sasl fails
Anne Ramey
anner at blast.com
Wed Aug 24 20:55:46 UTC 2005
Alexander Dalloz wrote:
> On Wed, 24.08.2005, Anne Ramey wrote at 20:40:
>
>
>>I just cannot seem to get my smtp auth working. I've read, and re-read
>>the sasl_readme with no luck...I've followed those instructions. It
>>appears that sasl is trying to use sasldb2 (which it's not supposed to,
>>I'm trying to use pam). I'm running on fedora core 3. Someone on the
>>postfix list replied and said I can't use pwcheck_method: saslauthd on
>>FC3...is that true? I need to use pam/my passwd/shadow info for smtp
>>auth, so if that is true, what is the work around? Many thanks.
>
>
> It isn't true. Of course you can use saslauthd.
Thanks for replying...that's what I thought
>
>
>>[root at hedwig readme]# ps aux|grep sasl
>>root 29058 0.0 0.0 19912 844 ? Ss 13:14 0:00
>>/usr/sbin/saslauthd -m /var/run/saslauthd -a pam
>>root 29059 0.0 0.0 20984 1264 ? S 13:14 0:00
>>/usr/sbin/saslauthd -m /var/run/saslauthd -a pam
>>root 29060 0.0 0.0 19912 844 ? S 13:14 0:00
>>/usr/sbin/saslauthd -m /var/run/saslauthd -a pam
>>root 29061 0.0 0.0 19912 844 ? S 13:14 0:00
>>/usr/sbin/saslauthd -m /var/run/saslauthd -a pam
>>root 29062 0.0 0.0 19912 844 ? S 13:14 0:00
>>/usr/sbin/saslauthd -m /var/run/saslauthd -a pam
>>root 29295 0.0 0.0 42400 668 pts/4 R+ 13:59 0:00 grep sasl
>
>
> Proper. PAM here means you let PAM call system accounts, I guess.
>
>
>>[root at hedwig readme]# testsaslauthd -u anner -p mypass
>>0: OK "Success."
>
>
> Looks good.
>
>
>>[root at hedwig readme]# cat /usr/lib/sasl2/smtpd.conf
>>pwcheck_method: saslauthd
>
> If you don't offer MD5 mechs because of your auth backend, then exclude
> them. Add
>
> mech_list: plain login
>
> to smtpd.conf.
I did, but it doesn't seem to have made any difference...
-- content of /usr/lib/sasl2/smtpd.conf --
pwcheck_method: saslauthd
mech_list: plain login
-- mechanisms on localhost --
250-AUTH CRAM-MD5 GSSAPI NTLM PLAIN DIGEST-MD5 LOGIN
250-AUTH=CRAM-MD5 GSSAPI NTLM PLAIN DIGEST-MD5 LOGIN
logs of an attempt:
Aug 24 16:45:34 daredevil postfix/smtpd[29695]: connect from
h27.83.213.151.ip.alltel.net[151.213.83.27]
Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning: SASL
authentication problem: unable to open Berkeley db /etc/sasldb2: No such
file or directory
Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning: SASL
authentication problem: unable to open Berkeley db /etc/sasldb2: No such
file or directory
Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning: SASL
authentication failure: no secret in database
Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning:
h27.83.213.151.ip.alltel.net[151.213.83.27]: SASL CRAM-MD5
authentication failed
Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning: SASL
authentication problem: unable to open Berkeley db /etc/sasldb2: No such
file or directory
Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning: SASL
authentication problem: unable to open Berkeley db /etc/sasldb2: No such
file or directory
Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning: SASL
authentication failure: no secret in database
Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning:
h27.83.213.151.ip.alltel.net[151.213.83.27]: SASL NTLM authentication failed
Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning: SASL
authentication problem: unable to open Berkeley db /etc/sasldb2: No such
file or directory
Aug 24 16:45:39 daredevil last message repeated 4 times
Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning: SASL
authentication failure: Password verification failed
Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning:
h27.83.213.151.ip.alltel.net[151.213.83.27]: SASL PLAIN authentication
failed
Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning: SASL
authentication problem: unable to open Berkeley db /etc/sasldb2: No such
file or directory
Aug 24 16:45:39 daredevil last message repeated 5 times
Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning:
h27.83.213.151.ip.alltel.net[151.213.83.27]: SASL LOGIN authentication
failed
Why would it be trying to open Berkeley db /etc/sasldb2--it should be
using pam?
>
>
>>[root at hedwig readme]# postconf -n
>
> [ ... ]
>
>>permit_sasl_authenticated, reject
>>smtpd_sasl_auth_enable = yes
>>transport_maps = mysql:/etc/postfix/transport.cf
>>unknown_local_recipient_reject_code = 550
>>virtual_alias_maps = mysql:/etc/postfix/virtual.cf
>
>
> You should add
>
> smtpd_sasl_security_options = noanonymous
> broken_sasl_auth_clients = yes
>
> Required is
>
> smtpd_sasl_local_domain =
>
> For use with saslauthd leave it empty.
Had those first but removed them in testing. Now I have:
-- active SMTP AUTH and TLS parameters for smtpd --
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
>
>
>>When I try and use it with a standard mail client I get:
>>Aug 24 13:53:52 daredevil postfix/smtpd[29286]: connect from
>>h27.83.213.151.ip.alltel.net[151.213.83.27]
>>Aug 24 13:53:56 daredevil postfix/smtpd[29286]: warning: SASL
>>authentication problem: unable to open Berkeley db /etc/sasldb2: No such
>>file or directory
>
>
> The client tries an MD5 mech as you offer it (see below). But as you use PAM
> and probably system accounts you can't use MD5. So as I told you above remove
> MD5 mechs.
>
>
>>Aug 24 13:53:56 daredevil postfix/smtpd[29286]: warning: SASL
>>authentication problem: unable to open Berkeley db /etc/sasldb2: No such
>>file or directory
>>Aug 24 13:53:56 daredevil postfix/smtpd[29286]: warning: SASL
>>authentication failure: no secret in database
>>Aug 24 13:53:56 daredevil postfix/smtpd[29286]: warning:
>>h27.83.213.151.ip.alltel.net[151.213.83.27]: SASL CRAM-MD5
>>authentication failed
>>Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: SASL
>>authentication problem: unable to open Berkeley db /etc/sasldb2: No such
>>file or directory
>>Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: SASL
>>authentication problem: unable to open Berkeley db /etc/sasldb2: No such
>>file or directory
>>Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: SASL
>>authentication failure: no secret in database
>>Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning:
>>h27.83.213.151.ip.alltel.net[151.213.83.27]: SASL NTLM authentication failed
>>Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: SASL
>>authentication problem: unable to open Berkeley db /etc/sasldb2: No such
>>file or directory
>>Aug 24 13:53:57 daredevil last message repeated 4 times
>>Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: SASL
>>authentication failure: Password verification failed
>
>
> The client tries the mechs you offer but which are not valid from your setup.
>
>
>>Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning:
>>h27.83.213.151.ip.alltel.net[151.213.83.27]: SASL PLAIN authentication
>>failed
>>Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning: SASL
>>authentication problem: unable to open Berkeley db /etc/sasldb2: No such
>>file or directory
>>Aug 24 13:53:57 daredevil last message repeated 5 times
>>Aug 24 13:53:57 daredevil postfix/smtpd[29286]: warning:
>>h27.83.213.151.ip.alltel.net[151.213.83.27]: SASL LOGIN authentication
>>failed
>
>
> PLAIN and LOGIN fail too.
>
>
>>When I try through telnet, my telnet session looks like this:
>>[anner:~] anner% telnet 66.45.100.233 25
>>Trying 66.45.100.233...
>>Connected to 66.45.100.233.
>>Escape character is '^]'.
>>220 hedwig.blast.com ESMTP Postfix
>>EHLO anner.blast.com
>>250-hedwig.blast.com
>>250-PIPELINING
>>250-SIZE 10240000
>>250-VRFY
>>250-ETRN
>>250-AUTH CRAM-MD5 GSSAPI NTLM PLAIN DIGEST-MD5 LOGIN
>>250 8BITMIME
>>AUTH PLAIN myEncodedUser&Pass
>>535 Error: authentication failed
>
>
> It would be more helpful if you would create a test account and show real test data.
> That would show us which format your user has (realm or not).
>
>
>>[root at hedwig readme]# saslfinger -s
>>saslfinger - postfix Cyrus sasl configuration Wed Aug 24 14:02:36 EDT 2005
>>version: 0.9.9.1
>>mode: server-side SMTP AUTH
>>
>>-- basics --
>>Postfix: 2.2.5
>
>
It's pasted. I figured since I had to compile a new copy to include
mysql and sasl support, I'd compile the most recent.
> Is that pasted or typed manually? The latest FC3 Postfix version is postfix-2.1.5-5.i386.rpm.
>
>
>>System: Fedora Core release 3 (Heidelberg)
>>
>>-- smtpd is linked to --
>> libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x0000003c6db00000)
>>
>>-- active SMTP AUTH and TLS parameters for smtpd --
>>smtpd_sasl_auth_enable = yes
>>
[...]
>
>>-- end of saslfinger output --
>
>
>>Anne
>
>
> Alexander
>
>
>
Anne
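
The mismatch reported in this message (a `mech_list` of `plain login` in smtpd.conf while EHLO still advertises six mechanisms) can be checked mechanically. The following is an added example, not part of the original message; the function names are hypothetical and the sample inputs are copied from the text above rather than read from a live server.

```python
import re

# Sample inputs copied from the message above (not live output).
SMTPD_CONF = "pwcheck_method: saslauthd\nmech_list: plain login\n"
EHLO_REPLY = (
    "250-hedwig.blast.com\n250-PIPELINING\n"
    "250-AUTH CRAM-MD5 GSSAPI NTLM PLAIN DIGEST-MD5 LOGIN\n"
    "250-AUTH=CRAM-MD5 GSSAPI NTLM PLAIN DIGEST-MD5 LOGIN\n250 8BITMIME\n"
)
# Log excerpt, still wrapped across lines the way the mail was wrapped.
MAILLOG = (
    "Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning: SASL\n"
    "authentication problem: unable to open Berkeley db /etc/sasldb2: No such\n"
    "file or directory\n"
    "Aug 24 16:45:39 daredevil postfix/smtpd[29695]: warning:\n"
    "h27.83.213.151.ip.alltel.net[151.213.83.27]: SASL PLAIN authentication\nfailed\n"
)

def configured_mechs(conf_text):
    """Mechanisms named by mech_list in a Cyrus SASL smtpd.conf, or None if unset."""
    for line in conf_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "mech_list":
            return {m.upper() for m in value.split()}
    return None

def advertised_mechs(ehlo_text):
    """Mechanisms on the AUTH lines of an EHLO reply ('AUTH ' and 'AUTH=' forms)."""
    mechs = set()
    for line in ehlo_text.splitlines():
        m = re.match(r"250[- ]AUTH[ =](.*)", line.strip(), re.IGNORECASE)
        if m:
            mechs.update(x.upper() for x in m.group(1).split())
    return mechs

def unexpected_mechs(conf_text, ehlo_text):
    """Advertised mechanisms that the configured mech_list does not allow."""
    allowed = configured_mechs(conf_text)
    return set() if allowed is None else advertised_mechs(ehlo_text) - allowed

def log_findings(log_text):
    """Failed mechanisms and count of sasldb2 open errors, tolerating wrapped lines."""
    flat = " ".join(log_text.split())
    failed = re.findall(r"SASL (\S+) authentication failed", flat)
    return failed, flat.count("unable to open Berkeley db /etc/sasldb2")

if __name__ == "__main__":
    print("advertised but not in mech_list:", sorted(unexpected_mechs(SMTPD_CONF, EHLO_REPLY)))
    print("failed mechs, sasldb2 errors:", log_findings(MAILLOG))
```

A non-empty result from `unexpected_mechs` means the running smtpd is not applying the `mech_list` from the file that was inspected.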