* brian <postfix-l...@logi.ca>:
> I'm having trouble with SASL when relaying and don't know if the
> problem is with the client (thunderbird), the server, or the fact
> I've been at this for going on 12 hours now.
>
>
> shortened log entries:
> SSL_accept:before/accept initialization
> ...
> SSL_accept:SSLv3 read finished A
> Reusing old session
> Anonymous TLS connection established from ... TLSv1 with cipher
> ECDHE-RSA-AES256-SHA (256/256 bits)
> warning: SASL authentication failure: Password verification failed
> SASL PLAIN authentication failed: authentication failure
> SASL LOGIN authentication failed: authentication failure
>
> I'd enabled TLS because I thought SASL had been finally conquered.
> But I'd forgotten to go back and check outgoing first. Anyway, TLS
> appears to be fine so I've left it on.
>
>
> $ sudo sasldblistusers2
> cyrus@demeter: userPassword
> test@demeter: userPassword
>
> $ sudo testsaslauthd -u test -p test
> 0: OK "Success."

Your test is misleading, because it tests a different SASL setup. testsaslauthd tests saslauthd authentication, while you have configured Cyrus SASL to have libsasl access sasldb using the sasldb auxprop plugin.

You seem to be running Postfix on a debianized machine. Is Postfix in group sasl as the documentation requires? Is the sasl group owner of /etc/sasldb2 so Postfix may access it?

> main.cf:
> broken_sasl_auth_clients = yes
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_authenticated_header = no
> smtpd_sasl_local_domain = $mydomain

The following two are at their defaults. No need to set them:

> smtpd_sasl_path = smtpd
> smtpd_sasl_security_options = noanonymous

> /etc/postfix/sasl/smtpd.conf:
> pwcheck_method: auxprop
> auxprop_plugin: sasldb
> mech_list: PLAIN LOGIN
>
> telnet shows me:
> 250-AUTH PLAIN LOGIN
> 250-AUTH=PLAIN LOGIN
>
> master.cf:
> smtp inet n - n - - smtpd
> submission inet n - n - - smtpd
> -o smtpd_sasl_auth_enable=yes
> -o smtpd_client_restrictions=permit_mynetworks,
> permit_sasl_authenticated,reject

Unless you are planning to let clients from $mynetworks send from 587, you should switch smtpd_client_restrictions back to this:

-o smtpd_client_restrictions=permit_sasl_authenticated,reject

It would be helpful if you also sent output from "postconf -n" and a log showing what takes place when AUTH fails.

What's the current setting for smtpd_delay_reject? Is it at its default? With your current setup it must be set to 'yes' or AUTH will fail.

> I also tried adding the following under submission:
>
> -o smtpd_sasl_local_domain=DOMAIN.org
> -o smtpd_sasl_path=smtpd
>
> It's not clear to me if these need to be added in master.cf. If so,
> are there other params that need to be included?

You don't have to add $smtpd_sasl_local_domain unless you have clients that send their identity without the domainpart. Only in that case would Postfix append $smtpd_sasl_local_domain.

You don't have to add smtpd_sasl_path=smtpd; it is the default.

> (BONUS: can I use $mydomain here?)

You can. See above.

> The mail client's outgoing server is set to:
>
> port: 587
> username: test
> secure authentication: no
> connection security: STARTTLS

Use 'test@demeter' to authenticate. That's what your sasldblistusers2 listing returns.

> I've tried with both STARTTLS & none.
>
> I've also tried with test & t...@domain.org

t...@domain.org is not a user in your sasldb.

> I've set up Postfix/CyrusIMAP with SASL & TLS before but always with
> virtual mailboxes. I foolishly thought that this time was going to
> be a piece of cake because there's only going to be a single domain
> for this server.

Virtual domains and SASL have nothing in common.

> I've also usually created mailboxes of the form f...@domain.tld but
> that led to several hours of grief for some reason this time. I'm
> fine with just having bare usernames in sasldb2 but don't know if
> that's the problem here.

You can't have bare usernames in sasldb. It always requires a username that consists of a localpart and a domainpart.

p@rick

--
All technical questions asked privately will be automatically answered on the list and archived for public access unless privacy is explicitly required and justified.

saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
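The points raised in the reply (which SASL backend a test tool actually exercises, permit_mynetworks on the submission service, smtpd_delay_reject being evaluated before AUTH, and the localpart@domainpart form that sasldb entries need) can be checked mechanically from the config text. The following is an added example and not code from this thread, from Postfix or from Cyrus SASL; the config strings are constructed to mirror the quoted setup, with domain.org standing in for the poster's real domain and smtpd_delay_reject deliberately set to "no" to show the failure mode, and all function names are my own.

```python
"""Audit a Postfix SMTP AUTH (Cyrus SASL, sasldb) setup from config text.

Added example for the thread above, not code from the list or from the
Postfix/Cyrus SASL projects. The config snippets are constructed from the
values quoted in the thread; the checks mirror the points raised in the reply.
"""
import re

# Constructed inputs. A real audit would read the files and `postconf -n`.
SMTPD_CONF = """\
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN
"""

MASTER_CF = """\
smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
"""

# smtpd_delay_reject = no is chosen here to demonstrate the failure the reply
# warns about; domain.org is a placeholder for the poster's domain.
POSTCONF_N = """\
broken_sasl_auth_clients = yes
smtpd_delay_reject = no
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = domain.org
"""

SASLDB_LISTING = """\
cyrus@demeter: userPassword
test@demeter: userPassword
"""


def parse_kv(text, sep):
    """Parse 'key<sep>value' lines (smtpd.conf uses ':', postconf uses '=')."""
    out = {}
    for line in text.splitlines():
        if sep in line and not line.lstrip().startswith("#"):
            k, v = line.split(sep, 1)
            out[k.strip()] = v.strip()
    return out


def sasl_backend(smtpd_conf):
    """Return 'sasldb', 'saslauthd' or the raw pwcheck_method.

    This decides which test tool is meaningful: testsaslauthd only exercises
    saslauthd, so it says nothing about an auxprop/sasldb setup.
    """
    conf = parse_kv(smtpd_conf, ":")
    method = conf.get("pwcheck_method", "")
    if method == "auxprop":
        return conf.get("auxprop_plugin", "auxprop")
    return method


def service_overrides(master_cf, service):
    """Collect the '-o name=value' overrides listed under one master.cf service."""
    overrides, inside = {}, False
    for line in master_cf.splitlines():
        if not line.startswith((" ", "\t")):
            inside = line.split()[:1] == [service]
            continue
        if inside:
            m = re.match(r"\s*-o\s+([^=]+)=(.*)", line)
            if m:
                overrides[m.group(1).strip()] = m.group(2).strip()
    return overrides


def restriction_findings(master_cf, postconf_n):
    """Flag the two AUTH-related settings discussed in the reply."""
    findings = []
    sub = service_overrides(master_cf, "submission")
    main = parse_kv(postconf_n, "=")
    restr = sub.get("smtpd_client_restrictions", "")
    rules = [r.strip() for r in restr.split(",") if r.strip()]
    if "permit_mynetworks" in rules:
        findings.append("submission: permit_mynetworks lets $mynetworks relay on 587 without AUTH")
    # permit_sasl_authenticated can only match after AUTH, which happens after
    # the connection is established; with smtpd_delay_reject=no the client
    # restrictions are evaluated at connect time, so every client hits 'reject'.
    if "permit_sasl_authenticated" in rules and main.get("smtpd_delay_reject", "yes") == "no":
        findings.append("smtpd_delay_reject=no evaluates client restrictions before AUTH")
    return findings


def sasldb_login_name(login, postconf_n, listing):
    """Return the name Postfix hands to libsasl and whether sasldb contains it."""
    if "@" not in login:
        # Postfix appends smtpd_sasl_local_domain only to a bare localpart.
        domain = parse_kv(postconf_n, "=").get("smtpd_sasl_local_domain", "")
        login = f"{login}@{domain}" if domain else login
    users = {l.split(":", 1)[0] for l in listing.splitlines() if ":" in l}
    return login, login in users


if __name__ == "__main__":
    print("backend:", sasl_backend(SMTPD_CONF))
    for f in restriction_findings(MASTER_CF, POSTCONF_N):
        print("finding:", f)
    print(sasldb_login_name("test", POSTCONF_N, SASLDB_LISTING))
    print(sasldb_login_name("test@demeter", POSTCONF_N, SASLDB_LISTING))
```

With the constructed inputs the audit reports the sasldb backend (so testsaslauthd's "OK" proves nothing), two findings on the submission service, and that a bare login of "test" becomes test@domain.org, which is absent from the sasldb listing, while test@demeter is present.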