Hello, all.

I am having a problem getting postfix to authenticate users with Cyrus-SASL's 'auxprop' method and the 'sasldb2' internal user database. The system in question is a freshly-installed CentOS 5.2 server with Cyrus-SASL version 2.1.22.4 (installed from RPM), and Postfix version 2.3.3, release 2.1.el5_2 (also the latest RPM). I have carefully followed the following directions, from chapters 15 and 16 of "The Book of Postfix"...

Step 1 - Create the Postfix application config file for SASL:
=============================================
[EMAIL PROTECTED] ~]# ll /etc/sasl2/smtpd.conf
-rw-r----- 1 root postfix 103 Nov 19 10:58 /etc/sasl2/smtpd.conf

[EMAIL PROTECTED] ~]# cat /etc/sasl2/smtpd.conf
log_level: 3
pwcheck_method: auxprop
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
auxprop_plugin: sasldb
=============================================
As you can see, the file is readable by postfix, and directs postfix to use SASL's internal database of users.


Step 2 - Create a test user in the database, and make sure postfix can read the database file:
=============================================
[EMAIL PROTECTED] ~]# postconf -h myhostname
emailrelay.mydomain.org

[EMAIL PROTECTED] ~]# echo 'testpass' | saslpasswd2 -pc -u `postconf -h myhostname` relay
[EMAIL PROTECTED] ~]# sasldblistusers2
relay@emailrelay.mydomain.org: userPassword

[EMAIL PROTECTED] ~]# chmod 0640 /etc/sasldb2 ; chgrp postfix /etc/sasldb2

[EMAIL PROTECTED] ~]# ls -l /etc/sasldb2
-rw-r----- 1 root postfix 12288 Nov 19 13:04 /etc/sasldb2

[EMAIL PROTECTED] ~]# sudo -u postfix sasldblistusers2
relay@emailrelay.mydomain.org: userPassword
=============================================
Here you can see that the domain is the fully-qualified hostname. The user name is "relay", and the (temporary) password is "testpass". The database file can be read by postfix. The last command actually runs as the postfix user, and lists the users in the file.


Step 3 - Test the authentication through SASL tools only. In one terminal, I run the following:
=============================================
[EMAIL PROTECTED] etc]# sasl2-sample-server -s rcmd -p 8000
trying 10, 1, 6
trying 2, 1, 6
bind: Address already in use
=============================================
I don't know why the "Address already in use" appears. In fact, the server binds to port 8000 just fine, as verified by the following test, using the SASL sample client:
=============================================
[EMAIL PROTECTED] ~]# sasl2-sample-client -s rcmd -p 8000 -m PLAIN localhost
receiving capability list... recv: {31}
LOGIN CRAM-MD5 DIGEST-MD5 PLAIN
LOGIN CRAM-MD5 DIGEST-MD5 PLAIN
please enter an authentication id: relay
please enter an authorization id: relay
Password:      [ here I type "testpass" ]
send: {5}
PLAIN
send: {1}
Y
send: {20}
relay[0]relay[0]testpass
successful authentication
closing connection
=============================================
This test is clearly succeeding. On the server terminal, I also see the supplied password echoed back:
=============================================
accepted new connection
send: {31}
LOGIN CRAM-MD5 DIGEST-MD5 PLAIN
recv: {5}
PLAIN
recv: {1}
Y
recv: {20}
relay[0]relay[0]testpass
successful authentication 'relay'
closing connection
=============================================
So, it seems that I have created my credentials correctly, and SASL is happy. On to Postfix configuration...


Step 4 - Configure Postfix to allow relaying based on SASL authentication. After editing the main.cf file, I run the following commands to verify the correct settings:
=============================================
[EMAIL PROTECTED] ~]# postconf -h smtpd_sasl_auth_enable smtpd_sasl_local_domain
yes
emailrelay.mydomain.org

[EMAIL PROTECTED] ~]# postconf -h smtpd_recipient_restrictions
permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination

[EMAIL PROTECTED] ~]# postconf -h smtpd_sasl_security_options
noanonymous
=============================================
According to Chapter 16 of "The Book of Postfix", this looks correct.


Step 5 - Test server-side authentication using telnet. After setting the smtp server to verbose output in master.cf and restarting postfix, I first generate the Base64-encoded authentication string required by the protocol:
=============================================
[EMAIL PROTECTED] ~]# perl -MMIME::Base64 -e 'print encode_base64("relay\0relay\0testpass");'
cmVsYXkAcmVsYXkAdGVzdHBhc3M=
=============================================
Why must the username be supplied twice? I have no idea, but I guess it's part of the ESMTP specification. :-\ Anyway, next, I open a telnet session from the same system, and try authenticating. Here's the output of the session...
=============================================
[EMAIL PROTECTED] ~]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 emailrelay.mydomain.org ESMTP Postfix
EHLO client.mydomain.org
250-emailrelay.mydomain.org
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN CRAM-MD5 DIGEST-MD5 PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN cmVsYXkAcmVsYXkAdGVzdHBhc3M=
535 5.7.0 Error: authentication failed: generic failure
=============================================

Here's where a "generic failure" has occurred. Server output for the above session follows:
=============================================
Nov 19 13:45:32 emailrelay postfix/smtpd[4234]: connection established
Nov 19 13:45:32 emailrelay postfix/smtpd[4234]: master_notify: status 0
Nov 19 13:45:32 emailrelay postfix/smtpd[4234]: name_mask: resource
Nov 19 13:45:32 emailrelay postfix/smtpd[4234]: name_mask: software
Nov 19 13:45:32 emailrelay postfix/smtpd[4234]: xsasl_cyrus_server_create: SASL service=smtp, realm=emailrelay.mydomain.org
Nov 19 13:45:32 emailrelay postfix/smtpd[4234]: name_mask: noanonymous
Nov 19 13:45:32 emailrelay postfix/smtpd[4234]: connect from localhost[127.0.0.1]
Nov 19 13:45:32 emailrelay postfix/smtpd[4234]: match_list_match: localhost: no match
Nov 19 13:45:32 emailrelay postfix/smtpd[4234]: match_list_match: 127.0.0.1: no match
Nov 19 13:45:32 emailrelay postfix/smtpd[4234]: match_list_match: localhost: no match
Nov 19 13:45:32 emailrelay postfix/smtpd[4234]: match_list_match: 127.0.0.1: no match
Nov 19 13:45:32 emailrelay postfix/smtpd[4234]: match_hostname: localhost ~? 127.0.0.0/8
Nov 19 13:45:32 emailrelay postfix/smtpd[4234]: match_hostaddr: 127.0.0.1 ~? 127.0.0.0/8
Nov 19 13:45:32 emailrelay postfix/smtpd[4234]: > localhost[127.0.0.1]: 220 emailrelay.mydomain.org ESMTP Postfix
Nov 19 13:46:32 emailrelay postfix/smtpd[4234]: < localhost[127.0.0.1]: EHLO client.mydomain.org
Nov 19 13:46:32 emailrelay postfix/smtpd[4234]: > localhost[127.0.0.1]: 250-emailrelay.mydomain.org
Nov 19 13:46:32 emailrelay postfix/smtpd[4234]: > localhost[127.0.0.1]: 250-PIPELINING
Nov 19 13:46:32 emailrelay postfix/smtpd[4234]: > localhost[127.0.0.1]: 250-SIZE 10240000
Nov 19 13:46:32 emailrelay postfix/smtpd[4234]: > localhost[127.0.0.1]: 250-VRFY
Nov 19 13:46:32 emailrelay postfix/smtpd[4234]: > localhost[127.0.0.1]: 250-ETRN
Nov 19 13:46:32 emailrelay postfix/smtpd[4234]: match_list_match: localhost: no match
Nov 19 13:46:32 emailrelay postfix/smtpd[4234]: match_list_match: 127.0.0.1: no match
Nov 19 13:46:32 emailrelay postfix/smtpd[4234]: > localhost[127.0.0.1]: 250-AUTH LOGIN CRAM-MD5 DIGEST-MD5 PLAIN
Nov 19 13:46:32 emailrelay postfix/smtpd[4234]: > localhost[127.0.0.1]: 250-ENHANCEDSTATUSCODES
Nov 19 13:46:32 emailrelay postfix/smtpd[4234]: > localhost[127.0.0.1]: 250-8BITMIME
Nov 19 13:46:32 emailrelay postfix/smtpd[4234]: > localhost[127.0.0.1]: 250 DSN
Nov 19 13:47:36 emailrelay postfix/smtpd[4234]: < localhost[127.0.0.1]: AUTH PLAIN cmVsYXkAcmVsYXkAdGVzdHBhc3M=
Nov 19 13:47:36 emailrelay postfix/smtpd[4234]: xsasl_cyrus_server_first: sasl_method PLAIN, init_response cmVsYXkAcmVsYXkAdGVzdHBhc3M=
Nov 19 13:47:36 emailrelay postfix/smtpd[4234]: xsasl_cyrus_server_first: decoded initial response relay
Nov 19 13:47:36 emailrelay postfix/smtpd[4234]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
Nov 19 13:47:36 emailrelay postfix/smtpd[4234]: warning: SASL authentication failure: Password verification failed
Nov 19 13:47:36 emailrelay postfix/smtpd[4234]: warning: localhost[127.0.0.1]: SASL PLAIN authentication failed: generic failure
Nov 19 13:47:36 emailrelay postfix/smtpd[4234]: > localhost[127.0.0.1]: 535 5.7.0 Error: authentication failed: generic failure
=============================================

A couple of things strike me as odd with this output. First, why does it say "cannot connect to saslauthd server"? As shown above, my smtpd.conf clearly specifies "pwcheck_method: auxprop", NOT "pwcheck_method: saslauthd", so Postfix should not be trying to contact saslauthd at all. Perhaps the message "No such file or directory" indicates that the smtpd.conf file is not located in the correct place, or lacks the correct permissions? Here's a listing of the files I think are being accessed at this stage:
=============================================
[EMAIL PROTECTED] ~]# ls -l /etc/sasl2/smtpd.conf /etc/sasldb2
-rw-r----- 1 root postfix   103 Nov 19 10:58 /etc/sasl2/smtpd.conf
-rw-r----- 1 root postfix 12288 Nov 19 13:04 /etc/sasldb2
=============================================
Looks OK to me. If the database file itself is not located correctly, why does the SASL client test succeed? Just to be sure, I tried copying both of these files into /usr/lib/sasl2, to no effect. I tried running smtpd under 'strace' to see where it's looking for the files, but the process dies with the message "smtpd: fatal: do not run this command by hand". :-\


Second, why does the server report "decoded initial response relay"? Shouldn't it report both the username and password? Have I encoded the authentication string correctly? The Book of Postfix recommends decoding it again, just to be sure.
=============================================
[EMAIL PROTECTED] ~]# perl -MMIME::Base64 -e 'print decode_base64("cmVsYXkAcmVsYXkAdGVzdHBhc3M");'
relayrelaytestpass
=============================================
Again, looks fine.

So... after all that, I am at the final stage of this setup, but can't seem to make it work. Anyone have any ideas here? Any pointers or further debugging suggestions are gratefully accepted.

Thanks in advance,
- Ann
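An added example, not part of Ann's message, that works through the AUTH PLAIN string from Step 5: the SASL PLAIN initial response (RFC 4616) is "authzid NUL authcid NUL password", so the user name appears twice because the first copy is the authorization identity (who you want to act as) and the second is the authentication identity (the sasldb2 user whose password is checked); the authzid may be left empty. The code also shows why the verbose log prints only "relay" for the decoded response: a C-style %s print stops at the first NUL. Names and the empty-authzid sample are my own.

```python
import base64
from typing import NamedTuple


class PlainCredentials(NamedTuple):
    authzid: str   # authorization identity; empty means "same as authcid"
    authcid: str   # authentication identity, i.e. the sasldb2 user name
    passwd: str


def encode_plain(creds: PlainCredentials) -> str:
    """Build the base64 SASL PLAIN initial response: authzid NUL authcid NUL passwd."""
    for field in creds:
        # NUL is the field separator, so it can never be part of a field
        if "\0" in field:
            raise ValueError("NUL byte not allowed inside a PLAIN field")
    raw = f"{creds.authzid}\0{creds.authcid}\0{creds.passwd}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_plain(b64: str) -> PlainCredentials:
    """Inverse of encode_plain; rejects responses without exactly three NUL-separated fields."""
    raw = base64.b64decode(b64, validate=True)   # validate=True also rejects bad padding
    parts = raw.split(b"\0")
    if len(parts) != 3:
        raise ValueError(f"expected 3 NUL-separated fields, got {len(parts)}")
    return PlainCredentials(*(p.decode("utf-8") for p in parts))


def as_c_string(b64: str) -> str:
    """What a %s-style log line shows for the decoded response: bytes up to the first NUL."""
    raw = base64.b64decode(b64, validate=True)
    return raw.split(b"\0", 1)[0].decode("utf-8")


if __name__ == "__main__":
    # constructed sample matching the credentials used in the post
    token = encode_plain(PlainCredentials("relay", "relay", "testpass"))
    print(token)                          # cmVsYXkAcmVsYXkAdGVzdHBhc3M=
    print(decode_plain(token))            # all three fields survive the round trip
    print(repr(as_c_string(token)))       # 'relay', as seen in the smtpd debug log
```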

