Can't get auxprop/sasldb SMTP auth working


Can't get auxprop/sasldb SMTP auth working

Rich Carreiro-2
I have an Ubuntu 8.04LTS system running Postfix 2.5.1.
On that system SMTP AUTH runs *fine*.  The contents of
/etc/postfix/sasl/smtpd.conf are:

pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN

The SASL-related properties are:

smtpd_sasl_type = cyrus
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_local_domain = $myhostname

When I do "sudo sasldblistusers2" I get:

[hidden email]: userPassword

Like I said, that all works fine.

However, I am trying to migrate this over to an
Ubuntu 12.04LTS system running Postfix 2.9.3
and I just cannot get it to work. I'm doing everything
the same, but postfix gives authentication failures
every time.

It's not the /etc/sasldb2 file.  I've tried bringing
over the file from the old system and that doesn't work.
I've created a new file using

    saslpasswd2 -c -u mail.mydomain.com authusername

and that doesn't work, though it *WILL* work on the old system
if I copy it to the old system, which is how I know there's
nothing wrong with the file.

Likewise, I know postfix is seeing the smtpd.conf file.
If I add more mechanisms to the mech_list line of the file,
I see those extra mechanisms being advertised when I connect
to the smtpd daemon.  And when I remove them they go away
again.  So /etc/postfix/sasl/smtpd.conf is clearly
getting used.

I am testing both by using an actual mail client and by
manually talking to the server after generating a token with this:

    perl -MMIME::Base64 -e 'print encode_base64("\000authusername\000thePassword");'

then:

    openssl s_client -quiet -starttls smtp -connect the.newsystem.com:587

250 DSN
EHLO example.com
250-the.newsystem.com
250-PIPELINING
250-SIZE 20971520
250-ETRN
250-AUTH PLAIN
250-AUTH=PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN theBase64EncodedToken
535 5.7.8 Error: authentication failed: authentication failure

But if I instead connect to the.oldsystem.com:587 and do the
same thing, I get:

235 2.7.0 Authentication successful

The output of saslfinger on the new machine is:

sudo saslfinger -s
saslfinger - postfix Cyrus sasl configuration Sat Jul 21 00:24:24 EDT 2012
version: 1.0.4
mode: server-side SMTP AUTH

-- basics --
Postfix: 2.9.3
System: Ubuntu 12.04 LTS \n \l

-- smtpd is linked to --
        libsasl2.so.2 => /usr/lib/i386-linux-gnu/libsasl2.so.2 (0xb76c5000)

-- active SMTP AUTH and TLS parameters for smtpd --
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = cyrus
smtpd_tls_CAfile = /etc/ssl/certs/MyCA.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/ssl/server.crt
smtpd_tls_key_file = /etc/postfix/ssl/server.key
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s


-- listing of /usr/lib/sasl2 --
total 16
drwxr-xr-x  2 root root 4096 Jul 20 23:00 .
drwxr-xr-x 67 root root 8192 Jul 20 21:25 ..
-rw-r--r--  1 root root    1 May  4 00:17 berkeley_db.txt

-- listing of /etc/postfix/sasl --
total 20
drwxr-xr-x 2 root root 4096 Jul 20 21:29 .
drwxr-xr-x 5 root root 4096 Jul 20 23:58 ..
-rw-r--r-- 1 root root   64 Jul 20 21:29 smtpd.conf




-- content of /etc/postfix/sasl/smtpd.conf --
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN

-- content of /etc/postfix/sasl/smtpd.conf --
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN


-- active services in /etc/postfix/master.cf --
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
smtp      inet  n       -       -       -       -       smtpd
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

[snipping the rest of the services]

-- mechanisms on localhost --

-- end of saslfinger output --


--
Rich Carreiro                            [hidden email]
Re: Can't get auxprop/sasldb SMTP auth working

Scott Kitterman-4
On Saturday, July 21, 2012 12:34:31 AM Rich Carreiro wrote:
...
Snipping heavily to make it easier to follow.

> However, I am trying to migrate this over to an
> Ubuntu 12.04LTS system running Postfix 2.9.3
> and I just cannot get it to work. I'm doing everything
> the same, but postfix gives authentication failures
> every time.
>
> It's not the /etc/sasldb2 file.  I've tried bringing
> over the file from the old system and that doesn't work.
> I've created a new file using
>
>     saslpasswd2 -c -u mail.mydomain.com authusername
>
> and that doesn't work, though it *WILL* work on the old system
> if I copy it to the old system, which is how I know there's
> nothing wrong with the file.

Sometimes Berkeley DB changes its on-disk format.  Cyrus SASL in the
Debian/Ubuntu packages (I don't recall if it's upstream or a patch) has code
to upgrade from one format to another, so it's not guaranteed that you can
copy sasldb files between versions of cyrus-sasl2 that were built with different
DB versions.  I don't know of any incompatibilities, but it's something to be
careful of.  You've excluded this by trying a new sasldb, but I thought it'd
be worth mentioning.
 
> Likewise, I know postfix is seeing the smtpd.conf file.
> If I add more mechanisms to the mech_list line of the file,
> I see those extra mechanisms being advertised when I connect
> to the smtpd daemon.  And when I remove them they go away
> again.  So /etc/postfix/sasl/smtpd.conf is clearly
> getting used.

This seems to conflict with what saslfinger shows.

> I am testing both by using an actual mail client and by
> manually talking to the server after generating a token with this:
>
>     perl -MMIME::Base64 -e 'print
> encode_base64("\000authusername\000thePassword");'
>
> then:
>
>     openssl s_client -quiet -starttls smtp -connect the.newsystem.com:587
>
> 250 DSN
> EHLO example.com
> 250-the.newsystem.com
> 250-PIPELINING
> 250-SIZE 20971520
> 250-ETRN
> 250-AUTH PLAIN
> 250-AUTH=PLAIN
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> AUTH PLAIN theBase64EncodedToken
> 535 5.7.8 Error: authentication failed: authentication failure

This exact process works on my Ubuntu 12.04 box.  Did you copy the sasldb into
the chroot (/var/spool/postfix/etc/sasldb2)?

> But if I instead connect to the.oldsystem.com:587 and do the
> same thing, I get:
>
> 235 2.7.0 Authentication successful
>
> The output of saslfinger on the new machine is:

...
Mine is very similar.  Differences:

> smtpd_sasl_path = smtpd

smtpd_sasl_path =

> -- content of /etc/postfix/sasl/smtpd.conf --
> pwcheck_method: auxprop
> auxprop_plugin: sasldb
> mech_list: PLAIN

-- content of /etc/postfix/sasl/smtpd.conf --
#Global parameters
log_level: 2
pwcheck_method: auxprop
#saslauthd parameters
mech_list: PLAIN LOGIN
#auxiliary plugin parameters:
auxprop_plugin: sasldb

> -- content of /etc/postfix/sasl/smtpd.conf --
> pwcheck_method: auxprop
> auxprop_plugin: sasldb
> mech_list: PLAIN

-- content of /etc/postfix/sasl/smtpd.conf --
#Global parameters
log_level: 2
pwcheck_method: auxprop
#saslauthd parameters
mech_list: PLAIN LOGIN
#auxiliary plugin parameters:
auxprop_plugin: sasldb

...
>   -o smtpd_tls_security_level=encrypt

smtpd_tls_security_level =

(also no milter on submission)
> [snipping the rest of the services]
>
> -- mechanisms on localhost --
>
> -- end of saslfinger output --

-- mechanisms on localhost --
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN

Scott K
Re: Can't get auxprop/sasldb SMTP auth working

Patrick Ben Koetter
* Rich Carreiro <[hidden email]>:
> -- active services in /etc/postfix/master.cf --
> # service type  private unpriv  chroot  wakeup  maxproc command + args
> #               (yes)   (yes)   (yes)   (never) (100)
> smtp      inet  n       -       -       -       -       smtpd

Your server is chrooted. It cannot find /etc/sasldb2.
Remove the chroot or move sasldb into the chroot.

p@rick

--
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
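An added check for the misconfiguration Patrick diagnoses (not code from the thread or from the saslfinger project): it reads master.cf, finds every smtpd service that runs chrooted, and reports whether a sasldb2 exists inside the chroot. It assumes the chroot is the Postfix queue directory (/var/spool/postfix by default) and that libsasl looks for etc/sasldb2 beneath it, as Scott's and Patrick's replies state; the sample master.cf is constructed from the lines Rich posted.

```shell
#!/bin/sh
# Added example, not from the thread: flags an smtpd service that runs chrooted
# while the sasldb lives only in /etc. Assumes the chroot is the Postfix queue
# directory and that libsasl looks for etc/sasldb2 beneath it (as the replies say).
# sasldb_report MASTER_CF QUEUE_DIR: one line per smtpd service in master.cf.
sasldb_report() {
    master_cf=$1; queue_dir=$2
    # master.cf fields: service type private unpriv chroot wakeup maxproc command.
    # Skip comment lines and the indented "-o ..." continuation lines.
    awk '!/^[ \t]*#/ && !/^[ \t]/ && $8 == "smtpd" { print $1, $5 }' "$master_cf" |
    while read -r service chroot; do
        case $chroot in
            n|N) echo "$service: not chrooted, reads /etc/sasldb2" ;;
            # "-" means the default, which is chrooted on Postfix before 3.0.
            *) if [ -f "$queue_dir/etc/sasldb2" ]; then
                   echo "$service: chrooted, $queue_dir/etc/sasldb2 present"
               else
                   echo "$service: chrooted, $queue_dir/etc/sasldb2 MISSING"
               fi ;;
        esac
    done
}

# check_sasldb_chroot MASTER_CF QUEUE_DIR: prints the report, returns 1 if any
# chrooted smtpd service cannot reach a sasldb (the 535 seen in the thread).
check_sasldb_chroot() {
    report=$(sasldb_report "$1" "$2")
    printf '%s\n' "$report"
    case $report in *MISSING*) return 1 ;; esac
}

# Constructed sample tree reproducing the thread's master.cf, so this runs offline.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/spool/etc"
    cat > "$dir/master.cf" <<'EOF'
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       -       -       -       smtpd
submission inet n       -       -       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
EOF
    echo "$dir"
}
if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree)
    check_sasldb_chroot "$tree/master.cf" "$tree/spool" || echo "=> copy /etc/sasldb2 to $tree/spool/etc/"
    touch "$tree/spool/etc/sasldb2"   # stands in for the copy of the real file
    check_sasldb_chroot "$tree/master.cf" "$tree/spool"
fi
```

Run it with `--demo` to see both reports on the constructed tree; against a real host, call `check_sasldb_chroot /etc/postfix/master.cf /var/spool/postfix`.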
Re: Can't get auxprop/sasldb SMTP auth working

Rich Carreiro-2
On Sat, 21 Jul 2012, Patrick Ben Koetter wrote:

>* Rich Carreiro <[hidden email]>:
>> -- active services in /etc/postfix/master.cf --
>> # service type  private unpriv  chroot  wakeup  maxproc command + args
>> #               (yes)   (yes)   (yes)   (never) (100)
>> smtp      inet  n       -       -       -       -       smtpd
>
>Your server is chrooted. It cannot find /etc/sasldb2.
>Remove the chroot or move sasldb into the chroot.

[HEADDESK!]

I'm so embarrassed I missed that.  You are, of course, absolutely
correct.  Once I copied /etc/sasldb2 into the chroot the authentication
worked fine.

Thank you so much!

--
Rich Carreiro                            [hidden email]