SASL and default domain
brian
cyrus-list at logi.ca
Sun Aug 19 19:39:08 EDT 2012
I'm having some trouble configuring SASL for a new server. Specifically,
it seems, with realms. I'm now at the point where imtest works with the
virtual domains but not with the default domain.
I'm using sasldb through auxprop. In the past I've always done:
saslpasswd2 -c username@DOMAIN.TLD
But in order to get SASL working with Postfix this time I had to specify
the realm with -u and use a bare account name:
saslpasswd2 -c -u DEFAULT.TLD username
saslpasswd2 -c -u VDOMAIN1.TLD username
etc
After days of struggle, I've got Postfix responding well when testing
via telnet. The base64 hash was created with:
perl -MMIME::Base64 -e 'print encode_base64("\000user\@DOMAIN.TLD\000password");'
I mention all that because it seems as if realms are the issue. Or it
was before and I suppose that's been resolved. Now it's just the default
domain that's giving me problems. It's been days and days now and I'm so
close that I'm reluctant to fiddle any more because I know that the
chances are good that I'll make things worse (as I've probably
repeatedly done already). I'd appreciate it if someone could suggest
something to save the rest of my hair.
FWIW, this server has no DNS records pointing to it yet. My goal is to
get Postfix & Cyrus working to the point where I can use imapsync, then
deal with DNS. This is what I've done in the past.
(And imapsync is working now with the virtual domains.)
$ hostname -f
poseidon.DEFAULT.TLD
$ imtest -v -m plain -a user@DEFAULT.TLD localhost
S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS AUTH=PLAIN
AUTH=LOGIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR] poseidon Cyrus IMAP
v2.4.12-Debian-2.4.12-2 server ready
Please enter your password:
C: A01 AUTHENTICATE PLAIN xxxxxxxxxxxxxxxxxxxxxxxx
S: A01 NO authentication failure
Authentication failed. generic failure
Security strength factor: 0
The log says:
cyrus/imap[12036]: badlogin: localhost [::1] PLAIN [SASL(-13): user not found: Password verification failed]
But sasldblistusers2 says otherwise. Again, it's only the accounts under
the default domain that are failing. If I separate out the realm with
-a user -r DEFAULT.TLD, I get the same error in the log saying the user
wasn't found.
-----
/etc/imapd.conf:
loginrealms: DEFAULT.TLD VDOMAIN1.TLD VDOMAIN2.tld
virtdomains: userid
defaultdomain: DEFAULT.TLD # also tried this empty
allowplaintext: yes
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: sasldb
sasl_mech_list: PLAIN LOGIN DIGEST-MD5 CRAM-MD5
sasl_auto_transition: no
configdirectory: /var/lib/cyrus
proc_path: /run/cyrus/proc
mboxname_lockpath: /run/cyrus/lock
defaultpartition: default
partition-default: /var/spool/cyrus/mail
partition-news: /var/spool/cyrus/news
newsspool: /var/spool/news
altnamespace: no
unixhierarchysep: no
lmtp_downcase_rcpt: yes
admins: cyrus
imap_admins: cyrus
allowanonymouslogin: no
popminpoll: 1
autocreatequota: 0
umask: 077
sieveusehomedir: false
sievedir: /var/spool/sieve
hashimapspool: true
tls_cert_file: /etc/ssl/certs/smtpd.crt
tls_key_file: /etc/ssl/private/smtpd.key
tls_ca_file: /etc/ssl/certs/cacert.pem
tls_ca_path: /etc/ssl/certs
tls_session_timeout: 1440
tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH
lmtpsocket: /var/run/cyrus/socket/lmtp
idlesocket: /var/run/cyrus/socket/idle
notifysocket: /var/run/cyrus/socket/notify
syslog_prefix: cyrus
-----
$ cat /etc/group | grep sasl
sasl:x:45:smmta,smmsp,cyrus,postfix
$ ls -l /etc/sasldb2
-rw-r----- 1 root sasl 12288 Aug 17 20:22 /etc/sasldb2
-----
/usr/lib/sasl2/saslpasswd.conf:
#auto_transition: true
pwcheck_method: auxprop
auxprop_plugin: sasldb
allowanonymouslogin: 0
allowplaintext: 1
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
-----
I have Cyrus 2.4 installed:
cyrus-admin-2.4 2.4.12-2
cyrus-clients-2.4 2.4.12-2
cyrus-common 2.4.12-2
cyrus-common-2.4 2.4.12-2
cyrus-imapd-2.2 2.4.12-2
cyrus-imapd-2.4 2.4.12-2
libcyrus-imap-perl24 2.4.12-2
-----
saslfinger - postfix Cyrus sasl configuration Sun Aug 19 17:47:11 EDT 2012
version: 1.0.4
mode: server-side SMTP AUTH
-- basics --
Postfix: 2.9.3
System: Ubuntu 12.04 LTS \n \l
-- smtpd is linked to --
libsasl2.so.2 => /usr/lib/x86_64-linux-gnu/libsasl2.so.2
(0x00007f5b2ed2a000)
-- active SMTP AUTH and TLS parameters for smtpd --
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
-- listing of /usr/lib/sasl2 --
total 28
drwxr-xr-x 2 root root 4096 Aug 17 16:16 .
drwxr-xr-x 53 root root 12288 Jul 26 20:51 ..
-rw-r--r-- 1 root root 1 May 4 00:15 berkeley_db.txt
-rw-r----- 1 root root 698 Aug 17 16:16 saslpasswd.conf
-rw-r----- 1 smmta smmsp 885 Jul 24 15:07 Sendmail.conf
-- listing of /etc/postfix/sasl --
total 12
drwxr-xr-x 2 root root 4096 Aug 17 15:34 .
drwxr-xr-x 3 root root 4096 Aug 17 15:41 ..
-rw-r--r-- 1 root root 125 Aug 17 15:34 smtpd.conf
-- content of /etc/postfix/sasl/smtpd.conf --
log_level: 2
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: plain login DIGEST-MD5 CRAM-MD5
allow_plaintext: true
-- active services in /etc/postfix/master.cf --
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
smtp inet n - - - - smtpd
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
relay unix - - - - - smtp
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail
($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender
$recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}
-- mechanisms on localhost --
250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5
250-AUTH=PLAIN LOGIN DIGEST-MD5 CRAM-MD5
-- end of saslfinger output --
Postfix is chrooted but I'm using /etc/sasldb2, which is copied to the
chroot when Postfix is started.
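One detail worth having in hand when chasing a problem like the one described above: the SASL PLAIN mechanism (RFC 4616) carries exactly three NUL-separated fields, authzid, authcid and password, and no realm field at all. A realm therefore either travels inside the authcid as user@REALM or is supplied by the server as a default, which is why the form of the name you hand to saslpasswd2 (-u REALM user versus a bare user@REALM) and the form that ends up on the wire have to agree with what sasldblistusers2 prints. The helper below is an added example and not code from the post, from Cyrus SASL or from Postfix. It builds and decodes the base64 blob that `AUTHENTICATE PLAIN` / `AUTH PLAIN` carry and works out the user@realm entry the server would need to find. The split at the last `@` and the fall-back to a default realm (the hostname, `poseidon.DEFAULT.TLD`, taken from the post) are a stated simplification of Cyrus SASL's canonicalisation, not its actual code.

```python
"""Build and decode SASL PLAIN (RFC 4616) initial responses.

Added example for debugging realm mismatches. PLAIN carries three
NUL-separated fields: authzid, authcid, password. There is no realm
field, so a realm either rides inside authcid (user@REALM) or is the
server's default.
"""
import base64


def build_plain(authcid, password, authzid=""):
    """Return base64(authzid NUL authcid NUL password).

    Unlike the MIME::Base64 one-liner, no trailing newline is appended,
    so the result can be pasted directly after 'AUTH PLAIN'.
    """
    for name, value in (("authzid", authzid), ("authcid", authcid),
                        ("password", password)):
        if "\x00" in value:
            raise ValueError(f"{name} must not contain NUL")
    raw = "\x00".join((authzid, authcid, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_plain(blob):
    """Decode a PLAIN blob into its three fields; tolerate a trailing newline."""
    raw = base64.b64decode(blob.strip(), validate=True)
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise ValueError(
            f"PLAIN needs exactly 3 NUL-separated fields, got {len(parts)}")
    authzid, authcid, password = (p.decode("utf-8") for p in parts)
    return {"authzid": authzid, "authcid": authcid, "password": password}


def sasldb_key(authcid, default_realm):
    """Return the 'user@realm' form to compare with sasldblistusers2 output.

    Assumption (a simplification of Cyrus SASL canonicalisation): if
    authcid contains '@', everything after the last '@' is the realm;
    otherwise the server's default realm (normally the hostname) applies.
    """
    if "@" in authcid:
        user, realm = authcid.rsplit("@", 1)
    else:
        user, realm = authcid, default_realm
    return f"{user}@{realm}"


def describe(blob, default_realm):
    """Decode a captured blob and report which sasldb entry it would need."""
    fields = decode_plain(blob)
    return sasldb_key(fields["authcid"], default_realm)


if __name__ == "__main__":
    host = "poseidon.DEFAULT.TLD"  # 'hostname -f' from the post
    # Constructed sample logins: the two forms tried in the post.
    for authcid in ("user@DEFAULT.TLD", "user"):
        blob = build_plain(authcid, "password")
        print(f"{authcid:18s} -> {blob}  needs entry {describe(blob, host)}")
```

Running the block shows that a bare `user` authcid sent over PLAIN can only ever be matched against the server's default realm, so an entry created with `-u DEFAULT.TLD user` is reachable only when the server's default realm is DEFAULT.TLD and not the full hostname; sending `user@DEFAULT.TLD` as the authcid pins the realm on the wire instead. Paste a blob captured from `AUTHENTICATE PLAIN` into `describe()` to see which sasldb entry that particular login is looking for.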