
Re: sasl authentication


Patrick Ben Koetter

Dec 14, 2007, 3:24:03 AM
* Войнович Андрей Александрович <duke...@vpcit.ru>:
> I am trying to configure Postfix to use SASL for SMTP authentication,
> but when I try to send mail using KMail I receive "5.7.0. Error:
> authentication failed: generic failure."
>
> Then I connect via telnet:
> ehlo 123
> 250-domain.ru
> 250-PIPELINING
> 250-SIZE 10240000
> 250-VRFY
> 250-ETRN
> 250-AUTH PLAIN
> 250-AUTH=PLAIN
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> auth plain P@$$w0rd
> 535 5.7.0 Error: authentication failed: bad protocol / cancel

The string you send must be a combination of authcid, authzid and password and
it must be base64 encoded. Use <http://jetmore.org/john/code/gen-auth> to
create a usable string.

> auth plain w4AfksxwAJY62
> 535 5.7.0 Error: authentication failed: another step is needed in
> authentication
>
> In the mail.log file I see:
> Dec 14 12:16:09 tnk postfix/smtpd[25730]: connect from sg_andrey[10.9.3.20]
> Dec 14 12:16:19 tnk postfix/smtpd[25730]: warning: sg_andrey[10.9.3.20]: SASL
> plain authentication failed: another step is needed in authentication
> Dec 14 12:16:24 tnk postfix/smtpd[25730]: disconnect from sg_andrey[10.9.3.20]
>
> In auth.log I see:
> Dec 14 11:03:43 tnk saslauthd[22620]: detach_tty : master pid is: 22620
> Dec 14 11:03:43 tnk saslauthd[22620]: ipc_init : listening on
> socket: /var/spool/postfix/var/run/saslauthd/mux
> Dec 14 11:11:02 tnk saslauthd[22620]: server_exit : master exited: 22620
> Dec 14 11:11:02 tnk saslauthd[22889]: detach_tty : master pid is: 22889
> Dec 14 11:11:02 tnk saslauthd[22889]: ipc_init : listening on
> socket: /var/spool/postfix/var/run/saslauthd/mux
> Dec 14 11:16:01 tnk saslauthd[22889]: server_exit : master exited: 22889
>
> My main.cf file:
> biff = no
> append_dot_mydomain = no
> mailbox_command = procmail -a "$EXTENSION"
> mailbox_size_limit = 100000000
> recipient_delimiter = +
> inet_interfaces = all
> inet_protocols = ipv4
> append_dot_mydomain = no
> myhostname = mail66.rosfirm.ru
> mydomain = mail66.rosfirm.ru
> myorigin = $mydomain
> mydestination =
> inet_interfaces = all
> unknown_local_recipient_reject_code = 550
> local_recipient_maps = unix:passwd.byname
> mailowner = mail
> mynetworks = 127.0.0.0/8
> smtpd_banner = Welcome to ESMTP Service on mail66.rosfirm.ru
> transport_maps = pgsql:/etc/postfix/transport.cf
> virtual_minimum_uid = 5000
> virtual_uid_maps = pgsql:/etc/postfix/uids.cf
> virtual_minimum_gid = 5000
> virtual_gid_maps = pgsql:/etc/postfix/gids.cf
> virtual_alias_maps = pgsql:/etc/postfix/virtual.cf
> virtual_mailbox_domains = pgsql:/etc/postfix/transport.cf
> virtual_mailbox_base = /var/local/mail
> virtual_mailbox_maps = pgsql:/etc/postfix/mailboxes.cf
> virtual_mailbox_limit = 51200000
> broken_sasl_auth_clients = yes
> smtpd_sasl_authenticated_header = yes
> smtp_sasl_auth_enable = yes

smtp_sasl_auth_enable is not required for the Postfix server to offer SMTP
AUTH.


> smtpd_sasl_auth_enable = yes
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_local_domain = $mydomain
> unknown_local_recipient_reject_code = 450
> smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated
>     reject_unauth_destination
> smtp_sasl_password_maps = pgsql:/etc/pam_pgsql.conf
>
> My pam_pgsql.conf file:

No way. This is pure fiction. Read the Postfix SASL_README and download
saslfinger (see my signature) to provide further debug output to this list.

p@rick


> dbname = mail
> host = localhost
> user = mailreader
> password = mailreader
> table = user_accounts
> select_field = username, password
> where_field = username, password
> user_column = username
> pwd_column = password
> pw_type = crypt
>
> debug = /var/log/pam_pgsql.log
>
> So what did I do incorrectly?

--
The Book of Postfix
<http://www.postfix-book.com>
saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
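What "a combination of authcid, authzid and password, base64 encoded" looks like in practice, as an added example that is not part of the thread: a Python script that builds the SASL PLAIN initial response (RFC 4616) the way gen-auth does, parses it the way a server does, and emulates the replies seen in this thread (334 when no initial response is given, "bad protocol" for the cleartext attempt, 235 on success). The user table and its PBKDF2 hashing are constructed stand-ins for the crypt(3) hashes pam_pgsql checks; reply texts not quoted in the thread are illustrative, not Postfix's exact wording.

```python
"""SASL PLAIN initial response (RFC 4616): build, parse, verify.

Added example, not code from the thread. The user table is constructed for
illustration; PBKDF2 stands in for the crypt(3) hashes pam_pgsql checks.
"""
import base64
import binascii
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000


def sasl_plain_encode(authcid: str, passwd: str, authzid: str = "") -> str:
    """Client side: base64([authzid] NUL authcid NUL passwd).

    authzid is usually empty ("act as the user I authenticate as"). NUL is
    the separator, so no field may contain it.
    """
    for field in (authzid, authcid, passwd):
        if "\0" in field:
            raise ValueError("NUL is not allowed inside a SASL PLAIN field")
    raw = f"{authzid}\0{authcid}\0{passwd}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def sasl_plain_decode(blob: str) -> tuple[str, str, str]:
    """Server side: strict base64 decode, then split on exactly two NULs.

    Anything else is rejected as malformed; a cleartext password sent where
    the blob belongs (the first attempt in the thread) lands here.
    """
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"initial response is not valid base64: {exc}") from None
    parts = raw.split(b"\0")
    if len(parts) != 3:
        raise ValueError("PLAIN message needs exactly two NUL separators")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    if not authcid or not passwd:
        raise ValueError("authcid and passwd must be non-empty")
    return authzid, authcid, passwd


def make_user_table(credentials: dict[str, str]) -> dict[str, tuple[bytes, bytes]]:
    """Constructed stand-in for the user_accounts table: user -> (salt, hash)."""
    table = {}
    for user, pw in credentials.items():
        salt = os.urandom(16)
        table[user] = (salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS))
    return table


def verify_password(table: dict, authcid: str, passwd: str) -> bool:
    """Constant-time comparison; unknown users still pay the hashing cost."""
    salt, expected = table.get(authcid, (b"\0" * 16, b"\0" * 32))
    got = hashlib.pbkdf2_hmac("sha256", passwd.encode(), salt, PBKDF2_ROUNDS)
    return authcid in table and hmac.compare_digest(got, expected)


def smtp_auth_plain(command: str, table: dict) -> str:
    """Emulate smtpd's reply to one 'AUTH PLAIN [initial-response]' line.

    The 334, 'bad protocol' and 235 texts are the ones quoted in the thread;
    the remaining reply texts are illustrative, not Postfix's exact wording.
    """
    words = command.split()
    if len(words) not in (2, 3) or [w.upper() for w in words[:2]] != ["AUTH", "PLAIN"]:
        return "501 5.5.4 Syntax: AUTH mechanism [initial-response]"
    if len(words) == 2:
        # No initial response: empty challenge, the client answers with the blob.
        return "334"
    try:
        authzid, authcid, passwd = sasl_plain_decode(words[2])
    except ValueError:
        return "535 5.7.0 Error: authentication failed: bad protocol / cancel"
    if not verify_password(table, authcid, passwd):
        return "535 5.7.0 Error: authentication failed: authentication failure"
    if authzid and authzid != authcid:
        # Proxy authorization: only let a user act as themselves.
        return "535 5.7.0 Error: authentication failed: not authorized"
    return "235 2.0.0 Authentication successful"


if __name__ == "__main__":
    users = make_user_table({"voynovicha": "P@$$w0rd"})  # credentials as posted in the thread
    blob = sasl_plain_encode("voynovicha", "P@$$w0rd")
    print("initial response:", blob)
    for attempt in ("auth plain P@$$w0rd", "auth plain", f"auth plain {blob}"):
        print(f"C: {attempt}\nS: {smtp_auth_plain(attempt, users)}")
```

Running it prints the same blob the final transcript in this thread sends, and walks through the cleartext attempt, the two-step exchange and the successful login. The decoder is deliberately strict (validated base64, exactly two NULs, non-empty authcid and password); a lenient decoder that tolerates stray padding or extra separators is how authzid confusion bugs start.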

archa_bhandare

Dec 14, 2007, 6:05:08 AM
I was trying to find out the port on which Postfix is running on my FreeBSD
system, but the command
#lsof -i tcp:25
is not working.
Can anyone tell me how I can find out which port Postfix is running on?

Regards,
Archa.

Patrick Ben Koetter

Dec 14, 2007, 6:16:00 AM
* archa_bhandare <archa_b...@persistent.co.in>:

If Postfix runs, it binds to port 25 by default.
Open your own thread, please.

p@rick

Войнович Андрей Александрович

Dec 14, 2007, 6:29:18 AM
> > -- content of /etc/postfix/sasl/smtpd.conf --
> > pwcheck_method: auxprop
> > auxprop_plugin: postfix-pgsql
> > saslauthd_path: /var/run/saslauthd
> > mech_list: plain
>
> You use crypted password in the PostgreSQL database, right?
> Then you will have to setup the saslauthd daemon to connect to
> your PGSQL using the PAM framework. Get the PAM pgsql driver and configure
> /etc/pam.d/smtp to access your PGSQL-server. Then start "saslauthd -a pam"
> and use the 'testsaslauthd' utility to check authentication. Only (!) if
> that works, proceed to configure Postfix <-> Cyrus SASL communication and
> relay authorization in Postfix.

Yes, I use crypted passwords in the PostgreSQL database, and I have already
set up Cyrus SASL and configured /etc/pam.d/smtp:
auth required pam_pgsql.so
account required pam_pgsql.so
password required pam_pgsql.so

I changed /etc/postfix/sasl/smtp.conf as you advised and ran a test:
# saslauthd -a pam
16:20:04 root@tnk:/etc/pam.d
# testsaslauthd -u "voynovicha" -p "P@$$w0rd" -s smtpd
0: NO "authentication failed"

In auth.log:
Dec 14 16:22:13 tnk saslauthd[31346]: pam_unix(smtpd:auth): check pass; user
unknown
Dec 14 16:22:13 tnk saslauthd[31346]: pam_unix(smtpd:auth): authentication
failure; logname= uid=0 euid=0 tty= ruser= rhost=
Dec 14 16:22:15 tnk saslauthd[31346]: DEBUG: auth_pam: pam_authenticate
failed: User not known to the underlying authentication module
Dec 14 16:22:15 tnk saslauthd[31346]: do_auth : auth failure:
[user=voynovicha] [service=smtpd] [realm=] [mech=pam] [reason=PAM auth error]

By the way, I have Dovecot IMAP and it works all right with the database.

Войнович Андрей Александрович

Dec 16, 2007, 11:54:02 PM
On Friday 14 December 2007 23:46:51 Patrick Ben Koetter wrote:
> * Войнович Андрей Александрович <duke...@vpcit.ru>:
> > > > -- content of /etc/postfix/sasl/smtpd.conf --
> > > > pwcheck_method: auxprop
> > > > auxprop_plugin: postfix-pgsql
> > > > saslauthd_path: /var/run/saslauthd
> > > > mech_list: plain
> > >
> > > You use crypted password in the PostgreSQL database, right?
> > > Then you will have to setup the saslauthd daemon to connect to
> > > your PGSQL using the PAM framework. Get the PAM pgsql driver and
> > > configure /etc/pam.d/smtp to access your PGSQL-server. Then start
> > > "saslauthd -a pam" and use the 'testsaslauthd' utility to check
> > > authentication. Only (!) if that works, proceed to configure Postfix
> > > <-> Cyrus SASL communication and relay authorization in Postfix.
> >
> > Yes, i use crypted passwords in the PostgreSQL database, and have already
> > set up Cyrus SASL and configured /etc/pam.d/smtp:
> > auth required pam_pgsql.so
> > account required pam_pgsql.so
> > password required pam_pgsql.so
> >
> > I changed /etc/postfix/sasl/smtp.conf as you advised and did test:
>
> Just to make sure: It must be "smtpd.conf", not "smtp.conf"

Oh yes, my mistake, it is indeed "smtpd.conf".

> > # saslauthd -a pam
> > 16:20:04 root@tnk:/etc/pam.d
> > # testsaslauthd -u "voynovicha" -p "P@$$w0rd" -s smtpd
>
> Nope. Wrong value! This time you need to send 'smtp' as service name. The
> service name will be passed over to pam, which uses it to locate the
> correct authentication configuration file i.e. /etc/pam.d/smtp.
>
> So try this:
>
> # testsaslauthd -u "voynovicha" -p "P@$$w0rd" -s smtp
Okay,

# testsaslauthd -u "voynovicha" -p "P@$$w0rd" -s smtp

0: NO "authentication failed"

Now it seems to work, but there is an error due to a configuration mistake:

auth.log:

Dec 17 09:40:34 tnk saslauthd[24274]: ipc_init : listening on
socket: /var/run/saslauthd/mux
Dec 17 09:40:49 tnk PAM_pgsql[24275]: attempting to authenticate: voynovicha
Dec 17 09:40:49 tnk PAM_pgsql[24275]: voynovicha
Dec 17 09:40:49 tnk PAM_pgsql[24275]: query: SELECT password FROM
user_accounts WHERE username='voynovicha'
Dec 17 09:40:49 tnk saslauthd[24275]: DEBUG: auth_pam: pam_authenticate
failed: Authentication failure
Dec 17 09:40:49 tnk saslauthd[24275]: do_auth : auth failure:
[user=voynovicha] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]

I think there might be a problem with the database encoding, because when I
configured Postfix I recompiled the dict_pgsql module to use koi8-r (by default
there was only LATIN1 to use), so maybe I should do the same with
pam_pgsql.so?

> > 0: NO "authentication failed"
> >
> > In auth.log:
> > Dec 14 16:22:13 tnk saslauthd[31346]: pam_unix(smtpd:auth): check pass;
> > user unknown
> > Dec 14 16:22:13 tnk saslauthd[31346]: pam_unix(smtpd:auth):
> > authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
> > Dec 14 16:22:15 tnk saslauthd[31346]: DEBUG: auth_pam: pam_authenticate
> > failed: User not known to the underlying authentication module
> > Dec 14 16:22:15 tnk saslauthd[31346]: do_auth : auth failure:
> > [user=voynovicha] [service=smtpd] [realm=] [mech=pam] [reason=PAM auth
> > error]
>
> See the service=smtpd above? This should read [service=smtp].
>
> > By the way, I have Dovecot IMAP and it works all right with the
> > database.
>
> If you don't want to use Cyrus SASL, you can use Dovecot SASL. The
> SASL_README tells how to do that.

I want to use Cyrus SASL; I just wanted to say that my database works and
Postfix is configured.

Войнович Андрей Александрович

Dec 17, 2007, 6:09:15 AM
On Monday 17 December 2007 13:50:17 Patrick Ben Koetter wrote:
> * Войнович Андрей Александрович <duke...@vpcit.ru>:
> That's beyond my current capabilities. Someone else must help you with
> that.
>
>
> p@rick

Thanks a lot. I don't know what I did exactly :-) but now it works, and I think
it'll be interesting for you to see my configs. While I was configuring it,
I was writing a small manual for myself including your suggestions, so here is
a piece of what I got:

Stop all the services (PostgreSQL, Postfix), then enable Postfix SASL support:

Add to main.cf:
# Enable SMTP authentication support
smtpd_sasl_type = cyrus
smtp_sasl_auth_enable = no
smtpd_sasl_auth_enable = yes

# outlook-sasl is broken
broken_sasl_auth_clients = yes

#report authenticated username in headers?
smtpd_sasl_authenticated_header = yes


smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $mydomain
unknown_local_recipient_reject_code = 450
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated
    reject_unauth_destination
smtp_sasl_password_maps = pgsql:/etc/pam_pgsql.conf

Remove smtp and smtpd from chroot in master.cf!!!

master.cf:
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
#submission inet n       -       -       -       -       smtpd
#  -o smtpd_enforce_tls=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps     inet  n       -       -       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#628      inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       -       -       -       smtp
        -o smtp_fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

Configuring SASL2:

/etc/default/saslauthd:

# Settings for saslauthd daemon
# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
#

# Should saslauthd run automatically on startup? (default: no)
START=yes

# Description of this saslauthd instance. Recommended.
# (suggestion: SASL Authentication Daemon)
DESC="SASL Authentication Daemon"

# Short name of this saslauthd instance. Strongly recommended.
# (suggestion: saslauthd)
NAME="saslauthd"

# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent  -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam       -- use PAM
# rimap     -- use a remote IMAP server
# shadow    -- use the local shadow password file
# sasldb    -- use the local sasldb database file
# ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="pam"

# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""

# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5

# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!
#
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
# See the saslauthd man page for general information about these options.
#
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
#OPTIONS="-c -m /var/run/saslauthd"
OPTIONS="-m /var/spool/postfix/var/run/saslauthd"

/etc/postfix/sasl/smtpd.conf:

pwcheck_method: saslauthd
mech_list: plain login

Configuring PAM:

/etc/pam_pgsql.conf:

database = mail


host = localhost
user = mailreader
password = mailreader
table = user_accounts

user_column = username
pwd_column = password
pw_type = crypt
debug = /var/log/pam_pgsql.log

/etc/pam.d/smtp:

auth            required        pam_pgsql.so
account         required        pam_pgsql.so
password        required        pam_pgsql.so

Now start all services and test:

telnet 82.193.130.68 26
Trying 82.193.130.68...
Connected to 82.193.130.68.
Escape character is '^]'.
220 Welcome to ESMTP Service on mail66.rosfirm.ru
helo host
250 mail66.rosfirm.ru
auth plain
334
AHZveW5vdmljaGEAUEAkJHcwcmQ=
235 2.0.0 Authentication successful
mail from: swee...@andrusha.net
250 2.1.0 Ok
rcpt to: duke...@vpcit.ru
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
hi there, Admin :)
.
250 2.0.0 Ok: queued as 4FB57138276
quit
221 2.0.0 Bye
Connection closed by foreign host.
duke:~$

To generate the auth string, use the Perl module at http://jetmore.org/john/code/gen-auth
To collect the SASL configuration, use the script at
http://postfix.state-of-mind.de/patrick.koetter/saslfinger/

Again, thanks a lot!!!

Yours faithfully,
Andrey
