postfix sasl2 pam_mysql on Debian Sarge
Patrick Ben Koetter
p at state-of-mind.de
Mon Mar 12 14:20:46 EST 2007
Can you resend using a mailer that can do plaintext?
* Nicolas <nicolas at skypro.be>:
> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
> <html>
> <head>
> <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
> <title></title>
> </head>
> <body bgcolor="#ffffff" text="#000000">
> <div class="moz-text-html" lang="x-western"> Hello list,<br>
> <br>
> I am looking for a few pointers to make saslauthd authenticate over a
> pam mechanism against a mysql database. All packages in this setup are
> from Debian Sarge, they are <br>
> <br>
> <i>libsasl2 libsasl2-modules libsasl2-modules-sql sasl2-bin
> libpam-mysql </i><i>postfix postfix-mysql </i><i>mysql-client
> mysql-server</i> <i>openssl </i><i>libmysqlclient15</i> <br>
> <br>
> Though there's a wealth of "tutorials" that copy this setup from one
> another, documentation on how these mechanisms work seems very scarce,
> and I'm getting a bit stuck while trying to debug my config. Here are
> the facts:<br>
> <br>
> <br>
> Per advice of a zillion tutorials, /etc/default/saslauthd looks like
> this:<br>
> <br>
> START=yes<br>
> <br>
> PARAMS="-m /var/spool/postfix/var/run/saslauthd -r"<br>
> <br>
> MECHANISMS="pam<br>
> <br>
> <br>
> ... and in the same line of thought I modified the saslauthd pidfile in
> /etc/init.d/saslauthd as such<br>
> <br>
> PIDFILE="/var/spool/postfix/var/run/${NAME}/saslauthd.pid"<br>
> <br>
> <br>
> /etc/pam.d/smtp contains the following lines:<br>
> <br>
> auth required pam_mysql.so user=username passwd=password host=127.0.0.1
> db=mail table=postfix_users usercolumn=email passwdcolumn=clear crypt=1<br>
> <br>
> account sufficient pam_mysql.so user=username passwd=password
> host=127.0.0.1 db=mail table=postfix_users usercolumn=email
> passwdcolumn=clear crypt=1<br>
> <br>
> <br>
> <br>
> 1. The first thing I notice is that when I start the saslauth daemon
> (via # /etc/init.d/saslauthd start) the pid file is actually located in
> <br>
> <br>
> /var/run/saslauthd/saslauthd.pid<br>
> <br>
> <br>
> These are the running processes:<br>
> <br>
> igloo:/etc/postfix# ps aux|grep sasl<br>
> root 4666 0.0 1.1 7196 2212 pts/1 S 16:25 0:00
> /usr/sbin/saslauthd -d -a pam<br>
> root 4667 0.0 1.1 7196 2212 pts/1 S 16:25 0:00
> /usr/sbin/saslauthd -d -a pam<br>
> root 4668 0.0 1.1 7196 2212 pts/1 S 16:25 0:00
> /usr/sbin/saslauthd -d -a pam<br>
> root 4669 0.0 1.1 7196 2212 pts/1 S 16:25 0:00
> /usr/sbin/saslauthd -d -a pam<br>
> root 4670 0.0 1.1 7196 2212 pts/1 S 16:25 0:00
> /usr/sbin/saslauthd -d -a pam<br>
> <br>
> <br>
> The permissions of the folder in de postfix tree are:<br>
> <br>
> igloo:/etc/postfix# ls -l /var/spool/postfix/var/run/ total
> 4 drwxr-xr-x 2 root root 4096 2007-03-12 01:18 saslauthd<br>
> <br>
> I also pasted the result of saslfinger below, for not burrying my
> second question. So my first question is: how come the pid file is not
> in /var/spool/postfix/var/run/saslauthd? <br>
> <br>
> <br>
> <br>
> 2. Next, the pam mechanism that saslauthd invokes is returning an
> error. Here's what I get when I strace testsaslauthd:<br>
> <br>
> <br>
> igloo:/etc/postfix# strace /usr/sbin/testsaslauthd -u email at address -p <br>
> <br>
> password -f /var/run/saslauthd/mux -s smtp<br>
> execve("/usr/sbin/testsaslauthd", ["/usr/sbin/testsaslauthd", "-u",
> "email at address", "-p", "password", "-f", "/var/run/saslauthd/mux",
> "-s", "smtp"], [/* 17 vars */]) = 0<br>
> uname({sys="Linux", node="igloo", ...}) = 0<br>
> brk(0) = 0x804b000<br>
> access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or
> directory)<br>
> mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
> 0) = 0x40017000<br>
> access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or
> directory)<br>
> open("/etc/ld.so.cache", O_RDONLY) = 3<br>
> fstat64(3, {st_mode=S_IFREG|0644, st_size=21217, ...}) = 0<br>
> mmap2(NULL, 21217, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40019000<br>
> close(3) = 0<br>
> access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or
> directory)<br>
> open("/lib/tls/libresolv.so.2", O_RDONLY) = 3<br>
> read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\260$\0"...,
> 512) = 512<br>
> fstat64(3, {st_mode=S_IFREG|0644, st_size=67364, ...}) = 0<br>
> mmap2(NULL, 75976, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3,
> 0) = 0x4001f000<br>
> mmap2(0x4002e000, 8192, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xf) = 0x4002e000<br>
> mmap2(0x40030000, 6344, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x40030000<br>
> close(3) = 0<br>
> access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or
> directory)<br>
> open("/lib/tls/libc.so.6", O_RDONLY) = 3<br>
> read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\240O\1"...,
> 512) = 512<br>
> fstat64(3, {st_mode=S_IFREG|0644, st_size=1241392, ...}) = 0<br>
> mmap2(NULL, 1251484, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3,
> 0) = 0x40032000<br>
> mmap2(0x4015a000, 28672, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x127) = 0x4015a000<br>
> mmap2(0x40161000, 10396, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x40161000<br>
> close(3) = 0<br>
> mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
> 0) = 0x40164000<br>
> mprotect(0x4015a000, 20480, PROT_READ) = 0<br>
> set_thread_area({entry_number:-1 -> 6, base_addr:0x401646c0,
> limit:1048575, seg_32bit:1, contents:0, read_exec_only:0,
> limit_in_pages:1, seg_not_present:0, useable:1}) = 0<br>
> munmap(0x40019000, 21217) = 0<br>
> fstat64(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 1), ...}) = 0<br>
> mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
> 0) = 0x40019000<br>
> socket(PF_FILE, SOCK_STREAM, 0) = 3<br>
> connect(3, {sa_family=AF_FILE, path="/var/run/saslauthd/mux"},
> 110saslauthd[4666] :rel_accept_lock : released accept lock<br>
> saslauthd[4667] :get_accept_lock : acquired accept lock<br>
> ) = 0<br>
> writev(3, [{"\0\17email at address\0\10password\0\4smt"..., 35}], 1) = 35<br>
> read(3, saslauthd[4666] :do_auth : auth failure:
> [user=email at address] [service=smtp] [realm=] [mech=pam] [reason=PAM
> auth error]<br>
> "\0\21", 2) = 2<br>
> read(3, "NO PAM auth error", 17) = 17<br>
> close(3) = 0<br>
> write(1, "0: NO \"authentication failed\"\n", 300: NO "authentication
> failed"<br>
> ) = 30<br>
> munmap(0x40019000, 4096) = 0<br>
> exit_group(-1) = ?<br>
> Process 4691 detached<br>
> <br>
> <br>
> <br>
> same story in /var/log/auth.log...<br>
> <br>
> <br>
> igloo:/etc/postfix# tail /var/log/auth.log<br>
> <br>
> Mar 12 16:43:52 igloo saslauthd[4670]: rel_accept_lock : released
> accept lock<br>
> Mar 12 16:43:52 igloo saslauthd[4666]: get_accept_lock : acquired
> accept lock<br>
> Mar 12 16:43:52 igloo saslauthd[4670]: DEBUG: auth_pam:
> pam_authenticate failed: Authentication failure<br>
> Mar 12 16:43:52 igloo saslauthd[4670]: do_auth : auth failure:
> [user=email at address] [service=smtp] [realm=] [mech=pam] [reason=PAM
> auth error]<br>
> <br>
> <br>
> A correct mysql query is logged in mysql.log. The same query over
> courier's imap-ssl / authlib works just
> fine.<br>
> <br>
> igloo:/etc/postfix# tail /var/log/mysql/mysql.log<br>
> <br>
> 070312 16:43:52 21 Connect vmailuser at localhost on mail<br>
> 21 Init DB mail<br>
> 21 Query SELECT clear FROM postfix_users
> WHERE email = 'email at address'<br>
> 21 Quit <br>
> <br>
> <br>
> <br>
> So my second question is: since (I think) postfix is not involved when
> testsaslauthd in invoked, and a valid mysql query seems to be logged,
> can I assume that there is also a sasl/pam problem, and how should I
> debug it?<br>
> <br>
> <br>
> Here's the output I get from saslfinger, you will notice that postfix
> is chrooted:<br>
> <br>
> igloo:/etc/postfix# saslfinger -s<br>
> saslfinger - postfix Cyrus sasl configuration Mon Mar 12 17:41:02 CET
> 2007<br>
> version: 1.0.1<br>
> mode: server-side SMTP AUTH<br>
> <br>
> -- basics --<br>
> Postfix: 2.3.7<br>
> System: Debian GNU/Linux 4.0 \n \l<br>
> <br>
> -- smtpd is linked to --<br>
> libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x40205000)<br>
> <br>
> -- active SMTP AUTH and TLS parameters for smtpd --<br>
> broken_sasl_auth_clients = yes<br>
> smtpd_sasl_auth_enable = yes<br>
> smtpd_sasl_local_domain = <br>
> smtpd_sasl_security_options = noanonymous<br>
> smtpd_tls_cert_file = /etc/postfix/smtpd.cert<br>
> smtpd_tls_key_file = /etc/postfix/smtpd.key<br>
> smtpd_tls_loglevel = 3<br>
> smtpd_tls_received_header = yes<br>
> smtpd_tls_session_cache_timeout = 3600s<br>
> smtpd_use_tls = yes<br>
> <br>
> <br>
> -- listing of /usr/lib/sasl2 --<br>
> total 796<br>
> drwxr-xr-x 2 root root 4096 2007-03-12 10:06 .<br>
> drwxr-xr-x 58 root root 16384 2007-03-12 10:06 ..<br>
> -rw-r--r-- 1 root root 13304 2006-12-13 22:26 libanonymous.a<br>
> -rw-r--r-- 1 root root 855 2006-12-13 22:26 libanonymous.la<br>
> -rw-r--r-- 1 root root 12844 2006-12-13 22:26 libanonymous.so<br>
> -rw-r--r-- 1 root root 12844 2006-12-13 22:26 libanonymous.so.2<br>
> -rw-r--r-- 1 root root 12844 2006-12-13 22:26 libanonymous.so.2.0.22<br>
> -rw-r--r-- 1 root root 15502 2006-12-13 22:26 libcrammd5.a<br>
> -rw-r--r-- 1 root root 841 2006-12-13 22:26 libcrammd5.la<br>
> -rw-r--r-- 1 root root 15052 2006-12-13 22:26 libcrammd5.so<br>
> -rw-r--r-- 1 root root 15052 2006-12-13 22:26 libcrammd5.so.2<br>
> -rw-r--r-- 1 root root 15052 2006-12-13 22:26 libcrammd5.so.2.0.22<br>
> -rw-r--r-- 1 root root 46320 2006-12-13 22:26 libdigestmd5.a<br>
> -rw-r--r-- 1 root root 864 2006-12-13 22:26 libdigestmd5.la<br>
> -rw-r--r-- 1 root root 43040 2006-12-13 22:26 libdigestmd5.so<br>
> -rw-r--r-- 1 root root 43040 2006-12-13 22:26 libdigestmd5.so.2<br>
> -rw-r--r-- 1 root root 43040 2006-12-13 22:26 libdigestmd5.so.2.0.22<br>
> -rw-r--r-- 1 root root 13482 2006-12-13 22:26 liblogin.a<br>
> -rw-r--r-- 1 root root 835 2006-12-13 22:26 liblogin.la<br>
> -rw-r--r-- 1 root root 13384 2006-12-13 22:26 liblogin.so<br>
> -rw-r--r-- 1 root root 13384 2006-12-13 22:26 liblogin.so.2<br>
> -rw-r--r-- 1 root root 13384 2006-12-13 22:26 liblogin.so.2.0.22<br>
> -rw-r--r-- 1 root root 29300 2006-12-13 22:26 libntlm.a<br>
> -rw-r--r-- 1 root root 829 2006-12-13 22:26 libntlm.la<br>
> -rw-r--r-- 1 root root 28776 2006-12-13 22:26 libntlm.so<br>
> -rw-r--r-- 1 root root 28776 2006-12-13 22:26 libntlm.so.2<br>
> -rw-r--r-- 1 root root 28776 2006-12-13 22:26 libntlm.so.2.0.22<br>
> -rw-r--r-- 1 root root 13818 2006-12-13 22:26 libplain.a<br>
> -rw-r--r-- 1 root root 835 2006-12-13 22:26 libplain.la<br>
> -rw-r--r-- 1 root root 13992 2006-12-13 22:26 libplain.so<br>
> -rw-r--r-- 1 root root 13992 2006-12-13 22:26 libplain.so.2<br>
> -rw-r--r-- 1 root root 13992 2006-12-13 22:26 libplain.so.2.0.22<br>
> -rw-r--r-- 1 root root 21726 2006-12-13 22:26 libsasldb.a<br>
> -rw-r--r-- 1 root root 856 2006-12-13 22:25 libsasldb.la<br>
> -rw-r--r-- 1 root root 17980 2006-12-13 22:26 libsasldb.so<br>
> -rw-r--r-- 1 root root 17980 2006-12-13 22:26 libsasldb.so.2<br>
> -rw-r--r-- 1 root root 17980 2006-12-13 22:26 libsasldb.so.2.0.22<br>
> -rw-r--r-- 1 root root 23576 2006-12-13 22:26 libsql.a<br>
> -rw-r--r-- 1 root root 964 2006-12-13 22:26 libsql.la<br>
> -rw-r--r-- 1 root root 23072 2006-12-13 22:26 libsql.so<br>
> -rw-r--r-- 1 root root 23072 2006-12-13 22:26 libsql.so.2<br>
> -rw-r--r-- 1 root root 23072 2006-12-13 22:26 libsql.so.2.0.22<br>
> <br>
> <br>
> <br>
> <br>
> -- content of /etc/postfix/sasl/smtpd.conf --<br>
> pwcheck_method: saslauthd<br>
> mech_list: plain login<br>
> allow_plaintext: true<br>
> auxprop_plugin: sql<br>
> sql_hostnames: 127.0.0.1<br>
> sql_user: --- replaced ---<br>
> sql_passwd: --- replaced ---<br>
> sql_database: mail<br>
> sql_select: select password from users where email = '%u'<br>
> #saslauthd_path: /var/run/saslauthd<br>
> <br>
> <br>
> -- active services in /etc/postfix/master.cf --<br>
> # service type private unpriv chroot wakeup maxproc command + args<br>
> # (yes) (yes) (yes) (never) (100)<br>
> smtp inet n - - - - smtpd<br>
> pickup fifo n - - 60 1 pickup<br>
> cleanup unix n - - - 0 cleanup<br>
> qmgr fifo n - n 300 1 qmgr<br>
> tlsmgr unix - - - 1000? 1 tlsmgr<br>
> rewrite unix - - - - - trivial-rewrite<br>
> bounce unix - - - - 0 bounce<br>
> defer unix - - - - 0 bounce<br>
> trace unix - - - - 0 bounce<br>
> verify unix - - - - 1 verify<br>
> flush unix n - - 1000? 0 flush<br>
> proxymap unix - - n - - proxymap<br>
> smtp unix - - - - - smtp<br>
> relay unix - - - - - smtp<br>
> -o fallback_relay=<br>
> showq unix n - - - - showq<br>
> error unix - - - - - error<br>
> discard unix - - - - - discard<br>
> local unix - n n - - local<br>
> virtual unix - n n - - virtual<br>
> lmtp unix - - - - - lmtp<br>
> anvil unix - - - - 1 anvil<br>
> scache unix - - - - 1 scache<br>
> maildrop unix - n n - - pipe<br>
> flags=Rhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}<br>
> uucp unix - n n - - pipe<br>
> flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail
> ($recipient)<br>
> ifmail unix - n n - - pipe<br>
> flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)<br>
> bsmtp unix - n n - - pipe<br>
> flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender
> $recipient<br>
> scalemail-backend unix - n n - 2 pipe<br>
> flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
> ${nexthop} ${user} ${extension}<br>
> mailman unix - n n - - pipe<br>
> flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py<br>
> ${nexthop} ${user}<br>
> <br>
> -- mechanisms on localhost --<br>
> 250-AUTH PLAIN LOGIN<br>
> 250-AUTH=PLAIN LOGIN<br>
> <br>
> <br>
> <br>
> -- end of saslfinger output --<br>
> <br>
> <br>
> <br>
> <br>
> <br>
> <br>
> Thanks,<br>
> <br>
> <br>
> Nicolas<br>
> <br>
> <br>
> <br>
> <br>
> </div>
> </body>
> </html>
--
The Book of Postfix
<http://www.postfix-book.com>
saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
More information about the Cyrus-sasl
mailing list