SASL authentication problem


SASL authentication problem

Bernhard Rohrer
Hi guys

I recently upgraded my mailserver from Ubuntu gutsy to hardy and
somehow SASL broke in the process:

I am using postfix with ldap for authentication and configuration. The
configuration part (aliases) works nicely, but when I try to submit to
port 587 which does an authentication via sasl/ldap I get:

mail.log shows this:

Jun 12 22:44:15 collab postfix/smtpd[10513]:
lionscage.local[192.168.1.8]: save session
C8DF006B81DC0C8FEE137BDFB39A09E8BEE013868C9B62E5B54A05F54A35A4C0&s=submissio$
Jun 12 22:44:15 collab postfix/tlsmgr[10428]: put smtpd session
id=C8DF006B81DC0C8FEE137BDFB39A09E8BEE013868C9B62E5B54A05F54A35A4C0&s=submission
[data 127 bytes]
Jun 12 22:44:15 collab postfix/tlsmgr[10428]: write smtpd TLS cache
entry C8DF006B81DC0C8FEE137BDFB39A09E8BEE013868C9B62E5B54A05F54A35A4C0&s=submission:
time=121330$
Jun 12 22:44:15 collab postfix/smtpd[10513]: Anonymous TLS connection
established from lionscage.local[192.168.1.8]: TLSv1 with cipher
DHE-RSA-AES256-SHA (256/256 b$
Jun 12 22:44:15 collab postfix/smtpd[10513]: warning: SASL
authentication failure: cannot connect to saslauthd server: Permission
denied
Jun 12 22:44:15 collab postfix/smtpd[10513]: warning: SASL
authentication failure: Password verification failed
Jun 12 22:44:15 collab postfix/smtpd[10513]: warning:
lionscage.local[192.168.1.8]: SASL PLAIN authentication failed:
generic failure

master.cf:

root@collab:/etc/postfix# cat master.cf
#
# Postfix master process configuration file.  For details on the format
# of the file, see the Postfix master(5) manual page.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
#submission inet n      -       -       -       -        smtpd
#       -o smtpd_etrn_restrictions=reject
#       -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps    inet  n       -       -       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
#submission inet n      -       -       -       -       smtpd
#    -o smtpd_etrn_restrictions=reject
#    -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#628      inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       -       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       -       -       -       smtp
       -o fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
#maildrop  unix  -       n       n       -       -       pipe
#  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
 flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
 flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
 flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
 flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
 flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
 ${nexthop} ${user}
policy  unix  -       n       n       -       -       spawn
 user=nobody argv=/usr/bin/perl /usr/share/perl5/Mail/postfix-policyd-spf.pl
#
# Before-filter SMTP server. Receive mail from the network and
# pass it to the content filter on localhost port 10025.
#
smtp      inet  n       -       n       -       -       smtpd
   -o smtpd_proxy_filter=127.0.0.1:10025
   -o smtpd_client_connection_count_limit=20
   -o content_filter=dksign:[127.0.0.1]:10027
#
# After-filter SMTP server. Receive mail from the content filter on
# localhost port 10026.
#
127.0.0.1:10026 inet n  -       n       -        -      smtpd
   -o smtpd_authorized_xforward_hosts=127.0.0.0/8
   -o smtpd_client_restrictions=
   -o smtpd_helo_restrictions=
   -o smtpd_sender_restrictions=
   -o smtpd_recipient_restrictions=permit_mynetworks,reject
   -o smtpd_data_restrictions=
   -o mynetworks=127.0.0.0/8,192.168.0.0/16
   -o receive_override_options=no_unknown_recipient_checks
#
# modify the default submission service to specify a content filter
# and restrict it to local clients and SASL authenticated clients only
#
submission  inet  n     -       n       -       -       smtpd
   -o smtpd_etrn_restrictions=reject
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_enforce_tls=yes
#    -o content_filter=dksign:[127.0.0.1]:10027
   -o receive_override_options=no_address_mappings
   -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#
# specify the location of the DomainKeys signing filter
#
dksign    unix  -       -       n       -       10      smtp
   -o smtp_send_xforward_command=yes
   -o smtp_discard_ehlo_keywords=8bitmime
#
# service for accepting messages FROM the DomainKeys signing filter
#
127.0.0.1:10028 inet  n  -      n       -       10      smtpd
   -o content_filter=
   -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
   -o smtpd_helo_restrictions=
   -o smtpd_client_restrictions=
   -o smtpd_sender_restrictions=
   -o smtpd_recipient_restrictions=permit_mynetworks,reject
   -o mynetworks=127.0.0.0/8,192.168.0.0/16
#    -o smtpd_authorized_xforward_hosts=127.0.0.0/8

sublion inet  n     -       n       -       -       smtpd
   -o smtpd_etrn_restrictions=reject
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_enforce_tls=no
   -o content_filter=dksign:[127.0.0.1]:10027
   -o receive_override_options=no_address_mappings
   -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
retry     unix  -       -       -       -       -       error

given that the new version of SASL works differently I have 2
instances running now, this is the one for postfix

root@collab:/etc/default# cat saslauthd-postfix
#
# Settings for saslauthd daemon
#

# Should saslauthd run automatically on startup? (default: no)
START=yes

# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent  -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam       -- use PAM
# rimap     -- use a remote IMAP server
# shadow    -- use the local shadow password file
# sasldb    -- use the local sasldb database file
# ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="ldap"

# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""

# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5

# Other options (default: -c)
# See the saslauthd man page for information about these options.
#
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
# Note: See /usr/share/doc/sasl2-bin/README.Debian
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
NAME="saslauthd-postfix"
DESC="der fuer postfix"

root@collab:/etc/postfix/sasl# cat smtpd.conf
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd
mech_list: plain login
allow_plaintext: true
ldap_sasl: 1
ldap_servers: ldap://localhost/
ldap_base: dc=domain,dc=tld
ldap_group_base: ou=groups,dc=domain,dc=tld
ldap_group_filter: cn=%U
ldap_member_filter: dn=%U
ldap_group_scope: sub
ldap_member_method: filter


root@collab:/var/spool/postfix/var/run/saslauthd# ls -al
total 980
drwx--x--- 2 root sasl   4096 2008-06-12 22:20 .
drwxr-xr-x 3 root root   4096 2008-03-13 00:13 ..
-rw------- 1 root root      0 2008-06-12 22:20 cache.flock
-rw------- 1 root root 986112 2008-06-12 22:20 cache.mmap
srwxrwxrwx 1 root root      0 2008-06-12 22:20 mux
-rw------- 1 root root      0 2008-06-12 22:20 mux.accept
-rw------- 1 root root      6 2008-06-12 22:20 saslauthd.pid

I did the dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd

and to add insult to injury:

root@collab:# sudo -u postfix testsaslauthd -f /var/spool/postfix/var/run/saslauthd/mux -u xxxxxxx -p xyz
0: OK "Success."

what am I missing?

this worked rather nicely before the upgrade from ubuntu gutsy to hardy

thanks

Bernhard

Re: SASL authentication problem

Sahil Tandon
Bernhard Rohrer <[hidden email]> wrote:

[...]

> Jun 12 22:44:15 collab postfix/smtpd[10513]: warning: SASL
> authentication failure: cannot connect to saslauthd server: Permission
> denied

[...]

> root@collab:/var/spool/postfix/var/run/saslauthd# ls -al
> total 980
> drwx--x--- 2 root sasl   4096 2008-06-12 22:20 .
                    ^^^^
Bit of a wild guess.  Is the postfix user part of the sasl group?  

--
Sahil Tandon <[hidden email]>

Re: SASL authentication problem

Bernhard Rohrer
sadly yes:

root@collab:/home/adminlion# grep sasl /etc/group
sasl:x:45:cyrus,postfix

root@collab:/var/run/saslauthd# ls -al
total 976
drwx--x---  2 root sasl    140 2008-06-12 22:20 .
drwxr-xr-x 28 root root    960 2008-06-12 22:21 ..
-rw-------  1 root root      0 2008-06-12 22:20 cache.flock
-rw-------  1 root root 986112 2008-06-12 22:20 cache.mmap
srwxrwxrwx  1 root root      0 2008-06-12 22:20 mux
-rw-------  1 root root      0 2008-06-12 22:20 mux.accept
-rw-------  1 root root      6 2008-06-12 22:20 saslauthd.pid

which means that the exact same setup works for cyrus

thanks

Bernhard

2008/6/14 Sahil Tandon <[hidden email]>:

> Bernhard Rohrer <[hidden email]> wrote:
>
> [...]
>
>> Jun 12 22:44:15 collab postfix/smtpd[10513]: warning: SASL
>> authentication failure: cannot connect to saslauthd server: Permission
>> denied
>
> [...]
>
>> root@collab:/var/spool/postfix/var/run/saslauthd# ls -al
>> total 980
>> drwx--x--- 2 root sasl   4096 2008-06-12 22:20 .
>                    ^^^^
> Bit of a wild guess.  Is the postfix user part of the sasl group?
>
> --
> Sahil Tandon <[hidden email]>
>

Re: SASL authentication problem

Wietse Venema
Bernhard Rohrer:

> sadly yes:
>
> root@collab:/home/adminlion# grep sasl /etc/group
> sasl:x:45:cyrus,postfix
>
> root@collab:/var/run/saslauthd# ls -al
> total 976
> drwx--x---  2 root sasl    140 2008-06-12 22:20 .
> drwxr-xr-x 28 root root    960 2008-06-12 22:21 ..
> -rw-------  1 root root      0 2008-06-12 22:20 cache.flock
> -rw-------  1 root root 986112 2008-06-12 22:20 cache.mmap
> srwxrwxrwx  1 root root      0 2008-06-12 22:20 mux
> -rw-------  1 root root      0 2008-06-12 22:20 mux.accept
> -rw-------  1 root root      6 2008-06-12 22:20 saslauthd.pid
>
> which means that the exact same setup works for cyrus

What is the NUMERICAL group ID of the Postfix password file
entry? If that number does not give group access to the cyrus
socket then Postfix will not be able to use it.

What you are looking at in /etc/group are the secondary groups,
and Postfix does not use secondary groups.

        Wietse

Re: SASL authentication problem

Wietse Venema
In reply to this post by Bernhard Rohrer
Bernhard Rohrer:
> root@collab:/home/adminlion# grep sasl /etc/group
> sasl:x:45:cyrus,postfix
>
> root@collab:/var/run/saslauthd# ls -al
> total 976
> drwx--x---  2 root sasl    140 2008-06-12 22:20 .
...
> srwxrwxrwx  1 root root      0 2008-06-12 22:20 mux

So, the directory is owned by numerical group ID 45.

Wietse:
> What is the NUMERICAL group ID of the Postfix password file
> entry? If that number does not give group access to the cyrus
> socket then Postfix will not be able to use it.

Bernhard Rohrer:
> postfix:x:107:116::/var/spool/postfix:/bin/false

So, the postfix process has numerical group ID 116.

There is no way that a process with group ID 116 can have
group access to an object that is owned by group ID 45.

        Wietse
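
Added example (not part of the original thread): a model of the check Wietse describes, built from the passwd, group and `ls -al` lines quoted above. It compares the Postfix daemon, which keeps only its primary group, with a `sudo -u postfix` shell, which also receives the supplementary groups from /etc/group; that difference is why `testsaslauthd` succeeded while smtpd was refused. The helper names and the name-to-ID tables are assumptions for illustration.

```python
# Added example: values are copied from the posts above; helper names are illustrative.
PASSWD_LINE = "postfix:x:107:116::/var/spool/postfix:/bin/false"
GROUP_LINES = ["sasl:x:45:cyrus,postfix"]
DIR_LS = "drwx--x---  2 root sasl    140 2008-06-12 22:20 ."
SOCK_LS = "srwxrwxrwx  1 root root      0 2008-06-12 22:20 mux"
# Assumptions: root is uid/gid 0 and the group named "postfix" is gid 116.
USERS = {"root": 0, "postfix": 107}
GROUPS = {"root": 0, "sasl": 45, "postfix": 116}


def parse_ls(line):
    """Return (mode, owner_uid, owner_gid) for one `ls -l` line (rwx bits only)."""
    fields = line.split()
    mode = 0
    for ch in fields[0][1:10]:
        mode = (mode << 1) | (ch != "-")
    return mode, USERS[fields[2]], GROUPS[fields[3]]


def credentials(passwd_line, group_lines, supplementary):
    """Return (uid, set of gids). The daemon case keeps only the primary gid."""
    name, _, uid, gid = passwd_line.split(":")[:4]
    gids = {int(gid)}
    if supplementary:
        for line in group_lines:
            _, _, ggid, members = line.split(":")
            if name in members.split(","):
                gids.add(int(ggid))
    return int(uid), gids


def class_bits(entry, uid, gids):
    """Pick the single rwx triplet the kernel applies: owner, else group, else other."""
    mode, owner_uid, owner_gid = entry
    if uid == owner_uid:
        return (mode >> 6) & 7
    if owner_gid in gids:
        return (mode >> 3) & 7
    return mode & 7


def can_connect(dir_entry, sock_entry, uid, gids):
    """connect() needs search (x) on the directory and write (w) on the socket."""
    dir_ok = bool(class_bits(dir_entry, uid, gids) & 1)
    sock_ok = bool(class_bits(sock_entry, uid, gids) & 2)
    return dir_ok and sock_ok


def check(supplementary):
    """Evaluate access to the mux socket with or without supplementary groups."""
    uid, gids = credentials(PASSWD_LINE, GROUP_LINES, supplementary)
    return can_connect(parse_ls(DIR_LS), parse_ls(SOCK_LS), uid, gids)


if __name__ == "__main__":
    print("smtpd daemon (gid 116 only):", check(False))
    print("sudo -u postfix (gids 116 and 45):", check(True))
```
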

Re: SASL authentication problem

Bernhard Rohrer
OK, I changed the ownership of the postfix saslauthd directory:

root@collab:/var/spool/postfix/var/run/saslauthd# ls -al
total 980
drwxr-x--- 2 root postfix   4096 2008-06-16 13:05 .
drwxr-xr-x 3 root root      4096 2008-06-16 13:05 ..
-rw------- 1 root root         0 2008-06-16 13:05 cache.flock
-rw------- 1 root root    986112 2008-06-16 13:05 cache.mmap
srwxrwxrwx 1 root root         0 2008-06-16 13:05 mux
-rw------- 1 root root         0 2008-06-16 13:05 mux.accept
-rw------- 1 root root         6 2008-06-16 13:05 saslauthd.pid

sadly the effect is the same :(

Jun 16 13:06:25 collab postfix/smtpd[31367]: unknown[66.7.58.13]: save
session A9CBC6DCDCEECC3C351BAE160C896F1EADB5B3EC542567C2C5D8F858AB9AE866&s=submission
to smtpd cache
Jun 16 13:06:25 collab postfix/tlsmgr[31368]: put smtpd session
id=A9CBC6DCDCEECC3C351BAE160C896F1EADB5B3EC542567C2C5D8F858AB9AE866&s=submission
[data 127 bytes]
Jun 16 13:06:25 collab postfix/tlsmgr[31368]: write smtpd TLS cache
entry A9CBC6DCDCEECC3C351BAE160C896F1EADB5B3EC542567C2C5D8F858AB9AE866&s=submission:
time=1213617985 [data 127 bytes]
Jun 16 13:06:25 collab postfix/smtpd[31367]: Anonymous TLS connection
established from unknown[66.7.58.13]: TLSv1 with cipher
DHE-RSA-AES256-SHA (256/256 bits)
Jun 16 13:06:34 collab postfix/smtpd[31367]: warning: SASL
authentication failure: cannot connect to saslauthd server: Permission
denied
Jun 16 13:06:34 collab postfix/smtpd[31367]: warning: SASL
authentication failure: Password verification failed
Jun 16 13:06:34 collab postfix/smtpd[31367]: warning:
unknown[66.7.58.13]: SASL PLAIN authentication failed: generic failure
Jun 16 13:06:36 collab postfix/smtpd[31367]: warning: SASL
authentication failure: cannot connect to saslauthd server: Permission
denied
Jun 16 13:06:36 collab postfix/smtpd[31367]: warning:
unknown[66.7.58.13]: SASL LOGIN authentication failed: generic failure
Jun 16 13:06:44 collab postfix/smtpd[31367]: warning: SASL
authentication failure: cannot connect to saslauthd server: Permission
denied
Jun 16 13:06:44 collab postfix/smtpd[31367]: warning: SASL
authentication failure: Password verification failed
Jun 16 13:06:44 collab postfix/smtpd[31367]: warning:
unknown[66.7.58.13]: SASL PLAIN authentication failed: generic failure
Jun 16 13:06:45 collab postfix/smtpd[31367]: warning: SASL
authentication failure: cannot connect to saslauthd server: Permission
denied
Jun 16 13:06:45 collab postfix/smtpd[31367]: warning:
unknown[66.7.58.13]: SASL LOGIN authentication failed: generic failure

again, this worked before the update ...

cheers

Bernhard

2008/6/15 Wietse Venema <[hidden email]>:

> Bernhard Rohrer:
>> root@collab:/home/adminlion# grep sasl /etc/group
>> sasl:x:45:cyrus,postfix
>>
>> root@collab:/var/run/saslauthd# ls -al
>> total 976
>> drwx--x---  2 root sasl    140 2008-06-12 22:20 .
> ...
>> srwxrwxrwx  1 root root      0 2008-06-12 22:20 mux
>
> So, the directory is owned by numerical group ID 45.
>
> Wietse:
>> What is the NUMERICAL group ID of the Postfix password file
>> entry? If that number does not give group access to the cyrus
>> socket then Postfix will not be able to use it.
>
> Bernhard Rohrer:
>> postfix:x:107:116::/var/spool/postfix:/bin/false
>
> So, the postfix process has numerical group ID 116.
>
> There is no way that a process with group ID 116 can have
> group access to an object that is owned by group ID 45.
>
>        Wietse
>

Re: SASL authentication problem

Bernhard Rohrer
Actually I am beginning to think that the problem may be here:

submission  inet  n     -       n       -       -       smtpd
    -o smtpd_etrn_restrictions=reject
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_enforce_tls=yes
#    -o content_filter=dksign:[127.0.0.1]:10027
    -o receive_override_options=no_address_mappings
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

as this doesn't run in the chroot jail. I have tried putting it into
the chroot jail, but that simply breaks it.

any ideas?

Thanks

Bernhard

Re: SASL authentication problem

mouss-2
In reply to this post by Bernhard Rohrer
Bernhard Rohrer wrote:
> OK, I changed the ownership of the postfix saslauthd directory:
>
> root@collab:/var/spool/postfix/var/run/saslauthd# ls -al
>  

- your submission service is not chrooted, so this directory doesn't count.
- you have two smtpd listeners on port 25. This cannot work.


> total 980
> drwxr-x--- 2 root postfix   4096 2008-06-16 13:05 .
> drwxr-xr-x 3 root root      4096 2008-06-16 13:05 ..
> -rw------- 1 root root         0 2008-06-16 13:05 cache.flock
> -rw------- 1 root root    986112 2008-06-16 13:05 cache.mmap
> srwxrwxrwx 1 root root         0 2008-06-16 13:05 mux
> -rw------- 1 root root         0 2008-06-16 13:05 mux.accept
> -rw------- 1 root root         6 2008-06-16 13:05 saslauthd.pid
>
> sadly the effect is the same :(
>
> Jun 16 13:06:25 collab postfix/smtpd[31367]: unknown[66.7.58.13]: save
> session A9CBC6DCDCEECC3C351BAE160C896F1EADB5B3EC542567C2C5D8F858AB9AE866&s=submission
> to smtpd cache
> Jun 16 13:06:25 collab postfix/tlsmgr[31368]: put smtpd session
> id=A9CBC6DCDCEECC3C351BAE160C896F1EADB5B3EC542567C2C5D8F858AB9AE866&s=submission
> [data 127 bytes]
> Jun 16 13:06:25 collab postfix/tlsmgr[31368]: write smtpd TLS cache
> entry A9CBC6DCDCEECC3C351BAE160C896F1EADB5B3EC542567C2C5D8F858AB9AE866&s=submission:
> time=1213617985 [data 127 bytes]
> Jun 16 13:06:25 collab postfix/smtpd[31367]: Anonymous TLS connection
> established from unknown[66.7.58.13]: TLSv1 with cipher
> DHE-RSA-AES256-SHA (256/256 bits)
> Jun 16 13:06:34 collab postfix/smtpd[31367]: warning: SASL
> authentication failure: cannot connect to saslauthd server: Permission
> denied
> Jun 16 13:06:34 collab postfix/smtpd[31367]: warning: SASL
> authentication failure: Password verification failed
> Jun 16 13:06:34 collab postfix/smtpd[31367]: warning:
> unknown[66.7.58.13]: SASL PLAIN authentication failed: generic failure
> Jun 16 13:06:36 collab postfix/smtpd[31367]: warning: SASL
> authentication failure: cannot connect to saslauthd server: Permission
> denied
> Jun 16 13:06:36 collab postfix/smtpd[31367]: warning:
> unknown[66.7.58.13]: SASL LOGIN authentication failed: generic failure
> Jun 16 13:06:44 collab postfix/smtpd[31367]: warning: SASL
> authentication failure: cannot connect to saslauthd server: Permission
> denied
> Jun 16 13:06:44 collab postfix/smtpd[31367]: warning: SASL
> authentication failure: Password verification failed
> Jun 16 13:06:44 collab postfix/smtpd[31367]: warning:
> unknown[66.7.58.13]: SASL PLAIN authentication failed: generic failure
> Jun 16 13:06:45 collab postfix/smtpd[31367]: warning: SASL
> authentication failure: cannot connect to saslauthd server: Permission
> denied
> Jun 16 13:06:45 collab postfix/smtpd[31367]: warning:
> unknown[66.7.58.13]: SASL LOGIN authentication failed: generic failure
>
> again, this worked before the update ...
>
> cheers
>
> Bernhard
>
> 2008/6/15 Wietse Venema <[hidden email]>:
>  
>> Bernhard Rohrer:
>>    
>>> root@collab:/home/adminlion# grep sasl /etc/group
>>> sasl:x:45:cyrus,postfix
>>>
>>> root@collab:/var/run/saslauthd# ls -al
>>> total 976
>>> drwx--x---  2 root sasl    140 2008-06-12 22:20 .
>>>      
>> ...
>>    
>>> srwxrwxrwx  1 root root      0 2008-06-12 22:20 mux
>>>      
>> So, the directory is owned by numerical group ID 45.
>>
>> Wietse:
>>    
>>> What is the NUMERICAL group ID of the Postfix password file
>>> entry? If that number does not give group access to the cyrus
>>> socket then Postfix will not be able to use it.
>>>      
>> Bernhard Rohrer:
>>    
>>> postfix:x:107:116::/var/spool/postfix:/bin/false
>>>      
>> So, the postfix process has numerical group ID 116.
>>
>> There is no way that a process with group ID 116 can have
>> group access to an object that is owned by group ID 45.
>>
>>        Wietse
>>
>>    


Fwd: SASL authentication problem

Bernhard Rohrer
---------- Forwarded message ----------
From: Bernhard Rohrer <[hidden email]>
Date: 2008/6/17
Subject: Re: SASL authentication problem
To: mouss <[hidden email]>


"
- your submission service is not chrooted, so this directory doesn't count."

I figured. how do I fix this?

thanks

Bernhard

Re: Fwd: SASL authentication problem

mouss-2
Bernhard Rohrer wrote:

> ---------- Forwarded message ----------
> From: Bernhard Rohrer <[hidden email]>
> Date: 2008/6/17
> Subject: Re: SASL authentication problem
> To: mouss <[hidden email]>
>
>
> "
> - your submission service is not chrooted, so this directory doesn't count."
>
> I figured. how do I fix this?
>  

the directory to care for is /var/run/... not
/var/spool/postfix/var/run/.... so check the permissions of
/var/run/saslauthd/... and make sure this is where saslauthd puts its stuff.
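
Added example (not part of the original thread): a parser for the master.cf layout posted above that reports, per service, whether smtpd runs chrooted and so which real directory `/var/run/saslauthd` resolves to, and that flags repeated inet listeners, the two points mouss raises. It assumes `/var/spool/postfix` is the queue directory and treats `-` in the chroot column as yes, as the header of the posted file states; the function names are illustrative.

```python
# Added example: MASTER_CF is an excerpt built from the master.cf posted in this
# thread (option lines trimmed); function names are illustrative.
MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       -       -       -       smtpd
smtp      inet  n       -       n       -       -       smtpd
   -o smtpd_proxy_filter=127.0.0.1:10025
submission  inet  n     -       n       -       -       smtpd
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_enforce_tls=yes
"""
QUEUE_DIR = "/var/spool/postfix"  # assumption: queue_directory, the chroot root


def parse_master_cf(text, chroot_default=True):
    """Return one dict per service entry; comments and -o continuation lines are skipped."""
    services = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():  # continuation of the previous service entry
            continue
        fields = line.split()
        if len(fields) < 8:
            continue
        chroot = chroot_default if fields[4] == "-" else fields[4] == "y"
        services.append({"name": fields[0], "type": fields[1],
                         "chroot": chroot, "command": fields[7]})
    return services


def socket_dir_seen_by(service, path="/var/run/saslauthd", queue_dir=QUEUE_DIR):
    """Real filesystem directory that `path` refers to inside this service."""
    return queue_dir + path if service["chroot"] else path


def duplicate_listeners(services):
    """Names of inet services declared more than once (same name and type)."""
    seen, dups = set(), []
    for svc in services:
        key = (svc["name"], svc["type"])
        if svc["type"] == "inet" and key in seen and svc["name"] not in dups:
            dups.append(svc["name"])
        seen.add(key)
    return dups


if __name__ == "__main__":
    parsed = parse_master_cf(MASTER_CF)
    for svc in parsed:
        print(svc["name"], "chroot" if svc["chroot"] else "no chroot",
              "->", socket_dir_seen_by(svc))
    print("duplicate inet listeners:", duplicate_listeners(parsed))
```
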