authdaemond / postfix issues after OS upgrade

authdaemond / postfix issues after OS upgrade

Corey Chandler
I recently upgraded from FreeBSD 7.2 to 8.0.  This resulted in a strange
error with authdaemond (part of the Courier imap package, used to
authenticate users) when used in conjunction with postfix; I've rebuilt
all of the packages, but the config they're using has worked since the
6.0 days.

I attempt to send a message using SASL and get the following in my logs
(passwords and hashes have been consistently redacted; nothing else has
been altered):

Dec  1 14:49:06 alcatraz authdaemond: Authenticated: sysusername=<null>,
sysuserid=1008, sysgroupid=1008, homedir=/usr/local/virtual/,
address=[hidden email], fullname=Jay Chandler,
maildir=sequestered.net/[hidden email]/, quota=1024000000S,
options=<null>
Dec  1 14:49:06 alcatraz authdaemond: Authenticated:
clearpasswd=omgponies, passwd=$1$6dICANHAZPONIEZ?$Z1ySHXcliB8vx0jqwZ9Bp1
Dec  1 14:49:06 alcatraz imapd-ssl: LOGIN, user=[hidden email],
ip=[166.191.99.147], port=[52341], protocol=IMAP
Dec  1 14:49:07 alcatraz imapd-ssl: LOGOUT, user=[hidden email],
ip=[166.191.99.147], headers=0, body=0, rcvd=25, sent=699, time=1,
starttls=1
Dec  1 14:49:08 alcatraz imapd-ssl: LOGIN, user=[hidden email],
ip=[166.191.99.147], port=[52342], protocol=IMAP
Dec  1 14:49:08 alcatraz authdaemond: Authenticated: sysusername=<null>,
sysuserid=1008, sysgroupid=1008, homedir=/usr/local/virtual/,
address=[hidden email], fullname=Jay Chandler,
maildir=sequestered.net/[hidden email]/, quota=1024000000S,
options=<null>
Dec  1 14:49:08 alcatraz authdaemond: Authenticated:
clearpasswd=omgponies, passwd=$1$6dICANHAZPONIEZ?$Z1ySHXcliB8vx0jqwZ9Bp1
Dec  1 14:49:11 alcatraz imapd-ssl: LOGIN, user=[hidden email],
ip=[166.191.99.147], port=[52343], protocol=IMAP
Dec  1 14:49:11 alcatraz authdaemond: Authenticated: sysusername=<null>,
sysuserid=1008, sysgroupid=1008, homedir=/usr/local/virtual/,
address=[hidden email], fullname=Jay Chandler,
maildir=sequestered.net/[hidden email]/, quota=1024000000S,
options=<null>
Dec  1 14:49:11 alcatraz authdaemond: Authenticated:
clearpasswd=omgponies, passwd=$1$6dICANHAZPONIEZ?$Z1ySHXcliB8vx0jqwZ9Bp1

It appears I'm authing correctly; in fact, authtest shows:

alcatraz# authtest [hidden email] omgponies
Authentication succeeded.

     Authenticated: [hidden email]  (uid 1008, gid 1008)
    Home Directory: /usr/local/virtual/
           Maildir: sequestered.net/[hidden email]/
             Quota: 1024000000S
Encrypted Password: $1$6dICANHAZPONIEZ?$Z1ySHXcliB8vx0jqwZ9Bp
Cleartext Password: omgponies
           Options: wbnodsn=1

At this point I'm at a loss as to what else I can try.

I've included saslfinger and postconf -n output below.


saslfinger - postfix Cyrus sasl configuration Tue Dec  1 18:18:47 PST 2009
version: 1.0.2
mode: server-side SMTP AUTH

-- basics --
Postfix: 2.6.5

-- smtpd is linked to --
    libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x28114000)

-- active SMTP AUTH and TLS parameters for smtpd --
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /usr/local/etc/postfix/mail.pem
smtpd_tls_cert_file = /usr/local/etc/postfix/mail.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes


-- listing of /usr/local/lib/sasl2 --
total 508
drwxr-xr-x   2 root  wheel   1024 Dec  1 13:20 .
drwxr-xr-x  22 root  wheel  13312 Dec  1 16:50 ..
-rw-r--r--   1 root  wheel  12652 Dec  1 13:20 libanonymous.a
-rwxr-xr-x   1 root  wheel    957 Dec  1 13:20 libanonymous.la
-rwxr-xr-x   1 root  wheel  16078 Dec  1 13:20 libanonymous.so
-rwxr-xr-x   1 root  wheel  16078 Dec  1 13:20 libanonymous.so.2
-rw-r--r--   1 root  wheel  14866 Dec  1 13:20 libcrammd5.a
-rwxr-xr-x   1 root  wheel    943 Dec  1 13:20 libcrammd5.la
-rwxr-xr-x   1 root  wheel  18370 Dec  1 13:20 libcrammd5.so
-rwxr-xr-x   1 root  wheel  18370 Dec  1 13:20 libcrammd5.so.2
-rw-r--r--   1 root  wheel  44016 Dec  1 13:20 libdigestmd5.a
-rwxr-xr-x   1 root  wheel    966 Dec  1 13:20 libdigestmd5.la
-rwxr-xr-x   1 root  wheel  46792 Dec  1 13:20 libdigestmd5.so
-rwxr-xr-x   1 root  wheel  46792 Dec  1 13:20 libdigestmd5.so.2
-rw-r--r--   1 root  wheel  22040 Dec  1 13:20 libgssapiv2.a
-rwxr-xr-x   1 root  wheel   1038 Dec  1 13:20 libgssapiv2.la
-rwxr-xr-x   1 root  wheel  26726 Dec  1 13:20 libgssapiv2.so
-rwxr-xr-x   1 root  wheel  26726 Dec  1 13:20 libgssapiv2.so.2
-rw-r--r--   1 root  wheel  12978 Dec  1 13:20 liblogin.a
-rwxr-xr-x   1 root  wheel    937 Dec  1 13:20 liblogin.la
-rwxr-xr-x   1 root  wheel  16431 Dec  1 13:20 liblogin.so
-rwxr-xr-x   1 root  wheel  16431 Dec  1 13:20 liblogin.so.2
-rw-r--r--   1 root  wheel  13170 Dec  1 13:20 libplain.a
-rwxr-xr-x   1 root  wheel    937 Dec  1 13:20 libplain.la
-rwxr-xr-x   1 root  wheel  16489 Dec  1 13:20 libplain.so
-rwxr-xr-x   1 root  wheel  16489 Dec  1 13:20 libplain.so.2
-rw-r--r--   1 root  wheel  19552 Dec  1 13:20 libsasldb.a
-rwxr-xr-x   1 root  wheel    936 Dec  1 13:20 libsasldb.la
-rwxr-xr-x   1 root  wheel  21756 Dec  1 13:20 libsasldb.so
-rwxr-xr-x   1 root  wheel  21756 Dec  1 13:20 libsasldb.so.2
-rw-r--r--   1 root  wheel    114 Nov 27  2008 smtpd.conf




-- content of /usr/local/lib/sasl2/smtpd.conf --
pwcheck_method: authdaemond
log_level: 7
mech_list: PLAIN LOGIN
authdaemond_path: /var/run/authdaemond/socket


-- active services in /usr/local/etc/postfix/master.cf --
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
    -o smtp_fallback_relay=
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}

-- mechanisms on localhost --
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN


-- end of saslfinger output --

alcatraz# ll /var/run/authdaemond/socket
srwxrwxrwx  1 root  courier  0 Dec  1 17:57 /var/run/authdaemond/socket


postconf -n output:
broken_sasl_auth_clients = yes
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
disable_vrfy_command = yes
hash_queue_depth = 2
hash_queue_names = incoming,active,deferred,bounce,defer,flush,hold
header_checks = regexp:/usr/local/etc/postfix/header_checks
html_directory = /usr/local/share/doc/postfix
inet_interfaces = all
inet_protocols = ipv4, ipv6
mail_owner = postfix
mailbox_size_limit = 0
mailbox_transport = virtual
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
message_size_limit = 150000000
milter_default_action = accept
milter_protocol = 2
mydomain = sequestered.net
myhostname = alcatraz.sequestered.net
mynetworks = 192.168.0.0/16, 10.0.0.0/8, 127.0.0.0/8
newaliases_path = /usr/local/bin/newaliases
non_smtpd_milters = unix:/var/run/milterdkim/dkim-filter.sock
proxy_read_maps = $local_recipient_maps $mydestination
$virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps
$virtual_mailbox_domains $relay_recipient_maps $relay_domains
$canonical_maps $sender_canonical_maps $recipient_canonical_maps
$relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
relay_domains =
proxy:mysql:/usr/local/etc/postfix/mysql_relay_domains_maps.cf
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_client_restrictions = ${stress?reject_unknown_client_hostname}
check_client_access cidr:/usr/local/etc/postfix/cidr_access
smtpd_data_restrictions = reject_multi_recipient_bounce
reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_milters = unix:/var/run/milterdkim/dkim-filter.sock
smtpd_recipient_restrictions = permit_sasl_authenticated
permit_mynetworks        reject_unauth_destination
reject_unlisted_recipient        check_recipient_access
hash:/usr/local/etc/postfix/access        check_sender_access
hash:/usr/local/etc/postfix/undesirable_senders
reject_non_fqdn_hostname        reject_rbl_client
psbl.surriel.com        reject_rbl_client zen.spamhaus.org
reject_rbl_client dnsbl.ahbl.org        reject_rbl_client
bl.spamcop.net        reject_rhsbl_sender rhsbl.ahbl.org
warn_if_reject reject_rbl_client dnsbl.sorbs.net        permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_timeout = 120
smtpd_tls_CAfile = /usr/local/etc/postfix/mail.pem
smtpd_tls_cert_file = /usr/local/etc/postfix/mail.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps =
proxy:mysql:/usr/local/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:1008
virtual_mailbox_base = /usr/local/virtual
virtual_mailbox_domains =
proxy:mysql:/usr/local/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = 5120000000000
virtual_mailbox_limit_maps =
proxy:mysql:/usr/local/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
virtual_mailbox_limit_override = yes
virtual_mailbox_maps =
proxy:mysql:/usr/local/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_maildir_limit_message = Sorry, the user's maildir has overdrawn
his diskspace quota, please try again later.
virtual_minimum_uid = 125
virtual_overquota_bounce = yes
virtual_transport = maildrop
virtual_uid_maps = static:1008


-- Corey / KB1JWQ


Re: authdaemond / postfix issues after OS upgrade

mouss-4
Corey Chandler wrote:

> I recently upgraded from FreeBSD 7.2 to 8.0.  This resulted in a strange
> error with authdaemond (part of the Courier imap package, used to
> authenticate users) when used in conjunction with postfix; I've rebuilt
> all of the packages, but the config they're using has worked since the
> 6.0 days.
>
> I attempt to send a message using SASL and get the following in my logs
> (passwords and hashes have been consistently redacted; nothing else has
> been altered):
>
> Dec  1 14:49:06 alcatraz authdaemond: Authenticated: sysusername=<null>,
> sysuserid=1008, sysgroupid=1008, homedir=/usr/local/virtual/,
> address=[hidden email], fullname=Jay Chandler,
> maildir=sequestered.net/[hidden email]/, quota=1024000000S,
> options=<null>
> Dec  1 14:49:06 alcatraz authdaemond: Authenticated:
> clearpasswd=omgponies, passwd=$1$6dICANHAZPONIEZ?$Z1ySHXcliB8vx0jqwZ9Bp1
> Dec  1 14:49:06 alcatraz imapd-ssl: LOGIN, user=[hidden email],
> ip=[166.191.99.147], port=[52341], protocol=IMAP
> Dec  1 14:49:07 alcatraz imapd-ssl: LOGOUT, user=[hidden email],
> ip=[166.191.99.147], headers=0, body=0, rcvd=25, sent=699, time=1,
> starttls=1
> Dec  1 14:49:08 alcatraz imapd-ssl: LOGIN, user=[hidden email],
> ip=[166.191.99.147], port=[52342], protocol=IMAP
> Dec  1 14:49:08 alcatraz authdaemond: Authenticated: sysusername=<null>,
> sysuserid=1008, sysgroupid=1008, homedir=/usr/local/virtual/,
> address=[hidden email], fullname=Jay Chandler,
> maildir=sequestered.net/[hidden email]/, quota=1024000000S,
> options=<null>
> Dec  1 14:49:08 alcatraz authdaemond: Authenticated:
> clearpasswd=omgponies, passwd=$1$6dICANHAZPONIEZ?$Z1ySHXcliB8vx0jqwZ9Bp1
> Dec  1 14:49:11 alcatraz imapd-ssl: LOGIN, user=[hidden email],
> ip=[166.191.99.147], port=[52343], protocol=IMAP
> Dec  1 14:49:11 alcatraz authdaemond: Authenticated: sysusername=<null>,
> sysuserid=1008, sysgroupid=1008, homedir=/usr/local/virtual/,
> address=[hidden email], fullname=Jay Chandler,
> maildir=sequestered.net/[hidden email]/, quota=1024000000S,
> options=<null>
> Dec  1 14:49:11 alcatraz authdaemond: Authenticated:
> clearpasswd=omgponies, passwd=$1$6dICANHAZPONIEZ?$Z1ySHXcliB8vx0jqwZ9Bp1
>
> It appears I'm authing correctly; in fact, authtest shows:
>
> alcatraz# authtest [hidden email] omgponies
> Authentication succeeded.
>
>     Authenticated: [hidden email]  (uid 1008, gid 1008)
>    Home Directory: /usr/local/virtual/
>           Maildir: sequestered.net/[hidden email]/
>             Quota: 1024000000S
> Encrypted Password: $1$6dICANHAZPONIEZ?$Z1ySHXcliB8vx0jqwZ9Bp
> Cleartext Password: omgponies
>           Options: wbnodsn=1
>
> At this point I'm at a loss as to what else I can try.
>
> [snip]

I see no postfix logs, nor any explanation of what problem you have.

Re: authdaemond / postfix issues after OS upgrade

Corey Chandler
mouss wrote:
> [snip]
> I see no postfix logs, nor any explanation of what problem you have.
>  
Bloody hell, thought they were in the same logfile; my apologies.  The
issue is that while IMAP works correctly authenticating against
authdaemond, any attempt I make to authenticate via SASL fails according
to postfix, yet succeeds according to authdaemond.

As to logs, here you go:

Dec  2 15:10:03 alcatraz postfix/smtpd[16120]: warning: where.i.sit:
address not listed for hostname HOSTNAME
Dec  2 15:10:03 alcatraz postfix/smtpd[16120]: connect from
unknown[where.i.sit]
Dec  2 15:10:06 alcatraz postfix/smtpd[16120]: warning: SASL
authentication failure: could not verify password
Dec  2 15:10:06 alcatraz postfix/smtpd[16120]: warning: SASL
authentication failure: Password verification failed
Dec  2 15:10:06 alcatraz postfix/smtpd[16120]: warning:
unknown[where.i.sit]: SASL PLAIN authentication failed: generic failure
Dec  2 15:10:06 alcatraz authdaemond: Authenticated: sysusername=<null>,
sysuserid=1008, sysgroupid=1008, homedir=/usr/local/virtual/,
address=[hidden email], fullname=Jay Chandler,
maildir=sequestered.net/[hidden email]/, quota=1024000000S,
options=<null>
Dec  2 15:10:06 alcatraz authdaemond: Authenticated:
clearpasswd=omgponies, passwd=$1$6dICANHAZPONIEZ?$Z1ySHXcliB8vx0jqwZ9Bp1
Dec  2 15:10:06 alcatraz postfix/smtpd[16120]: warning: SASL
authentication failure: could not verify password
Dec  2 15:10:06 alcatraz postfix/smtpd[16120]: warning:
unknown[where.i.sit]: SASL LOGIN authentication failed: generic failure
Dec  2 15:10:06 alcatraz authdaemond: Authenticated: sysusername=<null>,
sysuserid=1008, sysgroupid=1008, homedir=/usr/local/virtual/,
address=[hidden email], fullname=Jay Chandler,
maildir=sequestered.net/[hidden email]/, quota=1024000000S,
options=<null>
Dec  2 15:10:06 alcatraz authdaemond: Authenticated:
clearpasswd=omgponies, passwd=$1$6dICANHAZPONIEZ?$Z1ySHXcliB8vx0jqwZ9Bp1

Someone else reports the same issue at
http://lists.freebsd.org/pipermail/freebsd-questions/2009-September/205525.html 
but there are no replies.  I could switch over to dovecot and be done
with this, but I'd rather figure out what the underlying error is first...


-- Corey / KB1JWQ
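
Added example (not part of the original thread or of any poster's message): a Python triage script for the symptom reported above, where postfix/smtpd logs a SASL failure in the same second that authdaemond logs "Authenticated". It also flags and masks the clearpasswd=/passwd= fields seen in the authdaemond lines. The sample log lines, host name and addresses are constructed, and matching on same host and same second is an assumed heuristic.

```python
import re

# Constructed sample lines modelled on the syslog format quoted in this thread
# (host name, PIDs, client addresses and credential values are made up).
SAMPLE = """\
Dec  2 15:10:06 mx1 postfix/smtpd[4242]: warning: SASL authentication failure: could not verify password
Dec  2 15:10:06 mx1 postfix/smtpd[4242]: warning: unknown[192.0.2.10]: SASL PLAIN authentication failed: generic failure
Dec  2 15:10:06 mx1 authdaemond: Authenticated: sysusername=<null>, sysuserid=1008, sysgroupid=1008, address=user@example.test
Dec  2 15:10:06 mx1 authdaemond: Authenticated: clearpasswd=EXAMPLE-ONLY, passwd=$1$EXAMPLESALT$EXAMPLEHASH
Dec  2 15:12:40 mx1 postfix/smtpd[4250]: warning: unknown[192.0.2.77]: SASL LOGIN authentication failed: authentication failure
"""

LINE = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8})\s(\S+)\s([^:\[]+)(?:\[\d+\])?:\s(.*)$")
SASL_FAIL = re.compile(r"\[([^\]]+)\]: SASL (\w+) authentication failed: (.*)$")
SECRET = re.compile(r"\b(clearpasswd|passwd)=[^,\s]+")

def redact(text):
    """Mask the credential fields that appear in authdaemond log lines."""
    return SECRET.sub(lambda m: m.group(1) + "=<redacted>", text)

def analyse(text):
    """Return (mismatches, leaks): smtpd SASL failures that authdaemond accepted
    in the same second on the same host, and line numbers carrying credentials."""
    auth_ok = set()  # (timestamp, host) pairs where authdaemond logged success
    failures, leaks = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        m = LINE.match(raw)
        if not m:
            continue
        ts, host, prog, msg = m.groups()
        if SECRET.search(msg):
            leaks.append(n)
        if prog == "authdaemond" and msg.startswith("Authenticated:"):
            auth_ok.add((ts, host))
        f = SASL_FAIL.search(msg) if prog == "postfix/smtpd" else None
        if f:
            failures.append((ts, host, f.group(1), f.group(2), f.group(3)))
    # A failure with a matching backend success points at the SASL-to-authdaemond hop
    mismatches = [f for f in failures if (f[0], f[1]) in auth_ok]
    return mismatches, leaks

if __name__ == "__main__":
    mismatches, leaks = analyse(SAMPLE)
    for ts, host, client, mech, reason in mismatches:
        print(f"{ts} {host}: {mech} from {client} failed ({reason}) but authdaemond accepted")
    print("lines with credential fields:", leaks)
    print(redact(SAMPLE), end="")
```

A failure without a matching authdaemond success (the last sample line) is left out of the mismatch list, since it looks like an ordinary rejected login rather than the disagreement described in this thread.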

Re: authdaemond / postfix issues after OS upgrade

Jay Deiman
On 12/02/2009 05:16 PM, Corey Chandler wrote:
> mouss wrote:
>> [snip]
>> I see no postfix logs, nor any explanation of what problem you have.
> Bloody hell, thought they were in the same logfile; my apologies. The
> issue is that while IMAP works correctly authenticating against
> authdaemond, any attempt I make to authenticate via SASL fails according
> to postfix, yet succeeds according to authdaemond.

Just to chime in, I'm having *exactly* the same problem.  I'm using
cyrus-sasl, postfix 2.6.5, courier-imap with courier-authdaemond all
running on a new install of FreeBSD 8.0-p1.  I'm able to authenticate
through authdaemond via courier-imap without any kind of issue.  When I
use authdaemond in the sasl2 smtpd.conf (exactly the same as Corey's
conf), I get the exact same errors that Corey is getting.

I eventually, and unfortunately, gave up on the authdaemond approach and
just installed cyrus-sasl-saslauthd and just set up the following in
smtpd.conf:

pwcheck_method: saslauthd
log_level: 7
mech_list: plain login
allow_plaintext: true

This works fine.  I'm not exactly sure what is failing in the postfix
<-> sasl <-> authdaemond transaction, but I can say for sure that it
doesn't work.

Jay

--
Jay Deiman

\033:wq!