SASL authentication problem (postfix)
Patrick Ben Koetter
p at state-of-mind.de
Sat Jun 14 14:08:49 EDT 2008
* Bernhard Rohrer <bernhard.graylion at gmail.com>:
> Hi guys
>
> I recently upgraded my mailserver from Ubuntu gutsy to hardy an
> somehow SASL broke in the process:
>
> I am using postfix with ldap for authentication and configuration. The
> configuration part (aliases) works nicely, but when I try to submit to
> port 587 which does an authentication via sasl/ldap I get:
>
> mail.log shows this:
>
> Jun 12 22:44:15 collab postfix/smtpd[10513]:
> lionscage.local[192.168.1.8]: save session
> C8DF006B81DC0C8FEE137BDFB39A09E8BEE013868C9B62E5B54A05F54A35A4C0&s=submissio$
> Jun 12 22:44:15 collab postfix/tlsmgr[10428]: put smtpd session
> id=C8DF006B81DC0C8FEE137BDFB39A09E8BEE013868C9B62E5B54A05F54A35A4C0&s=submission
> [data 127 bytes]
> Jun 12 22:44:15 collab postfix/tlsmgr[10428]: write smtpd TLS cache
> entry C8DF006B81DC0C8FEE137BDFB39A09E8BEE013868C9B62E5B54A05F54A35A4C0&s=submission:
> time=121330$
> Jun 12 22:44:15 collab postfix/smtpd[10513]: Anonymous TLS connection
> established from lionscage.local[192.168.1.8]: TLSv1 with cipher
> DHE-RSA-AES256-SHA (256/256 b$
> Jun 12 22:44:15 collab postfix/smtpd[10513]: warning: SASL
> authentication failure: cannot connect to saslauthd server: Permission
> denied
You are running the smtpd process chrooted and libsasl cannot find the
saslauthd socket?
p at rick
> Jun 12 22:44:15 collab postfix/smtpd[10513]: warning: SASL
> authentication failure: Password verification failed
> Jun 12 22:44:15 collab postfix/smtpd[10513]: warning:
> lionscage.local[192.168.1.8]: SASL PLAIN authentication failed:
> generic failure
>
> master.cf:
>
> root at collab:/etc/postfix# cat master.cf
> #
> # Postfix master process configuration file. For details on the format
> # of the file, see the Postfix master(5) manual page.
> #
> # ==========================================================================
> # service type private unpriv chroot wakeup maxproc command + args
> # (yes) (yes) (yes) (never) (100)
> # ==========================================================================
> smtp inet n - - - - smtpd
> #submission inet n - - - - smtpd
> # -o smtpd_etrn_restrictions=reject
> # -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> #smtps inet n - - - - smtpd
> # -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
> #submission inet n - - - - smtpd
> # -o smtpd_etrn_restrictions=reject
> # -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
> # -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> #628 inet n - - - - qmqpd
> pickup fifo n - - 60 1 pickup
> cleanup unix n - - - 0 cleanup
> qmgr fifo n - n 300 1 qmgr
> #qmgr fifo n - - 300 1 oqmgr
> tlsmgr unix - - - 1000? 1 tlsmgr
> rewrite unix - - - - - trivial-rewrite
> bounce unix - - - - 0 bounce
> defer unix - - - - 0 bounce
> trace unix - - - - 0 bounce
> verify unix - - - - 1 verify
> flush unix n - - 1000? 0 flush
> proxymap unix - - n - - proxymap
> smtp unix - - - - - smtp
> # When relaying mail as backup MX, disable fallback_relay to avoid MX loops
> relay unix - - - - - smtp
> -o fallback_relay=
> # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
> showq unix n - - - - showq
> error unix - - - - - error
> discard unix - - - - - discard
> local unix - n n - - local
> virtual unix - n n - - virtual
> lmtp unix - - n - - lmtp
> anvil unix - - - - 1 anvil
> scache unix - - - - 1 scache
> #
> # ====================================================================
> # Interfaces to non-Postfix software. Be sure to examine the manual
> # pages of the non-Postfix software to find out what options it wants.
> #
> # Many of the following services use the Postfix pipe(8) delivery
> # agent. See the pipe(8) man page for information about ${recipient}
> # and other message envelope options.
> # ====================================================================
> #
> # maildrop. See the Postfix MAILDROP_README file for details.
> # Also specify in main.cf: maildrop_destination_recipient_limit=1
> #
> #maildrop unix - n n - - pipe
> # flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
> #
> # See the Postfix UUCP_README file for configuration details.
> #
> uucp unix - n n - - pipe
> flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
> #
> # Other external delivery methods.
> #
> ifmail unix - n n - - pipe
> flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
> bsmtp unix - n n - - pipe
> flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
> scalemail-backend unix - n n - 2 pipe
> flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
> ${nexthop} ${user} ${extension}
> mailman unix - n n - - pipe
> flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
> ${nexthop} ${user}
> policy unix - n n - - spawn
> user=nobody argv=/usr/bin/perl /usr/share/perl5/Mail/postfix-policyd-spf.pl
> #
> # Before-filter SMTP server. Receive mail from the network and
> # pass it to the content filter on localhost port 10025.
> #
> smtp inet n - n - - smtpd
> -o smtpd_proxy_filter=127.0.0.1:10025
> -o smtpd_client_connection_count_limit=20
> -o content_filter=dksign:[127.0.0.1]:10027
> #
> # After-filter SMTP server. Receive mail from the content filter on
> # localhost port 10026.
> #
> 127.0.0.1:10026 inet n - n - - smtpd
> -o smtpd_authorized_xforward_hosts=127.0.0.0/8
> -o smtpd_client_restrictions=
> -o smtpd_helo_restrictions=
> -o smtpd_sender_restrictions=
> -o smtpd_recipient_restrictions=permit_mynetworks,reject
> -o smtpd_data_restrictions=
> -o mynetworks=127.0.0.0/8,192.168.0.0/16
> -o receive_override_options=no_unknown_recipient_checks
> #
> # modify the default submission service to specify a content filter
> # and restrict it to local clients and SASL authenticated clients only
> #
> submission inet n - n - - smtpd
> -o smtpd_etrn_restrictions=reject
> -o smtpd_sasl_auth_enable=yes
> -o smtpd_enforce_tls=yes
> # -o content_filter=dksign:[127.0.0.1]:10027
> -o receive_override_options=no_address_mappings
> -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
> #
> # specify the location of the DomainKeys signing filter
> #
> dksign unix - - n - 10 smtp
> -o smtp_send_xforward_command=yes
> -o smtp_discard_ehlo_keywords=8bitmime
> #
> # service for accepting messages FROM the DomainKeys signing filter
> #
> 127.0.0.1:10028 inet n - n - 10 smtpd
> -o content_filter=
> -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
> -o smtpd_helo_restrictions=
> -o smtpd_client_restrictions=
> -o smtpd_sender_restrictions=
> -o smtpd_recipient_restrictions=permit_mynetworks,reject
> -o mynetworks=127.0.0.0/8,192.168.0.0/16
> # -o smtpd_authorized_xforward_hosts=127.0.0.0/8
>
> sublion inet n - n - - smtpd
> -o smtpd_etrn_restrictions=reject
> -o smtpd_sasl_auth_enable=yes
> -o smtpd_enforce_tls=no
> -o content_filter=dksign:[127.0.0.1]:10027
> -o receive_override_options=no_address_mappings
> -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
> retry unix - - - - - error
>
> given that the new version of SASL works differently I have 2
> instances running now, this is the one for postfix
>
> root at collab:/etc/default# cat saslauthd-postfix
> #
> # Settings for saslauthd daemon
> #
>
> # Should saslauthd run automatically on startup? (default: no)
> START=yes
>
> # Which authentication mechanisms should saslauthd use? (default: pam)
> #
> # Available options in this Debian package:
> # getpwent -- use the getpwent() library function
> # kerberos5 -- use Kerberos 5
> # pam -- use PAM
> # rimap -- use a remote IMAP server
> # shadow -- use the local shadow password file
> # sasldb -- use the local sasldb database file
> # ldap -- use LDAP (configuration is in /etc/saslauthd.conf)
> #
> # Only one option may be used at a time. See the saslauthd man page
> # for more information.
> #
> # Example: MECHANISMS="pam"
> MECHANISMS="ldap"
>
> # Additional options for this mechanism. (default: none)
> # See the saslauthd man page for information about mech-specific options.
> MECH_OPTIONS=""
>
> # How many saslauthd processes should we run? (default: 5)
> # A value of 0 will fork a new process for each connection.
> THREADS=5
>
> # Other options (default: -c)
> # See the saslauthd man page for information about these options.
> #
> # Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
> # Note: See /usr/share/doc/sasl2-bin/README.Debian
> OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
> NAME="saslauthd-postfix"
> DESC="der fuer postfix"
>
> root at collab:/etc/postfix/sasl# cat smtpd.conf
> pwcheck_method: saslauthd
> saslauthd_path: /var/run/saslauthd
> mech_list: plain login
> allow_plaintext: true
> ldap_sasl: 1
> ldap_servers: ldap://localhost/
> ldap_base: dc=domain,dc=tld
> ldap_group_base: ou=groups,dc=domain,dc=tld
> ldap_group_filter: cn=%U
> ldap_member_filter: dn=%U
> ldap_group_scope: sub
> ldap_member_method: filter
>
>
> root at collab:/var/spool/postfix/var/run/saslauthd# ls -al
> total 980
> drwx--x--- 2 root sasl 4096 2008-06-12 22:20 .
> drwxr-xr-x 3 root root 4096 2008-03-13 00:13 ..
> -rw------- 1 root root 0 2008-06-12 22:20 cache.flock
> -rw------- 1 root root 986112 2008-06-12 22:20 cache.mmap
> srwxrwxrwx 1 root root 0 2008-06-12 22:20 mux
> -rw------- 1 root root 0 2008-06-12 22:20 mux.accept
> -rw------- 1 root root 6 2008-06-12 22:20 saslauthd.pid
>
> I did the dpkg-statoverride --add root sasl 710
> /var/spool/postfix/var/run/saslauthd
>
> and to add insult to injury:
>
> root at collab:# sudo -u postfix testsaslauthd -f
> /var/spool/postfix/var/run/saslauthd/mux -u xxxxxxx -p xyz
> 0: OK "Success."
>
> what am I missing?
>
> this worked rather nicely before the upgrade from ubuntu gutsy to hardy
>
> thanks
>
> Bernhard
--
The Book of Postfix
<http://www.postfix-book.com>
saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
More information about the Cyrus-sasl
mailing list