On Mon, May 30, 2022 at 12:15:19AM -0400, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
> On Mon, May 30, 2022 at 12:48:46PM +1000, raf wrote:
>
> > I don't think that's entirely correct. On Debian, for
> > example, the default value of cyrus_sasl_config_path is
> > empty, and /etc/postfix/sasl is the directory that is
> > used.
>
> Well, how exactly does that happen? I don't see any patches to Postfix
> that would make it so at first blush. Changes to Cyrus SASL to always
> look in /etc/postfix even for non-Postfix applications are exceedingly
> unlikely, so something in Postfix would have to call sasl_set_path(3),
> and that code uses the "cyrus_sasl_config_path" parameter.
>
> > They haven't changed the default value to be non-empty.
>
> So what did they do?
>
> > $ postconf -d cyrus_sasl_config_path
> > cyrus_sasl_config_path =
> > $ postconf cyrus_sasl_config_path
> > cyrus_sasl_config_path =
> > $ dpkg-query -S /etc/postfix/sasl
> > postfix: /etc/postfix/sasl
>
> What would make anything look there?
>
> --
> Viktor.

That's a very good question. I have no idea. I searched for
/etc/postfix/sasl in all files, not just the executable ones, and
found nothing that explains it. And there are no symlinks to it,
either.

The Debian Postfix/SASL wiki page definitely indicates that that
directory is where Postfix's SASL config files go:

https://wiki.debian.org/PostfixAndSASL

But that doesn't explain how it works. The wiki page doesn't give
instructions to set cyrus_sasl_config_path. Debian does provide its
own default main.cf file, but cyrus_sasl_config_path isn't set in
there.

I've asked the postfix package maintainer for an explanation. I'll
let you know if he answers.

I experimented to see if /etc/postfix/sasl is really used, and it
looks like it isn't. I think that my settings just happen to coincide
with libsasl2's defaults. I'm explicitly setting smtpd_sasl_type and
smtpd_sasl_path to their default values in main.cf (cyrus and smtpd).
And Postfix's SASL readme and Debian's postfix package's contents
lead me to think that /etc/postfix/sasl was important, and it all
worked, but I just noticed that the 250-AUTH response includes NTLM
which isn't in the mech_list directive of the
/etc/postfix/conf/smtpd.conf file.

So I renamed /etc/postfix/sasl/smtpd.conf to something else, and
restarted postfix, and it still worked. So that directory is
irrelevant. If I rename the file back, and symlink /etc/sasl2 to
/etc/postfix/sasl, then the NTLM disappears from the 250-AUTH
response and matches the config file.

So, even though the Postfix SASL readme suggests the possibility, and
the Debian postfix package and the Debian Postfix SASL wiki page
indicate otherwise, there is nothing on Debian that makes libsasl2
look at /etc/postfix/sasl.

Also, the default smtpd.conf file (when none is found) must be the
equivalent of:

    pwcheck_method: auxprop
    auxprop_plugin: sasldb
    mech_list: DIGEST-MD5 CRAM-MD5 NTLM LOGIN PLAIN

I'll modify that wiki page to add an instruction to set
cyrus_sasl_config_path. It is an old page (2015). Presumably, it used
to be correct then.

And saslfinger definitely still thinks that /etc/postfix/sasl is
relevant. When I have /etc/postfix/sasl/smtpd.conf, saslfinger -s
reports its contents happily (because it looks in /etc/postfix/sasl
even when nothing else does), but when I rename it, saslfinger -s
claims that SASL can't work because there is no smtpd config.

Perhaps it was relevant in the past but something changed since 2015.

Actually, that wiki page is dreadful in several other ways. Thanks
for the question.

cheers,
raf
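
Added example, not part of the message above or of Postfix or Debian: a shell check that automates the comparison described in the message, listing mechanisms that appear in a saved EHLO reply but not in the mech_list of the smtpd.conf you expect libsasl2 to read. The function names, file names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Compare advertised SASL mechanisms with a Cyrus SASL smtpd.conf mech_list.
LC_ALL=C; export LC_ALL

# Print one uppercase mechanism per line from the config's mech_list.
mechs_from_conf() {
    sed -n 's/^[[:space:]]*mech_list[[:space:]]*:[[:space:]]*//p' "$1" |
        tr '[:lower:]' '[:upper:]' | tr -s ' \t' '\n\n' | sed '/^$/d' | sort -u
}

# Print one uppercase mechanism per line from a saved EHLO reply.
# Accepts "250-AUTH ...", "250 AUTH ..." and the legacy "250-AUTH=..." form.
mechs_from_ehlo() {
    tr -d '\r' < "$1" | sed -n 's/^250[- ]AUTH[ =]//p' |
        tr '[:lower:]' '[:upper:]' | tr -s ' ' '\n' | sed '/^$/d' | sort -u
}

# Mechanisms advertised but not configured. A non-empty result means the
# file given is not the configuration actually in effect.
unexpected_mechs() {
    configured=$(mechs_from_conf "$1")
    mechs_from_ehlo "$2" | grep -vxF -e "$configured" || true
}

# Constructed sample input (not captured from a real server).
sample_dir=$(mktemp -d)
cat > "$sample_dir/smtpd.conf" <<'EOF'
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN
EOF
printf '250-mail.example.org\r\n250-AUTH DIGEST-MD5 CRAM-MD5 NTLM LOGIN PLAIN\r\n250 8BITMIME\r\n' \
    > "$sample_dir/ehlo.txt"

unexpected_mechs "$sample_dir/smtpd.conf" "$sample_dir/ehlo.txt"
```

An empty result means every advertised mechanism is listed in the file; any output means the server is offering mechanisms the file does not allow, which is the symptom that exposed the unused directory here.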