SASL configuration issue

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

SASL configuration issue

James Moe
Hello,
  postfix 3.3.1
  opensuse 15.0 (linux )

  AFAICT the configuration on this computer is the same as that on
another where postfix works just fine. Obviously, something is different.
  The report of a mystery error is not much help.
  I cannot determine the failure. Postfix finds the authentication data,
and promptly fails authentication.
  What has this gone wrong?

  Below are the log entries for one failure, and an excerpt from <main.cf>.

----[ log entry ]----
  (see attached file)
----[ end ]----

############################################################
# SASL stuff
############################################################
smtp_sasl_auth_enable = yes
smtp_sasl_security_options =
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtpd_sasl_auth_enable = no
#smtpd_sasl_path = private/auth
#smtpd_sasl_type = dovecot
############################################################
# TLS stuff
############################################################
tls_append_default_CA = no
relay_clientcerts =
#tls_random_source = dev:/dev/urandom

smtp_use_tls = yes
#smtp_tls_loglevel = 0
smtp_enforce_tls = no
smtp_tls_CAfile =
smtp_tls_CApath = /etc/ssl/cacerts
smtp_tls_cert_file =
smtp_tls_key_file =
#smtp_tls_session_cache_timeout = 3600s
smtp_tls_session_cache_database =
btree:/var/lib/postfix/smtp_tls_session_cache

smtpd_use_tls = no
#smtpd_tls_loglevel = 0
smtpd_tls_CAfile =
smtpd_tls_CApath =
smtpd_tls_cert_file =
smtpd_tls_key_file =
smtpd_tls_ask_ccert = no
smtpd_tls_received_header = no


--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.

postfix-logs-1.txt (19K) Download Attachment
signature.asc (201 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: SASL configuration issue

Viktor Dukhovni
On Wed, Mar 27, 2019 at 02:40:36PM -0700, James Moe wrote:

> 2019-03-27T14:16:57-0700 sma-station14l postfix/smtp[19939]: < mail.sma.com[192.168.69.246]:5025: 250-sma-inc.us we trust you sma-station14l.sma.com
> 2019-03-27T14:16:57-0700 sma-station14l postfix/smtp[19939]: < mail.sma.com[192.168.69.246]:5025: 250-DSN
> 2019-03-27T14:16:57-0700 sma-station14l postfix/smtp[19939]: < mail.sma.com[192.168.69.246]:5025: 250-SIZE
> 2019-03-27T14:16:57-0700 sma-station14l postfix/smtp[19939]: < mail.sma.com[192.168.69.246]:5025: 250-AUTH LOGIN PLAIN CRAM-MD5 DIGEST-MD5 GSSAPI
> 2019-03-27T14:16:57-0700 sma-station14l postfix/smtp[19939]: < mail.sma.com[192.168.69.246]:5025: 250-NO-SOLICITING
> 2019-03-27T14:16:57-0700 sma-station14l postfix/smtp[19939]: < mail.sma.com[192.168.69.246]:5025: 250-8BITMIME
> 2019-03-27T14:16:57-0700 sma-station14l postfix/smtp[19939]: < mail.sma.com[192.168.69.246]:5025: 250-HELP
> 2019-03-27T14:16:57-0700 sma-station14l postfix/smtp[19939]: < mail.sma.com[192.168.69.246]:5025: 250 EHLO

The server offers multiple SASL mechanisms, including GSSAPI.

> 2019-03-27T14:16:57-0700 sma-station14l postfix/smtp[19939]: smtp_sasl_authenticate: mail.sma.com[192.168.69.246]:5025: SASL mechanisms LOGIN PLAIN CRAM-MD5 DIGEST-MD5 GSSAPI

The client's SASL library supports multiple mechanisms, including GSSAPI.

> 2019-03-27T14:16:57-0700 sma-station14l postfix/smtp[19939]: GSSAPI client step 1

The SASL library chooses GSSAPI

> 2019-03-27T14:16:57-0700 sma-station14l postfix/smtp[19939]: warning: SASL authentication failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available (default cache: DIR:/run/user/51/krb5cc))

despite lack of GSSAPI credentials, and fails.

> 2019-03-27T14:16:57-0700 sma-station14l postfix/smtp[19939]: connect to subsystem private/defer

Try:

    http://www.postfix.org/postconf.5.html#smtp_sasl_mechanism_filter

    smtp_sasl_mechanism_filter = plain

--
        Viktor.