JP Vossen on 8 Jun 2010 13:14:08 -0700



[PLUG] Postfix + sasl + TB3?


So Lucid has Thunderbird 3, which exposes a bug in my Postfix and Cyrus 
sasl config that TB2 masked.  Basically, my config doesn't work.

As far as I can tell, from spending at least 6+ hours on it so far, my 
config should work, but it doesn't.

NOTE: this is all port 587 now and Postfix is chroot'ed per the Debian 
Lenny default.  Stock Lenny Postfix, sasl, etc.:
	postfix-2.5.5-1.1
	libsasl2-2-2.1.22.dfsg1-23+lenny1
	libsasl2-modules-2.1.22.dfsg1-23+lenny1
	sasl2-bin-2.1.22.dfsg1-23+lenny1


I've gotten at least 5-8 different error messages, at one time or 
another, as I tweaked things, but I've gotten it down to "authentication 
failure":

Jun  8 15:24:10 hamilton postfix/smtpd[9114]: connect from ...fios...[173.49.x.x]
Jun  8 15:24:10 hamilton postfix/smtpd[9114]: setting up TLS connection from ...fios...[173.49.x.x]
Jun  8 15:24:11 hamilton postfix/smtpd[9114]: Anonymous TLS connection established from ...fios...[173.49.x.x]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jun  8 15:24:11 hamilton postfix/smtpd[9114]: warning: SASL authentication failure: Password verification failed
Jun  8 15:24:11 hamilton postfix/smtpd[9114]: warning: ...fios...[173.49.x.x]: SASL PLAIN authentication failed: authentication failure
Jun  8 15:24:11 hamilton postfix/smtpd[9114]: warning: ...fios...[173.49.x.x]: SASL LOGIN authentication failed: authentication failure
Jun  8 15:24:15 hamilton postfix/smtpd[9114]: disconnect from ...fios...[173.49.x.x]


BUT...

[root@hamilton:T1:L1:C4231:J0:2010-06-08_15:31:59_EDT]
/root# testsaslauthd -u jp -p passwd -f /var/spool/postfix/var/run/saslauthd/mux
0: OK "Success."

FYI:
[root@hamilton:T1:L1:C4237:J0:2010-06-08_15:41:38_EDT]
/root# cat /etc/debian_version
5.0.4

[root@hamilton:T1:L1:C4238:J0:2010-06-08_15:45:42_EDT]
/root# uname -a
Linux hamilton 2.6.26-1-686 #1 SMP Sat Jan 10 18:29:31 UTC 2009 i686 GNU/Linux



FILES / CONFIGS:

/etc/default/saslauthd
[...]
START=yes
DESC="SASL Authentication Daemon"
NAME="saslauthd"
[...]
MECHANISMS="pam"
	## Also tried shadow
[...]
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"


/etc/postfix/main.cf
[...]
smtpd_sasl_path = /etc/postfix/sasl/smtpd
smtpd_sasl_auth_enable = yes
smtpd_sasl2_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
[...]


/etc/postfix/master.cf
[...]
smtp      inet  n       -       -       -       -       smtpd
submission inet n       -       -       -       -       smtpd
#       -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
#submission inet n      -       -       -       -       smtpd
#       -o smtpd_etrn_restrictions=reject
[...]


/etc/postfix/sasl/smtpd.conf
saslauthd_path: /var/run/saslauthd
#saslauthd_path: /var/spool/postfix/var/run/saslauthd
#saslauthd_version: 2
pwcheck_method: saslauthd
mech_list: plain login
allow_plaintext: true


[root@hamilton:T1:L1:C4234:J0:2010-06-08_15:35:43_EDT]
/root# ps auwx | egrep '[p]ostfix|[s]mtp|[s]asl'
root      2001  0.0  0.3   5620  1812 ?        Ss   13:00   0:00 /usr/lib/postfix/master
postfix   2008  0.0  0.3   5772  2000 ?        S    13:00   0:00 qmgr -l -t fifo -u -c
postfix   2210  0.0  0.3   5688  1908 ?        S    13:03   0:00 tlsmgr -l -t unix -u -c
postfix   8028  0.0  0.3   5632  1788 ?        S    14:52   0:00 pickup -l -t fifo -u -c
postfix   9212  0.0  0.7   6852  3712 ?        S    15:34   0:00 smtpd -n smtp -t inet -u -c -o stress
root     27334  0.0  0.1   8360   772 ?        Ss   Jun07   0:00 /usr/sbin/saslauthd -a pam -c -m /var/spool/postfix/var/run/saslauthd -n 2
root     27335  0.0  0.2   8584  1196 ?        S    Jun07   0:00 /usr/sbin/saslauthd -a pam -c -m /var/spool/postfix/var/run/saslauthd -n 2


If you check from outside, you won't see the AUTH lines until you STARTTLS:

[root@hamilton:T1:L1:C4236:J0:2010-06-08_15:41:02_EDT]
/root# openssl s_client -connect mail.jpsdomain.org:587 -starttls smtp
CONNECTED(00000003)
depth=2 /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
[...]
250 DSN
ehlo test
250-smtp.jpsdomain.org
250-PIPELINING
250-SIZE
250-ETRN
250-AUTH PLAIN LOGIN CRAM-MD5 NTLM DIGEST-MD5
250-AUTH=PLAIN LOGIN CRAM-MD5 NTLM DIGEST-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
read:errno=0


I've read that the "CRAM-MD5 NTLM DIGEST-MD5" stuff should not be there, 
and I omitted it from /etc/postfix/sasl/smtpd.conf:
	mech_list: plain login

So I'm confused as to where "CRAM..." etc. is coming from.  It's 
possible that /etc/postfix/sasl/smtpd.conf is not actually being read. 
OTOH, the auth failures are for PLAIN and LOGIN, so maybe this is a red 
herring.

I can't find any way of logging more details anywhere.  I have no idea 
what user ID or password is actually being checked, though I'm putting 
the same data as I used above in 'testsaslauthd' into TB3 so in theory 
it should work.

The next step is to put up stock Lenny & Lucid VMs, and build the config 
from scratch one line at a time.  But that'll be tedious, even though I 
already have the VMs.


Any clues?
JP

PS--I'm planning to attend PLUG N tonight if anyone wants to bring a 
clue stick or for interactive t-shooting.  :)
----------------------------|:::======|-------------------------------
JP Vossen, CISSP            |:::======|      http://bashcookbook.com/
My Account, My Opinions     |=========|      http://www.jpsdomain.org/
----------------------------|=========|-------------------------------
"Microsoft Tax" = the additional hardware & yearly fees for the add-on
software required to protect Windows from its own poorly designed and
implemented self, while the overhead incidentally flattens Moore's Law.
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
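An added consistency check for the two things the post above is unsure about (whether the saslauthd mux path lines up once smtpd runs inside the Postfix chroot, and whether the advertised AUTH mechanisms match mech_list). This is example code written for this page, not anything from the post or from the Postfix/Cyrus projects; the config excerpts and EHLO banner are constructed from the values quoted in the post, and the chroot prefix /var/spool/postfix is assumed.

```python
import re

# Constructed excerpts mirroring the files and EHLO output quoted in the post.
SASLAUTHD_DEFAULT = 'START=yes\nMECHANISMS="pam"\nOPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"\n'
SMTPD_CONF = ("saslauthd_path: /var/run/saslauthd\npwcheck_method: saslauthd\n"
              "mech_list: plain login\nallow_plaintext: true\n")
EHLO_BANNER = ("250-AUTH PLAIN LOGIN CRAM-MD5 NTLM DIGEST-MD5\n"
               "250-AUTH=PLAIN LOGIN CRAM-MD5 NTLM DIGEST-MD5\n")
CHROOT = "/var/spool/postfix"   # assumed Debian chroot root for smtpd


def saslauthd_socket_dir(defaults):
    """Directory saslauthd was told to put its mux socket in (-m), else its default."""
    m = re.search(r'^OPTIONS="([^"]*)"', defaults, re.M)
    opts = m.group(1).split() if m else []
    if "-m" in opts:
        return opts[opts.index("-m") + 1]
    return "/var/run/saslauthd"


def smtpd_conf_value(conf, key):
    """Value of a 'key: value' line in a Cyrus SASL smtpd.conf, or None."""
    m = re.search(rf'^{re.escape(key)}:\s*(.+)$', conf, re.M)
    return m.group(1).strip() if m else None


def resolved_mux(conf, chrooted):
    """Socket path libsasl will open: saslauthd_path + '/mux', seen from inside the chroot."""
    path = smtpd_conf_value(conf, "saslauthd_path") or "/var/run/saslauthd"
    if chrooted:
        path = CHROOT + path   # a chrooted smtpd resolves the path under the chroot root
    return path + "/mux"


def check_socket(defaults, conf, chrooted):
    """(ok, where saslauthd listens, where smtpd will look)."""
    expected = saslauthd_socket_dir(defaults) + "/mux"
    actual = resolved_mux(conf, chrooted)
    return expected == actual, expected, actual


def check_mechs(conf, banner):
    """Mechanisms advertised in the EHLO banner that mech_list did not allow.
    A non-empty result is a sign smtpd.conf is not the file libsasl is reading."""
    wanted = set((smtpd_conf_value(conf, "mech_list") or "").upper().split())
    m = re.search(r'^250-AUTH ([A-Z0-9\- ]+)$', banner, re.M)
    advertised = set(m.group(1).split()) if m else set()
    return advertised - wanted


if __name__ == "__main__":
    print("socket:", check_socket(SASLAUTHD_DEFAULT, SMTPD_CONF, chrooted=True))
    print("unexpected mechs:", check_mechs(SMTPD_CONF, EHLO_BANNER))
```

With the values from the post the socket paths agree as long as smtpd really is chrooted, while the banner still lists CRAM-MD5, NTLM and DIGEST-MD5, which is the evidence that mech_list (and so smtpd.conf) is not in effect.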