OK, first question is: will I be able to set up smtpd.conf so that it will support MULTIPLE authentication methods (sql and PAM)? But first, to get it working.

I am running on a custom port right now to avoid mucking with 587 until everything is working:

2525      inet  n       -       n       -       -       smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o syslog_name=submit-tls

If I authenticate against users in the sasldb file, with a smtpd.conf of:

$ cat /usr/local/lib/sasl2/smtpd.conf
pwcheck_method: auxprop
mech_list: PLAIN LOGIN

everything works fine. I authenticate and maillog shows the authentication. No problem at all.

If I change smtpd.conf to:
pwcheck_method: auxprop
mech_list: PLAIN LOGIN
auxprop_plugin: sql
sql_verbose: yes
sql_engine: mysql
sql_hostnames: localhost
sql_user: *user*
sql_passwd: *passwd*
sql_database: postfix
sql_select: select password from mailbox where username = '%u'
authdaemon_path=/var/run/authdaemond/socket

$ ls -ls /var/run/authdaemond/socket
0 srwxrwxrwx 1 root courier 0 Mar 17 01:49 /var/run/authdaemond/socket

authentication fails:

submit-tls/smtpd[31779]: initializing the server-side TLS engine
submit-tls/smtpd[31779]: connect from c-67-164-162-51.hsd1.co.comcast.net[67.164.162.51]
submit-tls/smtpd[31779]: setting up TLS connection from c-67-164-162-51.hsd1.co.comcast.net[67.164.162.51]
submit-tls/smtpd[31779]: c-67-164-162-51.hsd1.co.comcast.net[67.164.162.51]: TLS cipher list "ALL:+RC4:@STRENGTH"
submit-tls/smtpd[31779]: SSL_accept:before/accept initialization
submit-tls/smtpd[31779]: SSL_accept:SSLv3 read client hello B
submit-tls/smtpd[31779]: SSL_accept:SSLv3 write server hello A
submit-tls/smtpd[31779]: SSL_accept:SSLv3 write certificate A
submit-tls/smtpd[31779]: SSL_accept:SSLv3 write server done A
submit-tls/smtpd[31779]: SSL_accept:SSLv3 flush data
submit-tls/smtpd[31779]: SSL_accept:SSLv3 read client key exchange A
submit-tls/smtpd[31779]: SSL_accept:SSLv3 read finished A
submit-tls/smtpd[31779]: SSL_accept:SSLv3 write change cipher spec A
submit-tls/smtpd[31779]: SSL_accept:SSLv3 write finished A
submit-tls/smtpd[31779]: SSL_accept:SSLv3 flush data
submit-tls/smtpd[31779]: c-67-164-162-51.hsd1.co.comcast.net[67.164.162.51]: save session 7EDABA540FC825A33F40BEC39254E374881EE12B0285025A20F73AF83FB2F4E5&s=2525 to smtpd cache
submit-tls/smtpd[31779]: Anonymous TLS connection established from c-67-164-162-51.hsd1.co.comcast.net[67.164.162.51]: TLSv1 with cipher AES128-SHA (128/128 bits)
submit-tls/smtpd[31779]: warning: SASL authentication failure: Password verification failed
submit-tls/smtpd[31779]: warning: c-67-164-162-51.hsd1.co.comcast.net[67.164.162.51]: SASL PLAIN authentication failed: authentication failure
submit-tls/smtpd[31779]: disconnect from c-67-164-162-51.hsd1.co.comcast.net[67.164.162.51]

This is what my MUA logs:
220 mail.covisp.net ESMTP Postfix 2.5.6
EHLO cerebus.hsd1.co.comcast.net
250-mail.covisp.net
250-PIPELINING
250-SIZE 15728640
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
STARTTLS
220 2.0.0 Ready to start TLS
EHLO cerebus.hsd1.co.comcast.net
250-mail.covisp.net
250-PIPELINING
250-SIZE 15728640
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
***********************************************
535 5.7.8 Error: authentication failed: authentication failure
QUIT

Manually, I cannot get that far:

$ telnet mail 2525
Trying 75.148.117.93...
Connected to akane.
Escape character is '^]'.
220 mail.covisp.net ESMTP Postfix 2.5.6
EHLO cerebus.hsd1.co.comcast.net
250-mail.covisp.net
250-PIPELINING
250-SIZE 15728640
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
STARTTLS
220 2.0.0 Ready to start TLS
EHLO cerebus.hsd1.co.comcast.net
Connection closed by foreign host.


I rebuilt cyrus-sasl2 so I'd be sure of exactly what configuration options were used:

configure: running /bin/sh './configure' --prefix=/usr/local '--sysconfdir=/usr/local/etc' '--with-configdir=/usr/local/lib/sasl2:/usr/local/etc/sasl2' '--with-plugindir=/usr/local/lib/sasl2' '--with-dbpath=/usr/local/etc/sasldb2' '--includedir=/usr/local/include' '--enable-static' '--enable-auth-sasldb' '--with-rc4=openssl' '--with-saslauthd=/var/run/saslauthd' '--with-dblib=berkeley' '--with-bdb-libdir=/usr/local/lib' '--with-bdb-incdir=/usr/local/include/db41' '--with-bdb=db41' '--with-mysql=/usr/local' '--without-pgsql' '--without-sqlite' '--enable-sql' '--with-authdaemond=/var/run/authdaemond/socket' '--enable-login' '--enable-ntlm' '--enable-gssapi' '--disable-krb4' '--with-openssl=/usr/local' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' '--build=i386-portbld-freebsd6.2' 'CC=cc' 'CFLAGS=-O2 -fno-strict-aliasing -pipe -march=athlon-xp' 'LDFLAGS= -rpath=/usr/local/lib' 'build_alias=i386-portbld-freebsd6.2' --cache-file=.././config.cache --srcdir=.

As you can see, --enable-sql and --with-mysql are both present.

$ postconf -n | egrep "(sasl|tls)"
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_invalid_hostname, permit_mynetworks, check_client_access hash:$config_directory/pbs, permit_sasl_authenticated, reject_unauth_destination, reject_unlisted_sender, check_client_access cidr:/var/db/dnswl/postfix-dnswl-permit check_helo_access pcre:$config_directory/helo_checks.pcre, check_sender_access pcre:$config_directory/sender_access.pcre, check_client_access pcre:$config_directory/check_client_fqdn.pcre, check_recipient_access pcre:$config_directory/recipient_checks.pcre, check_client_access hash:$config_directory/access, reject_rbl_client zen.spamhaus.org, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = check_client_access hash:$config_directory/pbs, permit_sasl_authenticated, permit_mynetworks
smtpd_starttls_timeout = 90s
smtpd_tls_cert_file = /etc/postfix/server.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_loglevel = 2
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_sessions
smtpd_tls_session_cache_timeout = 1800s

The server.pem file looks like this:

-----BEGIN RSA PRIVATE KEY-----
MII[ Stuff ]==
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MII[ Stuff ]=

--
Ten Minutes ago you beat a man senseless.
He was senseless before I beat him.
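The telnet session in the post stops at "Connection closed by foreign host" because, once the server has answered "220 2.0.0 Ready to start TLS", it expects a TLS ClientHello and telnet keeps sending cleartext. The script below is an added example, not the poster's code or anything from Postfix or Cyrus SASL: it parses the EHLO replies out of the MUA log quoted above (the transcript string is constructed from those lines), and it reproduces the MUA's exchange with Python's smtplib, which performs the handshake telnet cannot. The host, port and credentials passed to probe_submission are whatever the tester supplies; the function reports the AUTH mechanisms seen before and after STARTTLS and the server's answer to AUTH.

```python
"""Added example (not from the post): parse the EHLO replies in an SMTP
transcript and reproduce the MUA's exchange with smtplib, which completes
the TLS handshake after STARTTLS where a plain telnet session cannot.
"""
import getpass
import smtplib
import ssl
import sys

# Constructed from the MUA log in the post: two EHLO replies, one before
# and one after STARTTLS.
TRANSCRIPT = """\
220 mail.covisp.net ESMTP Postfix 2.5.6
EHLO cerebus.hsd1.co.comcast.net
250-mail.covisp.net
250-PIPELINING
250-SIZE 15728640
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
STARTTLS
220 2.0.0 Ready to start TLS
EHLO cerebus.hsd1.co.comcast.net
250-mail.covisp.net
250-PIPELINING
250-SIZE 15728640
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""


def parse_ehlo_replies(transcript):
    """Return one dict per multi-line 250 reply: whether STARTTLS was offered,
    the AUTH mechanisms advertised, and whether the non-standard 'AUTH='
    line (what Postfix emits for broken_sasl_auth_clients = yes) was present."""
    replies, current = [], None
    for raw in transcript.splitlines():
        line = raw.strip()
        if not (line.startswith("250-") or line.startswith("250 ")):
            continue  # client commands, greeting, other reply codes
        if current is None:
            current = {"starttls": False, "auth": set(), "legacy_auth_line": False}
        keyword = line[4:]
        if keyword == "STARTTLS":
            current["starttls"] = True
        elif keyword.startswith("AUTH="):
            current["legacy_auth_line"] = True
            current["auth"].update(keyword[5:].split())
        elif keyword.startswith("AUTH "):
            current["auth"].update(keyword[5:].split())
        if line.startswith("250 "):  # '250 ' (space) is the last line of the reply
            replies.append(current)
            current = None
    return replies


def _mechs(feature_string):
    # smtplib concatenates every AUTH line, including the 'AUTH=' form,
    # so strip the leading '=' and deduplicate.
    return sorted({m.lstrip("=") for m in feature_string.split()})


def probe_submission(host, port, user, password, timeout=30, context=None):
    """EHLO, STARTTLS, EHLO again, then AUTH, as the MUA did.

    Returns the mechanisms seen before and after TLS and the AUTH outcome
    (accepted, or the server's reply); credentials are never logged."""
    ctx = context or ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        before = smtp.esmtp_features.get("auth", "")
        smtp.starttls(context=ctx)
        smtp.ehlo()  # capabilities must be re-read after the handshake
        after = smtp.esmtp_features.get("auth", "")
        try:
            smtp.login(user, password)
            outcome = "accepted"
        except smtplib.SMTPAuthenticationError as err:
            outcome = "rejected: %s %s" % (err.smtp_code, err.smtp_error.decode(errors="replace"))
    return {"auth_before_tls": _mechs(before), "auth_after_tls": _mechs(after), "login": outcome}


if __name__ == "__main__":
    # usage: python probe.py HOST PORT USER  (password prompted)
    host, port, user = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    print(probe_submission(host, port, user, getpass.getpass()))
```

ssl.create_default_context() verifies the server certificate; for a self-signed server.pem pass a context that trusts that certificate (ctx.load_verify_locations) rather than disabling verification. A 535 reply with "authentication failure" from this script corresponds to the "Password verification failed" warning on the server side, so it gives the same signal as the MUA without the MUA's own retries in the way.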

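For the sql auxprop configuration in the post, the example below (added here; not the poster's code and not the Cyrus SASL plugin itself) emulates the lookup and comparison that auxprop-based PLAIN verification performs, so the two usual ways that comparison fails can be seen offline. It assumes the documented %u/%r semantics, where a login name containing '@' is split into user and realm before the sql_select template is expanded, and that the username column holds full addresses, which is why a second template using '%u@%r' is shown alongside the post's '%u' one. sqlite3 in memory stands in for the MySQL database, and the mailbox rows (alice with a cleartext password, bob with a hashed one) are constructed for the illustration. It shows what makes the comparison fail in general, not which of these applies to the poster's server.

```python
"""Added example (not from the post): emulate what the Cyrus SASL 'sql'
auxprop plugin does with a sql_select template when verifying AUTH PLAIN.

sqlite3 in memory stands in for the MySQL 'postfix' database; the mailbox
table and its rows are constructed here for illustration.
"""
import hashlib
import hmac
import re
import sqlite3

# The post's template, and the '%u@%r' variant for a username column that
# holds full addresses (assumption: the column is keyed that way).
AUTHOR_SELECT = "select password from mailbox where username = '%u'"
FULL_ADDRESS_SELECT = "select password from mailbox where username = '%u@%r'"


def split_authid(authid, default_realm=""):
    """Split a login name into (user, realm) the way the Cyrus SASL plugins
    do: an '@' in the name separates user and realm; otherwise the realm is
    the configured default (Postfix's smtpd_sasl_local_domain, empty in the post)."""
    if "@" in authid:
        user, realm = authid.split("@", 1)
        return user, realm
    return authid, default_realm


def render_select(template, user, realm, prop="userPassword"):
    """Expand %u, %r and %p inside each quoted literal of a sql_select
    template and bind the expanded literal as a query parameter.

    The real plugin substitutes (and escapes) the values into the SQL text;
    parameter binding is this example's equivalent and keeps the login name
    out of the SQL text entirely."""
    values = {"u": user, "r": realm, "p": prop}
    params = []

    def bind(match):
        literal = re.sub(r"%([urp])", lambda p: values[p.group(1)], match.group(1))
        params.append(literal)
        return "?"

    return re.sub(r"'([^']*)'", bind, template), params


def verify_plain(conn, template, authid, password, default_realm=""):
    """True only if the stored value equals the password the client sent.

    This is the comparison auxprop-based PLAIN verification performs, so the
    column must hold the cleartext password: a hash stored there never matches,
    and a template that looks up the wrong key finds no row at all."""
    user, realm = split_authid(authid, default_realm)
    sql, params = render_select(template, user, realm)
    row = conn.execute(sql, params).fetchone()
    if row is None:
        return False  # unknown user, or %u alone did not match a full-address key
    return hmac.compare_digest(str(row[0]).encode(), password.encode())


def build_db():
    """Constructed sample data: one cleartext password, one SHA-256 hex digest."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table mailbox (username text primary key, password text)")
    conn.executemany(
        "insert into mailbox values (?, ?)",
        [
            ("alice@example.com", "correct horse"),
            ("bob@example.com", hashlib.sha256(b"battery staple").hexdigest()),
        ],
    )
    return conn


if __name__ == "__main__":
    db = build_db()
    for tpl in (AUTHOR_SELECT, FULL_ADDRESS_SELECT):
        print(tpl)
        print("  alice, correct password:", verify_plain(db, tpl, "alice@example.com", "correct horse"))
        print("  bob (hashed column), correct password:", verify_plain(db, tpl, "bob@example.com", "battery staple"))
```

With the post's template, alice's lookup runs with "alice" alone and finds no row, because the realm part of the login name went into %r; with the '%u@%r' template the row is found and the cleartext value matches. bob's row is found but never matches, since auxprop compares the stored value to the submitted password rather than hashing it first; a hashed column needs a verifier that understands the hash (saslauthd with PAM, for example) instead of auxprop.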