Hi p...@rick
Thank you very much indeed for your prompt reply.
In the meantime, I found out the following:
1. Postfix definitely reads /usr/lib/sasldb2/smtpd.conf, as you said.
I found that out by making changes to the mech_list in this file and then:
[myu...@clienthost ~]$ telnet myhost.lan 25
Trying 192.168.97.166...
Connected to myhost.lan.
Escape character is '^]'.
220 myhost.ayni.com ESMTP Postfix
EHLO clienthost.lan
250-myhost.ayni.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
^[^]
telnet> quit
Connection closed.
[myu...@clienthost ~]$
2. If in /usr/lib/sasldb2/smtpd.conf I mentioned a mech requiring a
shared secret (the client certainly required this one), Postfix
continued to complain that /etc/sasldb2 was not there, even though I had
requested
pwcheck_method: saslauthd
in /usr/lib/sasldb2/smtpd.conf:
Sep 21 12:19:43 myhost postfix/smtpd[9448]: connect from lunix.ayni.com[1xx.1xx.243.162]
Sep 21 12:19:44 myhost postfix/smtpd[9448]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
Sep 21 12:19:44 myhost postfix/smtpd[9448]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
Sep 21 12:19:44 myhost postfix/smtpd[9448]: warning: SASL authentication failure: no secret in database
Sep 21 12:19:44 myhost postfix/smtpd[9448]: warning: lunix.ayni.com[1xx.1xx.243.162]: SASL CRAM-MD5 authentication failed: authentication failure
Sep 21 12:19:44 myhost postfix/smtpd[9448]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
Sep 21 12:19:44 myhost postfix/smtpd[9448]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
Sep 21 12:19:45 myhost postfix/smtpd[9448]: 202B415004B: client=lunix.ayni.com[1xx.1xx.243.162], sasl_method=PLAIN, sasl_username=saslu...@postfix
3. If, however, no mech requiring a shared secret was mentioned (again in
/usr/lib/sasldb2/smtpd.conf) and the client requested PLAIN
authentication, I am not sure whether Postfix contacted the LDAP server,
because in the log of the LDAP server I could not find a hint of that.
So Postfix may keep a cache of its authentication requests, which is
maintained even across Postfix restarts.
4. My idea would have been to keep to mechs requiring a shared secret
(preferably DIGEST-MD5) and to have {PLAINTEXT} passwords in the LDAP
server, as you said.
But all in all, this does not seem possible, because as soon as the
client requests a mech with a shared secret, Postfix requests the
/etc/sasldb2 database.
suomi
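The reason a shared-secret mechanism and saslauthd do not mix, worked through on both sides of the exchange. This is an added example for this thread, not code from Postfix, Cyrus SASL or any of the participants; the user, password, hostname and the in-memory secret store are constructed, and the RFC 2195 example exchange is used as a known-answer check.

```python
"""
CRAM-MD5 (RFC 2195) on both sides: what the client sends, what the server
needs in order to check it, and why a saslauthd-style "is this
username/password pair valid?" oracle cannot check it at all.

Added example for this thread; not Postfix or Cyrus SASL code.
Credentials, hostname and the secret store below are constructed.
"""
import base64
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, List, Optional


def make_challenge(hostname: str, nonce: Optional[int] = None,
                   timestamp: Optional[int] = None) -> bytes:
    """Server side: an RFC 2195 challenge of the form <random.time@host>."""
    nonce = int.from_bytes(os.urandom(4), "big") if nonce is None else nonce
    timestamp = int(time.time()) if timestamp is None else timestamp
    return f"<{nonce}.{timestamp}@{hostname}>".encode()


def client_response(username: str, password: str, challenge: bytes) -> bytes:
    """Client side: 'username HEX(HMAC-MD5(key=password, msg=challenge))'.
    The password itself never appears on the wire."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}".encode()


def verify_with_plaintext_secret(response: bytes, challenge: bytes,
                                 secrets: Dict[str, str]) -> bool:
    """Server side, auxprop style (sasldb2 or ldapdb): fetch the user's
    plaintext password and recompute the HMAC. Without that password there
    is nothing to compare against ("no secret in database")."""
    try:
        username, digest = response.decode().split(" ", 1)
    except ValueError:
        return False
    password = secrets.get(username)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def verify_via_saslauthd(response: bytes,
                         check_pair: Callable[[str, str], bool]) -> bool:
    """Server side, saslauthd style. saslauthd answers exactly one question:
    is this (username, password) pair valid? From a CRAM-MD5 response the
    server can recover the username but never the password, so the only
    thing it could hand over is the digest, which no backend will accept."""
    try:
        username, digest = response.decode().split(" ", 1)
    except ValueError:
        return False
    return check_pair(username, digest)


def smtp_wire_exchange(hostname: str, username: str, password: str,
                       nonce: Optional[int] = None,
                       timestamp: Optional[int] = None) -> List[str]:
    """The two lines of an 'AUTH CRAM-MD5' exchange as seen on an SMTP
    session: the 334 challenge and the client's base64 reply."""
    challenge = make_challenge(hostname, nonce, timestamp)
    response = client_response(username, password, challenge)
    return ["334 " + base64.b64encode(challenge).decode(),
            base64.b64encode(response).decode()]


def rfc2195_known_answer() -> bool:
    """RFC 2195's own example: user 'tim', shared secret 'tanstaaftanstaaf'."""
    challenge = b"<1896.697170952@postoffice.reston.mci.net>"
    return client_response("tim", "tanstaaftanstaaf", challenge) == \
        b"tim b913a602c7eda7a495b4e6e7334d3890"


if __name__ == "__main__":
    secrets = {"myuser": "secret"}              # constructed plaintext store
    challenge = make_challenge("myhost.ayni.com")
    response = client_response("myuser", "secret", challenge)
    print("auxprop-style verify  :", verify_with_plaintext_secret(response, challenge, secrets))
    print("saslauthd-style verify:",
          verify_via_saslauthd(response, lambda u, p: secrets.get(u) == p))
    print("\n".join(smtp_wire_exchange("myhost.ayni.com", "myuser", "secret")))
```

Run it and the auxprop-style check succeeds while the saslauthd-style check fails for the very same response. That is the situation behind the "no secret in database" warnings above: a CRAM-MD5 or DIGEST-MD5 verifier has to read the plaintext secret from somewhere (sasldb2, or LDAP through the ldapdb auxprop plugin), and pwcheck_method: saslauthd does not change that, because saslauthd is never handed anything it could check.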
Patrick Ben Koetter wrote:
* Patrick Ben Koetter <p...@state-of-mind.de>:
* suomi <post...@ayni.com>:
Hi listers,
I just can't make Postfix change from sasl2 auxprop to sasl2 saslauthd
(with LDAP). Postfix never reads /usr/lib/sasl/smtpd.conf.
Postfix on Fedora will not look for smtpd.conf in /usr/lib/sasl/.
It will either search in /usr/lib/sasl2/ or in /etc/sasl2/. The latter is the
right way[tm] to do it.
On second thought:
Your test log shows that your mail client attempts to use CRAM-MD5 as the
authentication mechanism. CRAM-MD5 is a shared secret mechanism and saslauthd
cannot handle this group of mechanisms.
Solution
a. Reduce your mech_list in smtpd.conf to "plain login" only.
Then you should require TLS before clients may use these plaintext
mechanisms, because passwords will be transmitted in plaintext.
b. Use a different password check method to access your LDAP server, i.e. the
Cyrus SASL ldapdb plugin. This allows for shared secret mechanisms, but
requires you to store passwords in plaintext (required by shared secret
mechanisms) in your LDAP database backend.
p...@rick
p...@rick
postfix-2.5.6-3.fc11.i586
[r...@myhost ~]# postconf -n
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
anvil_rate_time_unit = 60s
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter =
daemon_directory = /usr/libexec/postfix
data_directory = /data/postfix/cache
debug_peer_level = 2
defer_transports =
disable_dns_lookups = no
header_checks = pcre:/etc/postfix/discardthem,
pcre:/etc/postfix/header_checks
html_directory = no
inet_protocols = all
local_recipient_maps = proxy:ldap:/etc/postfix/ldap-alias.cf
mail_owner = postfix
mailbox_command =
mailbox_transport =
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions = root
mime_header_checks = pcre:/etc/postfix/mime_header_checks
mydestination = localhost.$mydomain
mydomain = $myhostname
myhostname = myhost.mydomain.com
mynetworks = 192.168.97.0/24, 1xx.1xx.243.160/27
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /data/postfix/queues
readme_directory = /usr/share/doc/postfix-2.5.6/README_FILES
relay_domains = permit_sasl_authenticated, permit_mynetworks
relayhost =
sample_directory = /usr/share/doc/postfix-2.5.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_client_connection_count_limit = 5
smtpd_client_connection_rate_limit = 22
smtpd_client_event_limit_exceptions = $mynetworks
smtpd_client_recipient_rate_limit = 100
smtpd_client_restrictions = permit_sasl_authenticated,
hash:/etc/postfix/whitelist, hash:/etc/postfix/access
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, check_helo_access
hash:/etc/postfix/helo_checks, reject_invalid_hostname
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination,
check_recipient_access hash:/etc/postfix/check_recipients,
check_recipient_access hash:/etc/postfix/access, reject_rbl_client
mail-abuse.org, reject_rbl_client sbl-xbl.spamhaus.org,
reject_rbl_client blackholes.easynet.nl, reject_rbl_client
cbl.abuseat.org, reject_rhsbl_client mail-abuse.org,
reject_rhsbl_client sbl-xbl.spamhaus.org, reject_rhsbl_client
blackholes.easynet.nl, reject_rhsbl_client cbl.abuseat.org
check_recipient_access ldap:/etc/postfix/ldap-spamfilter.cf,
permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = postfix
smtpd_sender_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_unknown_sender_domain,
hash:/etc/postfix/whitelist, check_sender_access
hash:/etc/postfix/access, reject_rhsbl_sender dsn.rfc-ignorant.org
strict_rfc821_envelopes = no
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = proxy:ldap:/etc/postfix/ldap-alias.cf
virtual_gid_maps = static:89
virtual_mailbox_base = /data/postfix/maildrop/
virtual_mailbox_domains = proxy:ldap:/etc/postfix/ldap-domain.cf
virtual_mailbox_maps = proxy:ldap:/etc/postfix/ldap-mailbox.cf
virtual_minimum_uid = 51
virtual_transport = virtual
virtual_uid_maps = static:89
[r...@myhost ~]#
The actual /usr/lib/sasl2/smtpd.conf reads like:
pwcheck_method: saslauthd
mech_list: plain login cram-md5 digest-md5
There is another similar file in /usr/lib/sasl/smtpd.conf, which reads like:
pwcheck_method: saslauthd
mech_list: plain login
saslauthd_version: 2
I also checked to see whether there is another smtpd.conf file in
/etc/postfix/sasl (there is a hint to that in
http://www.postfix.org/SASL_README.html): there is none.
I must have restarted Postfix about seven times since the moment I
changed /usr/lib/sasl2/smtpd.conf.
But when I send a message from a client to this smtpd host, I get the
following in /var/log/maillog:
Sep 21 08:58:07 myhost postfix/smtpd[7240]: connect from lunix.mydomain.com[1xx.1xx.243.162]
Sep 21 08:58:07 myhost postfix/smtpd[7240]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
Sep 21 08:58:07 myhost postfix/smtpd[7240]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
Sep 21 08:58:07 myhost postfix/smtpd[7240]: warning: SASL authentication failure: no secret in database
Sep 21 08:58:07 myhost postfix/smtpd[7240]: warning: lunix.mydomain.com[1xx.1xx.243.162]: SASL CRAM-MD5 authentication failed: authentication failure
Sep 21 08:58:08 myhost postfix/smtpd[7240]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
Sep 21 08:58:08 myhost postfix/smtpd[7240]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
Sep 21 08:58:08 myhost postfix/smtpd[7240]: 4AA8015004B: client=lunix.mydomain.com[1xx.1xx.243.162], sasl_method=PLAIN, sasl_username=myu...@postfix
Sep 21 08:58:08 myhost postfix/cleanup[7243]: 4AA8015004B: message-id=<4ab723ff.70...@mydomain.com>
This is because I moved /etc/sasldb2 away in order to prevent Postfix
from reading it.
That means Postfix doesn't care a damn about contacting saslauthd. It
continues to read /etc/sasldb2. It should have contacted saslauthd in
any case, i.e. if it had read either smtpd.conf.
[r...@myhost /usr]# saslauthd -v
saslauthd 2.1.22
authentication mechanisms: getpwent kerberos4 kerberos5 pam rimap shadow ldap
[r...@myhost /usr]#
[r...@myhost /usr]# ps xa |grep saslauthd
6935 ? Ss 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a ldap
6936 ? S 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a ldap
6938 ? S 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a ldap
6939 ? S 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a ldap
6940 ? S 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a ldap
7497 pts/0 R+ 0:00 grep saslauthd
[r...@myhost /usr]#
I did extensive tests to check the proper functioning of saslauthd using
testsaslauthd:
[r...@myhost /usr]# testsaslauthd -u myuser -p secret
0: OK "Success."
[r...@myhost /usr]#
What did I miss?
suomi
--
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.
saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
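The telnet test earlier in this thread reads the EHLO reply by eye; the following does the same thing programmatically and also makes Patrick's point (a) checkable: whether password-bearing mechanisms are offered on a cleartext connection at all. This is an added example for this thread, not code from Postfix, Cyrus SASL or any participant. The first sample reply is constructed to mirror the telnet output in the thread; the second is a constructed reply from a server that withholds AUTH until STARTTLS has been negotiated.

```python
"""
Parse an SMTP EHLO reply and report what it offers for AUTH:
which mechanisms, which of them carry the password itself, and whether
STARTTLS is available before any of that is used.

Added example for this thread; not Postfix or Cyrus SASL code.
The sample replies and the probe hostname are constructed.
"""
import socket
from typing import Dict, List

# Mechanisms that put the password itself on the wire.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}
# Challenge/response mechanisms: nothing reusable on the wire, but the server
# must hold the plaintext secret to verify them (sasldb2/ldapdb, not saslauthd).
SHARED_SECRET_MECHS = {"CRAM-MD5", "DIGEST-MD5", "SCRAM-SHA-1", "SCRAM-SHA-256"}

# Constructed: the cleartext EHLO reply shown in the thread.
SAMPLE_EHLO_CLEAR = """250-myhost.ayni.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""

# Constructed: a server that offers STARTTLS and no AUTH until TLS is up.
SAMPLE_EHLO_TLS_ONLY = """250-myhost.ayni.com
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""


def parse_ehlo(reply: str) -> Dict[str, List[str]]:
    """Map each EHLO keyword to its parameters (uppercased).
    The first line carries the server hostname, not a capability. Postfix
    with broken_sasl_auth_clients=yes also emits '250-AUTH=LOGIN PLAIN';
    that legacy form is folded into AUTH."""
    caps: Dict[str, List[str]] = {}
    lines = [ln.rstrip("\r") for ln in reply.split("\n") if ln.strip()]
    for ln in lines[1:]:
        if len(ln) < 4 or not ln.startswith("250") or ln[3] not in "- ":
            raise ValueError(f"unexpected EHLO line: {ln!r}")
        keyword, *params = ln[4:].split()
        keyword = keyword.upper()
        if keyword.startswith("AUTH="):
            params = [keyword[5:]] + params
            keyword = "AUTH"
        caps.setdefault(keyword, []).extend(p.upper() for p in params)
    return caps


def auth_report(caps: Dict[str, List[str]]) -> Dict[str, object]:
    """Summarise the AUTH offer of a reply taken on a cleartext connection."""
    mechs = set(caps.get("AUTH", []))
    return {
        "mechs": sorted(mechs),
        "plaintext": sorted(mechs & PLAINTEXT_MECHS),
        "shared_secret": sorted(mechs & SHARED_SECRET_MECHS),
        "starttls": "STARTTLS" in caps,
        # A password-bearing mechanism offered before any TLS is negotiated.
        "plaintext_auth_in_clear": bool(mechs & PLAINTEXT_MECHS),
    }


def fetch_ehlo(host: str, port: int = 25, helo: str = "probe.example",
               timeout: float = 10.0) -> str:
    """Live version: connect, send EHLO, return the raw multi-line reply."""
    def read_reply(f) -> str:
        out = []
        while True:
            line = f.readline().decode(errors="replace")
            if not line:
                raise ConnectionError("connection closed by server")
            out.append(line)
            if len(line) >= 4 and line[3] == " ":   # '250 ' ends the reply
                return "".join(out)
    with socket.create_connection((host, port), timeout=timeout) as s, \
            s.makefile("rb") as f:
        read_reply(f)                                # 220 banner
        s.sendall(f"EHLO {helo}\r\n".encode())
        reply = read_reply(f)
        s.sendall(b"QUIT\r\n")
    return reply


if __name__ == "__main__":
    for label, sample in (("thread", SAMPLE_EHLO_CLEAR), ("tls-only", SAMPLE_EHLO_TLS_ONLY)):
        print(label, auth_report(parse_ehlo(sample)))
```

Against the thread's reply the report flags LOGIN and PLAIN offered in the clear with no STARTTLS at all; that is the configuration Patrick's option (a) warns about. In Postfix the relevant knobs are the TLS settings plus smtpd_tls_auth_only = yes, which makes smtpd omit the AUTH line from the cleartext EHLO reply and only advertise it after STARTTLS, so the second sample is what the probe should see once that is in place.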