I want to configure multiple relay hosts with postfix (depending
on the sender address) - but the problem is that the postfix
smtp client does not do sasl authentication (or does not use the
authentication data).
I am using the Ubuntu 10.04 postfix package (2.7.0) and started with a
distribution provided local-delivery-only default config.
Following http://www.postfix.org/SASL_README.html I extended my main.cf
like this:
relayhost =
default_transport = smtp
relay_transport = smtp
smtp_sender_dependent_authentication = yes
sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# only for testing, should be the most permissive
smtp_sasl_security_options = noanonymous
where file sasl_passwd (permissions 600 and root:root) is:
na...@example.org user:pw
[smarthost.example.org] user:pw
(2nd line is only for testing)
and sender_relay:
na...@example.org [smarthost.example.org]
I build both with postmap:
# postmap sasl_passwd
# postmap sender_relay
And reload the config:
# postfix reload
But with a simple test, the postfix smtp client does not do any
authentication:
# echo foo | sendmail -f na...@example.org -oi ju...@example.net
-> postfix correctly relays it to smarthost.example.org but does not
authenticate, i.e. the smarthost rejects it:
Relay access denied (in reply to RCPT TO command)
That means:
* Postfix uses the sender_dependent_relayhost_maps file as
expected
* It is unclear, if postfix can't match the sender _or_ the hostname in
sasl_passwd or if it just ignores the sasl_passwd file
About sasl client support: postconf displays:
# postconf -A
cyrus
And the libsasl2-modules and libsasl2-2 packages are installed.
Thus my questions:
1) How can I debug whether postfix is actually using the
smtp_sasl_password_maps file and what it is trying to match there?
2) Is there some Debian/Ubuntu specific postfix modification that
maybe somehow disables the sasl feature?
Best regards
Georg
PS: The remote smarthost is not under my control, but running postfix -
when I install exim for testing, sasl client authentication works with the
same account data.
Hi,
> Please read: http://www.postfix.com/DEBUG_README.html
> In particular section: Reporting problems to postfi...@postfix.org
> Recommended:
[..]
> If the problem is SASL related, consider including the output from the
> saslfinger tool. This can be found at
> http://postfix.state-of-mind.de/patrick.koetter/saslfinger/.
Yeah, I saw that minutes after posting.
saslfinger outputs no mechanisms:
-- mechanisms on na...@example.org --
-- mechanisms on [smarthost.example.org] --
And indeed, using directly nc:
$ nc example.org 25
EHLO computer.private
250-smarthost.example.org
250-PIPELINING
250-SIZE 202400000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
AUTH is missing ...
Perhaps it is only available after STARTTLS?!?
$ openssl s_client -connect smarthost.example.org:25 -starttls smtp
[..]
250 DSN
EHLO lenovo.private
250-smarthost.example.org
[..]
250-AUTH PLAIN LOGIN
[..]
Yes, sasl authentication is only available after STARTTLS.
Thus, adding
smtp_use_tls = yes
to main.cf fixes the issue for me.
In this situation smtp_tls_security_level would also make sense, I guess.
May I suggest a few things?
1) Adding a pointer to saslfinger to http://www.postfix.org/SASL_README.html
2) a) Adding an AUTH test with openssl ... -starttls to the saslfinger script.
b) Fixing saslfinger such that it does not try to connect to email addresses
(or [host] names) and understands a relayhost map?
c) Fixing saslfinger such that it prints a warning if no mechanisms are found
3) Making the postfinger and saslfinger scripts available from a checksummed
version control repository (e.g. git/mercurial).
Best regards
Georg
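
The check proposed in suggestions 2a and 2c above, as an added example that is not part of the original post or of saslfinger: it compares the EHLO reply seen before STARTTLS with the one seen inside TLS and warns when no AUTH mechanisms are advertised. The function names and the sample replies are constructed for illustration, modelled on the two sessions quoted in the message.

```python
import re

# Constructed sample replies modelled on the two sessions in the post
# (extensions the post elides with "[..]" are simply left out).
PLAIN_EHLO = """250-smarthost.example.org
250-PIPELINING
250-SIZE 202400000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""
TLS_EHLO = """250-smarthost.example.org
250-PIPELINING
250-AUTH PLAIN LOGIN
250 DSN"""


def ehlo_extensions(reply):
    """Map each EHLO keyword to its parameter list, skipping the greeting line."""
    ext = {}
    for line in reply.splitlines()[1:]:
        # Accept "250-KEYWORD params", "250 KEYWORD" and the legacy "AUTH=..." form.
        m = re.match(r"250[- ]([A-Za-z0-9-]+)(?:[ =](.*))?$", line.strip())
        if m:
            ext.setdefault(m.group(1).upper(), []).extend((m.group(2) or "").split())
    return ext


def diagnose(plain_reply, tls_reply=None):
    """Explain where (if anywhere) the server advertises SASL mechanisms."""
    plain = ehlo_extensions(plain_reply)
    if plain.get("AUTH"):
        return "AUTH offered in cleartext: " + " ".join(plain["AUTH"])
    if "STARTTLS" not in plain:
        return "WARNING: no AUTH and no STARTTLS offered"
    if tls_reply is None:
        return "WARNING: no AUTH before STARTTLS; repeat EHLO inside TLS"
    mechs = ehlo_extensions(tls_reply).get("AUTH", [])
    if mechs:
        return "AUTH only after STARTTLS (%s): enable TLS in the SMTP client" % " ".join(mechs)
    return "WARNING: no AUTH mechanisms found, even after STARTTLS"


if __name__ == "__main__":
    print(diagnose(PLAIN_EHLO))
    print(diagnose(PLAIN_EHLO, TLS_EHLO))
```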