Issues under FreeBSD 8.0

Dan White dwhite at olp.net
Thu Dec 3 01:37:40 EST 2009


On 02/12/09 15:17 -0800, Corey Chandler wrote:
> Dan White wrote:
>> On 02/12/09 10:03 -0800, Corey Chandler wrote:
>>> I recently upgraded from FreeBSD 7.2 to 8.0.  This resulted in a  
>>> strange  error with authdaemond when used in conjunction with  
>>> postfix; I've  rebuilt all of the packages, but the config they're  
>>> using has worked  since the 6.0 days.
>>>
>>> I attempt to send a message using SASL and get the following in my  
>>> logs  (passwords and hashes have been consistently redacted; nothing  
>>> else has  been altered):
>>>
>>> -- content of /usr/local/lib/sasl2/smtpd.conf --
>>> pwcheck_method: authdaemond
>>> log_level: 7
>>> mech_list: PLAIN LOGIN
>>> authdaemond_path: /var/run/authdaemond/socket
>>
> Bloody hell, thought they were in the same logfile; my apologies.  The  
> issue is that while IMAP works correctly authenticating against  
> authdaemond, any attempt I make to authenticate via SASL fails according  
> to postfix, yet succeeds according to authdaemond.
>
> As to logs, here you go:
>
> Dec  2 15:10:03 alcatraz postfix/smtpd[16120]: warning: where.i.sit:  
> address not listed for hostname HOSTNAME
> Dec  2 15:10:03 alcatraz postfix/smtpd[16120]: connect from  
> unknown[where.i.sit]
> Dec  2 15:10:06 alcatraz postfix/smtpd[16120]: warning: SASL  
> authentication failure: could not verify password
> Dec  2 15:10:06 alcatraz postfix/smtpd[16120]: warning: SASL  
> authentication failure: Password verification failed
> Dec  2 15:10:06 alcatraz postfix/smtpd[16120]: warning:  
> unknown[where.i.sit]: SASL PLAIN authentication failed: generic failure
> Dec  2 15:10:06 alcatraz authdaemond: Authenticated: sysusername=<null>,  
> sysuserid=1008, sysgroupid=1008, homedir=/usr/local/virtual/,  
> address=jay at sequestered.net, fullname=Jay Chandler,  
> maildir=sequestered.net/jay at sequestered.net/, quota=1024000000S,  
> options=<null>
> Dec  2 15:10:06 alcatraz authdaemond: Authenticated:  
> clearpasswd=omgponies, passwd=$1$6dICANHAZPONIEZ?$Z1ySHXcliB8vx0jqwZ9Bp1
> Dec  2 15:10:06 alcatraz postfix/smtpd[16120]: warning: SASL  
> authentication failure: could not verify password
> Dec  2 15:10:06 alcatraz postfix/smtpd[16120]: warning:  
> unknown[where.i.sit]: SASL LOGIN authentication failed: generic failure
> Dec  2 15:10:06 alcatraz authdaemond: Authenticated: sysusername=<null>,  
> sysuserid=1008, sysgroupid=1008, homedir=/usr/local/virtual/,  
> address=jay at sequestered.net, fullname=Jay Chandler,  
> maildir=sequestered.net/jay at sequestered.net/, quota=1024000000S,  
> options=<null>
> Dec  2 15:10:06 alcatraz authdaemond: Authenticated:  
> clearpasswd=omgponies, passwd=$1$6dICANHAZPONIEZ?$Z1ySHXcliB8vx0jqwZ9Bp1

Per cyrus sasl source in lib/pwcheck.c, function authdaemon_build_query,
the following gets sent to authdaemond:

AUTH <size>
<service>
login
<user>
<password>

e.g.

AUTH 33
smtp
login
dwhite at olp.net
secret

And expects to get a response which includes a line of 'FAIL\n' or '.\n'
(success). See function authdaemon_talk. e.g.:

USERNAME=dwhite at olp.net
GID=1001
HOME=/home/dwhite at olp.net
ADDRESS=dwhite at olp.net
NAME=
PASSWD=$1xxxxxxxxxxxx
PASSWD2=secret
.

I was able to successfully test authentication on my Debian system, using
the following versions:

courier-authdaemon 0.62.4-1
libsasl2-2 2.1.23.dfsg1-2
postfix 2.5.5-1.1

with an authdaemond configuration of:

authmodulelist="authpam"
authmodulelistorig="authuserdb authpam authpgsql authldap authmysql
authcustom authpipe"
daemons=5
authdaemonvar=/var/run/courier/authdaemon
DEBUG_LOGIN=2
DEFAULTOPTIONS=""
LOGGEROPTS=""

and a postfix smtpd.conf (sasl) config of:

pwcheck_method: authdaemond
log_level: 7
mech_list: PLAIN LOGIN
authdaemond_path: /var/run/courier/authdaemon/socket


Perhaps there's a code change within authdaemon or a config change that is
confusing the sasl library. I'm pasting a couple of perl scripts that might
help you troubleshoot your setup.

This script opens a unix domain socket and simply prints out whatever it
receives:

#!/usr/bin/perl
use strict;
use warnings;
$|++;
use IO::Socket;

my $socketfile = $ARGV[0] or die "usage: $0 /path/to/socket\n";

unlink $socketfile;          # remove a stale socket left by an earlier run
$SIG{CHLD} = 'IGNORE';       # reap finished children automatically
my $server = IO::Socket::UNIX->new(Local  => $socketfile,
                                   Type   => SOCK_STREAM,
                                   Listen => 32 ) or die $!;
$server->autoflush(1);
while ( my $connection = $server->accept() ) {
   my $pid = fork();
   die "fork failed: $!" unless defined $pid;
   if ($pid == 0) {           # child: echo everything the client sends
     while (<$connection>) {
       print $_;
     }
     exit 0;                  # don't let the child fall back into accept()
   }
   close $connection;         # parent: the child owns this connection now
}
# Adapted from a script found at
# http://www.rexroof.com/blog/2005/09/unix-domain-sockets-in-perl.php


You could run it on a specified socket file (such as /tmp/mysocket), and then
point authdaemond_path to it within Postfix to see what it's sending to
authdaemond.

This script opens a client unix domain connection to a specified socket,
and should allow you to speak directly to authdaemond and see what it is
returning:

#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket;             # new in 5.004

my $socket = shift || '/tmp/catsock';
my $handle = IO::Socket::UNIX->new($socket)
         || die "can't connect to $socket: $!";
$handle->autoflush(1);
my $pid = fork();
die "fork failed: $!" unless defined $pid;   # undef means failure
if ($pid) {                 # parent
     select($handle);
     print while <STDIN>;    # everything from stdin to socket
     $handle->shutdown(1);   # stdin hit EOF: half-close so the server sees it
     waitpid($pid, 0);       # let the child finish printing the reply
} else {                    # child
     print while <$handle>;  # everything from socket to stdout
     exit 0;
}
close $handle;
exit;
# Adapted from a script found at
# http://www.perlmonks.org/?node=Can%20I%20use%20perl%20to%20run%20a%20telnet%20or%20ftp%20session%3F


-- 
Dan White
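As an added example (not part of Dan's post, the cyrus-sasl source, or Courier), a small Python client that frames the AUTH query and parses the reply exactly as the protocol description above lays it out; the "AUTH 33" figure from the post is reproduced with the list-munged address read as dwhite@olp.net, and the socket path is whatever you pass in.

```python
import socket

SENSITIVE = ("PASSWD", "PASSWD2")   # reply carries the hash and cleartext password

def build_query(service: str, user: str, password: str) -> bytes:
    """Frame 'AUTH <size>\\n<service>\\nlogin\\n<user>\\n<password>\\n'.

    <size> is the byte length of everything after the AUTH line, so
    ('smtp', 'dwhite@olp.net', 'secret') gives 'AUTH 33' as in the post.
    """
    for field in (service, user, password):
        if "\n" in field:
            raise ValueError("newline in a field would break the framing")
    body = f"{service}\nlogin\n{user}\n{password}\n".encode()
    return b"AUTH %d\n" % len(body) + body

def parse_response(raw: bytes):
    """Return (ok, fields): ok is True on a '.' terminator, False on 'FAIL'."""
    fields = {}
    for line in raw.decode(errors="replace").split("\n"):
        if line == ".":
            return True, fields
        if line == "FAIL":
            return False, fields
        if "=" in line:
            key, _, value = line.partition("=")
            fields[key] = value
    raise ValueError("reply ended without '.' or 'FAIL'")

def loggable(fields: dict) -> dict:
    """Copy of the reply that is safe to log: no hash, no cleartext password."""
    return {k: v for k, v in fields.items() if k not in SENSITIVE}

def check_password(socket_path: str, service: str, user: str, password: str,
                   timeout: float = 5.0):
    """Send one AUTH query over the unix socket and read until '.' or 'FAIL'."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        sock.connect(socket_path)          # e.g. /var/run/authdaemond/socket
        sock.sendall(build_query(service, user, password))
        buf = b""
        while b"." not in buf.split(b"\n") and b"FAIL" not in buf.split(b"\n"):
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return parse_response(buf)
```

Run check_password() against the live socket with the same service, user and password Postfix would use; if it returns True while smtpd still logs "could not verify password", the fault is on the SASL side of the socket rather than in authdaemond.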
