From: Patrick Ben Koetter (p at state-of-mind dot de)
Date: Wed Jun 01 2005 - 10:23:56 EDT
* Jonatan Arango <>:
> Hi Patrick, thank you for helping me.
>
> This is the saslfinger output
>
> saslfinger - postfix Cyrus sasl configuration Wed Jun 1 08:46:38 COT
> 2005
> version: 0.9.9.1
> mode: server-side SMTP AUTH
>
> -- basics --
> Postfix: 2.2.2
> System: Fedora Core release 3 (Heidelberg)
>
> -- smtpd is linked to --
> libsasl.so.7 => /usr/lib/libsasl.so.7 (0x00125000)
> libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x00101000)

Can you build Postfix so that it is linked to SASL2 (libsasl2.so.2) only?
See the build_spec (or so) file in Simon's SRPMs.

> -- active SMTP AUTH and TLS parameters for smtpd --
> broken_sasl_auth_clients = yes
> smtpd_sasl_application_name = smtpd
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain =
> smtpd_sasl_security_options = noanonymous
> smtpd_tls_cert_file = /etc/postfix/smtpd.pem
> smtpd_tls_key_file = /etc/postfix/smtpd-key.pem
> smtpd_tls_loglevel = 1
> smtpd_use_tls = yes

Set

    smtpd_use_tls = no

while you configure SMTP AUTH.

>
> -- listing of /usr/lib/sasl --
> total 488
> drwxr-xr-x 2 root root 4096 May 31 22:08 .
> drwxr-xr-x 124 root root 69632 Jun 1 04:26 ..
> -rw-r--r-- 1 root root 4630 Oct 7 2004 libanonymous.a
> -rwxr-xr-x 1 root root 871 May 31 22:03 libanonymous.la
> -rwxr-xr-x 1 root root 5748 May 31 22:03 libanonymous.so
> -rwxr-xr-x 1 root root 5748 May 31 22:03 libanonymous.so.1
> -rwxr-xr-x 1 root root 5748 May 31 22:03 libanonymous.so.1.0.17
> -rw-r--r-- 1 root root 9754 Oct 7 2004 libcrammd5.a
> -rwxr-xr-x 1 root root 857 May 31 22:03 libcrammd5.la
> -rwxr-xr-x 1 root root 9884 May 31 22:03 libcrammd5.so
> -rwxr-xr-x 1 root root 9884 May 31 22:03 libcrammd5.so.1
> -rwxr-xr-x 1 root root 9884 May 31 22:03 libcrammd5.so.1.0.19
> -rw-r--r-- 1 root root 34260 Oct 7 2004 libdigestmd5.a
> -rwxr-xr-x 1 root root 880 May 31 22:03 libdigestmd5.la
> -rwxr-xr-x 1 root root 30804 May 31 22:03 libdigestmd5.so
> -rwxr-xr-x 1 root root 30804 May 31 22:03 libdigestmd5.so.0
> -rwxr-xr-x 1 root root 30804 May 31 22:03 libdigestmd5.so.0.0.20
> -rw-r--r-- 1 root root 11318 Oct 7 2004 libgssapiv2.a
> -rwxr-xr-x 1 root root 906 May 31 15:15 libgssapiv2.la
> -rwxr-xr-x 1 root root 11952 May 31 15:16 libgssapiv2.so
> -rwxr-xr-x 1 root root 11952 May 31 15:16 libgssapiv2.so.1
> -rwxr-xr-x 1 root root 11952 May 31 15:16 libgssapiv2.so.1.0.19
> -rw-r--r-- 1 root root 6594 Oct 7 2004 liblogin.a
> -rwxr-xr-x 1 root root 847 Oct 7 2004 liblogin.la
> -rwxr-xr-x 1 root root 7248 Oct 7 2004 liblogin.so
> -rwxr-xr-x 1 root root 7248 Oct 7 2004 liblogin.so.0
> -rwxr-xr-x 1 root root 7248 Oct 7 2004 liblogin.so.0.0.7
> -rw-r--r-- 1 root root 6146 Oct 7 2004 libplain.a
> -rwxr-xr-x 1 root root 849 Oct 7 2004 libplain.la
> -rwxr-xr-x 1 root root 7000 Oct 7 2004 libplain.so
> -rwxr-xr-x 1 root root 7000 Oct 7 2004 libplain.so.1
> -rwxr-xr-x 1 root root 7000 Oct 7 2004 libplain.so.1.0.16
>
> -- listing of /usr/lib/sasl2 --
> total 3568
> drwxr-xr-x 2 root root 4096 May 31 22:15 .
> drwxr-xr-x 124 root root 69632 Jun 1 04:26 ..
> -rwxr-xr-x 1 root root 875 May 31 22:03 libanonymous.la
> -rwxr-xr-x 1 root root 12820 May 31 22:03 libanonymous.so
> -rwxr-xr-x 1 root root 12820 May 31 22:03 libanonymous.so.2
> -rwxr-xr-x 1 root root 12820 May 31 22:03 libanonymous.so.2.0.19
> -rwxr-xr-x 1 root root 863 May 31 22:03 libcrammd5.la
> -rwxr-xr-x 1 root root 15216 May 31 22:03 libcrammd5.so
> -rwxr-xr-x 1 root root 15216 May 31 22:03 libcrammd5.so.2
> -rwxr-xr-x 1 root root 15216 May 31 22:03 libcrammd5.so.2.0.19
> -rwxr-xr-x 1 root root 884 May 31 22:03 libdigestmd5.la
> -rwxr-xr-x 1 root root 42964 May 31 22:03 libdigestmd5.so
> -rwxr-xr-x 1 root root 42964 May 31 22:03 libdigestmd5.so.2
> -rwxr-xr-x 1 root root 42964 May 31 22:03 libdigestmd5.so.2.0.19
> -rwxr-xr-x 1 root root 911 May 31 15:15 libgssapiv2.la
> -rwxr-xr-x 1 root root 22292 May 31 15:16 libgssapiv2.so
> -rwxr-xr-x 1 root root 22292 May 31 15:16 libgssapiv2.so.2
> -rwxr-xr-x 1 root root 22292 May 31 15:16 libgssapiv2.so.2.0.19
> -rwxr-xr-x 1 root root 851 Oct 7 2004 liblogin.la
> -rwxr-xr-x 1 root root 13296 Oct 7 2004 liblogin.so
> -rwxr-xr-x 1 root root 13296 Oct 7 2004 liblogin.so.2
> -rwxr-xr-x 1 root root 13296 Oct 7 2004 liblogin.so.2.0.19
> -rwxr-xr-x 1 root root 851 Oct 7 2004 libplain.la
> -rwxr-xr-x 1 root root 13360 Oct 7 2004 libplain.so
> -rwxr-xr-x 1 root root 13360 Oct 7 2004 libplain.so.2
> -rwxr-xr-x 1 root root 13360 Oct 7 2004 libplain.so.2.0.19
> -rwxr-xr-x 1 root root 923 May 31 22:03 libsasldb.la
> -rwxr-xr-x 1 root root 784960 May 31 22:03 libsasldb.so
> -rwxr-xr-x 1 root root 784960 May 31 22:03 libsasldb.so.2
> -rwxr-xr-x 1 root root 784960 May 31 22:03 libsasldb.so.2.0.19
> -rwxr-xr-x 1 root root 901 May 31 22:03 libsql.la
> -rwxr-xr-x 1 root root 232608 May 31 22:03 libsql.so
> -rwxr-xr-x 1 root root 232608 May 31 22:03 libsql.so.2
> -rwxr-xr-x 1 root root 232608 May 31 22:03 libsql.so.2.0.19
> -rw-r--r-- 1 root root 25 Sep 1 2004 Sendmail.conf
> -rw-r--r-- 1 root root 325 May 31 22:10 smtpd.conf
>
>
>
>
> -- content of /usr/lib/sasl2/smtpd.conf --
> #pwcheck_method:saslauthd
>
> sasl_pwcheck_method:auxprop
> sasl_auxprop_plugin:sql
> sasl_sql_engine: mysql
> sasl_mech_list: plain login
> sasl_sql_hostnames: localhost
> sql_user: --- replaced ---
> sql_passwd: --- replaced ---
> sasl_sql_database: postfix
> sasl_sql_verbose:yes
> sasl_sql_select:SELECT password FROM mailbox WHERE username='%u@%r'

You've experimented with the smtpd.conf parameters. They are wrong now...
This is how they should be:

pwcheck_method: auxprop
auxprop_plugin: sql
sql_engine: mysql
mech_list: plain login cram-md5 digest-md5
sql_hostnames: localhost
sql_user: --- replaced ---
sql_passwd: --- replaced ---
sql_database: postfix
sql_verbose:yes
sql_select:SELECT password FROM mailbox WHERE username='%u@%r'

Have you tested authentication using sasl2-sample-server and
sasl2-sample-client? If not, read the SASL_README that comes with Postfix and
look for sections describing how to test using "server" and "client". They are
pretty much the same as sasl2-sample-server and sasl2-sample-client, but FC
gave them different names.

If authentication with sasl2-sample-* works, proceed to test with Postfix.

p at rick

> -- active services in /etc/postfix/master.cf --
> # service type private unpriv chroot wakeup maxproc command + args
> # (yes) (yes) (yes) (never) (100)
> smtp inet n - n - - smtpd
> pickup fifo n - n 60 1 pickup
> cleanup unix n - n - 0 cleanup
> qmgr fifo n - n 300 1 qmgr
> tlsmgr unix - - n 1000? 1 tlsmgr
> rewrite unix - - n - - trivial-rewrite
> bounce unix - - n - 0 bounce
> defer unix - - n - 0 bounce
> trace unix - - n - 0 bounce
> verify unix - - n - 1 verify
> flush unix n - n 1000? 0 flush
> proxymap unix - - n - - proxymap
> smtp unix - - n - - smtp
> relay unix - - n - - smtp
> -o fallback_relay=
> showq unix n - n - - showq
> error unix - - n - - error
> discard unix - - n - - discard
> local unix - n n - - local
> virtual unix - n n - - virtual
> lmtp unix - - n - - lmtp
> anvil unix - - n - 1 anvil
> scache unix - - n - 1 scache
> maildrop unix - n n - - pipe
> flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
> old-cyrus unix - n n - - pipe
> flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
> cyrus unix - n n - - pipe
> user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension}
> ${user}
> uucp unix - n n - - pipe
> flags=Fqhu user=uucp argv=uux -r -n -z -a$sender -
> $nexthop!rmail.postfix ($recipient)
> ifmail unix - n n - - pipe
> flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
> bsmtp unix - n n - - pipe
> flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop
> $recipient
>
> filter unix - n n - - pipe
> flags=Rq user=vacation argv=/CORREO/vacation/mailfilter -f ${sender}
> -- ${recipient}
> policy unix - n n - - spawn
> user=nobody argv=/usr/bin/perl /etc/postfix/spf-policy.pl
>
> -- mechanisms on localhost --
> 250-AUTH CRAM-MD5 DIGEST-MD5 PLAIN LOGIN GSSAPI
> 250-AUTH=CRAM-MD5 DIGEST-MD5 PLAIN LOGIN GSSAPI
>
>
> -- end of saslfinger output --
>
>
> On Wed, 01-06-2005 at 00:31, Patrick Ben Koetter wrote:
>
> > I reset the thread because I think you hijacked it... anyway....
> >
> > Let's see...
> >
> > * Jonatan Arango <>:
> > > I need to implement smtp authentication but after trying for a day I
> > > couldn't do it the virtual users and domains are stored in mysql and I need
> > > the smtp authentication be done with the same table, after googling I see
> > > that is possible
> > >
> > > Any help is appreciated or please point me to a clear howto
> > >
> > > postfix-2.2.2-3
> > > MySQL-server-4.0.24-0
> > > cyrus-sasl-gssapi-2.1.19-3
> > > cyrus-sasl-devel-2.1.19-3
> > > cyrus-sasl-2.1.19-3
> > > cyrus-sasl-md5-2.1.19-3
> > > cyrus-sasl-plain-2.1.19-3
> > > cyrus-sasl-sql-2.1.19-3
> > > pam-0.77-65
> > >
> > > ldd /usr/sbin/postfix
> > > libldap-2.2.so.7 => /usr/lib/libldap-2.2.so.7 (0x06f40000)
> > > liblber-2.2.so.7 => /usr/lib/liblber-2.2.so.7 (0x00117000)
> > > libmysqlclient.so.12 => /usr/lib/libmysqlclient.so.12
> > > (0x0049b000)
> > > libm.so.6 => /lib/tls/libm.so.6 (0x064f6000)
> > > libpq.so.3 => /usr/lib/libpq.so.3 (0x0047f000)
> > > libcrypt.so.1 => /lib/libcrypt.so.1 (0x0764c000)
> > > libsasl.so.7 => /usr/lib/libsasl.so.7 (0xf6fdf000)
> >
> > SASL1 support
> >
> > > libssl.so.4 => /lib/libssl.so.4 (0x00dbf000)
> > > libcrypto.so.4 => /lib/libcrypto.so.4 (0x00cbf000)
> > > libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x00da9000)
> > > libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x00c35000)
> > > libcom_err.so.2 => /lib/libcom_err.so.2 (0x00ba6000)
> > > libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00c9c000)
> > > libresolv.so.2 => /lib/libresolv.so.2 (0x00675000)
> > > libdl.so.2 => /lib/libdl.so.2 (0x00467000)
> > > libz.so.1 => /usr/lib/libz.so.1 (0x0046d000)
> > > libdb-4.2.so => /lib/tls/i686/libdb-4.2.so (0x00843000)
> > > libnsl.so.1 => /lib/libnsl.so.1 (0x072bf000)
> > > libc.so.6 => /lib/tls/libc.so.6 (0x00319000)
> > > libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xf6fc8000)
> >
> > SASL2 support
> >
> > > libnss_files.so.2 => /lib/libnss_files.so.2 (0x002e8000)
> > > libnss_dns.so.2 => /lib/libnss_dns.so.2 (0x002f5000)
> > > /lib/ld-linux.so.2 (0x00300000)
> > > libpthread.so.0 => /lib/tls/libpthread.so.0 (0x00558000)
> > > libgdbm.so.2 => /usr/lib/libgdbm.so.2 (0x00442000)
> > > libpam.so.0 => /lib/libpam.so.0 (0x00590000)
> > >
> > > /usr/lib/sasl2/smtpd.conf
> > >
> > > pwcheck_method:auxprop
> > > auxprop_plugin:sql
> > > sql_engine: mysql
> > > mech_list: plain login
> >
> > With "auxprop:sql" you can expand the mech_list to offer also CRAM-MD5 and
> > DIGEST-MD5.
> >
> > > sql_hostnames: localhost
> > > sql_user: postfix
> > > sql_passwd: ********
> > > sql_database: postfix_db
> > > sql_select:SELECT password FROM mailbox WHERE username='%u@%r'
> > >
> > > /etc/sysconfig/saslauthd
> > > MECH=pam
> >
> > You don't need saslauthd if you use an auxprop. You can skip the whole
> > saslauthd and PAM stuff.
> >
> > > /etc/pam.d/smtp
> > > auth sufficient pam_mysql.so user=postfix passwd=postfix host=localhost
> > > db=postfix table=mailbox usercolumn=username passwdcolumn=password
> > > crypt=1
> > > account required pam_mysql.so user=postfix passwd=postfix host=localhost
> > > db=postfix table=mailbox usercolumn=username passwdcolumn=password
> > > crypt=1
> > >
> > > # postconf -n|grep sasl
> > >
> > > broken_sasl_auth_clients = yes
> > > smtpd_sasl_application_name = smtpd
> > > smtpd_sasl_auth_enable = yes
> > > smtpd_sasl_local_domain =
> > > smtpd_sasl_security_options = noanonymous
> > >
> > > the maillog says
> > >
> > > May 31 18:50:00 mx01 postfix/smtpd[12539]: warning:
> > > joarango.telecorp.net[200.24.76.9]: SASL LOGIN authentication failed
> >
> > Which AUTH mechanisms does a telnet session to joarango.telecorp.net on port
> > 25 show after a EHLO?
> >
> > > If I try
> > >
> > > testsaslauthd -u '' -p 'password' -s smtpd
> > > 0: OK "Success."
> > > testsaslauthd -u '' -p 'password' -s smtp
> > > 0: OK "Success."
> >
> > That's fine, but you don't need saslauthd.
> >
> > > The mysql_log shows ok the sql_select
> >
> > If you want to use saslauthd, then change smtpd.conf like this:
> >
> > pwcheck_method: saslauthd
> > mech_list: plain login
> >
> > and remove the rest.
> >
> > > I think postfix is not talking to saslauthd or pam or auxprop
> >
> > Postfix might be running chrooted or/and unable to access the socket.
> >
> > Can you send output from "saslfinger -s"? See below for URL to saslfinger.
> >
>
> p at rick
> --
> Ing. Jonatan Arango
> Depto Ingeniería y Tecnología
> Telecorp Ltda
> Tel 6292901 Ext111 6211841/6211745
> E-mail:
--
The Book of Postfix
<http://www.postfix-book.com>
SMTP AUTH debug utility:
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
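Added example (not part of the original message and not saslfinger's own code): a small Python check for the two problems the reply points out in the saslfinger output, namely smtpd.conf options written with a `sasl_` prefix and smtpd being linked to both SASL1 and SASL2. It also flags a `mech_list` that offers non-plaintext mechanisms together with `pwcheck_method: saslauthd`. The function names `parse_conf`, `lint_smtpd_conf` and `sasl_links` are hypothetical.

```python
import re

# Option names exactly as written in the corrected smtpd.conf in the reply.
KNOWN = {"pwcheck_method", "auxprop_plugin", "mech_list", "sql_engine",
         "sql_hostnames", "sql_user", "sql_passwd", "sql_database",
         "sql_verbose", "sql_select"}
PLAINTEXT_MECHS = {"plain", "login"}  # all that saslauthd can verify

def parse_conf(text):
    """Parse 'key: value' lines; blank lines and '#' comments are skipped."""
    opts = {}
    for line in map(str.strip, text.splitlines()):
        if ":" in line and not line.startswith("#"):
            key, _, value = line.partition(":")
            opts[key.strip()] = value.strip()
    return opts

def lint_smtpd_conf(text):
    """Return findings for the smtpd.conf mistakes discussed in the thread."""
    opts, findings = parse_conf(text), []
    for key in opts:
        if key.startswith("sasl_") and key[len("sasl_"):] in KNOWN:
            findings.append(f"{key}: remove the 'sasl_' prefix")
    extra = set(opts.get("mech_list", "").lower().split()) - PLAINTEXT_MECHS
    if opts.get("pwcheck_method") == "saslauthd" and extra:
        findings.append("mech_list: saslauthd cannot verify " + ", ".join(sorted(extra)))
    return findings

def sasl_links(ldd_output):
    """Return SASL libraries in ldd output (libsasl = v1, libsasl2 = v2)."""
    return sorted(set(re.findall(r"^\s*(libsasl2?)\.so", ldd_output, re.M)))

# Inputs copied from the saslfinger output above (credential lines left out).
BAD_CONF = """#pwcheck_method:saslauthd
sasl_pwcheck_method:auxprop
sasl_auxprop_plugin:sql
sasl_sql_engine: mysql
sasl_mech_list: plain login
sasl_sql_hostnames: localhost
sasl_sql_database: postfix
sasl_sql_verbose:yes
sasl_sql_select:SELECT password FROM mailbox WHERE username='%u@%r'
"""
LDD = """libsasl.so.7 => /usr/lib/libsasl.so.7 (0x00125000)
libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x00101000)
"""

if __name__ == "__main__":
    print(lint_smtpd_conf(BAD_CONF), sasl_links(LDD), sep="\n")
```

Two entries from `sasl_links` mean smtpd is still linked to both library generations, which is the condition the reply asks to remove by rebuilding against SASL2 only.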