SASL authentication problem (postfix)

Patrick Ben Koetter p at state-of-mind.de
Sat Jun 14 14:08:49 EDT 2008


* Bernhard Rohrer <bernhard.graylion at gmail.com>:
> Hi guys
> 
> I recently upgraded my mailserver from Ubuntu gutsy to hardy and
> somehow SASL broke in the process:
> 
> I am using postfix with ldap for authentication and configuration. The
> configuration part (aliases) works nicely, but when I try to submit to
> port 587 which does an authentication via sasl/ldap I get:
> 
> mail.log shows this:
> 
> Jun 12 22:44:15 collab postfix/smtpd[10513]:
> lionscage.local[192.168.1.8]: save session
> C8DF006B81DC0C8FEE137BDFB39A09E8BEE013868C9B62E5B54A05F54A35A4C0&s=submissio$
> Jun 12 22:44:15 collab postfix/tlsmgr[10428]: put smtpd session
> id=C8DF006B81DC0C8FEE137BDFB39A09E8BEE013868C9B62E5B54A05F54A35A4C0&s=submission
> [data 127 bytes]
> Jun 12 22:44:15 collab postfix/tlsmgr[10428]: write smtpd TLS cache
> entry C8DF006B81DC0C8FEE137BDFB39A09E8BEE013868C9B62E5B54A05F54A35A4C0&s=submission:
> time=121330$
> Jun 12 22:44:15 collab postfix/smtpd[10513]: Anonymous TLS connection
> established from lionscage.local[192.168.1.8]: TLSv1 with cipher
> DHE-RSA-AES256-SHA (256/256 b$
> Jun 12 22:44:15 collab postfix/smtpd[10513]: warning: SASL
> authentication failure: cannot connect to saslauthd server: Permission
> denied

You are running the smtpd process chrooted and libsasl cannot find the
saslauthd socket?

p at rick



> Jun 12 22:44:15 collab postfix/smtpd[10513]: warning: SASL
> authentication failure: Password verification failed
> Jun 12 22:44:15 collab postfix/smtpd[10513]: warning:
> lionscage.local[192.168.1.8]: SASL PLAIN authentication failed:
> generic failure
> 
> master.cf:
> 
> root at collab:/etc/postfix# cat master.cf
> #
> # Postfix master process configuration file.  For details on the format
> # of the file, see the Postfix master(5) manual page.
> #
> # ==========================================================================
> # service type  private unpriv  chroot  wakeup  maxproc command + args
> #               (yes)   (yes)   (yes)   (never) (100)
> # ==========================================================================
> smtp      inet  n       -       -       -       -       smtpd
> #submission inet n      -       -       -       -        smtpd
> #       -o smtpd_etrn_restrictions=reject
> #       -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> #smtps    inet  n       -       -       -       -       smtpd
> #  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
> #submission inet n      -       -       -       -       smtpd
> #    -o smtpd_etrn_restrictions=reject
> #    -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
> #    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> #628      inet  n       -       -       -       -       qmqpd
> pickup    fifo  n       -       -       60      1       pickup
> cleanup   unix  n       -       -       -       0       cleanup
> qmgr      fifo  n       -       n       300     1       qmgr
> #qmgr     fifo  n       -       -       300     1       oqmgr
> tlsmgr    unix  -       -       -       1000?   1       tlsmgr
> rewrite   unix  -       -       -       -       -       trivial-rewrite
> bounce    unix  -       -       -       -       0       bounce
> defer     unix  -       -       -       -       0       bounce
> trace     unix  -       -       -       -       0       bounce
> verify    unix  -       -       -       -       1       verify
> flush     unix  n       -       -       1000?   0       flush
> proxymap  unix  -       -       n       -       -       proxymap
> smtp      unix  -       -       -       -       -       smtp
> # When relaying mail as backup MX, disable fallback_relay to avoid MX loops
> relay     unix  -       -       -       -       -       smtp
>        -o fallback_relay=
> #       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
> showq     unix  n       -       -       -       -       showq
> error     unix  -       -       -       -       -       error
> discard   unix  -       -       -       -       -       discard
> local     unix  -       n       n       -       -       local
> virtual   unix  -       n       n       -       -       virtual
> lmtp      unix  -       -       n       -       -       lmtp
> anvil     unix  -       -       -       -       1       anvil
> scache    unix  -       -       -       -       1       scache
> #
> # ====================================================================
> # Interfaces to non-Postfix software. Be sure to examine the manual
> # pages of the non-Postfix software to find out what options it wants.
> #
> # Many of the following services use the Postfix pipe(8) delivery
> # agent.  See the pipe(8) man page for information about ${recipient}
> # and other message envelope options.
> # ====================================================================
> #
> # maildrop. See the Postfix MAILDROP_README file for details.
> # Also specify in main.cf: maildrop_destination_recipient_limit=1
> #
> #maildrop  unix  -       n       n       -       -       pipe
> #  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
> #
> # See the Postfix UUCP_README file for configuration details.
> #
> uucp      unix  -       n       n       -       -       pipe
>  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
> #
> # Other external delivery methods.
> #
> ifmail    unix  -       n       n       -       -       pipe
>  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
> bsmtp     unix  -       n       n       -       -       pipe
>  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
> scalemail-backend unix  -       n       n       -       2       pipe
>  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
> ${nexthop} ${user} ${extension}
> mailman   unix  -       n       n       -       -       pipe
>  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
>  ${nexthop} ${user}
> policy  unix  -       n       n       -       -       spawn
>  user=nobody argv=/usr/bin/perl /usr/share/perl5/Mail/postfix-policyd-spf.pl
> #
> # Before-filter SMTP server. Receive mail from the network and
> # pass it to the content filter on localhost port 10025.
> #
> smtp      inet  n       -       n       -       -       smtpd
>    -o smtpd_proxy_filter=127.0.0.1:10025
>    -o smtpd_client_connection_count_limit=20
>    -o content_filter=dksign:[127.0.0.1]:10027
> #
> # After-filter SMTP server. Receive mail from the content filter on
> # localhost port 10026.
> #
> 127.0.0.1:10026 inet n  -       n       -        -      smtpd
>    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
>    -o smtpd_client_restrictions=
>    -o smtpd_helo_restrictions=
>    -o smtpd_sender_restrictions=
>    -o smtpd_recipient_restrictions=permit_mynetworks,reject
>    -o smtpd_data_restrictions=
>    -o mynetworks=127.0.0.0/8,192.168.0.0/16
>    -o receive_override_options=no_unknown_recipient_checks
> #
> # modify the default submission service to specify a content filter
> # and restrict it to local clients and SASL authenticated clients only
> #
> submission  inet  n     -       n       -       -       smtpd
>    -o smtpd_etrn_restrictions=reject
>    -o smtpd_sasl_auth_enable=yes
>    -o smtpd_enforce_tls=yes
> #    -o content_filter=dksign:[127.0.0.1]:10027
>    -o receive_override_options=no_address_mappings
>    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
> #
> # specify the location of the DomainKeys signing filter
> #
> dksign    unix  -       -       n       -       10      smtp
>    -o smtp_send_xforward_command=yes
>    -o smtp_discard_ehlo_keywords=8bitmime
> #
> # service for accepting messages FROM the DomainKeys signing filter
> #
> 127.0.0.1:10028 inet  n  -      n       -       10      smtpd
>    -o content_filter=
>    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
>    -o smtpd_helo_restrictions=
>    -o smtpd_client_restrictions=
>    -o smtpd_sender_restrictions=
>    -o smtpd_recipient_restrictions=permit_mynetworks,reject
>    -o mynetworks=127.0.0.0/8,192.168.0.0/16
> #    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
> 
> sublion inet  n     -       n       -       -       smtpd
>    -o smtpd_etrn_restrictions=reject
>    -o smtpd_sasl_auth_enable=yes
>    -o smtpd_enforce_tls=no
>    -o content_filter=dksign:[127.0.0.1]:10027
>    -o receive_override_options=no_address_mappings
>    -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
> retry     unix  -       -       -       -       -       error
> 
> Given that the new version of SASL works differently, I have 2
> instances running now; this is the one for postfix:
> 
> root at collab:/etc/default# cat saslauthd-postfix
> #
> # Settings for saslauthd daemon
> #
> 
> # Should saslauthd run automatically on startup? (default: no)
> START=yes
> 
> # Which authentication mechanisms should saslauthd use? (default: pam)
> #
> # Available options in this Debian package:
> # getpwent  -- use the getpwent() library function
> # kerberos5 -- use Kerberos 5
> # pam       -- use PAM
> # rimap     -- use a remote IMAP server
> # shadow    -- use the local shadow password file
> # sasldb    -- use the local sasldb database file
> # ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
> #
> # Only one option may be used at a time. See the saslauthd man page
> # for more information.
> #
> # Example: MECHANISMS="pam"
> MECHANISMS="ldap"
> 
> # Additional options for this mechanism. (default: none)
> # See the saslauthd man page for information about mech-specific options.
> MECH_OPTIONS=""
> 
> # How many saslauthd processes should we run? (default: 5)
> # A value of 0 will fork a new process for each connection.
> THREADS=5
> 
> # Other options (default: -c)
> # See the saslauthd man page for information about these options.
> #
> # Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
> # Note: See /usr/share/doc/sasl2-bin/README.Debian
> OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
> NAME="saslauthd-postfix"
> DESC="der fuer postfix"
> 
> root at collab:/etc/postfix/sasl# cat smtpd.conf
> pwcheck_method: saslauthd
> saslauthd_path: /var/run/saslauthd
> mech_list: plain login
> allow_plaintext: true
> ldap_sasl: 1
> ldap_servers: ldap://localhost/
> ldap_base: dc=domain,dc=tld
> ldap_group_base: ou=groups,dc=domain,dc=tld
> ldap_group_filter: cn=%U
> ldap_member_filter: dn=%U
> ldap_group_scope: sub
> ldap_member_method: filter
> 
> 
> root at collab:/var/spool/postfix/var/run/saslauthd# ls -al
> total 980
> drwx--x--- 2 root sasl   4096 2008-06-12 22:20 .
> drwxr-xr-x 3 root root   4096 2008-03-13 00:13 ..
> -rw------- 1 root root      0 2008-06-12 22:20 cache.flock
> -rw------- 1 root root 986112 2008-06-12 22:20 cache.mmap
> srwxrwxrwx 1 root root      0 2008-06-12 22:20 mux
> -rw------- 1 root root      0 2008-06-12 22:20 mux.accept
> -rw------- 1 root root      6 2008-06-12 22:20 saslauthd.pid
> 
> I did the dpkg-statoverride --add root sasl 710
> /var/spool/postfix/var/run/saslauthd
> 
> and to add insult to injury:
> 
> root at collab:# sudo -u postfix testsaslauthd -f
> /var/spool/postfix/var/run/saslauthd/mux -u xxxxxxx -p xyz
> 0: OK "Success."
> 
> what am I missing?
> 
> this worked rather nicely before the upgrade from ubuntu gutsy to hardy
> 
> thanks
> 
> Bernhard

-- 
The Book of Postfix
<http://www.postfix-book.com>
saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
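One way to check the point raised in the reply above, as an added example that is not part of the original thread or of Postfix or Cyrus SASL: resolve the path that a given smtpd(8) service will actually open for the saslauthd mux socket (chrooted services see `saslauthd_path` relative to the queue directory) and compare it with the directory saslauthd was started with via `-m`. The master.cf excerpt, smtpd.conf lines and saslauthd OPTIONS string are constructed inputs; the helper names (`chroot_flag`, `effective_mux`, `listen_mux`, `socket_reachable`, `live_check`) are hypothetical, and the script assumes the pre-3.0 master.cf convention that `-` in the chroot column takes the chrooted default and a queue_directory of /var/spool/postfix.

```shell
#!/bin/sh
# Added example, not from the thread above: work out which filesystem path a
# Postfix smtpd(8) will open for the saslauthd "mux" socket and compare it with
# where saslauthd is told to listen (-m). Assumes the pre-Postfix-3.0 master.cf
# convention that '-' in the chroot column takes the default (chrooted) and the
# Debian default queue_directory of /var/spool/postfix.

QUEUE_DIR=/var/spool/postfix

# Constructed master.cf excerpt (assumption, not the poster's file): one smtpd
# chrooted by default ('-'), one explicitly not ('n'), one explicitly ('y').
MASTER_CF='smtp       inet  n  -  -  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o smtpd_sasl_auth_enable=yes
smtps      inet  n  -  y  -  -  smtpd
smtp       unix  -  -  -  -  -  smtp'

# Constructed smtpd.conf and /etc/default/saslauthd OPTIONS (assumptions).
SMTPD_CONF='pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd
mech_list: plain login'
SASLAUTHD_OPTIONS='-c -m /var/spool/postfix/var/run/saslauthd'

# chroot_flag SERVICE MASTER_CF -> prints y or n from the inet service's 5th column.
chroot_flag() {
    flag=$(printf '%s\n' "$2" | awk -v s="$1" '$1 == s && $2 == "inet" { print $5; exit }')
    case "$flag" in
        n) echo n ;;
        *) echo y ;;     # 'y' or '-' (the default) both mean chrooted
    esac
}

# sasl_path SMTPD_CONF -> the saslauthd_path value libsasl will use.
sasl_path() {
    printf '%s\n' "$1" | awk -F': *' '$1 == "saslauthd_path" { print $2; exit }'
}

# effective_mux SERVICE -> the absolute path smtpd actually connects to.
# Inside the chroot, saslauthd_path is resolved relative to queue_directory.
effective_mux() {
    p=$(sasl_path "$SMTPD_CONF")
    if [ "$(chroot_flag "$1" "$MASTER_CF")" = y ]; then
        echo "$QUEUE_DIR$p/mux"
    else
        echo "$p/mux"
    fi
}

# listen_mux OPTIONS -> the socket saslauthd creates (-m dir, default /var/run/saslauthd).
listen_mux() {
    dir=$(printf '%s\n' "$1" | sed -n 's/.*-m \([^ ]*\).*/\1/p')
    [ -n "$dir" ] || dir=/var/run/saslauthd
    echo "$dir/mux"
}

# socket_reachable SERVICE -> exit 0 when both sides agree on the path.
socket_reachable() {
    [ "$(effective_mux "$1")" = "$(listen_mux "$SASLAUTHD_OPTIONS")" ]
}

# live_check SERVICE -> on a real host, additionally confirm the socket exists and
# that the postfix user can traverse a 710 root:sasl directory (needs group sasl).
live_check() {
    mux=$(effective_mux "$1")
    [ -S "$mux" ] || { echo "no socket at $mux"; return 1; }
    id -nG postfix 2>/dev/null | tr ' ' '\n' | grep -qx sasl \
        || { echo "user postfix is not in group sasl"; return 1; }
    echo "$1: socket $mux present and directory traversable by postfix"
}

for svc in smtp submission smtps; do
    if socket_reachable "$svc"; then
        echo "$svc: OK, smtpd opens $(effective_mux "$svc")"
    else
        echo "$svc: MISMATCH, smtpd opens $(effective_mux "$svc") but saslauthd listens on $(listen_mux "$SASLAUTHD_OPTIONS")"
    fi
done
if [ "${1:-}" = --live ]; then live_check "${2:-submission}"; fi
```

With the constructed inputs the chrooted services resolve to the /var/spool/postfix/... socket that matches the `-m` directory, while the non-chrooted `submission` service opens /var/run/saslauthd/mux and is reported as a mismatch; run it with `--live submission` on a real host to also stat the socket and check the postfix user's group membership.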

