sasl with postfix on aix


sasl with postfix on aix

Ole Heiberg Michaelsen
Hi

I need some help getting cyrus-sasl 2.1.26 working with postfix 2.10.3 on AIX
6.1.

I want to use SASL only for client-side (upstream) authentication: I am not
running a SASL-authenticating SMTP server on this machine (smtpd_sasl_auth_enable
stays "no"); I only want the Postfix SMTP client to authenticate when it connects
to its upstream mail relay.

It appears that Postfix does not even try to authenticate.

SASL support is compiled into Postfix, or at least that is what
`nm /usr/libexec/postfix/smtp` shows, for example:

# nm /usr/libexec/postfix/smtp|grep ^smtp_sasl
smtp_sasl_activate:F-1 -        2548
smtp_sasl_auth_cache d   536891376           4
smtp_sasl_auth_cache.c -     2763092
smtp_sasl_auth_cache.c -     2763104
smtp_sasl_auth_cache.c -     2763134
smtp_sasl_auth_cache.c -     2763206
smtp_sasl_auth_cache.c -     2763254
smtp_sasl_auth_cache.c -     2763254
smtp_sasl_auth_cache.c -     2763290
smtp_sasl_auth_cache.c -     2763302
smtp_sasl_auth_cache.c -     2763320
smtp_sasl_auth_cache.c -     2763350
smtp_sasl_auth_cache.c f           -
smtp_sasl_auth_cache:S1748=*1742 -           0
smtp_sasl_auth_cache_find:F-1 -         540
smtp_sasl_auth_cache_init:F1713=*1710 -         180
smtp_sasl_auth_cache_make_pass:f74 -           0
smtp_sasl_auth_cache_store:F-11 -        1216
smtp_sasl_authenticate:F-1 -        1252
smtp_sasl_cleanup:F-11 -        2212
smtp_sasl_connect:F-11 -         932
smtp_sasl_glue.c     f           -
smtp_sasl_helo_auth:F-11 -           0
smtp_sasl_helo_login:F-1 -         724
smtp_sasl_impl       d   536890756           4
smtp_sasl_impl:S1747=*649 -           4
smtp_sasl_initialize:F-11 -         600
smtp_sasl_mechs      B   536924364           4
smtp_sasl_mechs      d   536891348           4
smtp_sasl_mechs:G1749=*557 -        3616
smtp_sasl_passivate:F-11 -        2492
smtp_sasl_passwd_lookup:F-1 -           0
smtp_sasl_passwd_map d   536890644           4
smtp_sasl_passwd_map:S734 -           8
smtp_sasl_proto.c    -     2761304
smtp_sasl_proto.c    -     2761406
smtp_sasl_proto.c    f           -
smtp_sasl_start:F-11 -        1008
#

ldd shows the following shared-library dependencies (note that no libsasl2
member appears in the list, so libsasl2 was apparently linked statically from
/usr/local/lib; `nm /usr/libexec/postfix/smtp | grep sasl_client_init` would
confirm the library code is actually present in the binary):

# ldd /usr/libexec/postfix/smtp
/usr/libexec/postfix/smtp needs:
         /usr/lib/libc.a(shr.o)
         /usr/lib/libdb.a(libdb.so)
         /usr/lib/libcrypto.a(libcrypto.so.1.0.0)
         /usr/lib/libssl.a(libssl.so.1.0.0)
         /unix
         /usr/lib/libcrypt.a(shr.o)
         /usr/lib/libpthread.a(shr_xpg5.o)
         /usr/lib/libpthreads.a(shr_xpg5.o)
         /usr/lib/libpthreads.a(shr_comm.o)
#

# postconf -A
cyrus
# postconf -a
cyrus
dovecot
#

# postconf -n|grep sasl
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = btree:/etc/postfix/sasl/sasl_pw
smtp_sasl_security_options = noanonymous, noplaintext
smtp_sasl_tls_security_options = noanonymous
smtpd_sasl_auth_enable = no
#

# cat sasl_pw
[upstreamrelay]:25 user01:xxxxxxxxxxx

/etc/postfix/sasl
# ls -al
total 40
drwx------    2 root     system          256 Aug 20 13:38 .
drwxr-xr-x    4 root     system         4096 Aug 21 14:54 ..
-rw-------    1 root     system          120 Aug 20 14:03 sasl_pw
-rw-------    1 root     system         8192 Aug 21 14:56 sasl_pw.db



Aug 26 13:46:49 xxxxxxxxxxxx mail:info postfix/smtpd[20250712]: connect from loopback[127.0.0.1]
Aug 26 13:47:10 xxxxxxxxxxxx mail:info postfix/smtpd[20250712]: 76B8B1002F: client=loopback[127.0.0.1]
Aug 26 13:47:12 xxxxxxxxxxxx mail:info postfix/cleanup[10682504]: 76B8B1002F: message-id=<[hidden email]>
Aug 26 13:47:12 xxxxxxxxxxxx mail:info postfix/qmgr[23396402]: 76B8B1002F: from=<username@xxxxxxx>, size=325, nrcpt=1 (queue active)
Aug 26 13:47:12 xxxxxxxxxxxx mail:info postfix/smtp[10813452]: Verified TLS connection established to upstreamrelay[xx.xx.xx.xx]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Aug 26 13:47:13 xxxxxxxxxxxx mail:info postfix/smtpd[20250712]: disconnect from loopback[127.0.0.1]
Aug 26 13:47:24 xxxxxxxxxxxx mail:info postfix/smtp[10813452]: 76B8B1002F: to=<[hidden email]>, relay=upstreamrelay[xx.xx.xx.xx]:25, delay=19, delays=6.8/0.02/0.34/12, dsn=5.7 .1, status=bounced (host xxxxxxxxxxxxxxxx[xxx.xxx.xxx.xx] said: 554 5.7.1 <[hidden email]>: Relay access denied (in reply to RCPT TO command))
Aug 26 13:47:24 xxxxxxxxxxxxx mail:info postfix/cleanup[10682504]: D8CEA10036: message-id=<[hidden email]>
Aug 26 13:47:24 xxxxxxxxxxxxx mail:info postfix/bounce[25362678]: 76B8B1002F: sender non-delivery notification: D8CEA10036
Aug 26 13:47:24 xxxxxxxxxxxxx mail:info postfix/qmgr[23396402]: D8CEA10036: from=<>, size=2362, nrcpt=1 (queue active)
Aug 26 13:47:24 xxxxxxxxxx mail:info postfix/qmgr[23396402]: 76B8B1002F: removed

The relay does not complain that the password in sasl_pw is wrong; it rejects the
RCPT TO with "554 5.7.1 Relay access denied", i.e. the session reached RCPT TO
without any AUTH exchange having taken place (a bad password would presumably have
produced an authentication failure before that point).

The log on the upstream relay only says "client dropped", again consistent with my
client never attempting to authenticate.

Can I get Postfix to show more about what is actually happening, e.g. which
password-map lookups the SMTP client performs and whether it issues AUTH at all?
(I am aware that verbose logging via debug_peer_list or "smtp -v" in master.cf
would dump the whole SMTP dialog, very likely including the base64 AUTH exchange,
so I would prefer a more targeted check on a production relay.)

Thanks in advance,

Ole M
Denmark

Re: sasl with postfix on aix

Viktor Dukhovni
On Tue, Aug 26, 2014 at 08:33:22PM +0200, Ole Heiberg Michaelsen wrote:

> # cat sasl_pw
> [upstreamrelay]:25 user01:xxxxxxxxxxx

Is the nexthop relay (relayhost in main.cf or transport
nexthop) specified as:

    1. upstreamrelay
    2. [upstreamrelay]
    3. upstreamrelay:25
    4. [upstreamrelay]:25

Anything other than "4" will not match the sasl_pw table: the lookup key is the
nexthop string as written, brackets and port included, so "[upstreamrelay]:25"
in the table matches only a nexthop spelled exactly that way.

> Aug 26 13:47:12 xxxxxxxxxxxx mail:info postfix/smtp[10813452]: Verified TLS connection established to upstreamrelay[xx.xx.xx.xx]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
> Aug 26 13:47:24 xxxxxxxxxxxx mail:info postfix/smtp[10813452]: 76B8B1002F: to=<[hidden email]>, relay=upstreamrelay[xx.xx.xx.xx]:25, delay=19, delays=6.8/0.02/0.34/12, dsn=5.7 .1, status=bounced (host xxxxxxxxxxxxxxxx[xxx.xxx.xxx.xx] said: 554 5.7.1 <[hidden email]>: Relay access denied (in reply to RCPT TO command))

Sure looks like no attempt to authenticate.  Almost certainly because
the nexthop is not *verbatim* what is in the sasl_pw table.

--
        Viktor.

Re: sasl with postfix on aix

Ole Heiberg Michaelsen
On Tue, Aug 26, 2014 at 06:42:04PM +0000, Viktor Dukhovni wrote:

> > # cat sasl_pw
> > [upstreamrelay]:25 user01:xxxxxxxxxxx
>
> Is the nexthop relay (relayhost in main.cf or transport
> nexthop) specified as:
>
>     1. upstreamrelay
>     2. [upstreamrelay]
>     3. upstreamrelay:25
>     4. [upstreamrelay]:25
>
> Anything other than "4" will not match the sasl_pw table.
>
> Sure looks like no attempt to authenticate.  Almost certainly because
> the nexthop is not *verbatim* what is in the sasl_pw table.
>
That helped a lot, thank you. It now attempts to authenticate -- almost!

I now get the warning "No worthy mechs found", followed by "no mechanism
available", and the message is deferred:

Aug 29 20:19:06 xxxxxxxx mail:info postfix/qmgr[26149056]: DD6821002F: from=<[hidden email]>, size=330, nrcpt=1 (queue active)
Aug 29 20:19:06 xxxxxxxx mail:info postfix/smtp[7602316]: Verified TLS connection established to upstreamrelay[xx.xx.xx.xx]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Aug 29 20:19:06 xxxxxxxx mail:warn|warning postfix/smtp[7602316]: warning: SASL authentication failure: No worthy mechs found
Aug 29 20:19:06 xxxxxxxx mail:info postfix/smtp[7602316]: DD6821002F: to=<myself@xxxx>, relay=upstreamrelay[xx.xx.xx.xx]:25, delay=210369, delays=210368/0.06/0.3/0, dsn =4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server upstreamrelay[xx.xx.xx.xx]: no mechanism available)

The host I am setting up has the peculiarity that only a secondary network
interface can reach the upstream relay, so I cannot simply telnet to port 25 from
it and debug from there (and unfortunately this openssl binary cannot be told to
use another IP address as its source address, nor have I managed to combine
netcat with openssl to do that). From another machine it IS possible, and this is
what it looks like:

openssl s_client -starttls smtp -crlf -connect upstreamrelay:25

[...]

EHLO upstreamrelay
250-upstreamrelay
250-PIPELINING                                                                                                  
250-SIZE 10240000                                                                                                
250-ETRN                                                                                                        
250-AUTH LOGIN PLAIN                                                                                            
250-ENHANCEDSTATUSCODES                                                                                          
250 8BITMIME                                                                                                    

So the relay offers only LOGIN and PLAIN. Both transmit the password in clear
within the SMTP session, so they are only acceptable inside TLS -- which is why
the STARTTLS session above matters. I can also send mail "by hand" from this
other machine using SASL over TLS, so I am quite confident the SASL username and
password are correct.

This is the SASL part of my configuration. Compared with my first post I added
`smtp_sasl_mechanism_filter = plain` and removed `noplaintext` from
`smtp_sasl_security_options`. (Caveat for anyone copying this: dropping
`noplaintext` from the non-TLS option list means a plaintext mechanism would
also be permitted on a session that fails to negotiate TLS. The safer
arrangement is to keep `noplaintext` in `smtp_sasl_security_options`, allow
plaintext only through `smtp_sasl_tls_security_options`, and make TLS mandatory
for this relay -- the "Verified TLS connection established" log lines suggest a
verifying TLS level is already in effect -- so the password can only ever travel
inside TLS.)

# postconf -n|grep sasl
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = plain
smtp_sasl_password_maps = btree:/etc/postfix/sasl/sasl_pw
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtpd_sasl_auth_enable = no

I read that if /usr/lib/sasl2 does not contain the plain and login plugins, these
errors result. The files are there, but note that the directory holds only `.a`
archives and libtool `.la` files. Since libsasl2 loads mechanism plugins at run
time with dlopen(), what matters is whether the loader can actually open these
with the module suffix it was built to expect on AIX; something like
`pluginviewer -c`, if the SASL utilities were built, would show which client
mechanisms really load.

# ls -al
total 3944
drwxr-xr-x    2 root     system         4096 Aug 27 09:27 .
drwxr-xr-x    5 root     system          256 Aug 27 09:27 ..
-rw-r--r--    1 root     system       186241 Aug 27 09:27 libanonymous.a
-rwxr-xr-x    1 root     system          617 Aug 27 09:27 libanonymous.la
-rw-r--r--    1 root     system       193237 Aug 27 09:27 libcrammd5.a
-rwxr-xr-x    1 root     system          611 Aug 27 09:27 libcrammd5.la
-rw-r--r--    1 root     system       302704 Aug 27 09:27 libdigestmd5.a
-rwxr-xr-x    1 root     system          626 Aug 27 09:27 libdigestmd5.la
-rw-r--r--    1 root     system       186375 Aug 27 09:27 liblogin.a
-rwxr-xr-x    1 root     system          605 Aug 27 09:27 liblogin.la
-rw-r--r--    1 root     system       283733 Aug 27 09:27 libotp.a
-rwxr-xr-x    1 root     system          608 Aug 27 09:27 libotp.la
-rw-r--r--    1 root     system       186343 Aug 27 09:27 libplain.a
-rwxr-xr-x    1 root     system          605 Aug 27 09:27 libplain.la
-rw-r--r--    1 root     system       351181 Aug 27 09:27 libsasldb.a
-rwxr-xr-x    1 root     system          617 Aug 27 09:27 libsasldb.la
-rw-r--r--    1 root     system       275287 Aug 27 09:27 libscram.a
-rwxr-xr-x    1 root     system          614 Aug 27 09:27 libscram.la
#

This is how I built cyrus-sasl:

# Build Cyrus SASL 2.1.26 from source with the client mechanism plugins
# this setup needs: PLAIN and LOGIN (the only two the upstream relay
# advertises), plus DIGEST-MD5 and ANONYMOUS.  ANONYMOUS is blocked at
# run time by "noanonymous" in main.cf, so it could be dropped from the
# build if nothing else needs it.  No --prefix is given, so the library
# and headers presumably land under /usr/local (hence -I/usr/local/include
# and -L/usr/local/lib in the Postfix build below), while the plugins went
# to /usr/lib/sasl2 (see the directory listing above).
# NOTE(review): libsasl2 dlopen()s the plugins at run time, so confirm
# they were built as loadable shared modules and not only as static .a
# archives -- the listing above shows .a/.la files only.
cd cyrus-sasl-2.1.26
 ./configure --enable-plain --enable-login --enable-digest --enable-anon
make
make install

and postfix:

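# Build Postfix 2.10.3 with TLS, Berkeley DB and Cyrus SASL client support.
# -DUSE_SASL_AUTH -DUSE_CYRUS_SASL selects the Cyrus SASL implementation
# ("postconf -A" then reports "cyrus"); -DUSE_TLS pulls in OpenSSL
# (-lssl -lcrypto); -DHAS_DB (-ldb) is what the btree: password map needs.
# -I/usr/local/include is where the Cyrus headers (sasl/sasl.h) were
# installed by the build above; the db4 headers come from /usr/include/db4.
# The make line uses explicit continuations so that the CCARGS and AUXLIBS
# values each reach make as a single argument instead of containing an
# embedded newline.
# NOTE(review): ldd on the resulting smtp binary lists no libsasl2 member,
# so -lsasl2 was apparently resolved against a static archive in
# /usr/local/lib; confirm that is intended.
cd postfix-2.10.3
make tidy
make makefiles \
  CCARGS="-DUSE_TLS -DHAS_DB -DUSE_SASL_AUTH -DUSE_CYRUS_SASL \
          -I/usr/local/include -I/usr/include/db4" \
  AUXLIBS="-L/usr/local/lib -L/usr/lib -lsasl2 -ldb -lssl -lcrypto"
make
make install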

So ... any idea why it says it cannot find a worthy mech and that no mechanisms
are available?

Thanks