Thanks Viktor for the response,
> To be clear, it sounds like you want to use LDAP bind as a "password oracle",
> that is the PLAIN (or LOGIN) SASL credentials of submission users are verified
> by making an LDAP connection with the provided credentials. Is that right?
Correct, I am trying to do the same: authenticate users who are trying to
send email via the Postfix relay server against our organization's LDAP server.
After your recommendation this is what I have done:
1. Commented out the smtp service for inbound:
#smtp inet n - n - 200 smtpd -vv
2. Configured the submission service as suggested, with a few limitations (I am
running mail_version 2.10.1, and a few of the suggested parameters aren't
available).
master.cf:
submission inet n - n - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
(mua_client / helo / sender _restrictions are also not available under the
version I am using)
Under main.cf, this parameter isn't available: smtpd_sasl_mechanism_filter
**********************************************************************
Now when I do a telnet on port 25:
# telnet x.x.x.x 25
Trying x.x.x.x ...
telnet: connect to address x.x.x.x: Connection refused (rightly)
On port 587 (responds):
# telnet x.x.x.x 587
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
220 <hostname> ESMTP Postfix
ehlo localhost
250-<hostname>
250-PIPELINING
250-SIZE 36700160
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
STARTTLS
220 2.0.0 Ready to start TLS
************************************
Connect to the server on port 587 via openssl s_client:
openssl s_client -debug -starttls smtp -crlf -connect x.x.x.x:587
250 DSN
ehlo localhost
write to 0xa04550 [0xa1fc13] (45 bytes => 45 (0x2D))
read from 0xa04550 [0xa1b6c8] (190 bytes => 190 (0xBE))
250-<hostname>
250-PIPELINING
250-SIZE 36700160
250-AUTH DIGEST-MD5 CRAM-MD5 NTLM LOGIN PLAIN (available AUTH mechanisms
advertised)
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH LOGIN
write to 0xa04550 [0xa1fc13] (41 bytes => 41 (0x29))
read from 0xa04550 [0xa1b6c3] (5 bytes => 5 (0x5))
334 VXNlcm5hbWU6 (prompts for username)
435 4.7.8 Error: authentication failed: authentication failure
(Authentication, however, fails.)
The auth.log under /var/log records this:
postfix/submission/smtpd[94812]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
postfix/submission/smtpd[94812]: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
postfix/submission/smtpd[95522]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
postfix/submission/smtpd[95522]: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
postfix/submission/smtpd[96590]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
postfix/submission/smtpd[96590]: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
*************************************
This is my /etc/saslauthd.conf file:
ldap_servers: ldaps://x.x.x:636
ldap_version: 3
ldap_auth_method: bind
ldap_search_base: ou=xx,ou=xx,o=xx
ldap_scope: sub
ldap_bind_dn: uid=xxxx,ou=xx,ou=xx,o=xx
ldap_bind_pw: xx
ldap_filter: ShortName=%U
auxprop_plugin: ldapdb
This is my smtpd.conf file setting, at /etc/sasl2/smtpd.conf:
pwcheck_method: auxprop
auxprop_plugin: ldapdb
mech_list: PLAIN LOGIN NTLM CRAM-MD5 DIGEST-MD5
ldapdb_uri: ldaps://x.x.x:636
ldapdb_id: uid=xxx,ou=xx,ou=xx,o=xx
ldapdb_pw: xx
ldapdb_mech: LOGIN
ldap_version: 3
ldap_auth_method: bind
Thanks and Regards, Vamsi.
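Added example, not part of either message in this thread: a small Python check for the behaviour the two transcripts above are meant to show, namely that port 587 offers STARTTLS but no AUTH on the cleartext connection, and offers AUTH only after TLS is up. The two EHLO replies are constructed from the output quoted above (the hostname is a placeholder); the expected mechanism set of PLAIN and LOGIN is an assumption that follows from verifying credentials by LDAP bind, where the server never holds the password and so cannot complete CRAM-MD5, DIGEST-MD5 or NTLM.

```python
import re

# Constructed sample replies, modelled on the EHLO output quoted above; the
# hostname is a placeholder, not a real server.
EHLO_BEFORE_STARTTLS = """\
250-mail.example.test
250-PIPELINING
250-SIZE 36700160
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""

EHLO_AFTER_STARTTLS = """\
250-mail.example.test
250-PIPELINING
250-SIZE 36700160
250-AUTH DIGEST-MD5 CRAM-MD5 NTLM LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""

# Assumption: with LDAP bind as the password verifier the server never holds
# the password, so only PLAIN and LOGIN can succeed; anything else that is
# advertised cannot work and only widens the attack surface.
EXPECTED_MECHS = {"PLAIN", "LOGIN"}


def parse_ehlo(reply):
    """Turn a multi-line 250 EHLO reply into {KEYWORD: [parameters]}.

    The first line carries the server hostname and is skipped; every other
    line must start with '250-' or '250 ' (the final line).
    """
    caps = {}
    for i, line in enumerate(reply.strip().splitlines()):
        m = re.match(r"^250[ -](.*)$", line)
        if not m:
            raise ValueError("not an EHLO reply line: %r" % line)
        if i == 0:
            continue
        fields = m.group(1).split()
        caps[fields[0].upper()] = [f.upper() for f in fields[1:]]
    return caps


def audit_submission(before_tls, after_tls, expected=EXPECTED_MECHS):
    """Compare EHLO replies captured before and after STARTTLS on port 587.

    Returns a list of findings; an empty list means AUTH is offered only
    under TLS and only the expected mechanisms are advertised.
    """
    findings = []
    pre = parse_ehlo(before_tls)
    post = parse_ehlo(after_tls)
    if "STARTTLS" not in pre:
        findings.append("STARTTLS not offered on the cleartext connection")
    if "AUTH" in pre:
        findings.append("AUTH offered before TLS (expected smtpd_tls_auth_only=yes)")
    if "AUTH" not in post:
        findings.append("AUTH not offered after STARTTLS")
    else:
        extra = set(post["AUTH"]) - expected
        if extra:
            findings.append("unexpected mechanisms after TLS: " + ", ".join(sorted(extra)))
    return findings


if __name__ == "__main__":
    for f in audit_submission(EHLO_BEFORE_STARTTLS, EHLO_AFTER_STARTTLS):
        print("FINDING:", f)
```

Run against the replies quoted above, the only finding is that CRAM-MD5, DIGEST-MD5 and NTLM are advertised after TLS; to check a live server, paste the two EHLO replies as captured with telnet and openssl s_client into the two strings.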
-----Original Message-----
From: [email protected] <[email protected]> On
Behalf Of Viktor Dukhovni
Sent: Monday, April 27, 2020 1:00 AM
To: [email protected]
Subject: Re: Trying to set up SASL auth to use an LDAP server on Postfix and having issues.
On Fri, Apr 24, 2020 at 11:27:58AM +0000, Bandaru, Vamsi wrote:
> I am sorry if this query doesn't belong here , but I am trying to
> configure Cyrus SASL on Postfix to use our LDAP servers for
> authentication.
To be clear, it sounds like you want to use LDAP bind as a "password oracle",
that is the PLAIN (or LOGIN) SASL credentials of submission users are verified
by making an LDAP connection with the provided credentials. Is that right?
> The moment I turn on SASL auth on main.cf, telnet to the system on
> port 25 starts to fail,
Firstly, you should generally limit SASL support to just ports 587 and/or 465,
and of course only when TLS is enabled. SASL on port 25 is unnecessary, and
just invites abuse.
> I see the below errors in maillog :
> Apr 24 11:07:09 XXXXXXXX postfix/smtpd[19352]: xsasl_cyrus_server_create: SASL service=smtp, realm=(null)
> Apr 24 11:07:09 xxxxxxxxxx postfix/smtpd[19352]: name_mask: noanonymous
> Apr 24 11:07:09 xxxxxxxxxx postfix/smtpd[19352]: name_mask: noplaintext
> Apr 24 11:07:09 xxxxxxxxxx postfix/smtpd[19352]: warning: xsasl_cyrus_server_get_mechanism_list: no applicable SASL mechanisms
> Apr 24 11:07:09 xxxxxxxxxx postfix/smtpd[19352]: fatal: no SASL authentication mechanisms
What are your settings of:
smtpd_sasl_mechanism_filter
smtpd_sasl_security_options
smtpd_sasl_tls_security_options
This would be a good time to post your "postconf -nf" and "postconf -Mf"
output, if you've done that already upthread.
> My smtpd.conf file :
>
> pwcheck_method: auxprop
> auxprop_plugin: ldapdb
> mech_list: PLAIN LOGIN
> ldapdb_uri: ldaps://xxxxxxxxxxx:636
> ldapdb_id: uid=xxxxx,ou=people,ou=xxx,o=World
> ldapdb_pw: xxxxxxxxxx
> #ldapdb_mech: DIGEST-MD5
You only enable PLAIN and LOGIN, but perhaps you have:
smtpd_sasl_security_options = noanonymous, noplaintext
which leaves no mechanisms available. Instead, set:
main.cf:
smtpd_sasl_auth_enable = no
smtpd_tls_auth_only = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_mechanism_filter = plain, login
master.cf:
submission inet n - n - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
which enables SASL only for submission, and only over TLS, with plaintext
mechanisms not disabled.
--
Viktor.
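Added example, written for this page and not taken from the thread or from Postfix: a Python model of the two points made in the reply above. First, how "noanonymous, noplaintext" interacts with a mech_list of only PLAIN and LOGIN (nothing survives, which is the "fatal: no SASL authentication mechanisms" the original poster saw), and how the recommended "noanonymous" plus a plain/login filter leaves exactly those two. Second, a master.cf audit that flags any smtpd service with SASL enabled but TLS not required. Only the two Cyrus security options that matter here are modelled; the master.cf text is constructed from the recommended submission entry plus a deliberately wrong smtp entry, and the two main.cf dictionaries are the setting the reply suspects and the setting it recommends.

```python
# Mechanisms that Cyrus SASL classes as sending the password in the clear;
# these are what "noplaintext" removes. Only the two security options that
# matter for this thread are modelled (Cyrus knows several more).
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def _split(value):
    return [v.strip() for v in value.replace(",", " ").split() if v.strip()]


def effective_mechanisms(mech_list, security_options, mechanism_filter=None):
    """Model which mechanisms smtpd ends up advertising.

    mech_list         -- from /etc/sasl2/smtpd.conf
    security_options  -- smtpd_sasl_security_options, or the _tls_ variant
                         when TLS is active, e.g. "noanonymous, noplaintext"
    mechanism_filter  -- smtpd_sasl_mechanism_filter where supported; None
                         means no further filtering
    """
    mechs = [m.upper() for m in _split(mech_list)]
    opts = {o.lower() for o in _split(security_options)}
    if "noplaintext" in opts:
        mechs = [m for m in mechs if m not in PLAINTEXT_MECHS]
    if "noanonymous" in opts:
        mechs = [m for m in mechs if m != "ANONYMOUS"]
    if mechanism_filter:
        allowed = {m.upper() for m in _split(mechanism_filter)}
        mechs = [m for m in mechs if m in allowed]
    return mechs


def parse_master_cf(text):
    """Return {'name/type': {'command': ..., 'options': {...}}} from master.cf.

    Service lines start in column 0 with eight fields; '-o key=value'
    continuation lines are indented.
    """
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            opt = raw.strip()
            if opt.startswith("-o ") and current:
                key, _, value = opt[3:].partition("=")
                services[current]["options"][key] = value
            continue
        fields = raw.split()
        current = fields[0] + "/" + fields[1]
        services[current] = {"command": fields[7], "options": {}}
    return services


def audit_sasl(main_cf, master_cf_text, mech_list):
    """Flag smtpd services that enable SASL without TLS, or that end up with
    no usable mechanism (the 'fatal: no SASL authentication mechanisms' case)."""
    findings = []
    for svc, spec in parse_master_cf(master_cf_text).items():
        if spec["command"] != "smtpd":
            continue
        cfg = dict(main_cf)
        cfg.update(spec["options"])  # -o overrides win over main.cf
        if cfg.get("smtpd_sasl_auth_enable", "no") != "yes":
            continue
        level = cfg.get("smtpd_tls_security_level", "none")
        auth_only = cfg.get("smtpd_tls_auth_only", "no") == "yes"
        if level == "none":
            findings.append(f"{svc}: SASL enabled but TLS is not offered (smtpd_tls_security_level=none)")
            under_tls = False
        elif level == "encrypt" or auth_only:
            under_tls = True
        else:
            findings.append(f"{svc}: AUTH can be offered on a cleartext connection")
            under_tls = False
        # Once TLS is active Postfix uses smtpd_sasl_tls_security_options,
        # which defaults to $smtpd_sasl_security_options (default: noanonymous).
        base = cfg.get("smtpd_sasl_security_options", "noanonymous")
        opts = cfg.get("smtpd_sasl_tls_security_options", base) if under_tls else base
        mechs = effective_mechanisms(mech_list, opts, cfg.get("smtpd_sasl_mechanism_filter"))
        if not mechs:
            findings.append(f"{svc}: no mechanism survives '{opts}' with mech_list '{mech_list}'")
    return findings


# Constructed master.cf: the recommended submission entry plus a second,
# deliberately wrong, smtp entry that turns SASL on without TLS.
MASTER_CF = """\
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
smtp       inet  n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
"""

# main.cf as the reply suspects it was (options that drop PLAIN and LOGIN)
# and as the reply recommends.
MAIN_CF_NOPLAINTEXT = {"smtpd_sasl_security_options": "noanonymous, noplaintext"}
MAIN_CF_RECOMMENDED = {
    "smtpd_sasl_auth_enable": "no",
    "smtpd_tls_auth_only": "yes",
    "smtpd_sasl_security_options": "noanonymous",
    "smtpd_sasl_mechanism_filter": "plain, login",
}

if __name__ == "__main__":
    for name, cf in (("noplaintext", MAIN_CF_NOPLAINTEXT), ("recommended", MAIN_CF_RECOMMENDED)):
        print(name, audit_sasl(cf, MASTER_CF, "PLAIN LOGIN"))
```

With the suspected main.cf the submission service is left with no mechanism at all and the stray smtp entry is flagged twice (no TLS, no mechanism); with the recommended main.cf only the stray smtp entry is reported. To audit a real host, replace MASTER_CF with the output of "postconf -Mf" and build the main.cf dictionary from "postconf -n".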