Hello Viktor,
I am attaching the outputs of "postconf -nf" and "postconf -Mf" for your
perusal, please excuse me if they look lame. :)
Thanks and Regards, Vamsi B.
-----Original Message-----
From: [email protected] <[email protected]> On
Behalf Of Viktor Dukhovni
Sent: Monday, April 27, 2020 6:21 AM
To: [email protected]
Subject: Re: Trying to setup SASL auth to use a LDAP server on postfix and
having issues .
On Mon, Apr 27, 2020 at 12:25:06AM +0000, Bandaru, Vamsi wrote:
> > LDAP auxprop plugin. Did you install it?
>
> Yes , these are the installed packages on my side for Cyrus-Sasl
>
> cyrus-sasl-2.1.26-23.el7.x86_64
> cyrus-sasl-devel-2.1.26-23.el7.x86_64
>
> cyrus-sasl-ldap-2.1.26-23.el7.x86_64 >>>
> ( Description : The cyrus-sasl-ldap package contains the Cyrus SASL plugin
> which supports using
> : a directory server, accessed using LDAP, for storing shared
> secrets.
> )
On a Fedora 31 system I see:
cyrus-sasl-ldap.x86_64 : LDAP auxprop support for Cyrus SASL
Name : cyrus-sasl-ldap
Version : 2.1.27
Release : 3.fc31
Architecture : x86_64
Size : 20 k
Source : cyrus-sasl-2.1.27-3.fc31.src.rpm
Repository : updates
Summary : LDAP auxprop support for Cyrus SASL
URL : https://www.cyrusimap.org/sasl/
License : BSD with advertising
Description : The cyrus-sasl-ldap package contains the Cyrus SASL plugin
which supports using
: a directory server, accessed using LDAP, for storing shared
secrets.
So, yes that looks like the right one. But...
> - have added 'postfix' user to the ' saslauthd ' group .
That's likely unnecessary. I think you're trying to use LDAP directly from the
SASL library, not saslauthd.
> When I run : ps -ef | grep saslauthd
>
> /usr/sbin/saslauthd -m /run/saslauthd -a ldap -r
> /usr/sbin/saslauthd -m /run/saslauthd -a ldap -r
> /usr/sbin/saslauthd -m /run/saslauthd -a ldap -r
> /usr/sbin/saslauthd -m /run/saslauthd -a ldap -r
I don't see how that's relevant, if Postfix were to use saslauthd, it would not
be directly loading the LDAP plugin. You need to decide between saslauthd and
direct use of the plugin.
> Some blogs suggest moving the ' /run/saslauthd ' file to under '
> /var/spool/postfix '
Don't pay attention to bad advice. Once they start suggesting ad-hoc
restructuring of your filesystem, make a mental note they're incompetent and
move on.
> Suggested steps :
>
> rm -r /var/run/saslauthd/
> mkdir -p /var/spool/postfix/var/run/saslauthd
> ln -s /var/spool/postfix/var/run/saslauthd /var/run
> chgrp sasl /var/spool/postfix/var/run/saslauthd
> adduser postfix sasl
>
> I am not sure if I have to do this .
Your scepticism is healthy.
> My permissions under
>
> # ll /run/saslauthd
> srwxrwxrwx. 1 root root 0 Apr 26 06:54 mux
> -rw-------. 1 root root 0 Apr 26 06:54 mux.accept
> -rw-------. 1 root root 6 Apr 26 06:54 saslauthd.pid
But you have "pwcheck_method: auxprop", which is not saslauthd, so saslauthd is
irrelevant.
> postfix/submission/smtpd[94812]: _sasl_plugin_load failed on
> sasl_auxprop_plug_init for plugin: ldapdb
> postfix/submission/smtpd[94812]: _sasl_plugin_load failed on
> sasl_canonuser_init for plugin: ldapdb
Perhaps your SASL library directory is not set correctly. Do you have a custom
setting of "cyrus_sasl_config_path"? Did you ever post full "postconf -nf" and
"postconf -Mf" output?
On Fedora systems, the SASL plugins are generally in: /usr/lib64/sasl2 with
configuration files in: /etc/sasl2
What are the permissions on these? What are the library dependencies of your
/usr/libexec/postfix/smtpd library (from "ldd")?
What are the library dependencies of the SASL ldap plugin?
> could you suggest if I have to move : ' /run/saslauthd ' file to under '
> /var/spool/postfix ' for postfix to load the plugin .
Nothing of the sort is necessary or wise.
--
Viktor.
Output of "postconf -nf":

alias_database =
alias_maps =
append_dot_mydomain = no
authorized_submit_users =
body_checks = pcre:$config_directory/body_checks.pcre
bounce_queue_lifetime = 1d
command_directory = /usr/sbin
config_directory = /etc/postfix-in-1
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix-in-1
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
    $daemon_directory/$process_name $process_id & sleep 5
default_database_type = hash
disable_vrfy_command = yes
fast_flush_domains = $relay_domains
header_checks = pcre:$config_directory/subject_logging.pcre
html_directory = /usr/share/doc/postfix-2.10.1-documentation/html
inet_interfaces = x.x.x.x
inet_protocols = ipv4
local_recipient_maps =
local_transport = error:5.1.1 Mailbox unavailable
mail_owner = postfix
mailbox_size_limit = $message_size_limit
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maximal_queue_lifetime = $bounce_queue_lifetime
message_size_limit = 36700160
multi_instance_enable = yes
multi_instance_group = postfix-in
multi_instance_name = postfix-in-1
mydestination =
myhostname = x.x.x.x.x
newaliases_path = /usr/bin/newaliases.postfix
proxy_interfaces = x.x.x.x
qmgr_message_active_limit = 100
queue_directory = /var/spool/postfix-in-1
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
relay_domains = $config_directory/relay_domains
relay_recipient_maps = hash:$config_directory/relay_rcpt.db
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_bind_address = x.x.x.x
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_discard_ehlo_keywords = etrn
smtpd_etrn_restrictions = reject
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated
    reject_unauth_destination
smtpd_sasl_auth_enable = no
smtpd_sasl_path = /usr/lib64/sasl2
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = cyrus
smtpd_tls_CApath = $config_directory/certs
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/certs/xxxxxx.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:$config_directory/tls/smtpd_scache
smtpd_tls_session_cache_timeout = 60s
soft_bounce = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:$config_directory/transport.db
unknown_local_recipient_reject_code = 550
Output of "postconf -Mf":

submission inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix-in-1/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_reject_unlisted_recipient=no
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_tls_auth_only=yes
    -o smtpd_recipient_restrictions=
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING
pickup     fifo  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       fifo  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
    -o smtp_fallback_relay=
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
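Added example, not code from this thread: a shell script that performs the checks Viktor asks for in the quoted message (other-readable permissions on the SASL plugin and config directories, "ldd" output for smtpd and the ldapdb plugin with unresolved libraries flagged, and which pwcheck_method smtpd.conf actually selects, since saslauthd and the auxprop plugin are mutually exclusive paths). It goes one step beyond the thread: the "_sasl_plugin_load failed on sasl_auxprop_plug_init" line is what libsasl2 logs after it has already dlopen'ed the plugin and found the entry point, when the plugin's own init function returns an error, and the ldapdb plugin's init reads its ldapdb_* options (ldapdb_uri, ldapdb_id, ldapdb_pw, ...) from the application config, so the script lists those as well. The paths (/usr/lib64/sasl2, /etc/sasl2, /usr/libexec/postfix/smtpd) are the Fedora/RHEL defaults from the quoted message and are assumptions; the plugin file name libldapdb.so is the one the cyrus-sasl-ldap package installs, and the script name sasl-audit.sh is mine.

```shell
#!/bin/sh
# Added example, not from the thread: scripts the checks asked for in the
# quoted message (directory/file permissions, ldd dependencies, auxprop vs
# saslauthd) plus the ldapdb_* options the plugin reads when it initialises.
# The paths are Fedora/RHEL defaults and are assumptions; override via env.
SASL_PLUGIN_DIR=${SASL_PLUGIN_DIR:-/usr/lib64/sasl2}
SASL_CONF_DIR=${SASL_CONF_DIR:-/etc/sasl2}
SMTPD=${SMTPD:-/usr/libexec/postfix/smtpd}

# Print the value of pwcheck_method from a Cyrus SASL application config
# (e.g. /etc/sasl2/smtpd.conf). "auxprop" means libsasl2 inside smtpd loads
# the ldapdb plugin itself; "saslauthd" means it hands the credentials to the
# saslauthd daemon over its mux socket. Only one of the two is in play.
pwcheck_method() {
    sed -n 's/^[[:space:]]*pwcheck_method:[[:space:]]*//p' "$1" | head -n 1
}

# Print the ldapdb_* options in the config and fail if ldapdb_uri is absent
# (the plugin cannot reach any directory server without it).
ldapdb_options() {
    grep -E '^[[:space:]]*ldapdb_[a-z]+:' "$1" || true
    grep -Eq '^[[:space:]]*ldapdb_uri:' "$1"
}

# Succeed if "others" can read (and, for a directory, search) the path.
# smtpd runs as the unprivileged postfix user, so the plugin directory, the
# .so files and the config must be readable by everyone, not only by root.
others_readable() {
    [ -e "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c8-10)   # the rwx triplet for "others"
    if [ -d "$1" ]; then
        case $perms in r?x) return 0 ;; esac
    else
        case $perms in r??) return 0 ;; esac
    fi
    return 1
}

# Read ldd output on stdin, print every object reported as "not found",
# and fail if there is at least one: a plugin whose own dependencies do
# not resolve cannot be loaded, whatever its permissions are.
missing_deps() {
    awk '/=> not found/ { print $1; missing = 1 } END { exit (missing ? 1 : 0) }'
}

# Run every check against the live system; exit status 1 if anything failed.
audit_sasl_plugins() {
    rc=0
    conf=$SASL_CONF_DIR/smtpd.conf

    echo "== pwcheck_method in $conf"
    method=$(pwcheck_method "$conf" 2>/dev/null)
    echo "   ${method:-<unset, Cyrus SASL defaults to auxprop>}"

    echo "== ldapdb_* options the plugin reads at init"
    if ! ldapdb_options "$conf"; then echo "   FAIL no ldapdb_uri in $conf"; rc=1; fi

    echo "== permissions as seen by an unprivileged process"
    for p in "$SASL_CONF_DIR" "$conf" "$SASL_PLUGIN_DIR" "$SASL_PLUGIN_DIR"/libldapdb.so*; do
        if others_readable "$p"; then echo "   ok   $p"; else echo "   FAIL $p"; rc=1; fi
    done

    echo "== unresolved shared-library dependencies"
    for so in "$SMTPD" "$SASL_PLUGIN_DIR"/libldapdb.so*; do
        if [ ! -e "$so" ]; then echo "   FAIL $so (missing)"; rc=1; continue; fi
        if missing=$(ldd "$so" | missing_deps); then
            echo "   ok   $so"
        else
            echo "   FAIL $so needs: $missing"; rc=1
        fi
    done
    return $rc
}

# Only touch the live system when invoked as: sh sasl-audit.sh run
case ${1:-} in run) audit_sasl_plugins ;; esac
```

Run it as `sh sasl-audit.sh run` on the mail host; sourcing the file only defines the functions. One further thing worth comparing against the posted "postconf -nf": Postfix documents smtpd_sasl_path as the name it hands to Cyrus SASL to locate the application config (default "smtpd", which resolves to /etc/sasl2/smtpd.conf or the plugin directory's smtpd.conf), not as the plugin directory itself, so a value of /usr/lib64/sasl2 is worth checking against the SASL_README shipped with the installed Postfix.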