

    _X_ New Member

  6. openman

    openman New Member

    None of the above helped...

    Why does it present all authentication methods even when it is limited to plain login in the configuration?
     
    Last edited: Nov 18, 2008
  7. _X_

    _X_ New Member

    Does mail auth work from other mail clients like Outlook (Express)?
     
  8. openman

    openman New Member

    No, it does not.
     
  9. _X_

    _X_ New Member

    Can you post main.cf?
     
  10. openman

    openman New Member

    main.cf
    Code:
    # See /usr/share/postfix/main.cf.dist for a commented, more complete version
    
    
    # Debian specific:  Specifying a file name will cause the first
    # line of that file to be used as the name.  The Debian default
    # is /etc/mailname.
    #myorigin = /etc/mailname
    
    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    biff = no
    
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    
    # Uncomment the next line to generate "delayed mail" warnings
    delay_warning_time = 6h
    
    # TLS parameters
    smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
    smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtpd_tls_auth_only = no
    smtp_tls_note_starttls_offer = yes
    smtpd_tls_loglevel = 0
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
    
    
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_local_domain = 
    smtpd_sasl_path = /etc/postfix/sasl/
    broken_sasl_auth_clients = yes
    smtpd_tls_auth_only = no
    
    smtpd_recipient_restrictions =  permit_sasl_authenticated, permit_mynetworks ,  reject_unauth_destination
    
    # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
    # information on enabling SSL in the smtp client.
    
    myhostname = galinos.xxx.xxx
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = /etc/mailname
    mydestination = galinos.xxx.xxx
    relayhost =
    mynetworks = 127.0.0.0/8
    mailbox_command = procmail -a "$EXTENSION"
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all
    content_filter = amavis:[127.0.0.1]:10024
    receive_override_options = no_address_mappings
    home_mailbox = Maildir/
    
    smtpd_helo_required = yes
    disable_vrfy_command = yes
    strict_rfc821_envelopes = yes
    invalid_hostname_reject_code = 554
    multi_recipient_bounce_reject_code = 554
    non_fqdn_reject_code = 554
    relay_domains_reject_code = 554
    unknown_address_reject_code = 554
    unknown_client_reject_code = 554
    unknown_hostname_reject_code = 554
    unknown_local_recipient_reject_code = 554
    unknown_relay_recipient_reject_code = 554
    unknown_sender_reject_code = 554
    unknown_virtual_alias_reject_code = 554
    unknown_virtual_mailbox_reject_code = 554
    unverified_recipient_reject_code = 554
    unverified_sender_reject_code = 554
    
    readme_directory = /usr/share/doc/postfix
    html_directory = /usr/share/doc/postfix/html
    smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
    
     
  11. falko

    falko Super Moderator Howtoforge Staff

    What's in /etc/default/saslauthd?
     
  12. openman

    openman New Member

    /etc/default/saslauthd
    Code:
    #
    # Settings for saslauthd daemon
    # Please read /usr/share/doc/sasl2-bin/README.Debian for details.
    #
    
    # Should saslauthd run automatically on startup? (default: no)
    START=yes
    
    # Description of this saslauthd instance. Recommended.
    # (suggestion: SASL Authentication Daemon)
    DESC="SASL Authentication Daemon"
    
    # Short name of this saslauthd instance. Strongly recommended.
    # (suggestion: saslauthd)
    NAME="saslauthd"
    
    # Which authentication mechanisms should saslauthd use? (default: pam)
    #
    # Available options in this Debian package:
    # getpwent  -- use the getpwent() library function
    # kerberos5 -- use Kerberos 5
    # pam       -- use PAM
    # rimap     -- use a remote IMAP server
    # shadow    -- use the local shadow password file
    # sasldb    -- use the local sasldb database file
    # ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
    #
    # Only one option may be used at a time. See the saslauthd man page
    # for more information.
    #
    # Example: MECHANISMS="pam"
    MECHANISMS="shadow"
    
    # Additional options for this mechanism. (default: none)
    # See the saslauthd man page for information about mech-specific options.
    MECH_OPTIONS=""
    
    # How many saslauthd processes should we run? (default: 5)
    # A value of 0 will fork a new process for each connection.
    THREADS=5
    
    # Other options (default: -c -m /var/run/saslauthd)
    # Note: You MUST specify the -m option or saslauthd won't run!
    #
    # See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
    # See the saslauthd man page for general information about these options.
    #
    # Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
    #OPTIONS="-c -m /var/run/saslauthd" -r
    OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"
    
     
  13. openman

    openman New Member

    Any suggestions?
     
  14. _X_

    _X_ New Member

    What's the result of:
    telnet localhost 25
    ehlo localhost
    ?
     
  15. openman

    openman New Member

    Code:
    telnet localhost 25
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    220 galinos.xxx.xxx ESMTP Postfix (Ubuntu)
    ehlo example.domain.com
    250-galinos.xxx.xxx
    250-PIPELINING
    250-SIZE 10240000
    250-ETRN
    250-STARTTLS
    250-AUTH NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
    250-AUTH=NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    
    Why does it show all these authentication methods?
     
  16. _X_

    _X_ New Member

    Just now I have noticed this in the output of saslfinger in the first post:

    -- mechanisms on localhost --
    250-AUTH NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
    250-AUTH=NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
     
  17. _X_

    _X_ New Member

    check /etc/postfix/sasl/smtpd.conf
    for:
    pwcheck_method: saslauthd
    mech_list: plain login
     
  18. openman

    openman New Member

    Code:
    root@galinos:~# more /etc/postfix/sasl/smtpd.conf
    pwcheck_method: saslauthd
    mech_list: plain login
    log_level: 10
    allow_plaintext: true
    root@galinos:~#
    
    How can it be possible with the above?
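
Added example, not part of the original thread: the comparison the posters are making by eye, checking the AUTH mechanisms in the EHLO reply against `mech_list` in smtpd.conf and pairing each failed mechanism in mail.info with the reason logged just before it. The inputs are excerpts copied from the posts above; the function names are this example's own.

```python
import re

# Excerpts copied from the posts in this thread (smtpd.conf, EHLO, mail.info).
SMTPD_CONF = """pwcheck_method: saslauthd
mech_list: plain login
log_level: 10
allow_plaintext: true"""
EHLO_REPLY = """250-STARTTLS
250-AUTH NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-AUTH=NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5"""
MAIL_LOG = """Nov 18 19:57:14 galinos postfix/smtpd[1589]: warning: SASL authentication failure: no secret in database
Nov 18 19:57:14 galinos postfix/smtpd[1589]: warning: unknown[195.167.65.109]: SASL CRAM-MD5 authentication failed: authentication failure
Nov 18 19:57:15 galinos postfix/smtpd[1589]: warning: SASL authentication failure: no secret in database
Nov 18 19:57:15 galinos postfix/smtpd[1589]: warning: unknown[195.167.65.109]: SASL NTLM authentication failed: authentication failure
Nov 18 19:57:15 galinos postfix/smtpd[1589]: warning: SASL authentication failure: Password verification failed
Nov 18 19:57:15 galinos postfix/smtpd[1589]: warning: unknown[195.167.65.109]: SASL PLAIN authentication failed: authentication failure
Nov 18 19:57:16 galinos postfix/smtpd[1589]: warning: unknown[195.167.65.109]: SASL LOGIN authentication failed: authentication failure"""

# Matches either the per-mechanism failure line or the library's reason line.
FAIL_RE = re.compile(
    r"postfix/smtpd\[(\d+)\]: warning: "
    r"(?:\S+\[[^\]]+\]: SASL (\S+) authentication failed"
    r"|SASL authentication failure: (.*))")

def configured_mechs(conf_text):
    """Mechanisms named by mech_list in a Cyrus SASL smtpd.conf, upper-cased."""
    for line in conf_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "mech_list":
            return {m.upper() for m in value.split()}
    return set()  # no mech_list line found in the file

def advertised_mechs(ehlo_text):
    """Mechanisms offered on the 250-AUTH / 250-AUTH= lines of an EHLO reply."""
    mechs = set()
    for line in ehlo_text.splitlines():
        m = re.match(r"250[- ]AUTH[ =](.*)", line.strip())
        if m:
            mechs.update(m.group(1).upper().split())
    return mechs

def unexpected_mechs(conf_text, ehlo_text):
    """Advertised mechanisms that mech_list does not allow (empty if consistent)."""
    return sorted(advertised_mechs(ehlo_text) - configured_mechs(conf_text))

def failures_by_mech(log_text):
    """Pair each failed mechanism with the reason the same smtpd PID logged just before."""
    reason, out = {}, []
    for pid, mech, why in FAIL_RE.findall(log_text):
        if mech:
            out.append((mech, reason.pop(pid, None)))  # None: no reason line preceded it
        else:
            reason[pid] = why
    return out
```

A non-empty result from `unexpected_mechs` means the running smtpd is not applying that `mech_list`, so the other settings in the same file, `pwcheck_method` included, cannot be assumed to be in effect either.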
     
  19. _X_

    _X_ New Member

    try to post result of:
    postconf -n
     
  20. _X_

    _X_ New Member

    and
    postconf -d
     
