* Ann Onemouse <[EMAIL PROTECTED]>:
> Hello, all.
>
> I am having a problem getting postfix to authenticate users with
> Cyrus-SASL's 'auxprop' method and the 'sasldb2' internal user database.
> The system in question is a freshly-installed CentOS 5.2 server with
> Cyrus-SASL version 2.1.22.4 (installed from RPM), and Postfix version 2.3.3,
> release 2.1.el5_2 (also the latest RPM). I have carefully followed the
> following directions, from chapters 15 and 16 of "The Book of
> Postfix"...
>
> Step 1 - Create the Postfix application config file for SASL:
> =============================================
> [EMAIL PROTECTED] ~]# ll /etc/sasl2/smtpd.conf
> -rw-r----- 1 root postfix 103 Nov 19 10:58 /etc/sasl2/smtpd.conf

RedHat installs a smtpd.conf by default in /usr/lib/sasl2/smtpd.conf and has
it call the saslauthd password verification service.

If /usr/lib/sasl2/smtpd.conf is there, it is used instead of
/etc/sasl2/smtpd.conf.


> [EMAIL PROTECTED] ~]# cat /etc/sasl2/smtpd.conf
> log_level: 3
> pwcheck_method: auxprop
> mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
> auxprop_plugin: sasldb
> =============================================
> As you can see, the file is readable by postfix, and directs postfix to 
> use SASL's internal database of users.
>
>
> Step 2 - Create a test user in the database, and make sure postfix can
> read the database file:
> =============================================
> [EMAIL PROTECTED] ~]# postconf -h myhostname
> emailrelay.mydomain.org
>
> [EMAIL PROTECTED] ~]# echo 'testpass' | saslpasswd2 -pc -u `postconf -h myhostname` relay
> [EMAIL PROTECTED] ~]# sasldblistusers2
> [EMAIL PROTECTED]: userPassword
>
> [EMAIL PROTECTED] ~]# chmod 0640 /etc/sasldb2 ; chgrp postfix /etc/sasldb2
>
> [EMAIL PROTECTED] ~]# ls -l /etc/sasldb2
> -rw-r----- 1 root postfix 12288 Nov 19 13:04 /etc/sasldb2
>
> [EMAIL PROTECTED] ~]# sudo -u postfix sasldblistusers2
> [EMAIL PROTECTED]: userPassword
> =============================================
> Here you can see that the domain is the fully-qualified hostname. The  
> user name is "relay", and the (temporary) password is "testpass". The  
> database file can be read by postfix. The last command actually runs as 
> the postfix user, and lists the users in the file.
>
>
> Step 3 - Test the authentication through SASL tools only. In one  
> terminal, I run the following:
> =============================================
> [EMAIL PROTECTED] etc]# sasl2-sample-server -s rcmd -p 8000
> trying 10, 1, 6
> trying 2, 1, 6
> bind: Address already in use
> =============================================
> I don't know why the "Address already in use" appears. In fact, the  
> server binds to port 8000 just fine, as verified by the following test, 
> using the SASL sample client:

Ignore that warning. It always seems to pop up, but things work ...


> =============================================
> [EMAIL PROTECTED] ~]# sasl2-sample-client -s rcmd -p 8000 -m PLAIN localhost
> receiving capability list... recv: {31}
> LOGIN CRAM-MD5 DIGEST-MD5 PLAIN
> LOGIN CRAM-MD5 DIGEST-MD5 PLAIN
> please enter an authentication id: relay
> please enter an authorization id: relay

Must be [EMAIL PROTECTED] and not "relay". I wonder why it works!  
You don't happen to have user "relay" in passwd, too?


> Password:      [ here I type "testpass" ]
> send: {5}
> PLAIN
> send: {1}
> Y
> send: {20}
> relay[0]relay[0]testpass
> successful authentication
> closing connection
> =============================================
> This test is clearly succeeding. On the server terminal, I also see the 
> supplied password echoed back:
> =============================================
> accepted new connection
> send: {31}
> LOGIN CRAM-MD5 DIGEST-MD5 PLAIN
> recv: {5}
> PLAIN
> recv: {1}
> Y
> recv: {20}
> relay[0]relay[0]testpass
> successful authentication 'relay'
> closing connection
> =============================================
> So, it seems that I have created my credentials correctly, and SASL is  
> happy. On to Postfix configuration...
>
>
> Step 4 - Configure Postfix to allow relaying based on SASL  
> authentication. After editing the main.cf file, I run the following  
> commands to verify the correct settings:
> =============================================
> [EMAIL PROTECTED] ~]# postconf -h smtpd_sasl_auth_enable smtpd_sasl_local_domain
> yes
> emailrelay.mydomain.org
>
> [EMAIL PROTECTED] ~]# postconf -h smtpd_recipient_restrictions
> permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
>
> [EMAIL PROTECTED] ~]# postconf -h smtpd_sasl_security_options
> noanonymous
> =============================================
> According to Chapter 16 of "The Book of Postfix", this looks correct.

yep.

> Step 5 - Test server-side authentication using telnet. After setting the 
> smtp server to verbose output in master.cf and restarting postfix, I 
> first generate the Base64-encoded authentication string required by the 
> protocol:
> =============================================
> [EMAIL PROTECTED] ~]# perl -MMIME::Base64 -e 'print encode_base64("relay\0relay\0testpass");'
> cmVsYXkAcmVsYXkAdGVzdHBhc3M=
> =============================================
> Why must the username be supplied twice? I have no idea, but I guess  
> it's part of the ESMTP specification.   :-\

Nope, not ESMTP specification. You are actually sending an authentication ID
and an authorization ID. That's part of SASL stuff that isn't used in this
context. Just send it twice and ignore it.


> Anyway, next, I open a telnet session from the same system, and try  
> authenticating. Here's the output of the session...
> =============================================
> [EMAIL PROTECTED] ~]# telnet localhost 25
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> 220 emailrelay.mydomain.org ESMTP Postfix
> EHLO client.mydomain.org
> 250-emailrelay.mydomain.org
> 250-PIPELINING
> 250-SIZE 10240000
> 250-VRFY
> 250-ETRN
> 250-AUTH LOGIN CRAM-MD5 DIGEST-MD5 PLAIN
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> AUTH PLAIN cmVsYXkAcmVsYXkAdGVzdHBhc3M=

$ ./gen-auth decode cmVsYXkAcmVsYXkAdGVzdHBhc3M=
relayrelaytestpass

> 535 5.7.0 Error: authentication failed: generic failure
> =============================================

What you send is correct.


>
> Here's where a "generic failure" has occurred. Server output for the  
> above session follows:
> =============================================
> Nov 19 13:45:32 emailrelay postfix/smtpd[4234]: connection established
> Nov 19 13:45:32 emailrelay postfix/smtpd[4234]: master_notify: status 0
> Nov 19 13:45:32 emailrelay postfix/smtpd[4234]: name_mask: resource
> Nov 19 13:45:32 emailrelay postfix/smtpd[4234]: name_mask: software
> Nov 19 13:45:32 emailrelay postfix/smtpd[4234]: xsasl_cyrus_server_create: SASL service=smtp, realm=emailrelay.mydomain.org
> Nov 19 13:45:32 emailrelay postfix/smtpd[4234]: name_mask: noanonymous
> Nov 19 13:45:32 emailrelay postfix/smtpd[4234]: connect from localhost[127.0.0.1]
> Nov 19 13:45:32 emailrelay postfix/smtpd[4234]: match_list_match: localhost: no match
> Nov 19 13:45:32 emailrelay postfix/smtpd[4234]: match_list_match: 127.0.0.1: no match
> Nov 19 13:45:32 emailrelay postfix/smtpd[4234]: match_list_match: localhost: no match
> Nov 19 13:45:32 emailrelay postfix/smtpd[4234]: match_list_match: 127.0.0.1: no match
> Nov 19 13:45:32 emailrelay postfix/smtpd[4234]: match_hostname: localhost ~? 127.0.0.0/8
> Nov 19 13:45:32 emailrelay postfix/smtpd[4234]: match_hostaddr: 127.0.0.1 ~? 127.0.0.0/8
> Nov 19 13:45:32 emailrelay postfix/smtpd[4234]: > localhost[127.0.0.1]: 220 emailrelay.mydomain.org ESMTP Postfix
> Nov 19 13:46:32 emailrelay postfix/smtpd[4234]: < localhost[127.0.0.1]: EHLO client.mydomain.org
> Nov 19 13:46:32 emailrelay postfix/smtpd[4234]: > localhost[127.0.0.1]: 250-emailrelay.mydomain.org
> Nov 19 13:46:32 emailrelay postfix/smtpd[4234]: > localhost[127.0.0.1]: 250-PIPELINING
> Nov 19 13:46:32 emailrelay postfix/smtpd[4234]: > localhost[127.0.0.1]: 250-SIZE 10240000
> Nov 19 13:46:32 emailrelay postfix/smtpd[4234]: > localhost[127.0.0.1]: 250-VRFY
> Nov 19 13:46:32 emailrelay postfix/smtpd[4234]: > localhost[127.0.0.1]: 250-ETRN
> Nov 19 13:46:32 emailrelay postfix/smtpd[4234]: match_list_match: localhost: no match
> Nov 19 13:46:32 emailrelay postfix/smtpd[4234]: match_list_match: 127.0.0.1: no match
> Nov 19 13:46:32 emailrelay postfix/smtpd[4234]: > localhost[127.0.0.1]: 250-AUTH LOGIN CRAM-MD5 DIGEST-MD5 PLAIN
> Nov 19 13:46:32 emailrelay postfix/smtpd[4234]: > localhost[127.0.0.1]: 250-ENHANCEDSTATUSCODES
> Nov 19 13:46:32 emailrelay postfix/smtpd[4234]: > localhost[127.0.0.1]: 250-8BITMIME
> Nov 19 13:46:32 emailrelay postfix/smtpd[4234]: > localhost[127.0.0.1]: 250 DSN
> Nov 19 13:47:36 emailrelay postfix/smtpd[4234]: < localhost[127.0.0.1]: AUTH PLAIN cmVsYXkAcmVsYXkAdGVzdHBhc3M=
> Nov 19 13:47:36 emailrelay postfix/smtpd[4234]: xsasl_cyrus_server_first: sasl_method PLAIN, init_response cmVsYXkAcmVsYXkAdGVzdHBhc3M=
> Nov 19 13:47:36 emailrelay postfix/smtpd[4234]: xsasl_cyrus_server_first: decoded initial response relay
> Nov 19 13:47:36 emailrelay postfix/smtpd[4234]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory

Here you go. SASL looks for saslauthd server. I believe you have
/usr/lib/sasl2/smtpd.conf and should remove it in favor of the settings you
have in /etc/sasl2/smtpd.conf.


> A couple of things strike me as odd with this output. First, why does it 
> say "cannot connect to saslauthd server"? As shown above, my smtpd.conf 
> clearly specifies "pwcheck_method: auxprop", NOT "pwcheck_method: 

$ cat /usr/lib/sasl2/smtpd.conf

[EMAIL PROTECTED]

P.S.
Good error report! Wish all were this way...

-- 
All technical answers asked privately will be automatically answered on
the list and archived for public access unless privacy is explicitly
required and justified.

saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
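The PLAIN initial response discussed in this thread (authorization ID, NUL, authentication ID, NUL, password) and the smtpd.conf lookup order the reply describes, as an added Python example that is not from the thread, from Postfix or from Cyrus SASL. The realm-qualified user name and the two file paths are taken from the messages above; the helper names are assumptions.

```python
import base64
import os

# Lookup order stated in the reply above for the RedHat/CentOS build of
# Cyrus SASL: the copy under /usr/lib/sasl2 wins over the one under /etc/sasl2.
SMTPD_CONF_SEARCH_ORDER = ("/usr/lib/sasl2/smtpd.conf", "/etc/sasl2/smtpd.conf")


def encode_plain(authcid, password, authzid=""):
    """Build the base64 initial response for AUTH PLAIN (RFC 4616):
    authzid NUL authcid NUL password. authzid is normally left empty;
    the poster sent the user name twice, which the server also accepts."""
    for field in (authzid, authcid, password):
        if "\0" in field:
            raise ValueError("NUL is not allowed inside a PLAIN field")
    raw = "\0".join((authzid, authcid, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_plain(initial_response):
    """Inverse of encode_plain: returns (authzid, authcid, password).
    Unlike the gen-auth output shown in the thread, where the NULs are
    invisible, this splits on them; a malformed message raises ValueError."""
    raw = base64.b64decode(initial_response, validate=True)
    parts = raw.split(b"\0")
    if len(parts) != 3:
        raise ValueError("PLAIN message must contain exactly two NUL separators")
    return tuple(p.decode("utf-8") for p in parts)


def effective_smtpd_conf(exists=os.path.exists):
    """Return the smtpd.conf Cyrus SASL will read, or None if neither is
    present. `exists` is injectable so the logic can be checked offline."""
    for path in SMTPD_CONF_SEARCH_ORDER:
        if exists(path):
            return path
    return None


if __name__ == "__main__":
    # The exact string from the thread, decoded with the separators shown.
    print(decode_plain("cmVsYXkAcmVsYXkAdGVzdHBhc3M="))
    # What the reply says should be sent: realm-qualified user, empty authzid.
    print(encode_plain("relay@emailrelay.mydomain.org", "testpass"))
    print(effective_smtpd_conf())
```

Run `effective_smtpd_conf()` on the affected host to see which file Cyrus SASL actually picks up before editing either of them.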
