postfix + saslauthd problem


postfix + saslauthd problem

Андрей-21
I'm testing  postfix this way:

        telnet hosting.vpcit.ru 25
        Trying 91.192.168.241...
        Connected to hosting.vpcit.ru.
        Escape character is '^]'.
        220 Welcome to ESMTP llc. Gercon
        helo andreyv
        250 mail.1vp.ru
        auth plain
        334
        AGR1a2VudWtlbUB2cGNpdC5ydQBzdGFydGVy
        535 5.7.0 Error: authentication failed: generic failure

In syslog I see:
        Jul  2 12:18:38 hosting postfix/smtpd[31141]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
        Jul  2 12:18:38 hosting postfix/smtpd[31141]: warning: SASL authentication failure: Password verification failed
        Jul  2 12:18:38 hosting postfix/smtpd[31141]: warning: unknown[10.10.80.20]: SASL plain authentication failed: generic failure

Where is my mistake?

Additional info:

Auth string is generated using this script
http://jetmore.org/john/code/gen-auth

I configured postfix this way:

/etc/postfix/main.cf
        # See /usr/share/postfix/main.cf.dist for a commented, more complete version
       
        # Debian specific:  Specifying a file name will cause the first
        # line of that file to be used as the name.  The Debian default
        # is /etc/mailname.
        #myorigin = /etc/mailname
       
        smtpd_banner = Welcome to ESMTP llc. Gercon
        biff = no
       
        # appending .domain is the MUA's job.
        append_dot_mydomain = no
       
        # Uncomment the next line to generate "delayed mail" warnings
        #delay_warning_time = 4h
       
        # TLS parameters
        smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
        smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
        smtpd_use_tls=yes
        smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
        smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
       
        # See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
        # information on enabling SSL in the smtp client.

        #this section is for hosted domains
        myhostname = mail.1vp.ru
        alias_maps = hash:/etc/aliases
        alias_database = hash:/etc/aliases
        myorigin = $myhostname
        mydestination = $myhostname, localhost.$mydomain, localhost
        relayhost =
        mynetworks = 127.0.0.0/8
        mailbox_size_limit = 0
        recipient_delimiter = +
        inet_interfaces = all
        command_directory = /usr/sbin
        daemon_directory = /usr/lib/postfix
        mydomain = localdomain
        local_recipient_maps = unix:passwd.byname $alias_maps
        virtual_alias_domains = /etc/mail/local-host-names
        virtual_alias_maps = hash:/etc/mail/virtusertable
        smtp_generic_maps = hash:/etc/mail/generic
        smtpd_sasl_auth_enable = yes
        smtpd_sender_restrictions = permit_sasl_authenticated
        smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,
                reject_unauth_destination, reject_unlisted_recipient,
                reject_unverified_recipient, check_policy_service inet:127.0.0.1:60000

        #this section is for my domain
        virtual_mailbox_domains = vpcit.ru
        virtual_mailbox_base = /var/mail/vpcit.ru/
        virtual_mailbox_maps = pgsql:/etc/postfix/vpcit.ru_mailboxes
        virtual_minimum_uid = 100
        virtual_uid_maps = static:5000
        virtual_gid_maps = static:5000
        virtual_destination_concurrency_limit = 10
        virtual_destination_recipient_limit = 10
        virtual_mailbox_limit = 100000000
       
        inet_protocols = ipv4
        smtpd_sasl_type = cyrus
        smtp_sasl_auth_enable = no
        broken_sasl_auth_clients = yes
        smtpd_sasl_authenticated_header = yes
        smtpd_sasl_security_options = noanonymous
        unknown_local_recipient_reject_code = 450
        smtp_sasl_password_maps = pgsql:/etc/pam_pgsql.conf

/etc/postfix/vpcit.ru_mailboxes
        hosts = db
        user = postgres
        password = bestsql
        dbname = userdb
        table = vpcit_ru
        select_field = pw_name
        where_field = email

/etc/postfix/sasl/smtpd.conf
        pwcheck_method: saslauthd
        mech_list: plain login

/etc/default/saslauthd
        #
        # Settings for saslauthd daemon
        #
       
        # Should saslauthd run automatically on startup? (default: no)
        START=yes
       
        # Which authentication mechanisms should saslauthd use? (default: pam)
        #
        # Available options in this Debian package:
        # getpwent  -- use the getpwent() library function
        # kerberos5 -- use Kerberos 5
        # pam       -- use PAM
        # rimap     -- use a remote IMAP server
        # shadow    -- use the local shadow password file
        # sasldb    -- use the local sasldb database file
        # ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
        #
        # Only one option may be used at a time. See the saslauthd man page
        # for more information.
        #
        # Example: MECHANISMS="pam"
        MECHANISMS="pam"
       
        DESC="SASL Authentication Daemon"
       
        NAME="saslauthd"
       
        # Additional options for this mechanism. (default: none)
        # See the saslauthd man page for information about mech-specific options.
        MECH_OPTIONS=""
       
        # How many saslauthd processes should we run? (default: 5)
        # A value of 0 will fork a new process for each connection.
        THREADS=5
       
        # Other options (default: -c)
        # See the saslauthd man page for information about these options.
        #
        # Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
        # Note: See /usr/share/doc/sasl2-bin/README.Debian
        #OPTIONS="-c"
        OPTIONS="-m /var/spool/postfix/var/run/saslauthd"

/etc/pam.d/smtp
        auth            required        pam_pgsql.so
        account         required        pam_pgsql.so
        password        required        pam_pgsql.so

/etc/pam_pgsql.conf
        database = userdb
        host = db
        user = postgres
        password = bestsql
        table = vpcit_ru
        user_column = email
        pwd_column = pw_clear_passwd
        pw_type = plain
        debug = /var/log/pam_pgsql.log
        #but there is no file /var/log/pam_pgsql.log

Yours faithfully,
Andrey.

Re: postfix + saslauthd problem

Patrick Ben Koetter
* Андрей <[hidden email]>:

> I'm testing  postfix this way:
>
> telnet hosting.vpcit.ru 25
> Trying 91.192.168.241...
> Connected to hosting.vpcit.ru.
> Escape character is '^]'.
> 220 Welcome to ESMTP llc. Gercon
> helo andreyv
> 250 mail.1vp.ru
> auth plain
> 334
> AGR1a2VudWtlbUB2cGNpdC5ydQBzdGFydGVy
> 535 5.7.0 Error: authentication failed: generic failure
>
> In syslog I see:
> Jul  2 12:18:38 hosting postfix/smtpd[31141]: warning: SASL authentication
> failure: cannot connect to saslauthd server: No such file or directory
> Jul  2 12:18:38 hosting postfix/smtpd[31141]: warning: SASL authentication
> failure: Password verification failed
> Jul  2 12:18:38 hosting postfix/smtpd[31141]: warning: unknown[10.10.80.20]:
> SASL plain authentication failed: generic failure
>
> Where is my mistake?

Please show output from "saslfinger -s".

p@rick

--
The Book of Postfix
<http://www.postfix-book.com>
saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>

Re: postfix + saslauthd problem

Ralf Hildebrandt
In reply to this post by Андрей-21
* Андрей <[hidden email]>:

> I'm testing  postfix this way:
>
> telnet hosting.vpcit.ru 25
> Trying 91.192.168.241...
> Connected to hosting.vpcit.ru.
> Escape character is '^]'.
> 220 Welcome to ESMTP llc. Gercon
> helo andreyv
> 250 mail.1vp.ru
> auth plain
> 334
> AGR1a2VudWtlbUB2cGNpdC5ydQBzdGFydGVy
> 535 5.7.0 Error: authentication failed: generic failure
>
> In syslog I see:
> Jul  2 12:18:38 hosting postfix/smtpd[31141]: warning: SASL authentication
> failure: cannot connect to saslauthd server: No such file or directory

Is smtpd chrooted?

--
Ralf Hildebrandt ([hidden email])          [hidden email]
Postfix - Einrichtung, Betrieb und Wartung       Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de
"Hardware: the parts of a computer that can be kicked."       -- Jeff Pesis  

Re: postfix + saslauthd problem

Андрей-21
In reply to this post by Patrick Ben Koetter
On Wednesday 02 July 2008 12:49:51 Patrick Ben Koetter wrote:

> * Андрей <[hidden email]>:
> > I'm testing  postfix this way:
> >
> > telnet hosting.vpcit.ru 25
> > Trying 91.192.168.241...
> > Connected to hosting.vpcit.ru.
> > Escape character is '^]'.
> > 220 Welcome to ESMTP llc. Gercon
> > helo andreyv
> > 250 mail.1vp.ru
> > auth plain
> > 334
> > AGR1a2VudWtlbUB2cGNpdC5ydQBzdGFydGVy
> > 535 5.7.0 Error: authentication failed: generic failure
> >
> > In syslog I see:
> > Jul  2 12:18:38 hosting postfix/smtpd[31141]: warning: SASL
> > authentication failure: cannot connect to saslauthd server: No such file
> > or directory
> > Jul  2 12:18:38 hosting postfix/smtpd[31141]: warning: SASL
> > authentication failure: Password verification failed
> > Jul  2 12:18:38 hosting postfix/smtpd[31141]: warning:
> > unknown[10.10.80.20]: SASL plain authentication failed: generic failure
> >
> > Where is my mistake?
>
> Please show output from "saslfinger -s".
>
> p@rick

hosting:/# saslfinger -s
saslfinger - postfix Cyrus sasl configuration Wed Jul  2 14:26:27 YEKST 2008
version: 1.0.2
mode: server-side SMTP AUTH

-- basics --
Postfix: 2.3.8
System: Debian GNU/Linux 4.0 \n \l

-- smtpd is linked to --
        libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x00002b68d3aa3000)

-- active SMTP AUTH and TLS parameters for smtpd --
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = cyrus
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_use_tls = yes

-- listing of /usr/lib64/sasl2 --
total 808
drwxr-xr-x  2 root root  4096 2008-06-11 16:10 .
drwxr-xr-x 49 root root 12288 2008-06-19 11:31 ..
-rw-r--r--  1 root root 18868 2006-12-14 02:52 libanonymous.a
-rw-r--r--  1 root root   855 2006-12-14 02:52 libanonymous.la
-rw-r--r--  1 root root 15792 2006-12-14 02:52 libanonymous.so
-rw-r--r--  1 root root 15792 2006-12-14 02:52 libanonymous.so.2
-rw-r--r--  1 root root 15792 2006-12-14 02:52 libanonymous.so.2.0.22
-rw-r--r--  1 root root 21754 2006-12-14 02:52 libcrammd5.a
-rw-r--r--  1 root root   841 2006-12-14 02:52 libcrammd5.la
-rw-r--r--  1 root root 19184 2006-12-14 02:52 libcrammd5.so
-rw-r--r--  1 root root 19184 2006-12-14 02:52 libcrammd5.so.2
-rw-r--r--  1 root root 19184 2006-12-14 02:52 libcrammd5.so.2.0.22
-rw-r--r--  1 root root 60216 2006-12-14 02:52 libdigestmd5.a
-rw-r--r--  1 root root   864 2006-12-14 02:52 libdigestmd5.la
-rw-r--r--  1 root root 48504 2006-12-14 02:52 libdigestmd5.so
-rw-r--r--  1 root root 48504 2006-12-14 02:52 libdigestmd5.so.2
-rw-r--r--  1 root root 48504 2006-12-14 02:52 libdigestmd5.so.2.0.22
-rw-r--r--  1 root root 19094 2006-12-14 02:52 liblogin.a
-rw-r--r--  1 root root   835 2006-12-14 02:52 liblogin.la
-rw-r--r--  1 root root 16424 2006-12-14 02:52 liblogin.so
-rw-r--r--  1 root root 16424 2006-12-14 02:52 liblogin.so.2
-rw-r--r--  1 root root 16424 2006-12-14 02:52 liblogin.so.2.0.22
-rw-r--r--  1 root root 38700 2006-12-14 02:52 libntlm.a
-rw-r--r--  1 root root   829 2006-12-14 02:52 libntlm.la
-rw-r--r--  1 root root 32520 2006-12-14 02:52 libntlm.so
-rw-r--r--  1 root root 32520 2006-12-14 02:52 libntlm.so.2
-rw-r--r--  1 root root 32520 2006-12-14 02:52 libntlm.so.2.0.22
-rw-r--r--  1 root root 19134 2006-12-14 02:52 libplain.a
-rw-r--r--  1 root root   835 2006-12-14 02:52 libplain.la
-rw-r--r--  1 root root 16392 2006-12-14 02:52 libplain.so
-rw-r--r--  1 root root 16392 2006-12-14 02:52 libplain.so.2
-rw-r--r--  1 root root 16392 2006-12-14 02:52 libplain.so.2.0.22
-rw-r--r--  1 root root 29100 2006-12-14 02:52 libsasldb.a
-rw-r--r--  1 root root   856 2006-12-14 02:52 libsasldb.la
-rw-r--r--  1 root root 21456 2006-12-14 02:52 libsasldb.so
-rw-r--r--  1 root root 21456 2006-12-14 02:52 libsasldb.so.2
-rw-r--r--  1 root root 21456 2006-12-14 02:52 libsasldb.so.2.0.22
-rw-r--r--  1 root root    90 2008-06-11 16:10 smtpd.conf

-- listing of /usr/lib/sasl2 --
total 808
drwxr-xr-x  2 root root  4096 2008-06-11 16:10 .
drwxr-xr-x 49 root root 12288 2008-06-19 11:31 ..
-rw-r--r--  1 root root 18868 2006-12-14 02:52 libanonymous.a
-rw-r--r--  1 root root   855 2006-12-14 02:52 libanonymous.la
-rw-r--r--  1 root root 15792 2006-12-14 02:52 libanonymous.so
-rw-r--r--  1 root root 15792 2006-12-14 02:52 libanonymous.so.2
-rw-r--r--  1 root root 15792 2006-12-14 02:52 libanonymous.so.2.0.22
-rw-r--r--  1 root root 21754 2006-12-14 02:52 libcrammd5.a
-rw-r--r--  1 root root   841 2006-12-14 02:52 libcrammd5.la
-rw-r--r--  1 root root 19184 2006-12-14 02:52 libcrammd5.so
-rw-r--r--  1 root root 19184 2006-12-14 02:52 libcrammd5.so.2
-rw-r--r--  1 root root 19184 2006-12-14 02:52 libcrammd5.so.2.0.22
-rw-r--r--  1 root root 60216 2006-12-14 02:52 libdigestmd5.a
-rw-r--r--  1 root root   864 2006-12-14 02:52 libdigestmd5.la
-rw-r--r--  1 root root 48504 2006-12-14 02:52 libdigestmd5.so
-rw-r--r--  1 root root 48504 2006-12-14 02:52 libdigestmd5.so.2
-rw-r--r--  1 root root 48504 2006-12-14 02:52 libdigestmd5.so.2.0.22
-rw-r--r--  1 root root 19094 2006-12-14 02:52 liblogin.a
-rw-r--r--  1 root root   835 2006-12-14 02:52 liblogin.la
-rw-r--r--  1 root root 16424 2006-12-14 02:52 liblogin.so
-rw-r--r--  1 root root 16424 2006-12-14 02:52 liblogin.so.2
-rw-r--r--  1 root root 16424 2006-12-14 02:52 liblogin.so.2.0.22
-rw-r--r--  1 root root 38700 2006-12-14 02:52 libntlm.a
-rw-r--r--  1 root root   829 2006-12-14 02:52 libntlm.la
-rw-r--r--  1 root root 32520 2006-12-14 02:52 libntlm.so
-rw-r--r--  1 root root 32520 2006-12-14 02:52 libntlm.so.2
-rw-r--r--  1 root root 32520 2006-12-14 02:52 libntlm.so.2.0.22
-rw-r--r--  1 root root 19134 2006-12-14 02:52 libplain.a
-rw-r--r--  1 root root   835 2006-12-14 02:52 libplain.la
-rw-r--r--  1 root root 16392 2006-12-14 02:52 libplain.so
-rw-r--r--  1 root root 16392 2006-12-14 02:52 libplain.so.2
-rw-r--r--  1 root root 16392 2006-12-14 02:52 libplain.so.2.0.22
-rw-r--r--  1 root root 29100 2006-12-14 02:52 libsasldb.a
-rw-r--r--  1 root root   856 2006-12-14 02:52 libsasldb.la
-rw-r--r--  1 root root 21456 2006-12-14 02:52 libsasldb.so
-rw-r--r--  1 root root 21456 2006-12-14 02:52 libsasldb.so.2
-rw-r--r--  1 root root 21456 2006-12-14 02:52 libsasldb.so.2.0.22
-rw-r--r--  1 root root    90 2008-06-11 16:10 smtpd.conf

-- content of /usr/lib64/sasl2/smtpd.conf --
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5

-- content of /usr/lib/sasl2/smtpd.conf --
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5

-- content of /etc/postfix/sasl/smtpd.conf --
pwcheck_method: saslauthd
mech_list: plain login

-- active services in /etc/postfix/master.cf --
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
smtp      inet  n       -       n       -       -       smtpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
        -o fallback_relay=
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

-- mechanisms on localhost --
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN


-- end of saslfinger output --

Yours faithfully,
Andrey.

Re: postfix + saslauthd problem

Андрей-21
In reply to this post by Ralf Hildebrandt
On Wednesday 02 July 2008 13:14:48 Ralf Hildebrandt wrote:

> * Андрей <[hidden email]>:
> > I'm testing  postfix this way:
> >
> > telnet hosting.vpcit.ru 25
> > Trying 91.192.168.241...
> > Connected to hosting.vpcit.ru.
> > Escape character is '^]'.
> > 220 Welcome to ESMTP llc. Gercon
> > helo andreyv
> > 250 mail.1vp.ru
> > auth plain
> > 334
> > AGR1a2VudWtlbUB2cGNpdC5ydQBzdGFydGVy
> > 535 5.7.0 Error: authentication failed: generic failure
> >
> > In syslog I see:
> > Jul  2 12:18:38 hosting postfix/smtpd[31141]: warning: SASL
> > authentication failure: cannot connect to saslauthd server: No such file
> > or directory
>
> Is smtpd chrooted?

Oh, yes, for unix socket, here is a piece of my /etc/postfix/master.cf:
        # service type  private unpriv  chroot  wakeup  maxproc command + args
        #               (yes)   (yes)   (yes)   (never) (100)
        <...>
        smtp      inet  n       -       n       -       -       smtpd
        <...>
        smtp      unix  -       -       -       -       -       smtp

Yours faithfully,
Andrey.

Re: postfix + saslauthd problem

Andreas Winkelmann
> On Wednesday 02 July 2008 13:14:48 Ralf Hildebrandt wrote:

>> > I'm testing  postfix this way:
>> >
>> > telnet hosting.vpcit.ru 25
>> > Trying 91.192.168.241...
>> > Connected to hosting.vpcit.ru.
>> > Escape character is '^]'.
>> > 220 Welcome to ESMTP llc. Gercon
>> > helo andreyv
>> > 250 mail.1vp.ru
>> > auth plain
>> > 334
>> > AGR1a2VudWtlbUB2cGNpdC5ydQBzdGFydGVy
>> > 535 5.7.0 Error: authentication failed: generic failure
>> >
>> > In syslog I see:
>> > Jul  2 12:18:38 hosting postfix/smtpd[31141]: warning: SASL
>> > authentication failure: cannot connect to saslauthd server: No such file
>> > or directory
>>
>> Is smtpd chrooted?
>
> oh, yes, for unix socket, here is piece of my /etc/postfix/master.cf:
> # service type  private unpriv  chroot  wakeup  maxproc command + args
> #               (yes)   (yes)   (yes)   (never) (100)
> <...>
> smtp      inet  n       -       n       -       -       smtpd

Your smtpd is not chroot()ed. Your saslauthd is:

...
OPTIONS="-m /var/spool/postfix/var/run/saslauthd"
...

Change either the one or the other.

> <...>
> smtp      unix  -       -       -       -       -       smtp

--
Andreas
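
The mismatch identified in the last reply (smtpd not chrooted, saslauthd socket placed inside the Postfix chroot) can be checked mechanically. The following is an added example, not part of the thread or of Postfix/Cyrus SASL: it assumes libsasl2 looks for the socket in /var/run/saslauthd (the Debian default, overridable with `saslauthd_path` in smtpd.conf), that queue_directory is /var/spool/postfix, and that "-" in the chroot column means yes, as the master.cf header quoted above shows; all function names are hypothetical.

```python
import posixpath
import shlex

QUEUE_DIR = "/var/spool/postfix"   # assumed Postfix queue_directory (chroot root)
CLIENT_DIR = "/var/run/saslauthd"  # assumed directory libsasl2 searches for "mux"

# Sample input constructed from the lines quoted in the thread.
MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
smtp      unix  -       -       -       -       -       smtp
"""
SASLAUTHD_DEFAULTS = """\
#OPTIONS="-c"
OPTIONS="-m /var/spool/postfix/var/run/saslauthd"
"""


def smtpd_chrooted(master_cf, default_chroot=True):
    """Return {"service/type": chrooted} for each master.cf entry running smtpd."""
    result = {}
    for line in master_cf.splitlines():
        if not line.strip() or line.startswith("#") or line[0].isspace():
            continue  # blanks, comments and indented continuation lines
        fields = line.split()
        if len(fields) < 8 or fields[7] != "smtpd":
            continue
        flag = fields[4]  # fifth column is the chroot flag: y, n or - (default)
        result[f"{fields[0]}/{fields[1]}"] = default_chroot if flag == "-" else flag == "y"
    return result


def saslauthd_dir(defaults_text):
    """Directory given to saslauthd with -m; CLIENT_DIR when -m is absent."""
    directory = CLIENT_DIR
    for line in defaults_text.splitlines():
        line = line.strip()
        if not line.startswith("OPTIONS="):
            continue  # commented-out settings start with '#'
        quoted = shlex.split(line.split("=", 1)[1])  # removes the shell quotes
        args = shlex.split(" ".join(quoted))         # individual flags
        directory = CLIENT_DIR                       # last OPTIONS line wins
        if "-m" in args[:-1]:
            directory = args[args.index("-m") + 1]
    return directory


def diagnose(master_cf, defaults_text, queue_dir=QUEUE_DIR, default_chroot=True):
    """Compare where saslauthd listens with where each smtpd will look."""
    listen = posixpath.normpath(saslauthd_dir(defaults_text))
    findings = []
    for service, chrooted in smtpd_chrooted(master_cf, default_chroot).items():
        # A chrooted smtpd resolves CLIENT_DIR relative to the queue directory.
        seen = posixpath.normpath(queue_dir + CLIENT_DIR) if chrooted else CLIENT_DIR
        findings.append((service, chrooted, seen, seen == listen))
    return listen, findings


if __name__ == "__main__":
    listen, findings = diagnose(MASTER_CF, SASLAUTHD_DEFAULTS)
    print("saslauthd socket directory:", listen)
    for service, chrooted, seen, ok in findings:
        print(f"{service}: chroot={chrooted} looks in {seen} ->", "OK" if ok else "MISMATCH")
```
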