I'm migrating from an ancient Postfix 2.6.6 with SASL 2.1.23 on Centos
6 to 3.5.6 with SASL 2.1.27 on Debian 11.  I've got everything working
EXCEPT SASL authentication, and the amount of conflicting information
on Postfix+SASL on the web is rather amazing :-).

I tried reading the Cyrus SASL manual, but it seems to be incomplete,
with lots of headings with no text.

I have authentication working just fine on my old system (for years),
but I'm stumped on the new system after about 10 hours of
experimentation. Here's the current setup (sensitive info redacted):

$ sudo sasldblistusers2
myu...@mydomain.com: userPassword

$ sudo testsaslauthd -r mydomain.com -u myuser -p [password]
0: OK "Success."

So I know SASL itself is working, but in case it's relevant:

$ sudo db_dump -p /etc/sasldb2
VERSION=3
format=print
type=hash
h_nelem=2
db_pagesize=4096
HEADER=END
 myuser\00mydomain.com\00userPassword
 [password]
DATA=END

$ cat /etc/sasl2/smtpd.conf
pwcheck_method: auxprop
log_level: 4
mech_list: PLAIN

$ sudo postconf -a
cyrus
dovecot

$ sudo postconf |egrep '^smtpd_(sasl|relay)'
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_exceptions_networks =
smtpd_sasl_local_domain =
smtpd_sasl_path = smtpd
smtpd_sasl_response_limit = 12288
smtpd_sasl_security_options = noanonymous
smtpd_sasl_service = smtpd
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = cyrus


Since the Debian default is to run Postfix chroot, I applied the fix
suggested to make the SASL socket available to Postfix (OPTIONS below)

$ cat /etc/default/saslauthd
START=yes
DESC="SASL Authentication Daemon"
NAME="saslauthd"
MECHANISMS="sasldb"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

$ groups postfix
postfix : postfix sasl

$ ls -ld /var/spool/postfix
drwxr-xr-x 21 root root 4096 May 27 21:42 /var/spool/postfix

$ ls -ld /var/spool/postfix/var
drwxr-xr-x 3 root root 4096 May 27 21:42 /var/spool/postfix/var

$ ls -ld /var/spool/postfix/var/run
drwxr-xr-x 3 root root 4096 May 27 21:42 /var/spool/postfix/var/run

$ ls -ld /var/spool/postfix/var/run/saslauthd/
drwx--x--- 2 root sasl 4096 May 28 00:41 /var/spool/postfix/var/run/saslauthd/

$ sudo ls -l /var/spool/postfix/var/run/saslauthd/mux
srwxrwxrwx 1 root root 0 May 28 00:41 /var/spool/postfix/var/run/saslauthd/mux

Thunderbird client configuration (same as working config that connects
to the old system, except for the hostname).

    Host: hostname of the new server
    Port: 587
    User: myu...@mydomain.com
    Auth: Normal Password
    Sec:  STARTTLS

The consistent error is (/var/log/mail.log)

May 28 00:50:34 smtp2 postfix/submission/smtpd[19147]: connect from [redacted]
May 28 00:50:35 smtp2 postfix/submission/smtpd[19147]: warning: SASL authentication failure: Password verification failed
May 28 00:50:35 smtp2 postfix/submission/smtpd[19147]: warning: [redacted]: SASL PLAIN authentication failed: authentication failure

There is nothing logged in auth.log, and journalctl does not show
anything for saslauthd except daemon start and stop messages.

So I'm out of ideas.  What can I do to resolve the problem or
troubleshoot further?


I also tried manually connecting, here's the results of that session:

$ echo -ne '\000myu...@mydomain.com\000[password]' | openssl base64
[redacted base64]

$ openssl s_client -connect localhost:587 -starttls smtp
CONNECTED(00000003)

[certificate data]

---
SSL handshake has read 4810 bytes and written 396 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
250 CHUNKING
---
[session ticket]
---
read R BLOCK
EHLO test.com
250-[redacted]
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5 NTLM PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
AUTH PLAIN [redacted base64]
535 5.7.8 Error: authentication failed: bad protocol / cancel
QUIT
DONE

--
Jim Garrison
j...@acm.org
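Added example, not part of the post above or of Postfix/Cyrus SASL: the manual session ends in "535 5.7.8 ... bad protocol / cancel", which is libsasl's error string for SASL_BADPROT (the server could not parse the client's SASL message), whereas the Thunderbird attempt logged "Password verification failed" (a rejected credential). The two failures are therefore different, and the first one usually means the hand-built base64 is malformed. The script below builds the RFC 4616 PLAIN initial response (authzid NUL authcid NUL password), checks a pasted blob for the common mistakes (missing NUL separators, a literal "-ne" left behind by a shell whose echo does not take -e, a trailing newline), and can replay EHLO/STARTTLS/AUTH PLAIN against a submission port so the exact 535 text can be read without pasting base64 by hand. Host, user and password are placeholders.

```python
"""Build, sanity-check and optionally replay the SASL PLAIN initial response.

Added example for the thread above; not code from the original post.
The host/user/password values at the bottom are placeholders.
"""
import base64
import smtplib
import ssl


def plain_initial_response(authcid: str, password: str, authzid: str = "") -> str:
    """Return the base64 text that follows 'AUTH PLAIN' (RFC 4616).

    Wire format is: authzid NUL authcid NUL password.  authzid is normally
    empty, but the leading NUL is still mandatory, which is why the shell
    recipe starts with \\000.
    """
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def inspect_plain_blob(b64: str) -> dict:
    """Decode a base64 blob and report whether it is a well-formed PLAIN message.

    A malformed message is rejected by libsasl before any password lookup,
    so it never reaches sasldb/saslauthd and produces a protocol error
    rather than a 'Password verification failed' warning.
    """
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return {"ok": False, "reason": f"not valid base64: {exc}"}
    if raw.startswith(b"-ne ") or raw.startswith(b"-e "):
        return {"ok": False, "reason": "literal echo flags present; that shell's echo ignores -e"}
    parts = raw.split(b"\0")
    if len(parts) != 3:
        return {"ok": False, "reason": f"expected 2 NUL separators, found {len(parts) - 1}"}
    authzid, authcid, passwd = parts
    if passwd.endswith(b"\n"):
        return {"ok": False, "reason": "trailing newline in password (echo run without -n)"}
    if not authcid:
        return {"ok": False, "reason": "empty authentication identity"}
    return {
        "ok": True,
        "authzid": authzid.decode("utf-8"),
        "authcid": authcid.decode("utf-8"),
        "password_len": len(passwd),
    }


def replay_auth_plain(host: str, port: int, authcid: str, password: str,
                      timeout: float = 10.0) -> tuple:
    """Perform EHLO, STARTTLS, EHLO, AUTH PLAIN and return (code, message) for AUTH.

    Mirrors the manual openssl s_client session.  Uses the system trust store,
    so a self-signed certificate must be installed or the context relaxed first.
    """
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        s.starttls(context=ctx)
        s.ehlo()
        advertised = s.esmtp_features.get("auth", "").upper()
        if "PLAIN" not in advertised.split():
            return (0, b"server did not advertise AUTH PLAIN after STARTTLS")
        return s.docmd("AUTH PLAIN", plain_initial_response(authcid, password))


if __name__ == "__main__":
    # Placeholder credentials; replace before running against a real server.
    blob = plain_initial_response("myuser@mydomain.com", "s3cret")
    print("AUTH PLAIN", blob)
    print(inspect_plain_blob(blob))
    # print(replay_auth_plain("smtp2.example.invalid", 587, "myuser@mydomain.com", "s3cret"))
```

A reply of "535 ... bad protocol / cancel" from `replay_auth_plain` with a blob that `inspect_plain_blob` accepts points at the server side rather than the client encoding; a "Password verification failed" warning in mail.log means the message parsed and the credential lookup itself failed. Note that with `pwcheck_method: auxprop` in smtpd.conf the sasldb lookup is done by libsasl inside the smtpd process, not by saslauthd, so the saslauthd socket is not involved in that path and a chrooted smtpd needs the sasldb file inside the chroot (Postfix SASL_README).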
