* Patrick Ben Koetter <p...@state-of-mind.de>:
> * suomi <post...@ayni.com>:
> > Hi listers,
> >
> > I just can't make postfix change from sasl2 auxprop to sasl2 saslauthd
> > (with LDAP). postfix never reads /usr/lib/sasl/smtpd.conf.
>
> Postfix on Fedora will not look for smtpd.conf in /usr/lib/sasl/.
> It will either search in /usr/lib/sasl2/ or in /etc/sasl2/. The latter is the
> right way[tm] to do it.

On second thought: Your test log shows that your mail client attempts to use
CRAM-MD5 as authentication mechanism. CRAM-MD5 is a shared secret mechanism and
saslauthd cannot handle this group of mechanisms.

Solution:

a. Reduce your mech_list in smtpd.conf to "plain login" only. Then you should
   require TLS before clients may use these plaintext mechanisms, because
   passwords will be transmitted in plaintext.

b. Use a different password check method to access your LDAP server, i.e. the
   Cyrus SASL ldapdb plugin. This allows for shared secret mechanisms, but
   requires you to store passwords in plaintext (required by shared secret
   mechanisms) in your LDAP database backend.

p...@rick

> p...@rick
>
> > postfix-2.5.6-3.fc11.i586
> >
> > [r...@myhost ~]# postconf -n
> > alias_database = hash:/etc/postfix/aliases
> > alias_maps = hash:/etc/postfix/aliases
> > anvil_rate_time_unit = 60s
> > command_directory = /usr/sbin
> > config_directory = /etc/postfix
> > content_filter =
> > daemon_directory = /usr/libexec/postfix
> > data_directory = /data/postfix/cache
> > debug_peer_level = 2
> > defer_transports =
> > disable_dns_lookups = no
> > header_checks = pcre:/etc/postfix/discardthem,
> >     pcre:/etc/postfix/header_checks
> > html_directory = no
> > inet_protocols = all
> > local_recipient_maps = proxy:ldap:/etc/postfix/ldap-alias.cf
> > mail_owner = postfix
> > mailbox_command =
> > mailbox_transport =
> > mailq_path = /usr/bin/mailq.postfix
> > manpage_directory = /usr/share/man
> > masquerade_classes = envelope_sender, header_sender, header_recipient
> > masquerade_domains =
> > masquerade_exceptions = root
> > mime_header_checks = pcre:/etc/postfix/mime_header_checks
> > mydestination = localhost.$mydomain
> > mydomain = $myhostname
> > myhostname = myhost.mydomain.com
> > mynetworks = 192.168.97.0/24, 1xx.1xx.243.160/27
> > myorigin = $mydomain
> > newaliases_path = /usr/bin/newaliases.postfix
> > queue_directory = /data/postfix/queues
> > readme_directory = /usr/share/doc/postfix-2.5.6/README_FILES
> > relay_domains = permit_sasl_authenticated, permit_mynetworks
> > relayhost =
> > sample_directory = /usr/share/doc/postfix-2.5.6/samples
> > sendmail_path = /usr/sbin/sendmail.postfix
> > setgid_group = postdrop
> > smtpd_client_connection_count_limit = 5
> > smtpd_client_connection_rate_limit = 22
> > smtpd_client_event_limit_exceptions = $mynetworks
> > smtpd_client_recipient_rate_limit = 100
> > smtpd_client_restrictions = permit_sasl_authenticated,
> >     hash:/etc/postfix/whitelist, hash:/etc/postfix/access
> > smtpd_delay_reject = yes
> > smtpd_helo_required = yes
> > smtpd_helo_restrictions = permit_mynetworks, check_helo_access
> >     hash:/etc/postfix/helo_checks, reject_invalid_hostname
> > smtpd_recipient_restrictions = permit_mynetworks,
> >     permit_sasl_authenticated, reject_unauth_destination,
> >     check_recipient_access hash:/etc/postfix/check_recipients,
> >     check_recipient_access hash:/etc/postfix/access, reject_rbl_client
> >     mail-abuse.org, reject_rbl_client sbl-xbl.spamhaus.org,
> >     reject_rbl_client blackholes.easynet.nl, reject_rbl_client
> >     cbl.abuseat.org, reject_rhsbl_client mail-abuse.org,
> >     reject_rhsbl_client sbl-xbl.spamhaus.org, reject_rhsbl_client
> >     blackholes.easynet.nl, reject_rhsbl_client cbl.abuseat.org
> >     check_recipient_access ldap:/etc/postfix/ldap-spamfilter.cf,
> >     permit
> > smtpd_sasl_auth_enable = yes
> > smtpd_sasl_local_domain = postfix
> > smtpd_sender_restrictions = permit_mynetworks,
> >     permit_sasl_authenticated, reject_unknown_sender_domain,
> >     hash:/etc/postfix/whitelist, check_sender_access
> >     hash:/etc/postfix/access, reject_rhsbl_sender dsn.rfc-ignorant.org
> > strict_rfc821_envelopes = no
> > transport_maps = hash:/etc/postfix/transport
> > unknown_local_recipient_reject_code = 550
> > virtual_alias_maps = proxy:ldap:/etc/postfix/ldap-alias.cf
> > virtual_gid_maps = static:89
> > virtual_mailbox_base = /data/postfix/maildrop/
> > virtual_mailbox_domains = proxy:ldap:/etc/postfix/ldap-domain.cf
> > virtual_mailbox_maps = proxy:ldap:/etc/postfix/ldap-mailbox.cf
> > virtual_minimum_uid = 51
> > virtual_transport = virtual
> > virtual_uid_maps = static:89
> > [r...@myhost ~]#
> >
> > The actual /usr/lib/sasl2/smtpd.conf reads like:
> > pwcheck_method: saslauthd
> > mech_list: plain login cram-md5 digest-md5
> >
> > There is another similar file in /usr/lib/sasl/smtpd.conf, which reads like:
> > pwcheck_method: saslauthd
> > mech_list: plain login
> > saslauthd_version: 2
> >
> > I also checked to see whether there is another smtpd.conf file in
> > /etc/postfix/sasl (there is a hint to that in
> > http://www.postfix.org/SASL_README.html): there is none.
> >
> > It must have been about seven times that I restarted postfix from the
> > moment when I changed /usr/lib/sasl2/smtpd.conf.
> >
> > But when I send a message from a client to this smtpd host, in
> > /var/log/maillog I get
> >
> > Sep 21 08:58:07 myhost postfix/smtpd[7240]: connect from lunix.mydomain.com[1xx.1xx.243.162]
> > Sep 21 08:58:07 myhost postfix/smtpd[7240]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
> > Sep 21 08:58:07 myhost postfix/smtpd[7240]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
> > Sep 21 08:58:07 myhost postfix/smtpd[7240]: warning: SASL authentication failure: no secret in database
> > Sep 21 08:58:07 myhost postfix/smtpd[7240]: warning: lunix.mydomain.com[1xx.1xx.243.162]: SASL CRAM-MD5 authentication failed: authentication failure
> > Sep 21 08:58:08 myhost postfix/smtpd[7240]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
> > Sep 21 08:58:08 myhost postfix/smtpd[7240]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
> > Sep 21 08:58:08 myhost postfix/smtpd[7240]: 4AA8015004B: client=lunix.mydomain.com[1xx.1xx.243.162], sasl_method=PLAIN, sasl_username=myu...@postfix
> > Sep 21 08:58:08 myhost postfix/cleanup[7243]: 4AA8015004B: message-id=<4ab723ff.70...@mydomain.com>
> >
> > This is because I moved away /etc/sasldb2 in order to prevent postfix from
> > reading it.
> >
> > That means postfix doesn't care a damn to contact the saslauthd. It
> > continues to read /etc/sasldb2. It should have contacted the saslauthd
> > in any case, i.e. if it had read either smtpd.conf.
> >
> > [r...@myhost /usr]# saslauthd -v
> > saslauthd 2.1.22
> > authentication mechanisms: getpwent kerberos4 kerberos5 pam rimap shadow ldap
> >
> > [r...@myhost /usr]#
> >
> > [r...@myhost /usr]# ps xa |grep saslauthd
> >  6935 ?        Ss     0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a ldap
> >  6936 ?        S      0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a ldap
> >  6938 ?        S      0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a ldap
> >  6939 ?        S      0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a ldap
> >  6940 ?        S      0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a ldap
> >  7497 pts/0    R+     0:00 grep saslauthd
> > [r...@myhost /usr]#
> >
> > I did extensive tests to check proper functioning of saslauthd using
> > testsaslauthd
> > [r...@myhost /usr]# testsaslauthd -u myuser -p secret
> > 0: OK "Success."
> > [r...@myhost /usr]#
> >
> > What did I miss?
> >
> > suomi
> >
>
> --
> All technical questions asked privately will be automatically answered on the
> list and archived for public access unless privacy is explicitly required and
> justified.
>
> saslfinger (debugging SMTP AUTH):
> <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
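An added example, not code from the thread or from either poster: a POSIX shell checker for the two points above. It flags a Cyrus SASL smtpd.conf whose mech_list still offers the shared-secret mechanisms named in the thread (CRAM-MD5, DIGEST-MD5) while pwcheck_method is saslauthd, and flags a `postconf -n` dump that enables SASL AUTH without `smtpd_tls_auth_only = yes`. The input files in the demo are constructed copies of the settings quoted above.

```shell
#!/bin/sh
# Added example (not from the thread). saslauthd only verifies plaintext
# credentials, so a mech_list that still offers CRAM-MD5/DIGEST-MD5 fails as
# the quoted log shows; and once only PLAIN/LOGIN are offered, Postfix should
# refuse AUTH until TLS is up. Real inputs: /etc/sasl2/smtpd.conf, postconf -n.

# Mechanisms named in the thread that need the stored secret (auxprop/ldapdb).
SHARED_SECRET_MECHS="cram-md5 digest-md5"

# check_smtpd_conf FILE: fail if pwcheck_method is saslauthd but mech_list
# still offers a shared-secret mechanism.
check_smtpd_conf() {
    method=$(sed -n 's/^[[:space:]]*pwcheck_method:[[:space:]]*//p' "$1" | tail -n 1)
    mechs=$(sed -n 's/^[[:space:]]*mech_list:[[:space:]]*//p' "$1" | tail -n 1 | tr 'A-Z' 'a-z')
    [ "$method" = "saslauthd" ] || return 0      # ldapdb etc. can serve them
    bad=""
    for m in $mechs; do
        case " $SHARED_SECRET_MECHS " in
            *" $m "*) bad="$bad $m" ;;
        esac
    done
    [ -z "$bad" ] && return 0
    echo "$1: saslauthd cannot serve:$bad (use mech_list: plain login)" >&2
    return 1
}

# check_postconf FILE: fail if SASL AUTH is on but not limited to TLS sessions.
check_postconf() {
    auth=$(sed -n 's/^smtpd_sasl_auth_enable = //p' "$1" | tail -n 1)
    tls_only=$(sed -n 's/^smtpd_tls_auth_only = //p' "$1" | tail -n 1)
    [ "$auth" = "yes" ] || return 0
    [ "$tls_only" = "yes" ] && return 0
    echo "$1: plaintext AUTH offered without TLS; set smtpd_tls_auth_only = yes" >&2
    return 1
}

# demo: run both checks on constructed copies of the thread's settings;
# returns the number of failed checks (2 for the quoted configuration).
demo() {
    d=$(mktemp -d)
    printf 'pwcheck_method: saslauthd\nmech_list: plain login cram-md5 digest-md5\n' > "$d/smtpd.conf"
    printf 'smtpd_sasl_auth_enable = yes\nsmtpd_sasl_local_domain = postfix\n' > "$d/postconf.txt"
    n=0
    check_smtpd_conf "$d/smtpd.conf" || n=$((n + 1))
    check_postconf "$d/postconf.txt" || n=$((n + 1))
    rm -rf "$d"
    return $n
}

demo || echo "demo: $? check(s) failed, as expected for the quoted configuration"
```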