can't get smtp auth/testsaslauthd to work, auth mechanism rimap

Dave Della Costa dfd94 at hampshire.edu
Mon Feb 2 11:49:32 EST 2009


Hi folks,

I've been using this tutorial: 
http://www.gentoo.org/doc/en/virt-mail-howto.xml

It's a bit sparse on some details.  Everything is working, except:

I cannot get authentication to work when I try to connect from my client 
to send email via postfix.  I can log in to my courier imap server (on 
port 993, although I just opened 143 too to make sure that wasn't a 
problem) as well--I know I'm using valid credentials.  I'll let the logs 
speak for themselves:

Feb  2 15:54:27 host saslauthd[15778]: do_auth         : auth failure: 
[user=postmaster] [service=smtp] [realm=] [mech=rimap] [reason=remote 
server rejected your credentials]

I don't believe postfix is the problem here (at this point at least). 
If I run testsaslauthd I get:

host ~ # testsaslauthd -u postmaster -p thepassword
0: NO "authentication failed"

and in the logs, again:

Feb  2 16:14:35 host saslauthd[15778]: do_auth         : auth failure: 
[user=postmaster] [service=imap] [realm=] [mech=rimap] [reason=remote 
server rejected your credentials]

I've noted that the "service" field is different, but even if I run

host ~ # testsaslauthd -u postmaster -p thepassword -s smtp
0: NO "authentication failed"

...same thing:

Feb  2 16:16:09 host saslauthd[15774]: do_auth         : auth failure: 
[user=postmaster] [service=smtp] [realm=] [mech=rimap] [reason=remote 
server rejected your credentials]

I'm just trying to wrap my head around the process now.  I don't feel 
like I even quite know how to debug this fully, but there are a few 
other things I've determined:

1) postfix appears to be working completely in every other way.  So I 
think it is not an issue, and it would seem that, as I can't even get 
testsaslauthd to authenticate, my problems are unrelated to my postfix 
configuration.

2) As I said, I can log in to IMAP successfully.  I originally had only 
993 open (imaps), but it seemed like saslauthd wouldn't connect that 
way, and I couldn't figure out how to configure this; but I figured I'd 
leave that alone for now and figure it out later.

One thing I did notice was that when I logged in to IMAP directly from 
my mail client, I'd see this sort of behavior in the logs:

Feb  2 16:20:37 host imapd-ssl: LOGIN, user=postmaster at host, 
ip=[::ffff:x.x.x.x], protocol=IMAP
Feb  2 16:20:38 host imapd-ssl: Connection, ip=[::ffff:x.x.x.x]
Feb  2 16:20:38 host authdaemond: received auth request, service=imap, 
authtype=login
Feb  2 16:20:38 host authdaemond: authmysql: trying this module
Feb  2 16:20:38 host authdaemond: SQL query: SELECT email ...(etc.)

So, IMAP login seems to successfully pass off authentication to 
courier-auth.  However, when I try using testsaslauthd, or connect to 
send mail through postfix via my client, I only see this as far as IMAP 
in the logs:

Feb  2 16:23:32 host imapd: Connection, ip=[::ffff:127.0.0.1]
Feb  2 16:23:32 host imapd: Disconnected, ip=[::ffff:127.0.0.1], time=0

That's it.  Obviously, it's not passing off to courier-auth.  If I 
understand what the rimap authentication mechanism is doing, it should 
in fact look pretty much the same as the successful IMAP login, right? 
So it seems like I must have misconfigured something for sasl so that it 
is not speaking to the imap server in a way it expects; I noticed I 
don't see the "LOGIN" message in the logs, for example.

However, I can't for the life of me figure out how I can get more 
debugging data for this, or configure saslauthd differently.  I've 
enabled SQL logging in MySQL (where I am storing authentication info, as 
you can see from the first IMAP log example) and it is clear that the 
database is *not* being hit at all when I run testsaslauthd.  And 
courier auth debugging is set to 2 so that's coming out full force.  Is 
there any place I can specify higher levels of debugging for saslauthd? 
Adding the '-d' flag to saslauthd wasn't helpful, unfortunately.

/etc/sasl2/smtpd.conf:

host ~ # cat /etc/sasl2/smtpd.conf
mech_list: PLAIN LOGIN
pwcheck_method: saslauthd
host ~ #

/etc/conf.d/saslauthd

host ~ # cat /etc/conf.d/saslauthd
# Config file for /etc/init.d/saslauthd

# Initial (empty) options.
SASLAUTHD_OPTS=""

# Specify the authentications mechanism.
# **NOTE** For a list see: saslauthd -v
# Since 2.1.19, add "-r" to options for old behavior,
# ie. reassemble user and realm to user at realm form.
#SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -a pam -r"
#SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -a pam"

# Specify the hostname for remote IMAP server.
# **NOTE** Only needed if rimap auth mechanism is used.
#SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -O localhost"

# Specify the number of worker processes to create.
#SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -n 5"

# Enable credential cache, set cache size and timeout.
# **NOTE** Size is measured in kilobytes.
#          Timeout is measured in seconds.
#SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -c -s 128 -t 30"

# per http://www.gentoo.org/doc/en/virt-mail-howto.xml
SASLAUTHD_OPTS="${SASLAUTH_MECH} -a rimap -r"
SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -O localhost"
host ~ #

Any help--even just pointers as to where to look--would be greatly 
appreciated...if you need more info for diagnosis let me know.  And if 
I'm barking up the wrong tree and need to investigate my IMAP config (or 
something else entirely) instead, my apologies.

Thank you!

Best,
Dave
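
Added example, not part of the original post and not saslauthd's own code: a small probe that performs the kind of cleartext IMAP LOGIN that rimap relies on and reports what the server answers, so the greeting and the tagged reply can be compared with the imapd log lines quoted above. The tag A01, the function names and the exact command layout are assumptions; saslauthd's real wire format may differ in detail.

```python
import getpass
import socket

def imap_quote(s):
    """IMAP quoted string: escape backslash and double quote."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'

def login_command(user, password, realm="", tag="A01"):
    """LOGIN line; saslauthd -r rejoins user and realm as user@realm."""
    if realm:
        user = f"{user}@{realm}"
    return f"{tag} LOGIN {imap_quote(user)} {imap_quote(password)}\r\n"

def classify(greeting, reply, tag="A01"):
    """Turn the greeting and the tagged reply into a short diagnosis."""
    if not greeting.startswith("* OK"):
        return "bad-greeting"
    # Only catches servers that list capabilities in the greeting line.
    if "LOGINDISABLED" in greeting.upper():
        return "login-disabled"  # plaintext LOGIN is refused before TLS
    for line in reply.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == tag:
            return {"OK": "accepted", "NO": "rejected",
                    "BAD": "syntax-error"}.get(parts[1].upper(), "unknown")
    return "closed-before-reply" if not reply.strip() else "no-tagged-reply"

def probe(host, port, user, password, realm="", timeout=5.0):
    """Connect in cleartext and return (greeting, reply, verdict)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rwb")
        greeting = stream.readline().decode("utf-8", "replace")
        verdict = classify(greeting, "")
        if verdict != "closed-before-reply":  # bad greeting or LOGINDISABLED
            return greeting.strip(), "", verdict  # never send the password
        stream.write(login_command(user, password, realm).encode("utf-8"))
        stream.flush()
        reply = ""
        for raw in stream:  # read until the tagged line or EOF
            reply += raw.decode("utf-8", "replace")
            if raw.startswith(b"A01 "):
                break
        return greeting.strip(), reply.strip(), classify(greeting, reply)

if __name__ == "__main__":
    # Loopback only: the password crosses the socket unencrypted.
    user = input("user: ")
    print(probe("localhost", 143, user, getpass.getpass("password: ")))
```

Running it once with the bare user name and once with a realm shows whether the server's answer depends on the user@realm form that the -r option produces.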

