Hello, I'm having trouble getting saslauthd running on CentOS 5.3. I can't authenticate via testsaslauthd. Here's what I do using a fresh /etc/sasldb2:

1) start saslauthd in debug mode:
   saslauthd -d -a shadow -O /usr/lib64/sasl2/smtpd.conf -r -l
2) saslpasswd2 -c -a mail -u mail testuser
3) testsaslauthd -u testomat -p <mypassword> -s smtp -r mail

shell output of testsaslauthd:
0: NO "authentication failed"
shell output of saslauthd:
[root@x02-new ~]# saslauthd -d -a shadow -O /usr/lib64/sasl2/smtpd.conf -r -l
saslauthd[1936] :main : num_procs : 5
saslauthd[1936] :main : mech_option: /usr/lib64/sasl2/smtpd.conf
saslauthd[1936] :main : run_path : /var/run/saslauthd
saslauthd[1936] :main : auth_mech : shadow
saslauthd[1936] :detach_tty : master pid is: 0
saslauthd[1936] :ipc_init : listening on socket: /var/run/saslauthd/mux
saslauthd[1936] :main : using process model
saslauthd[1936] :have_baby : forked child: 1937
saslauthd[1936] :have_baby : forked child: 1938
saslauthd[1936] :have_baby : forked child: 1939
saslauthd[1936] :have_baby : forked child: 1941
saslauthd[1937] :do_auth : auth failure: [user=testomat@mail] [service=smtp] [realm=mail] [mech=shadow] [reason=Unknown]
saslauthd[1937] :do_request : response: NO
output in /var/log/messages:
Aug 26 07:41:31 x02-new saslauthd[1673]: server_exit : master exited: 0
Aug 26 07:41:33 x02-new saslauthd[1936]: detach_tty : master pid is: 0
Aug 26 07:41:33 x02-new saslauthd[1936]: ipc_init : listening on socket: /var/run/saslauthd/mux
Aug 26 07:41:38 x02-new saslauthd[1937]: do_auth : auth failure: [user=testomat@mail] [service=smtp] [realm=mail] [mech=shadow] [reason=Unknown]
output of saslfinger:
====================================================
# saslfinger -s
saslfinger - postfix Cyrus sasl configuration Wed 26. Aug 07:43:47 CEST 2009
version: 1.0.2
mode: server-side SMTP AUTH
-- basics --
Postfix: 2.3.3
System: CentOS release 5.3 (Final)
-- smtpd is linked to --
libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00002b0ffbdee000)
-- active SMTP AUTH and TLS parameters for smtpd --
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = mail
smtpd_sasl_security_options = noanonymous
-- listing of /usr/lib64/sasl2 --
total 2916
drwxr-xr-x  2 root root   4096 26. Aug 07:34 .
drwxr-xr-x 52 root root  20480 26. Aug 00:32 ..
-rwxr-xr-x  1 root root    890  7. Jan  2007 libanonymous.la
-rwxr-xr-x  1 root root  15880  7. Jan  2007 libanonymous.so
-rwxr-xr-x  1 root root  15880  7. Jan  2007 libanonymous.so.2
-rwxr-xr-x  1 root root  15880  7. Jan  2007 libanonymous.so.2.0.22
-rwxr-xr-x  1 root root    862  7. Jan  2007 liblogin.la
-rwxr-xr-x  1 root root  16480  7. Jan  2007 liblogin.so
-rwxr-xr-x  1 root root  16480  7. Jan  2007 liblogin.so.2
-rwxr-xr-x  1 root root  16480  7. Jan  2007 liblogin.so.2.0.22
-rwxr-xr-x  1 root root    862  7. Jan  2007 libplain.la
-rwxr-xr-x  1 root root  16448  7. Jan  2007 libplain.so
-rwxr-xr-x  1 root root  16448  7. Jan  2007 libplain.so.2
-rwxr-xr-x  1 root root  16448  7. Jan  2007 libplain.so.2.0.22
-rwxr-xr-x  1 root root    936  7. Jan  2007 libsasldb.la
-rwxr-xr-x  1 root root 892920  7. Jan  2007 libsasldb.so
-rwxr-xr-x  1 root root 892920  7. Jan  2007 libsasldb.so.2
-rwxr-xr-x  1 root root 892920  7. Jan  2007 libsasldb.so.2.0.22
-rw-r--r--  1 root root    167 26. Aug 07:34 smtpd.conf
-- listing of /usr/lib/sasl2 --
total 2912
drwxr-xr-x  2 root root   4096 26. Aug 07:41 .
drwxr-xr-x 30 root root  12288 26. Aug 00:33 ..
-rwxr-xr-x  1 root root    884  7. Jan  2007 libanonymous.la
-rwxr-xr-x  1 root root  14372  7. Jan  2007 libanonymous.so
-rwxr-xr-x  1 root root  14372  7. Jan  2007 libanonymous.so.2
-rwxr-xr-x  1 root root  14372  7. Jan  2007 libanonymous.so.2.0.22
-rwxr-xr-x  1 root root    856  7. Jan  2007 liblogin.la
-rwxr-xr-x  1 root root  14752  7. Jan  2007 liblogin.so
-rwxr-xr-x  1 root root  14752  7. Jan  2007 liblogin.so.2
-rwxr-xr-x  1 root root  14752  7. Jan  2007 liblogin.so.2.0.22
-rwxr-xr-x  1 root root    856  7. Jan  2007 libplain.la
-rwxr-xr-x  1 root root  14848  7. Jan  2007 libplain.so
-rwxr-xr-x  1 root root  14848  7. Jan  2007 libplain.so.2
-rwxr-xr-x  1 root root  14848  7. Jan  2007 libplain.so.2.0.22
-rwxr-xr-x  1 root root    930  7. Jan  2007 libsasldb.la
-rwxr-xr-x  1 root root 905200  7. Jan  2007 libsasldb.so
-rwxr-xr-x  1 root root 905200  7. Jan  2007 libsasldb.so.2
-rwxr-xr-x  1 root root 905200  7. Jan  2007 libsasldb.so.2.0.22
-- listing of /etc/sasl2 --
total 24
drwxr-xr-x  2 root root  4096 26. Aug 07:36 .
drwxr-xr-x 85 root root 12288 26. Aug 07:38 ..
-- content of /usr/lib64/sasl2/smtpd.conf --
auto_transition: true
pwcheck_method: auxprop
saslauthd_version: 2
auxprop_plugin: sasldb
allowanonymouslogin: 0
allowplaintext: 1
mech_list: PLAIN LOGIN
log_level: 3
-- active services in /etc/postfix/master.cf --
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
smtp      inet  n       -       n       -       -       smtpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp -o fallback_relay=
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
maildrop  unix  -       n       n       -       -       pipe flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
old-cyrus unix  -       n       n       -       -       pipe flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
cyrus     unix  -       n       n       -       -       pipe user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
uucp      unix  -       n       n       -       -       pipe flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
-- mechanisms on localhost --
-- end of saslfinger output --
====================================================
content of /etc/pam.d/smtp:
#%PAM-1.0
auth    include system-auth
account include system-auth
What's working well:
testsaslauthd -u root -p <myrootpassword> -s smtp
0: OK "Success."
I don't know what's going on - it seems that testsaslauthd doesn't look up the user 'testomat' in /etc/sasldb2. Have you got an idea? Thanks in advance. Regards, Michael
Michael Kress wrote:
- saslpasswd2 -c -a mail -u mail testuser
That's a typo - the user is testomat. But, with the same result. :-(
- testsaslauthd -u testomat -p <mypassword> -s smtp -r mail
shell output of testsaslauthd: 0: NO "authentication failed"
You are mixing things. saslauthd and sasldb are exclusive: either use one or the other (at least on CentOS).
saslauthd -v
prints out the available authentication mechanisms (better to say backends).
On CentOS sasldb can only be used as a plugin by the auxprop mechanism. You will have to decide on one way to store your credentials.
If using saslauthd, keep in mind that you can't use shared secret mechanisms.
Alexander
Hi, Alexander Dalloz wrote:
- saslpasswd2 -c -a mail -u mail testuser
That's a typo - the user is testomat. But, with the same result. :-(
- testsaslauthd -u testomat -p <mypassword> -s smtp -r mail
shell output of testsaslauthd: 0: NO "authentication failed"
You are mixing things. saslauthd and sasldb are exclusive: either use one or the other (at least on CentOS).
OK - I think we're coming closer to the point. It will certainly be sasldb2, because I have an old machine with SMTP AUTH users who are contained in /etc/sasldb2. I want to transfer these users to the new machine without having to assign them new passwords. Given the scenario that I copy the old /etc/sasldb2 to the new machine, how could Postfix there authenticate these SMTP AUTH users?
On CentOS sasldb can only be used as a plugin by the auxprop mechanism. You will have to decide on one way to store your credentials.
see above - the decision is already taken by the fact of the migration.
Regards Michael
Hi, Alexander Dalloz wrote:
[ ... ]
You are mixing things. saslauthd and sasldb are exclusive: either use one or the other (at least on CentOS).
OK - I think we're coming closer to the point. It will certainly be sasldb2, because I have an old machine with SMTP AUTH users who are contained in /etc/sasldb2. I want to transfer these users to the new machine without having to assign them new passwords. Given the scenario that I copy the old /etc/sasldb2 to the new machine, how could Postfix there authenticate these SMTP AUTH users?
That is pretty easy.
First you will have to configure Postfix through main.cf:
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = mail.example.com   <-- this sets the realm [1]
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
[1] With saslpasswd2 it is "-u DOM", which, if not specified, defaults to the hostname. For your existing sasldb2 BDB you can use "sasldblistusers2" to list the usernames.
At a proper place in smtpd_*_restrictions define "permit_sasl_authenticated".
Next you have to make the link between Postfix and Cyrus-SASL in /usr/lib{64}/sasl2/smtpd.conf:
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: login plain cram-md5 digest-md5   <-- adjust to your needs
You are done.
On CentOS sasldb can only be used as a plugin by the auxprop mechanism. You will have to decide on one way to store your credentials.
see above - the decision is already taken by the fact of the migration.
I understand.
Regards Michael
Hope this helps. If questions or trouble remain, feel free to ask.
Best regards
Alexander
Alexander Dalloz wrote:
First you will have to configure Postfix through main.cf:
...
Next you have to make the link between Postfix and Cyrus-SASL in /usr/lib{64}/sasl2/smtpd.conf:
...
You are done.
Yes I am! :-) In fact, I DID all the above (with more or less variants), but I was wondering why the testsaslauthd command wouldn't allow me to test authentication. Now I don't care anymore - what I need it for is "Postfix with SASL AUTH against SMTP clients", and for THAT I only need a properly filled and protected (Postfix will have to be able to read the file) /etc/sasldb2 file. I was also wondering because on the machine that I'm migrating away from, the testsaslauthd command worked. Same config and both using the same CentOS release. OK - never mind, the authentication works, a nice thing to start a Thursday with.
Thanks @Alexander, Kai and Nataraj and all others who cared! Kind regards Michael
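Alexander's sasldb2 recipe and Michael's remark that the copied /etc/sasldb2 must be both protected and readable by Postfix, as an added shell example that is not part of the thread and not code from either poster. It assumes a "postfix" group (the CentOS default), takes the realm "mail" and the user "testomat" from the thread, and uses a made-up password "secret". The AUTH PLAIN/LOGIN token helpers are there because testsaslauthd cannot exercise an auxprop setup; a real SMTP AUTH against port 25 is the only test that reaches sasldb.

```shell
#!/bin/sh
# Added example (not from the thread): helpers for migrating /etc/sasldb2 to a
# Postfix host that checks it through Cyrus SASL's auxprop plugin.
# Assumed: group "postfix", realm "mail", user "testomat", password "secret".

# main.cf settings from the recipe; the realm must equal the "-u" value that
# saslpasswd2 was run with. permit_sasl_authenticated still has to be placed
# by hand in smtpd_*_restrictions, ahead of the reject rules.
postfix_main_cf() {
    printf '%s\n' \
        'smtpd_sasl_auth_enable = yes' \
        "smtpd_sasl_local_domain = $1" \
        'broken_sasl_auth_clients = yes' \
        'smtpd_sasl_security_options = noanonymous'
}

# smtpd.conf that makes Cyrus SASL inside smtpd consult /etc/sasldb2 directly.
sasldb_smtpd_conf() {
    printf '%s\n' \
        'pwcheck_method: auxprop' \
        'auxprop_plugin: sasldb' \
        'mech_list: plain login cram-md5 digest-md5'
}

# sasldb entries are keyed user@realm: a bare user name from the client gets
# smtpd_sasl_local_domain appended before the lookup.
sasldb_identity() { printf '%s@%s' "$1" "$2"; }

# True when the file is not world-readable (owner/group are handled by chown).
sasldb_mode_ok() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        ???????r??) return 1 ;;
        *)          return 0 ;;
    esac
}

# Copy the old BDB file into place and lock it down: the file holds secrets
# that are as good as the plaintext passwords, so root:postfix 0640 lets smtpd
# read it through its group without exposing it to every local account.
migrate_sasldb() {
    cp "$1" "$2"
    chown root:postfix "$2" 2>/dev/null || true   # needs root; no-op in a dry run
    chmod 0640 "$2"
    sasldb_mode_ok "$2"
}

# Client side of "AUTH PLAIN": base64("\0" authcid "\0" password), authzid empty.
# The NULs are piped straight into base64; no shell variable ever holds them.
auth_plain_token() {
    printf '\0%s\0%s' "$1" "$2" | base64 | tr -d '\n'
}

# "AUTH LOGIN" sends user name and password as two separate base64 lines.
auth_login_token() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Stand-alone run: dry-run migration in a temp dir, then print what a client
# would send on the wire so the result can be tested with telnet/openssl.
demo() {
    t=$(mktemp -d)
    printf 'placeholder for the old BDB file\n' >"$t/sasldb2.old"
    migrate_sasldb "$t/sasldb2.old" "$t/sasldb2" && echo "copied, mode $(ls -l "$t/sasldb2" | cut -c1-10)"
    echo "--- main.cf";  postfix_main_cf mail
    echo "--- smtpd.conf"; sasldb_smtpd_conf
    echo "--- sasldb key: $(sasldb_identity testomat mail)"
    echo "--- AUTH PLAIN $(auth_plain_token testomat secret)"
    echo "--- AUTH LOGIN: $(auth_login_token testomat) then $(auth_login_token secret)"
    rm -rf "$t"
}
demo
```

Use the printed AUTH PLAIN line verbatim in a session against the new host (after EHLO, or after STARTTLS if plaintext mechanisms are only offered over TLS); a "235" reply proves sasldb is being consulted, which is the test testsaslauthd cannot provide here.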
Hello Michael,
glad that you managed to migrate to the new server.
If testsaslauthd gives an OK, this just means that saslauthd is running and could verify the given credentials against the backend. If that backend (-a) is shadow, then auth is checked against system users within the shadow file. If the backend is pam, then a more complex setup is possible. Besides checking too against system users in shadow, PAM could be configured to test against an SQL database or an LDAP server.
If testsaslauthd is successful, it does not mean that Postfix client auth must be successful too. That's because Postfix can be configured to use a different authentication scheme: as you did, to use cyrus-sasl's auxprop, or even to use dovecot's sasl.
You can easily imagine a situation where the admin fills a sasldb with users and their passwords and where all these users can be found as system accounts within the shadow file as well. It may be intentional on the admin's part or just a lack of understanding. Postfix using cyrus-sasl may be configured to auth against the sasldb data, while saslauthd would work as well. (Here with the difference that usernames in sasldb are of the format user@domain.tld, whereas with saslauthd -a shadow the usernames are just <user>.)
You may cross-check what the smtpd.conf file contained on your old host. It could be that saslauthd was the primary mechanism, but the option "auto_transition" was set as well. You find that explained in /usr/share/doc/cyrus-sasl*/options.html. With that running, it will fill the sasldb by itself. So you may have had the impression that sasldb was your primary authentication pool.
One final note: for cyrus-sasl, using auxprop with the plugin sasldb is the default and fallback. If nothing is configured or the configured setup fails, then cyrus-sasl tests with auxprop and sasldb.
Best regards
Alexander
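The distinction Alexander draws in his two replies (saslauthd and sasldb are alternative password checkers selected by pwcheck_method; testsaslauthd only reaches saslauthd's -a backend; shared-secret mechanisms cannot go through saslauthd; auto_transition silently fills sasldb), as an added shell example that is not part of the thread. It reads an smtpd.conf and reports which store will verify passwords and which settings conflict with it. Both sample files are constructed in a temp dir; the first mirrors the options from the saslfinger output, the second is a hypothetical saslauthd setup.

```shell
#!/bin/sh
# Added example (not from the thread): inspect a Cyrus SASL smtpd.conf and say
# which credential store smtpd will use, how to test it, and what is at odds
# with it. Sample configs are constructed below, not read from /usr/lib64/sasl2.

# Value of one "key: value" option in a Cyrus SASL config file ("" if absent).
sasl_opt() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# Which backend verifies the password, and what can exercise it.
sasl_store() {
    method=$(sasl_opt "$1" pwcheck_method)
    case "$method" in
        saslauthd)
            echo "saslauthd daemon (test with testsaslauthd; it checks the -a backend, not sasldb)" ;;
        auxprop)
            plugin=$(sasl_opt "$1" auxprop_plugin)   # sasldb is the default plugin
            echo "auxprop plugin ${plugin:-sasldb} (test with a real SMTP AUTH; testsaslauthd never consults it)" ;;
        *)
            echo "unknown pwcheck_method '$method'" ;;
    esac
}

# One WARN/NOTE line per setting that conflicts with the chosen store.
sasl_warnings() {
    method=$(sasl_opt "$1" pwcheck_method)
    mechs=$(sasl_opt "$1" mech_list | tr 'A-Z' 'a-z')
    trans=$(sasl_opt "$1" auto_transition | tr 'A-Z' 'a-z')
    if [ "$method" = saslauthd ]; then
        case " $mechs " in
            *cram-md5*|*digest-md5*)
                echo "WARN: CRAM-MD5/DIGEST-MD5 need the shared secret; saslauthd only gets yes/no from its backend" ;;
        esac
        case "$trans" in
            true|yes|on|1)
                echo "WARN: auto_transition copies the password of every successful saslauthd login into sasldb" ;;
        esac
    fi
    if [ "$method" = auxprop ] && [ -n "$(sasl_opt "$1" saslauthd_version)" ]; then
        echo "NOTE: saslauthd_version is set but saslauthd is not used with pwcheck_method auxprop"
    fi
    return 0
}

# Constructed samples: the thread's smtpd.conf, and a hypothetical saslauthd one.
write_samples() {
    dir=$(mktemp -d)
    cat >"$dir/auxprop.conf" <<'EOF'
auto_transition: true
pwcheck_method: auxprop
saslauthd_version: 2
auxprop_plugin: sasldb
allowanonymouslogin: 0
allowplaintext: 1
mech_list: PLAIN LOGIN
log_level: 3
EOF
    cat >"$dir/saslauthd.conf" <<'EOF'
pwcheck_method: saslauthd
saslauthd_version: 2
auto_transition: true
mech_list: PLAIN LOGIN CRAM-MD5
EOF
    echo "$dir"
}

report() {
    echo "== $1"
    sasl_store "$1"
    sasl_warnings "$1"
}

# Stand-alone run over both samples.
d=$(write_samples)
report "$d/auxprop.conf"
report "$d/saslauthd.conf"
```

Run it against the real /usr/lib64/sasl2/smtpd.conf with `report /usr/lib64/sasl2/smtpd.conf`; for Michael's file it answers "auxprop plugin sasldb", which is why testsaslauthd with -a shadow could never see the user in /etc/sasldb2.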
Michael Kress wrote on Wed, 26 Aug 2009 07:50:33 +0200:
I don't know what's going on - it seems that testsaslauthd doesn't lookup the user 'testomat' in /etc/sasldb2
Should it really do that with auth-mech=shadow?
Kai