On Wed, 24.08.2005 at 20:40, Anne Ramey wrote:

> I just cannot seem to get my smtp auth working. I've read, and re-read
> the sasl_readme with no luck...I've followed those instructions. It
> appears that sasl is trying to use sasldb2 (which it's not supposed to,
> I'm trying to use pam). I'm running on fedora core 3. Someone on the
> postfix list replied and said I can't use pwcheck_method: saslauthd on
> FC3...is that true? I need to use pam/my passwd/shadow info for smtp
> auth, so if that is true, what is the work around? Many thanks.

It isn't true. Of course you can use saslauthd.

> [root@hedwig readme]# ps aux|grep sasl
> root 29058 0.0 0.0 19912 844 ? Ss 13:14 0:00
> /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
> root 29059 0.0 0.0 20984 1264 ? S 13:14 0:00
> /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
> root 29060 0.0 0.0 19912 844 ? S 13:14 0:00
> /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
> root 29061 0.0 0.0 19912 844 ? S 13:14 0:00
> /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
> root 29062 0.0 0.0 19912 844 ? S 13:14 0:00
> /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
> root 29295 0.0 0.0 42400 668 pts/4 R+ 13:59 0:00 grep sasl

Proper. PAM here means you let PAM call system accounts, I guess.

> [root@hedwig readme]# testsaslauthd -u anner -p mypass
> 0: OK "Success."

Looks good.

> [root@hedwig readme]# cat /usr/lib/sasl2/smtpd.conf
> pwcheck_method: saslauthd

If you don't offer MD5 mechs because of your auth backend, then exclude
them. Add

mech_list: plain login

to smtpd.conf.

> [root@hedwig readme]# postconf -n

[ ... ]

> permit_sasl_authenticated, reject
> smtpd_sasl_auth_enable = yes
> transport_maps = mysql:/etc/postfix/transport.cf
> unknown_local_recipient_reject_code = 550
> virtual_alias_maps = mysql:/etc/postfix/virtual.cf

You should add

smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes

Required is

smtpd_sasl_local_domain =

For use with saslauthd leave it empty.

> When I try and use it with a standard mail client I get:
> Aug 24 13:53:52 daredevil postfix/smtpd[29286]: connect from
> h27.83.213.151.ip.alltel.net[151.213.83.27]
> Aug 24 13:53:56 daredevil postfix/smtpd[29286]: warning: SASL
> authentication problem: unable to open Berkeley db /etc/sasldb2: No such
> file or directory

The client tries an MD5 mech as you offer it (see below). But as you use
PAM and probably system accounts you can't use MD5. So as I told you
above remove MD5 mechs.

> Aug 24 13:53:56 daredevil postfix/smtpd[29286]: warning: SASL
> authentication problem: unable to open Berkeley db /etc/sasldb2: No such
> file or directory
> Aug 24 13:53:56 daredevil postfix/smtpd[29286]: warning: SASL
> authentication failure: no secret in database
> Aug 24 13:53:56 daredevil postfix/smtpd[29286]: warning:
> h27.83.213.151.ip.alltel.net[151.213.83.27]: SASL CRAM-MD5
> authentication failed
> Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: SASL
> authentication problem: unable to open Berkeley db /etc/sasldb2: No such
> file or directory
> Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: SASL
> authentication problem: unable to open Berkeley db /etc/sasldb2: No such
> file or directory
> Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: SASL
> authentication failure: no secret in database
> Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning:
> h27.83.213.151.ip.alltel.net[151.213.83.27]: SASL NTLM authentication failed
> Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: SASL
> authentication problem: unable to open Berkeley db /etc/sasldb2: No such
> file or directory
> Aug 24 13:53:57 daredevil last message repeated 4 times
> Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: SASL
> authentication failure: Password verification failed

The client tries the mechs you offer but which are not valid from your
setup.

> Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning:
> h27.83.213.151.ip.alltel.net[151.213.83.27]: SASL PLAIN authentication
> failed
> Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: SASL
> authentication problem: unable to open Berkeley db /etc/sasldb2: No such
> file or directory
> Aug 24 13:53:57 daredevil last message repeated 5 times
> Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning:
> h27.83.213.151.ip.alltel.net[151.213.83.27]: SASL LOGIN authentication
> failed

PLAIN and LOGIN fail too.

> When I try through telnet, my telnet session looks like this:
> [anner:~] anner% telnet 66.45.100.233 25
> Trying 66.45.100.233...
> Connected to 66.45.100.233.
> Escape character is '^]'.
> 220 hedwig.blast.com ESMTP Postfix
> EHLO anner.blast.com
> 250-hedwig.blast.com
> 250-PIPELINING
> 250-SIZE 10240000
> 250-VRFY
> 250-ETRN
> 250-AUTH CRAM-MD5 GSSAPI NTLM PLAIN DIGEST-MD5 LOGIN
> 250 8BITMIME
> AUTH PLAIN myEncodedUser&Pass
> 535 Error: authentication failed

It would be more helpful if you would create a test account and show
real test data. That would show us which format your user has (realm or
not).

> [root@hedwig readme]# saslfinger -s
> saslfinger - postfix Cyrus sasl configuration Wed Aug 24 14:02:36 EDT 2005
> version: 0.9.9.1
> mode: server-side SMTP AUTH
>
> -- basics --
> Postfix: 2.2.5

Is that pasted or typed manually? The latest FC3 Postfix version is
postfix-2.1.5-5.i386.rpm.

> System: Fedora Core release 3 (Heidelberg)
>
> -- smtpd is linked to --
> libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x0000003c6db00000)
>
> -- active SMTP AUTH and TLS parameters for smtpd --
> smtpd_sasl_auth_enable = yes
>
>
> -- listing of /usr/lib/sasl --

That does not matter: this is SASL version 1(.5).

> -- listing of /usr/lib/sasl2 --
> total 3052
> drwxr-xr-x 2 root root 4096 Aug 24 09:47 .
> drwxr-xr-x 94 root root 65536 Aug 24 09:53 ..
> -rwxr-xr-x 1 root root 875 Oct 7 2004 libanonymous.la
> -rwxr-xr-x 1 root root 12820 Oct 7 2004 libanonymous.so
> -rwxr-xr-x 1 root root 12820 Oct 7 2004 libanonymous.so.2
> -rwxr-xr-x 1 root root 12820 Oct 7 2004 libanonymous.so.2.0.19
> -rwxr-xr-x 1 root root 863 Oct 7 2004 libcrammd5.la
> -rwxr-xr-x 1 root root 15216 Oct 7 2004 libcrammd5.so
> -rwxr-xr-x 1 root root 15216 Oct 7 2004 libcrammd5.so.2
> -rwxr-xr-x 1 root root 15216 Oct 7 2004 libcrammd5.so.2.0.19
>
> -rwxr-xr-x 1 root root 884 Oct 7 2004 libdigestmd5.la
> -rwxr-xr-x 1 root root 42964 Oct 7 2004 libdigestmd5.so
> -rwxr-xr-x 1 root root 42964 Oct 7 2004 libdigestmd5.so.2
> -rwxr-xr-x 1 root root 42964 Oct 7 2004 libdigestmd5.so.2.0.19
> -rwxr-xr-x 1 root root 911 Oct 7 2004 libgssapiv2.la
> -rwxr-xr-x 1 root root 22292 Oct 7 2004 libgssapiv2.so
> -rwxr-xr-x 1 root root 22292 Oct 7 2004 libgssapiv2.so.2
> -rwxr-xr-x 1 root root 22292 Oct 7 2004 libgssapiv2.so.2.0.19
> -rwxr-xr-x 1 root root 851 Oct 7 2004 liblogin.la
> -rwxr-xr-x 1 root root 13296 Oct 7 2004 liblogin.so
> -rwxr-xr-x 1 root root 13296 Oct 7 2004 liblogin.so.2
> -rwxr-xr-x 1 root root 13296 Oct 7 2004 liblogin.so.2.0.19
> -rwxr-xr-x 1 root root 854 Oct 7 2004 libntlm.la
> -rwxr-xr-x 1 root root 29104 Oct 7 2004 libntlm.so
> -rwxr-xr-x 1 root root 29104 Oct 7 2004 libntlm.so.2
> -rwxr-xr-x 1 root root 29104 Oct 7 2004 libntlm.so.2.0.19
> -rwxr-xr-x 1 root root 851 Oct 7 2004 libplain.la
> -rwxr-xr-x 1 root root 13360 Oct 7 2004 libplain.so
> -rwxr-xr-x 1 root root 13360 Oct 7 2004 libplain.so.2
> -rwxr-xr-x 1 root root 13360 Oct 7 2004 libplain.so.2.0.19
> -rwxr-xr-x 1 root root 931 Oct 7 2004 libsasldb.la
> -rwxr-xr-x 1 root root 784960 Oct 7 2004 libsasldb.so
> -rwxr-xr-x 1 root root 784960 Oct 7 2004 libsasldb.so.2
> -rwxr-xr-x 1 root root 784960 Oct 7 2004 libsasldb.so.2.0.19
> -rw-r--r-- 1 root root 26 Aug 24 09:46 smtpd.conf

The required libs are installed.

> -- content of /usr/lib/sasl/smtpd.conf --
> pwcheck_method: saslauthd
> saslauthd_version: 2

Again SASL version 1.

> -- mechanisms on localhost --
> 250-AUTH CRAM-MD5 GSSAPI NTLM PLAIN DIGEST-MD5 LOGIN

Do not offer auth mechs which aren't provided by your auth backend.

> -- end of saslfinger output --

> Anne

Alexander

--
Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp
Serendipity 22:01:02 up 2 days, 18:44, load average: 0.15, 0.10, 0.12
Attachment:
signature.asc
Description: This is a digitally signed message part
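
The mismatch diagnosed in this thread, a server advertising mechanisms that a saslauthd/PAM backend cannot verify, can be checked mechanically. The script below is an added example, not part of the original message or of Postfix/Cyrus SASL; its function names are this example's own, and the smtpd.conf content and EHLO reply are copied from the thread.

```python
import re

# Mechanisms that hand the server the cleartext password, which it can pass
# on to saslauthd (and from there to PAM). Everything else in the thread's
# EHLO reply needs a stored secret or a different backend.
PASSWORD_MECHS = ("PLAIN", "LOGIN")

def parse_sasl_conf(text):
    """Parse the 'key: value' lines of a Cyrus SASL smtpd.conf."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, _, value = line.partition(":")
            conf[key.strip().lower()] = value.strip()
    return conf

def offered_mechs(ehlo_reply):
    """Mechanisms from '250-AUTH ...' lines, including the 'AUTH=' form
    that broken_sasl_auth_clients = yes adds."""
    mechs = []
    for line in ehlo_reply.splitlines():
        m = re.match(r"250[- ]AUTH[ =](.+)", line.strip(), re.IGNORECASE)
        if m:
            for mech in m.group(1).upper().split():
                if mech not in mechs:
                    mechs.append(mech)
    return mechs

def audit(conf_text, ehlo_reply):
    """Return (unusable_mechs, suggested_mech_list) for a saslauthd backend."""
    conf = parse_sasl_conf(conf_text)
    offered = offered_mechs(ehlo_reply)
    if conf.get("pwcheck_method", "").lower() != "saslauthd":
        return [], None  # other backends (auxprop/sasldb) are out of scope
    unusable = [m for m in offered if m not in PASSWORD_MECHS]
    usable = [m for m in offered if m in PASSWORD_MECHS]
    return unusable, "mech_list: " + " ".join(m.lower() for m in usable)

# Input copied from the thread above: smtpd.conf and the EHLO reply.
SMTPD_CONF = "pwcheck_method: saslauthd\n"
EHLO_REPLY = """250-hedwig.blast.com
250-PIPELINING
250-AUTH CRAM-MD5 GSSAPI NTLM PLAIN DIGEST-MD5 LOGIN
250 8BITMIME"""

if __name__ == "__main__":
    unusable, suggestion = audit(SMTPD_CONF, EHLO_REPLY)
    print("offered but not verifiable via saslauthd:", ", ".join(unusable))
    print("smtpd.conf should contain:", suggestion)
```

Once only PLAIN and LOGIN remain, the password crosses the wire merely base64-encoded, so this setup is normally paired with TLS and Postfix's `smtpd_tls_auth_only = yes`.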