On Tue, Jul 02, 2024 at 05:15:28PM -0400, John R. Levine via Postfix-users wrote:

> I've put a few dummy user entries in /etc/sasldb2 and set up the saslauthd
> service, which for now I'm running in debug mode. When I try sending a test
> query the daemon gets it and replies:

Have you posted "postconf -nf" and "postconf -Mf" output (with as-is
whitespace, including line-breaks)?

> # testsaslauthd -f /var/spool/postfix/var/run/saslauthd/mux -u aaa -r test.qy
> -p aaaa

The username here is "aaa", while in the (later, below) Postfix debug
logging the AUTH PLAIN data decodes to:

    ^@a...@test.qy^@aaaa

in which the username is "a...@test.qy". These are not the same.

Also, (though given the above, perhaps not your problem) what are the
permissions on the socket and leading path components? Using a shell
that supports csh-style brace expansion:

    # ls -ld /var/spool/postfix{,/var{,/run{,/saslauthd{,/mux}}}}

> But when I try to get postfix to authenticate, I cannot get it even to talk to
> the daemon.

What's the evidence that "saslauthd" is not used?

> $ gnutls-cli --no-ca-verification --crlf 172.16.157.132:465
> [ cert stuff skipped ]

We should perhaps add SASL-client support to posttls-finger(1). You
should not need "gnutls-cli" to test a Postfix server.

> - Simple Client Mode:
>
> 220 debian12.qy ESMTP Postfix (Debian/GNU)
> ehlo bob
> 250-debian12.qy
> 250-PIPELINING
> 250-SIZE 10240000
> 250-VRFY
> 250-ETRN
> 250-AUTH LOGIN PLAIN
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250-DSN
> 250-SMTPUTF8
> 250 CHUNKING
> auth plain AGFhYUB0ZXN0LnF5AGFhYWE=
> 535 5.7.8 Error: authentication failed: authentication failure

I gather you generated the "auth plain ..." yourself.
Note the above reported "authc" (authentication username) discrepancy,
this username comes with an "@<domain>" suffix:

    ^@a...@test.qy^@aaaa

> When I look at the logs, it gets the user name OK but can't authenticate
>
> Jul 02 11:47:20 debian12 postfix/submissions/smtpd[9563]: connect from
> unknown[172.16.157.1]
> Jul 02 11:47:32 debian12 postfix/submissions/smtpd[9563]: warning: SASL
> authentication failure: Password verification failed
> Jul 02 11:47:32 debian12 postfix/submissions/smtpd[9563]: warning:
> unknown[172.16.157.1]: SASL plain authentication failed: authentication
> failure,
> sasl_username=a...@test.qy

Wrong username.

> In main.cf it has the debian default config, and I added this:
>
> smtp_sasl_type = cyrus
> smtpd_sasl_path = smtpd
> cyrus_sasl_config_path = /usr/lib/sasl2

IIRC (unless recently fixed), Debian systems patch Postfix in a manner
that effectively ignores cyrus_sasl_config_path, and uses some hard-coded
directory instead.

> Per the instructions in the postfix SASL page and the Cyrus SASL doc
> page I put this both in /etc/sasl2/smtpd.conf

Perhaps that's the hard-coded location I don't recall ATM.

> and in /usr/lib/sasl2/smtpd.conf since it's not clear which postfix
> prefers:
>
> pwcheck_method: saslauthd
> mech_list: PLAIN LOGIN

Were it not for Debian's flawed patch, the directory should be as
specified in main.cf, but once Postfix is modified, the warranty is void
and you have to ask the Debian maintainers... :-)

> The default location for the saslauthd socket is /var/run/saslauthd
> but postfix is chrooted

For that, it would be helpful to have at least (whichever matches
master.cf on your system):

    $ postconf -Mf submissions/inet
    $ postconf -Mf smtps/inet
    $ postconf -Mf 465/inet

if not the complete "postconf -Mf" output.

--
    Viktor.
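
An added example, not part of the original message and not Postfix or Cyrus SASL code: a small decoder for the "auth plain" string quoted above, which splits the RFC 4616 PLAIN response into its three fields and compares the login name with the -u/-r values given to testsaslauthd. The function names are hypothetical; the comparison is purely literal and assumes nothing about how the server-side library hands the name to saslauthd.

```python
import base64
import binascii


def decode_auth_plain(b64: str):
    """Decode an RFC 4616 PLAIN response: authzid NUL authcid NUL passwd."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not valid base64: {exc}") from None
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise ValueError(f"expected 3 NUL-separated fields, got {len(parts)}")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    if not authcid or not passwd:
        raise ValueError("authcid and passwd must be non-empty")
    return authzid, authcid, passwd


def compare_login(authcid: str, test_user: str, test_realm: str):
    """Literal comparison of the SMTP login name with testsaslauthd -u/-r."""
    local, sep, domain = authcid.rpartition("@")
    if not sep:  # no "@<domain>" suffix in the login name
        local, domain = authcid, ""
    return {
        "login_equals_test_user": authcid == test_user,
        "login_local_part": local,
        "login_domain": domain,
        # True when the login only matches once split at "@"
        "same_after_split": (local, domain) == (test_user, test_realm),
    }


if __name__ == "__main__":
    # String taken from the quoted SMTP session; -u/-r from the quoted
    # testsaslauthd command line.
    authzid, authcid, passwd = decode_auth_plain("AGFhYUB0ZXN0LnF5AGFhYWE=")
    print(f"authzid={authzid!r} authcid={authcid!r} passwd={'*' * len(passwd)}")
    for key, value in compare_login(authcid, "aaa", "test.qy").items():
        print(f"{key}: {value}")
```
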