Issue with SASL authentication


Daniel Bareiro
Hi all!

Maybe this question is not 100% about Postfix, but it is related. I am
configuring a Postfix server with SASL authentication.

When I do a test to authenticate, I get an error:

------------------------------------------------------------------
root@server2:~# saslpasswd2 -c daniel
------------------------------------------------------------------
root@server2:~# testsaslauthd -u daniel -p password
0: NO "authentication failed"
------------------------------------------------------------------

However it works when I provide the realm:

------------------------------------------------------------------
root@server2:~# testsaslauthd -u daniel -r server2 -p password
0: OK "Success."
------------------------------------------------------------------

It's strange because I have another mail server where it works without
problems:

------------------------------------------------------------------
root@mail:~# testsaslauthd -u daniel -p password
0: OK "Success."
------------------------------------------------------------------

Both hosts have Debian Jessie and the SASL configuration is the same:

------------------------------------------------------------------
root@mail:~# grep ^[^#] /etc/default/saslauthd
START=yes
DESC="SASL Authentication Daemon"
NAME="saslauthd"
MECHANISMS="sasldb"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c -m /var/run/saslauthd"
------------------------------------------------------------------
root@server2:~# grep ^[^#] /etc/default/saslauthd
START=yes
DESC="SASL Authentication Daemon"
NAME="saslauthd"
MECHANISMS="sasldb"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c -m /var/run/saslauthd"
------------------------------------------------------------------

"mail" has some updates to apply, but I do not see any differences in
the versions of the SASL packages:

------------------------------------------------------------------
root@mail:~# aptitude show libsasl2-2 | grep Versión
Versión: 2.1.26.dfsg1-13+deb8u1

root@mail:~# aptitude show libsasl2-modules | grep Versión
Versión: 2.1.26.dfsg1-13+deb8u1

root@mail:~# aptitude show sasl2-bin | grep Versión
Versión: 2.1.26.dfsg1-13+deb8u1
------------------------------------------------------------------

------------------------------------------------------------------
root@server2:~# aptitude show libsasl2-2 | grep Version
Version: 2.1.26.dfsg1-13+deb8u1

root@server2:~# aptitude show libsasl2-modules | grep Version
Version: 2.1.26.dfsg1-13+deb8u1

root@server2:~# aptitude show sasl2-bin | grep Version
Version: 2.1.26.dfsg1-13+deb8u1
------------------------------------------------------------------

In this case I'm not doing the authentication test against IMAP but
directly against SASL, so I guess the problem will be directly related
to the SASL configuration itself.

In case it is useful, when the authentication fails I get this in
/var/log/auth.log:

------------------------------------------------------------------
May 24 15:31:38 server2 saslauthd[2701]: do_auth         : auth failure:
[user=daniel] [service=imap] [realm=] [mech=sasldb] [reason=Unknown]
------------------------------------------------------------------

It seems that authentication is done through IMAP and I have previously
installed the Cyrus packages.


Any thoughts about what might differ between the two environments?


Thanks in advance.

Kind regards,
Daniel



Re: Issue with SASL authentication

Daniel Bareiro
Hi again.

On 24/05/17 17:46, Daniel Bareiro wrote:

> Maybe this question is not 100% about Postfix, but it is related. I am
> configuring a Postfix server with SASL authentication.
>
> When I do a test to authenticate, I get an error:
>
> ------------------------------------------------------------------
> root@server2:~# saslpasswd2 -c daniel
> ------------------------------------------------------------------
> root@server2:~# testsaslauthd -u daniel -p password
> 0: NO "authentication failed"
> ------------------------------------------------------------------
>
> However it works when I provide the realm:
>
> ------------------------------------------------------------------
> root@server2:~# testsaslauthd -u daniel -r server2 -p password
> 0: OK "Success."
> ------------------------------------------------------------------
>
> It's strange because I have another mail server where it works without
> problems:
>
> ------------------------------------------------------------------
> root@mail:~# testsaslauthd -u daniel -p password
> 0: OK "Success."
> ------------------------------------------------------------------
>
> Both hosts have Debian Jessie and the SASL configuration is the same:
>
> ------------------------------------------------------------------
> root@mail:~# grep ^[^#] /etc/default/saslauthd
> START=yes
> DESC="SASL Authentication Daemon"
> NAME="saslauthd"
> MECHANISMS="sasldb"
> MECH_OPTIONS=""
> THREADS=5
> OPTIONS="-c -m /var/run/saslauthd"
> ------------------------------------------------------------------
> root@server2:~# grep ^[^#] /etc/default/saslauthd
> START=yes
> DESC="SASL Authentication Daemon"
> NAME="saslauthd"
> MECHANISMS="sasldb"
> MECH_OPTIONS=""
> THREADS=5
> OPTIONS="-c -m /var/run/saslauthd"
> ------------------------------------------------------------------
>
> "mail" has some updates to apply, but I do not see any differences in
> the versions of the SASL packages:
>
> ------------------------------------------------------------------
> root@mail:~# aptitude show libsasl2-2 | grep Versión
> Versión: 2.1.26.dfsg1-13+deb8u1
>
> root@mail:~# aptitude show libsasl2-modules | grep Versión
> Versión: 2.1.26.dfsg1-13+deb8u1
>
> root@mail:~# aptitude show sasl2-bin | grep Versión
> Versión: 2.1.26.dfsg1-13+deb8u1
> ------------------------------------------------------------------
>
> ------------------------------------------------------------------
> root@server2:~# aptitude show libsasl2-2 | grep Version
> Version: 2.1.26.dfsg1-13+deb8u1
>
> root@server2:~# aptitude show libsasl2-modules | grep Version
> Version: 2.1.26.dfsg1-13+deb8u1
>
> root@server2:~# aptitude show sasl2-bin | grep Version
> Version: 2.1.26.dfsg1-13+deb8u1
> ------------------------------------------------------------------
>
> In this case I'm not doing the authentication test against IMAP but
> directly against SASL, so I guess the problem will be directly related
> to the SASL configuration itself.
>
> In case it is useful, when the authentication fails I get this in
> /var/log/auth.log:
>
> ------------------------------------------------------------------
> May 24 15:31:38 server2 saslauthd[2701]: do_auth         : auth failure:
> [user=daniel] [service=imap] [realm=] [mech=sasldb] [reason=Unknown]
> ------------------------------------------------------------------
>
> It seems that authentication is done through IMAP and I have previously
> installed the Cyrus packages.
>
>
> Any thoughts about what might differ between the two environments?

Apparently, despite this difference, the SASL authentication via IMAP is
working.

/var/log/mail.log:

------------------------------------------------------------------
May 24 19:38:51 server2 cyrus/imaps[3711]: starttls: TLSv1.2 with cipher
ECDHE-RSA-AES128-SHA (128/128 bits new) no authentication
May 24 19:38:51 server2 cyrus/imaps[3711]: login: host.domain.tld.net
[x.y.z.t] daniel CRAM-MD5+TLS User logged in
SESSIONID=<cyrus-3711-1495665531-1>
May 24 19:38:51 server2 cyrus/imaps[3711]: created decompress buffer of
4102 bytes
May 24 19:38:51 server2 cyrus/imaps[3711]: created compress buffer of
4102 bytes
May 24 19:38:51 server2 cyrus/imaps[3711]: client id: "name"
"Thunderbird" "version" "45.8.0"
May 24 19:38:53 server2 cyrus/master[3800]: about to exec
/usr/lib/cyrus/bin/imapd
May 24 19:38:53 server2 cyrus/imaps[3800]: executed
May 24 19:38:53 server2 cyrus/imaps[3800]: accepted connection
May 24 19:38:53 server2 cyrus/imaps[3800]: imapd:Loading hard-coded DH
parameters
May 24 19:38:53 server2 cyrus/imaps[3800]: SSL_accept() incomplete -> wait
May 24 19:38:54 server2 cyrus/imaps[3800]: SSL_accept() succeeded -> done
------------------------------------------------------------------

But SMTP authentication for sending mail is not working.

/var/log/auth.log:

------------------------------------------------------------------
May 24 20:12:38 server2 saslauthd[3685]: do_auth         : auth failure:
[user=daniel] [service=smtp] [realm=] [mech=sasldb] [reason=Unknown]
May 24 20:12:38 server2 saslauthd[3683]: do_auth         : auth failure:
[user=daniel] [service=smtp] [realm=] [mech=sasldb] [reason=Unknown]
May 24 20:12:56 server2 saslauthd[3684]: do_auth         : auth failure:
[user=daniel] [service=smtp] [realm=] [mech=sasldb] [reason=Unknown]
May 24 20:12:56 server2 saslauthd[3682]: do_auth         : auth failure:
[user=daniel] [service=smtp] [realm=] [mech=sasldb] [reason=Unknown]
------------------------------------------------------------------

/var/log/mail.log:

------------------------------------------------------------------
May 24 20:12:37 server2 postfix/smtpd[4122]: Anonymous TLS connection
established from unknown[x.y.z.t] TLSv1.2 with cipher
ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
May 24 20:12:38 server2 postfix/smtpd[4122]: warning: SASL
authentication failure: Password verification failed
May 24 20:12:38 server2 postfix/smtpd[4122]: warning: unknown[x.y.z.t]
SASL PLAIN authentication failed: authentication failure
May 24 20:12:38 server2 postfix/smtpd[4122]: warning: unknown[x.y.z.t]
SASL LOGIN authentication failed: authentication failure
May 24 20:12:56 server2 postfix/smtpd[4122]: warning: SASL
authentication failure: Password verification failed
May 24 20:12:56 server2 postfix/smtpd[4122]: warning: unknown[x.y.z.t]
SASL PLAIN authentication failed: authentication failure
May 24 20:12:56 server postfix/smtpd[4122]: warning: unknown[x.y.z.t]
SASL LOGIN authentication failed: authentication failure
------------------------------------------------------------------

I'll keep investigating.

All comments are welcome.

Thanks.

Kind regards,
Daniel



Re: Issue with SASL authentication

Daniel Bareiro
Hi!

On 24/05/17 21:18, Daniel Bareiro wrote:

> Hi again.
>
> On 24/05/17 17:46, Daniel Bareiro wrote:
>
>> Maybe this question is not 100% about Postfix, but it is related. I am
>> configuring a Postfix server with SASL authentication.
>>
>> When I do a test to authenticate, I get an error:
>>
>> ------------------------------------------------------------------
>> root@server2:~# saslpasswd2 -c daniel
>> ------------------------------------------------------------------
>> root@server2:~# testsaslauthd -u daniel -p password
>> 0: NO "authentication failed"
>> ------------------------------------------------------------------
>>
>> However it works when I provide the realm:
>>
>> ------------------------------------------------------------------
>> root@server2:~# testsaslauthd -u daniel -r server2 -p password
>> 0: OK "Success."
>> ------------------------------------------------------------------
>>
>> It's strange because I have another mail server where it works without
>> problems:
>>
>> ------------------------------------------------------------------
>> root@mail:~# testsaslauthd -u daniel -p password
>> 0: OK "Success."
>> ------------------------------------------------------------------
>>
>> Both hosts have Debian Jessie and the SASL configuration is the same:
>>
>> ------------------------------------------------------------------
>> root@mail:~# grep ^[^#] /etc/default/saslauthd
>> START=yes
>> DESC="SASL Authentication Daemon"
>> NAME="saslauthd"
>> MECHANISMS="sasldb"
>> MECH_OPTIONS=""
>> THREADS=5
>> OPTIONS="-c -m /var/run/saslauthd"
>> ------------------------------------------------------------------
>> root@server2:~# grep ^[^#] /etc/default/saslauthd
>> START=yes
>> DESC="SASL Authentication Daemon"
>> NAME="saslauthd"
>> MECHANISMS="sasldb"
>> MECH_OPTIONS=""
>> THREADS=5
>> OPTIONS="-c -m /var/run/saslauthd"
>> ------------------------------------------------------------------
>>
>> "mail" has some updates to apply, but I do not see any differences in
>> the versions of the SASL packages:
>>
>> ------------------------------------------------------------------
>> root@mail:~# aptitude show libsasl2-2 | grep Versión
>> Versión: 2.1.26.dfsg1-13+deb8u1
>>
>> root@mail:~# aptitude show libsasl2-modules | grep Versión
>> Versión: 2.1.26.dfsg1-13+deb8u1
>>
>> root@mail:~# aptitude show sasl2-bin | grep Versión
>> Versión: 2.1.26.dfsg1-13+deb8u1
>> ------------------------------------------------------------------
>>
>> ------------------------------------------------------------------
>> root@server2:~# aptitude show libsasl2-2 | grep Version
>> Version: 2.1.26.dfsg1-13+deb8u1
>>
>> root@server2:~# aptitude show libsasl2-modules | grep Version
>> Version: 2.1.26.dfsg1-13+deb8u1
>>
>> root@server2:~# aptitude show sasl2-bin | grep Version
>> Version: 2.1.26.dfsg1-13+deb8u1
>> ------------------------------------------------------------------
>>
>> In this case I'm not doing the authentication test against IMAP but
>> directly against SASL, so I guess the problem will be directly related
>> to the SASL configuration itself.
>>
>> In case it is useful, when the authentication fails I get this in
>> /var/log/auth.log:
>>
>> ------------------------------------------------------------------
>> May 24 15:31:38 server2 saslauthd[2701]: do_auth         : auth failure:
>> [user=daniel] [service=imap] [realm=] [mech=sasldb] [reason=Unknown]
>> ------------------------------------------------------------------
>>
>> It seems that authentication is done through IMAP and I have previously
>> installed the Cyrus packages.
>>
>>
>> Any thoughts about what might differ between the two environments?
>
> Apparently, despite this difference, the SASL authentication via IMAP is
> working.
>
> /var/log/mail.log:
>
> ------------------------------------------------------------------
> May 24 19:38:51 server2 cyrus/imaps[3711]: starttls: TLSv1.2 with cipher
> ECDHE-RSA-AES128-SHA (128/128 bits new) no authentication
> May 24 19:38:51 server2 cyrus/imaps[3711]: login: host.domain.tld.net
> [x.y.z.t] daniel CRAM-MD5+TLS User logged in
> SESSIONID=<cyrus-3711-1495665531-1>
> May 24 19:38:51 server2 cyrus/imaps[3711]: created decompress buffer of
> 4102 bytes
> May 24 19:38:51 server2 cyrus/imaps[3711]: created compress buffer of
> 4102 bytes
> May 24 19:38:51 server2 cyrus/imaps[3711]: client id: "name"
> "Thunderbird" "version" "45.8.0"
> May 24 19:38:53 server2 cyrus/master[3800]: about to exec
> /usr/lib/cyrus/bin/imapd
> May 24 19:38:53 server2 cyrus/imaps[3800]: executed
> May 24 19:38:53 server2 cyrus/imaps[3800]: accepted connection
> May 24 19:38:53 server2 cyrus/imaps[3800]: imapd:Loading hard-coded DH
> parameters
> May 24 19:38:53 server2 cyrus/imaps[3800]: SSL_accept() incomplete -> wait
> May 24 19:38:54 server2 cyrus/imaps[3800]: SSL_accept() succeeded -> done
> ------------------------------------------------------------------
>
> But SMTP authentication for sending mail is not working.
>
> /var/log/auth.log:
>
> ------------------------------------------------------------------
> May 24 20:12:38 server2 saslauthd[3685]: do_auth         : auth failure:
> [user=daniel] [service=smtp] [realm=] [mech=sasldb] [reason=Unknown]
> May 24 20:12:38 server2 saslauthd[3683]: do_auth         : auth failure:
> [user=daniel] [service=smtp] [realm=] [mech=sasldb] [reason=Unknown]
> May 24 20:12:56 server2 saslauthd[3684]: do_auth         : auth failure:
> [user=daniel] [service=smtp] [realm=] [mech=sasldb] [reason=Unknown]
> May 24 20:12:56 server2 saslauthd[3682]: do_auth         : auth failure:
> [user=daniel] [service=smtp] [realm=] [mech=sasldb] [reason=Unknown]
> ------------------------------------------------------------------
>
> /var/log/mail.log:
>
> ------------------------------------------------------------------
> May 24 20:12:37 server2 postfix/smtpd[4122]: Anonymous TLS connection
> established from unknown[x.y.z.t] TLSv1.2 with cipher
> ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
> May 24 20:12:38 server2 postfix/smtpd[4122]: warning: SASL
> authentication failure: Password verification failed
> May 24 20:12:38 server2 postfix/smtpd[4122]: warning: unknown[x.y.z.t]
> SASL PLAIN authentication failed: authentication failure
> May 24 20:12:38 server2 postfix/smtpd[4122]: warning: unknown[x.y.z.t]
> SASL LOGIN authentication failed: authentication failure
> May 24 20:12:56 server2 postfix/smtpd[4122]: warning: SASL
> authentication failure: Password verification failed
> May 24 20:12:56 server2 postfix/smtpd[4122]: warning: unknown[x.y.z.t]
> SASL PLAIN authentication failed: authentication failure
> May 24 20:12:56 server postfix/smtpd[4122]: warning: unknown[x.y.z.t]
> SASL LOGIN authentication failed: authentication failure
> ------------------------------------------------------------------
>
> I'll keep investigating.
>
> All comments are welcome.

Well, I was comparing the configuration of both mail servers and doing
several more tests. I could not find the difference yet, but it seems
that the SMTP authentication error is also related to the fact that
authentication fails if the realm is not provided.

-----------------------------------------------------------------------
root@server2:~# /usr/sbin/saslauthd -a sasldb -V -c -m
/var/run/saslauthd -n 5 -d
saslauthd[6020] :main            : num_procs  : 5
saslauthd[6020] :main            : mech_option: NULL
saslauthd[6020] :main            : run_path   : /var/run/saslauthd
saslauthd[6020] :main            : auth_mech  : sasldb
saslauthd[6020] :cache_alloc_mm  : mmaped shared memory segment on file:
/var/run/saslauthd/cache.mmap
saslauthd[6020] :cache_init      : bucket size: 96 bytes
saslauthd[6020] :cache_init      : stats size : 36 bytes
saslauthd[6020] :cache_init      : timeout    : 28800 seconds
saslauthd[6020] :cache_init      : cache table: 985828 total bytes
saslauthd[6020] :cache_init      : cache table: 1711 slots
saslauthd[6020] :cache_init      : cache table: 10266 buckets
saslauthd[6020] :cache_init_lock : flock file opened at
/var/run/saslauthd/cache.flock
saslauthd[6020] :ipc_init        : using accept lock file:
/var/run/saslauthd/mux.accept
saslauthd[6020] :detach_tty      : master pid is: 0
saslauthd[6020] :ipc_init        : listening on socket:
/var/run/saslauthd/mux
saslauthd[6020] :main            : using process model
saslauthd[6020] :have_baby       : forked child: 6021
saslauthd[6020] :have_baby       : forked child: 6022
saslauthd[6020] :have_baby       : forked child: 6023
saslauthd[6020] :have_baby       : forked child: 6024
saslauthd[6020] :get_accept_lock : acquired accept lock
saslauthd[6020] :rel_accept_lock : released accept lock
saslauthd[6024] :get_accept_lock : acquired accept lock
-----------------------------------------------------------------------

Without using the realm to authenticate against SMTP:

-----------------------------------------------------------------------
root@server2:/etc/postfix# testsaslauthd -u daniel -p password -s smtp
0: NO "authentication failed"
-----------------------------------------------------------------------
May 25 12:54:19 server2 saslauthd[6023]: rel_accept_lock : released
accept lock
May 25 12:54:19 server2 saslauthd[6022]: get_accept_lock : acquired
accept lock
May 25 12:54:19 server2 saslauthd[6023]: cache_get_rlock : attempting a
read lock on slot: 750
May 25 12:54:19 server2 saslauthd[6023]: cache_lookup    :
[login=daniel] [service=smtp] [realm=]: not found, update pending
May 25 12:54:19 server2 saslauthd[6023]: cache_un_lock   : attempting to
release lock on slot: 750
May 25 12:54:19 server2A saslauthd[6023]: do_auth         : auth
failure: [user=daniel] [service=smtp] [realm=] [mech=sasldb]
[reason=Unknown]
May 25 12:54:19 server2 saslauthd[6023]: do_request      : response: NO
-----------------------------------------------------------------------

Using the realm to authenticate against SMTP:

-----------------------------------------------------------------------
root@server2:/etc/postfix# testsaslauthd -u daniel -p passwprd -s smtp
-r server2
0: OK "Success."
-----------------------------------------------------------------------
May 25 12:53:20 server2 saslauthd[6024]: rel_accept_lock : released
accept lock
May 25 12:53:20 server2 saslauthd[6023]: get_accept_lock : acquired
accept lock
May 25 12:53:20 server2 saslauthd[6024]: cache_get_rlock : attempting a
read lock on slot: 1143
May 25 12:53:20 server2 saslauthd[6024]: cache_lookup    :
[login=daniel] [service=smtp] [realm=server2]: found with valid passwd
May 25 12:53:20 server2 saslauthd[6024]: cache_un_lock   : attempting to
release lock on slot: 1143
May 25 12:53:20 server2 saslauthd[6024]: do_auth         : auth success
(cached): [user=daniel] [service=smtp] [realm=server2]
May 25 12:53:20 server2 saslauthd[6024]: do_request      : response: OK
-----------------------------------------------------------------------

So it all comes down to saslauthd not being able to authenticate without
the realm. What I cannot find out is why this happens. I do not see the
difference in the configuration between both servers.

In any case, it seems that Cyrus IMAP is able to run smoothly. But it's
not the same with Postfix. Anyway I'm still thinking what can differ
between both servers so that the authentication without realm does not
work here.

All comments are greatly appreciated.


Kind regards,
Daniel



Re: Issue with SASL authentication

John Fawcett
On 05/25/2017 06:20 PM, Daniel Bareiro wrote:

> Hi!
>
> On 24/05/17 21:18, Daniel Bareiro wrote:
>
>> Hi again.
>>
>> On 24/05/17 17:46, Daniel Bareiro wrote:
>>
>>> Maybe this question is not 100% about Postfix, but it is related. I am
>>> configuring a Postfix server with SASL authentication.
>>>
>>> When I do a test to authenticate, I get an error:
>>>
>>> ------------------------------------------------------------------
>>> root@server2:~# saslpasswd2 -c daniel
>>> ------------------------------------------------------------------
>>> root@server2:~# testsaslauthd -u daniel -p password
>>> 0: NO "authentication failed"
>>> ------------------------------------------------------------------
>>>
>>> However it works when I provide the realm:
>>>
>>> ------------------------------------------------------------------
>>> root@server2:~# testsaslauthd -u daniel -r server2 -p password
>>> 0: OK "Success."
>>> ------------------------------------------------------------------
>>>
>>> It's strange because I have another mail server where it works without
>>> problems:
>>>
>>> ------------------------------------------------------------------
>>> root@mail:~# testsaslauthd -u daniel -p password
>>> 0: OK "Success."
>>> ------------------------------------------------------------------
>>>
>>> Both hosts have Debian Jessie and the SASL configuration is the same:
>>>
>>> ------------------------------------------------------------------
>>> root@mail:~# grep ^[^#] /etc/default/saslauthd
>>> START=yes
>>> DESC="SASL Authentication Daemon"
>>> NAME="saslauthd"
>>> MECHANISMS="sasldb"
>>> MECH_OPTIONS=""
>>> THREADS=5
>>> OPTIONS="-c -m /var/run/saslauthd"
>>> ------------------------------------------------------------------
>>> root@server2:~# grep ^[^#] /etc/default/saslauthd
>>> START=yes
>>> DESC="SASL Authentication Daemon"
>>> NAME="saslauthd"
>>> MECHANISMS="sasldb"
>>> MECH_OPTIONS=""
>>> THREADS=5
>>> OPTIONS="-c -m /var/run/saslauthd"
>>> ------------------------------------------------------------------
>>>
>>> "

Are the contents of the file containing the sasl users and passwords the
same between the two hosts?

John

Re: Issue with SASL authentication

Patrick Ben Koetter-2
In reply to this post by Daniel Bareiro
Daniel,

* Daniel Bareiro <[hidden email]>:
> So it all comes down to saslauthd not being able to authenticate without
> the realm. What I cannot find out is why this happens. I do not see the
> difference in the configuration between both servers.
>
> In any case, it seems that Cyrus IMAP is able to run smoothly. But it's
> not the same with Postfix. Anyway I'm still thinking what can differ
> between both servers so that the authentication without realm does not
> work here.

I have no idea why the domain needs to be appended on one machine and doesn't
have to on another one, but *if* all your SASL users are within the same
domain (realm) Postfix can 'add' it for you.

Assuming 'server2' is your domain/realm put this in main.cf:

smtpd_sasl_local_domain = server2

p@rick


--
[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
 
Registered office: München, Amtsgericht München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
 

Re: Issue with SASL authentication

Daniel Bareiro
In reply to this post by John Fawcett
Hi all!

Thanks to all who were interested and answered for this issue. I
appreciate it. An update below.

On 25/05/17 18:08, Andreas Schamanek wrote:

> Hi Daniel,
>
> I wish I could help. I even compared your stuff with my setup and
> re-read https://wiki.debian.org/PostfixAndSASL. Now I don't
> understand why it works at all on my server. However, I'll ignore this
> and keep my fingers off and crossed ;-)
>
> On Thu, 25 May 2017, at 21:15, John Fawcett wrote:
>
>> Are the contents of the file containing the sasl users and passwords
>> the same between the two hosts?
>
> That's a good question, though. My Debian Postfix uses PAM. The DB is
> empty:
>
> ```
> # sasldblistusers2 -v 2>&1 | grep version
> Built against SASL API version 2.1.26
> LibSasl version 2.1.26 by "Cyrus SASL"
> # sasldblistusers2 #-> returns nothing
> # strings /etc/sasldb2
> no:such:user
> userPassword
> ```

Fortunately I was able to find the cause of this issue and
authentication is already working. As mentioned in another thread
(Delivery to accounts of the same domain on two different servers),
there are already users authenticating without problems.

It seems that the issue was an inconsistency in the server name:
/etc/hostname for the operating system provided by the VPS provider had
uppercase and lowercase characters, but when creating each SASL user,
these users use a realm with the hostname string converted entirely to
lowercase. After changing the host name to something less cryptic and
everything in lowercase and re-creating the users in SASL, everything
worked without problems.

Something quite weird ... but we always learn new things ... :-)


Kind regards,
Daniel
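
Added example, not part of the thread or written by any of its participants: a shell check for the condition described in the last message, where the realm stored with each sasldb user differs from the system host name only by letter case. The function names, the host name `Server2` and the user `maria` are constructed for illustration; the listing format `user@realm: userPassword` is what `sasldblistusers2` prints.

```shell
#!/bin/sh
# Added example (not from the thread): compare the realms in a
# sasldblistusers2-style listing with a host name, flagging case-only
# differences such as the one described in the final message.

# lower STRING -> STRING folded to lowercase
lower() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# classify_realm HOSTNAME REALM -> prints match | case-mismatch | different
classify_realm() {
    if [ "$1" = "$2" ]; then
        echo match
    elif [ "$(lower "$1")" = "$(lower "$2")" ]; then
        echo case-mismatch
    else
        echo different
    fi
}

# check_sasldb_realms HOSTNAME   (listing on stdin)
# Prints "user realm verdict" for every entry and returns 1 if any
# entry's realm is not an exact match for HOSTNAME.
check_sasldb_realms() {
    host=$1
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            *@*:*) ;;            # looks like "user@realm: property"
            *) continue ;;       # skip anything else
        esac
        entry=${line%%:*}        # user@realm
        user=${entry%@*}
        realm=${entry##*@}
        verdict=$(classify_realm "$host" "$realm")
        printf '%s %s %s\n' "$user" "$realm" "$verdict"
        [ "$verdict" = match ] || rc=1
    done
    return $rc
}

# Constructed sample data: a mixed-case host name and users whose realm
# was stored in lowercase.
SAMPLE_HOSTNAME='Server2'
SAMPLE_LISTING='daniel@server2: userPassword
maria@server2: userPassword'

printf '%s\n' "$SAMPLE_LISTING" | check_sasldb_realms "$SAMPLE_HOSTNAME" \
    || echo "at least one realm does not match the host name exactly"

# On a live host the same check would be fed real data:
#   sasldblistusers2 | check_sasldb_realms "$(hostname)"
```
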

