Hi all !
I would like to set up authentication between two Postfix servers hosted on
Debian Lenny, and so far it doesn't work.
Here is a log sample :
warning: SASL authentication failure: No worthy mechs found
SASL authentication failed; cannot authenticate to server
10.0.0.6[10.0.0.6]: no mechanism available
At this time, authentication works between an MUA and each Postfix server, but
not between the two servers when they act as a relay.
MUA -> MTA1 ok
MUA -> MTA2 ok
MUA -> MTA1 -> MTA2 nok
This last line works fine when SASL is not involved.
From what I've seen on the internet, most of the time people are missing
libplain. That is not the case here.
Both MTA have the same configuration.
At the end of this email, you can find the output of postconf -n and saslfinger -c.
The error is clearly visible in the saslfinger output, because it lists no mechanisms for either host:
-- mechanisms on 10.0.0.6 --
-- mechanisms on 10.0.0.5 --
I don't know how to correct this. I guess there is something wrong with
my smtpd.conf.
Would you please take a look at it ?
Authentication uses the PLAIN mechanism through saslauthd, which checks
passwords against the shadow file.
The file /etc/postfix/sasl_passwd looks like this (on mta1):
10.0.0.6 username:passwd
username (obviously not the real name) is a real Unix user on the
machine.
Thanks,
Greg.
*** postconf -n ***
mta1:/etc/postfix# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = no
config_directory = /etc/postfix
home_mailbox = Maildir/
inet_interfaces = all
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
message_size_limit = 0
mydestination = mta1.local, localhost.local, , localhost
myhostname = mta1.local
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost = 10.0.0.6
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = plain
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_loglevel = 2
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_recipient_restrictions = permit_sasl_authenticated,
reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = cyrus
smtpd_tls_CAfile = /etc/CA/ca.crt
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/certificate/postfix_mta1.crt
smtpd_tls_key_file = /etc/postfix/certificate/postfix_mta1.key
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_security_level = encrypt
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
*** saslfinger -c ***
mta1:/etc/postfix# saslfinger -c
saslfinger - postfix Cyrus sasl configuration lundi 19 avril 2010,
18:13:08 (UTC+0200)
version: 1.0.4
mode: client-side SMTP AUTH
-- basics --
Postfix: 2.5.5
System: Debian GNU/Linux 5.0 \n \l
-- smtp is linked to --
libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7d2c000)
-- active SMTP AUTH and TLS parameters for smtp --
relayhost = 10.0.0.6
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = plain
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_loglevel = 2
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
-- listing of /usr/lib/sasl2 --
total 680
drwxr-xr-x 2 root root 4096 avr 14 15:43 .
drwxr-xr-x 50 root root 12288 avr 14 15:46 ..
-rw-r--r-- 1 root root 13476 mai 24 2009 libanonymous.a
-rw-r--r-- 1 root root 855 mai 24 2009 libanonymous.la
-rw-r--r-- 1 root root 13016 mai 24 2009 libanonymous.so
-rw-r--r-- 1 root root 13016 mai 24 2009 libanonymous.so.2
-rw-r--r-- 1 root root 13016 mai 24 2009 libanonymous.so.2.0.22
-rw-r--r-- 1 root root 15814 mai 24 2009 libcrammd5.a
-rw-r--r-- 1 root root 841 mai 24 2009 libcrammd5.la
-rw-r--r-- 1 root root 15352 mai 24 2009 libcrammd5.so
-rw-r--r-- 1 root root 15352 mai 24 2009 libcrammd5.so.2
-rw-r--r-- 1 root root 15352 mai 24 2009 libcrammd5.so.2.0.22
-rw-r--r-- 1 root root 46420 mai 24 2009 libdigestmd5.a
-rw-r--r-- 1 root root 864 mai 24 2009 libdigestmd5.la
-rw-r--r-- 1 root root 43500 mai 24 2009 libdigestmd5.so
-rw-r--r-- 1 root root 43500 mai 24 2009 libdigestmd5.so.2
-rw-r--r-- 1 root root 43500 mai 24 2009 libdigestmd5.so.2.0.22
-rw-r--r-- 1 root root 13650 mai 24 2009 liblogin.a
-rw-r--r-- 1 root root 835 mai 24 2009 liblogin.la
-rw-r--r-- 1 root root 13460 mai 24 2009 liblogin.so
-rw-r--r-- 1 root root 13460 mai 24 2009 liblogin.so.2
-rw-r--r-- 1 root root 13460 mai 24 2009 liblogin.so.2.0.22
-rw-r--r-- 1 root root 29076 mai 24 2009 libntlm.a
-rw-r--r-- 1 root root 829 mai 24 2009 libntlm.la
-rw-r--r-- 1 root root 28532 mai 24 2009 libntlm.so
-rw-r--r-- 1 root root 28532 mai 24 2009 libntlm.so.2
-rw-r--r-- 1 root root 28532 mai 24 2009 libntlm.so.2.0.22
-rw-r--r-- 1 root root 13970 mai 24 2009 libplain.a
-rw-r--r-- 1 root root 835 mai 24 2009 libplain.la
-rw-r--r-- 1 root root 14036 mai 24 2009 libplain.so
-rw-r--r-- 1 root root 14036 mai 24 2009 libplain.so.2
-rw-r--r-- 1 root root 14036 mai 24 2009 libplain.so.2.0.22
-rw-r--r-- 1 root root 21710 mai 24 2009 libsasldb.a
-rw-r--r-- 1 root root 866 mai 24 2009 libsasldb.la
-rw-r--r-- 1 root root 18080 mai 24 2009 libsasldb.so
-rw-r--r-- 1 root root 18080 mai 24 2009 libsasldb.so.2
-rw-r--r-- 1 root root 18080 mai 24 2009 libsasldb.so.2.0.22
-- listing of /etc/postfix/sasl --
total 12
drwxr-xr-x 2 root root 4096 avr 19 15:54 .
drwxr-xr-x 4 root root 4096 avr 19 17:47 ..
-rw-r--r-- 1 root root 27 avr 19 15:31 smtpd.conf
-- permissions for /etc/postfix/sasl_passwd --
-rw-r--r-- 1 root root 43 avr 19 17:43 /etc/postfix/sasl_passwd
-- permissions for /etc/postfix/sasl_passwd.db --
-rw-r--r-- 1 root root 12288 avr 19 17:43 /etc/postfix/sasl_passwd.db
/etc/postfix/sasl_passwd.db is up to date.
-- active services in /etc/postfix/master.cf --
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
smtp inet n - - - - smtpd
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
relay unix - - - - - smtp
-o smtp_fallback_relay=
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail
($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender
$recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}
-- mechanisms on 10.0.0.6 --
-- mechanisms on 10.0.0.5 --
-- end of saslfinger output --