Postfix SASL Authentication

2006-08-08 Thread Gerard Seibert
FreeBSD 6.1 STABLE

I have SASL and Postfix installed and for the most part they seem to
work all right together. However, there is one small problem.

When attempting to send a message from one of the PCs on the network,
actually any PC on the network except for the one with Postfix installed
on it, this error message is inserted into the maillog file.

Aug  8 10:11:32 scorpio postfix/smtpd[1310]: connect from 
boss.seibercom.net[192.168.0.4]
Aug  8 10:11:32 scorpio postfix/smtpd[1310]: warning: SASL authentication 
failure: no user in db
Aug  8 10:11:32 scorpio postfix/smtpd[1310]: 859B9BD6C: 
client=boss.seibercom.net[192.168.0.4], sasl_method=LOGIN, [EMAIL PROTECTED]

All of the users are authenticated. Exactly what is it referring to and how do 
I correct it? The mail does get relayed however, so it is not a fatal warning.


-- 
Gerard Seibert
[EMAIL PROTECTED]

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
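The maillog excerpt above shows a SASL warning followed, in the same smtpd process, by a message that was nevertheless queued. A practitioner reading such logs wants to know, per session, whether the message was accepted on the strength of a successful AUTH (Postfix only logs sasl_method/sasl_username on the client= line after a successful AUTH) or merely because the client address sits inside mynetworks. The following script is an added example, not code from the thread: it groups smtpd log lines into sessions by PID, records SASL warnings and queued messages, and reports every session that has both. The sample log is constructed (the first session mirrors the one in the post with a placeholder username; the other two are invented for contrast) and the mynetworks value is an assumption to be replaced with the output of `postconf -h mynetworks`.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample log, modelled on the maillog excerpt in the post. The
# first session is the one from the post (username placeholder substituted);
# the other two sessions are invented for contrast.
SAMPLE_LOG = """\
Aug  8 10:11:32 scorpio postfix/smtpd[1310]: connect from boss.seibercom.net[192.168.0.4]
Aug  8 10:11:32 scorpio postfix/smtpd[1310]: warning: SASL authentication failure: no user in db
Aug  8 10:11:32 scorpio postfix/smtpd[1310]: 859B9BD6C: client=boss.seibercom.net[192.168.0.4], sasl_method=LOGIN, sasl_username=user@example.invalid
Aug  8 10:11:33 scorpio postfix/smtpd[1310]: disconnect from boss.seibercom.net[192.168.0.4]
Aug  8 10:12:01 scorpio postfix/smtpd[1322]: connect from unknown[203.0.113.7]
Aug  8 10:12:01 scorpio postfix/smtpd[1322]: warning: SASL authentication failure: no user in db
Aug  8 10:12:02 scorpio postfix/smtpd[1322]: disconnect from unknown[203.0.113.7]
Aug  8 10:13:10 scorpio postfix/smtpd[1340]: connect from laptop.seibercom.net[192.168.0.9]
Aug  8 10:13:10 scorpio postfix/smtpd[1340]: 9A1C2BD70: client=laptop.seibercom.net[192.168.0.9], sasl_method=PLAIN, sasl_username=user@example.invalid
Aug  8 10:13:11 scorpio postfix/smtpd[1340]: disconnect from laptop.seibercom.net[192.168.0.9]
"""

# Assumed value of Postfix's mynetworks (hypothetical); replace with the
# output of `postconf -h mynetworks` on the real server.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.168.0.0/24")]

LINE_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT_RE = re.compile(r"^connect from (?P<name>\S+)\[(?P<ip>[^\]]+)\]")
QUEUED_RE = re.compile(
    r"^(?P<qid>[0-9A-F]+): client=(?P<name>\S+)\[(?P<ip>[^\]]+)\](?P<rest>.*)$")
SASL_WARN = "warning: SASL authentication failure"


@dataclass
class Session:
    pid: str
    client_name: str
    client_ip: str
    sasl_warnings: list = field(default_factory=list)
    queued: list = field(default_factory=list)   # (queue_id, sasl_method, sasl_username)


def _attrs(rest):
    """Turn ', sasl_method=LOGIN, sasl_username=x' into a dict."""
    out = {}
    for item in rest.split(","):
        item = item.strip()
        if "=" in item:
            key, value = item.split("=", 1)
            out[key] = value
    return out


def parse_sessions(log_text):
    """Group smtpd lines into connect..disconnect sessions keyed by PID."""
    sessions, open_by_pid = [], {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        cm = CONNECT_RE.match(msg)
        if cm:
            s = Session(pid, cm["name"], cm["ip"])
            open_by_pid[pid] = s
            sessions.append(s)
            continue
        s = open_by_pid.get(pid)
        if s is None:
            continue
        qm = QUEUED_RE.match(msg)
        if msg.startswith(SASL_WARN):
            s.sasl_warnings.append(msg[len("warning: "):])
        elif qm:
            attrs = _attrs(qm["rest"])
            s.queued.append((qm["qid"], attrs.get("sasl_method"),
                             attrs.get("sasl_username")))
        elif msg.startswith("disconnect from"):
            open_by_pid.pop(pid, None)
    return sessions


def in_mynetworks(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MYNETWORKS)


def triage(sessions):
    """Sessions where a SASL warning was logged and a message was still queued."""
    findings = []
    for s in sessions:
        if not s.sasl_warnings:
            continue
        for qid, method, user in s.queued:
            findings.append({
                "queue_id": qid,
                "client": f"{s.client_name}[{s.client_ip}]",
                "sasl_method": method,          # None means no AUTH succeeded
                "sasl_username": user,
                "warnings": list(s.sasl_warnings),
                "trusted_network": in_mynetworks(s.client_ip),
            })
    return findings


if __name__ == "__main__":
    for f in triage(parse_sessions(SAMPLE_LOG)):
        print(f)
```

A finding with `sasl_method` set means AUTH did eventually succeed despite the warning; a finding with `sasl_method` of None and `trusted_network` True means the message was relayed on network trust alone, which is the case to investigate.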


Re: Postfix SASL Authentication

2006-08-08 Thread Greg Groth

On 8/8/2006 9:20 AM, Gerard Seibert wrote:

FreeBSD 6.1 STABLE

I have SASL and Postfix installed and for the most part they seem to
work all right together. However, there is one small problem.

When attempting to send a message from one of the PCs on the network,
actually any PC on the network except for the one with Postfix installed
on it, this error message is inserted into the maillog file.

Aug  8 10:11:32 scorpio postfix/smtpd[1310]: connect from 
boss.seibercom.net[192.168.0.4]
Aug  8 10:11:32 scorpio postfix/smtpd[1310]: warning: SASL authentication 
failure: no user in db
Aug  8 10:11:32 scorpio postfix/smtpd[1310]: 859B9BD6C: 
client=boss.seibercom.net[192.168.0.4], sasl_method=LOGIN, [EMAIL PROTECTED]

All of the users are authenticated. Exactly what is it referring to and how do 
I correct it? The mail does get relayed however, so it is not a fatal warning.



Which version of SASL?  v1 or v2?

The following is based on my experience with v2, and I don't know if it 
applies to v1 or not.


As far as the message in your log file, it's attempting to authenticate, 
but it's not connecting to the user database to verify the user.  More 
than likely it's allowing you to send mail from the local server because 
you have Postfix configured to allow it to relay mail from localhost, 
and that this is allowing you to send the email even though 
authentication is failing.


To determine which authentication methods Postfix will accept, telnet to 
localhost on port 25 and issue an EHLO:


mail# telnet localhost 25
Trying ::1...
Connected to localhost.domain.com.
Escape character is '^]'.
220 mail.domain.com ESMTP Postfix

EHLO localhost

250-mail.domain.com
250-PIPELINING
250-SIZE 1024
250-VRFY
250-ETRN
250-AUTH NTLM LOGIN PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
250-AUTH=NTLM LOGIN PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

In this instance, the AUTH line dictates which authentication mechanisms 
Postfix will accept.  In this case: NTLM LOGIN PLAIN GSSAPI DIGEST-MD5 
CRAM-MD5


Check your /usr/local/lib/sasl2/smtpd.conf file and make sure that you 
have the correct auth mechanism listed.  For plain text login that's 
verified against your existing users, your smtpd.conf file would read as 
follows:


pwcheck_method: saslauthd

This will verify against your existing user accounts.  There are other 
methods, such as pwcheck_method:  sasldb, that will verify against 
SASL's own password database, which I've never used.


Make sure that you have saslauthd running (which it appears you do).

Issue the following:

# /usr/local/sbin/testsaslauthd -u username -p password
0: OK Success.

If saslauthd is operating correctly, you'll receive the OK Success. 
If not, your problem is with saslauthd.


If your AUTH line does not list the right AUTH mechanism, the problem is 
with Postfix.  For instance, if you're trying to use SMTP-AUTH from a 
client on your network, and have pwcheck_method: saslauthd defined in 
your smtpd.conf file, you have to have PLAIN LOGIN appear in the AUTH 
line when telnetting.


Best regards,
Greg Groth
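The telnet/EHLO check above is the right way to see what Postfix advertises, and the interesting lines are `250-AUTH` (the mechanisms), `250-AUTH=` (the same list repeated in the form that Postfix emits for old clients when broken_sasl_auth_clients is enabled) and, if present, `250-STARTTLS`. The following is an added example, not code from the thread: it parses a captured EHLO response into a capability map and reports which of the required mechanisms are offered, which are missing, and whether cleartext mechanisms (PLAIN and LOGIN, which carry the password in base64 only) are advertised on a connection that offers no STARTTLS. The first transcript is the one Greg posted; the second is constructed to show a server that offers STARTTLS and withholds AUTH until after it (the behaviour of Postfix's smtpd_tls_auth_only), so the same check must be repeated after STARTTLS on such a server.

```python
# Transcript from Greg's reply in this thread.
EHLO_GREG = """\
mail# telnet localhost 25
Trying ::1...
Connected to localhost.domain.com.
Escape character is '^]'.
220 mail.domain.com ESMTP Postfix

EHLO localhost

250-mail.domain.com
250-PIPELINING
250-SIZE 1024
250-VRFY
250-ETRN
250-AUTH NTLM LOGIN PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
250-AUTH=NTLM LOGIN PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""

# Constructed transcript (hypothetical host): STARTTLS offered, AUTH withheld
# until TLS is up, as with smtpd_tls_auth_only = yes.
EHLO_TLS_ONLY = """\
220 mail.example.invalid ESMTP Postfix
EHLO localhost
250-mail.example.invalid
250-PIPELINING
250-STARTTLS
250-ENHANCEDSTATUSCODES
250 8BITMIME
"""

CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_ehlo(text):
    """Map EHLO keywords to their parameter lists; the first 250 line is the greeting."""
    caps = {}
    seen_greeting = False
    for line in text.splitlines():
        if not line.startswith("250"):
            continue                      # skip banner, prompts and echoed commands
        body = line[4:].strip()           # drop "250-" or "250 "
        if not seen_greeting:
            caps["_greeting"] = body      # server's domain
            seen_greeting = True
            continue
        if body.upper().startswith("AUTH="):
            caps["AUTH="] = body[5:].split()   # compatibility form for old clients
            continue
        parts = body.split()
        if parts:
            caps[parts[0].upper()] = parts[1:]
    return caps


def audit_auth(caps, required=("PLAIN", "LOGIN")):
    """Compare advertised AUTH mechanisms with what the clients need, and
    flag cleartext mechanisms offered without STARTTLS."""
    offered = set(caps.get("AUTH", []))
    missing = {m for m in required if m not in offered}
    starttls = "STARTTLS" in caps
    return {
        "offered": offered,
        "missing": missing,
        "starttls": starttls,
        "cleartext_without_tls": bool(offered & CLEARTEXT_MECHS) and not starttls,
        "broken_client_compat": "AUTH=" in caps,
    }


if __name__ == "__main__":
    for name, transcript in (("greg", EHLO_GREG), ("tls-only", EHLO_TLS_ONLY)):
        print(name, audit_auth(parse_ehlo(transcript)))
```

A result with `missing` empty but `cleartext_without_tls` True is exactly the situation in this thread: the clients will be able to log in, and anyone on the path between PC and server can read the password.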


Re: Postfix SASL Authentication

2006-08-08 Thread Paul Schmehl

Gerard Seibert wrote:

FreeBSD 6.1 STABLE

I have SASL and Postfix installed and for the most part they seem to
work all right together. However, there is one small problem.

When attempting to send a message from one of the PCs on the network,
actually any PC on the network except for the one with Postfix installed
on it, this error message is inserted into the maillog file.

Aug  8 10:11:32 scorpio postfix/smtpd[1310]: connect from 
boss.seibercom.net[192.168.0.4]
Aug  8 10:11:32 scorpio postfix/smtpd[1310]: warning: SASL authentication 
failure: no user in db
Aug  8 10:11:32 scorpio postfix/smtpd[1310]: 859B9BD6C: 
client=boss.seibercom.net[192.168.0.4], sasl_method=LOGIN, [EMAIL PROTECTED]

All of the users are authenticated. Exactly what is it referring to and how do 
I correct it? The mail does get relayed however, so it is not a fatal warning.


Sasl is attempting to use sasldb2 *before* it uses /etc/passwd (or pam, 
as the case may be.)  It's harmless in any case.  What do you have in 
the smtpd.conf file?  (/usr/local/lib/sasl2/smtpd.conf)


--
Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/




Re: Postfix SASL Authentication

2006-08-08 Thread Gerard Seibert
Paul Schmehl wrote:

 Sasl is attempting to use sasldb2 *before* it uses /etc/passwd (or pam, 
 as the case may be.)  It's harmless in any case.  What do you have in 
 the smtpd.conf file?  (/usr/local/lib/sasl2/smtpd.conf)

This is the contents:

##  Global Values
pwcheck_method: auxprop
auxprop_plugin: sasldb
log_level: 7
mech_list: PLAIN LOGIN


-- 
Gerard Seibert
[EMAIL PROTECTED]



Re: Postfix SASL Authentication

2006-08-08 Thread Gerard Seibert
Greg Groth wrote:

 On 8/8/2006 9:20 AM, Gerard Seibert wrote:
  FreeBSD 6.1 STABLE
  
  I have SASL and Postfix installed and for the most part they seem to
  work all right together. However, there is one small problem.
  
  When attempting to send a message from one of the PCs on the network,
  actually any PC on the network except for the one with Postfix installed
  on it, this error message is inserted into the maillog file.
  
  Aug  8 10:11:32 scorpio postfix/smtpd[1310]: connect from 
  boss.seibercom.net[192.168.0.4]
  Aug  8 10:11:32 scorpio postfix/smtpd[1310]: warning: SASL authentication 
  failure: no user in db
  Aug  8 10:11:32 scorpio postfix/smtpd[1310]: 859B9BD6C: 
  client=boss.seibercom.net[192.168.0.4], sasl_method=LOGIN, [EMAIL PROTECTED]
  
  All of the users are authenticated. Exactly what is it referring to and how 
  do I correct it? The mail does get relayed however, so it is not a fatal 
  warning.
  
  
 Which version of SASL?  v1 or v2?
 
 The following is based on my experience with v2, and I don't know if it 
 applies to v1 or not.
 
 As far as the message in your log file, it's attempting to authenticate, 
 but it's not connecting to the user database to verify the user.  More 
 than likely it's allowing you to send mail from the local server because 
 you have Postfix configured to allow it to relay mail from localhost, 
 and that this is allowing you to send the email even though 
 authentication is failing.
 
 To determine which authentication methods Postfix will accept, telnet to 
 localhost on port 25 and issue an EHLO:
 
 mail# telnet localhost 25
 Trying ::1...
 Connected to localhost.domain.com.
 Escape character is '^]'.
 220 mail.domain.com ESMTP Postfix
 
 EHLO localhost
 
 250-mail.domain.com
 250-PIPELINING
 250-SIZE 1024
 250-VRFY
 250-ETRN
 250-AUTH NTLM LOGIN PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
 250-AUTH=NTLM LOGIN PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
 250-ENHANCEDSTATUSCODES
 250-8BITMIME
 250 DSN
 
 In this instance, the AUTH line dictates which authentication mechanisms 
 Postfix will accept.  In this case: NTLM LOGIN PLAIN GSSAPI DIGEST-MD5 
 CRAM-MD5

This is the output of mine:

$ telnet localhost 25
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 scorpio.seibercom.net ESMTP Postfix (2.4-20060727)
ehlo localhost
250-scorpio.seibercom.net
250-PIPELINING
250-SIZE 1024
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

I noticed that the first attempt is refused. Why, I wonder.

 
 Check your /usr/local/lib/sasl2/smtpd.conf file and make sure that you 
 have the correct auth mechanism listed.  For plain text login that's 
 verified against your existing users, your smtpd.conf file would read as 
 follows:
 
 pwcheck_method: saslauthd
 
 This will verify against your existing user accounts.  There are other 
 methods, such as pwcheck_method:  sasldb, that will verify against 
 SASL's own password database, which I've never used.
 
 Make sure that you have saslauthd running (which it appears you do).
 
 Issue the following:
 
 # /usr/local/sbin/testsaslauthd -u username -p password
 0: OK Success.
 
 If saslauthd is operating correctly, you'll receive the OK Success. 
 If not, your problem is with saslauthd.
 
 If your AUTH line does not list the right AUTH mechanism, the problem is 
 with Postfix.  For instance, if you're trying to use SMTP-AUTH from a 
 client on your network, and have pwcheck_method: saslauthd defined in 
 your smtpd.conf file, you have to have PLAIN LOGIN appear in the AUTH 
 line when telnetting.

This is the contents of the smtpd.conf file:

##  Global Values
pwcheck_method: auxprop
auxprop_plugin: sasldb
log_level: 7
mech_list: PLAIN LOGIN


-- 
Gerard Seibert
[EMAIL PROTECTED]



Re: Postfix SASL Authentication

2006-08-08 Thread Greg Groth

  This is the contents of the smtpd.conf file:


##  Global Values
pwcheck_method: auxprop
auxprop_plugin: sasldb
log_level: 7
mech_list: PLAIN LOGIN


From postfix.org:
This will use the Cyrus SASL password file (default: /etc/sasldb in 
version 1.5.5, or /etc/sasldb2 in version 2.1.1), which is maintained 
with the saslpasswd or saslpasswd2 command (part of the Cyrus SASL 
software). On some poorly-supported systems the saslpasswd command needs 
to be run multiple times before it stops complaining. The Postfix SMTP 
server needs read access to the sasldb file - you may have to play games 
with group access permissions. With the OTP authentication mechanism, 
the SMTP server also needs WRITE access to /etc/sasldb2 or /etc/sasldb 
(or the back end SQL database, if used). 


Have you set up the SASL password file?  If not, that's why you're 
getting the error.  If you have, what happens when you test saslauthd on 
its own?


# /usr/local/sbin/testsaslauthd -u username -p password

It should return:

status 0: OK Success.

If you'd rather authenticate against the existing system usernames and 
passwords, change your smtpd.conf file to the following:


pwcheck_method: saslauthd

and delete the rest.

You might have to restart both services if you update the smtpd.conf file:

# /usr/local/etc/rc.d/saslauthd restart
# postfix reload

Best regards,
Greg Groth


Re: Postfix SASL Authentication

2006-08-08 Thread Paul Schmehl

Gerard Seibert wrote:

Paul Schmehl wrote:

Sasl is attempting to use sasldb2 *before* it uses /etc/passwd (or pam, 
as the case may be.)  It's harmless in any case.  What do you have in 
the smtpd.conf file?  (/usr/local/lib/sasl2/smtpd.conf)


This is the contents:

##  Global Values
pwcheck_method: auxprop
auxprop_plugin: sasldb
log_level: 7
mech_list: PLAIN LOGIN


Apparently you're using the sasldb2 database for logins?  If so, the 
sasldb2 database needs to be readable by postfix, and it has to be 
populated with the [EMAIL PROTECTED] that you need.  Have you populated 
the db?


You would probably be better off using saslauthd as your pwcheck_method. 
 Then start saslauthd with the -a sasldb flag.  (See man 8 saslauthd.) 
 Auxprop is an older method that wasn't very dependable.


--
Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/




Re: Postfix SASL Authentication

2006-08-08 Thread Gerard Seibert
Paul Schmehl wrote:

 Apparently you're using the sasldb2 database for logins?  If so, the 
 sasldb2 database needs to be readable by postfix, and it has to be 
 populated with the [EMAIL PROTECTED] that you need.  Have you populated 
 the db?
 
 You would probably be better off using saslauthd as your pwcheck_method. 
   Then start saslauthd with the -a sasldb flag.  (See man 8 saslauthd.) 
   Auxprop is an older method that wasn't very dependable.

Thanks, that is what I did. I had to modify the
/usr/local/lib/smtpd.conf file, but that was about it.

I do have one question though. The rc.d file has 'pam' listed rather
than sasldb for the '-a ' flag. I changed it there although the
directions said not to. Is there any reason that changing it in the rc.d
file is a bad thing? I could not figure out what it meant to do
otherwise. Was I supposed to create another file that would override that
one? If so, what was the syntax of the file supposed to be? Anyway, it
works, so that is all I am really interested in at the moment.

Ciao!

-- 
Gerard Seibert
[EMAIL PROTECTED]



Re: Postfix SASL Authentication

2006-08-08 Thread jan gestre

On 8/9/06, Gerard Seibert [EMAIL PROTECTED] wrote:


Paul Schmehl wrote:

 Apparently you're using the sasldb2 database for logins?  If so, the
 sasldb2 database needs to be readable by postfix, and it has to be
 populated with the [EMAIL PROTECTED] that you need.  Have you populated
 the db?

 You would probably be better off using saslauthd as your pwcheck_method.
   Then start saslauthd with the -a sasldb flag.  (See man 8 saslauthd.)
   Auxprop is an older method that wasn't very dependable.

Thanks, that is what I did. I had to modify the
/usr/local/lib/smtpd.conf file, but that was about it.

I do have one question though. The rc.d file has 'pam' listed rather
than sasldb for the '-a ' flag. I changed it there although the
directions said not to. Is there any reason that changing it in the rc.d
file is a bad thing? I could not figure out what it meant to do
otherwise. Was I supposed to create another file that would override that
one? If so, what was the syntax of the file supposed to be? Anyway, it
works, so that is all I am really interested in at the moment.

try putting this in your rc.conf:


saslauthd_enable=YES
saslauthd_flags=-a getpwent

HTH


Re: Postfix SASL Authentication

2006-08-08 Thread pauls
--On August 8, 2006 7:40:20 PM -0400 Gerard Seibert [EMAIL PROTECTED] 
wrote:



Paul Schmehl wrote:


Apparently you're using the sasldb2 database for logins?  If so, the
sasldb2 database needs to be readable by postfix, and it has to be
populated with the [EMAIL PROTECTED] that you need.  Have you populated
the db?

You would probably be better off using saslauthd as your
pwcheck_method.  Then start saslauthd with the -a sasldb flag.  (See
  man 8 saslauthd.)  Auxprop is an older method that wasn't very
  dependable.


Thanks, that is what I did. I had to modify the
/usr/local/lib/smtpd.conf file, but that was about it.


Glad to hear it.


I do have one question though. The rc.d file has 'pam' listed rather
than sasldb for the '-a ' flag. I changed it there although the
directions said not to. Is there any reason that changing it in the rc.d
file is a bad thing?


Not a bad thing, but when the port gets updated, your changes will be 
overwritten.  Instead, use /etc/rc.conf:

saslauthd_enable=YES
saslauthd_flags=-a sasldb

I could not figure out what it meant to do

otherwise. Was I supposed to create another file that would override that
one? If so, what was the syntax of the file supposed to be? Anyway, it
works, so that is all I am really interested in at the moment.

In general, you want to put variables for startup scripts in /etc/rc.conf, 
rather than editing the individual startup files.  The startup scripts 
will source the /etc/rc.conf file and get the values of those variables 
and use them when they run.


Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/