sasl fails

Anne Ramey anner at blast.com
Wed Aug 24 20:55:46 UTC 2005



Alexander Dalloz wrote:
> On Wed, 24.08.2005 at 20:40, Anne Ramey wrote:
> 
> 
>>I just cannot seem to get my smtp auth working.  I've read, and re-read 
>>the sasl_readme with no luck...I've followed those instructions.  It 
>>appears that sasl is trying to use sasldb2 (which it's not supposed to, 
>>I'm trying to use pam).  I'm running on fedora core 3.  Someone on the 
>>postfix list replied and said I can't use pwcheck_method: saslauthd on 
>>FC3...is that true?  I need to use pam/my passwd/shadow info for smtp 
>>auth, so if that is true, what is the work around?  Many thanks.
> 
> 
> It isn't true. Of course you can use saslauthd.

Thanks for replying...that's what I thought
> 
> 
>>[root at hedwig readme]# ps aux|grep sasl
>>root     29058  0.0  0.0 19912  844 ?        Ss   13:14   0:00 
>>/usr/sbin/saslauthd -m /var/run/saslauthd -a pam
>>root     29059  0.0  0.0 20984 1264 ?        S    13:14   0:00 
>>/usr/sbin/saslauthd -m /var/run/saslauthd -a pam
>>root     29060  0.0  0.0 19912  844 ?        S    13:14   0:00 
>>/usr/sbin/saslauthd -m /var/run/saslauthd -a pam
>>root     29061  0.0  0.0 19912  844 ?        S    13:14   0:00 
>>/usr/sbin/saslauthd -m /var/run/saslauthd -a pam
>>root     29062  0.0  0.0 19912  844 ?        S    13:14   0:00 
>>/usr/sbin/saslauthd -m /var/run/saslauthd -a pam
>>root     29295  0.0  0.0 42400  668 pts/4    R+   13:59   0:00 grep sasl
> 
> 
> Proper. PAM here means you let PAM call system accounts, I guess.
> 
> 
>>[root at hedwig readme]# testsaslauthd -u anner -p mypass
>>0: OK "Success."
> 
> 
> Looks good.
> 
> 
>>[root at hedwig readme]# cat /usr/lib/sasl2/smtpd.conf
>>pwcheck_method: saslauthd
> 
> If you don't offer MD5 mechs because of your auth backend, then exclude
> them. Add
> 
> mech_list: plain login
> 
> to smtpd.conf.

I did, but it doesn't seem to have made any difference...
-- content of /usr/lib/sasl2/smtpd.conf --
pwcheck_method: saslauthd
mech_list: plain login

-- mechanisms on localhost --
250-AUTH CRAM-MD5 GSSAPI NTLM PLAIN DIGEST-MD5 LOGIN
250-AUTH=CRAM-MD5 GSSAPI NTLM PLAIN DIGEST-MD5 LOGIN

logs of an attempt:
Aug 24 16:45:34 daredevil postfix/smtpd[29695]: connect from 
h27.83.213.151.ip.alltel.net[151.213.83.27]
Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning: SASL 
authentication problem: unable to open Berkeley db /etc/sasldb2: No such 
file or directory
Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning: SASL 
authentication problem: unable to open Berkeley db /etc/sasldb2: No such 
file or directory
Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning: SASL 
authentication failure: no secret in database
Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning: 
h27.83.213.151.ip.alltel.net[151.213.83.27]: SASL CRAM-MD5 
authentication failed
Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning: SASL 
authentication problem: unable to open Berkeley db /etc/sasldb2: No such 
file or directory
Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning: SASL 
authentication problem: unable to open Berkeley db /etc/sasldb2: No such 
file or directory
Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning: SASL 
authentication failure: no secret in database
Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning: 
h27.83.213.151.ip.alltel.net[151.213.83.27]: SASL NTLM authentication failed
Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning: SASL 
authentication problem: unable to open Berkeley db /etc/sasldb2: No such 
file or directory
Aug 24 16:45:39 daredevil last message repeated 4 times
Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning: SASL 
authentication failure: Password verification failed
Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning: 
h27.83.213.151.ip.alltel.net[151.213.83.27]: SASL PLAIN authentication 
failed
Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning: SASL 
authentication problem: unable to open Berkeley db /etc/sasldb2: No such 
file or directory
Aug 24 16:45:39 daredevil last message repeated 5 times
Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning: 
h27.83.213.151.ip.alltel.net[151.213.83.27]: SASL LOGIN authentication 
failed

Why would it be trying to open Berkeley db /etc/sasldb2--it should be 
using pam?

> 
> 
>>[root at hedwig readme]# postconf -n
> 
> [ ... ] 
> 
>>permit_sasl_authenticated, reject
>>smtpd_sasl_auth_enable = yes
>>transport_maps = mysql:/etc/postfix/transport.cf
>>unknown_local_recipient_reject_code = 550
>>virtual_alias_maps = mysql:/etc/postfix/virtual.cf
> 
> 
> You should add
> 
> smtpd_sasl_security_options = noanonymous
> broken_sasl_auth_clients = yes
> 
> Required is
> 
> smtpd_sasl_local_domain =
> 
> For use with saslauthd leave it empty.
Had those first but removed them in testing.  Now I have:
-- active SMTP AUTH and TLS parameters for smtpd --
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous

> 
> 
>>When I try and use it with a standard mail client I get:
>>Aug 24 13:53:52 daredevil postfix/smtpd[29286]: connect from 
>>h27.83.213.151.ip.alltel.net[151.213.83.27]
>>Aug 24 13:53:56 daredevil postfix/smtpd[29286]: warning: SASL 
>>authentication problem: unable to open Berkeley db /etc/sasldb2: No such 
>>file or directory
> 
> 
> The client tries an MD5 mech as you offer it (see below). But as you use PAM
> and probably system accounts you can't use MD5. So as I told you above remove
> MD5 mechs.
> 
> 
>>Aug 24 13:53:56 daredevil postfix/smtpd[29286]: warning: SASL 
>>authentication problem: unable to open Berkeley db /etc/sasldb2: No such 
>>file or directory
>>Aug 24 13:53:56 daredevil postfix/smtpd[29286]: warning: SASL 
>>authentication failure: no secret in database
>>Aug 24 13:53:56 daredevil postfix/smtpd[29286]: warning: 
>>h27.83.213.151.ip.alltel.net[151.213.83.27]: SASL CRAM-MD5 
>>authentication failed
>>Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: SASL 
>>authentication problem: unable to open Berkeley db /etc/sasldb2: No such 
>>file or directory
>>Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: SASL 
>>authentication problem: unable to open Berkeley db /etc/sasldb2: No such 
>>file or directory
>>Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: SASL 
>>authentication failure: no secret in database
>>Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: 
>>h27.83.213.151.ip.alltel.net[151.213.83.27]: SASL NTLM authentication failed
>>Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: SASL 
>>authentication problem: unable to open Berkeley db /etc/sasldb2: No such 
>>file or directory
>>Aug 24 13:53:57 daredevil last message repeated 4 times
>>Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: SASL 
>>authentication failure: Password verification failed
> 
> 
> The client tries the mechs you offer but which are not valid for your setup.
> 
> 
>>Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: 
>>h27.83.213.151.ip.alltel.net[151.213.83.27]: SASL PLAIN authentication 
>>failed
>>Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: SASL 
>>authentication problem: unable to open Berkeley db /etc/sasldb2: No such 
>>file or directory
>>Aug 24 13:53:57 daredevil last message repeated 5 times
>>Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: 
>>h27.83.213.151.ip.alltel.net[151.213.83.27]: SASL LOGIN authentication 
>>failed
> 
> 
> PLAIN and LOGIN fail too.
> 
> 
>>When I try through telnet, my telnet session looks like this:
>>[anner:~] anner% telnet 66.45.100.233 25
>>Trying 66.45.100.233...
>>Connected to 66.45.100.233.
>>Escape character is '^]'.
>>220 hedwig.blast.com ESMTP Postfix
>>EHLO anner.blast.com
>>250-hedwig.blast.com
>>250-PIPELINING
>>250-SIZE 10240000
>>250-VRFY
>>250-ETRN
>>250-AUTH CRAM-MD5 GSSAPI NTLM PLAIN DIGEST-MD5 LOGIN
>>250 8BITMIME
>>AUTH PLAIN myEncodedUser&Pass
>>535 Error: authentication failed
> 
> 
> It would be more helpful if you would create a test account and show real test data.
> That would show us which format your user has (realm or not).
> 
> 
>>[root at hedwig readme]# saslfinger -s
>>saslfinger - postfix Cyrus sasl configuration Wed Aug 24 14:02:36 EDT 2005
>>version: 0.9.9.1
>>mode: server-side SMTP AUTH
>>
>>-- basics --
>>Postfix: 2.2.5
> 
> 
It's pasted.  I figured since I had to compile a new copy to include 
mysql and sasl support, I'd compile the most recent.

> Is that pasted or typed manually? The latest FC3 Postfix version is postfix-2.1.5-5.i386.rpm.
> 
> 
>>System: Fedora Core release 3 (Heidelberg)
>>
>>-- smtpd is linked to --
>>         libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x0000003c6db00000)
>>
>>-- active SMTP AUTH and TLS parameters for smtpd --
>>smtpd_sasl_auth_enable = yes
>>
[...]

> 
>>-- end of saslfinger output --
> 
> 
>>Anne
> 
> 
> Alexander
> 
> 
> 
Anne
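
Added example, not part of the original message and not code from Postfix, Cyrus SASL or saslfinger: a small check that compares the `mech_list` in smtpd.conf with the mechanisms the server announces in its EHLO reply, and flags sasldb2 lookups in the mail log when `pwcheck_method` is `saslauthd`. The sample inputs are constructed from the values quoted in the thread; the function names are hypothetical.

```python
import re

# Sample inputs constructed from values quoted in the thread (log lines unfolded).
SMTPD_CONF = "pwcheck_method: saslauthd\nmech_list: plain login\n"
EHLO_REPLY = (
    "250-hedwig.blast.com\n"
    "250-AUTH CRAM-MD5 GSSAPI NTLM PLAIN DIGEST-MD5 LOGIN\n"
    "250-AUTH=CRAM-MD5 GSSAPI NTLM PLAIN DIGEST-MD5 LOGIN\n"
    "250 8BITMIME\n"
)
PREFIX = "Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning: "
CLIENT = "h27.83.213.151.ip.alltel.net[151.213.83.27]: "
MAILLOG = (
    PREFIX + "SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory\n"
    + PREFIX + CLIENT + "SASL CRAM-MD5 authentication failed\n"
    + PREFIX + CLIENT + "SASL PLAIN authentication failed\n"
)

def parse_sasl_conf(text):
    """Parse Cyrus SASL 'key: value' lines into a dict, skipping comment lines."""
    conf = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and not key.lstrip().startswith("#"):
            conf[key.strip().lower()] = value.strip()
    return conf

def advertised_mechs(ehlo):
    """Collect mechanism names from '250-AUTH ...' and '250-AUTH=...' lines."""
    mechs = set()
    for m in re.finditer(r"^250[- ]AUTH[ =](.*)$", ehlo, re.M):
        mechs.update(m.group(1).upper().split())
    return mechs

def failed_mechs(log):
    """Mechanisms for which smtpd logged 'SASL <mech> authentication failed'."""
    return set(re.findall(r"SASL (\S+) authentication failed", log))

def diagnose(conf_text, ehlo, log):
    """Return findings showing that the smtpd.conf settings are not taking effect."""
    conf = parse_sasl_conf(conf_text)
    allowed = set(conf.get("mech_list", "").upper().split())
    extra = advertised_mechs(ehlo) - allowed if allowed else set()
    findings = []
    if extra:
        findings.append("mech_list not in effect; also offered: " + " ".join(sorted(extra)))
    if conf.get("pwcheck_method") == "saslauthd" and "/etc/sasldb2" in log:
        findings.append("sasldb2 lookups logged; failed: " + " ".join(sorted(failed_mechs(log))))
    return findings
```

Both findings fire on the thread's data: the server still announces four mechanisms outside `mech_list: plain login`, which means the edited smtpd.conf is not the configuration the running smtpd has applied.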