Postfix/SASL/MySQL "SASL LOGIN authentication failed"

Temujin_12 · 10-04-2008, 01:07 AM

Okay, here we go...

I'm trying to get SMTP to work using postfix/sasl/mysql on an Ubuntu 6.06.2 LTS server. I followed a really good guide in setting this up.

I've turned off TLS so I can test things in basic LOGIN mode. I've turned up logging as much as I can figure out how to do. Here's what I'm seeing:

Client:

Code:

$telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
220 mydomain.com ESMTP Postfix
EHLO mydomain.com
250-mydomain.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN LOGIN
250-AUTH=DIGEST-MD5 CRAM-MD5 PLAIN LOGIN
250 8BITMIME
AUTH LOGIN
334 VXNlcm5hbWU6
[BASE_64_ENCODED_USERNAME]
334 UGFzc3dvcmQ6
[BASE_64_ENCODED_PASSWORD]
535 Error: authentication failed

Here's what I see in my mail.log:

Code:

Oct  4 00:52:38 mydomain postfix/smtpd[4942]: > localhost.localdomain[127.0.0.1]: 220 mydomain.com ESMTP Postfix
Oct  4 00:52:44 mydomain postfix/smtpd[4942]: < localhost.localdomain[127.0.0.1]: EHLO localhost
Oct  4 00:52:44 mydomain postfix/smtpd[4942]: > localhost.localdomain[127.0.0.1]: 250-mydomain.com
Oct  4 00:52:44 mydomain postfix/smtpd[4942]: > localhost.localdomain[127.0.0.1]: 250-PIPELINING
Oct  4 00:52:44 mydomain postfix/smtpd[4942]: > localhost.localdomain[127.0.0.1]: 250-SIZE 10240000
Oct  4 00:52:44 mydomain postfix/smtpd[4942]: > localhost.localdomain[127.0.0.1]: 250-ETRN
Oct  4 00:52:44 mydomain postfix/smtpd[4942]: > localhost.localdomain[127.0.0.1]: 250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN LOGIN
Oct  4 00:52:44 mydomain postfix/smtpd[4942]: match_list_match: localhost.localdomain: no match
Oct  4 00:52:44 mydomain postfix/smtpd[4942]: match_list_match: 127.0.0.1: no match
Oct  4 00:52:44 mydomain postfix/smtpd[4942]: > localhost.localdomain[127.0.0.1]: 250-AUTH=DIGEST-MD5 CRAM-MD5 PLAIN LOGIN
Oct  4 00:52:44 mydomain postfix/smtpd[4942]: > localhost.localdomain[127.0.0.1]: 250 8BITMIME
Oct  4 00:52:48 mydomain postfix/smtpd[4942]: < localhost.localdomain[127.0.0.1]: AUTH LOGIN
Oct  4 00:52:48 mydomain postfix/smtpd[4942]: smtpd_sasl_authenticate: sasl_method LOGIN
Oct  4 00:52:48 mydomain postfix/smtpd[4942]: smtpd_sasl_authenticate: uncoded challenge: Username:
Oct  4 00:52:48 mydomain postfix/smtpd[4942]: > localhost.localdomain[127.0.0.1]: 334 VXNlcm5hbWU6
Oct  4 00:52:58 mydomain postfix/smtpd[4942]: < localhost.localdomain[127.0.0.1]: [BASE64_ENCODED_USERNAME]
Oct  4 00:52:58 mydomain postfix/smtpd[4942]: smtpd_sasl_authenticate: decoded response: myusername@mydomain.com
Oct  4 00:52:58 mydomain postfix/smtpd[4942]: smtpd_sasl_authenticate: uncoded challenge: Password:
Oct  4 00:52:58 mydomain postfix/smtpd[4942]: > localhost.localdomain[127.0.0.1]: 334 UGFzc3dvcmQ6
Oct  4 00:53:05 mydomain postfix/smtpd[4942]: < localhost.localdomain[127.0.0.1]: [BASE64_ENCODED_PASSWORD]
Oct  4 00:53:05 mydomain postfix/smtpd[4942]: smtpd_sasl_authenticate: decoded response: [MY_PASSWORD]
Oct  4 00:53:06 mydomain postfix/smtpd[4942]: warning: localhost.localdomain[127.0.0.1]: SASL LOGIN authentication failed
Oct  4 00:53:06 mydomain postfix/smtpd[4942]: > localhost.localdomain[127.0.0.1]: 535 Error: authentication failed

My biggest frustration is the seeming "SASL LOGIN authentication failed" dead end. I can't for the life of me get the logs to tell my why SASL authentication failed. I've turned on MySQL logging and it is making the queries as specified in my postfix configuration files.

My question is how can I figure out what exactly is causing the SASL authentication failure? Most SASL errors I've seen other people having with this have a bit more information about what caused the SASL authentication failure. Is there a way to turn the SASL logging up?

Mr. C. · 10-04-2008, 01:13 AM

SASL troubles can be debugged using saslfinger: http://postfix.state-of-mind.de/patr...er/saslfinger/

You are using LOGIN I assume because you have Outlook* clients?

Temujin_12 · 10-04-2008, 10:57 AM

Quote:

ou are using LOGIN I assume because you have Outlook* clients?

No, I'm just doing it in telnet.

Quote:

SASL troubles can be debugged using saslfinger: http://postfix.state-of-mind.de/patr...er/saslfinger/

I've run saslfinger and here's the output:
saslfinger -s:

Code:

saslfinger - postfix Cyrus sasl configuration Sat Oct  4 10:54:33 CDT 2008
version: 1.0.2
mode: server-side SMTP AUTH

-- basics --
Postfix: 2.2.10
System: Ubuntu 6.06.2 LTS \n \l

-- smtpd is linked to --
        libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x00002aaaab4f1000)

-- active SMTP AUTH and TLS parameters for smtpd --
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = no


-- listing of /usr/lib64/sasl2 --
total 1088
[EXCLUDED]

-- listing of /usr/lib/sasl2 --
total 1088
[EXCLUDED]




-- content of /etc/postfix/sasl/smtpd.conf --
log_level: 7
pwcheck_method: auxprop
auxprop_plugin: sql
mech_list: plain login cram-md5 digest-md5
sql_engine: mysql
sql_hostnames: 127.0.0.1
sql_user: --- replaced ---
sql_passwd: --- replaced ---
sql_database: maildb
sql_select: select password from mailbox where username='%u@%r' and active = 1


-- active services in /etc/postfix/master.cf --
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
smtp      inet  n       -       -       -       -       smtpd      -v
          -o cleanup_service_name=pre-cleanup
smtps    inet  n       -       n       -       -       smtpd
        -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
587     inet   n       -       n       -       -       smtpd
        -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
        -o mime_header_checks=
        -o nested_header_checks=
        -o body_checks=
        -o header_checks=
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       300     1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
        -o fallback_relay=
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
amavis    unix  -       -       -       -       2       smtp
          -o smtp_data_done_timeout=1200
          -o smtp_send_xforward_command=yes
127.0.0.1:10025 inet n  -       -       -       -       smtpd
          -o content_filter=
          -o local_recipient_maps=
          -o relay_recipient_maps=
          -o smtpd_restriction_classes=
          -o smtpd_client_restrictions=
          -o smtpd_helo_restrictions=
          -o smtpd_sender_restrictions=
          -o smtpd_recipient_restrictions=permit_mynetworks,reject
          -o strict_rfc821_envelopes=yes
          -o mynetworks=127.0.0.0/8
          -o smtpd_error_sleep_time=0
          -o smtpd_soft_error_limit=1001
          -o smtpd_hard_error_limit=1001
pre-cleanup unix n      -       -       -       0       cleanup
          -o virtual_alias_maps=
          -o canonical_maps=
          -o sender_canonical_maps=
          -o recipient_canonical_maps=
          -o masquerade_domains=
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

-- mechanisms on localhost --
250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN LOGIN
250-AUTH=DIGEST-MD5 CRAM-MD5 PLAIN LOGIN


-- end of saslfinger output --

saslfinger -c:

Code:

saslfinger - postfix Cyrus sasl configuration Sat Oct  4 10:52:43 CDT 2008
version: 1.0.2
mode: client-side SMTP AUTH

-- basics --
Postfix: 2.2.10
System: Ubuntu 6.06.2 LTS \n \l

-- smtp is linked to --
        libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x00002aaaab4f1000)

-- active SMTP AUTH and TLS parameters for smtp --
relayhost =
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtp_use_tls = yes


-- listing of /usr/lib64/sasl2 --
total 1088
[EXCLUDED]

-- listing of /usr/lib/sasl2 --
total 1088
[EXCLUDED]


Cannot find the smtp_sasl_password_maps parameter in main.cf.
Client-side SMTP AUTH cannot work without this parameter!

I noticed that it says I needed the "smtp_sasl_password_maps" property in order for client side login. Not knowing exactly what MySQL config is needed to do this, I borrowed config from a how to for postfix/sasl/mysql. Now when I run:

Code:

saslfinger -c

...it no longer shows that error. Restarting postfix/sasl, I still get the same SASL authentication failure. What's confusing is that I'm not seeing any additional MySQL queries in my query log, which leads me to believe that the authentication failure is happening before it involves the "smtp_sasl_password_maps" config.

Does anyone see anything else in my saslfinger outputs that indicates where the problem may be coming from?

Temujin_12 · 10-04-2008, 12:27 PM

Thought I'd include MySQL logging to provide some more information:

Code:

                   2262 Connect     mail@localhost on maildb
                   2262 Query       START TRANSACTION
                   2262 Query       select password from mailbox where username='myusername@mydomain.com' and active = 1
                   2262 Query       COMMIT
                   2262 Quit

Here's my mailbox table:

Code:

mysql> select * from mailbox limit 1 \G
*************************** 1. row ***************************
username: myusername@mydomain.com
password: {SHA}3da541559918a808c2402bba5012f6c60b27661c
    name: My Name
 maildir: myusername@mydomain.com/
   quota: 0
  domain: mydomain.com
 created: 2008-10-01 23:36:57
modified: 2008-10-01 23:36:57
  active: 1
1 row in set (0.00 sec)

Mr. C. · 10-04-2008, 08:46 PM

The :

Code:

Cannot find the smtp_sasl_password_maps parameter in main.cf.
Client-side SMTP AUTH cannot work without this parameter!

is for client side (note the smtp_* paramters). This is used when you want your Postfix smtp to act as a client and authenticate with a remote SMTP server. If you are not configuring your smtp client to send w/authentication, you can comment out all the smtp_sasl* parameters, and there is no need to run saslfinger -c.

Your SASL authentication failures are for smtpd, the Postfix smtp server. The smtpd daemon is for clients attempting to submit mail for relay/delivery, and in your case authenticate themselves to do so.

Cyrus SASL does not support encrypted passwords via MySQL. See this thread:

http://tech.groups.yahoo.com/group/p...message/241701

Temujin_12 · 10-04-2008, 08:59 PM

Quote:

This is used when you want your Postfix smtp to act as a client and authenticate with a remote SMTP server. If you are not configuring your smtp client to send w/authentication, you can comment out all the smtp_sasl* parameters, and there is no need to run saslfinger -c.

Good to know. Thanks for the info! I'm not planning on doing any relaying, so I'll comment those out.

However, the problem I'm having is with clients connecting to my server, not with my server connecting as a client to other servers. Does anyone know how to further debug the SASL authentication failure as described before.

Mr. C. · 10-04-2008, 09:02 PM

Right, see my last lines re: encrypted MySQL passwords. Go to plain text w/MySQL.

Temujin_12 · 10-04-2008, 09:55 PM

Quote:

Cyrus SASL does not support encrypted passwords via MySQL. See this thread:

http://tech.groups.yahoo.com/group/p...message/241701

Ah. Rereading your reply, that makes sense now.

Sure enough, going into my DB and setting the password to the plain text value allows me to login.

Well, that sucks. I don't want to store plain-text passwords in my DB. Are there any simple alternatives that anyone knows about to avoid having to store clear-text passwords in the DB? If not, I guess I'll have to store the clear-text passwords (as much as it pains me to do so).

Mr. C. · 10-04-2008, 10:37 PM

Please read the entire thread, esp. post 4 and 5.