SASL Auth Tests Fail on Mail Server

carlosinfl · 11-23-2009, 04:04 PM

I followed the CentOS Wiki guide for configuring my Postfix server for SASL / TLS. I don't get any errors and I assume it's working but when I try and test SASL (saslauthd), I don't get the response noted according to the Wiki and I don't understand why.

Code:

[root@mail ~]# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 mail.iamghost.com ESMTP
EHLO iamghost.com
250-mail.iamghost.com
250-PIPELINING
250-SIZE 20480000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN AHRlc3QAdGVzdDEyMzQ=
538 5.7.0 Encryption required for requested authentication mechanism

I don't understand why this is...

I checked my logs and I can send email find in Thunderbird when configuring all to use SASL / TLS.

Code:

Nov 23 14:27:42 mail postfix/smtpd[28320]: 9F80F77A1D6: client=tunafish.iamghost.com[192.168.6.108], sasl_method=PLAIN, sasl_username=test

So from above when I send an email from my 'test' account, I can see the above in my logs. Can someone tell me what is wrong and why I get the "538" error when I test SASL via Telnet. I am very confused.

rweaver · 11-23-2009, 04:16 PM

This is the command if memory serves...

Code:

openssl s_client -starttls smtp -crlf -connect your.ip.goes.here:25

Which should open a open things up encrypted then let you do the same test. The reason it's doing that is you haven't specified that smtp auth is ok without tls.

Code:

smtpd_tls_auth_only = no

carlosinfl · 11-24-2009, 08:23 AM

Quote:

Originally Posted by rweaver

Which should open a open things up encrypted then let you do the same test. The reason it's doing that is you haven't specified that smtp auth is ok without tls.

Code:

smtpd_tls_auth_only = no

I did not try the command you suggested above but the code section of your post made me think to change 'smtpd_tls_auth_only = yes' in my main.cf so I changed it to "no" and tried my test again and it worked.

Code:

235 2.0.0 Authentication successful

I am sorry but can you explain why this worked when I made the change? I don't really follow what TLS impacts on SASL authentication.

Lastly, I noticed the service saslauthd is not set to start during server startup. Does 'saslauthd' need to be running in order for SASL and TLS to work on my mail server?

rweaver · 11-24-2009, 02:04 PM

basically smtpd_tls_auth_only=yes means you must be using an encryption to use smtpd auth, if it's set to no then you can use it over a plaintext connection which can be sniffed from the network and the encoding is not nearly as strong as real encryption even though it's not human readable.

Yes, saslauthd has to be running for the smtp auth to work.

Code:

chkconfig saslauthd on