Alexander Dalloz wrote:
First you will have to configure Postfix through main.cf:
...
Next you have to make the link between Postfix and Cyrus-SASL in /usr/lib{64}/sasl2/smtpd.conf:
...
You are done.
Yes I am! :-) In fact, I DID all the above (with more or less variants), but I was wondering why the command testsaslauthd wouldn't allow me to test authentication. Now I don't care anymore. What I need it for is "postfix with SASL AUTH against smtp clients", and for THAT I only need a properly filled and protected (postfix will have to be able to read the file) /etc/sasldb2 file. I was also wondering because on the machine that I'm migrating away from, the testsaslauthd command worked. Same config, and both using the same CentOS release. OK, never mind, the authentication works, a nice thing to start a Thursday with.
Thanks @Alexander, Kai and Nataraj and all others who cared!
Kind regards, Michael
Hello Michael,
glad that you managed to migrate to the new server.
If testsaslauthd gives an OK, this just means that saslauthd is running and could verify the given credentials against the backend. If that backend (-a) is shadow, then auth is checked against system users within the shadow file. If the backend is pam, then a more complex setup is possible. Besides checking against system users in shadow as well, PAM could be configured to test against an SQL database or an LDAP server.
If testsaslauthd is successful, it does not mean that Postfix client auth must be successful too. That's because Postfix can be configured to use a different authentication scheme: like you did, to use cyrus-sasl's auxprop, or even to use dovecot's SASL.
You can easily imagine a situation where the admin fills a sasldb with users and their passwords and where all these users can be found as system accounts within the shadow file as well. It may be intended by the admin or just lack of understanding. Postfix using cyrus-sasl may be configured to auth against the sasldb data, while saslauthd would work as well. (Here with the difference that usernames in sasldb are of the format user@domain.tld, whereas using saslauthd -a shadow the usernames can just be <user>.)
You may cross-check what the smtpd.conf file contained on your old host. It could be that saslauthd was the primary mechanism, but that the option "auto_transition" was set as well. You find that explained in /usr/share/doc/cyrus-sasl*/options.html. Running with that, it will fill the sasldb by itself. So you may have had the impression that sasldb was your primary authentication pool.
One final note: for cyrus-sasl, using auxprop with the plugin sasldb is the default and fallback. If nothing is configured or the configured setup fails, then cyrus-sasl tests with auxprop and sasldb.
Best regards
Alexander
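A practical way to act on Alexander's point that a successful testsaslauthd says nothing about Postfix's own SASL path: run a real SMTP AUTH exchange against smtpd, which is the only check that covers whatever smtpd.conf actually selects (auxprop/sasldb, saslauthd, or Dovecot's SASL). The script below is an added example written for this page; it is not code from the thread, from Postfix or from cyrus-sasl. It uses Python's smtplib for the client side and, so that it runs offline, a constructed in-process fake smtpd whose credential table is a dict keyed user@realm, mirroring the user@domain.tld naming Alexander describes for sasldb entries. The host name mail.example.org, the credentials michael@example.org / s3cret, the fake server's replies and the file name smtp_auth_check.py are all assumptions; the fake server does an exact-key lookup and does not model cyrus-sasl's realm handling.

```python
#!/usr/bin/env python3
"""Added example (not from this thread, Postfix or cyrus-sasl): test SMTP AUTH
against smtpd itself, the path testsaslauthd never exercises when smtpd.conf
says 'pwcheck_method: auxprop'. A constructed in-process fake smtpd lets it run
offline; all host names, ports and credentials here are assumptions."""
import base64
import smtplib
import socket
import ssl
import sys
import threading


def auth_plain_token(username, password, authzid=""):
    """RFC 4616 PLAIN: base64([authzid] NUL authcid NUL passwd), as sent on the wire."""
    return base64.b64encode(f"{authzid}\0{username}\0{password}".encode()).decode("ascii")


def parse_auth_plain_token(token):
    """Inverse of auth_plain_token(); raises ValueError on a malformed token."""
    parts = base64.b64decode(token, validate=True).decode("utf-8").split("\0")
    if len(parts) != 3:
        raise ValueError("PLAIN token must carry exactly three NUL-separated fields")
    return tuple(parts)


def smtp_auth_check(host, port, username, password, starttls=False, timeout=10):
    """Return (ok, detail); ok is True only when smtpd answers 235 to AUTH."""
    try:
        with smtplib.SMTP(host, port, local_hostname="authcheck.invalid", timeout=timeout) as s:
            s.ehlo()
            if starttls:  # with smtpd_tls_auth_only = yes, AUTH is only offered after STARTTLS
                s.starttls(context=ssl.create_default_context())
                s.ehlo()
            mechs = s.esmtp_features.get("auth", "").split()  # what smtpd advertised
            try:
                code, resp = s.login(username, password)
                return True, f"{code} {resp.decode(errors='replace')} via {mechs}"
            except smtplib.SMTPAuthenticationError as e:
                return False, f"{e.smtp_code} {e.smtp_error.decode(errors='replace')}"
    except (OSError, smtplib.SMTPException) as e:
        return False, f"connection/protocol error: {e}"


# Constructed stand-in for a sasldb2 filled with `saslpasswd2 -c -u example.org michael`:
# the stored name is user@realm, so a bare 'michael' is a different key.
SAMPLE_SASLDB = {"michael@example.org": "s3cret"}


def _fake_smtpd(conn, sasldb):
    """Constructed minimal ESMTP peer (EHLO, AUTH PLAIN with initial response, QUIT).
    Exact-match lookup in the dict; a test double, not a model of cyrus-sasl realms."""
    def send(line):
        conn.sendall((line + "\r\n").encode("utf-8"))
    rfile = conn.makefile("rb")
    send("220 fake.example.org ESMTP (constructed test server)")
    for raw in rfile:
        line = raw.decode("utf-8", "replace").rstrip("\r\n")
        if line.upper().startswith("EHLO"):
            send("250-fake.example.org")
            send("250 AUTH PLAIN")
        elif line.upper().startswith("AUTH PLAIN "):
            try:
                _authzid, user, pw = parse_auth_plain_token(line.split(None, 2)[2])
            except (ValueError, UnicodeDecodeError, IndexError):
                send("501 5.5.2 Error: malformed AUTH PLAIN response")
                continue
            send("235 2.7.0 Authentication successful" if sasldb.get(user) == pw
                 else "535 5.7.8 Error: authentication failed")
        elif line.upper().startswith("QUIT"):
            send("221 2.0.0 Bye")
            break
        else:
            send("502 5.5.2 Error: command not recognized")
    conn.close()


def check_against_fake_smtpd(sasldb, username, password):
    """Serve one connection on a loopback port and run smtp_auth_check() against it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(10)

    def serve_one():
        conn, _ = srv.accept()
        _fake_smtpd(conn, sasldb)

    t = threading.Thread(target=serve_one, daemon=True)
    t.start()
    try:
        return smtp_auth_check("127.0.0.1", srv.getsockname()[1], username, password)
    finally:
        t.join(10)
        srv.close()


if __name__ == "__main__":  # python3 smtp_auth_check.py HOST PORT USER PASSWORD [--starttls]
    ok, detail = smtp_auth_check(sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4],
                                 starttls="--starttls" in sys.argv[5:])
    print("OK" if ok else "FAIL", detail)
    sys.exit(0 if ok else 1)
```

Against a real host run it as `python3 smtp_auth_check.py mail.example.org 587 michael@example.org s3cret --starttls`; pass --starttls whenever smtpd_tls_auth_only = yes, because smtpd then advertises AUTH only inside TLS and the check would otherwise report "no AUTH mechanisms". check_against_fake_smtpd() drives the same client code against the constructed server, where michael@example.org succeeds and a bare michael fails, which is the user versus user@domain.tld distinction Alexander draws between saslauthd -a shadow and sasldb.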