Hi, I’ve just discovered that my smtpd/ldapd configuration is not 100% working. The submission part seems to not do the whole LDAP process to verify the password.

I have OpenSMTPD 5.4.4 running on OpenBSD 5.7 amd64.

Here’s my smtpd.conf:

    # OpenSMTPD configuration
    #
    table vusers ldap:/etc/mail/ldap.conf
    table vdomains ldap:/etc/mail/ldap.conf

    pki www.tumfatig.net certificate "/etc/ssl/gandi.crt"
    pki www.tumfatig.net key "/etc/ssl/private/gandi.key"

    listen on lo0
    listen on egress tls pki www.tumfatig.net auth-optional
    #listen on egress port submission tls-require pki www.tumfatig.net auth
    listen on egress port submission tls-require pki www.tumfatig.net auth <vusers>

    accept from any for domain <vdomains> virtual <vusers> deliver to lmtp "/var/dovecot/lmtp"
    accept from local for any relay

Here’s the ldap.conf table:

    # Mail domains
    #
    domain_filter (&(objectClass=domain)(dc=%s))
    domain_attributes dc

    # SMTP submission / authentication
    #
    credentials_filter (&(objectClass=posixAccount)(uid=%s))
    credentials_attributes uid,userPassword

    # SMTP delivery / IMAP authentication
    #
    userinfo_filter (&(objectClass=posixAccount)(uid=%s))
    userinfo_attributes uid,uidNumber,gidNumber,homeDirectory

    # SMTP aliases
    #
    alias_filter (&(objectClass=nisMailAlias)(cn=%s))
    alias_attributes rfc822MailMember

Here’s the error part:

    smtp-in: Started TLS on session 1d599982ae8ff186: version=TLSv1/SSLv3, cipher=ECDHE-RSA-CHACHA20-POLY1305, bits=256
    debug: lka: authenticating for vusers:ptijo
    debug: table_ldap: ldap_query: filter=(&(objectClass=posixAccount)(uid=ptijo)), ret=1
    smtp-in: Authentication failed for user ptijo on session 1d599982ae8ff186
    smtp-in: Failed command on session 1d599982ae8ff186: "AUTH [...]" => 535 Authentication failed
    smtp-in: Received disconnect from session 1d599982ae8ff186

Here’s the LDAP debug session log:

    Aug 2 09:42:01.415 [606] consumed 126 bytes
    Aug 2 09:42:01.415 [606] got request type 3, id 13
    Aug 2 09:42:01.415 [606] base dn = dc=tumfatig,dc=net, scope = 2
    Aug 2 09:42:01.415 [606] requesting 01 access to dc=tumfatig,dc=net by cn=service,dc=tumfatig,dc=net, in namespace dc=tumfatig,dc=net
    Aug 2 09:42:01.415 [606] init index scan on [objectclass=posixaccount,]
    Aug 2 09:42:01.415 [606] found index objectclass=posixaccount,uid=ptijo,ou=users,
    Aug 2 09:42:01.415 [606] lookup indexed key [uid=ptijo,ou=users,dc=tumfatig,dc=net]
    Aug 2 09:42:01.415 [606] found dn uid=ptijo,ou=users,dc=tumfatig,dc=net
    Aug 2 09:42:01.415 [606] requesting 01 access to uid=ptijo,ou=users,dc=tumfatig,dc=net by cn=service,dc=tumfatig,dc=net, in namespace dc=tumfatig,dc=net
    Aug 2 09:42:01.416 [606] found index objectclass=top,cn=service,
    Aug 2 09:42:01.416 [606] scanned past index prefix [objectclass=posixaccount,]
    Aug 2 09:42:01.416 [606] 3 scanned, 1 matched, 0 dups
    Aug 2 09:42:01.416 [606] sending response 5 with result 0
    Aug 2 09:42:01.416 [606] finished search on msgid 13
    Aug 2 09:42:02.818 [606] accepted connection from 192.168.0.50 on fd 17
    Aug 2 09:42:02.818 [606] ssl_session_init: switching to SSL
    Aug 2 09:42:02.818 [606] ssl_session_accept: accepting client
    Aug 2 09:42:02.822 [606] ssl_session_accept: accepting client
    Aug 2 09:42:02.824 [606] ssl_session_accept: accepted ssl client
    Aug 2 09:42:02.824 [606] consumed 14 bytes
    Aug 2 09:42:02.824 [606] got request type 0, id 0
    Aug 2 09:42:02.824 [606] bind dn =
    Aug 2 09:42:02.824 [606] anonymous bind
    Aug 2 09:42:02.824 [606] sending response 1 with result 0
    Aug 2 09:42:02.824 [606] consumed 7 bytes
    Aug 2 09:42:02.824 [606] got request type 2, id 1
    Aug 2 09:42:02.824 [606] current bind dn = (null)
    Aug 2 09:42:02.824 [606] end-of-file on connection 17
    Aug 2 09:42:02.824 [606] closing connection 17
    Aug 2 09:42:02.824 [606] accepted connection from 127.0.0.1 on fd 17
    Aug 2 09:42:02.824 [606] consumed 14 bytes
    Aug 2 09:42:02.824 [606] got request type 0, id 0
    Aug 2 09:42:02.824 [606] bind dn =
    Aug 2 09:42:02.824 [606] anonymous bind
    Aug 2 09:42:02.824 [606] sending response 1 with result 0
    Aug 2 09:42:02.824 [606] consumed 7 bytes
    Aug 2 09:42:02.824 [606] got request type 2, id 1
    Aug 2 09:42:02.824 [606] current bind dn = (null)
    Aug 2 09:42:02.824 [606] closing connection 17

Seems to me that the lookup is done but not the password check. I would expect another bind with the found DN and the password provided by the session; or at least a password comparison.

Any idea?

TIA,
Jo
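Editor's note with an added example (this is not code from Jo's post, nor from the OpenSMTPD or ldapd projects). With a `credentials_*` lookup, table-ldap hands smtpd back `uid:userPassword` and smtpd compares the client's password against that stored value with crypt(3) on its own side; it never binds to the directory as the user. So a search followed only by an anonymous bind and unbind is what a successful lookup looks like, and a 535 after `ret=1` usually means the stored `userPassword` is not a crypt(3) hash that smtpd can verify (an `{SSHA}`-style value or a cleartext password is compared as-is and cannot match; `smtpctl encrypt` produces a usable hash). The script below walks an ldapd log excerpt constructed to mirror the one above and classifies a `userPassword` value; the sample log, the hash values and the `diagnose()` helper are assumptions for illustration.

```python
"""Diagnose an OpenSMTPD credentials lookup against ldapd (added example)."""
import re

# ldapd prints LDAP protocolOp tags as "request type N"; these three appear above.
LDAP_OPS = {0: "bind", 2: "unbind", 3: "search"}

# Constructed excerpt modelled on the post's ldapd debug output (not the real log).
SAMPLE_LOG = """\
Aug 2 09:42:01.415 [606] got request type 3, id 13
Aug 2 09:42:01.415 [606] base dn = dc=tumfatig,dc=net, scope = 2
Aug 2 09:42:01.415 [606] found dn uid=ptijo,ou=users,dc=tumfatig,dc=net
Aug 2 09:42:01.416 [606] sending response 5 with result 0
Aug 2 09:42:02.824 [606] got request type 0, id 0
Aug 2 09:42:02.824 [606] bind dn =
Aug 2 09:42:02.824 [606] anonymous bind
Aug 2 09:42:02.824 [606] got request type 2, id 1
"""

REQ_RE = re.compile(r"got request type (\d+), id \d+")
FOUND_DN_RE = re.compile(r"found dn (\S+)")
BIND_DN_RE = re.compile(r"bind dn =\s*(\S*)")

# Salt prefixes of crypt(3) formats smtpd can compare against (bcrypt, md5, sha-2).
CRYPT_PREFIXES = ("$2a$", "$2b$", "$1$", "$5$", "$6$")


def summarize_ldap_log(text):
    """Return (dn matched by the search, ops issued after it, bound-as-that-dn flag)."""
    found_dn = None
    ops_after_search = []
    bound_as_found_dn = False
    seen_search = False
    for line in text.splitlines():
        m = REQ_RE.search(line)
        if m:
            op = LDAP_OPS.get(int(m.group(1)), "other")
            if op == "search":
                seen_search = True
            elif seen_search:
                ops_after_search.append(op)
            continue
        m = FOUND_DN_RE.search(line)
        if m:
            found_dn = m.group(1)
            continue
        m = BIND_DN_RE.search(line)
        # A bind as the matched entry would show up here; smtpd never issues one.
        if m and found_dn and m.group(1) == found_dn:
            bound_as_found_dn = True
    return found_dn, ops_after_search, bound_as_found_dn


def password_hash_kind(value):
    """Classify a userPassword value the way smtpd's crypt(3) comparison sees it."""
    if value.startswith(CRYPT_PREFIXES):
        return "crypt"          # verifiable by smtpd
    if value.startswith("{") and "}" in value:
        return "ldap-scheme"    # e.g. {SSHA}...: compared literally, never matches
    return "other"              # cleartext or unknown: never matches either


def diagnose(log_text, user_password):
    """Combine the log walk and the hash check into a list of findings."""
    found_dn, ops, bound = summarize_ldap_log(log_text)
    kind = password_hash_kind(user_password)
    findings = []
    if found_dn is None:
        findings.append("credentials lookup did not match any entry")
    else:
        findings.append("credentials lookup matched " + found_dn)
    if not bound:
        findings.append("no bind as the matched DN: expected, smtpd verifies the "
                        "returned userPassword with crypt(3) itself")
    if kind != "crypt":
        findings.append("userPassword is '%s', not a crypt(3) hash: smtpd's "
                        "comparison cannot succeed" % kind)
    return {"found_dn": found_dn, "ops_after_search": ops,
            "hash_kind": kind, "findings": findings}


if __name__ == "__main__":
    # Constructed sample value: an LDAP-scheme hash, which smtpd cannot verify.
    for finding in diagnose(SAMPLE_LOG, "{SSHA}constructed-sample-value")["findings"]:
        print("-", finding)
```

Run it as-is to see the three findings for a `{SSHA}` value; feed `diagnose()` the actual `userPassword` attribute of the `ptijo` entry to check the real deployment.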
