SASL and default domain
Dan White
dwhite at olp.net
Mon Aug 20 15:29:19 EDT 2012
On 08/19/12 19:39 -0400, brian wrote:
>I'm having some trouble configuring SASL for a new server. Specifically,
>it seems, with realms. I'm now at the point where imtest works with the
>virtual domains but not with the default domain.
>
>I'm using sasldb through auxprop. In the past I've always done:
>
>saslpasswd2 -c username@DOMAIN.TLD
Does imtest authentication work if you leave out the domain?
>But in order to get SASL working with Postfix this time I had to specify
>the realm with -u and use a bare account name:
>
>saslpasswd2 -c -u DEFAULT.TLD username
>saslpasswd2 -c -u VDOMAIN1.TLD username
>etc
Will your postfix users be logging in with a fully qualified username? If
so, consider forgoing a defaultdomain within imapd.conf.
>After days of struggle, I've got Postfix responding well when testing
>via telnet. The base64 hash was created with:
>
>perl -MMIME::Base64 -e 'print
>encode_base64("\000user\@DOMAIN.TLD\000password");'
Use 'smtptest' to test your postfix authentication.
>I mention all that because it seems as if realms are the issue. Or it
>was before and I suppose that's been resolved. Now it's just the default
>domain that's giving me problems. It's been days and days now and I'm so
>close that I'm reluctant to fiddle any more because I know that the
>chances are good that I'll make things worse (as I've probably
>repeatedly done already). I'd appreciate it if someone could suggest
>something to save the rest of my hair.
>
>FWIW, this server has no DNS records pointing to it yet. My goal is to
>get Postfix & Cyrus working to the point where I can use imapsync, then
>deal with DNS. This is what I've done in the past.
>
>(And imapsync is working now with the virtual domains.)
>
>
>$ hostname -f
>poseidon.DEFAULT.TLD
>
>$ imtest -v -m plain -a user@DEFAULT.TLD localhost
>S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS AUTH=PLAIN
>AUTH=LOGIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR] poseidon Cyrus IMAP
>v2.4.12-Debian-2.4.12-2 server ready
>Please enter your password:
>C: A01 AUTHENTICATE PLAIN xxxxxxxxxxxxxxxxxxxxxxxx
>S: A01 NO authentication failure
>Authentication failed. generic failure
>Security strength factor: 0
>
>
>The log says:
>cyrus/imap[12036]: badlogin: localhost [::1] PLAIN [SASL(-13): user not
>found: Password verification failed]
>
>But sasldblistusers2 says otherwise. Again, it's only the accounts under
>the default domain that are failing. If I separate out the realm with -a
>user -r DEFAULT.TLD I get the same error in the log saying the user
>wasn't found.
>
>-----
>
>/etc/imapd.conf:
>
>loginrealms: DEFAULT.TLD VDOMAIN1.TLD VDOMAIN2.tld
>virtdomains: userid
>defaultdomain: DEFAULT.TLD # also tried this empty
Note that if you created any mailboxes (in the default domain) while this
option was empty, they will likely be inaccessible now. You may need to
recreate them. They should show up in your filesystem without any domain
reference. And vice versa.
>allowplaintext: yes
>sasl_pwcheck_method: auxprop
>sasl_auxprop_plugin: sasldb
>sasl_mech_list: PLAIN LOGIN DIGEST-MD5 CRAM-MD5
>sasl_auto_transition: no
>configdirectory: /var/lib/cyrus
>proc_path: /run/cyrus/proc
>mboxname_lockpath: /run/cyrus/lock
>defaultpartition: default
>partition-default: /var/spool/cyrus/mail
>partition-news: /var/spool/cyrus/news
>newsspool: /var/spool/news
>altnamespace: no
>unixhierarchysep: no
>lmtp_downcase_rcpt: yes
>admins: cyrus
>imap_admins: cyrus
>allowanonymouslogin: no
>popminpoll: 1
>autocreatequota: 0
>umask: 077
>sieveusehomedir: false
>sievedir: /var/spool/sieve
>hashimapspool: true
>tls_cert_file: /etc/ssl/certs/smtpd.crt
>tls_key_file: /etc/ssl/private/smtpd.key
>tls_ca_file: /etc/ssl/certs/cacert.pem
>tls_ca_path: /etc/ssl/certs
>tls_session_timeout: 1440
>tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH
>lmtpsocket: /var/run/cyrus/socket/lmtp
>idlesocket: /var/run/cyrus/socket/idle
>notifysocket: /var/run/cyrus/socket/notify
>syslog_prefix: cyrus
>
>-----
>
>$ cat /etc/group | grep sasl
>sasl:x:45:smmta,smmsp,cyrus,postfix
>
>$ ls -l /etc/sasldb2
>-rw-r----- 1 root sasl 12288 Aug 17 20:22 /etc/sasldb2
>
>-----
>
>/usr/lib/sasl2/saslpasswd.conf:
>
>#auto_transition: true
>pwcheck_method: auxprop
>auxprop_plugin: sasldb
>allowanonymouslogin: 0
>allowplaintext: 1
>mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
>
>-----
>
>I have Cyrus 2.4 installed:
>
>cyrus-admin-2.4 2.4.12-2
>cyrus-clients-2.4 2.4.12-2
>cyrus-common 2.4.12-2
>cyrus-common-2.4 2.4.12-2
>cyrus-imapd-2.2 2.4.12-2
>cyrus-imapd-2.4 2.4.12-2
>libcyrus-imap-perl24 2.4.12-2
>
>-----
>
>saslfinger - postfix Cyrus sasl configuration Sun Aug 19 17:47:11 EDT 2012
>version: 1.0.4
>mode: server-side SMTP AUTH
>
>-- basics --
>Postfix: 2.9.3
>System: Ubuntu 12.04 LTS \n \l
>
>-- smtpd is linked to --
> libsasl2.so.2 => /usr/lib/x86_64-linux-gnu/libsasl2.so.2
>(0x00007f5b2ed2a000)
>
>-- active SMTP AUTH and TLS parameters for smtpd --
>broken_sasl_auth_clients = yes
>smtpd_sasl_auth_enable = yes
>smtpd_sasl_local_domain =
>smtpd_sasl_security_options = noanonymous
>
>
>-- listing of /usr/lib/sasl2 --
>total 28
>drwxr-xr-x 2 root root 4096 Aug 17 16:16 .
>drwxr-xr-x 53 root root 12288 Jul 26 20:51 ..
>-rw-r--r-- 1 root root 1 May 4 00:15 berkeley_db.txt
>-rw-r----- 1 root root 698 Aug 17 16:16 saslpasswd.conf
>-rw-r----- 1 smmta smmsp 885 Jul 24 15:07 Sendmail.conf
>
>-- listing of /etc/postfix/sasl --
>total 12
>drwxr-xr-x 2 root root 4096 Aug 17 15:34 .
>drwxr-xr-x 3 root root 4096 Aug 17 15:41 ..
>-rw-r--r-- 1 root root 125 Aug 17 15:34 smtpd.conf
>
>-- content of /etc/postfix/sasl/smtpd.conf --
>log_level: 2
>pwcheck_method: auxprop
>auxprop_plugin: sasldb
>mech_list: plain login DIGEST-MD5 CRAM-MD5
>allow_plaintext: true
>
>
>-- active services in /etc/postfix/master.cf --
># service type private unpriv chroot wakeup maxproc command + args
># (yes) (yes) (yes) (never) (100)
>smtp inet n - - - - smtpd
>pickup fifo n - - 60 1 pickup
>cleanup unix n - - - 0 cleanup
>qmgr fifo n - n 300 1 qmgr
>tlsmgr unix - - - 1000? 1 tlsmgr
>rewrite unix - - - - - trivial-rewrite
>bounce unix - - - - 0 bounce
>defer unix - - - - 0 bounce
>trace unix - - - - 0 bounce
>verify unix - - - - 1 verify
>flush unix n - - 1000? 0 flush
>proxymap unix - - n - - proxymap
>proxywrite unix - - n - 1 proxymap
>smtp unix - - - - - smtp
>relay unix - - - - - smtp
>showq unix n - - - - showq
>error unix - - - - - error
>retry unix - - - - - error
>discard unix - - - - - discard
>local unix - n n - - local
>virtual unix - n n - - virtual
>lmtp unix - - - - - lmtp
>anvil unix - - - - 1 anvil
>scache unix - - - - 1 scache
>maildrop unix - n n - - pipe
> flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
>uucp unix - n n - - pipe
> flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail
>($recipient)
>ifmail unix - n n - - pipe
> flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
>bsmtp unix - n n - - pipe
> flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender
>$recipient
>scalemail-backend unix - n n - 2 pipe
> flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
>${nexthop} ${user} ${extension}
>mailman unix - n n - - pipe
> flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
> ${nexthop} ${user}
>
>-- mechanisms on localhost --
>250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5
>250-AUTH=PLAIN LOGIN DIGEST-MD5 CRAM-MD5
>
>-- end of saslfinger output --
>
>Postfix is chrooted but I'm using /etc/sasldb2, which is copied to the
>chroot when Postfix is started.
--
Dan White
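Added example (not from this thread or from Cyrus/Postfix): a small Python module that builds and parses the SASL PLAIN message the perl one-liner above produces (RFC 4616: authzid NUL authcid NUL password), and splits an authentication id into the user/realm pair a sasldb entry created with `saslpasswd2 -u REALM user` is keyed on. The `split_realm` helper assumes the realm is everything after the last `@`; it is a convenience for reading logs and entries, not a reproduction of Cyrus's own canonicalisation.

```python
import base64

def plain_initial_response(authcid, password, authzid=""):
    """Build the base64 blob sent after 'AUTH PLAIN' / 'AUTHENTICATE PLAIN'.
    Wire format (RFC 4616): [authzid] NUL authcid NUL password.
    Equivalent to: perl -MMIME::Base64 -e 'print encode_base64("\\000user\\000pass")'
    NUL may not appear inside any field, so we reject it up front."""
    for part in (authzid, authcid, password):
        if "\0" in part:
            raise ValueError("NUL is not allowed inside a PLAIN field")
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def parse_plain_initial_response(b64):
    """Decode an AUTH PLAIN blob back into (authzid, authcid, password).
    Raises ValueError if the blob is not valid base64 or does not contain
    exactly the three NUL-separated fields (a common mistake when hand-crafting
    the string is dropping the leading NUL for the empty authzid)."""
    raw = base64.b64decode(b64, validate=True)
    fields = raw.split(b"\0")
    if len(fields) != 3:
        raise ValueError(f"expected 3 NUL-separated fields, got {len(fields)}")
    return tuple(f.decode("utf-8") for f in fields)

def split_realm(authcid, default_realm=""):
    """Split 'user@REALM' into (user, realm), the pair a sasldb entry is keyed on
    (saslpasswd2 -u REALM user). A bare name falls back to default_realm.
    Assumption: the realm is whatever follows the last '@'."""
    if "@" in authcid:
        user, realm = authcid.rsplit("@", 1)
        return user, realm
    return authcid, default_realm

if __name__ == "__main__":
    # Constructed sample credentials, same shape as the thread's telnet test.
    blob = plain_initial_response("user@DOMAIN.TLD", "password")
    print("AUTH PLAIN", blob)
    print(parse_plain_initial_response(blob))
    print(split_realm("user@DEFAULT.TLD"), split_realm("username", "DEFAULT.TLD"))
```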