* Simon Brereton <simon.brere...@dada.net>:
> > From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Patrick Ben Koetter
> > * Simon Brereton <simon.brere...@dada.net>:
> > > Probably not the best place for this, but hopefully someone will tell
> > > me what I'm doing wrong anyway..
> > >
> > > I've gotten the TLS up and working. And SASL auth seemed to be
> > > working. I installed saslfinger and everything was fine there. But
> > > when trying to locally inject mail on the submission port, I get:
> > >
> > > Apr 11 20:31:10 jonty postfix/smtpd[28787]: setting up TLS connection from localhost[127.0.0.1]
> > > Apr 11 20:31:10 jonty postfix/smtpd[28787]: Anonymous TLS connection established from localhost[127.0.0.1]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
> > > Apr 11 20:31:10 jonty postfix/smtpd[28787]: warning: localhost[127.0.0.1]: SASL LOGIN authentication failed: authentication failure
> > > Apr 11 20:31:10 jonty postfix/smtpd[28787]: disconnect from localhost[127.0.0.1]
> > >
> > > I turned the verbosity up in smtpd.conf to try and diagnose this, and
> > > it does nothing (which I guess is my biggest issue).
> > >
> > > # Global Parameters
> > > log_level: 7
> > > pwcheck_method: auxprop
> > > #pwcheck_method: saslauthd
> <SNIP>
> > >
> > > Saslfinger -s says:
> >
> > saslfinger also reports much other, useful information which we need
> > to debug your problem. Please post complete output.
>
> Gladly. I was hoping you'd step in. Just to let you know, I've tried
> both auxprop and saslauthd as the pwcheck method.
>
> I even tried rimap - and with courier authdaemon logging turned up to 2, I
> can see the MYSQL call is successful (i.e. IMAP validates) and still SASL
> says authentication failed.

We'll simplify first, and make it feature-complete later.

> root@jonty:~# saslfinger -s
> saslfinger - postfix Cyrus sasl configuration Wed Apr 13 05:52:12 BST 2011
> version: 1.0.4
> mode: server-side SMTP AUTH
>
> -- basics --
> Postfix: 2.7.1
> System: Debian GNU/Linux 6.0 \n \l
>
> -- smtpd is linked to --
> libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7672000)
>
> -- active SMTP AUTH and TLS parameters for smtpd --
> broken_sasl_auth_clients = yes
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain = spamfreeisp.net

$smtpd_sasl_local_domain required or because you found it on a website?

> smtpd_sasl_security_options = noanonymous
> smtpd_tls_CAfile = /root/certauth/cacert.pem
> smtpd_tls_auth_only = no
> smtpd_tls_cert_file = /etc/postfix/ssl/mail.spamfreeisp.net.cert
> smtpd_tls_key_file = /etc/postfix/ssl/mail.spamfreeisp.net.key

Just as a sidenote: You might want to move your key and certs to /etc/ssl/...
and own them root:ssl-cert and then "adduser postfix ssl-cert" to make it the
"Debian way".

> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = yes
> smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
> smtpd_tls_session_cache_timeout = 3600s
> smtpd_use_tls = yes
>
>
> -- listing of /usr/lib/sasl2 --
> total 704
> drwxr-xr-x 2 root root 4096 Mar 8 14:21 .
> drwxr-xr-x 79 root root 32768 Apr 4 19:18 ..
> -rw-r--r-- 1 root root 13436 Dec 19 12:29 libanonymous.a
> -rw-r--r-- 1 root root 1003 Dec 19 12:29 libanonymous.la
> -rw-r--r-- 1 root root 13076 Dec 19 12:29 libanonymous.so
> -rw-r--r-- 1 root root 13076 Dec 19 12:29 libanonymous.so.2
> -rw-r--r-- 1 root root 13076 Dec 19 12:29 libanonymous.so.2.0.23
> -rw-r--r-- 1 root root 15882 Dec 19 12:29 libcrammd5.a
> -rw-r--r-- 1 root root 989 Dec 19 12:29 libcrammd5.la
> -rw-r--r-- 1 root root 15444 Dec 19 12:29 libcrammd5.so
> -rw-r--r-- 1 root root 15444 Dec 19 12:29 libcrammd5.so.2
> -rw-r--r-- 1 root root 15444 Dec 19 12:29 libcrammd5.so.2.0.23
> -rw-r--r-- 1 root root 45328 Dec 19 12:29 libdigestmd5.a
> -rw-r--r-- 1 root root 1012 Dec 19 12:29 libdigestmd5.la
> -rw-r--r-- 1 root root 43144 Dec 19 12:29 libdigestmd5.so
> -rw-r--r-- 1 root root 43144 Dec 19 12:29 libdigestmd5.so.2
> -rw-r--r-- 1 root root 43144 Dec 19 12:29 libdigestmd5.so.2.0.23
> -rw-r--r-- 1 root root 13586 Dec 19 12:29 liblogin.a
> -rw-r--r-- 1 root root 983 Dec 19 12:29 liblogin.la
> -rw-r--r-- 1 root root 13552 Dec 19 12:29 liblogin.so
> -rw-r--r-- 1 root root 13552 Dec 19 12:29 liblogin.so.2
> -rw-r--r-- 1 root root 13552 Dec 19 12:29 liblogin.so.2.0.23
> -rw-r--r-- 1 root root 29140 Dec 19 12:29 libntlm.a
> -rw-r--r-- 1 root root 977 Dec 19 12:29 libntlm.la
> -rw-r--r-- 1 root root 28528 Dec 19 12:29 libntlm.so
> -rw-r--r-- 1 root root 28528 Dec 19 12:29 libntlm.so.2
> -rw-r--r-- 1 root root 28528 Dec 19 12:29 libntlm.so.2.0.23
> -rw-r--r-- 1 root root 13786 Dec 19 12:29 libplain.a
> -rw-r--r-- 1 root root 983 Dec 19 12:29 libplain.la
> -rw-r--r-- 1 root root 14096 Dec 19 12:29 libplain.so
> -rw-r--r-- 1 root root 14096 Dec 19 12:29 libplain.so.2
> -rw-r--r-- 1 root root 14096 Dec 19 12:29 libplain.so.2.0.23
> -rw-r--r-- 1 root root 21498 Dec 19 12:29 libsasldb.a
> -rw-r--r-- 1 root root 1014 Dec 19 12:29 libsasldb.la
> -rw-r--r-- 1 root root 18084 Dec 19 12:29 libsasldb.so
> -rw-r--r-- 1 root root 18084 Dec 19 12:29 libsasldb.so.2
> -rw-r--r-- 1 root root 18084 Dec 19 12:29 libsasldb.so.2.0.23

Okay.

> -- listing of /etc/postfix/sasl --
> total 12
> drwxr-xr-x 2 root root 4096 Apr 12 23:41 .
> drwxr-xr-x 4 root root 4096 Apr 12 00:18 ..
> -rw-r--r-- 1 root root 644 Apr 12 23:41 smtpd.conf

Okay.

> -- content of /etc/postfix/sasl/smtpd.conf --

Make this as follows and REMOVE the semi-colon at the end of your
sql_select:-statement:

pwcheck_method: auxprop
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
auxprop_plugin: sql
sql_engine: mysql
sql_hostnames: localhost
sql_user: --- replaced ---
sql_passwd: --- replaced ---
sql_database: Mail
sql_select: SELECT Password FROM MailAccounts WHERE Username = '%u@%r'

> # Global Parameters
> log_level: 7
> pwcheck_method: auxprop
> #pwcheck_method: saslauthd
> #mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
> mech_list: PLAIN LOGIN
> allow_plaintext: true
> # saslauthd Parameters
> #saslauthd_path: /var/state/saslauthd/mux
> saslauthd_path: /var/spool/postfix/var/run/saslauthd/mux
> # Auxiliary Plugin Paramters
> auxprop_plugin: sql
> sql_engine: mysql
> #sql_hostnames: 127.0.0.1
> sql_hostnames: localhost
> sql_user: --- replaced ---
> sql_passwd: --- replaced ---
> sql_database: Mail
> sql_select: select Password from MailAccounts where Username = '%u@%r';
> # or Username = '%u@%r' or (Username = '%u' and ForwardAdd = '') or Username = '%u.%r';
> sql_usessl: no
>
>
> -- active services in /etc/postfix/master.cf --
> # service type private unpriv chroot wakeup maxproc command + args
> # (yes) (yes) (yes) (never) (100)
> smtp inet n - - - - smtpd -v
> submission inet n - n - - smtpd
>   -o receive_override_options=no_address_mappings
>   -o content_filter=dksign:[127.0.0.1]:10028
>   -o smtpd_enforce_tls=yes
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject

Disable TLS for the moment. What do you get when you run
"postconf smtpd_delay_reject"?

Post verbose smtpd log that shows an authentication attempt if AUTH still
fails after the changes.

Caution
    When posting logs of the SASL negotiations to public lists, please keep
    in mind that username/password information is trivial to recover from
    the base64-encoded form written to log files.

p@rick

--
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
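
One way to act on the caution above before posting a verbose smtpd log, as an added example that is not part of the original message or of Postfix: a filter that masks the base64 payloads of an SMTP AUTH exchange while keeping the dialogue readable. It assumes the verbose chat lines have the shape `< client: text` (client input) and `> client: text` (server reply); the sample log, host, PIDs and credentials are constructed, and other debug lines still need a manual check.

```python
import base64
import re

# Assumed shape of a verbose smtpd chat line: "<" marks client input,
# ">" marks the server reply. Any other log line passes through untouched.
CHAT = re.compile(
    r"^(?P<head>.*postfix/smtpd\[(?P<pid>\d+)\]: (?P<dir>[<>]) \S+: )(?P<text>.*)$")
AUTH = re.compile(r"^(AUTH\s+\S+)(\s+\S+)?\s*$", re.IGNORECASE)
MASK = "[REDACTED]"


def redact(lines):
    """Mask SASL payloads in SMTP AUTH exchanges, tracked per smtpd PID."""
    in_sasl = set()  # PIDs whose server sent a 334 and awaits a response
    out = []
    for line in lines:
        m = CHAT.match(line)
        if not m:
            out.append(line)
            continue
        pid, text = m["pid"], m["text"]
        if m["dir"] == "<":
            auth = AUTH.match(text)
            if auth:  # AUTH PLAIN may carry the credentials inline
                text = auth.group(1) + (" " + MASK if auth.group(2) else "")
            elif pid in in_sasl:  # client response to a 334 challenge
                text = MASK
        elif text.startswith("334"):
            in_sasl.add(pid)
            text = "334 " + MASK  # a CRAM-MD5 challenge pairs with its response
        else:
            in_sasl.discard(pid)  # 235, 535, ... end the exchange
        out.append(m["head"] + text)
    return out


def b64(s):
    return base64.b64encode(s.encode()).decode()


# Constructed sample input; nothing here comes from the thread.
P = "Apr 13 06:00:01 mail postfix/smtpd[%d]: %s localhost[127.0.0.1]: %s"
SAMPLE = [
    P % (4242, "<", "AUTH LOGIN"),
    P % (4242, ">", "334 " + b64("Username:")),
    P % (4242, "<", b64("user@example.com")),
    P % (4242, ">", "334 " + b64("Password:")),
    P % (4242, "<", b64("not-a-real-password")),
    P % (4242, ">", "535 5.7.8 Error: authentication failed"),
    P % (4242, "<", "QUIT"),
    P % (4243, "<", "AUTH PLAIN " + b64("\0user@example.com\0not-a-real-password")),
]
```

Run `redact()` over the log lines and diff the result against the original before posting, so that only AUTH payloads have changed.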