* Simon Wilson <si...@simonandkate.net>:
> I have a postfix 2.3.3 server, and I *think* I have SASL set up
> right. The reason I think it is right is that I have an iPhone that
> connects fine to Postfix, and sends emails fine through port 587
> with the following logs:
>
> Oct 13 23:33:21 server04 postfix/smtpd[988]: connect from
> unknown[120.155.207.95]
> Oct 13 23:33:21 server04 postfix/smtpd[988]: setting up TLS
> connection from unknown[120.155.207.95]
> Oct 13 23:33:22 server04 postfix/smtpd[988]: TLS connection
> established from unknown[120.155.207.95]: TLSv1 with cipher
> AES128-SHA (128/128 bits)
> Oct 13 23:33:22 server04 postfix/smtpd[988]: DDB8C57522:
> client=unknown[120.155.207.95], sasl_method=PLAIN,
> sasl_username=simon
>
> It seems to be authing against SASL fine, uses PLAIN as its mech,
> but as it is TLS encrypted that's fine, and verifies me against
> LDAP.
>
> My /usr/lib64/sasl2/smtpd.conf reads:
>
> pwcheck_method: saslauthd
> saslauthd_version: 2
> mech_list: plain login cram-md5
>
> saslauthd is configured to use LDAP.
>
> I can testsaslauthd -u simon -p password with no problems, and it
> hits my LDAP server.
>
> Now my wife has just got a Nokia E51. When it tries to send using
> SMTP to the same port 587, it tries to use CRAM-MD5, and the send
> fails:
The saslauthd password verification service can't deal with shared-secret mechanisms such as cram-md5. Remove "cram-md5" from $mech_list in /usr/lib64/sasl2/smtpd.conf and the Nokia E51 should be able to auth.

p...@rick

>
> Oct 13 23:35:37 server04 postfix/smtpd[988]: setting up TLS
> connection from unknown[58.171.251.169]
> Oct 13 23:35:38 server04 postfix/smtpd[988]: TLS connection
> established from unknown[58.171.251.169]: TLSv1 with cipher
> AES256-SHA (256/256 bits)
> Oct 13 23:35:39 server04 postfix/smtpd[988]: warning: SASL
> authentication problem: unable to open Berkeley db /etc/sasldb2:
> Permission denied
> Oct 13 23:35:39 server04 postfix/smtpd[988]: warning: SASL
> authentication problem: unable to open Berkeley db /etc/sasldb2:
> Permission denied
> Oct 13 23:35:39 server04 postfix/smtpd[988]: warning: SASL
> authentication failure: no secret in database
> Oct 13 23:35:39 server04 postfix/smtpd[988]: warning:
> unknown[58.171.251.169]: SASL CRAM-MD5 authentication failed:
> authentication failure
>
> It establishes the TLS fine, but then tries to use sasldb2 instead
> of saslauthd which is configured to go to LDAP. There is nothing IN
> sasldb2, no secrets etc as it says - it's not supposed to be using
> it.
>
> One thing I note is that "telnet mail.simonandkate.net 587" does not
> return AUTH in the list offered:
>
> 220 mail.simonandkate.net ESMTP Postfix
> EHLO simon.whatever
> 250-mail.simonandkate.net
> 250-PIPELINING
> 250-SIZE 26214400
> 250-ETRN
> 250-STARTTLS
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
>
> So it would appear that SASL is *not* set up right... but why do I
> get log entries saying the iPhone is sending email as
> sasl_method=PLAIN, sasl_username=simon?
>
> So can anyone tell me what I have done wrong? Why does SASL appear
> to be (possibly) working for PLAIN (iPhone) but not for the Nokia
> (CRAM-MD5), and why is the server not advertising the AUTH methods?
>
> Postconf -n:
>
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> bounce_template_file = /etc/postfix/bounce.cf
> broken_sasl_auth_clients = yes
> canonical_maps = hash:/etc/postfix/canonical
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> content_filter = amavisfeed:[127.0.0.1]:10024
> daemon_directory = /usr/libexec/postfix
> debug_peer_level = 2
> delay_warning_time = 2h
> disable_vrfy_command = yes
> html_directory = no
> mailbox_transport = cyrus
> mailq_path = /usr/bin/mailq.postfix
> manpage_directory = /usr/share/man
> masquerade_domains = !system.simonandkate.net, simonandkate.net,
> simonandkate.lan
> message_size_limit = 26214400
> mydestination = $myhostname, localhost.$mydomain, localhost,
> $mydomain, localhost.localdomain, simonandkate.net,
> system.simonandkate.net, howiesue.net
> myhostname = mail.simonandkate.net
> mynetworks = 127.0.0.0/8, 192.168.1.0/24
> myorigin = simonandkate.net
> newaliases_path = /usr/bin/newaliases.postfix
> readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
> sample_directory = /usr/share/doc/postfix-2.3.3/samples
> sendmail_path = /usr/sbin/sendmail.postfix
> setgid_group = postdrop
> smtpd_client_restrictions =
> smtpd_data_restrictions = reject_unauth_pipelining permit
> smtpd_helo_required = yes
> smtpd_helo_restrictions =
> smtpd_recipient_restrictions = permit_mynetworks,
> permit_sasl_authenticated, reject_unauth_destination,
> reject_unauth_pipelining, reject_invalid_helo_hostname,
> reject_non_fqdn_helo_hostname,
> reject_non_fqdn_sender,reject_unknown_sender_domain,
> reject_non_fqdn_recipient, reject_unknown_recipient_domain,
> check_sender_access hash:/etc/postfix/sender_access,
> reject_rbl_client zen.spamhaus.org, reject_rbl_client
> bl.spamcop.net, check_policy_service unix:postgrey/socket,
> check_policy_service unix:private/policy permit
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain =
> smtpd_sender_restrictions =
> smtpd_tls_CAfile = /etc/pki/tls/certs/cacert.pem
> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = /etc/pki/tls/certs/simonandkate.net-cert.pem
> smtpd_tls_key_file = /etc/pki/tls/private/simonandkate.net-key.pem
> smtpd_tls_loglevel = 1
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_timeout = 3600s
> transport_maps = hash:/etc/postfix/transport
> unknown_local_recipient_reject_code = 550
>
> Any help would be appreciated... :)
> --
> Simon Wilson
> www.simonandkate.net

--
All technical questions asked privately will be automatically answered on the list and archived for public access unless privacy is explicitly required and justified.

saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
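The two symptoms in the thread can be caught by looking at the configuration alone, before any client fails. The script below is an added example written for this page, not code from either poster, from Postfix or from Cyrus SASL. It reads a Cyrus SASL smtpd.conf and `postconf -n` output and flags (1) a `mech_list` that offers shared-secret mechanisms while `pwcheck_method` is `saslauthd`, which only ever answers whether a username/password pair is valid and so cannot serve CRAM-MD5 (the library then looks for the secret in sasldb, which is the "unable to open Berkeley db /etc/sasldb2" / "no secret in database" pair of warnings quoted above), and (2) `smtpd_tls_auth_only = yes`, which makes Postfix withhold the AUTH capability until after STARTTLS, so the plain-text telnet EHLO above never lists it while a client that authenticates inside TLS, like the iPhone, does see it. The set of shared-secret mechanisms beyond cram-md5 (digest-md5, ntlm, otp, scram) is this example's generalisation, not something the thread discusses; the sample inputs are constructed from the values quoted above.

```python
"""Lint a Cyrus SASL smtpd.conf plus `postconf -n` output for the SASL
mismatches discussed in the thread. Added example; sample inputs are
constructed from the configuration quoted above."""

# Mechanisms in which the server must hold the client's secret (or a
# derivative of it) to verify a challenge/response. saslauthd cannot
# serve any of them; cram-md5 is the one from the thread, the rest is
# this example's generalisation.
SHARED_SECRET_MECHS = {"cram-md5", "digest-md5", "ntlm", "otp",
                       "scram-sha-1", "scram-sha-256"}


def parse_kv(text, sep):
    """Parse `key<sep> value` lines into a dict with lower-cased keys.
    Indented lines continue the previous value, as `postconf -n` wraps them."""
    result, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last is not None:
            result[last] = (result[last] + " " + raw.strip()).strip()
            continue
        key, found, value = raw.partition(sep)
        if not found:
            continue  # not a setting line; ignore it
        last = key.strip().lower()
        result[last] = value.strip()
    return result


def lint(sasl_conf, postconf_n):
    """Return a list of (code, message) findings, in a fixed order."""
    sasl = parse_kv(sasl_conf, ":")
    pc = parse_kv(postconf_n, "=")
    findings = []

    mechs = sasl.get("mech_list", "").lower().split()
    bad = [m for m in mechs if m in SHARED_SECRET_MECHS]
    if sasl.get("pwcheck_method", "").lower() == "saslauthd" and bad:
        findings.append((
            "saslauthd-shared-secret",
            "pwcheck_method saslauthd cannot verify " + ", ".join(bad)
            + "; a client that picks one of them fails with 'no secret in "
              "database' because the library consults sasldb instead"))

    if (pc.get("smtpd_sasl_auth_enable", "no").lower() == "yes"
            and pc.get("smtpd_tls_auth_only", "no").lower() == "yes"):
        findings.append((
            "auth-hidden-before-starttls",
            "smtpd_tls_auth_only = yes: AUTH is advertised only after STARTTLS, "
            "so a plain-text EHLO will not list it; that is expected, not a fault"))
    return findings


def drop_shared_secret_mechs(sasl_conf):
    """Return smtpd.conf text with shared-secret mechanisms removed from
    mech_list (the fix suggested in the reply), leaving other lines intact."""
    out = []
    for line in sasl_conf.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "mech_list":
            keep = [m for m in value.split() if m.lower() not in SHARED_SECRET_MECHS]
            line = key + ": " + " ".join(keep)
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed from the /usr/lib64/sasl2/smtpd.conf quoted in the thread.
SMTPD_CONF = """\
pwcheck_method: saslauthd
saslauthd_version: 2
mech_list: plain login cram-md5
"""

# Constructed subset of the `postconf -n` output quoted in the thread.
POSTCONF_N = """\
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes
smtpd_tls_security_level = may
"""

if __name__ == "__main__":
    for code, msg in lint(SMTPD_CONF, POSTCONF_N):
        print(f"[{code}] {msg}")
    print("corrected smtpd.conf:")
    print(drop_shared_secret_mechs(SMTPD_CONF), end="")
```

Run against the thread's values it reports both findings; after `drop_shared_secret_mechs` only the STARTTLS note remains, which is the intended state: PLAIN and LOGIN are still offered, but only inside TLS.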