Postfix SASL authentication

I have setup a virtual user postfix server and I have one error holding me back from completion. Currently I cannot send an email out of the mail server with an email client. Authentication with sasl fails. I have been browsing forums for the better part of a few hours and trying different things. So its time to make a post.

IMAP works via squirrelmail
can send mail via telnet
Can send test email to self with mail client (no SMTP sasl authentication)

Installed with maybe a few others that I can't remember

Code:

Postfix
courier-imap
courier-pop3
courier-imap-ssl
courier-pop3-ssl
squirrelmail
clamav
amavis
spamassasin
Mysql

Here is the Error I am recieveing

Code:

Jul  6 16:08:14 sulu postfix/smtpd[6041]: xsasl_cyrus_server_auth_response: uncoded server challenge: nonce="4cCeKDDhgQ8hlJFlxqPXv4h20q/4x8fJ6MA7RWp6WOI=",realm="esatech.com",qop="auth",charset=utf-8,algorithm=md5-sess
Jul  6 16:08:14 sulu postfix/smtpd[6041]: > unknown[206.255.245.47]: 334 bm9uY2U9IjRjQ2VLRERoZ1E4aGxKRmx4cVBYdjRoMjBxLzR4OGZKNk1BN1JXcDZXT0k9IixyZWFsbT0iZXNhdGVjaC5jb20iLHFvcD0iYXV0aCIsY2hhcnNldD11dGYtOCxhbGdvcml0aG09bWQ1LXNlc3M=
Jul  6 16:08:14 sulu postfix/smtpd[6041]: < unknown[206.255.245.47]: dXNlcm5hbWU9ImFhbG9pYSIscmVhbG09ImVzYXRlY2guY29tIixub25jZT0iNGNDZUtERGhnUThobEpGbHhxUFh2NGgyMHEvNHg4Zko2TUE3UldwNldPST0iLGRpZ2VzdC11cmk9InNtdHAvc3VsdS5lc2F0ZWNoLmNvbSIsY25vbmNlPSJhMGE0ZGM0NzE5M2Q3M2U4ZmZjYTVkMzk4OWMxNTU5ZiIsbmM9MDAwMDAwMDEscmVzcG9uc2U9MWQ1ZjMwNTQ5NTY1MzMyY2I2ZGM2YjkxYzc2MjRiNGIscW9wPWF1dGgsY2hhcnNldD11dGYtOA==
Jul  6 16:08:14 sulu postfix/smtpd[6041]: xsasl_cyrus_server_next: decoded response: username="aaloia",realm="esatech.com",nonce="4cCeKDDhgQ8hlJFlxqPXv4h20q/4x8fJ6MA7RWp6WOI=",digest-uri="smtp/sulu.esatech.com",cnonce="a0a4dc47193d73e8ffca5d3989c1559f",nc=00000001,response=1d5f30549565332cb6dc6b91c7624b4b,qop=auth,charset=utf-8
Jul  6 16:08:14 sulu postfix/smtpd[6041]: warning: SASL authentication failure: client response doesn't match what we generated
Jul  6 16:08:14 sulu postfix/smtpd[6041]: warning: unknown[206.255.245.47]: SASL DIGEST-MD5 authentication failed: authentication failure
Jul  6 16:08:14 sulu postfix/smtpd[6041]: > unknown[206.255.245.47]: 535 5.7.8 Error: authentication failed: authentication failure
Jul  6 16:08:14 sulu postfix/smtpd[6041]: < unknown[206.255.245.47]: AUTH LOGIN
Jul  6 16:08:14 sulu postfix/smtpd[6041]: xsasl_cyrus_server_first: sasl_method LOGIN
Jul  6 16:08:14 sulu postfix/smtpd[6041]: xsasl_cyrus_server_auth_response: uncoded server challenge: Username:
Jul  6 16:08:14 sulu postfix/smtpd[6041]: > unknown[206.255.245.47]: 334 VXNlcm5hbWU6
Jul  6 16:08:14 sulu postfix/smtpd[6041]: < unknown[206.255.245.47]: YWFsb2lhQGVzYXRlY2guY29t
Jul  6 16:08:14 sulu postfix/smtpd[6041]: xsasl_cyrus_server_next: decoded response: [email protected]
Jul  6 16:08:14 sulu postfix/smtpd[6041]: xsasl_cyrus_server_auth_response: uncoded server challenge: Password:
Jul  6 16:08:14 sulu postfix/smtpd[6041]: > unknown[206.255.245.47]: 334 UGFzc3dvcmQ6
Jul  6 16:08:14 sulu postfix/smtpd[6041]: < unknown[206.255.245.47]: YW5keWF0d29yaw==
Jul  6 16:08:14 sulu postfix/smtpd[6041]: xsasl_cyrus_server_next: decoded response: PASSWORD
Jul  6 16:08:14 sulu postfix/smtpd[6041]: warning: unknown[206.255.245.47]: SASL LOGIN authentication failed: authentication failure
Jul  6 16:08:14 sulu postfix/smtpd[6041]: > unknown[206.255.245.47]: 535 5.7.8 Error: authentication failed: authentication failure
Jul  6 16:08:14 sulu postfix/smtpd[6041]: smtp_get: EOF

Main.cf

Code:

biff = no
content_filter = amavis:[127.0.0.1]:10024
append_dot_mydomain = no
delay_warning_time = 4h
maximal_queue_lifetime = 7d
minimal_backoff_time = 1000s
maximal_backoff_time = 8000s
smtp_helo_timeout = 60s
unknown_local_recipient_reject_code = 450

readme_directory = no
myhostname = sulu.esatech.com
myorigin = /etc/mailname
mydestination = esatech.com, sulu.esatech.com, localhost, localhost.localdomain
local_recipient_maps =
relayhost =
mynetworks = 127.0.0.0/8, 192.168.42.0/24, 12.17.49.0/24
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
mynetworks_style = host
disable_vrfy_command = yes

smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, permit
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_pipelining, permit
smtpd_client_restrictions = reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl, reject_rbl_client dnsbl.njabl.org
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, permit
smtpd_helo_required = yes
smtpd_delay_reject = yes
smtpd_recipient_limit = 16
smtpd_soft_error_limit = 3
smtpd_hard_error_limit = 12
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = esatech.com

alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases

virtual_mailbox_base = /var/spool/mail/virtual
virtual_mailbox_maps = mysql:/etc/postfix/mysql_mailbox.cf
virtual_uid_maps = mysql:/etc/postfix/mysql_uid.cf
virtual_gid_maps = mysql:/etc/postfix/mysql_gid.cf
virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql_domains.cf

# TLS parameters
#smtp_use_tls = no
smtp_tls_security_level = may
#smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
smtpd_tls_recieved_header = yes
smtpd_tls_session_cache_timeout = 3600s 
tls_random_source = dev:/dev/urandom 
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

Master.cf

Code:

==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp	   inet  n       -       -       -       -       smtpd -v
submission inet n       -       -       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination, reject
  -o smtpd_sasl_security_options=noanonymous,noplaintext
  -o smtpd_sasl_tls_security_options=noanonymous
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sasl_security_options=noanonymous,noplaintext
  -o smtpd_sasl_tls_security_options=noanonymous
#  -o milter_macro_daemon_name=ORIGINATING
#628      inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
	-o content_filter= 
	-o receive_override_options=no_header_body_checks
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       -       -       -       smtp
	-o smtp_fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix	-	n	n	-	2	pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
#
amavis	unix	-	-	-	-	2	smtp 
	-o smtp_data_done_timeout=1200 
	-o smtp_send_xforward_command=yes 
	-o disable_dns_lookups=yes 
	-o max_use=20
#
127.0.0.1:10025	inet	n	-	-	-	-	smtpd
	-o content_filter=
	-o local_recipient_maps=
	-o relay_recipient_maps=
	-o smtpd_restriction_classes=
	-o smtpd_delay_reject=no
	-o smtpd_client_restrictions=permit_mynetworks,reject
	-o smtpd_helo_restrictions=
	-o smtpd_sender_restrictions=
	-o smtpd_recipient_restrictions=permit_mynetworks,reject
	-o smtpd_data_restrictions=reject_unauth_pipelining
	-o smtpd_end_of_data_restrictions=
	-o mynetworks=127.0.0.0/8
	-o smtpd_error_sleep_time=0
	-o smtpd_soft_error_limit=1001
	-o smtpd_hard_error_limit=1000

SASL smtpd.conf

Code:

pwcheck_method: auxprop
auxprop_plugin: sql
mech_list: plain login cram-md5 digest-md5
sql_engine: mysql
sql_hostnames: 127.0.0.1
sql_user: mail
sql_passwd: PASSWORD
sql_database: mail
sql_select: select crypt from users where id='%u@%r' and enabled = 1
allowanonymouslogin: no
allowplaintext: yes

Any input would be very helpful, Thanks

Andy

 

I'm getting one too...while I tried to SEND from a different server to an account on my server...

Code:

Jul  6 21:34:44 mail postfix/smtpd[28254]: connect from ex18.ips.paulbunyan.net[myipaddress]
Jul  6 21:34:44 mail postfix/smtpd[28254]: warning: SASL authentication problem: unknown password verifier 
Jul  6 21:34:44 mail postfix/smtpd[28254]: warning: ex18.ips.paulbunyan.net[myipaddress]: SASL LOGIN authentication failed: no mechanism available
Jul  6 21:34:44 mail postfix/smtpd[28254]: lost connection after AUTH from ex18.ips.paulbunyan.net[myipaddress]
Jul  6 21:34:44 mail postfix/smtpd[28254]: disconnect from ex18.ips.paulbunyan.net[209.191.214.18]
Jul  6 21:34:45 mail postfix/smtpd[28254]: connect from ex18.ips.paulbunyan.net[myipaddress]
Jul  6 21:34:45 mail postfix/smtpd[28254]: warning: SASL authentication problem: unknown password verifier 
Jul  6 21:34:45 mail postfix/smtpd[28254]: warning: ex18.ips.paulbunyan.net[209.191.214.18]: SASL LOGIN authentication failed: no mechanism available
Jul  6 21:34:45 mail postfix/smtpd[28254]: lost connection after AUTH from ex18.ips.paulbunyan.net[209.191.214.18]
Jul  6 21:34:45 mail postfix/smtpd[28254]: disconnect from ex18.ips.paulbunyan.net[myipaddress]
Jul  6 21:34:46 mail postfix/smtpd[28254]: connect from ex18.ips.paulbunyan.net[myipaddress]
Jul  6 21:34:46 mail postfix/smtpd[28254]: warning: SASL authentication problem: unknown password verifier 
Jul  6 21:34:46 mail postfix/smtpd[28254]: warning: ex18.ips.paulbunyan.net[myipaddress]: SASL LOGIN authentication failed: no mechanism available
Jul  6 21:34:46 mail postfix/smtpd[28254]: lost connection after AUTH from ex18.ips.paulbunyan.net[myipaddress]
Jul  6 21:34:46 mail postfix/smtpd[28254]: disconnect from ex18.ips.paulbunyan.net[myipaddress]

 

what's in your /etc/postfix/sasl/smtpd.conf ?

 

Code:

pwcheck_method: saslauthd
mech_list: plain login
allow_plaintext: true
auxprop_plugin: mysql
sql_hostnames: 127.0.0.1
sql_user: mail_admin
sql_passwd: mysqlpassword
sql_database: mail
sql_select: select password from users where email = '%u'

The account I saw the error on last night is getting emails...but I tried to send that account one (from my work webmail account) and the mail got bounced back with a "permanent error" account doesn't exist message.

Thanks for the help!

 

Code:

Jul  6 21:34:44 mail postfix/smtpd[28254]: warning: SASL authentication problem: unknown password verifier

it doesn't recognise the pwcheck method you specified in smtpd.conf, so i don't think you've installed or have saslauthd running .. if you use auxprop you should specify it as pwcheck_method, so change that line to:

pwcheck_method: auxprop

and restart postfix and any other related service to it

 

I followed the Falko tutorial on virtual users and domains using Postfix...and all files appear to be ok.

Code:

telnet localhost 25
ehlo localhost

produced this:

But...I just noticed that the domain name there is NOT the domain name of the server. It it one of my domains...but it's not the server name. I'll do some digging.

 

I changed the server name in /etc/postfix/main.cf and re-ran the telnet localhost 25 command. It now showed the server's name...but an email to this account still failed.

 

/etc/mailname should say the same as "sulu.esatech.com"

but did you change the pwcheck_method ??
or could you post the link of the how to you followed?

 

/etc/mailname is my server's name

I did NOT change pwcheck_method

This is the tutorial:

http://www.howtoforge.com/virtual-users-domains-postfix-courier-mysql-squirrelmail-debian-lenny

 

Yes, I double checked and the mailname is stated as sulu.esatech.com
but to ensure that it is set, I have set the myorigin in the main.cf to be sulu.esatech.com.

I have flatout rebooted the machine to ensure that all of the daemons are picking up the new config files.

I used a different tutorial than the how-to forge one. I have seen this guy referred to several times on the Ubuntu forums.
http://flurdy.com/docs/postfix/

I really don't want to start over and use a new tutorial, as the only thing that is left is the SASL authentication for out of network users.

After some more playing with the server. I now get this error I'm not really sure what it means.

Code:

warning: SASL authentication failure: realm changed: authentication aborted

 

Ok, I have gone through one of the tutorials here on howtoforge.

now I am getting the error of

Code:

 warning: xxx.xxx.xxx.xx: hostname hxxx.xxx.xxx.xxx.static.lngv.cablelynx.com verification failed: Name or service not known

Can anyone shed some light on this?

 

The thing is, i've followed ALOT of howto's here on howtoforge, and they ALWAYS work ..
when they didn't it was just something i overlooked in the how-to ..

The most strange errors come up when that happens, and people tend to rush trough the how to again, and will miss it again .. and jump from one to another error.

So i suggest you grab some coffee, and go through the how to step by step, take your time and triple check everyting

btw. the above warning is normal .. when you do this you'll understand:

host xxx.xxx.xxx.xx

that'll return a hostname, but when you do:

host <hostname>

you'll get a not found

 

The thing is that I have a failing mail server on another box with about 300 addresess, using Postfixadmin. This is the 3rd tutorial I have tried..needless to say, my brain is fried.
I ran through the tutorial for the Ubuntu 9.04.
Copied and pasted all of the commands into putty, ran everything. Changing the postfix and mysql options for my server.

http://www.howtoforge.com/virtual-users-domains-postfix-courier-mysql-squirrelmail-ubuntu9.04

I'll look through the tutorial again and make sure that all of my conf files are as the tutorial suggests.


That error happened when I was trying to send mail via smtp.

 

Hehe, i know the feeling .. i've just migrated an ispconfig2 server from running on a dirty pivot_root trick server to a fresh new server. Running a xen instance on a DRBD disc for HA .. but i did wanted to use the latest ispconfig version and ofc that db has minor changes, so had to move stuff around alot (manually) .. at some point you're just getting one brainfart after the other

It's crucial that you don't mix how-to's up .. every author has it's own way of setting things up .. howtoforge how-to's are good, stick with them.

good luck and let me know how it works out

 

Well all is working.

I just re-copied all of the postfix -e commands by default. Then went back and changed what I needed to. Lo and behold it worked. Not entirely sure what caused the problem. Well, at least it works

Yeah, as far as mixing tutorials, I completely scrapped the last install and started fresh with this tutorial.