Re: sasl fails


 



On Wed, 24.08.2005 at 20:40, Anne Ramey wrote:

> I just cannot seem to get my smtp auth working.  I've read, and re-read 
> the sasl_readme with no luck...I've followed those instructions.  It 
> appears that sasl is trying to use sasldb2 (which it's not supposed to, 
> I'm trying to use pam).  I'm running on fedora core 3.  Someone on the 
> postfix list replied and said I can't use pwcheck_method: saslauthd on 
> FC3...is that true?  I need to use pam/my passwd/shadow info for smtp 
> auth, so if that is true, what is the work around?  Many thanks.

It isn't true. Of course you can use saslauthd.

> [root@hedwig readme]# ps aux|grep sasl
> root     29058  0.0  0.0 19912  844 ?        Ss   13:14   0:00 
> /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
> root     29059  0.0  0.0 20984 1264 ?        S    13:14   0:00 
> /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
> root     29060  0.0  0.0 19912  844 ?        S    13:14   0:00 
> /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
> root     29061  0.0  0.0 19912  844 ?        S    13:14   0:00 
> /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
> root     29062  0.0  0.0 19912  844 ?        S    13:14   0:00 
> /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
> root     29295  0.0  0.0 42400  668 pts/4    R+   13:59   0:00 grep sasl

Proper. PAM here means you let PAM call system accounts, I guess.

> [root@hedwig readme]# testsaslauthd -u anner -p mypass
> 0: OK "Success."

Looks good.

> [root@hedwig readme]# cat /usr/lib/sasl2/smtpd.conf
> pwcheck_method: saslauthd

If you don't offer MD5 mechs because of your auth backend, then exclude
them. Add

mech_list: plain login

to smtpd.conf.

> [root@hedwig readme]# postconf -n
[ ... ] 
> permit_sasl_authenticated, reject
> smtpd_sasl_auth_enable = yes
> transport_maps = mysql:/etc/postfix/transport.cf
> unknown_local_recipient_reject_code = 550
> virtual_alias_maps = mysql:/etc/postfix/virtual.cf

You should add

smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes

Required is

smtpd_sasl_local_domain =

For use with saslauthd leave it empty.

> When I try and use it with a standard mail client I get:
> Aug 24 13:53:52 daredevil postfix/smtpd[29286]: connect from 
> h27.83.213.151.ip.alltel.net[151.213.83.27]
> Aug 24 13:53:56 daredevil postfix/smtpd[29286]: warning: SASL 
> authentication problem: unable to open Berkeley db /etc/sasldb2: No such 
> file or directory

The client tries an MD5 mech as you offer it (see below). But as you use PAM
and probably system accounts, you can't use MD5. So, as I told you above, remove
the MD5 mechs.

> Aug 24 13:53:56 daredevil postfix/smtpd[29286]: warning: SASL 
> authentication problem: unable to open Berkeley db /etc/sasldb2: No such 
> file or directory
> Aug 24 13:53:56 daredevil postfix/smtpd[29286]: warning: SASL 
> authentication failure: no secret in database
> Aug 24 13:53:56 daredevil postfix/smtpd[29286]: warning: 
> h27.83.213.151.ip.alltel.net[151.213.83.27]: SASL CRAM-MD5 
> authentication failed
> Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: SASL 
> authentication problem: unable to open Berkeley db /etc/sasldb2: No such 
> file or directory
> Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: SASL 
> authentication problem: unable to open Berkeley db /etc/sasldb2: No such 
> file or directory
> Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: SASL 
> authentication failure: no secret in database
> Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: 
> h27.83.213.151.ip.alltel.net[151.213.83.27]: SASL NTLM authentication failed
> Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: SASL 
> authentication problem: unable to open Berkeley db /etc/sasldb2: No such 
> file or directory
> Aug 24 13:53:57 daredevil last message repeated 4 times
> Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: SASL 
> authentication failure: Password verification failed

The client tries the mechs you offer, but they are not valid for your setup.

> Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: 
> h27.83.213.151.ip.alltel.net[151.213.83.27]: SASL PLAIN authentication 
> failed
> Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: SASL 
> authentication problem: unable to open Berkeley db /etc/sasldb2: No such 
> file or directory
> Aug 24 13:53:57 daredevil last message repeated 5 times
> Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: 
> h27.83.213.151.ip.alltel.net[151.213.83.27]: SASL LOGIN authentication 
> failed

PLAIN and LOGIN fail too.

> When I try through telnet, my telnet session looks like this:
> [anner:~] anner% telnet 66.45.100.233 25
> Trying 66.45.100.233...
> Connected to 66.45.100.233.
> Escape character is '^]'.
> 220 hedwig.blast.com ESMTP Postfix
> EHLO anner.blast.com
> 250-hedwig.blast.com
> 250-PIPELINING
> 250-SIZE 10240000
> 250-VRFY
> 250-ETRN
> 250-AUTH CRAM-MD5 GSSAPI NTLM PLAIN DIGEST-MD5 LOGIN
> 250 8BITMIME
> AUTH PLAIN myEncodedUser&Pass
> 535 Error: authentication failed

It would be more helpful if you would create a test account and show real test data.
That would show us which format your user has (realm or not).

> [root@hedwig readme]# saslfinger -s
> saslfinger - postfix Cyrus sasl configuration Wed Aug 24 14:02:36 EDT 2005
> version: 0.9.9.1
> mode: server-side SMTP AUTH
> 
> -- basics --
> Postfix: 2.2.5

Is that pasted or typed manually? The latest FC3 Postfix version is postfix-2.1.5-5.i386.rpm.

> System: Fedora Core release 3 (Heidelberg)
> 
> -- smtpd is linked to --
>          libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x0000003c6db00000)
> 
> -- active SMTP AUTH and TLS parameters for smtpd --
> smtpd_sasl_auth_enable = yes
> 
> 
> -- listing of /usr/lib/sasl --

That does not matter: this is SASL version 1(.5).

> -- listing of /usr/lib/sasl2 --
> total 3052
> drwxr-xr-x   2 root root   4096 Aug 24 09:47 .
> drwxr-xr-x  94 root root  65536 Aug 24 09:53 ..
> -rwxr-xr-x   1 root root    875 Oct  7  2004 libanonymous.la
> -rwxr-xr-x   1 root root  12820 Oct  7  2004 libanonymous.so
> -rwxr-xr-x   1 root root  12820 Oct  7  2004 libanonymous.so.2
> -rwxr-xr-x   1 root root  12820 Oct  7  2004 libanonymous.so.2.0.19
> -rwxr-xr-x   1 root root    863 Oct  7  2004 libcrammd5.la
> -rwxr-xr-x   1 root root  15216 Oct  7  2004 libcrammd5.so
> -rwxr-xr-x   1 root root  15216 Oct  7  2004 libcrammd5.so.2
> -rwxr-xr-x   1 root root  15216 Oct  7  2004 libcrammd5.so.2.0.19
> 
> -rwxr-xr-x   1 root root    884 Oct  7  2004 libdigestmd5.la
> -rwxr-xr-x   1 root root  42964 Oct  7  2004 libdigestmd5.so
> -rwxr-xr-x   1 root root  42964 Oct  7  2004 libdigestmd5.so.2
> -rwxr-xr-x   1 root root  42964 Oct  7  2004 libdigestmd5.so.2.0.19
> -rwxr-xr-x   1 root root    911 Oct  7  2004 libgssapiv2.la
> -rwxr-xr-x   1 root root  22292 Oct  7  2004 libgssapiv2.so
> -rwxr-xr-x   1 root root  22292 Oct  7  2004 libgssapiv2.so.2
> -rwxr-xr-x   1 root root  22292 Oct  7  2004 libgssapiv2.so.2.0.19
> -rwxr-xr-x   1 root root    851 Oct  7  2004 liblogin.la
> -rwxr-xr-x   1 root root  13296 Oct  7  2004 liblogin.so
> -rwxr-xr-x   1 root root  13296 Oct  7  2004 liblogin.so.2
> -rwxr-xr-x   1 root root  13296 Oct  7  2004 liblogin.so.2.0.19
> -rwxr-xr-x   1 root root    854 Oct  7  2004 libntlm.la
> -rwxr-xr-x   1 root root  29104 Oct  7  2004 libntlm.so
> -rwxr-xr-x   1 root root  29104 Oct  7  2004 libntlm.so.2
> -rwxr-xr-x   1 root root  29104 Oct  7  2004 libntlm.so.2.0.19
> -rwxr-xr-x   1 root root    851 Oct  7  2004 libplain.la
> -rwxr-xr-x   1 root root  13360 Oct  7  2004 libplain.so
> -rwxr-xr-x   1 root root  13360 Oct  7  2004 libplain.so.2
> -rwxr-xr-x   1 root root  13360 Oct  7  2004 libplain.so.2.0.19
> -rwxr-xr-x   1 root root    931 Oct  7  2004 libsasldb.la
> -rwxr-xr-x   1 root root 784960 Oct  7  2004 libsasldb.so
> -rwxr-xr-x   1 root root 784960 Oct  7  2004 libsasldb.so.2
> -rwxr-xr-x   1 root root 784960 Oct  7  2004 libsasldb.so.2.0.19
> -rw-r--r--   1 root root     26 Aug 24 09:46 smtpd.conf

The required libs are installed.

> -- content of /usr/lib/sasl/smtpd.conf --
> pwcheck_method: saslauthd
> saslauthd_version: 2

Again SASL version 1.

> -- mechanisms on localhost --
> 250-AUTH CRAM-MD5 GSSAPI NTLM PLAIN DIGEST-MD5 LOGIN

Do not offer auth mechs which aren't provided by your auth backend.

> -- end of saslfinger output --

> Anne

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp 
Serendipity 22:01:02 up 2 days, 18:44, load average: 0.15, 0.10, 0.12 

Attachment: signature.asc
Description: This is a digitally signed message part
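
Added example, not part of the message above and not Postfix or Cyrus SASL code: a check that compares the mechanisms in an EHLO reply against what a saslauthd backend can verify, and splits an AUTH PLAIN token to show whether the user name carries a realm. The function names are hypothetical, the "after" reply and the test account are constructed, and it assumes saslauthd with PAM is the only backend, so every mechanism other than PLAIN and LOGIN (GSSAPI included) is reported.

```python
import base64

# Only these mechanisms give the server a cleartext password, which is
# what saslauthd needs in order to ask PAM.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

def offered_mechs(ehlo_reply):
    """Mechanisms from each '250-AUTH ...' or '250-AUTH=...' line."""
    mechs = []
    for line in ehlo_reply.splitlines():
        code, rest = line[:3], line[4:].strip()
        if code == "250" and rest.upper().startswith(("AUTH ", "AUTH=")):
            mechs += rest[5:].upper().split()
    return list(dict.fromkeys(mechs))  # de-duplicate, keep order

def parse_sasl_conf(text):
    """Parse the 'key: value' lines of smtpd.conf."""
    conf = {}
    for line in text.splitlines():
        if ":" in line and not line.lstrip().startswith("#"):
            key, value = line.split(":", 1)
            conf[key.strip()] = value.strip()
    return conf

def unverifiable_mechs(ehlo_reply, conf_text):
    """Advertised mechanisms that a saslauthd-only backend cannot check."""
    if parse_sasl_conf(conf_text).get("pwcheck_method") != "saslauthd":
        return []  # this check models the saslauthd backend only
    return [m for m in offered_mechs(ehlo_reply) if m not in PLAINTEXT_MECHS]

def plain_identity(token_b64):
    """Split an AUTH PLAIN token (authzid NUL authcid NUL password)
    and return (user, realm); the password is discarded."""
    _authzid, authcid, _password = base64.b64decode(token_b64).split(b"\0")
    user, _, realm = authcid.decode().partition("@")
    return user, realm

# EHLO reply from the telnet session above, and the fixed state (constructed).
EHLO_BEFORE = """250-hedwig.blast.com
250-AUTH CRAM-MD5 GSSAPI NTLM PLAIN DIGEST-MD5 LOGIN
250 8BITMIME"""
EHLO_AFTER = """250-hedwig.blast.com
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME"""
CONF = "pwcheck_method: saslauthd\nmech_list: plain login\n"
TOKEN = base64.b64encode(b"\0testuser\0testpass")  # constructed test account

if __name__ == "__main__":
    print("before:", unverifiable_mechs(EHLO_BEFORE, CONF))
    print("after: ", unverifiable_mechs(EHLO_AFTER, CONF))
    print("identity:", plain_identity(TOKEN))
```

The `250-AUTH=` line in the constructed "after" reply is the extra form Postfix advertises when broken_sasl_auth_clients = yes is set; the parser reads both forms.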

