sasl fails
Alexander Dalloz
ad+lists at uni-x.org
Wed Aug 24 20:05:55 UTC 2005
On Wed, 24.08.2005, at 20:40, Anne Ramey wrote:
> I just cannot seem to get my smtp auth working. I've read, and re-read
> the sasl_readme with no luck...I've followed those instructions. It
> appears that sasl is trying to use sasldb2 (which it's not supposed to,
> I'm trying to use pam). I'm running on fedora core 3. Someone on the
> postfix list replied and said I can't use pwcheck_method: saslauthd on
> FC3...is that true? I need to use pam/my passwd/shadow info for smtp
> auth, so if that is true, what is the work around? Many thanks.
It isn't true. Of course you can use saslauthd.
> [root@hedwig readme]# ps aux|grep sasl
> root 29058 0.0 0.0 19912 844 ? Ss 13:14 0:00
> /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
> root 29059 0.0 0.0 20984 1264 ? S 13:14 0:00
> /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
> root 29060 0.0 0.0 19912 844 ? S 13:14 0:00
> /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
> root 29061 0.0 0.0 19912 844 ? S 13:14 0:00
> /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
> root 29062 0.0 0.0 19912 844 ? S 13:14 0:00
> /usr/sbin/saslauthd -m /var/run/saslauthd -a pam
> root 29295 0.0 0.0 42400 668 pts/4 R+ 13:59 0:00 grep sasl
Proper. PAM here means you let PAM call system accounts, I guess.
> [root@hedwig readme]# testsaslauthd -u anner -p mypass
> 0: OK "Success."
Looks good.
> [root@hedwig readme]# cat /usr/lib/sasl2/smtpd.conf
> pwcheck_method: saslauthd
If you don't offer MD5 mechs because of your auth backend, then exclude
them. Add
mech_list: plain login
to smtpd.conf.
> [root@hedwig readme]# postconf -n
[ ... ]
> permit_sasl_authenticated, reject
> smtpd_sasl_auth_enable = yes
> transport_maps = mysql:/etc/postfix/transport.cf
> unknown_local_recipient_reject_code = 550
> virtual_alias_maps = mysql:/etc/postfix/virtual.cf
You should add
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
Required is
smtpd_sasl_local_domain =
For use with saslauthd leave it empty.
> When I try and use it with a standard mail client I get:
> Aug 24 13:53:52 daredevil postfix/smtpd[29286]: connect from
> h27.83.213.151.ip.alltel.net[151.213.83.27]
> Aug 24 13:53:56 daredevil postfix/smtpd[29286]: warning: SASL
> authentication problem: unable to open Berkeley db /etc/sasldb2: No such
> file or directory
The client tries an MD5 mech as you offer it (see below). But as you use PAM
and probably system accounts, you can't use MD5. So, as I told you above, remove
the MD5 mechs.
> Aug 24 13:53:56 daredevil postfix/smtpd[29286]: warning: SASL
> authentication problem: unable to open Berkeley db /etc/sasldb2: No such
> file or directory
> Aug 24 13:53:56 daredevil postfix/smtpd[29286]: warning: SASL
> authentication failure: no secret in database
> Aug 24 13:53:56 daredevil postfix/smtpd[29286]: warning:
> h27.83.213.151.ip.alltel.net[151.213.83.27]: SASL CRAM-MD5
> authentication failed
> Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: SASL
> authentication problem: unable to open Berkeley db /etc/sasldb2: No such
> file or directory
> Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: SASL
> authentication problem: unable to open Berkeley db /etc/sasldb2: No such
> file or directory
> Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: SASL
> authentication failure: no secret in database
> Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning:
> h27.83.213.151.ip.alltel.net[151.213.83.27]: SASL NTLM authentication failed
> Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: SASL
> authentication problem: unable to open Berkeley db /etc/sasldb2: No such
> file or directory
> Aug 24 13:53:57 daredevil last message repeated 4 times
> Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: SASL
> authentication failure: Password verification failed
The client tries the mechs you offer, but they are not valid for your setup.
> Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning:
> h27.83.213.151.ip.alltel.net[151.213.83.27]: SASL PLAIN authentication
> failed
> Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: SASL
> authentication problem: unable to open Berkeley db /etc/sasldb2: No such
> file or directory
> Aug 24 13:53:57 daredevil last message repeated 5 times
> Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning:
> h27.83.213.151.ip.alltel.net[151.213.83.27]: SASL LOGIN authentication
> failed
PLAIN and LOGIN fail too.
> When I try through telnet, my telnet session looks like this:
> [anner:~] anner% telnet 66.45.100.233 25
> Trying 66.45.100.233...
> Connected to 66.45.100.233.
> Escape character is '^]'.
> 220 hedwig.blast.com ESMTP Postfix
> EHLO anner.blast.com
> 250-hedwig.blast.com
> 250-PIPELINING
> 250-SIZE 10240000
> 250-VRFY
> 250-ETRN
> 250-AUTH CRAM-MD5 GSSAPI NTLM PLAIN DIGEST-MD5 LOGIN
> 250 8BITMIME
> AUTH PLAIN myEncodedUser&Pass
> 535 Error: authentication failed
It would be more helpful if you would create a test account and show real test data.
That would show us which format your user has (realm or not).
> [root@hedwig readme]# saslfinger -s
> saslfinger - postfix Cyrus sasl configuration Wed Aug 24 14:02:36 EDT 2005
> version: 0.9.9.1
> mode: server-side SMTP AUTH
>
> -- basics --
> Postfix: 2.2.5
Is that pasted or typed manually? The latest FC3 Postfix version is postfix-2.1.5-5.i386.rpm.
> System: Fedora Core release 3 (Heidelberg)
>
> -- smtpd is linked to --
> libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x0000003c6db00000)
>
> -- active SMTP AUTH and TLS parameters for smtpd --
> smtpd_sasl_auth_enable = yes
>
>
> -- listing of /usr/lib/sasl --
That does not matter: this is SASL version 1(.5).
> -- listing of /usr/lib/sasl2 --
> total 3052
> drwxr-xr-x 2 root root 4096 Aug 24 09:47 .
> drwxr-xr-x 94 root root 65536 Aug 24 09:53 ..
> -rwxr-xr-x 1 root root 875 Oct 7 2004 libanonymous.la
> -rwxr-xr-x 1 root root 12820 Oct 7 2004 libanonymous.so
> -rwxr-xr-x 1 root root 12820 Oct 7 2004 libanonymous.so.2
> -rwxr-xr-x 1 root root 12820 Oct 7 2004 libanonymous.so.2.0.19
> -rwxr-xr-x 1 root root 863 Oct 7 2004 libcrammd5.la
> -rwxr-xr-x 1 root root 15216 Oct 7 2004 libcrammd5.so
> -rwxr-xr-x 1 root root 15216 Oct 7 2004 libcrammd5.so.2
> -rwxr-xr-x 1 root root 15216 Oct 7 2004 libcrammd5.so.2.0.19
>
> -rwxr-xr-x 1 root root 884 Oct 7 2004 libdigestmd5.la
> -rwxr-xr-x 1 root root 42964 Oct 7 2004 libdigestmd5.so
> -rwxr-xr-x 1 root root 42964 Oct 7 2004 libdigestmd5.so.2
> -rwxr-xr-x 1 root root 42964 Oct 7 2004 libdigestmd5.so.2.0.19
> -rwxr-xr-x 1 root root 911 Oct 7 2004 libgssapiv2.la
> -rwxr-xr-x 1 root root 22292 Oct 7 2004 libgssapiv2.so
> -rwxr-xr-x 1 root root 22292 Oct 7 2004 libgssapiv2.so.2
> -rwxr-xr-x 1 root root 22292 Oct 7 2004 libgssapiv2.so.2.0.19
> -rwxr-xr-x 1 root root 851 Oct 7 2004 liblogin.la
> -rwxr-xr-x 1 root root 13296 Oct 7 2004 liblogin.so
> -rwxr-xr-x 1 root root 13296 Oct 7 2004 liblogin.so.2
> -rwxr-xr-x 1 root root 13296 Oct 7 2004 liblogin.so.2.0.19
> -rwxr-xr-x 1 root root 854 Oct 7 2004 libntlm.la
> -rwxr-xr-x 1 root root 29104 Oct 7 2004 libntlm.so
> -rwxr-xr-x 1 root root 29104 Oct 7 2004 libntlm.so.2
> -rwxr-xr-x 1 root root 29104 Oct 7 2004 libntlm.so.2.0.19
> -rwxr-xr-x 1 root root 851 Oct 7 2004 libplain.la
> -rwxr-xr-x 1 root root 13360 Oct 7 2004 libplain.so
> -rwxr-xr-x 1 root root 13360 Oct 7 2004 libplain.so.2
> -rwxr-xr-x 1 root root 13360 Oct 7 2004 libplain.so.2.0.19
> -rwxr-xr-x 1 root root 931 Oct 7 2004 libsasldb.la
> -rwxr-xr-x 1 root root 784960 Oct 7 2004 libsasldb.so
> -rwxr-xr-x 1 root root 784960 Oct 7 2004 libsasldb.so.2
> -rwxr-xr-x 1 root root 784960 Oct 7 2004 libsasldb.so.2.0.19
> -rw-r--r-- 1 root root 26 Aug 24 09:46 smtpd.conf
The required libs are installed.
> -- content of /usr/lib/sasl/smtpd.conf --
> pwcheck_method: saslauthd
> saslauthd_version: 2
Again SASL version 1.
> -- mechanisms on localhost --
> 250-AUTH CRAM-MD5 GSSAPI NTLM PLAIN DIGEST-MD5 LOGIN
Do not offer auth mechs which aren't provided by your auth backend.
> -- end of saslfinger output --
> Anne
Alexander
--
Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp
Serendipity 22:01:02 up 2 days, 18:44, load average: 0.15, 0.10, 0.12
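
Added example, not part of the original message: a small check of the mismatch diagnosed in this thread, comparing the mechanisms in an EHLO reply against what a saslauthd backend can verify. The "before" input is the smtpd.conf and AUTH line posted above; the "after" EHLO reply is constructed on the assumption that the suggested mech_list line is in place, and all function names are hypothetical.

```python
# Added example (not from the thread): flag advertised SASL mechanisms that a
# saslauthd password backend cannot verify.
PLAINTEXT = {"PLAIN", "LOGIN"}                      # saslauthd receives the cleartext password
SHARED_SECRET = {"CRAM-MD5", "DIGEST-MD5", "NTLM"}  # need a stored secret (sasldb)

def parse_sasl_conf(text):
    """Parse 'key: value' lines of a Cyrus SASL application config."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            conf[key.strip().lower()] = value.strip()
    return conf

def advertised_mechs(ehlo_reply):
    """Mechanisms from '250-AUTH ...' and '250-AUTH=...' lines, de-duplicated."""
    mechs = []
    for line in ehlo_reply.splitlines():
        line = line.strip()
        body = line[4:]                             # text after '250-' or '250 '
        if line.startswith("250") and body.upper().startswith(("AUTH ", "AUTH=")):
            mechs += body[5:].upper().split()
    return list(dict.fromkeys(mechs))

def audit(conf_text, ehlo_reply):
    """Return (offered mechanisms, findings) for a saslauthd-backed smtpd."""
    conf, offered, findings = parse_sasl_conf(conf_text), advertised_mechs(ehlo_reply), []
    if conf.get("pwcheck_method") != "saslauthd":
        return offered, ["pwcheck_method is not saslauthd; check does not apply"]
    if "mech_list" not in conf:
        findings.append("no mech_list: all installed mechanism plugins may be offered")
    for mech in offered:
        if mech in SHARED_SECRET:
            findings.append(f"{mech}: needs a stored secret, saslauthd cannot verify it")
        elif mech not in PLAINTEXT:
            findings.append(f"{mech}: not verified through saslauthd, confirm it is intended")
    return offered, findings

# Inputs: smtpd.conf and EHLO reply as posted in the thread, then a constructed
# "after" pair assuming the suggested mech_list line is in place.
BEFORE_CONF = "pwcheck_method: saslauthd\n"
BEFORE_EHLO = "250-hedwig.blast.com\n250-AUTH CRAM-MD5 GSSAPI NTLM PLAIN DIGEST-MD5 LOGIN\n250 8BITMIME\n"
AFTER_CONF = "pwcheck_method: saslauthd\nmech_list: plain login\n"
AFTER_EHLO = "250-hedwig.blast.com\n250-AUTH PLAIN LOGIN\n250 8BITMIME\n"  # constructed

if __name__ == "__main__":
    for name, conf, ehlo in (("before", BEFORE_CONF, BEFORE_EHLO), ("after", AFTER_CONF, AFTER_EHLO)):
        offered, findings = audit(conf, ehlo)
        print(name, offered, *("\n  - " + f for f in findings))
```

With only PLAIN and LOGIN left, the password is sent base64-encoded rather than hashed, so such a setup is normally paired with TLS (Postfix's smtpd_tls_auth_only = yes).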