-------- Original message --------
From: Patrick Ben Koetter <p...@state-of-mind.de>
To: postfix-users@postfix.org
Subject: Re: Postfix SASL didn't query saslauthd whereas smtp.conf is set
Date: Sun, 17 May 2009 22:02:00 +0200

* David Touzeau <da...@touzeau.eu>:
> I use SASL connected to ldap server through saslauthd daemon
> I don't understand why postfix try to query sasldb2 instead query
> saslauthd daemon in order to authenticate remote clients.

It's a fallback mechanism that kicks in when other authentication methods fail.

> clients authenticate SMTP session has u...@domain.tld user account
>
> if they send mail through Postfix there is an error
> warning: SASL authentication failure: no secret in database
> warning: SASL authentication failure: Password verification failed
> warning: ns203243.ovh.net[91.121.178.84]: SASL PLAIN authentication
> failed: authentication failure
>
> but if i add the user in sasldb2 :
>
> saslpasswd2 -f /etc/sasldb2 -u domain.tld user
>
> Postfix answer OK
> May 17 15:26:11 lagaffe postfix/smtpd[26276]: 376C4A43BB:
> client=ns203243.ovh.net[91.121.178.84], sasl_method=CRAM-MD5,
> sasl_username=u...@domain.tld

Right. This is where the fallback works. I guess you'd rather make it work at
once without fallback, right? ;)

> How to specify Postfix to query only the saslauthd daemon instead
> sasldb2 database ?
>
> here it is output of saslfinger
>
> mode: server-side SMTP AUTH
>
> -- basics --
> Postfix: 2.5.5
> System: Debian GNU/Linux 5.0 \n \l

Is your Postfix from a Debian package or did you build Postfix yourself?

> -- smtpd is linked to --
> libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7c87000)
>
> -- active SMTP AUTH and TLS parameters for smtpd --
> broken_sasl_auth_clients = yes
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_authenticated_header = yes
> smtpd_sasl_local_domain = cheramy.name
> smtpd_sasl_path = /etc/postfix/sasl/smtpd.conf

This is wrong. Make it this:

smtpd_sasl_path = smtpd

> smtpd_sasl_security_options = noanonymous
> smtpd_tls_CAfile = /etc/postfix/certificates/cacert.pem
> smtpd_tls_ask_ccert = no
> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
> smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
> smtpd_tls_received_header = yes
> smtpd_tls_req_ccert = no
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_database = btree:
> $queue_directory/smtpd_tls_cache
> smtpd_tls_session_cache_timeout = 3600s
> smtpd_use_tls = no
>
> -- listing of /etc/postfix/sasl --
> total 12
> drwxr-xr-x 2 root root 4096 mai 17 14:40 .
> drwxr-xr-x 5 root root 4096 mai 17 14:41 ..
> -rw-r--r-- 1 root root 99 mai 17 14:50 smtpd.conf
>
> -- content of /usr/lib/sasl2/smtpd.conf --

Postfix Debian packages search for Cyrus SASL config in /etc/postfix/sasl/.

> pwcheck_method: saslauthd
> mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
> minimum_layer: 0
> log_level: 5
>
> -- content of /etc/postfix/sasl/smtpd.conf --
> pwcheck_method: saslauthd
> mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5

saslauthd can only deal with PLAIN and LOGIN. Reduce the list:

mech_list: PLAIN LOGIN

Drop the rest

minimum_layer: 0
log_level: 5

> -- active services in /etc/postfix/master.cf --
> # service type private unpriv chroot wakeup maxproc command + args
> # (yes) (yes) (yes) (never) (100)
> smtp inet n - n - - smtpd

Fine for now. I believe fixing smtpd_sasl_path will fix your problem.

p...@rick

Dear Many Thanks Patrick this will fix the problem.
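
Added example, not part of the thread and not code from Postfix or Cyrus SASL: a small lint for the two settings the reply corrects (smtpd_sasl_path given as a file path, and a mech_list that offers mechanisms saslauthd cannot verify). The function names and sample inputs are constructed here from the values quoted above; flagging an absent mech_list goes one step beyond the thread and assumes that, without it, every installed mechanism is offered.

```python
# Added example: lint Postfix/Cyrus SASL settings for the two mistakes the
# reply points out. Sample inputs are constructed from values in the thread.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}  # what saslauthd can verify, per the reply

def parse_kv(text, sep):
    """Parse 'key <sep> value' lines, skipping blanks and comments."""
    pairs = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and sep in line:
            key, value = line.split(sep, 1)
            pairs[key.strip()] = value.strip()
    return pairs

def lint(postconf_text, sasl_conf_text):
    """Return a list of findings; an empty list means both checks pass."""
    main = parse_kv(postconf_text, "=")   # main.cf / `postconf -n` style
    sasl = parse_kv(sasl_conf_text, ":")  # Cyrus SASL smtpd.conf style
    findings = []
    path = main.get("smtpd_sasl_path", "smtpd")
    if "/" in path or path.endswith(".conf"):
        findings.append(f"smtpd_sasl_path = {path}: expected a bare name such as 'smtpd'")
    if sasl.get("pwcheck_method") == "saslauthd":
        mechs = set(sasl.get("mech_list", "").upper().split())
        if not mechs:
            findings.append("mech_list is not set: restrict it to PLAIN LOGIN")
        elif mechs - PLAINTEXT_MECHS:
            extra = " ".join(sorted(mechs - PLAINTEXT_MECHS))
            findings.append(f"mech_list offers {extra}: saslauthd cannot verify these")
    return findings

# Constructed samples: the settings as posted, and as corrected in the reply.
BEFORE_MAIN = "smtpd_sasl_auth_enable = yes\nsmtpd_sasl_path = /etc/postfix/sasl/smtpd.conf\n"
BEFORE_SASL = "pwcheck_method: saslauthd\nmech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5\n"
AFTER_MAIN = "smtpd_sasl_auth_enable = yes\nsmtpd_sasl_path = smtpd\n"
AFTER_SASL = "pwcheck_method: saslauthd\nmech_list: PLAIN LOGIN\n"

if __name__ == "__main__":
    for label, main_cf, sasl_cf in (("before", BEFORE_MAIN, BEFORE_SASL),
                                    ("after", AFTER_MAIN, AFTER_SASL)):
        print(label, lint(main_cf, sasl_cf) or "OK")
```

To check a live system, pass it the output of `postconf -n` and the contents of the smtpd.conf that Postfix actually reads.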