On Fri, May 27, 2022 at 06:22:01PM -0700, Jim Garrison wrote:

> I'm migrating from an ancient Postfix 2.6.6 with SASL 2.1.23 on Centos
> 6 to 3.5.6 with SASL 2.1.27 on Debian 11. I've got everything working
> EXCEPT SASL authentication, and the amount of conflicting information
> on Postfix+SASL on the web is rather amazing :-).
Why not just read the SASL_README that comes with Postfix, e.g. at:

    https://www.postfix.org/SASL_README.html

and skip the various false leads on the Internet?

> $sudo sasldblistusers2
> myu...@mydomain.com: userPassword

Why do you want to use "sasldb" with passwords stored in cleartext? Sure, it supports various mechanisms that don't transmit the password from the user to the server, but the bigger risk is *storing* the password on the server. You're generally much better off with hashed passwords and PLAIN inside TLS.

> $cat /etc/sasl2/smtpd.conf
> pwcheck_method: auxprop
> log_level: 4
> mech_list: PLAIN

When using "auxprop", I'd expect to also see a setting for "auxprop_plugin", and perhaps additional related parameters.

> smtpd_sasl_auth_enable = yes
> smtpd_sasl_authenticated_header = no
> smtpd_sasl_exceptions_networks =
> smtpd_sasl_local_domain =
> smtpd_sasl_path = smtpd
> smtpd_sasl_response_limit = 12288
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_service = smtpd
> smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
> smtpd_sasl_type = cyrus

Ideally, you also have "smtpd_tls_auth_only = yes".

> Since the Debian default is to run Postfix chroot, I applied the fix
> suggested to make the SASL socket available to Postfix (OPTIONS below)

Instead, get smtpd(8) + SASL working *without* chroot first. With "auxprop" and "sasldb", smtpd(8) would need to be able to read the SASL database, which would be challenging after chroot, and perhaps also when running as the "postfix" user, rather than "root".

You'd be better off with "saslauthd" + PAM, and ideally limit which users are eligible to authenticate that way, in case some accounts that should not authenticate have weak passwords. I use the "dovecot" SASL driver, with:

    # cat /etc/pam.d/dovecot
    auth required pam_group.so no_warn group=pamimap
    auth required pam_unix.so no_warn

Users have to be in group "pamimap" in order to use the "pam" backend.
> $ cat /etc/default/saslauthd
> START=yes
> DESC="SASL Authentication Daemon"
> NAME="saslauthd"
> MECHANISMS="sasldb"
> MECH_OPTIONS=""
> THREADS=5
> OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

You're not using "saslauthd"; that's an alternative "pwcheck_method" to "auxprop" (that you should consider instead, via "saslauthd -a pam", or use the dovecot driver).

-- 
    Viktor.
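As an added illustration (not part of the thread, and not Postfix or Cyrus SASL code), the following POSIX shell helper audits the three points raised above: "pwcheck_method: auxprop" (sasldb with cleartext passwords, which smtpd(8) would also need to read inside the chroot), saslauthd configured with MECHANISMS="sasldb" instead of pam, and a main.cf without "smtpd_tls_auth_only = yes". The file paths, the function names and the sample configuration at the bottom are constructed for the example.

```shell
#!/bin/sh
# Audit helper (added example): reads a Postfix main.cf, a Cyrus
# /etc/sasl2/smtpd.conf and a Debian /etc/default/saslauthd, prints one
# line per weak setting and returns the number of findings (0 = clean).

# Last value of "key = value" (main.cf), "key: value" (smtpd.conf) or
# KEY="value" (/etc/default/saslauthd); surrounding quotes are stripped.
cfg_get() {  # $1=file $2=key
    sed -n "s/^[[:space:]]*$2[[:space:]]*[=:][[:space:]]*//p" "$1" \
        | tail -n 1 | tr -d '"'
}

audit_sasl() {  # $1=main.cf $2=smtpd.conf $3=/etc/default/saslauthd
    count=0
    if [ "$(cfg_get "$2" pwcheck_method)" = "auxprop" ]; then
        echo "smtpd.conf: pwcheck_method auxprop (sasldb) stores cleartext passwords and must be readable by smtpd, also inside the chroot; prefer saslauthd -a pam or the dovecot driver"
        count=$((count + 1))
    fi
    if [ "$(cfg_get "$3" MECHANISMS)" = "sasldb" ]; then
        echo "saslauthd: MECHANISMS=sasldb; use MECHANISMS=pam and restrict eligible users with pam_group"
        count=$((count + 1))
    fi
    if [ "$(cfg_get "$1" smtpd_tls_auth_only)" != "yes" ]; then
        echo "main.cf: smtpd_tls_auth_only is not 'yes'; PLAIN would be offered on unencrypted sessions"
        count=$((count + 1))
    fi
    return "$count"
}

# Constructed sample files mirroring the poster's configuration.
dir=$(mktemp -d)
printf 'smtpd_sasl_auth_enable = yes\nsmtpd_sasl_type = cyrus\n' > "$dir/main.cf"
printf 'pwcheck_method: auxprop\nlog_level: 4\nmech_list: PLAIN\n' > "$dir/smtpd.conf"
printf 'START=yes\nMECHANISMS="sasldb"\nTHREADS=5\n' > "$dir/saslauthd"
audit_sasl "$dir/main.cf" "$dir/smtpd.conf" "$dir/saslauthd" && rc=0 || rc=$?
echo "findings: $rc"
rm -rf "$dir"
```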