[pfx] Re: Documentation - SASL Howto - Errors and Misdirections

2025-08-12 Thread Matus UHLAR - fantomas via Postfix-users
, and SHOULD be deployed with a backend that stores password hashes. Aha. No, the Postfix filter is optional, if you're willing to tolerate whatever mechanisms SASL offers, and with the Postfix filter set, it should be possible to let SASL advertise whatever mechanisms it has available. You s

[pfx] Re: Documentation - SASL Howto - Errors and Misdirections

2025-08-11 Thread James Feeney via Postfix-users
that stores password hashes. Aha. > No, the Postfix filter is optional, if you're willing to tolerate whatever > mechanisms SASL offers, and with the Postfix filter set, it should be > possible to let SASL advertise whatever mechanisms it has available. You > should not have to set bo

[pfx] Re: Documentation - SASL Howto - Errors and Misdirections

2025-08-11 Thread Viktor Dukhovni via Postfix-users
es/passwordserver_sasl/cyrus_sasl/doc/sysadmin.html > > For simplicity sake, the Cyrus SASL library stores plaintext passwords > only in the /etc/sasldb2 database. These passwords are then shared > among all mechanisms which choose to use it. Outdated threat model. DO NOT do th

[pfx] Re: Documentation - SASL Howto - Errors and Misdirections

2025-08-11 Thread James Feeney via Postfix-users
I just have /etc/sasl2/smtpd.conf using "auxprop_plugin: sasldb", and sasldb only provides plaintext passwords. As emphasized at https://web.mit.edu/darwin/src/modules/passwordserver_sasl/cyrus_sasl/doc/sysadmin.html For simplicity sake, the Cyrus SASL library stores plaintext passwords

[pfx] Re: Documentation - SASL Howto - Errors and Misdirections

2025-08-11 Thread Viktor Dukhovni via Postfix-users
t_sasl_authenticated > > will fail with "554" and "Relay access denied;". For what should be obvious reasons. :-) A restriction grammar without rule order/precedence is unusable. Either all the deny rules are useless, or none of them can be preëmpted by specific e

[pfx] Re: Documentation - SASL Howto - Errors and Misdirections

2025-08-11 Thread James Feeney via Postfix-users
icated,reject_unauth_destination will work, but: -o smtpd_relay_restrictions=reject_unauth_destination,permit_sasl_authenticated will fail with "554" and "Relay access denied;". Your summary would be a useful addition to the SASL documentation - though better without t

[pfx] Re: Documentation - SASL Howto - Errors and Misdirections

2025-08-10 Thread Viktor Dukhovni via Postfix-users
s to first take the time to understand them. Anyway, that's all about the timing. As for questions that are actually about SASL, some of that documentation could likely be better. But you'll need to take the time to be sure that the new advice isn't unduly biased by the specifics you

[pfx] Re: Documentation - SASL Howto - Errors and Misdirections

2025-08-10 Thread Wietse Venema via Postfix-users
on are > > skipped. Since with "smtpd_delay_reject = no" the client restrictions > > are evaluated at connect (before issuing the SMTP server's banner), > > it is *impossible* to evaluate SASL restrictions. If you explicitly override the rule evaluation order with

[pfx] Re: Documentation - SASL Howto - Errors and Misdirections

2025-08-10 Thread James Feeney via Postfix-users
_reject = no" the client restrictions > are evaluated at connect (before issuing the SMTP server's banner), > it is *impossible* to evaluate SASL restrictions. > > This is NOT in any way specific to SASL, the same applies to: > >     # This has

[pfx] Re: Documentation - SASL Howto - Errors and Misdirections

2025-08-08 Thread Viktor Dukhovni via Postfix-users
On Fri, Aug 08, 2025 at 10:22:30PM -0600, James Feeney via Postfix-users wrote: > 3) In the postfix configuration, SASL will not even work when the > postfix "restrictions" otherwise fail. And those restrictions become > confusing with the statement in > h

[pfx] Documentation - SASL Howto - Errors and Misdirections

2025-08-08 Thread James Feeney via Postfix-users
https://www.postfix.org/SASL_README.html Use case: local submissions - port 465, Cyrus SASL with sasldb, .local domain with dnsmasq, and TLS 1) The section "Cyrus SASL Plugins - auxiliary property plugins" is out of place, with the "Plugin" table shown separately and fa

[pfx] Re: Help with SASL Authentication Using /etc/sasldb2 in Postfix

2025-04-05 Thread Wietse Venema via Postfix-users
wouldsmina via Postfix-users: > Hello, > > I am facing an issue with configuring Postfix to use /etc/sasldb2. I have > already set up SASL authentication, but authentication only works if > /etc/sasldb2 is included in the $FILE variable into > /usr/lib/postfix/configure-insta

[pfx] Re: Help with SASL Authentication Using /etc/sasldb2 in Postfix

2025-04-03 Thread wouldsmina via Postfix-users
On Debian, I thought the file was located in /etc/postfix/sasl/. But after creating the /etc/sasl/ directory and placing smtpd.conf inside, it worked! This information was indeed in the documentation, but I simply hadn’t understood it. *Cyrus SASL version 2.1.22 and newer additionally search in

[pfx] Help with SASL Authentication Using /etc/sasldb2 in Postfix

2025-04-03 Thread wouldsmina via Postfix-users
Hello, I am facing an issue with configuring Postfix to use /etc/sasldb2. I have already set up SASL authentication, but authentication only works if /etc/sasldb2 is included in the $FILE variable into /usr/lib/postfix/configure-instance.sh file. However, I am not sure if modifying $FILE is

[pfx] Re: How to setup Postfix with Cyrus SASL authentification?

2025-03-12 Thread Matus UHLAR - fantomas via Postfix-users
On 12.03.25 14:24, J J via Postfix-users wrote: I am looking to setup Postfix with Cyrus SASL authentification. I am running Ubuntu Server 24.02 I have followed the instructions but all I get is a Mar 12 14:36:22 smtp1 postfix/smtpd[16613]: > soruceserver.domain.local[192.168.12.42]:

[pfx] How to setup Postfix with Cyrus SASL authentification?

2025-03-12 Thread J J via Postfix-users
Hello I am looking to setup Postfix with Cyrus SASL authentification. I am running Ubuntu Server 24.02 I have followed the instructions but all I get is a Mar 12 14:36:22 smtp1 postfix/smtpd[16613]: > soruceserver.domain.local[192.168.12.42]: 535 5.7.8 Error: authentication fai

[pfx] XOAUTH2 client (was: SASL options)

2024-12-22 Thread Wietse Venema via Postfix-users
Alexander Leidinger via Postfix-users: > Am 2024-12-22 01:39, schrieb Peter via Postfix-users: > > On 22/12/24 02:54, Michael Tokarev via Postfix-users wrote: > >> > >> However, there are other mechanisms being developed, for example > >> OAUTH2, > >>

[pfx] Re: SASL options

2024-12-22 Thread Alexander Leidinger via Postfix-users
Am 2024-12-22 01:39, schrieb Peter via Postfix-users: On 22/12/24 02:54, Michael Tokarev via Postfix-users wrote: However, there are other mechanisms being developed, for example OAUTH2, which, in terms of Cyrus SASL, does not work with saslauthd at all, I don't see why it wouldn

[pfx] Re: SASL options

2024-12-22 Thread Peter via Postfix-users
On 22/12/24 23:22, Michael Tokarev via Postfix-users wrote: Cyrus SASL is a separate thing in people minds because it is a separate, independent library/subsystem.  You can install a separate package named this way.  But in Dovecot it is an integral part of a larger system, it is not viewed

[pfx] Re: SASL options

2024-12-22 Thread Michael Tokarev via Postfix-users
22.12.2024 13:13, Tomasz Pala via Postfix-users wrote: Well, Cyrus is also not SASL-only... https://doc.dovecot.org/2.3/admin_manual/sasl/ is what I mean. Cyrus SASL is a separate thing in people minds because it is a separate, independent library/subsystem. You can install a separate

[pfx] Re: SASL options

2024-12-22 Thread Tomasz Pala via Postfix-users
it. Well, Cyrus is also not SASL-only... ___ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org

[pfx] Re: SASL options

2024-12-22 Thread Michael Tokarev via Postfix-users
22.12.2024 11:53, Peter via Postfix-users wrote: On 22/12/24 19:53, Michael Tokarev via Postfix-users wrote: However, there are other mechanisms being developed, for example OAUTH2, which, in terms of Cyrus SASL, does not work with saslauthd at all, I don't see why it wouldn't.

[pfx] Re: SASL options

2024-12-22 Thread Tomasz Pala via Postfix-users
On 2024-12-22 01:42, Peter via Postfix-users wrote: >> >> What's worth mentioning is that PLAIN/LOGIN also requires cleartext >> password storage - on the client side. > > This is not entirely true. It is possible for a client to store > passwords in an encrypted db which is decrypted with its o

[pfx] Re: SASL options

2024-12-22 Thread Michael Tokarev via Postfix-users
22.12.2024 11:53, Peter via Postfix-users wrote: [people treat dovecot sasl as part of dovecot] I realize that, but it's fairly easy to implement and easy to configure dovecot to only provide the SASL backend plus it does appear to be the most comprehensive, easiest to implement solutio

[pfx] Re: SASL options

2024-12-22 Thread Peter via Postfix-users
On 22/12/24 19:53, Michael Tokarev via Postfix-users wrote: 22.12.2024 03:39, Peter via Postfix-users wrote: On 22/12/24 02:54, Michael Tokarev via Postfix-users wrote: However, there are other mechanisms being developed, for example OAUTH2, which, in terms of Cyrus SASL, does not work with

[pfx] Re: SASL options

2024-12-21 Thread Michael Tokarev via Postfix-users
22.12.2024 03:39, Peter via Postfix-users wrote: On 22/12/24 02:54, Michael Tokarev via Postfix-users wrote: However, there are other mechanisms being developed, for example OAUTH2, which, in terms of Cyrus SASL, does not work with saslauthd at all, I don't see why it wouldn't.

[pfx] Re: SASL options

2024-12-21 Thread Peter via Postfix-users
On 22/12/24 03:19, Tomasz Pala via Postfix-users wrote: What's worth mentioning is that PLAIN/LOGIN also requires cleartext password storage - on the client side. This is not entirely true. It is possible for a client to store passwords in an encrypted db which is decrypted with its own pass

[pfx] Re: SASL options

2024-12-21 Thread Peter via Postfix-users
On 22/12/24 02:54, Michael Tokarev via Postfix-users wrote: However, there are other mechanisms being developed, for example OAUTH2, which, in terms of Cyrus SASL, does not work with saslauthd at all, I don't see why it wouldn't. so needs direct integration within postfix in

[pfx] Re: SASL options

2024-12-21 Thread Michael Tokarev via Postfix-users
21.12.2024 19:51, Wietse Venema via Postfix-users wrote: Michael Tokarev via Postfix-users: I still yet to see the reason for this, besides a statement "chroot is painless for freebsd but for linux is unsupportable", which is nothing but a big old myth, since the two works the same. That is a

[pfx] Re: SASL options

2024-12-21 Thread Wietse Venema via Postfix-users
Michael Tokarev via Postfix-users: > I still yet to see the reason for this, besides a statement "chroot is > painless for freebsd but for linux is unsupportable", which is nothing > but a big old myth, since the two works the same. That is a myth, because we already discussed that glibc needs fil

[pfx] Re: SASL options

2024-12-21 Thread Michael Tokarev via Postfix-users
21.12.2024 18:31, Wietse Venema via Postfix-users wrote: Michael Tokarev via Postfix-users: It *feels* like postfix needs some separation of this sasl stuff into its own process somehow, similar to how proxymap is done, so that eg cyrus sasl code is not linked directly into smtp[d] with all

[pfx] Re: SASL options

2024-12-21 Thread Wietse Venema via Postfix-users
Michael Tokarev via Postfix-users: > There's nothing in the docs saying if dovecot sasl can work with > non-plaintext mechanisms. In almost all docs and examples I've > found, dovecot side of the config is configured with > "auth_mechanisms = plain login". Ther

[pfx] Re: SASL options

2024-12-21 Thread Tomasz Pala via Postfix-users
On 2024-12-21 14:54, Michael Tokarev via Postfix-users wrote: > > cleartext password (storage) is required for many SASL mechanisms over > than PLAIN. And none of these mechanisms work with -a pam or with [...] > However, there are other mechanisms being developed, for example OAU

[pfx] Re: SASL options

2024-12-21 Thread Michael Tokarev via Postfix-users
21.12.2024 16:16, Viktor Dukhovni via Postfix-users wrote: On Sat, Dec 21, 2024 at 01:51:46PM +0300, Michael Tokarev via Postfix-users wrote: ... As far as I can see, Cyrus SASL can work with plaintext methods using saslauthd (which has very simple username,password => ok|bad protocol),

[pfx] Re: SASL options

2024-12-21 Thread Tomasz Pala via Postfix-users
On 2024-12-21 11:51, Michael Tokarev via Postfix-users wrote: > > We've basically two big kinds of SASL mechanisms: plaintext > (which are login and plain) and non-plaintext (everything else). [...] > There's nothing in the docs saying if dovecot sasl can work with > non-

[pfx] Re: SASL options

2024-12-21 Thread Viktor Dukhovni via Postfix-users
On Sat, Dec 21, 2024 at 01:51:46PM +0300, Michael Tokarev via Postfix-users wrote: > Hi! > > I'm trying to get a "big picture" about how postfix works with > various SASL options. It looks like there's a big overview > missing in the docs somehow. > >

[pfx] SASL options

2024-12-21 Thread Michael Tokarev via Postfix-users
Hi! I'm trying to get a "big picture" about how postfix works with various SASL options. It looks like there's a big overview missing in the docs somehow. We've basically two big kinds of SASL mechanisms: plaintext (which are login and plain) and non-plainte

[pfx] Re: dovecot sasl causes smtpd to stop working

2024-12-18 Thread Bill Cole via Postfix-users
On 2024-12-17 at 22:43:06 UTC-0500 (Wed, 18 Dec 2024 11:43:06 +0800) esd via Postfix-users is rumored to have said: Eventually I will remove sasl from port 25. But since port 25 can use sasl authentication, the reliability of the service should be ensured. None of Postfix can use

[pfx] Re: dovecot sasl causes smtpd to stop working

2024-12-18 Thread Tomasz Pala via Postfix-users
On 2024-12-18 04:43, esd via Postfix-users wrote: > Once dovecot sasl terminates unexpectedly, it will cause a complete > strike of smtpd on port 25. Any connection will not be responded. I Why is that? You have no logs? How many connections are established? Isn't the pool exhau

[pfx] Re: dovecot sasl causes smtpd to stop working

2024-12-18 Thread Wietse Venema via Postfix-users
Please give examples of SMTP conversations for - An SMTP client that must authenticate, with local recipient - An SMTP client that must authenticate, with remote recipient - An SMTP client that must not authenticate, with local recipient - An SMTP client that must not authenticate, with remote

[pfx] Re: dovecot sasl causes smtpd to stop working

2024-12-18 Thread Sad Clouds via Postfix-users
at do not > require authentication to process. It seems like you want something similar to opportunistic TLS, e.g. smtpd_tls_security_level = may but for SASL. I think the problem with SASL and everything else you try to squeeze on port 25: if SASL was opportunistic then anyone could easi

[pfx] Re: dovecot sasl causes smtpd to stop working

2024-12-17 Thread esd via Postfix-users
Eventually I will remove sasl from port 25. But since port 25 can use sasl authentication, the reliability of the service should be ensured. Once dovecot sasl terminates unexpectedly, it will cause a complete strike of smtpd on port 25. Any connection will not be responded. I think the high

[pfx] Re: dovecot sasl causes smtpd to stop working

2024-12-16 Thread Wietse Venema via Postfix-users
esd via Postfix-users: >   I found a problem during testing. Version postfix 3.9.0. > When using dovecot sasl for verification, if dovecot dies or the > network connecting to dovecot fails, smtpd will not be able to > return 220. Mail cannot be received. You enabled SASL AUTH on

[pfx] dovecot sasl causes smtpd to stop working

2024-12-16 Thread esd via Postfix-users
  I found a problem during testing. Version postfix 3.9.0. When using dovecot sasl for verification, if dovecot dies or the network connecting to dovecot fails, smtpd will not be able to return 220. Mail cannot be received. I used net socket to connect to dovecot. Is it possible to judge the

[pfx] Re: Postfix and sasl question

2024-10-23 Thread Jaroslaw Rafa via Postfix-users
Dnia 23.10.2024 o godz. 10:51:38 Ivan Ionut via Postfix-users pisze: > > Well, yes I do have submission service on the same server... and I > do have disabled SASL on port 25 and my logs on failed attempts are > something like this: > > Oct 23 08:15:12 myhost postfix/submis

[pfx] Re: Postfix and sasl question

2024-10-23 Thread Viktor Dukhovni via Postfix-users
On Wed, Oct 23, 2024 at 10:51:38AM +0300, Ivan Ionut via Postfix-users wrote: > 2) I have two lists of ipsets ip and ip-cidr blocked for ports > 110,143,993,995,465 - daily updated with a custom script That's too tedious to maintain. You can block known compromised SASL attempts on

[pfx] Re: Postfix and sasl question

2024-10-23 Thread Ivan Ionut via Postfix-users
On 23-10-2024 10:21, Viktor Dukhovni via Postfix-users wrote: On Wed, Oct 23, 2024 at 10:04:06AM +0300, Ivan Ionut via Postfix-users wrote: Does Postfix can detect an initiated sasl login (before any failed/success). If so, does it have built in option or I must create a shell script or

[pfx] Re: Postfix and sasl question

2024-10-23 Thread Viktor Dukhovni via Postfix-users
On Wed, Oct 23, 2024 at 10:04:06AM +0300, Ivan Ionut via Postfix-users wrote: > Does Postfix can detect an initiated sasl login (before any failed/success). > If so, does it have built in option or I must create a shell script or a > custom filter in master.cf for this? > > P.S.

[pfx] Postfix and sasl question

2024-10-23 Thread Ivan Ionut via Postfix-users
Does Postfix can detect an initiated sasl login (before any failed/success). If so, does it have built in option or I must create a shell script or a custom filter in master.cf for this? P.S. I'm interesting to allow my server to receive mails from a large blacklisted ips, but I wa

[pfx] Re: ignored: no SASL support

2024-08-27 Thread LinuxMail.cc via Postfix-users
Thanks victor. i have followed your suggestion to fix it up. regards. Viktor Dukhovni via Postfix-users: That parameter assignment serves no purpose. "reject_sender_login_mismatch" is an action (verb) for use a restriction list. It isn't a boolean configuration parameter (noun)

[pfx] Re: ignored: no SASL support

2024-08-27 Thread Viktor Dukhovni via Postfix-users
On Wed, Aug 28, 2024 at 06:22:27AM +0800, LinuxMail.cc via Postfix-users wrote: > Thank you so much for the help. Now I have resolved the issue. The logs show > nothing that error for now. > > Aug 28 06:15:49 linuxmail postfix/smtpd[39646]: connect from > mail-oo1-f65.google.com[209.85.161.65] >

[pfx] Re: ignored: no SASL support

2024-08-27 Thread LinuxMail.cc via Postfix-users
Hello victor, Thank you so much for the help. Now I have resolved the issue. The logs show nothing that error for now. Aug 28 06:15:49 linuxmail postfix/smtpd[39646]: connect from mail-oo1-f65.google.com[209.85.161.65] Aug 28 06:15:49 linuxmail policyd-spf[39652]: prepend Received-SPF: Pass

[pfx] Re: ignored: no SASL support

2024-08-27 Thread Viktor Dukhovni via Postfix-users
only be used on the submission ports, while on port 25, where SASL should be disabled, there is never a SASL username, so a "match" is never possible. If you want to disallow some sender addresses, use "check_sender_access". -- VIktor. __

[pfx] Re: ignored: no SASL support

2024-08-27 Thread LinuxMail.cc via Postfix-users
But I have to disable sasl on port 25. And I did enable sasl on port 465 (smtps). So I think the option 'smtpd_sender_login_maps' should be put in master.cf in smtps section. Am i right? Patrick Ben Koetter via Postfix-users: Enable SASL in Postfix

[pfx] Re: ignored: no SASL support

2024-08-27 Thread Patrick Ben Koetter via Postfix-users
hash:/etc/postfix/controlled_envelope_senders > ... > > Am I right? thank you in advance. You are wrong. The error that is being logged is because your Postfix smtpd server has not enabled SASL and since it isn't enabled you can't use smtpd_sender_login_maps to check if an identity is permit

[pfx] Re: ignored: no SASL support

2024-08-27 Thread LinuxMail.cc via Postfix-users
advance. Viktor Dukhovni via Postfix-users: The SASL-related restrictions should only be used on the submission ports 465 and 587.

[pfx] Re: ignored: no SASL support

2024-08-27 Thread Viktor Dukhovni via Postfix-users
On Tue, Aug 27, 2024 at 07:05:32PM +0800, hello--- via Postfix-users wrote: > Hello community, > > My postfix has got this log: > > Aug 27 16:49:04 linuxmail postfix/smtpd[34640]: warning: restriction > `reject_authenticated_sender_login_mismatch' ignored: no SASL su

[pfx] ignored: no SASL support

2024-08-27 Thread hello--- via Postfix-users
Hello community, My postfix has got this log: Aug 27 16:49:04 linuxmail postfix/smtpd[34640]: warning: restriction `reject_authenticated_sender_login_mismatch' ignored: no SASL support Aug 27 16:49:04 linuxmail postfix/smtpd[34640]: warning: restri

[pfx] Re: Intermittent fatal: no SASL authentication mechanisms

2024-08-09 Thread Stuart Armstrong via Postfix-users
First, why use SASL auth? It needs a database. Have you considered more scalable alternatives such as TLS client certificates? Postfix can use certificate fingerprints instead of PKI. Second, if you must use SASL auth: What is the authentication backend database query latency? Have you

[pfx] Re: Intermittent fatal: no SASL authentication mechanisms

2024-08-08 Thread Wietse Venema via Postfix-users
First, why use SASL auth? It needs a database. Have you considered more scalable alternatives such as TLS client certificates? Postfix can use certificate fingerprints instead of PKI. Second, if you must use SASL auth: What is the authentication backend database query latency? Have you looked at

[pfx] Re: Intermittent fatal: no SASL authentication mechanisms

2024-08-08 Thread Stuart Armstrong via Postfix-users
Some feedback. It may be possible that you're running out of file handles, either the kernel limit, or the per-process limit. I did not have time to actively check this. postconf "max_use = 10" postfix reload Error fatal: no SASL authentication mechanisms and postf

[pfx] Re: Intermittent fatal: no SASL authentication mechanisms

2024-08-07 Thread Wietse Venema via Postfix-users
Wietse Venema via Postfix-users: > Stuart Armstrong via Postfix-users: > > Thank you for your response. For clarity, this issue has been present > > for several weeks now. > > > > > warning: SASL: Connect to Dovecot auth socket 'private/auth' > >

[pfx] Re: Intermittent fatal: no SASL authentication mechanisms

2024-08-07 Thread Wietse Venema via Postfix-users
Stuart Armstrong via Postfix-users: > Thank you for your response. For clarity, this issue has been present > for several weeks now. > > > warning: SASL: Connect to Dovecot auth socket 'private/auth' > > failed: REASON FOR FAILURE HERE > I do not have

[pfx] Re: Intermittent fatal: no SASL authentication mechanisms

2024-08-07 Thread Stuart Armstrong via Postfix-users
Thank you for your response. For clarity, this issue has been present for several weeks now. warning: SASL: Connect to Dovecot auth socket 'private/auth' failed: REASON FOR FAILURE HERE I do not have this warning in the logs. Can you try these commands: postcon

[pfx] Re: Intermittent fatal: no SASL authentication mechanisms

2024-08-07 Thread Wietse Venema via Postfix-users
Stuart Armstrong via Postfix-users: > Hello, > > Currently our Postfix server is experiencing a problem with intermittent > SASL auth problems. With all the useless debug logging you forgot to include this important log message: warning: SASL: Connect to Dovecot auth socket

[pfx] Intermittent fatal: no SASL authentication mechanisms

2024-08-07 Thread Stuart Armstrong via Postfix-users
Hello, Currently our Postfix server is experiencing a problem with intermittent SASL auth problems. This mail server worked well up to a point, when the "fatal: no SASL authentication mechanisms" errors started. From this point I started researching and changing the m

[pfx] Re: Cyrus SASL summary

2024-07-18 Thread Kenneth Porter via Postfix-users
On 7/18/2024 2:52 AM, Jaroslaw Rafa via Postfix-users wrote: Can Dovecot do client auth at all? All the docs say that Dovecot can do only submission auth, for client auth you must use Cyrus. Also the link quoted above is basically all about configuring client auth with Cyrus, for Dovecot it just

[pfx] Re: Cyrus SASL summary

2024-07-18 Thread Jaroslaw Rafa via Postfix-users
Dnia 17.07.2024 o godz. 17:15:07 Kenneth Porter via Postfix-users pisze: > On 7/16/2024 8:59 AM, Scott Kitterman via Postfix-users wrote: > >I didn't write this, but this, FYI, seems to be the most current distro > >documentation on how to configure it: > > > >https://wiki.debian.org/PostfixAndSASL

[pfx] Re: Cyrus SASL summary

2024-07-17 Thread Kenneth Porter via Postfix-users
On 7/16/2024 8:59 AM, Scott Kitterman via Postfix-users wrote: I didn't write this, but this, FYI, seems to be the most current distro documentation on how to configure it: https://wiki.debian.org/PostfixAndSASL Note that the Dovecot example in the Debian wiki is about client authentication (

[pfx] Re: Cyrus SASL summary

2024-07-17 Thread Viktor Dukhovni via Postfix-users
On Tue, Jul 16, 2024 at 11:59:55AM -0400, Scott Kitterman via Postfix-users wrote: > > Note, "undo" isn't quite what I'm suggesting, rather I hope Debian will > > replace the hardcoded preëmpt of the Cyrus SASL configuration directory, > > by a default

[pfx] Re: Cyrus SASL summary

2024-07-16 Thread Scott Kitterman via Postfix-users
On Friday, July 5, 2024 4:00:59 AM EDT Viktor Dukhovni via Postfix-users wrote: > On Thu, Jul 04, 2024 at 05:01:41PM -, John Levine via Postfix-users > wrote: > > > OK, I'll invent a user. Perhaps if we can get Scott to undo the control > > file move he can add a

[pfx] Re: SASL authentication - first try local and then AD in postfix

2024-07-08 Thread Viktor Dukhovni via Postfix-users
[ No need to "Cc:" me in replies, just reply to the list. It is unfortunate that mailman moves my address from "From:" to "Reply-To:", that's very much not my intent. ] On Tue, Jul 09, 2024 at 11:50:40AM +1000, hkhk_exact10 wrote: > > with much additional configuration needed for pam_ldap. >

[pfx] Re: SASL authentication - first try local and then AD in postfix

2024-07-08 Thread hkhk_exact10 via Postfix-users
tup SMTP authentication in such a way that the user > > > should first be looked locally (/etc/passwd) and then in AD. Is it > > > possible to do so? I was able to configure AD auth via sasl (cyrus), > > > but couldn't do both. > > > > Cyrus SASL i

[pfx] Re: SASL authentication - first try local and then AD in postfix

2024-07-08 Thread hkhk_exact10 via Postfix-users
Hi Patrick, Cyrus SASL is able to use saslauthd in order to authenticate users in > /etc/passwd. I don’t know what you did with Cyrus SASL to configure AD > authentication, but assuming it would be a method called foobar you would > configure Cyrus SASL to use the following list of

[pfx] Re: SASL authentication - first try local and then AD in postfix

2024-07-08 Thread Viktor Dukhovni via Postfix-users
On Mon, Jul 08, 2024 at 08:39:54AM +0200, Patrick Ben Koetter via Postfix-users wrote: > > I want to setup SMTP authentication in such a way that the user > > should first be looked locally (/etc/passwd) and then in AD. Is it > > possible to do so? I was able to configure AD au

[pfx] Re: SASL authentication - first try local and then AD in postfix

2024-07-07 Thread Patrick Ben Koetter via Postfix-users
Sandeep, > Am 08.07.2024 um 07:37 schrieb hkhk_exact10 via Postfix-users > : > > Hi All, > > I want to setup SMTP authentication in such a way that the user should first > be looked locally (/etc/passwd) and then in AD. Is it possible to do so? I > was able to co

[pfx] SASL authentication - first try local and then AD in postfix

2024-07-07 Thread hkhk_exact10 via Postfix-users
Hi All, I want to setup SMTP authentication in such a way that the user should first be looked locally (/etc/passwd) and then in AD. Is it possible to do so? I was able to configure AD auth via sasl (cyrus), but couldn't do both. Regards, Sa

[pfx] Re: Cyrus SASL summary

2024-07-05 Thread Scott Kitterman via Postfix-users
On July 5, 2024 3:03:58 PM UTC, Viktor Dukhovni via Postfix-users wrote: >On Fri, Jul 05, 2024 at 08:45:49AM -0400, Scott Kitterman via Postfix-users >wrote: > >> > Note, "undo" isn't quite what I'm suggesting, rather I hope Debian will >> >

[pfx] Re: Cyrus SASL summary

2024-07-05 Thread Viktor Dukhovni via Postfix-users
On Fri, Jul 05, 2024 at 08:45:49AM -0400, Scott Kitterman via Postfix-users wrote: > > Note, "undo" isn't quite what I'm suggesting, rather I hope Debian will > > replace the hardcoded preëmpt of the Cyrus SASL configuration directory, > > by a default

[pfx] Re: Cyrus SASL summary

2024-07-05 Thread Scott Kitterman via Postfix-users
On Friday, July 5, 2024 4:00:59 AM EDT Viktor Dukhovni via Postfix-users wrote: > On Thu, Jul 04, 2024 at 05:01:41PM -, John Levine via Postfix-users > wrote: > > > OK, I'll invent a user. Perhaps if we can get Scott to undo the control > > file move he can add a

[pfx] Re: Cyrus SASL summary

2024-07-05 Thread Viktor Dukhovni via Postfix-users
On Thu, Jul 04, 2024 at 05:01:41PM -, John Levine via Postfix-users wrote: > OK, I'll invent a user. Perhaps if we can get Scott to undo the control file > move he can add a sasl user at the same time. Note, "undo" isn't quite what I'm suggesting, rather

[pfx] Re: Cyrus SASL summary

2024-07-04 Thread John Levine via Postfix-users
According to Viktor Dukhovni via Postfix-users : >I don't recommend running "saslauthd" as the "postfix" user, better to >create a suitable dedicated user instead. OK, I'll invent a user. Perhaps if we can get Scott to undo the control file move he can add a s

[pfx] Re: Cyrus SASL summary

2024-07-04 Thread Wietse Venema via Postfix-users
Viktor Dukhovni via Postfix-users: > > * Both postfix and the daemon need to be able to open and read and > > write the socket. The sasl package adds a sasl group but not a sasl > > user, so I added postfix to the users for the sasl group, and run the > > daemon as postfix:

[pfx] Re: Cyrus SASL summary

2024-07-04 Thread Matus UHLAR - fantomas via Postfix-users
On Wed, Jul 03, 2024 at 09:48:06PM -0400, John Levine via Postfix-users wrote: * Both postfix and the daemon need to be able to open and read and write the socket. The sasl package adds a sasl group but not a sasl user, so I added postfix to the users for the sasl group, and run the daemon as

[pfx] Re: Cyrus SASL summary

2024-07-03 Thread Viktor Dukhovni via Postfix-users
On Wed, Jul 03, 2024 at 09:48:06PM -0400, John Levine via Postfix-users wrote: > * Debian moved the sasl configuration file to a nonstandard place > /etc/postfix/sasl/smtpd.conf > Dunno how I would have figured that out if someone here hadn't told me. This is unfortunate, and I ra

[pfx] Cyrus SASL summary

2024-07-03 Thread John Levine via Postfix-users
I think these are the main things I learned: * Debian moved the sasl configuration file to a nonstandard place /etc/postfix/sasl/smtpd.conf Dunno how I would have figured that out if someone here hadn't told me. * The socket that the sasl daemon uses has to be inside the postfix chroo

[pfx] Re: Still no luck with Cyrus SASL

2024-07-03 Thread John Levine via Postfix-users
It appears that Patrick Ben Koetter via Postfix-users said: >IIRC Debian patches Postfix and expects smtpd.conf to be located in >/etc/postfix/sasl/smtpd.conf. Have you tried this? I just did and it worked. Thanks, everyone. Now I have to back out my hacks one by one and make sure I unde

[pfx] Re: Still no luck with Cyrus SASL

2024-07-03 Thread Matus UHLAR - fantomas via Postfix-users
On 02.07.24 17:15, John R. Levine via Postfix-users wrote: [...] In main.cf it has the debian default config, and I added this: smtp_sasl_type = cyrus smtpd_sasl_path = smtpd cyrus_sasl_config_path = /usr/lib/sasl2 Try commenting this out. Per the instructions in the postfix SASL page and

[pfx] Re: Still no luck with Cyrus SASL

2024-07-03 Thread Wietse Venema via Postfix-users
Use strace to find out what pathname Postfix (through libsasl) is trying to connect to. 1 - Connect to Postfix with gnutls-cli or "openssl s_client". 2 - Run "strace -p pid-of-smtpd -o output-file". 3 - Send EHLO, AUTH, QUIT. 4 - Look in the trace created in [2] and populated in [3]. W

[pfx] Re: Still no luck with Cyrus SASL

2024-07-03 Thread Viktor Dukhovni via Postfix-users
r Debian) > > directory. Note that this setting does include the "/mux" suffix. > > IIRC Debian patches Postfix and expects smtpd.conf to be located in > /etc/postfix/sasl/smtpd.conf. Have you tried this? See: https://salsa.debian.org/postfix-team/postfix-dev/-/blob/debia

[pfx] Re: Still no luck with Cyrus SASL

2024-07-03 Thread Patrick Ben Koetter via Postfix-users
> > > I will, see below. > > Thanks, generally best to do that early when delving into configuration > conundrums. > > > >What's the evidence that "saslauthd" is not used? > > > > I have saslauthd in debug mode so it reports when anything t

[pfx] Re: Still no luck with Cyrus SASL

2024-07-02 Thread Viktor Dukhovni via Postfix-users
delving into configuration conundrums. > >What's the evidence that "saslauthd" is not used? > > I have saslauthd in debug mode so it reports when anything talks to > it. As I said, the sasl test client works fine and it reports that, so > I know that works.

[pfx] Re: Still no luck with Cyrus SASL

2024-07-02 Thread John Levine via Postfix-users
>> to >> the daemon. > >What's the evidence that "saslauthd" is not used? I have saslauthd in debug mode so it reports when anything talks to it. As I said, the sasl test client works fine and it reports that, so I know that works. >> 535 5.7.8 Error: auth

[pfx] Re: Still no luck with Cyrus SASL

2024-07-02 Thread Viktor Dukhovni via Postfix-users
ports csh-style brace expansion: # ls -ld /var/spool/postfix{,/var{,/run,{/saslauthd{,/mux > But when I try to get postfix to authenticate, I cannot get it even to talk to > the daemon. What's the evidence that "saslauthd" is not used? > $ gnutls-cli --no-ca-ve

[pfx] Re: Still no luck with Cyrus SASL

2024-07-02 Thread Wietse Venema via Postfix-users
John R. Levine via Postfix-users: > The daemon works fine either way, per the test above, but postfix > doesn't talk to it. I can't share first-hand experiences, but I know that Postfix never talks to saslauthd. Instead, libsasl does the talking. It may be instructive to compare strace outputs

[pfx] Re: Still no luck with Cyrus SASL

2024-07-02 Thread Jim P. via Postfix-users
smtpd_sasl_mechanism_filter = login, plain I use the Debian default of: smtpd_sasl_mechanism_filter = !external, static:rest > Per the instructions in the postfix SASL page and the Cyrus SASL doc > page I put this both in /etc/sasl2/smtpd.conf and in > /usr/lib/sasl2/smtpd.conf since

[pfx] Still no luck with Cyrus SASL

2024-07-02 Thread John R. Levine via Postfix-users
I've been poking at this for a week with no luck at all. I presume I am doing something dumb but I can't see what. I have what I think is a bog standard debian system running in a virtual machine on my laptop, with the usual postfix and sasl packages. All of the mail addresses and

[pfx] Re: Using postfwd for sasl auth clients only?

2024-06-27 Thread Matus UHLAR - fantomas via Postfix-users
On 27.06.24 08:15, Gilgongo via Postfix-users wrote: I have some simple postfwd rules that count the number of emails being sent per hour/day per sasl account (and reject once a limit is reached). I'm not sure how best to implement that though. Should I just have the following in master.c

[pfx] Re: working simple config for cyrus SASL

2024-06-27 Thread Matus UHLAR - fantomas via Postfix-users
On 26.06.24 16:29, John Levine via Postfix-users wrote: I'm trying to set up a little POP toaster on debian that has a few addresses all in virtual domains. I'm using Cyrus SASL (no Dovecot allowed for reasons) and to keep it simple, I'm using sasldb authentication. I can set up

[pfx] Using postfwd for sasl auth clients only?

2024-06-27 Thread Gilgongo via Postfix-users
I have some simple postfwd rules that count the number of emails being sent per hour/day per sasl account (and reject once a limit is reached). I'm not sure how best to implement that though. Should I just have the following in master.cf? So if an account sent a CC to [n] addresses, the
