Hi listers

On one hand this site uses SASL2 authentication to access the postfix SMTPD, i.e. for sending messages. On the other hand this site uses LDAP for all pam and mail parameters.

I wanted to combine both, i.e. take the SASL2 passwords from LDAP, because maintaining the SASL DB file /etc/sasldb2, limiting the access to it, was a bit tricky.

I first had to find out where postfix takes its SASL2 parameters from and found out that it is from the file /usr/lib/sasl2/smtpd.conf. The file so far had looked like:

    pwcheck_method: auxprop
    mech_list: plain login cram-md5 digest-md5
    saslauthd_version: 2

1. I changed the file to the following:

    pwcheck_method: saslauthd
    mech_list: plain login
    saslauthd_version: 2

and started the saslauthd. Everything went well, as I could check in the log of the respective LDAP server:

    Sep 24 09:18:09 myhost slapd[18821]: conn=2746 fd=41 ACCEPT from IP=[::1]:43716 (IP=[::]:389)
    Sep 24 09:18:09 myhost slapd[18821]: conn=2746 op=0 BIND dn="cn=myclient,ou=sasldb2,dc=mydomain,dc=com" method=128
    Sep 24 09:18:09 myhost slapd[18821]: conn=2746 op=0 BIND dn="cn=myclient,ou=sasldb2,dc=mydomain,dc=com" mech=SIMPLE ssf=0
    Sep 24 09:18:09 myhost slapd[18821]: conn=2746 op=0 RESULT tag=97 err=0 text=

The maillog said:

    Sep 24 09:18:09 myhost postfix/smtpd[9065]: 6C6F615004B: client=lunix.mydomain.com[1xx.1xx.243.162], sasl_method=PLAIN, sasl_username=mycli...@postfix

2. But then I wanted to re-use cram-md5 and digest-md5. I am aware that in the present state of the SASL2 library, this is only possible with {cleartext} passwords in the LDAP. So I changed the respective password to cleartext in the LDAP. I also changed /usr/lib/sasl2/smtpd.conf to the following:

    pwcheck_method: saslauthd
    mech_list: plain login cram-md5 digest-md5
    saslauthd_version: 2

In order to be sure that postfix did not inadvertently check passwords with the /etc/sasldb2 database, I moved this one away.

And from then on, trouble started: when I tried to send a message to the respective postfix server, I found in the postfix log:

    Sep 24 09:44:34 myhost postfix/smtpd[8709]: connect from lunix.mydomain.com[1xx.1xx.243.162]
    Sep 24 09:44:49 myhost postfix/smtpd[8709]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
    Sep 24 09:44:49 myhost postfix/smtpd[8709]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
    Sep 24 09:44:49 myhost postfix/smtpd[8709]: warning: SASL authentication failure: no secret in database
    Sep 24 09:44:49 myhost postfix/smtpd[8709]: warning: lunix.mydomain.com[1xx.1xx.243.162]: SASL CRAM-MD5 authentication failed: authentication failure
    Sep 24 09:44:49 myhost postfix/smtpd[8709]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
    Sep 24 09:44:49 myhost postfix/smtpd[8709]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
    Sep 24 09:44:49 myhost postfix/smtpd[8709]: warning: SASL authentication problem: unknown password verifier
    Sep 24 09:44:49 myhost postfix/smtpd[8709]: warning: SASL authentication failure: Password verification failed
    Sep 24 09:44:49 myhost postfix/smtpd[8709]: warning: lunix.mydomain.com[1xx.1xx.243.162]: SASL PLAIN authentication failed: no mechanism available
    Sep 24 09:44:49 myhost postfix/smtpd[8709]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
    Sep 24 09:44:49 myhost postfix/smtpd[8709]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
    Sep 24 09:44:49 myhost postfix/smtpd[8709]: warning: SASL authentication problem: unknown password verifier
    Sep 24 09:44:49 myhost postfix/smtpd[8709]: warning: lunix.mydomain.com[1xx.1xx.243.162]: SASL LOGIN authentication failed: no mechanism available
    Sep 24 09:45:50 myhost postfix/smtpd[8709]: lost connection after AUTH from lunix.mydomain.com[1xx.1xx.243.162]
    Sep 24 09:45:50 myhost postfix/smtpd[8709]: disconnect from lunix.mydomain.com[1xx.1xx.243.162]

That means postfix did not contact the saslauthd, but wanted to check the password against the /etc/sasldb2 database, which I had moved away. Even if you have plaintext passwords in the LDAP, postfix and sasl2 do not try to verify passwords against the LDAP server through saslauthd with this configuration.

I must have missed something. Does anybody of you see what I did wrong? Are digest-md5 and cram-md5 only possible with the /etc/sasldb2 database, i.e. with the auxprop plugin of SASL2?

suomi

postfix-2.5.6-3.fc11.i586

[r...@myhost ~]# postconf -n
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
anvil_rate_time_unit = 60s
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter =
daemon_directory = /usr/libexec/postfix
data_directory = /data/postfix/cache
debug_peer_level = 2
defer_transports =
disable_dns_lookups = no
header_checks = pcre:/etc/postfix/discardthem, pcre:/etc/postfix/header_checks
html_directory = no
inet_protocols = all
local_recipient_maps = proxy:ldap:/etc/postfix/ldap-alias.cf
mail_owner = postfix
mailbox_command =
mailbox_transport =
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions = root
mime_header_checks = pcre:/etc/postfix/mime_header_checks
mydestination = localhost.$mydomain
mydomain = $myhostname
myhostname = myhost.mydomain.com
mynetworks = 192.168.97.0/24, 1xx.1xx.243.160/27
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /data/postfix/queues
readme_directory = /usr/share/doc/postfix-2.5.6/README_FILES
relay_domains = permit_sasl_authenticated, permit_mynetworks
relayhost =
sample_directory = /usr/share/doc/postfix-2.5.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_client_connection_count_limit = 5
smtpd_client_connection_rate_limit = 22
smtpd_client_event_limit_exceptions = $mynetworks
smtpd_client_recipient_rate_limit = 090
smtpd_client_restrictions = permit_sasl_authenticated, hash:/etc/postfix/whitelist, hash:/etc/postfix/access
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, check_helo_access hash:/etc/postfix/helo_checks, reject_invalid_hostname
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access hash:/etc/postfix/check_recipients, check_recipient_access hash:/etc/postfix/access, reject_rbl_client mail-abuse.org, reject_rbl_client sbl-xbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl, reject_rbl_client cbl.abuseat.org, reject_rhsbl_client mail-abuse.org, reject_rhsbl_client sbl-xbl.spamhaus.org, reject_rhsbl_client blackholes.easynet.nl, reject_rhsbl_client cbl.abuseat.org check_recipient_access ldap:/etc/postfix/ldap-spamfilter.cf, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = postfix
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_sender_domain, hash:/etc/postfix/whitelist, check_sender_access hash:/etc/postfix/access, reject_rhsbl_sender dsn.rfc-ignorant.org
strict_rfc821_envelopes = no
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = proxy:ldap:/etc/postfix/ldap-alias.cf
virtual_gid_maps = static:89
virtual_mailbox_base = /data/postfix/maildrop/
virtual_mailbox_domains = proxy:ldap:/etc/postfix/ldap-domain.cf
virtual_mailbox_maps = proxy:ldap:/etc/postfix/ldap-mailbox.cf
virtual_minimum_uid = 51
virtual_transport = virtual
virtual_uid_maps = static:89
[r...@myhost ~]#
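The mismatch the post runs into, as an added illustration that is not from the post, Postfix or Cyrus SASL: a small Python check of the two smtpd.conf variants quoted above, plus the CRAM-MD5 exchange (RFC 2195) showing why a server verifying it must itself hold the cleartext secret (via an auxprop plugin) rather than ask saslauthd a yes/no question about a cleartext password. The user name, secret and challenge in the demo are constructed.

```python
import hashlib, hmac

# Constructed copies of the two /usr/lib/sasl2/smtpd.conf variants from the post.
CONF_PLAIN_ONLY = "pwcheck_method: saslauthd\nmech_list: plain login\nsaslauthd_version: 2\n"
CONF_WITH_MD5 = "pwcheck_method: saslauthd\nmech_list: plain login cram-md5 digest-md5\nsaslauthd_version: 2\n"

# Shared-secret mechanisms: the server needs the cleartext secret (sasldb, ldapdb or sql
# auxprop) to recompute the client's digest; saslauthd only verifies PLAIN/LOGIN passwords.
SHARED_SECRET_MECHS = {"cram-md5", "digest-md5"}

def parse_sasl_conf(text):
    """Parse the 'key: value' lines of a Cyrus SASL application config."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        conf[key.strip().lower()] = value.strip()
    return conf

def unverifiable_mechs(text):
    """Mechanisms in mech_list that the configured pwcheck_method cannot verify."""
    conf = parse_sasl_conf(text)
    mechs = set(conf.get("mech_list", "").lower().split())
    if conf.get("pwcheck_method", "auxprop").lower() == "saslauthd":
        return sorted(mechs & SHARED_SECRET_MECHS)
    return []

def cram_md5_response(username, password, challenge):
    """Client side of CRAM-MD5 (RFC 2195): username SP hex(HMAC-MD5(password, challenge))."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return f"{username} {digest}"

def verify_cram_md5(response, challenge, lookup_secret):
    """Server side: lookup_secret(user) must return the cleartext secret to recompute the digest."""
    username, _, digest = response.rpartition(" ")
    secret = lookup_secret(username)
    if secret is None:
        return False  # the situation smtpd logged above as "no secret in database"
    expected = hmac.new(secret.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)

if __name__ == "__main__":
    print("plain-only conf cannot verify:", unverifiable_mechs(CONF_PLAIN_ONLY))
    print("with-md5 conf cannot verify:", unverifiable_mechs(CONF_WITH_MD5))
    chal = "<1234.1253776800@myhost.mydomain.com>"  # constructed server challenge
    resp = cram_md5_response("myclient", "hypothetical-secret", chal)
    print("with secret:", verify_cram_md5(resp, chal, {"myclient": "hypothetical-secret"}.get))
    print("no secret:", verify_cram_md5(resp, chal, {}.get))
```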