<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN" "http://www.w3.org/TR/REC-html40/strict.dtd"><html><head><meta name="qrichtext" content="1" /><style type="text/css">p, li { white-space: pre-wrap; }</style></head><body style=" font-family:'Sans Serif'; font-size:10pt; font-weight:400; font-style:normal;">Am Montag 02 Februar 2009 17:49:32 schrieb Dave Della Costa:<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>> I've been using this tutorial:<br>
> http://www.gentoo.org/doc/en/virt-mail-howto.xml<br>
><br>
> It's a bit sparse on some details. Everything is working, except:<br>
><br>
> I cannot get authentication to work when I try to connect from my client<br>
> to send email via postfix. I can login to my courier imap server (on<br>
> port 993, although I just opened 143 too to make sure that wasn't a<br>
> problem) as well--I know I'm using valid credentials. I'll let the logs<br>
> speak for themselves:<br>
><br>
> Feb 2 15:54:27 host saslauthd[15778]: do_auth : auth failure:<br>
> [user=postmaster] [service=smtp] [realm=] [mech=rimap] [reason=remote<br>
> server rejected your credentials]<br>
><br>
> I don't believe postfix is the problem here (at this point at least).<br>
> If I run testsaslauthd I get:<br>
><br>
> host ~ # testsaslauthd -u postmaster -p thepassword<br>
> 0: NO "authentication failed"<br>
><br>
> and in the logs, again:<br>
><br>
> Feb 2 16:14:35 host saslauthd[15778]: do_auth : auth failure:<br>
> [user=postmaster] [service=imap] [realm=] [mech=rimap] [reason=remote<br>
> server rejected your credentials]<br>
><br>
> I've noted that the "service" field is different, but even if I run<br>
><br>
> host ~ # testsaslauthd -u postmaster -p thepassword -s smtp<br>
> 0: NO "authentication failed"<br>
><br>
> ...same thing:<br>
><br>
> Feb 2 16:16:09 host saslauthd[15774]: do_auth : auth failure:<br>
> [user=postmaster] [service=smtp] [realm=] [mech=rimap] [reason=remote<br>
> server rejected your credentials]<br>
><br>
> I'm just trying to wrap my head around the process now. I don't feel<br>
> like I even quite know how to debug this fully, but there are a few<br>
> other things I've determined:<br>
><br>
> 1) postfix appears to be working completely in every other way. So I<br>
> think it is not an issue, and it would seem that, as I can't even get<br>
> testsaslauthd to authenticate, my problems are unrelated to my postfix<br>
> configuration.<br>
><br>
> 2) As I said, I can login to IMAP successfully. I originally had only<br>
> 993 open (imaps), but it seemed like saslauthd wouldn't connect that<br>
> way, and I couldn't figure out how to configure this; but I figured I'd<br>
> leave that alone for now and figure it out later.<br>
><br>
> One thing I did notice was that when I logged in to IMAP directly from<br>
> my mail client, I'd see this sort of behavior in the logs:<br>
><br>
> Feb 2 16:20:37 host imapd-ssl: LOGIN, user=postmaster@host,<br>
> ip=[::ffff:x.x.x.x], protocol=IMAP<br>
> Feb 2 16:20:38 host imapd-ssl: Connection, ip=[::ffff:x.x.x.x]<br>
> Feb 2 16:20:38 host authdaemond: received auth request, service=imap,<br>
> authtype=login<br>
> Feb 2 16:20:38 host authdaemond: authmysql: trying this module<br>
> Feb 2 16:20:38 host authdaemond: SQL query: SELECT email ...(etc.)<br>
><br>
> So, IMAP login seems to successfully pass off authentication to<br>
> courier-auth. However, when I try using testsaslauthd, or connect to<br>
> send mail through postfix via my client, I only see this as far as IMAP<br>
> in the logs:<br>
><br>
> Feb 2 16:23:32 host imapd: Connection, ip=[::ffff:127.0.0.1]<br>
> Feb 2 16:23:32 host imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>I would guess your imapd does not support the LOGIN-Command without an established SSL Connection. And "rimap" is not able to setup a SSL Layer.<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>Show:<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>$ telnet your.imap.server 143<br>
...<br>
XX CAPABILITY<br>
...<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>Show the response to the CAPABILITY Command.<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p><p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p><p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>> That's it. Obviously, it's not passing off to courier-auth. If I<br>
> understand what the rimap authentication mechanism is doing, it should<br>
> in fact look pretty much the same as the successful IMAP login, right?<br>
> So it seems like I must have misconfigured something for sasl so that it<br>
> is not speaking to the imap server in a way it expects; I noticed I<br>
> don't see the "LOGIN" message in the logs, for example.<br>
><br>
> However, I can't for the life of me figure out how I can get more<br>
> debugging data for this, or configure saslauthd differently. I've<br>
> enabled SQL logging in MySQL (where I am storing authentication info, as<br>
> you can see from the first IMAP log example) and it is clear that the<br>
> database is *not* being hit at all when I run testsaslauthd. And<br>
> courier auth debugging is set to 2 so that's coming out full force. Is<br>
> there any place I can specify higher levels of debugging for saslauthd?<br>
> Adding the '-d' flag to saslauthd wasn't helpful, unfortunately.<br>
><br>
> /etc/sasl2/smtpd.conf:<br>
><br>
> host ~ # cat /etc/sasl2/smtpd.conf<br>
> mech_list: PLAIN LOGIN<br>
> pwcheck_method: saslauthd<br>
> host ~ #<br>
><br>
> /etc/conf.d/saslauthd<br>
><br>
> host ~ # cat /etc/conf.d/saslauthd<br>
> # Config file for /etc/init.d/saslauthd<br>
><br>
> # Initial (empty) options.<br>
> SASLAUTHD_OPTS=""<br>
><br>
> # Specify the authentications mechanism.<br>
> # **NOTE** For a list see: saslauthd -v<br>
> # Since 2.1.19, add "-r" to options for old behavior,<br>
> # ie. reassemble user and realm to user@realm form.<br>
> #SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -a pam -r"<br>
> #SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -a pam"<br>
><br>
> # Specify the hostname for remote IMAP server.<br>
> # **NOTE** Only needed if rimap auth mechanism is used.<br>
> #SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -O localhost"<br>
><br>
> # Specify the number of worker processes to create.<br>
> #SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -n 5"<br>
><br>
> # Enable credential cache, set cache size and timeout.<br>
> # **NOTE** Size is measured in kilobytes.<br>
> # Timeout is measured in seconds.<br>
> #SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -c -s 128 -t 30"<br>
><br>
> # per http://www.gentoo.org/doc/en/virt-mail-howto.xml<br>
> SASLAUTHD_OPTS="${SASLAUTH_MECH} -a rimap -r"<br>
> SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -O localhost"<br>
> host ~ #<br>
><br>
> Any help--even just pointers as to where to look--would be greatly<br>
> appreciated...if you need more info for diagnosis let me know. And if<br>
> I'm barking up the wrong tree and need to investigate my IMAP config (or<br>
> something else entirely) instead, my apologies.<br>
<p style="-qt-paragraph-type:empty; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px; -qt-user-state:0;"><br></p>--<br>
Andreas</p></body></html>