From: Henrik Larsson (no email)
Date: Fri May 23 2008 - 15:29:20 EDT
Hi All
I'm a little confused here, and I'm not sure whether this is a Postfix issue,
a SASL issue, or just a Microsoft compatibility issue.
I got SMTP authentication working for all my users, even the latest
Outlook 2007 user. The problem is that every time the Outlook 2007 user
authenticates, I see this message in the log:
May 23 00:28:45 web02 postfix/smtpd[31767]: connect from
79.138.250.228.bredband.3.dk[79.138.250.228]
May 23 00:28:47 web02 postfix/smtpd[31767]: warning: SASL authentication
failure: realm changed: authentication aborted
May 23 00:28:47 web02 postfix/smtpd[31767]: warning:
79.138.250.228.bredband.3.dk[79.138.250.228]: SASL DIGEST-MD5
authentication failed: authentication failure
May 23 00:28:47 web02 postfix/smtpd[31767]: B4E662DA668:
client=79.138.250.228.bredband.3.dk[79.138.250.228], sasl_method=LOGIN,
sasl_username=
It seems like the client tries DIGEST-MD5 first, but this fails
because of "realm changed", and then the client falls back to LOGIN
successfully. Is there any way to solve this?
Any solution will actually do here, a configuration change for postfix
or SASL or even a solution for Outlook 2007 would do ;o)
Below is the output from saslfinger and postfinger for your reference:
# ./saslfinger -s
saslfinger - postfix Cyrus sasl configuration fre 23 maj 2008 20:30:59 CEST
version: 1.0.2
mode: server-side SMTP AUTH
-- basics --
Postfix: 2.5.1
System: FreeBSD 6.3-STABLE (WEB02) #0: Thu Apr 24 11:10:47 CEST 2008
-- smtpd is linked to --
libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x28352000)
-- active SMTP AUTH and TLS parameters for smtpd --
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_cert_file = /etc/ssl/mail.larsson.it.crt
smtpd_tls_key_file = /etc/ssl/mail.larsson.it.key
smtpd_tls_loglevel = 0
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
-- listing of /usr/local/lib/sasl2 --
total 822
drwxr-xr-x 2 root wheel 1024 14 nov 2007 .
drwxr-xr-x 14 root wheel 4096 21 apr 10:53 ..
-rwxr-xr-x 1 root wheel 736 14 nov 2007 libanonymous.la
-rwxr-xr-x 1 root wheel 44655 14 nov 2007 libanonymous.so
-rwxr-xr-x 1 root wheel 44655 14 nov 2007 libanonymous.so.2
-rwxr-xr-x 1 root wheel 724 14 nov 2007 libcrammd5.la
-rwxr-xr-x 1 root wheel 49216 14 nov 2007 libcrammd5.so
-rwxr-xr-x 1 root wheel 49216 14 nov 2007 libcrammd5.so.2
-rwxr-xr-x 1 root wheel 745 14 nov 2007 libdigestmd5.la
-rwxr-xr-x 1 root wheel 95905 14 nov 2007 libdigestmd5.so
-rwxr-xr-x 1 root wheel 95905 14 nov 2007 libdigestmd5.so.2
-rwxr-xr-x 1 root wheel 712 14 nov 2007 liblogin.la
-rwxr-xr-x 1 root wheel 45946 14 nov 2007 liblogin.so
-rwxr-xr-x 1 root wheel 45946 14 nov 2007 liblogin.so.2
-rwxr-xr-x 1 root wheel 712 14 nov 2007 libplain.la
-rwxr-xr-x 1 root wheel 45240 14 nov 2007 libplain.so
-rwxr-xr-x 1 root wheel 45240 14 nov 2007 libplain.so.2
-rwxr-xr-x 1 root wheel 732 14 nov 2007 libsasldb.la
-rwxr-xr-x 1 root wheel 57521 14 nov 2007 libsasldb.so
-rwxr-xr-x 1 root wheel 57521 14 nov 2007 libsasldb.so.2
-rwxr-xr-x 1 root wheel 744 14 nov 2007 libsql.la
-rwxr-xr-x 1 root wheel 61509 14 nov 2007 libsql.so
-rwxr-xr-x 1 root wheel 61509 14 nov 2007 libsql.so.2
-rw-rw---- 1 root wheel 258 14 dec 14:55 smtpd.conf
-- content of /usr/local/lib/sasl2/smtpd.conf --
pwcheck_method: auxprop
auxprop_plugin: sql
log_level: 0
sql_user: --- replaced ---
sql_passwd: --- replaced ---
sql_hostnames: localhost
sql_database: mail
sql_select: select clearpass from mailbox where user = '%u@%r' and login
= 1 and disablesmtp != 1
sql_verbose: 0
-- active services in /etc/postfix/master.cf --
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
smtp inet n - n - - smtpd
submission inet n - n - - smtpd
-o smtpd_enforce_tls=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps inet n - n - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
-o fallback_relay=
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
127.0.0.1:10025 inet n - n - - smtpd
-o content_filter=
-o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=reject_unauth_pipelining
-o smtpd_end_of_data_restrictions=
-o smtpd_restriction_classes=
-o mynetworks=127.0.0.0/8
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o
receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
-o local_header_rewrite_clients=
amavis-lmtp unix - - n - 2 lmtp
-o lmtp_data_done_timeout=1200
-o lmtp_send_xforward_command=yes
-o disable_dns_lookups=yes
-o max_use=20
proxywrite unix - - n - 1 proxymap
-- mechanisms on localhost --
250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-AUTH=LOGIN PLAIN DIGEST-MD5 CRAM-MD5
-- end of saslfinger output --
# postfinger
postfinger - postfix configuration on Fri May 23 21:06:29 CEST 2008
version: 1.30
Warning: postfinger output may show private configuration information,
such as ip addresses and/or domain names which you do not want to show
to the public. If this is the case it is your responsibility to modify
the output to hide this private information. [Remove this warning with
the --nowarn option.]
--System Parameters--
mail_version = 2.5.1
hostname = web02.larsson.it
uname = FreeBSD web02.larsson.it 6.3-STABLE FreeBSD 6.3-STABLE #0: Thu
Apr 24 11:10:47 CEST 2008
:/usr/obj/usr/src/sys/WEB02 i386
--Packaging information--
looks like this postfix comes from BSD package:
--main.cf non-default parameters--
biff = no
broken_sasl_auth_clients = yes
content_filter = amavis-lmtp:[127.0.0.1]:10024
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/checks_header.regexp
mailq_path = /usr/libexec/postfix/mailq
message_size_limit = 25600000
mydestination = web02.larsson.it
myhostname = mail.larsson.it
mynetworks = 127.0.0.0/8
myorigin = web02.larsson.it
newaliases_path = /usr/libexec/postfix/newaliases
notify_classes = bounce, 2bounce, delay, resource, software
owner_request_special = no
parent_domain_matches_subdomains =
proxy_interfaces = 213.185.13.10
queue_directory = /home/mail/postfix
readme_directory = /etc/postfix/readme
recipient_delimiter = +
sample_directory = /etc/postfix/sample
sendmail_path = /usr/libexec/postfix/sendmail
show_user_unknown_table_name = no
smtpd_client_restrictions = permit_mynetworks,
permit_sasl_authenticated, check_client_access
mysql:/etc/postfix/access_client.mysql
smtpd_hard_error_limit = 5
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated,
check_helo_access mysql:/etc/postfix/access_helo.mysql
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_non_fqdn_recipient,
reject_unauth_pipelining, check_recipient_access
mysql:/etc/postfix/access_recipient.mysql, check_recipient_access
mysql:/etc/postfix/access_aliases.mysql, reject
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sender_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_non_fqdn_sender, check_sender_access
mysql:/etc/postfix/access_sender.mysql, check_sender_access
regexp:/etc/postfix/access_sender.regexp
smtpd_soft_error_limit = 2
smtpd_tls_cert_file = /etc/ssl/mail.larsson.it.crt
smtpd_tls_key_file = /etc/ssl/mail.larsson.it.key
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
tls_random_exchange_name = /var/lib/postfix/prng_exch
transport_maps = mysql:/etc/postfix/maps_transport.mysql
virtual_alias_maps = mysql:/etc/postfix/maps_aliases.mysql
virtual_gid_maps = mysql:/etc/postfix/maps_virtualid.mysql
virtual_mailbox_base = /
virtual_mailbox_maps = mysql:/etc/postfix/maps_mailbox.mysql
virtual_uid_maps = mysql:/etc/postfix/maps_virtualid.mysql
--master.cf--
smtp inet n - n - - smtpd
submission inet n - n - - smtpd
-o smtpd_enforce_tls=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps inet n - n - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
-o fallback_relay=
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
127.0.0.1:10025 inet n - n - - smtpd
-o content_filter=
-o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=reject_unauth_pipelining
-o smtpd_end_of_data_restrictions=
-o smtpd_restriction_classes=
-o mynetworks=127.0.0.0/8
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o
receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
-o local_header_rewrite_clients=
amavis-lmtp unix - - n - 2 lmtp
-o lmtp_data_done_timeout=1200
-o lmtp_send_xforward_command=yes
-o disable_dns_lookups=yes
-o max_use=20
proxywrite unix - - n - 1 proxymap
-- end of postfinger output --
Best regards
Henrik