Thanks Viktor,

> Not sure why you did that. Is this a submission only MTA? Inbound mail is
> handled somewhere else?

Yes V, I am setting this up to accept email sent from a vendor application
over the internet and relay the email to its destination (usually to O365,
where the mailboxes reside).

> LDAP auxprop plugin. Did you install it?

Yes, these are the installed packages on my side for Cyrus-SASL:

  cyrus-sasl-2.1.26-23.el7.x86_64
  cyrus-sasl-devel-2.1.26-23.el7.x86_64
  cyrus-sasl-ldap-2.1.26-23.el7.x86_64
      >>> (Description: The cyrus-sasl-ldap package contains the Cyrus SASL
      plugin which supports using a directory server, accessed using LDAP,
      for storing shared secrets.)
  cyrus-sasl-md5-2.1.26-23.el7.x86_64
  cyrus-sasl-ntlm-2.1.26-23.el7.x86_64
  cyrus-sasl-plain-2.1.26-23.el7.x86_64
  cyrus-sasl-lib-2.1.26-23.el7.x86_64

- have added the 'postfix' user to the 'saslauthd' group.
- not running chrooted:

  submission inet n       -       n       -       -       smtpd

**********************************************************************

When I run:

  ps -ef | grep saslauthd

  /usr/sbin/saslauthd -m /run/saslauthd -a ldap -r
  /usr/sbin/saslauthd -m /run/saslauthd -a ldap -r
  /usr/sbin/saslauthd -m /run/saslauthd -a ldap -r
  /usr/sbin/saslauthd -m /run/saslauthd -a ldap -r

Some blogs suggest moving the '/run/saslauthd' file to under
'/var/spool/postfix':

  "Suggested steps:
  rm -r /var/run/saslauthd/
  mkdir -p /var/spool/postfix/var/run/saslauthd
  ln -s /var/spool/postfix/var/run/saslauthd /var/run
  chgrp sasl /var/spool/postfix/var/run/saslauthd
  adduser postfix sasl"

I am not sure if I have to do this.

My permissions under /run/saslauthd:

  # ll /run/saslauthd
  srwxrwxrwx. 1 root root 0 Apr 26 06:54 mux
  -rw-------. 1 root root 0 Apr 26 06:54 mux.accept
  -rw-------. 1 root root 6 Apr 26 06:54 saslauthd.pid

Set them to:

  # ll /run/saslauthd
  srwxrwxrwx. 1 root saslauth 0 Apr 26 06:54 mux
  -rw-r-x---. 1 root saslauth 0 Apr 26 06:54 mux.accept
  -rw-r-x---. 1 root saslauth 6 Apr 26 06:54 saslauthd.pid

< still says this >

  postfix/submission/smtpd[94812]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
  postfix/submission/smtpd[94812]: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb

Could you suggest if I have to move the '/run/saslauthd' file to under
'/var/spool/postfix' for postfix to load the plugin?

Thanks and regards,
Vamsi B

-----Original Message-----
From: owner-postfix-us...@postfix.org <owner-postfix-us...@postfix.org> On Behalf Of Viktor Dukhovni
Sent: Monday, April 27, 2020 4:22 AM
To: postfix-users@postfix.org
Subject: Re: Trying to setup SASL auth to use a LDAP server on postfix and having issues .

On Sun, Apr 26, 2020 at 10:35:58PM +0000, Bandaru, Vamsi wrote:

> After your recommendation this is what I have done:
>
> 1. commented out smtp service for inbound
>
> #smtp      inet  n       -       n       -       200     smtpd -vv

Not sure why you did that. Is this a submission only MTA? Inbound mail is
handled somewhere else?

> 2. Configured Submission service as suggested, with few limitations (I am
> running mail_version of 2.10.1, and a few of the suggested parameters
> aren't available)

You're mistaken about "unavailable" parameters. Custom parameters can be
used that are not pre-defined in Postfix.

> master.cf:
> submission inet n       -       n       -       -       smtpd
>   -o syslog_name=postfix/submission
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_tls_auth_only=yes
>   -o smtpd_reject_unlisted_recipient=no
>   -o smtpd_client_restrictions=$mua_client_restrictions
>
> (mua_client / helo / sender _restrictions, also not available under the
> version I am using)

These default to empty, but you can set them to appropriate values if
you wish, but the idea is to not break submission mail when you
customise the restrictions for port 25 in main.cf.

>   -o smtpd_helo_restrictions=$mua_helo_restrictions
>   -o smtpd_sender_restrictions=$mua_sender_restrictions
>   -o smtpd_recipient_restrictions=
>   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
>   -o milter_macro_daemon_name=ORIGINATING

The suggested settings are correct as written.

> Under main.cf, this parameter isn't available:
> smtpd_sasl_mechanism_filter

Here you're right, I overlooked the fact that we only have a mechanism
filter for the client side. Ignore that one suggestion.

> on port 587 (responds)
> [no plaintext SASL as expected]
>
> Connect to server on port 587 via openssl s_client
>
> < openssl s_client -debug -starttls smtp -crlf -connect x.x.x.x:587 >
>
> 250 DSN
> ehlo localhost
> write to 0xa04550 [0xa1fc13] (45 bytes => 45 (0x2D))
> read from 0xa04550 [0xa1b6c8] (190 bytes => 190 (0xBE))
> 250-< hostname >
> 250-PIPELINING
> 250-SIZE 36700160
> 250-AUTH DIGEST-MD5 CRAM-MD5 NTLM LOGIN PLAIN
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN

Great, now the server actually offers a non-empty mechanism list.
You'll probably want to narrow that down in your SASL config.

> AUTH LOGIN
> 334 VXNlcm5hbWU6 (prompts for username)
> 435 4.7.8 Error: authentication failed: authentication failure
>
> The auth.log under /var/log records this:
>
> postfix/submission/smtpd[94812]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
> postfix/submission/smtpd[94812]: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
> postfix/submission/smtpd[95522]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
> postfix/submission/smtpd[95522]: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
> postfix/submission/smtpd[96590]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
> postfix/submission/smtpd[96590]: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb

You'll need to install that plugin.

> *************************************
>
> This is my /etc/saslauthd.conf file:
>
> ldap_servers: ldaps://x.x.x:636
> ldap_version: 3
> ldap_auth_method: bind
> ldap_search_base: ou=xx,ou=xx,o=xx
> ldap_scope: sub
> ldap_bind_dn: uid=xxxx,ou=xx,ou=xx,o=xx
> ldap_bind_pw: xx
> ldap_filter: ShortName=%U
> auxprop_plugin: ldapdb
>
> This is my smtpd.conf file setting @ /etc/sasl2/smtpd.conf:
>
> pwcheck_method: auxprop
> auxprop_plugin: ldapdb
> mech_list: PLAIN LOGIN NTLM CRAM-MD5 DIGEST-MD5

You should probably remove everything other than PLAIN and LOGIN.

> ldapdb_uri: ldaps://x.x.x:636
> ldapdb_id: uid=xxx,ou=xx,ou=xx,o=xx
> ldapdb_pw: xx
> ldapdb_mech: LOGIN
> ldap_version: 3
> ldap_auth_method: bind

Now you just need an LDAP auxprop plugin. Did you install it?

At this point your Postfix issues are largely resolved, you now need to
properly configure Cyrus SASL.

--
    Viktor.
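The thread above checks the submission service by hand with openssl s_client: EHLO before and after STARTTLS, read the 250-AUTH line, then an AUTH LOGIN round trip. The following is an added example (not code from either poster, and not part of Postfix or Cyrus SASL) that automates the same exchange. The offline parts parse an EHLO reply for the advertised mechanisms, encode and decode the base64 pieces of AUTH LOGIN and AUTH PLAIN (the 334 VXNlcm5hbWU6 challenge in the thread decodes to "Username:"), and flag what Viktor's advice implies should not happen on a submission port with smtpd_tls_auth_only=yes and mech_list narrowed to PLAIN LOGIN: any AUTH offered before STARTTLS, or mechanisms beyond PLAIN and LOGIN offered after it. The EHLO reply in SAMPLE_EHLO_AFTER_TLS is the one captured in the thread with the hostname replaced by a placeholder; SAMPLE_EHLO_BEFORE_TLS is constructed. probe() wraps the same checks around a live connection with smtplib; its host, port and credentials are placeholders, and nothing in the offline checks needs a server.

```python
"""EHLO/SASL checks for a Postfix submission service (added example, not from the thread)."""
import base64
import re
import smtplib
import ssl
from typing import List, Optional, Set

# EHLO reply captured in the thread after STARTTLS; the hostname is a placeholder.
SAMPLE_EHLO_AFTER_TLS = """250-mail.example.invalid
250-PIPELINING
250-SIZE 36700160
250-AUTH DIGEST-MD5 CRAM-MD5 NTLM LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

# Constructed reply before STARTTLS: with smtpd_tls_auth_only=yes a submission
# service advertises STARTTLS but no AUTH keyword at all.
SAMPLE_EHLO_BEFORE_TLS = """250-mail.example.invalid
250-PIPELINING
250-SIZE 36700160
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

PLAINTEXT_ONLY = {"PLAIN", "LOGIN"}


def parse_ehlo_auth(ehlo_reply: str) -> List[str]:
    """Mechanisms from the AUTH line of an EHLO reply, with or without the 250- prefix."""
    for line in ehlo_reply.splitlines():
        m = re.match(r"^(?:250[- ])?AUTH[ =](.*)$", line.strip(), re.IGNORECASE)
        if m:
            return m.group(1).upper().split()
    return []  # no AUTH keyword advertised


def decode_sasl_challenge(b64_text: str) -> str:
    """Decode a '334 <base64>' server challenge, e.g. VXNlcm5hbWU6 -> 'Username:'."""
    return base64.b64decode(b64_text).decode("utf-8")


def login_responses(username: str, password: str) -> List[str]:
    """Client replies for AUTH LOGIN: base64(username), then base64(password)."""
    return [base64.b64encode(s.encode("utf-8")).decode("ascii")
            for s in (username, password)]


def plain_initial_response(username: str, password: str, authzid: str = "") -> str:
    """RFC 4616 AUTH PLAIN initial response: base64(authzid NUL authcid NUL passwd)."""
    raw = (authzid.encode("utf-8") + b"\x00" + username.encode("utf-8")
           + b"\x00" + password.encode("utf-8"))
    return base64.b64encode(raw).decode("ascii")


def check_mech_policy(before_tls: List[str], after_tls: List[str],
                      allowed: Set[str] = PLAINTEXT_ONLY) -> List[str]:
    """Findings for a submission service meant to offer only PLAIN/LOGIN, and only under TLS."""
    findings = []
    if before_tls:
        findings.append("AUTH advertised before STARTTLS: " + " ".join(before_tls))
    extra = [m for m in after_tls if m not in allowed]
    if extra:
        findings.append("mechanisms beyond %s advertised: %s"
                        % (" ".join(sorted(allowed)), " ".join(extra)))
    if not after_tls:
        findings.append("no AUTH mechanisms advertised after STARTTLS")
    return findings


def probe(host: str, port: int = 587, username: Optional[str] = None,
          password: Optional[str] = None) -> List[str]:
    """Live version of the thread's manual test: EHLO, STARTTLS, EHLO, optional AUTH LOGIN.

    host/port/credentials are placeholders supplied by the caller; smtplib resets
    esmtp_features on each EHLO, so the two snapshots are independent.
    """
    findings = []
    with smtplib.SMTP(host, port, timeout=15) as s:
        s.ehlo()
        before = s.esmtp_features.get("auth", "").upper().split()
        s.starttls(context=ssl.create_default_context())
        s.ehlo()
        after = s.esmtp_features.get("auth", "").upper().split()
        findings += check_mech_policy(before, after)
        if username and password and "LOGIN" in after:
            code, msg = s.docmd("AUTH LOGIN")
            for reply in login_responses(username, password):
                if code != 334:  # server stopped challenging (e.g. 435 as in the thread)
                    break
                code, msg = s.docmd(reply)
            findings.append("AUTH LOGIN -> %d %s" % (code, msg.decode("utf-8", "replace")))
    return findings
```

Run against the thread's own capture, check_mech_policy() reports one finding, the DIGEST-MD5, CRAM-MD5 and NTLM mechanisms that a mech_list of PLAIN LOGIN would remove; an empty finding list is the state to aim for once the SASL side is sorted out. Because the AUTH LOGIN and PLAIN credentials are only base64, never encryption, the pre-STARTTLS finding is the one that matters most if it ever appears.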