telnet hangs when I enable sasl


Roelof Wobben
Hello,

I have this in my main.cf :

smtpd_sasl_path = smtpd
smtpd_sasl_auth_enable = yes

in my sasl2 config file I have this :

pwcheck_method = auxprop
auxprop_plugin = sasldb
mech_list = plain login cram-md5 digest-md5 ntlm

but when I do telnet 127.0.0.1 25 and I do then ehlo localhost I see no response
at all.

When I disable the smtpd_sasl_auth_enable line telnet works but I do not see the
auth headers back.


What can be the culprit here?

Roelof

Re: telnet hangs when I enable sasl

Wilfried.Essig@Essignetz.de
Hi,


That's rather little information. Please provide information described under
http://www.postfix.org/DEBUG_README.html#mail


Willi


On 01.06.2017 at 11:36, Roelof Wobben wrote:

> Hello,
>
> I have this in my main.cf :
>
> smtpd_sasl_path = smtpd
> smtpd_sasl_auth_enable = yes
>
> in my sasl2 config file I have this :
>
> pwcheck_method = auxprop
> auxprop_plugin = sasldb
> mech_list = plain login cram-md5 digest-md5 ntlm
>
> but when I do telnet 127.0.0.1 25 and I do then ehlo localhost I see no response
> at all.
>
> When I disable the smtpd_sasl_auth_enable line telnet works but I do not see the
> auth headers back.
>
>
> What can be the culprit here?
>
> Roelof
>

Re: telnet hangs when I enable sasl

Wietse Venema
Roelof Wobben:

> Hello,
>
> I have this in my main.cf :
>
> smtpd_sasl_path = smtpd
> smtpd_sasl_auth_enable = yes
>
> in my sasl2 config file I have this :
>
> pwcheck_method = auxprop
> auxprop_plugin = sasldb
> mech_list = plain login cram-md5 digest-md5 ntlm
>
> but when I do telnet 127.0.0.1 25 and I do then ehlo localhost I see no response
> at all.

Look in your mail log for error messages.

http://www.postfix.org/DEBUG_README.html#logging

        Wietse

Re: telnet hangs when I enable sasl

Roelof Wobben
Both thanks,

I will make the logs as soon as I work with that server.
I think it will be on Tuesday.

Regards,

Roelof



On 1-6-2017 at 15:27, Wietse Venema wrote:

> Roelof Wobben:
>> Hello,
>>
>> I have this in my main.cf :
>>
>> smtpd_sasl_path = smtpd
>> smtpd_sasl_auth_enable = yes
>>
>> in my sasl2 config file I have this :
>>
>> pwcheck_method = auxprop
>> auxprop_plugin = sasldb
>> mech_list = plain login cram-md5 digest-md5 ntlm
>>
>> but when I do telnet 127.0.0.1 25 and I do then ehlo localhost I see no response
>> at all.
> Look in your mail log for error messages.
>
> http://www.postfix.org/DEBUG_README.html#logging
>
> Wietse
>


Re: telnet hangs when I enable sasl

Roelof Wobben
I could reproduce the error on another machine, so here are the logs:

errors from maillog :

Jun  1 18:07:11 localhost postfix/smtpd[9650]: warning: SASL per-process initialization failed: error when parsing configuration file
Jun  1 18:07:11 localhost postfix/smtpd[9650]: fatal: SASL per-process initialization failed
Jun  1 18:07:12 localhost postfix/master[2315]: warning: process /usr/libexec/postfix/smtpd pid 9650 exit status 1
Jun  1 18:07:12 localhost postfix/master[2315]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling
Jun  1 18:08:12 localhost postfix/smtpd[9652]: warning: SASL per-process initialization failed: error when parsing configuration file
Jun  1 18:08:12 localhost postfix/smtpd[9652]: fatal: SASL per-process initialization failed
Jun  1 18:08:13 localhost postfix/master[2315]: warning: process /usr/libexec/postfix/smtpd pid 9652 exit status 1
Jun  1 18:08:13 localhost postfix/master[2315]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling
Jun  1 18:09:13 localhost postfix/smtpd[9653]: warning: SASL per-process initialization failed: error when parsing configuration file
Jun  1 18:09:13 localhost postfix/smtpd[9653]: fatal: SASL per-process initialization failed
Jun  1 18:09:14 localhost postfix/master[2315]: warning: process /usr/libexec/postfix/smtpd pid 9653 exit status 1
Jun  1 18:09:14 localhost postfix/master[2315]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling
Jun  1 18:11:09 localhost postfix/postfix-script[1540]: starting the Postfix mail system
Jun  1 18:11:09 localhost postfix/master[1542]: daemon started -- version 2.10.1, configuration /etc/postfix


postconf -n 

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
html_directory = no
inet_interfaces = localhost
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = srv.world
myhostname = mail.srv.world
mynetworks = 168.100.189.0/28, 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_sasl_path = smtpd
smtpd_sasl_auth_enable = yes
unknown_local_recipient_reject_code = 550


postconf -Mf : 

smtp       inet  n       -       n       -       -       smtpd
pickup     unix  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache


I hope this is enough otherwise I will try to make the logs which are requested. 

Roelof

On 1-6-2017 at 11:47, [hidden email] wrote:

> Hi,
>
> That's rather little information. Please provide information described under
> http://www.postfix.org/DEBUG_README.html#mail
>
> Willi
>
> On 01.06.2017 at 11:36, Roelof Wobben wrote:
>> Hello,
>>
>> I have this in my main.cf :
>>
>> smtpd_sasl_path = smtpd
>> smtpd_sasl_auth_enable = yes
>>
>> in my sasl2 config file I have this :
>>
>> pwcheck_method = auxprop
>> auxprop_plugin = sasldb
>> mech_list = plain login cram-md5 digest-md5 ntlm
>>
>> but when I do telnet 127.0.0.1 25 and I do then ehlo localhost I see no response
>> at all.
>>
>> When I disable the smtpd_sasl_auth_enable line telnet works but I do not see the
>> auth headers back.
>>
>> What can be the culprit here?
>>
>> Roelof


Re: telnet hangs when I enable sasl

Wietse Venema
Roelof Wobben:
> Jun  1 18:08:12 localhost postfix/smtpd[9652]: warning: SASL per-process initialization failed: error when parsing configuration file
> Jun  1 18:08:12 localhost postfix/smtpd[9652]: fatal: SASL per-process initialization failed

You need to fix your SASL configuration file.

> smtp_sasl_path = smtpd
> smtpd_sasl_path = smtpd

The above settings should use different names.

http://www.postfix.org/SASL_README.html#server_cyrus_name
http://www.postfix.org/SASL_README.html#server_cyrus_location
http://www.postfix.org/postconf.5.html#smtpd_sasl_path
http://www.postfix.org/postconf.5.html#smtp_sasl_path

        Wietse

Re: telnet hangs when I enable sasl

Roelof Wobben
Thanks,

Changed it but the error stays even after restarting postfix.

Roelof


On 1-6-2017 at 20:54, Wietse Venema wrote:

> Roelof Wobben:
>> Jun  1 18:08:12 localhost postfix/smtpd[9652]: warning: SASL per-process initialization failed: error when parsing configuration file
>> Jun  1 18:08:12 localhost postfix/smtpd[9652]: fatal: SASL per-process initialization failed
> You need to fix your SASL configuration file.
>
>> smtp_sasl_path = smtpd
>> smtpd_sasl_path = smtpd
> The above settings should use different names.
>
> http://www.postfix.org/SASL_README.html#server_cyrus_name
> http://www.postfix.org/SASL_README.html#server_cyrus_location
> http://www.postfix.org/postconf.5.html#smtpd_sasl_path
> http://www.postfix.org/postconf.5.html#smtp_sasl_path
>
> Wietse
>


Re: telnet hangs when I enable sasl

Wietse Venema
Roelof Wobben:
> Thanks,
>
> Changed it but the error stays even after restarting postfix.

I suppose the contents of the file are incorrect. However, the Cyrus
SASL library is not a Postfix project. Cyrus SASL has its own mailing
list.

        Wietse

Re: telnet hangs when I enable sasl

Roelof Wobben
On 2-6-2017 at 01:49, Wietse Venema wrote:

> Roelof Wobben:
>> Thanks,
>>
>> Changed it but the error stays even after restarting postfix.
> I suppose the contents of the file are incorrect. However, the Cyrus
> SASL library is not a Postfix project. Cyrus SASL has its own mailing
> list.
>
> Wietse

Okay, you mean this config file:

/etc/sasl/smtpd.conf

pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM

Otherwise I did not change any file.

Roelof



    

Re: telnet hangs when I enable sasl

Viktor Dukhovni

> On Jun 2, 2017, at 1:20 AM, Roelof Wobben <[hidden email]> wrote:
>
> Okay, you mean this config file:
>
> /etc/sasl/smtpd.conf
>
> pwcheck_method: auxprop
> auxprop_plugin: sasldb
> mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM

If your Postfix build supports Cyrus SASL, and that's the
configured SASL driver, and that's the right directory, then
yes that file.  As a wild guess of one possible issue, the
"postfix" user might need read access to the sasldb database.

Typically, one uses saslauthd, rather than direct sasldb
access.  Also storing cleartext passwords is unwise, so
I'd go with PAM as a backend for saslauthd and not support
CRAM-MD5 or DIGEST-MD5, relying instead on TLS for keeping
the passwords safe from network wiretapping.  By far the
greater risk is usually password database disclosure.

Find a good SASL guide and forum, the issues here are largely
not Postfix-specific.

--
        Viktor.
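
A small checker for the settings discussed in this thread, added here as an illustration (it is not code from any poster, nor from the Postfix or Cyrus SASL projects). It assumes Cyrus SASL's `name: value` option-file syntax; the function names are hypothetical and the sample input is constructed from the settings quoted above.

```python
import re

# Mechanisms that need the server to keep recoverable passwords
# (the reason given above for not offering CRAM-MD5 or DIGEST-MD5).
SHARED_SECRET_MECHS = {"CRAM-MD5", "DIGEST-MD5"}
OPTION_RE = re.compile(r"^([A-Za-z0-9_-]+):\s*(.*)$")

# Constructed samples based on the settings quoted in the thread.
SASL_EQUALS = """pwcheck_method = auxprop
auxprop_plugin = sasldb
mech_list = plain login cram-md5 digest-md5 ntlm
"""
SASL_COLONS = """pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM
"""
POSTCONF = """smtp_sasl_path = smtpd
smtpd_sasl_path = smtpd
smtpd_sasl_auth_enable = yes
"""


def parse_sasl_conf(text):
    """Parse Cyrus SASL 'name: value' lines; return (options, syntax_errors)."""
    options, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPTION_RE.match(line)
        if m is None:
            errors.append(f"line {lineno}: expected 'name: value', got {line!r}")
            continue
        options[m.group(1)] = m.group(2).strip()
    return options, errors


def parse_postconf(text):
    """Parse 'name = value' lines as printed by postconf -n."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params


def review(sasl_text, postconf_text):
    """Return a list of findings for the settings discussed in the thread."""
    options, findings = parse_sasl_conf(sasl_text)
    params = parse_postconf(postconf_text)
    mechs = {m.upper() for m in options.get("mech_list", "").split()}
    risky = sorted(mechs & SHARED_SECRET_MECHS)
    if risky:
        findings.append("mech_list offers " + ", ".join(risky)
                        + ": server must store recoverable passwords")
    if options.get("pwcheck_method") == "auxprop":
        findings.append("pwcheck_method auxprop: smtpd reads the password "
                        "database itself, so the postfix user needs read access")
    client, server = params.get("smtp_sasl_path"), params.get("smtpd_sasl_path")
    if client is not None and client == server:
        findings.append("smtp_sasl_path and smtpd_sasl_path use the same name")
    return findings


if __name__ == "__main__":
    for finding in review(SASL_COLONS, POSTCONF):
        print(finding)
```
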


Re: telnet hangs when I enable sasl

Roelof Wobben
On 2-6-2017 at 07:20, Roelof Wobben wrote:

> On 2-6-2017 at 01:49, Wietse Venema wrote:
>> Roelof Wobben:
>>> Thanks,
>>>
>>> Changed it but the error stays even after restarting postfix.
>> I suppose the contents of the file are incorrect. However, the Cyrus
>> SASL library is not a Postfix project. Cyrus SASL has its own mailing
>> list.
>>
>> Wietse
>
> Okay, you mean this config file:
>
> /etc/sasl/smtpd.conf
>
> pwcheck_method: auxprop
> auxprop_plugin: sasldb
> mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM
>
> Otherwise I did not change any file.
>
> Roelof

I asked the cyrus-sasl people and they said there is nothing wrong with my sasl.
So I hope someone here can help me further.

I still have the problem if I use dovecot-sasl or cyrus-sasl: there is no response after I do ehlo localhost
and no error messages in maillog or messages.

Roelof


Re: telnet hangs when I enable sasl

Wilfried.Essig@Essignetz.de
Hi,


some thoughts:

Is the postfix user allowed to read /etc/sasl/smtpd.conf?

You could set cyrus_sasl_config_path to /etc/sasl/.

How are the access rights of the postfix user to your sasldb-file
(/etc/sasldb2?)?

On my machines (mostly Debian 8) I have the postfix user in sasl group.

And, as Viktor mentioned, look if your postfix is built with sasl support.


Willi


Re: telnet hangs when I enable sasl

Roelof Wobben
On 5-6-2017 at 14:28, [hidden email] wrote:

> Hi,
>
>
> some thoughts:
>
> Is the postfix user allowed to read /etc/sasl/smtpd.conf?
>
> You could set cyrus_sasl_config_path to /etc/sasl/.
>
> How are the access rights of the postfix user to your sasldb-file
> (/etc/sasldb2?)?
>
> On my machines (mostly Debian 8) I have the postfix user in sasl group.
>
> And, as Viktor mentioned, look if your postfix is built with sasl support.
>
>
> Willi
>
>

Postfix is built with sasl support.

postconf -a  gives cyrus dovecot
postconf -A gives dovecot

Roelof


Re: telnet hangs when I enable sasl

Roelof Wobben
On 5-6-2017 at 14:28, [hidden email] wrote:
> Hi,
>
>
> some thoughts:
>
> Is the postfix user allowed to read /etc/sasl/smtpd.conf?

At this moment, not.  smtpd.conf has as owner root:root
Should I change it to postfix:root ?


>
> You could set cyrus_sasl_config_path to /etc/sasl/.
>
> How are the access rights of the postfix user to your sasldb-file
> (/etc/sasldb2?)?

yep, that one has as owner postfix:user

> On my machines (mostly Debian 8) I have the postfix user in sasl group.
>
> And, as Viktor mentioned, look if your postfix is built with sasl support.
>


How can I check that on a CentOS box?

> Willi
>
>


Re: telnet hangs when I enable sasl

Viktor Dukhovni
On Mon, Jun 05, 2017 at 02:39:50PM +0200, Roelof Wobben wrote:

> Postfix is built with SASL support.
>
> postconf -a  gives cyrus dovecot
> postconf -A gives dovecot

That's impossible.

       -a     List the available SASL server plug-in types.  The SASL  plug-in
              type  is selected with the smtpd_sasl_type configuration parame-
              ter by specifying one of the names listed below.

              cyrus  This server plug-in is available when  Postfix  is  built
                     with Cyrus SASL support.

              dovecot
                     This  server  plug-in  uses  the  Dovecot  authentication
                     server, and is available when Postfix is built  with  any
                     form of SASL support.

              This feature is available with Postfix 2.3 and later.

       -A     List  the available SASL client plug-in types.  The SASL plug-in
              type is selected with the smtp_sasl_type or lmtp_sasl_type  con-
              figuration  parameters  by  specifying  one  of the names listed
              below.

              cyrus  This client plug-in is available when  Postfix  is  built
                     with Cyrus SASL support.

              This feature is available with Postfix 2.3 and later.

Don't report settings from memory, cut/paste *verbatim* command output that
reports the settings in question.  Also post the output of:

   postconf smtpd_sasl_type smtp_sasl_type

--
        Viktor.

Re: telnet hangs when I enable sasl

Wilfried.Essig@Essignetz.de
On 05.06.2017 at 14:42, Roelof Wobben wrote:
...
>> Is the postfix user allowed to read /etc/sasl/smtpd.conf?
>
> At this moment, not.  smtpd.conf has as owner root:root
> Should I change it to postfix:root ?

Yes, if it's not already world readable.

BTW: Can the postfix user traverse into /etc/sasl?

We can see it on output of "ls -al /etc/sasl".

Are the logs showing still the same errors?


Willi


Re: telnet hangs when I enable sasl

Roelof Wobben
On 5-6-2017 at 15:27, Viktor Dukhovni wrote:

> On Mon, Jun 05, 2017 at 02:39:50PM +0200, Roelof Wobben wrote:
>
>> Postfix is built with SASL support.
>>
>> postconf -a  gives cyrus dovecot
>> postconf -A gives dovecot
> That's impossible.
>
>         -a     List the available SASL server plug-in types.  The SASL  plug-in
>                type  is selected with the smtpd_sasl_type configuration parame-
>                ter by specifying one of the names listed below.
>
>                cyrus  This server plug-in is available when  Postfix  is  built
>                       with Cyrus SASL support.
>
>                dovecot
>                       This  server  plug-in  uses  the  Dovecot  authentication
>                       server, and is available when Postfix is built  with  any
>                       form of SASL support.
>
>                This feature is available with Postfix 2.3 and later.
>
>         -A     List  the available SASL client plug-in types.  The SASL plug-in
>                type is selected with the smtp_sasl_type or lmtp_sasl_type  con-
>                figuration  parameters  by  specifying  one  of the names listed
>                below.
>
>                cyrus  This client plug-in is available when  Postfix  is  built
>                       with Cyrus SASL support.
>
>                This feature is available with Postfix 2.3 and later.
>
> Don't report settings from memory, cut/paste *verbatim* command output that
> reports the settings in question.  Also post the output of:
>
>     postconf smtpd_sasl_type smtp_sasl_type
>

First I did not report from memory. I type all the commands and copy the
outcome here.

Second output of postconf smtpd_sasl_type smtp_sasl_type is :

smtpd_sasl_type = cyrus
smtp_sasl_type = cyrus

Roelof


Re: telnet hangs when I enable sasl

Roelof Wobben
On 5-6-2017 at 16:31, [hidden email] wrote:

> On 05.06.2017 at 14:42, Roelof Wobben wrote:
> ...
>>> Is the postfix user allowed to read /etc/sasl/smtpd.conf?
>> At this moment, not.  smtpd.conf has as owner root:root
>> Should I change it to postfix:root ?
> Yes, if it's not already world readable.
>
> BTW: Can the postfix user traverse into /etc/sasl?
>
> We can see it on output of "ls -al /etc/sasl".
>
> Are the logs showing still the same errors?
>
>
> Willi


Changed it.
output of ls -al /etc/sasl2

totaal 16
drwxr-xr-x.  2 root    root   24  5 jun 13:42 .
drwxr-xr-x. 76 root    root 8192  5 jun 15:26 ..
-rw-r--r--.  1 postfix root   47  5 jun 13:42 smtpd.conf



And the maillogs still give this error message : 

warning : sasl authentication failure: Internal Error -4 in server.c near line 1757
fatal : no sasl authentication mechanisms 

Roelof


Re: telnet hangs when I enable sasl

Fernando Maior
Hello, Roelof,

From this:
totaal 16
drwxr-xr-x.  2 root    root   24  5 jun 13:42 .
drwxr-xr-x. 76 root    root 8192  5 jun 15:26 ..
-rw-r--r--.  1 postfix root   47  5 jun 13:42 smtpd.conf
I believe you do not need to change owner/group of smtpd.conf; because postfix user already has access to read the file. You see, you have read+execute on the directory, and read on the file, for all users. So, postfix user *will* access and read the file.
The problem is not that. Find it on another place.
By the way, which is your distro?
Regards!


Best regards,
---
Fernando Maciel Souto Maior
Technology Projects and Solutions
(31) 99226-9440 TIM

2017-06-05 12:58 GMT-03:00 Roelof Wobben <[hidden email]>:
> On 5-6-2017 at 16:31, [hidden email] wrote:
>> On 05.06.2017 at 14:42, Roelof Wobben wrote:
>> ...
>>>> Is the postfix user allowed to read /etc/sasl/smtpd.conf?
>>> At this moment, not.  smtpd.conf has as owner root:root
>>> Should I change it to postfix:root ?
>> Yes, if it's not already world readable.
>>
>> BTW: Can the postfix user traverse into /etc/sasl?
>>
>> We can see it on output of "ls -al /etc/sasl".
>>
>> Are the logs showing still the same errors?
>>
>>
>> Willi
>
> Changed it.
> output of ls -al /etc/sasl2
>
> totaal 16
> drwxr-xr-x.  2 root    root   24  5 jun 13:42 .
> drwxr-xr-x. 76 root    root 8192  5 jun 15:26 ..
> -rw-r--r--.  1 postfix root   47  5 jun 13:42 smtpd.conf
>
> And the maillogs still give this error message :
>
> warning : sasl authentication failure: Internal Error -4 in server.c near line 1757
> fatal : no sasl authentication mechanisms
>
> Roelof



Re: telnet hangs when I enable sasl

Wilfried.Essig@Essignetz.de
On 05.06.2017 at 17:58, Roelof Wobben wrote:

> On 5-6-2017 at 16:31, [hidden email] wrote:
>> On 05.06.2017 at 14:42, Roelof Wobben wrote:
>> ...
>>>> Is the postfix user allowed to read /etc/sasl/smtpd.conf?
>>> At this moment, not.  smtpd.conf has as owner root:root
>>> Should I change it to postfix:root ?
>> Yes, if it's not already world readable.
>>
>> BTW: Can the postfix user traverse into /etc/sasl?
>>
>> We can see it on output of "ls -al /etc/sasl".
>>
>> Are the logs showing still the same errors?
>>
>>
>> Willi
>>
>
> Changed it.
> output of ls -al /etc/sasl2
>
> totaal 16
> drwxr-xr-x.  2 root    root   24  5 jun 13:42 .
> drwxr-xr-x. 76 root    root 8192  5 jun 15:26 ..
> -rw-r--r--.  1 postfix root   47  5 jun 13:42 smtpd.conf
I assume, postfix had seen the config all the time ;-)


> And the maillogs still give this error message :
>
> warning : sasl authentication failure: Internal Error -4 in server.c near line 1757
> fatal : no sasl authentication mechanisms

The error message changed, compared to your mail from 01.06.2017 18:23
+0200. Look for "Internal Error -4 in server.c" in the search engine of
your confidence.

Good luck.


Willi
