SASL AUTH with postfix on Sarge

Discussion in 'Server Operation' started by keulu, Jan 23, 2006.

  1. keulu

    keulu New Member

    Hi,

    I'm desperately trying to authenticate via sasl2 through postfix installed on a Debian Sarge.
    I wanted to use sasldb authentication, so I created a test account : login:test password:test with no realm info.
    TLS support in postfix is not activated at the moment.

    Here's the output for a local telnet test:

    Code:
    # telnet localhost 25
    Trying 127.0.0.1...
    Connected to localhost.localdomain.
    Escape character is '^]'.
    220 mysmtp.mydomain.tld ESMTP (Debian/GNU)
    ehlo localhost
    250-mysmtp.mydomain.tld
    250-PIPELINING PLAIN
    250-SIZE 10240000
    250-VRFY
    250-ETRN
    250-AUTH LOGIN PLAIN
    250-AUTH=LOGIN PLAIN
    250 8BITMIME
    AUTH PLAIN dGVzdAB0ZXN0AHRlc3Q=
    535 Error: authentication failed
    
    mail.log says :

    Code:
    warning: SASL authentication failure: Password verification failed
    warning: localhost.localdomain[127.0.0.1]: SASL PLAIN authentication failed
    
    The account has been tested OK as far as saslauthd is concerned:

    Code:
    # testsaslauthd -u test -p test -f /var/spool/postfix/var/run/saslauthd/mux
    0: OK "Success."
    
    Everything works fine in the chrooted postscript when configured to ask for shadow passwords (MECHANISMS="shadow" in /etc/default/saslauthd and pwcheck_method: saslauthd in /etc/postfix/sasl/smtpd.conf) but no way to make it work with MECHANISMS="sasldb" and pwcheck_method: auxprop.

    Thanks for any assistance to solve this problem.;)
    I already spent a couple of days tearing my hair off on this issue, but I could not find neither any valuable info on the internet nor any workaround on my own.:mad:
    Sorry for all the code provided...

    Here is my main.cf:

    Code:
    smtpd_banner = $myhostname ESMTP (Debian/GNU)
    biff = no
    
    # appending .domain is the MUA's job.
    append_dot_mydomain = no
    
    # Uncomment the next line to generate "delayed mail" warnings
    #delay_warning_time = 4h
    
    myhostname = mysmtp.mydomain.tld
    mydomain = mydomain.tld
    
    alias_maps = hash:/etc/postfix/aliases
    alias_database = hash:/etc/postfix/aliases
    
    myorigin = $mydomain
    mydestination = $myhostname, $mydomain, localhost
    
    relayhost =
    mynetworks = 127.0.0.0/8
    home_mailbox = Maildir/
    mailbox_command = procmail -a "$EXTENSION"
    mailbox_size_limit = 51200000
    recipient_delimiter = +
    inet_interfaces = $myhostname, localhost
    
    smtpd_helo_required = yes
    smtpd_helo_restrictions =
            permit_mynetworks,
            reject_invalid_hostname,
    smtpd_recipient_restrictions =
            permit_sasl_authenticated,
            permit_mynetworks,
            reject_unauth_destination
    smtpd_sender_restrictions =
            reject_unknown_sender_domain,
            reject_non_fqdn_sender
    
    # Use amavis filtering
    content_filter=smtp-amavis:[127.0.0.1]:10024
    
    # Reject exe attachement files
    header_checks = regexp:/etc/postfix/header_checks
    
    # SASL support (SMPTP AUTH)
    smtpd_sasl_local_domain =
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    # smtpd_sasl_application_name = smtpd
    broken_sasl_auth_clients = yes
    
    # SSL / TLS identification key files
    # smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
    # smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
    # smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
    
    # SSL / TLS support parameters
    # smtpd_tls_auth_only = no
    # smtpd_use_tls = yes
    # smtpd_tls_loglevel = 1
    # smtpd_tls_ask_ccert = yes
    # smtpd_tls_received_header = yes
    # smtpd_tls_session_cache_timeout = 3600s
    # tls_random_source = dev:/dev/urandom
    
    and my master.cf:

    Code:
    smtp                    inet  n       -       -       -       -       smtpd
    #submission             inet  n       -       -       -       -       smtpd
    #       -o      smtpd_etrn_restrictions=reject
    #628                    inet  n       -       -       -       -       qmqpd
    pickup                  fifo  n       -       -       60      1       pickup
    cleanup                 unix  n       -       -       -       0       cleanup
    qmgr                    fifo  n       -       -       300     1       qmgr
    #qmgr                   fifo  n       -       -       300     1       oqmgr
    rewrite                 unix  -       -       -       -       -       trivial-rewrite
    bounce                  unix  -       -       -       -       0       bounce
    defer                   unix  -       -       -       -       0       bounce
    trace                   unix  -       -       -       -       0       bounce
    verify                  unix  -       -       -       -       1       verify
    flush                   unix  n       -       -       1000?   0       flush
    proxymap                unix  -       -       n       -       -       proxymap
    smtp                    unix  -       -       -       -       -       smtp
    relay                   unix  -       -       -       -       -       smtp
    #       -o      smtp_helo_timeout=5
    #       -o      smtp_connect_timeout=5
    showq                   unix  n       -       -       -       -       showq
    error                   unix  -       -       -       -       -       error
    local                   unix  -       n       n       -       -       local
    virtual                 unix  -       n       n       -       -       virtual
    lmtp                    unix  -       -       n       -       -       lmtp
    anvil                   unix  -       -       n       -       1       anvil
    #
    # Interfaces to non-Postfix software. Be sure to examine the manual
    # pages of the non-Postfix software to find out what options it wants.
    #
    # maildrop. See the Postfix MAILDROP_README file for details.
    #
    maildrop                unix  -       n       n       -       -       pipe
      flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
    uucp                    unix  -       n       n       -       -       pipe
      flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
    ifmail                  unix  -       n       n       -       -       pipe
      flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
    bsmtp                   unix  -       n       n       -       -       pipe
      flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -d -t$nexthop -f$sender $recipient
    scalemail-backend       unix    -       n       n       -       2       pipe
      flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
    
    # only used by postfix-tls
    tlsmgr                  fifo    -       -       n       300     1       tlsmgr
    smtps                   inet    n       -       y       -       -       smtpd -v
            -o      smtpd_tls_wrappermode=yes
            -o      smtpd_sasl_auth_enable=yes
    587                     inet    n       -       n       -       -       smtpd
            -o      smtpd_enforce_tls=yes
            -o      smtpd_sasl_auth_enable=yes
    
    smtp-amavis             unix    -       -       n       -       2       smtp
            -o      smtp_data_done_timeout=1200
            -o      smtp_send_xforward_command=yes
            -o      disable_dns_lookup=yes
    
    127.0.0.1:10025         inet    n       -       n       -       -       smtpd
            -o      content_filter=
            -o      local_recipient_maps=
            -o      relay_recipient_maps=
            -o      smtpd_restriction_classes=
            -o      smtpd_client_restrictions=
            -o      smtpd_helo_restrictions=
            -o      smtpd_sender_restrictions=
            -o      smtpd_recipient_restrictions=permit_mynetworks,reject
            -o      mynetworks=127.0.0.1/8
            -o      strict_rfc821_envelopes=yes
            -o      smtpd_error_sleep_time=0
            -o      smtpd_soft_error_limit=1001
            -o      smtpd_hard_error_limit=1000
    
    and finally my /etc/postfix/sasl/smtpd.conf:

    Code:
    pwcheck_method: auxprop
    mech_list: plain login
    auxprop_plugin: sasldb2
    
     
  2. falko

    falko Super Moderator Howtoforge Staff

    Did you create the user's password with saslpasswd2? See
    Code:
    man saslpasswd2
     
  3. keulu

    keulu New Member

    yes, exactly what I did...:)
     
  4. nibman

    nibman New Member

    Same problem as Keulu

    Hello!

    I have the same problem as Keulu here and I can't find any solution to the problem.

    I had a completely new installation of Debian 3.1 when starting to install according to the "Perfect Setup" for the correct version of Debian. I followed every step by copying and pasting, but still the SMTP AUTH functionality doesn't work. Everytime I try to connect with the client (Microsoft Outlook Express & others) the password isn't accepted.

    In the logfile I get the following error everytime I try to authenticate a user:

    Aug 28 09:57:10 postfix/smtpd[12365]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory

    I have checked with testsaslauthd and it responds OK.

    I have set password with saslpasswd2 to no awail.

    What else can I try? Can I do other checks to see if everything is working? Since the logfile is referring to that smtpd is unable to connect to saslauthd is there anything I can do to make sure it is connecting? How does it connect? Is it using a pipe or a socket? If the pipe is known perhaps one can try that, manually?

    I am out of options right now. I have checked every place on Internet I can find that discuss this problem. It was so easy for version 3.0 of Debian. Everything worked directly.

    Please help!
     
  5. falko

    falko Super Moderator Howtoforge Staff

    Please make sure saslauthd is started. What's the output of
    Code:
    ps aux | grep saslauthd
    ? Also make sure saslauthd is chrooted correctly (as Postfix is running chrooted), as described in the tutorial. Compare your /etc/default/saslauthd and /etc/init.d/saslauthd with the ones from the tutorial.
     
  6. nibman

    nibman New Member

    Hello, thanks for the reply!

    I just got it working... I changed in my client from port 465 tcp to use port 25 tcp. In the earlier version I had to use port 465 and not 25 to get it working. Why is it different now??
     
  7. falko

    falko Super Moderator Howtoforge Staff

    I guess the process on port 465 isn't running chrooted, as is the process on port 25. You can check in /etc/postfix/master.cf.
     

Share This Page