Re: sasl fails

Alexander Dalloz wrote:
On Wed, 24.08.2005 at 20:40, Anne Ramey wrote:


I just cannot seem to get my smtp auth working. I've read, and re-read the sasl_readme with no luck...I've followed those instructions. It appears that sasl is trying to use sasldb2 (which it's not supposed to, I'm trying to use pam). I'm running on fedora core 3. Someone on the postfix list replied and said I can't use pwcheck_method: saslauthd on FC3...is that true? I need to use pam/my passwd/shadow info for smtp auth, so if that is true, what is the work around? Many thanks.


It isn't true. Of course you can use saslauthd.

Thanks for replying...that's what I thought


[root@hedwig readme]# ps aux|grep sasl
root 29058 0.0 0.0 19912 844 ? Ss 13:14 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
root 29059 0.0 0.0 20984 1264 ? S 13:14 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
root 29060 0.0 0.0 19912 844 ? S 13:14 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
root 29061 0.0 0.0 19912 844 ? S 13:14 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
root 29062 0.0 0.0 19912 844 ? S 13:14 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
root     29295  0.0  0.0 42400  668 pts/4    R+   13:59   0:00 grep sasl


Proper. PAM here means you let PAM call system accounts, I guess.


[root@hedwig readme]# testsaslauthd -u anner -p mypass
0: OK "Success."


Looks good.


[root@hedwig readme]# cat /usr/lib/sasl2/smtpd.conf
pwcheck_method: saslauthd

If you don't offer MD5 mechs because of your auth backend, then exclude
them. Add

mech_list: plain login

to smtpd.conf.

I did, but it doesn't seem to have made any difference...
-- content of /usr/lib/sasl2/smtpd.conf --
pwcheck_method: saslauthd
mech_list: plain login

-- mechanisms on localhost --
250-AUTH CRAM-MD5 GSSAPI NTLM PLAIN DIGEST-MD5 LOGIN
250-AUTH=CRAM-MD5 GSSAPI NTLM PLAIN DIGEST-MD5 LOGIN

logs of an attempt:
Aug 24 16:45:34 daredevil postfix/smtpd[29695]: connect from h27.83.213.151.ip.alltel.net[151.213.83.27]
Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning: SASL authentication failure: no secret in database
Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning: h27.83.213.151.ip.alltel.net[151.213.83.27]: SASL CRAM-MD5 authentication failed
Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning: SASL authentication failure: no secret in database
Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning: h27.83.213.151.ip.alltel.net[151.213.83.27]: SASL NTLM authentication failed
Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
Aug 24 16:45:39 daredevil last message repeated 4 times
Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning: SASL authentication failure: Password verification failed
Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning: h27.83.213.151.ip.alltel.net[151.213.83.27]: SASL PLAIN authentication failed
Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
Aug 24 16:45:39 daredevil last message repeated 5 times
Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning: h27.83.213.151.ip.alltel.net[151.213.83.27]: SASL LOGIN authentication failed

Why would it be trying to open Berkeley db /etc/sasldb2--it should be using pam?



[root@hedwig readme]# postconf -n

[ ... ]
permit_sasl_authenticated, reject
smtpd_sasl_auth_enable = yes
transport_maps = mysql:/etc/postfix/transport.cf
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/virtual.cf


You should add

smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes

Required is

smtpd_sasl_local_domain =

For use with saslauthd leave it empty.

Had those first but removed them in testing. Now I have:
-- active SMTP AUTH and TLS parameters for smtpd --
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous



When I try and use it with a standard mail client I get:
Aug 24 13:53:52 daredevil postfix/smtpd[29286]: connect from h27.83.213.151.ip.alltel.net[151.213.83.27]
Aug 24 13:53:56 daredevil postfix/smtpd[29286]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory


The client tries an MD5 mech as you offer it (see below). But as you use PAM
and probably system accounts you can't use MD5. So as I told you above remove
MD5 mechs.


Aug 24 13:53:56 daredevil postfix/smtpd[29286]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
Aug 24 13:53:56 daredevil postfix/smtpd[29286]: warning: SASL authentication failure: no secret in database
Aug 24 13:53:56 daredevil postfix/smtpd[29286]: warning: h27.83.213.151.ip.alltel.net[151.213.83.27]: SASL CRAM-MD5 authentication failed
Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: SASL authentication failure: no secret in database
Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: h27.83.213.151.ip.alltel.net[151.213.83.27]: SASL NTLM authentication failed
Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
Aug 24 13:53:57 daredevil last message repeated 4 times
Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: SASL authentication failure: Password verification failed


The client tries the mechs you offer but which are not valid from your setup.


Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: h27.83.213.151.ip.alltel.net[151.213.83.27]: SASL PLAIN authentication failed
Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
Aug 24 13:53:57 daredevil last message repeated 5 times
Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: h27.83.213.151.ip.alltel.net[151.213.83.27]: SASL LOGIN authentication failed


PLAIN and LOGIN fail too.


When I try through telnet, my telnet session looks like this:
[anner:~] anner% telnet 66.45.100.233 25
Trying 66.45.100.233...
Connected to 66.45.100.233.
Escape character is '^]'.
220 hedwig.blast.com ESMTP Postfix
EHLO anner.blast.com
250-hedwig.blast.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH CRAM-MD5 GSSAPI NTLM PLAIN DIGEST-MD5 LOGIN
250 8BITMIME
AUTH PLAIN myEncodedUser&Pass
535 Error: authentication failed


It would be more helpful if you would create a test account and show real test data.
That would show us which format your user has (realm or not).


[root@hedwig readme]# saslfinger -s
saslfinger - postfix Cyrus sasl configuration Wed Aug 24 14:02:36 EDT 2005
version: 0.9.9.1
mode: server-side SMTP AUTH

-- basics --
Postfix: 2.2.5


It's pasted. I figured since I had to compile a new copy to include mysql and sasl support, I'd compile the most recent.

Is that pasted or typed manually? The latest FC3 Postfix version is postfix-2.1.5-5.i386.rpm.


System: Fedora Core release 3 (Heidelberg)

-- smtpd is linked to --
        libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x0000003c6db00000)

-- active SMTP AUTH and TLS parameters for smtpd --
smtpd_sasl_auth_enable = yes

[...]


-- end of saslfinger output --


Anne


Alexander



Anne
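
An added example, not part of the original messages: a Python check that compares the mech_list in smtpd.conf with the AUTH line smtpd actually advertises, and counts sasldb2 lookups in the maillog, including syslog "last message repeated" lines. The samples are constructed from the values quoted in the thread; the function names and the client name/address are assumptions.

```python
import re
from collections import Counter

# Constructed samples modelled on the thread (client name/address are placeholders).
SMTPD_CONF = "pwcheck_method: saslauthd\nmech_list: plain login\n"
EHLO_REPLY = """250-AUTH CRAM-MD5 GSSAPI NTLM PLAIN DIGEST-MD5 LOGIN
250-AUTH=CRAM-MD5 GSSAPI NTLM PLAIN DIGEST-MD5 LOGIN
250 8BITMIME"""
P = "Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning: "
DB = "SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory"
MAILLOG = "\n".join([
    P + "client.example[192.0.2.10]: SASL CRAM-MD5 authentication failed",
    P + DB,
    "Aug 24 16:45:39 daredevil last message repeated 4 times",
    P + "SASL authentication failure: Password verification failed",
    P + "client.example[192.0.2.10]: SASL PLAIN authentication failed",
])

def configured_mechs(conf_text):
    """mech_list from a Cyrus SASL smtpd.conf, upper-cased; empty set if unset."""
    for line in conf_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "mech_list":
            return {m.upper() for m in value.split()}
    return set()

def advertised_mechs(ehlo_text):
    """Mechanisms from the 250-AUTH / 250-AUTH= lines of an EHLO reply."""
    found = re.findall(r"^250[- ]AUTH[ =](.*)$", ehlo_text, re.M)
    return {m.upper() for line in found for m in line.split()}

def unexpected_mechs(conf_text, ehlo_text):
    """Advertised mechanisms that mech_list does not allow (edit not in effect)."""
    allowed = configured_mechs(conf_text)
    return sorted(advertised_mechs(ehlo_text) - allowed) if allowed else []

def summarize_log(log_text):
    """Failed attempts per mechanism and sasldb2 opens, expanding syslog repeats."""
    failed, db_hits, prev_db = Counter(), 0, False
    for line in log_text.splitlines():
        rep = re.search(r"last message repeated (\d+) times", line)
        if rep:
            db_hits += int(rep.group(1)) if prev_db else 0
            continue
        prev_db = "unable to open Berkeley db /etc/sasldb2" in line
        db_hits += prev_db
        failed.update(re.findall(r"SASL (\S+) authentication failed", line))
    return dict(failed), db_hits

print(unexpected_mechs(SMTPD_CONF, EHLO_REPLY), summarize_log(MAILLOG))
```

A non-empty first result means smtpd is still offering mechanisms that the edited smtpd.conf excludes, so the file being edited is not the configuration smtpd is running with.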

