howto use sasl

Patrick Ben Koetter p at state-of-mind.de
Sun Mar 5 16:34:07 EST 2006


* julius Junghans <julius.junghans at gmx.de>:
> Thx for the documents, but as mentioned on the first page it's still 
> difficult.
> 
> 
> 
> /etc/sasl2/smtpd.conf
> #global
> pwcheck_method: sasldb
> log_level: 4
> mech_list: DIGEST-MD5

Cyrus-SASL.2.x doesn't know a pwcheck_method called sasldb.
Try this:

/etc/sasl2/smtpd.conf
pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: /etc/sasl2/sasldb2
# you can add all the following mechanisms if you want to:
mech_list: PLAIN LOGIN DIGEST-MD5 CRAM-MD5


BTW: Which system uses /etc/sasl2/ as path for smtpd.conf? Usually it's either
/usr/lib/sasl2/smtpd.conf or /etc/postfix/sasl/smtpd.conf (on Debian systems).

> #auxiliary plugin parameters
> #auxprop_plugin: sasldb
> sasldb_path: /etc/sasl2/sasldb2
> 
> #not safe, testing only
> ls -lh /etc/sasl2/
> insgesamt 392K
> lrwxrwxrwx  1 root root   10  5. Mär 20:40 sample.conf -> smtpd.conf
> -rwxrwxrwx  1 root root 385K  5. Mär 20:45 sasldb2
> -rwxrwxrwx  1 root root  265  5. Mär 20:52 smtpd.conf
> 
> 
> #my test user:
> saslpasswd2 -c sales -u schleppi.localdomain

Does this create sasldb2 in /etc/sasl2/?

> #/etc/hosts
> 192.168.10.66   schleppi.localdomain    schleppi
> 
> 
> sasldblistusers2
> sales@schleppi.localhost: userPassword
> 
> 
> 
> #client
> ./client -p 30000 localhost -m DIGEST-MD5
> receiving capability list... recv: {46}
> ANONYMOUS CRAM-MD5 DIGEST-MD5 LOGIN PLAIN NTLM
> ANONYMOUS CRAM-MD5 DIGEST-MD5 LOGIN PLAIN NTLM
> send: {10}
> DIGEST-MD5
> send: {1}
> N
> recv: {113}
> nonce="dSTaTSBVCxPa3ul0sopC+O856Eh7k2m5wronG5MJYmc=",realm="schleppi",qop="auth",charset=utf-8,algorithm=md5-sess
> please enter an authentication id: sales

Should be: sales@schleppi.localhost

> please enter an authorization id: sales

Should be: sales@schleppi.localhost

> Password:
> send: {231}
> username="sales",realm="schleppi",nonce="dSTaTSBVCxPa3ul0sopC+O856Eh7k2m5wronG5MJYmc=",cnonce="+/3GCg5O7oVdYW0PIEKX9t97CCUzbSRWoPbEMeHFk2s=",nc=00000001,qop=auth,digest-uri="rcmd/localhost",response=8bd84aa26eb1d8b2eabe91a67ae33dbb
> authentication failed
> closing connection
> 
> 
> #server
> ./server -s rcmd -p 30000 -m DIGEST-MD5         ### what's this rcmd service? it's used in vortrag_cyrus_SASL.pdf

rcmd = remote command
At least that's what I have been told. ;)

> trying 2, 1, 6
> trying 10, 1, 6
> socket: Address family not supported by protocol
> accepted new connection
> send: {10}
> DIGEST-MD5
> recv: {10}
> DIGEST-MD5
> recv: {1}
> N
> send: {113}
> nonce="xUDjZNEzv6FHtF3R8veYONSMFz1/ccwuHyCuWAfakFA=",realm="schleppi",qop="auth",charset=utf-8,algorithm=md5-sess
> recv: {231}
> username="sales",realm="schleppi",nonce="xUDjZNEzv6FHtF3R8veYONSMFz1/ccwuHyCuWAfakFA=",cnonce="YfLO87mIQCYN9MO2pegvY8oaFXk0xfMCT8Fuzxe/eJ8=",nc=00000001,qop=auth,digest-uri="rcmd/localhost",response=2c38b9309e288dd75d866c5d3892d118
> performing SASL negotiation: user not foundclosing connection
> 
> 
> okay, so the user isn't found, why?

Fix your configuration, check the path for smtpd.conf and post new output if
it still fails.

p at rick

-- 
The Book of Postfix
<http://www.postfix-book.com>
saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
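Added example, not part of the original message and not Cyrus SASL code: a small Python check that parses the digest-response the server logged above and compares the identity it names with the sasldblistusers2 output (the archive's " at " read as "@"). The rule "look up username@realm unless the username already carries a realm" is a simplifying assumption about the sasldb lookup, and the function names are hypothetical.

```python
import re

# One directive of a DIGEST-MD5 digest-response (RFC 2831): key="quoted" or key=token
_PAIR = re.compile(r'\s*([A-Za-z-]+)=(?:"((?:[^"\\]|\\.)*)"|([^,]*))\s*(?:,|$)')

# Copied from the post: the server's "recv: {231}" line and the sasldblistusers2 output
RESPONSE = ('username="sales",realm="schleppi",'
            'nonce="xUDjZNEzv6FHtF3R8veYONSMFz1/ccwuHyCuWAfakFA=",'
            'cnonce="YfLO87mIQCYN9MO2pegvY8oaFXk0xfMCT8Fuzxe/eJ8=",nc=00000001,'
            'qop=auth,digest-uri="rcmd/localhost",'
            'response=2c38b9309e288dd75d866c5d3892d118')
LISTING = "sales@schleppi.localhost: userPassword\n"

def parse_digest_response(line):
    """Return the directives of a digest-response as a dict (keys lowercased)."""
    fields, pos = {}, 0
    while pos < len(line):
        m = _PAIR.match(line, pos)
        if not m:
            raise ValueError(f"malformed directive at offset {pos}")
        quoted, bare = m.group(2), m.group(3)
        # Quoted strings may contain backslash escapes; bare tokens are taken as-is.
        value = re.sub(r'\\(.)', r'\1', quoted) if quoted is not None else bare.strip()
        fields[m.group(1).lower()] = value
        pos = m.end()
    return fields

def sasldb_users(listing):
    """Extract the user@realm identities from sasldblistusers2 output."""
    return {l.split(":", 1)[0].strip() for l in listing.splitlines() if ":" in l}

def lookup_identity(fields):
    """Assumed lookup key: username@realm, unless the username already has a realm."""
    user, realm = fields["username"], fields.get("realm", "")
    return user if "@" in user or not realm else f"{user}@{realm}"

def diagnose(response_line, listing):
    """Return (identity the response names, whether sasldb lists it)."""
    identity = lookup_identity(parse_digest_response(response_line))
    return identity, identity in sasldb_users(listing)

if __name__ == "__main__":
    identity, found = diagnose(RESPONSE, LISTING)
    print(f"response names {identity!r}; present in sasldb: {found}")
    print("sasldb contains:", ", ".join(sorted(sasldb_users(LISTING))))
```
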

