Alexander Dalloz wrote:
On Wed, 24.08.2005, at 20:40, Anne Ramey wrote:
I just cannot seem to get my smtp auth working. I've read, and re-read
the sasl_readme with no luck...I've followed those instructions. It
appears that sasl is trying to use sasldb2 (which it's not supposed to,
I'm trying to use pam). I'm running on fedora core 3. Someone on the
postfix list replied and said I can't use pwcheck_method: saslauthd on
FC3...is that true? I need to use pam/my passwd/shadow info for smtp
auth, so if that is true, what is the work around? Many thanks.
It isn't true. Of course you can use saslauthd.
Thanks for replying...that's what I thought
[root@hedwig readme]# ps aux|grep sasl
root 29058 0.0 0.0 19912 844 ? Ss 13:14 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
root 29059 0.0 0.0 20984 1264 ? S 13:14 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
root 29060 0.0 0.0 19912 844 ? S 13:14 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
root 29061 0.0 0.0 19912 844 ? S 13:14 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
root 29062 0.0 0.0 19912 844 ? S 13:14 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
root 29295 0.0 0.0 42400 668 pts/4 R+ 13:59 0:00 grep sasl
Proper. PAM here means you let PAM call system accounts, I guess.
[root@hedwig readme]# testsaslauthd -u anner -p mypass
0: OK "Success."
Looks good.
[root@hedwig readme]# cat /usr/lib/sasl2/smtpd.conf
pwcheck_method: saslauthd
If you don't offer MD5 mechs because of your auth backend, then exclude
them. Add
mech_list: plain login
to smtpd.conf.
I did, but it doesn't seem to have made any difference...
-- content of /usr/lib/sasl2/smtpd.conf --
pwcheck_method: saslauthd
mech_list: plain login
-- mechanisms on localhost --
250-AUTH CRAM-MD5 GSSAPI NTLM PLAIN DIGEST-MD5 LOGIN
250-AUTH=CRAM-MD5 GSSAPI NTLM PLAIN DIGEST-MD5 LOGIN
logs of an attempt:
Aug 24 16:45:34 daredevil postfix/smtpd[29695]: connect from h27.83.213.151.ip.alltel.net[151.213.83.27]
Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning: SASL authentication failure: no secret in database
Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning: h27.83.213.151.ip.alltel.net[151.213.83.27]: SASL CRAM-MD5 authentication failed
Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning: SASL authentication failure: no secret in database
Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning: h27.83.213.151.ip.alltel.net[151.213.83.27]: SASL NTLM authentication failed
Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
Aug 24 16:45:39 daredevil last message repeated 4 times
Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning: SASL authentication failure: Password verification failed
Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning: h27.83.213.151.ip.alltel.net[151.213.83.27]: SASL PLAIN authentication failed
Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
Aug 24 16:45:39 daredevil last message repeated 5 times
Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning: h27.83.213.151.ip.alltel.net[151.213.83.27]: SASL LOGIN authentication failed
Why would it be trying to open Berkeley db /etc/sasldb2--it should be
using pam?
[root@hedwig readme]# postconf -n
[ ... ]
permit_sasl_authenticated, reject
smtpd_sasl_auth_enable = yes
transport_maps = mysql:/etc/postfix/transport.cf
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/virtual.cf
You should add
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
Required is
smtpd_sasl_local_domain =
For use with saslauthd leave it empty.
Had those first but removed them in testing. Now I have:
-- active SMTP AUTH and TLS parameters for smtpd --
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
When I try and use it with a standard mail client I get:
Aug 24 13:53:52 daredevil postfix/smtpd[29286]: connect from h27.83.213.151.ip.alltel.net[151.213.83.27]
Aug 24 13:53:56 daredevil postfix/smtpd[29286]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
The client tries an MD5 mech as you offer it (see below). But as you use PAM
and probably system accounts you can't use MD5. So as I told you above remove
MD5 mechs.
Aug 24 13:53:56 daredevil postfix/smtpd[29286]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
Aug 24 13:53:56 daredevil postfix/smtpd[29286]: warning: SASL authentication failure: no secret in database
Aug 24 13:53:56 daredevil postfix/smtpd[29286]: warning: h27.83.213.151.ip.alltel.net[151.213.83.27]: SASL CRAM-MD5 authentication failed
Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: SASL authentication failure: no secret in database
Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: h27.83.213.151.ip.alltel.net[151.213.83.27]: SASL NTLM authentication failed
Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
Aug 24 13:53:57 daredevil last message repeated 4 times
Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: SASL authentication failure: Password verification failed
The client tries the mechs you offer but which are not valid from your setup.
Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: h27.83.213.151.ip.alltel.net[151.213.83.27]: SASL PLAIN authentication failed
Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
Aug 24 13:53:57 daredevil last message repeated 5 times
Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: h27.83.213.151.ip.alltel.net[151.213.83.27]: SASL LOGIN authentication failed
PLAIN and LOGIN fail too.
When I try through telnet, my telnet session looks like this:
[anner:~] anner% telnet 66.45.100.233 25
Trying 66.45.100.233...
Connected to 66.45.100.233.
Escape character is '^]'.
220 hedwig.blast.com ESMTP Postfix
EHLO anner.blast.com
250-hedwig.blast.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH CRAM-MD5 GSSAPI NTLM PLAIN DIGEST-MD5 LOGIN
250 8BITMIME
AUTH PLAIN myEncodedUser&Pass
535 Error: authentication failed
It would be more helpful if you would create a test account and show real test data.
That would show us which format your user has (realm or not).
[root@hedwig readme]# saslfinger -s
saslfinger - postfix Cyrus sasl configuration Wed Aug 24 14:02:36 EDT 2005
version: 0.9.9.1
mode: server-side SMTP AUTH
-- basics --
Postfix: 2.2.5
It's pasted. I figured since I had to compile a new copy to include
mysql and sasl support, I'd compile the most recent.
Is that pasted or typed manually? The latest FC3 Postfix version is postfix-2.1.5-5.i386.rpm.
System: Fedora Core release 3 (Heidelberg)
-- smtpd is linked to --
libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x0000003c6db00000)
-- active SMTP AUTH and TLS parameters for smtpd --
smtpd_sasl_auth_enable = yes
[...]
-- end of saslfinger output --
Anne
Alexander
Anne
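
A check for the symptom reported in this message (mech_list: plain login is set, yet the server still advertises CRAM-MD5, NTLM and the rest), as an added example that is not part of the original thread. It compares the mechanisms in smtpd.conf with the advertised AUTH lines and lists which failed mechanisms fall outside mech_list; the function names and the log sample (constructed in the thread's format, with documentation addresses) are assumptions.

```python
import re

# Config and AUTH lines as posted in the thread; log lines constructed in the same format.
SMTPD_CONF = "pwcheck_method: saslauthd\nmech_list: plain login\n"
EHLO = """250-AUTH CRAM-MD5 GSSAPI NTLM PLAIN DIGEST-MD5 LOGIN
250-AUTH=CRAM-MD5 GSSAPI NTLM PLAIN DIGEST-MD5 LOGIN
250 8BITMIME"""
LOG = """Aug 24 16:45:39 mx postfix/smtpd[100]: warning: client.example[192.0.2.10]: SASL CRAM-MD5
authentication failed
Aug 24 16:45:39 mx postfix/smtpd[100]: warning: client.example[192.0.2.10]: SASL NTLM authentication failed
Aug 24 16:45:39 mx postfix/smtpd[100]: warning: SASL authentication failure: Password verification failed
Aug 24 16:45:39 mx postfix/smtpd[100]: warning: client.example[192.0.2.10]: SASL PLAIN authentication failed
Aug 24 16:45:39 mx postfix/smtpd[100]: warning: client.example[192.0.2.10]: SASL LOGIN authentication failed"""

def parse_mech_list(conf_text):
    # Return the mech_list entries of a Cyrus SASL application config, or None if unset.
    for line in conf_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "mech_list":
            return {m.upper() for m in value.split()}
    return None

def parse_advertised(ehlo_text):
    # Collect mechanisms from both "250-AUTH ..." and "250-AUTH=..." lines.
    mechs = set()
    for line in ehlo_text.splitlines():
        m = re.match(r"250[- ]AUTH[ =](.*)", line.strip())
        if m:
            mechs.update(x.upper() for x in m.group(1).split())
    return mechs

def failed_mechs(log_text):
    # \s+ tolerates log lines wrapped by a mail client; order of first appearance is kept.
    found = re.findall(r"SASL\s+(\S+)\s+authentication failed", log_text)
    return list(dict.fromkeys(found))

def check(conf_text, ehlo_text, log_text):
    allowed = parse_mech_list(conf_text)
    advertised = parse_advertised(ehlo_text)
    unexpected = sorted(advertised - allowed) if allowed is not None else []
    return {
        "unexpected_advertised": unexpected,
        "config_applied": allowed is not None and not unexpected,  # False if mech_list unset
        "failed_outside_mech_list": [m for m in failed_mechs(log_text) if allowed and m not in allowed],
    }

if __name__ == "__main__":
    print(check(SMTPD_CONF, EHLO, LOG))
```

A non-empty unexpected_advertised list means the mech_list edit is not reaching the running smtpd, which is the state the EHLO output in this thread shows.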