SASL problems on Debian


SASL problems on Debian

Curtis Vaughan-2
I'm having a problem getting postfix and SASL (with TLS or SSL) working.
Although I've set up postfix many times with such a configuration, this
time I'm stumped as to what the problem could be. Whereas this is the
first time I've set up postfix on a fresh Debian Etch server, I'm
inclined to think that there may be something broken in Etch. But surely
that's not the case.

So here are some relevant logs I think:

Apr 27 08:29:31 dmz postfix/smtpd[9328]: initializing the server-side TLS
engine
Apr 27 08:29:31 dmz postfix/smtpd[9328]: connect from
c-76-28-231-225.hsd1.wa.comcast.net[76.28.231.225]
Apr 27 08:29:31 dmz postfix/smtpd[9328]: setting up TLS connection from
xxxx
Apr 27 08:29:31 dmz postfix/smtpd[9328]: SSL_accept:before/accept
initialization
Apr 27 08:29:31 dmz postfix/smtpd[9328]: SSL_accept:error in SSLv2/v3
read client hello A
Apr 27 08:29:31 dmz postfix/smtpd[9328]: SSL_accept:error in SSLv3 read
client hello B
Apr 27 08:29:31 dmz postfix/smtpd[9328]: SSL_accept:error in SSLv3 read
client hello B
Apr 27 08:29:31 dmz postfix/smtpd[9328]: looking up session
1DD8E2B3E12843404766DB4CA6D5CA67173BB41E0812F543513075FC4EF632F0 in smtpd
cache
Apr 27 08:29:31 dmz postfix/tlsmgr[4017]: lookup smtpd session
id=1DD8E2B3E12843404766DB4CA6D5CA67173BB41E0812F543513075FC4EF632F0
Apr 27 08:29:31 dmz postfix/smtpd[9328]: SSL_accept:SSLv3 read client
hello B
Apr 27 08:29:31 dmz postfix/smtpd[9328]: SSL_accept:SSLv3 write server
hello A
Apr 27 08:29:31 dmz postfix/smtpd[9328]: SSL_accept:SSLv3 write
certificate A
Apr 27 08:29:31 dmz postfix/smtpd[9328]: SSL_accept:SSLv3 write key
exchange A
Apr 27 08:29:31 dmz postfix/smtpd[9328]: SSL_accept:SSLv3 write server
done A
Apr 27 08:29:31 dmz postfix/smtpd[9328]: SSL_accept:SSLv3 flush data
Apr 27 08:29:31 dmz postfix/smtpd[9328]: SSL_accept:error in SSLv3 read
client certificate A
Apr 27 08:29:31 dmz postfix/smtpd[9328]: SSL_accept:error in SSLv3 read
client certificate A
Apr 27 08:29:31 dmz postfix/smtpd[9328]: SSL_accept:SSLv3 read client key
exchange A
Apr 27 08:29:31 dmz postfix/smtpd[9328]: SSL_accept:error in SSLv3 read
certificate verify A
Apr 27 08:29:31 dmz last message repeated 3 times
Apr 27 08:29:31 dmz postfix/smtpd[9328]: SSL_accept:SSLv3 read finished A
Apr 27 08:29:31 dmz postfix/smtpd[9328]: SSL_accept:SSLv3 write change
cipher spec A
Apr 27 08:29:31 dmz postfix/smtpd[9328]: SSL_accept:SSLv3 write finished A
Apr 27 08:29:31 dmz postfix/smtpd[9328]: SSL_accept:SSLv3 flush data
Apr 27 08:29:31 dmz postfix/smtpd[9328]: save session
AAB858400D1431A51BB62C387E6ABB970458562CA1768F29CCEAC39CB537B3EC to smtpd
cache
Apr 27 08:29:31 dmz postfix/tlsmgr[4017]: put smtpd session
id=AAB858400D1431A51BB62C387E6ABB970458562CA1768F29CCEAC39CB537B3EC [data
127 bytes]
Apr 27 08:29:31 dmz postfix/tlsmgr[4017]: write smtpd TLS cache entry
AAB858400D1431A51BB62C387E6ABB970458562CA1768F29CCEAC39CB537B3EC:
time=1209310171 [data 127 bytes]
Apr 27 08:29:31 dmz postfix/smtpd[9328]: TLS connection established from
xxxxx: SSLv3 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Apr 27 08:29:31 dmz postfix/smtpd[9328]: disconnect from xxxxxx



And a few more:

Apr 27 08:30:51 dmz postfix/smtpd[9328]: TLS connection established from
c-76-28-231-225.hsd1.wa.comcast.net[76.28.231.225]: SSLv3 with cipher DHE-
RSA-AES256-SHA (256/256 bits)
Apr 27 08:30:59 dmz postfix/smtpd[9328]: warning: SASL authentication
problem: unable to open Berkeley db /etc/sasldb2: Permission denied
Apr 27 08:30:59 dmz postfix/smtpd[9328]: warning: SASL authentication
problem: unable to open Berkeley db /etc/sasldb2: Permission denied
Apr 27 08:30:59 dmz postfix/smtpd[9328]: warning:
c-76-28-231-225.hsd1.wa.comcast.net[76.28.231.225]: SASL LOGIN
authentication failed: authentication failure
Apr 27 08:31:05 dmz postfix/smtpd[9328]: warning: SASL authentication
problem: unable to open Berkeley db /etc/sasldb2: Permission denied
Apr 27 08:31:05 dmz last message repeated 3 times
Apr 27 08:31:05 dmz postfix/smtpd[9328]: warning:
c-76-28-231-225.hsd1.wa.comcast.net[76.28.231.225]: SASL LOGIN
authentication failed: authentication failure


BTW, I have entered and reentered my password on both the server and the
client, but to no avail. It still says authentication failure.


Re: SASL problems on Debian

Wietse Venema
Curtis Vaughan:
> Apr 27 08:30:59 dmz postfix/smtpd[9328]: warning: SASL authentication
> problem: unable to open Berkeley db /etc/sasldb2: Permission denied

Fix this.

        Wietse

Re: SASL problems on Debian

Curtis Vaughan-2
On Sun, 27 Apr 2008 12:13:44 -0400, Wietse Venema wrote:

> Curtis Vaughan:
>> Apr 27 08:30:59 dmz postfix/smtpd[9328]: warning: SASL authentication
>> problem: unable to open Berkeley db /etc/sasldb2: Permission denied
>
> Fix this.
>
> Wietse

But the permissions are:
-rw-rw---- 1 root   sasl    12288 2008-04-26 22:47 sasldb2

The same as on other servers. So, I'm not sure whether I should make it
666 or what?


Re: SASL problems on Debian

Scott Kitterman-4
On Sun, 27 Apr 2008 16:31:39 +0000 (UTC) Curtis Vaughan
<[hidden email]> wrote:

>On Sun, 27 Apr 2008 12:13:44 -0400, Wietse Venema wrote:
>
>> Curtis Vaughan:
>>> Apr 27 08:30:59 dmz postfix/smtpd[9328]: warning: SASL authentication
>>> problem: unable to open Berkeley db /etc/sasldb2: Permission denied
>>
>> Fix this.
>>
>> Wietse
>
>But the permissions are:
>-rw-rw---- 1 root   sasl    12288 2008-04-26 22:47 sasldb2
>
>The same as on other servers. So, I'm not sure whether I should make it
>666 or what?
>
The postfix user needs to be in the sasl group.  Additionally if Postfix is
chrooted (default in Debian) you'll need to copy sasldb2 into the chroot.

Scott K

Re: SASL problems on Debian

Sahil Tandon
In reply to this post by Curtis Vaughan-2
* Curtis Vaughan <[hidden email]> [2008-04-27 16:31:39 +0000]:

> On Sun, 27 Apr 2008 12:13:44 -0400, Wietse Venema wrote:
>
> > Curtis Vaughan:
> >> Apr 27 08:30:59 dmz postfix/smtpd[9328]: warning: SASL authentication
> >> problem: unable to open Berkeley db /etc/sasldb2: Permission denied
> >
> > Fix this.
> >
> > Wietse
>
> But the permissions are:
> -rw-rw---- 1 root   sasl    12288 2008-04-26 22:47 sasldb2
>
> The same as on other servers. So, I'm not sure whether I should make it
> 666 or what?

Which user is trying to access the file?  Is that user in group 'sasl'?

--
Sahil Tandon <[hidden email]>

Re: SASL problems on Debian

Curtis Vaughan-2
In reply to this post by Scott Kitterman-4
On Sun, 27 Apr 2008 12:54:21 -0400, Scott Kitterman wrote:

> On Sun, 27 Apr 2008 16:31:39 +0000 (UTC) Curtis Vaughan
> <[hidden email]> wrote:
>>On Sun, 27 Apr 2008 12:13:44 -0400, Wietse Venema wrote:
>>
>>> Curtis Vaughan:
>>>> Apr 27 08:30:59 dmz postfix/smtpd[9328]: warning: SASL authentication
>>>> problem: unable to open Berkeley db /etc/sasldb2: Permission denied
>>>
>>> Fix this.
>>>
>>> Wietse
>>
>>But the permissions are:
>>-rw-rw---- 1 root   sasl    12288 2008-04-26 22:47 sasldb2
>>
>>The same as on other servers. So, I'm not sure whether I should make it
>>666 or what?
>>
> The postfix user needs to be in the sasl group.  Additionally if Postfix
> is chrooted (default in Debian) you'll need to copy sasldb2 into the
> chroot.
>
> Scott K

Adding postfix user to sasl group fixed the permission issue.
Nonetheless, I'm getting the following:

Apr 27 10:06:17 dmz postfix/smtpd[10525]: SSL_accept:SSLv3 read finished A
Apr 27 10:06:17 dmz postfix/smtpd[10525]: Reusing old session
Apr 27 10:06:17 dmz postfix/smtpd[10525]: TLS connection established from
c-76-28-231-225.hsd1.wa.comcast.net[76.28.231.225]: TLSv1 with cipher DHE-
RSA-AES256-SHA (256/256 bits)
Apr 27 10:06:23 dmz postfix/smtpd[10525]: warning:
c-76-28-231-225.hsd1.wa.comcast.net[76.28.231.225]: SASL LOGIN
authentication failed: authentication failure
Apr 27 10:06:27 dmz postfix/smtpd[10525]: warning:
c-76-28-231-225.hsd1.wa.comcast.net[76.28.231.225]: SASL LOGIN
authentication failed: authentication failure
Apr 27 10:06:42 dmz postfix/smtpd[10525]: disconnect from
c-76-28-231-225.hsd1.wa.comcast.net[76.28.231.225]

Oh, and it is not chroot-ed


Re: SASL problems on Debian

Wietse Venema
Curtis Vaughan:

> Adding postfix user to sasl group fixed the permission issue.
> Nonetheless, I'm getting the following:
>
> Apr 27 10:06:17 dmz postfix/smtpd[10525]: SSL_accept:SSLv3 read finished A
> Apr 27 10:06:17 dmz postfix/smtpd[10525]: Reusing old session
> Apr 27 10:06:17 dmz postfix/smtpd[10525]: TLS connection established from
> c-76-28-231-225.hsd1.wa.comcast.net[76.28.231.225]: TLSv1 with cipher DHE-
> RSA-AES256-SHA (256/256 bits)
> Apr 27 10:06:23 dmz postfix/smtpd[10525]: warning:
> c-76-28-231-225.hsd1.wa.comcast.net[76.28.231.225]: SASL LOGIN
> authentication failed: authentication failure

Having fixed the permissions problem, this is a good time
to pull out the saslfinger tool, as described in the mailing
list welcome message. A copy is included below.

        Wietse

TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail

TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html

Thank you for using Postfix.

Re: SASL problems on Debian

Curtis Vaughan-2
On Sun, 27 Apr 2008 14:29:09 -0400, Wietse Venema wrote:

> Curtis Vaughan:
>> Adding postfix user to sasl group fixed the permission issue.
>> Nonetheless, I'm getting the following:
>>
>> Apr 27 10:06:17 dmz postfix/smtpd[10525]: SSL_accept:SSLv3 read finished A
>> Apr 27 10:06:17 dmz postfix/smtpd[10525]: Reusing old session
>> Apr 27 10:06:17 dmz postfix/smtpd[10525]: TLS connection established from
>> c-76-28-231-225.hsd1.wa.comcast.net[76.28.231.225]: TLSv1 with cipher
>> DHE-RSA-AES256-SHA (256/256 bits)
>> Apr 27 10:06:23 dmz postfix/smtpd[10525]: warning:
>> c-76-28-231-225.hsd1.wa.comcast.net[76.28.231.225]: SASL LOGIN
>> authentication failed: authentication failure
>
> Having fixed the permissions problem, this is a good time to pull out
> the saslfinger tool, as described in the mailing list welcome message. A
> copy is included below.
>
> Wietse
>
> TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
>
> TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html
>
> Thank you for using Postfix.

So, having used saslfinger -s on the server here is the output.

saslfinger - postfix Cyrus sasl configuration Sun Apr 27 11:47:04 PDT 2008
version: 1.0.2
mode: server-side SMTP AUTH

-- basics --
Postfix: 2.3.8
System: Debian GNU/Linux 4.0 \n \l

-- smtpd is linked to --
        libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7d18000)

-- active SMTP AUTH and TLS parameters for smtpd --
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/postfix/tls.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/tls.pem
smtpd_tls_key_file = /etc/postfix/tls.pem
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_sessionid_cache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes


-- listing of /usr/lib/sasl2 --
total 696
drwxr-xr-x  2 root root  4096 2008-04-25 11:00 .
drwxr-xr-x 34 root root 12288 2008-04-27 11:45 ..
-rw-r--r--  1 root root 13304 2006-12-13 13:26 libanonymous.a
-rw-r--r--  1 root root   855 2006-12-13 13:26 libanonymous.la
-rw-r--r--  1 root root 12844 2006-12-13 13:26 libanonymous.so
-rw-r--r--  1 root root 12844 2006-12-13 13:26 libanonymous.so.2
-rw-r--r--  1 root root 12844 2006-12-13 13:26 libanonymous.so.2.0.22
-rw-r--r--  1 root root 15502 2006-12-13 13:26 libcrammd5.a
-rw-r--r--  1 root root   841 2006-12-13 13:26 libcrammd5.la
-rw-r--r--  1 root root 15052 2006-12-13 13:26 libcrammd5.so
-rw-r--r--  1 root root 15052 2006-12-13 13:26 libcrammd5.so.2
-rw-r--r--  1 root root 15052 2006-12-13 13:26 libcrammd5.so.2.0.22
-rw-r--r--  1 root root 46320 2006-12-13 13:26 libdigestmd5.a
-rw-r--r--  1 root root   864 2006-12-13 13:26 libdigestmd5.la
-rw-r--r--  1 root root 43040 2006-12-13 13:26 libdigestmd5.so
-rw-r--r--  1 root root 43040 2006-12-13 13:26 libdigestmd5.so.2
-rw-r--r--  1 root root 43040 2006-12-13 13:26 libdigestmd5.so.2.0.22
-rw-r--r--  1 root root 13482 2006-12-13 13:26 liblogin.a
-rw-r--r--  1 root root   835 2006-12-13 13:26 liblogin.la
-rw-r--r--  1 root root 13384 2006-12-13 13:26 liblogin.so
-rw-r--r--  1 root root 13384 2006-12-13 13:26 liblogin.so.2
-rw-r--r--  1 root root 13384 2006-12-13 13:26 liblogin.so.2.0.22
-rw-r--r--  1 root root 29300 2006-12-13 13:26 libntlm.a
-rw-r--r--  1 root root   829 2006-12-13 13:26 libntlm.la
-rw-r--r--  1 root root 28776 2006-12-13 13:26 libntlm.so
-rw-r--r--  1 root root 28776 2006-12-13 13:26 libntlm.so.2
-rw-r--r--  1 root root 28776 2006-12-13 13:26 libntlm.so.2.0.22
-rw-r--r--  1 root root 13818 2006-12-13 13:26 libplain.a
-rw-r--r--  1 root root   835 2006-12-13 13:26 libplain.la
-rw-r--r--  1 root root 13992 2006-12-13 13:26 libplain.so
-rw-r--r--  1 root root 13992 2006-12-13 13:26 libplain.so.2
-rw-r--r--  1 root root 13992 2006-12-13 13:26 libplain.so.2.0.22
-rw-r--r--  1 root root 21726 2006-12-13 13:26 libsasldb.a
-rw-r--r--  1 root root   856 2006-12-13 13:25 libsasldb.la
-rw-r--r--  1 root root 17980 2006-12-13 13:26 libsasldb.so
-rw-r--r--  1 root root 17980 2006-12-13 13:26 libsasldb.so.2
-rw-r--r--  1 root root 17980 2006-12-13 13:26 libsasldb.so.2.0.22
-rw-r--r--  1 root root    70 2008-04-22 13:18 smtpd.conf




-- content of /usr/lib/sasl2/smtpd.conf --
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: plain login

-- content of /etc/postfix/sasl/smtpd.conf --
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: plain login


-- active services in /etc/postfix/master.cf --
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
smtp      inet  n       -       n       -       50      smtpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       -       300     1       qmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       -       -       -       smtp
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail
($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -d -t$nexthop -f$sender
$recipient
scalemail-backend unix - n n - 2 pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
${nexthop} ${user} ${extension}

tlsmgr  unix - - n 1000? 1 tlsmgr
smtps  inet n - n - - smtpd -o
smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes

-- mechanisms on localhost --

-- end of saslfinger output --


RE: SASL problems on Debian

Gary V-2

>>> Apr 27 10:06:23 dmz postfix/smtpd[10525]: warning:
>>> c-76-28-231-225.hsd1.wa.comcast.net[76.28.231.225]: SASL LOGIN
>>> authentication failed: authentication failure
>>
> saslfinger - postfix Cyrus sasl configuration Sun Apr 27 11:47:04 PDT 2008
> version: 1.0.2
> mode: server-side SMTP AUTH
>
> -- basics --
> Postfix: 2.3.8
> System: Debian GNU/Linux 4.0 \n \l
>
> -- smtpd is linked to --
> libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7d18000)
>
> -- active SMTP AUTH and TLS parameters for smtpd --
> broken_sasl_auth_clients = yes
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain =

Run sasldblistusers2 and look at the format of the login name. I could be wrong here, but on Debian I seem to remember that if smtpd_sasl_local_domain is empty, the user would log in as (authenticate as) user@host. I don't know if that is how you have configured the users to log in however. What format did you use to add the logins (using saslpasswd2)?



> -- content of /etc/postfix/sasl/smtpd.conf --
> pwcheck_method: auxprop
> auxprop_plugin: sasldb
> mech_list: plain login



> -- active services in /etc/postfix/master.cf --
> # service type private unpriv chroot wakeup maxproc command + args
> # (yes) (yes) (yes) (never) (100)
> smtp inet n - n - 50 smtpd

Gary V
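Added example, not code from the thread, Postfix or Cyrus SASL: it covers both Scott Kitterman's point (smtpd's unprivileged user must be in group `sasl` to open `/etc/sasldb2`) and Gary V's point (the `user@realm` stored by saslpasswd2 must match the realm smtpd asks for). It re-creates the kernel's permission walk over an `ls -l` line and an `id` line, and compares the realms in `sasldblistusers2` output with the configured `smtpd_sasl_local_domain`. All command output, uids, gids and host names below are constructed; that an empty `smtpd_sasl_local_domain` falls back to the server host name is Gary V's description, taken here as an assumption.

```python
import re

# Constructed command output standing in for `ls -l /etc/sasldb2`,
# `id postfix` and `sasldblistusers2` on the box in the thread.
LS_SASLDB = "-rw-rw---- 1 root sasl 12288 2008-04-26 22:47 /etc/sasldb2"
ID_BEFORE = "uid=102(postfix) gid=105(postfix) groups=105(postfix)"
ID_AFTER = "uid=102(postfix) gid=105(postfix) groups=105(postfix),45(sasl)"
LISTUSERS = "curtis@dmz.example.com: userPassword\nbob@dmz: userPassword\n"


def can_read_sasldb(ls_line, id_line):
    """Walk the mode bits the way the kernel does for the user in `id_line`:
    owner class first, then group class, then other. Returns (ok, reason)."""
    fields = ls_line.split()
    mode, owner, group = fields[0], fields[2], fields[3]
    user = re.search(r"uid=\d+\(([^)]+)\)", id_line).group(1)
    groups = re.findall(r"\d+\(([^)]+)\)", id_line.split("groups=", 1)[1])
    if user == "root":
        return True, "root bypasses mode bits"
    if user == owner:
        return mode[1] == "r", "owner bits %s" % mode[1:4]
    if group in groups:
        return mode[4] == "r", "group bits %s via group %s" % (mode[4:7], group)
    return mode[7] == "r", "other bits %s; %s is not in group %s" % (
        mode[7:10], user, group)


def expected_realm(smtpd_sasl_local_domain, hostname):
    """Realm smtpd looks up in sasldb2: smtpd_sasl_local_domain if set,
    otherwise the server host name (Gary V's description; the exact fallback
    value is an assumption here)."""
    return smtpd_sasl_local_domain or hostname


def realm_mismatches(listusers_output, smtpd_sasl_local_domain, hostname):
    """Entries from sasldblistusers2 whose realm smtpd will never match; such
    accounts can only ever produce 'SASL LOGIN authentication failed'."""
    want = expected_realm(smtpd_sasl_local_domain, hostname)
    bad = []
    for line in listusers_output.splitlines():
        m = re.match(r"([^@\s]+)@([^:\s]+):", line)
        if m and m.group(2) != want:
            bad.append("%s@%s" % m.groups())
    return bad


if __name__ == "__main__":
    for label, id_line in (("before", ID_BEFORE), ("after adduser postfix sasl", ID_AFTER)):
        ok, why = can_read_sasldb(LS_SASLDB, id_line)
        print("%s: %s (%s)" % (label, "readable" if ok else "Permission denied", why))
    # smtpd_sasl_local_domain empty, host name "dmz": only bob@dmz can log in
    print("unreachable with empty local domain:", realm_mismatches(LISTUSERS, "", "dmz"))
    # smtpd_sasl_local_domain = $myhostname with myhostname = dmz.example.com
    print("unreachable with $myhostname:",
          realm_mismatches(LISTUSERS, "dmz.example.com", "dmz"))
```

On a live system the same functions can be fed the output of `ls -l /etc/sasldb2`, `id postfix`, `sasldblistusers2` and `postconf -h smtpd_sasl_local_domain`.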

Re: SASL problems on Debian

Curtis Vaughan-2
On Sun, 27 Apr 2008 14:18:28 -0600, Gary V wrote:

>>>> Apr 27 10:06:23 dmz postfix/smtpd[10525]: warning:
>>>> c-76-28-231-225.hsd1.wa.comcast.net[76.28.231.225]: SASL LOGIN
>>>> authentication failed: authentication failure
>>>
>> saslfinger - postfix Cyrus sasl configuration Sun Apr 27 11:47:04 PDT
>> 2008 version: 1.0.2
>> mode: server-side SMTP AUTH
>>
>> -- basics --
>> Postfix: 2.3.8
>> System: Debian GNU/Linux 4.0 \n \l
>>
>> -- smtpd is linked to --
>> libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7d18000)
>>
>> -- active SMTP AUTH and TLS parameters for smtpd --
>> broken_sasl_auth_clients = yes
>> smtpd_sasl_auth_enable = yes
>> smtpd_sasl_local_domain =
>
> Run sasldblistusers2 and look at the format of the login name. I could
> be wrong here, but on Debian I seem to remember that if
> smtpd_sasl_local_domain is empty, the user would log in as (authenticate
> as) user@host. I don't know if that is how you have configured the users
> to log in however. What format did you use to add the logins (using
> saslpasswd2)?
>
>
Gary! You got it!!! I had to enter $myhostname and it worked!
The only thing strange about that though, is that my other Debian systems
work fine with a null entry there.