JP Vossen on 8 Jun 2010 13:14:08 -0700
So Lucid has Thunderbird 3, which exposes a bug in my Postfix and Cyrus sasl config that TB2 masked. Basically, my config doesn't work. As far as I can tell, from spending at least 6+ hours on it so far, my config should work, but it doesn't.

NOTE: this is all port 587 now and Postfix is chroot'ed per the Debian Lenny default.

Stock Lenny Postfix, sasl, etc.:
	postfix-2.5.5-1.1
	libsasl2-2-2.1.22.dfsg1-23+lenny1
	libsasl2-modules-2.1.22.dfsg1-23+lenny1
	sasl2-bin-2.1.22.dfsg1-23+lenny1

I've gotten at least 5-8 different error messages, at one time or another, as I tweaked things, but I've gotten it down to "authentication failure":

Jun  8 15:24:10 hamilton postfix/smtpd[9114]: connect from ...fios...[173.49.x.x]
Jun  8 15:24:10 hamilton postfix/smtpd[9114]: setting up TLS connection from ...fios...[173.49.x.x]
Jun  8 15:24:11 hamilton postfix/smtpd[9114]: Anonymous TLS connection established from ...fios...[173.49.x.x]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jun  8 15:24:11 hamilton postfix/smtpd[9114]: warning: SASL authentication failure: Password verification failed
Jun  8 15:24:11 hamilton postfix/smtpd[9114]: warning: ...fios...[173.49.x.x]: SASL PLAIN authentication failed: authentication failure
Jun  8 15:24:11 hamilton postfix/smtpd[9114]: warning: ...fios...[173.49.x.x]: SASL LOGIN authentication failed: authentication failure
Jun  8 15:24:15 hamilton postfix/smtpd[9114]: disconnect from ...fios...[173.49.x.x]

BUT...

[root@hamilton:T1:L1:C4231:J0:2010-06-08_15:31:59_EDT]
/root# testsaslauthd -u jp -p passwd -f /var/spool/postfix/var/run/saslauthd/mux
0: OK "Success."

FYI:

[root@hamilton:T1:L1:C4237:J0:2010-06-08_15:41:38_EDT]
/root# cat /etc/debian_version
5.0.4

[root@hamilton:T1:L1:C4238:J0:2010-06-08_15:45:42_EDT]
/root# uname -a
Linux hamilton 2.6.26-1-686 #1 SMP Sat Jan 10 18:29:31 UTC 2009 i686 GNU/Linux

FILES / CONFIGS:

/etc/default/saslauthd
[...]
START=yes
DESC="SASL Authentication Daemon"
NAME="saslauthd"
[...]
MECHANISMS="pam"    ## Also tried shadow
[...]
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

/etc/postfix/main.cf
[...]
smtpd_sasl_path = /etc/postfix/sasl/smtpd
smtpd_sasl_auth_enable = yes
smtpd_sasl2_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
[...]

/etc/postfix/master.cf
[...]
smtp       inet  n       -       -       -       -       smtpd
submission inet  n       -       -       -       -       smtpd
#  -o smtpd_enforce_tls=yes
   -o smtpd_sasl_auth_enable=yes
#submission inet n       -       -       -       -       smtpd
#  -o smtpd_etrn_restrictions=reject
[...]

/etc/postfix/sasl/smtpd.conf
saslauthd_path: /var/run/saslauthd
#saslauthd_path: /var/spool/postfix/var/run/saslauthd
#saslauthd_version: 2
pwcheck_method: saslauthd
mech_list: plain login
allow_plaintext: true

[root@hamilton:T1:L1:C4234:J0:2010-06-08_15:35:43_EDT]
/root# ps auwx | egrep '[p]ostfix|[s]mtp|[s]asl'
root      2001  0.0  0.3   5620  1812 ?  Ss   13:00   0:00 /usr/lib/postfix/master
postfix   2008  0.0  0.3   5772  2000 ?  S    13:00   0:00 qmgr -l -t fifo -u -c
postfix   2210  0.0  0.3   5688  1908 ?  S    13:03   0:00 tlsmgr -l -t unix -u -c
postfix   8028  0.0  0.3   5632  1788 ?  S    14:52   0:00 pickup -l -t fifo -u -c
postfix   9212  0.0  0.7   6852  3712 ?  S    15:34   0:00 smtpd -n smtp -t inet -u -c -o stress
root     27334  0.0  0.1   8360   772 ?  Ss   Jun07   0:00 /usr/sbin/saslauthd -a pam -c -m /var/spool/postfix/var/run/saslauthd -n 2
root     27335  0.0  0.2   8584  1196 ?  S    Jun07   0:00 /usr/sbin/saslauthd -a pam -c -m /var/spool/postfix/var/run/saslauthd -n 2

If you check from outside, you won't see the AUTH lines until you STARTTLS:

[root@hamilton:T1:L1:C4236:J0:2010-06-08_15:41:02_EDT]
/root# openssl s_client -connect mail.jpsdomain.org:587 -starttls smtp
CONNECTED(00000003)
depth=2 /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
[...]
250 DSN
ehlo test
250-smtp.jpsdomain.org
250-PIPELINING
250-SIZE
250-ETRN
250-AUTH PLAIN LOGIN CRAM-MD5 NTLM DIGEST-MD5
250-AUTH=PLAIN LOGIN CRAM-MD5 NTLM DIGEST-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
read:errno=0

I've read that the "CRAM-MD5 NTLM DIGEST-MD5" stuff should not be there, and I omitted it from /etc/postfix/sasl/smtpd.conf:
	mech_list: plain login

So I'm confused as to where "CRAM..." etc. is coming from. It's possible that /etc/postfix/sasl/smtpd.conf is not actually being read. OTOH, the auth failures are for PLAIN and LOGIN, so maybe this is a red herring.

I can't find any way of logging more details anywhere. I have no idea what user ID or password is actually being checked, though I'm putting the same data as I used above in 'testsaslauthd' into TB3, so in theory it should work.

The next step is to put up stock Lenny & Lucid VMs, and build the config from scratch one line at a time. But that'll be tedious, even though I already have the VMs.

Any clues?

JP

PS--I'm planning to attend PLUG N tonight if anyone wants to bring a clue stick or for interactive t-shooting. :)

----------------------------|:::======|-------------------------------
JP Vossen, CISSP            |:::======|      http://bashcookbook.com/
My Account, My Opinions     |=========|      http://www.jpsdomain.org/
----------------------------|=========|-------------------------------
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
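Two checks a reader can script from the evidence in this post, added here as an example that is not part of the original message: the mechanisms advertised after STARTTLS compared against mech_list (any surplus means the running smtpd is offering libsasl's default set rather than reading that smtpd.conf), and the saslauthd socket path as it resolves from inside the Postfix chroot. It assumes the EHLO reply and paths quoted above; EHLO_SAMPLE is a constructed copy of that reply.

```shell
#!/bin/sh
# Constructed sample: the EHLO reply from the openssl s_client session above.
EHLO_SAMPLE='250-smtp.jpsdomain.org
250-PIPELINING
250-SIZE
250-ETRN
250-AUTH PLAIN LOGIN CRAM-MD5 NTLM DIGEST-MD5
250-AUTH=PLAIN LOGIN CRAM-MD5 NTLM DIGEST-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN'

# Read an EHLO reply on stdin; print the advertised SASL mechanisms, lowercased,
# one per line, sorted.  Only the "250-AUTH " line is parsed; the "250-AUTH="
# line is the duplicate Postfix emits for broken_sasl_auth_clients = yes.
advertised_mechs() {
    tr -d '\r' | sed -n 's/^250[- ]AUTH \(.*\)$/\1/p' \
        | tr ' ' '\n' | tr '[:upper:]' '[:lower:]' | sort -u
}

# Print mechanisms that are advertised but absent from mech_list.
# $1 = mech_list value from smtpd.conf, $2 = output of advertised_mechs.
# Any output means libsasl is offering its default set (every installed
# plugin), i.e. the running smtpd is not honouring that smtpd.conf.
unexpected_mechs() {
    _want=" $(printf '%s' "$1" | tr '[:upper:]' '[:lower:]') "
    printf '%s\n' "$2" | while read -r _m; do
        case "$_want" in *" $_m "*) ;; *) printf '%s\n' "$_m" ;; esac
    done
}

# Resolve saslauthd_path the way a chrooted smtpd sees it: relative to the
# chroot root.  Guides give the value with and without a trailing /mux, so
# both spellings are tried.  $1 = chroot dir, $2 = saslauthd_path value.
# Returns 0 only if a socket exists at one of them.
check_mux() {
    for _p in "${1%/}$2" "${1%/}$2/mux"; do
        if [ -S "$_p" ]; then echo "ok: $_p is a socket"; return 0; fi
    done
    echo "problem: no socket at ${1%/}$2[/mux]; saslauthd -m must point inside the chroot"
    return 1
}

# Run against the post's values.  On a live host, feed advertised_mechs from
#   openssl s_client -connect HOST:587 -starttls smtp -crlf   (then "ehlo x")
mechs=$(printf '%s\n' "$EHLO_SAMPLE" | advertised_mechs)
extra=$(unexpected_mechs "plain login" "$mechs")
if [ -n "$extra" ]; then echo "advertised but not in mech_list:" $extra; fi
check_mux /var/spool/postfix /var/run/saslauthd || :
```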