Hiya
this is the ongoing story after Steph put me on the right track with
my original prob :)
any help appreciated
---------- Forwarded message ----------
From: Bernhard Rohrer <bernhard.graylion at gmail.com>
Date: 2008/6/14
Subject: SASL authentication problem (postfix)
To: cyrus-sasl at lists.andrew.cmu.edu
Hi guys
I recently upgraded my mailserver from Ubuntu gutsy to hardy an
somehow SASL broke in the process:
I am using postfix with ldap for authentication and configuration. The
configuration part (aliases) works nicely, but when I try to submit to
port 587 which does an authentication via sasl/ldap I get:
mail.log shows this:
Jun 12 22:44:15 collab postfix/smtpd[10513]:
lionscage.local[192.168.1.8]: save session
C8DF006B81DC0C8FEE137BDFB39A09E8BEE013868C9B62E5B54A05F54A35A4C0&s=submissio$
Jun 12 22:44:15 collab postfix/tlsmgr[10428]: put smtpd session
id=C8DF006B81DC0C8FEE137BDFB39A09E8BEE013868C9B62E5B54A05F54A35A4C0&s=submission
[data 127 bytes]
Jun 12 22:44:15 collab postfix/tlsmgr[10428]: write smtpd TLS cache
entry C8DF006B81DC0C8FEE137BDFB39A09E8BEE013868C9B62E5B54A05F54A35A4C0&s=submission:
time=121330$
Jun 12 22:44:15 collab postfix/smtpd[10513]: Anonymous TLS connection
established from lionscage.local[192.168.1.8]: TLSv1 with cipher
DHE-RSA-AES256-SHA (256/256 b$
Jun 12 22:44:15 collab postfix/smtpd[10513]: warning: SASL
authentication failure: cannot connect to saslauthd server: Permission
denied
Jun 12 22:44:15 collab postfix/smtpd[10513]: warning: SASL
authentication failure: Password verification failed
Jun 12 22:44:15 collab postfix/smtpd[10513]: warning:
lionscage.local[192.168.1.8]: SASL PLAIN authentication failed:
generic failure
master.cf:
root at collab:/etc/postfix# cat master.cf
#
# Postfix master process configuration file. For details on the format
# of the file, see the Postfix master(5) manual page.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
smtp inet n - - - - smtpd
#submission inet n - - - - smtpd
# -o smtpd_etrn_restrictions=reject
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps inet n - - - - smtpd
# -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#submission inet n - - - - smtpd
# -o smtpd_etrn_restrictions=reject
# -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#628 inet n - - - - qmqpd
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - - 300 1 oqmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - - - - smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - - - - smtp
-o fallback_relay=
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - - - - showq
error unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
#maildrop unix - n n - - pipe
# flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}
policy unix - n n - - spawn
user=nobody argv=/usr/bin/perl /usr/share/perl5/Mail/postfix-policyd-spf.pl
#
# Before-filter SMTP server. Receive mail from the network and
# pass it to the content filter on localhost port 10025.
#
smtp inet n - n - - smtpd
-o smtpd_proxy_filter=127.0.0.1:10025
-o smtpd_client_connection_count_limit=20
-o content_filter=dksign:[127.0.0.1]:10027
#
# After-filter SMTP server. Receive mail from the content filter on
# localhost port 10026.
#
127.0.0.1:10026 inet n - n - - smtpd
-o smtpd_authorized_xforward_hosts=127.0.0.0/8
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=
-o mynetworks=127.0.0.0/8,192.168.0.0/16
-o receive_override_options=no_unknown_recipient_checks
#
# modify the default submission service to specify a content filter
# and restrict it to local clients and SASL authenticated clients only
#
submission inet n - n - - smtpd
-o smtpd_etrn_restrictions=reject
-o smtpd_sasl_auth_enable=yes
-o smtpd_enforce_tls=yes
# -o content_filter=dksign:[127.0.0.1]:10027
-o receive_override_options=no_address_mappings
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#
# specify the location of the DomainKeys signing filter
#
dksign unix - - n - 10 smtp
-o smtp_send_xforward_command=yes
-o smtp_discard_ehlo_keywords=8bitmime
#
# service for accepting messages FROM the DomainKeys signing filter
#
127.0.0.1:10028 inet n - n - 10 smtpd
-o content_filter=
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks=127.0.0.0/8,192.168.0.0/16
# -o smtpd_authorized_xforward_hosts=127.0.0.0/8
sublion inet n - n - - smtpd
-o smtpd_etrn_restrictions=reject
-o smtpd_sasl_auth_enable=yes
-o smtpd_enforce_tls=no
-o content_filter=dksign:[127.0.0.1]:10027
-o receive_override_options=no_address_mappings
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
retry unix - - - - - error
given that the new version of SASL works differently I have 2
instances running now, this is the one for postfix
root at collab:/etc/default# cat saslauthd-postfix
#
# Settings for saslauthd daemon
#
# Should saslauthd run automatically on startup? (default: no)
START=yes
# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam -- use PAM
# rimap -- use a remote IMAP server
# shadow -- use the local shadow password file
# sasldb -- use the local sasldb database file
# ldap -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="ldap"
# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""
# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5
# Other options (default: -c)
# See the saslauthd man page for information about these options.
#
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
# Note: See /usr/share/doc/sasl2-bin/README.Debian
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
NAME="saslauthd-postfix"
DESC="der fuer postfix"
root at collab:/etc/postfix/sasl# cat smtpd.conf
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd
mech_list: plain login
allow_plaintext: true
ldap_sasl: 1
ldap_servers: ldap://localhost/
ldap_base: dc=domain,dc=tld
ldap_group_base: ou=groups,dc=domain,dc=tld
ldap_group_filter: cn=%U
ldap_member_filter: dn=%U
ldap_group_scope: sub
ldap_member_method: filter
root at collab:/var/spool/postfix/var/run/saslauthd# ls -al
total 980
drwx--x--- 2 root sasl 4096 2008-06-12 22:20 .
drwxr-xr-x 3 root root 4096 2008-03-13 00:13 ..
-rw------- 1 root root 0 2008-06-12 22:20 cache.flock
-rw------- 1 root root 986112 2008-06-12 22:20 cache.mmap
srwxrwxrwx 1 root root 0 2008-06-12 22:20 mux
-rw------- 1 root root 0 2008-06-12 22:20 mux.accept
-rw------- 1 root root 6 2008-06-12 22:20 saslauthd.pid
I did the dpkg-statoverride --add root sasl 710
/var/spool/postfix/var/run/saslauthd
and to add insult to injury:
root at collab:# sudo -u postfix testsaslauthd -f
/var/spool/postfix/var/run/saslauthd/mux -u xxxxxxx -p xyz
0: OK "Success."
what am I missing?
this worked rather nicely before the upgrade from ubuntu gutsy to hardy
thanks
Bernhard
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
