Old 03-19-2008, 06:58 AM   #1
GuyWood13
LQ Newbie
 
Registered: Mar 2008
Posts: 11

Rep: Reputation: 0
SMTP authentication with postfix using sasl


Hi I'm trying to get postfix working with smtp authentication using sasl.

I have the following packages installed:
cyrus-sasl-saslauthd-2.1.21-18.4
cyrus-sasl-devel-2.1.21-18.4
cyrus-sasl-plain-2.1.21-18.4
cyrus-sasl-2.1.21-18.4

I have recompiled postfix by doing the following:
<postfix src dir># make tidy
blah
blah
blah
<postfix src dir># make makefiles CCARGS="-DUSE_SASL_AUTH -I/usr/include/sasl" AUXLIBS="-L/usr/lib -lsasl2" (I have checked these are the correct dir's)
blah
blah
blah
<postfix src dir># postfix stop
<postfix src dir># make install
blah
blah
blah
(and all seems okay to this point)

I then add the following lines to the /etc/postfix/main.cf file
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination

Then I start postfix again and to test, I try telnet the localhost on port 25 so I can run an ehlo command and see if AUTH is there. But, when I do this it just hangs.

Soooooooooooo I checked the logs and it can't spawn the smtp daemon (as below):
Mar 18 23:30:35 mailserver postfix/smtpd[3680]: warning: unsupported SASL server implementation: cyrus
Mar 18 23:30:35 mailserver postfix/smtpd[3680]: fatal: SASL per-process initialization failed
Mar 18 23:30:36 mailserver postfix/master[3528]: warning: process /usr/libexec/postfix/smtpd pid 3680 exit status 1
Mar 18 23:30:36 mailserver postfix/master[3528]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling

I am having this same problem in both FC6 and Suse Enterprise 10.

Any ideas? The CBT I am following for this shows this up and running (with suse)
 
Old 03-19-2008, 07:49 AM   #2
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165Reputation: 165
You probably need to add -DUSE_CYRUS_SASL as per the SASL readme. What does
Code:
postconf -a
show? Does it show only dovecot support?

Last edited by Berhanie; 03-19-2008 at 07:50 AM.
 
Old 03-20-2008, 07:11 AM   #3
GuyWood13
LQ Newbie
 
Registered: Mar 2008
Posts: 11

Original Poster
Rep: Reputation: 0
Thanks Berhanie, you were right... Managed to get SASL running now!

Unfortunately though, I can't get a remote client to authenticate now. After I recompiled postfix and got it working with sasl in the correct manner, I did the following:

# vi /usr/lib/sasl2/smtpd.conf
pwcheck_method: saslauthd
mech_list: plain login
<write + quit>
# service saslauthd start
Starting...
# postfix reload (for good measure)
Reloading...
#

Now again according to the CBT I am using and the postfix documentation, this should just work for plain authentication when somebody tries to relay using smtp. But it's not. When I try to authenticate, it doesn't accept my username/password as stated in the /etc/passwd and /etc/shadow files...

The logs show the following when I try send an email from remote client using outlook/thunderbird.

Mar 20 00:39:46 mailserver postfix/smtpd[14793]: connect from 123-123-123-123.cable.ubr10.blah.ISPprovider.co.uk[123.123.123.123]
Mar 20 00:39:46 mailserver postfix/smtpd[14793]: warning: 123-123-123-123.cable.ubr10.blah.ISPprovider.co.uk[123.123.123.123]: SASL LOGIN authentication failed: authentication failure
Mar 20 00:39:46 mailserver postfix/smtpd[14793]: lost connection after AUTH from 123-123-123-123.cable.ubr10.blah.ISPprovider.co.uk[123.123.123.123]
Mar 20 00:39:46 mailserver postfix/smtpd[14793]: disconnect from 123-123-123-123.cable.ubr10.blah.ISPprovider.co.uk[123.123.123.123]

Have I missed a step along the way here?

As I said, I am trying to authenticate using the username and password in the /etc/passwd and /etc/shadow files. All the relevant firewall ports are open. I am definitely using the right password :-)
 
Old 03-20-2008, 11:37 AM   #4
GuyWood13
LQ Newbie
 
Registered: Mar 2008
Posts: 11

Original Poster
Rep: Reputation: 0
Also I don't know if this is relevant but when I try to send an email using Thunderbird as opposed to Outlook... My log records are slightly different, see below:

Mar 20 16:33:27 mailserver postfix/smtpd[22618]: connect from 123-123-123-123.cable.ubr10.blah.ISPprovider.co.uk[123.123.123.123]
Mar 20 16:33:35 mailserver postfix/smtpd[22618]: warning: SASL authentication failure: Password verification failed
Mar 20 16:33:35 mailserver postfix/smtpd[22618]: warning: 123-123-123-123.cable.ubr10.blah.ISPprovider.co.uk[123.123.123.123]: SASL PLAIN authentication failed: authentication failure
Mar 20 16:33:35 mailserver postfix/smtpd[22618]: warning: 123-123-123-123.cable.ubr10.blah.ISPprovider.co.uk[123.123.123.123]: SASL LOGIN authentication failed: authentication failure

I'm obviously doing something blatantly wrong here because I've got this exact same problem in FC6 and Suse Enterprise 10.

So somebody please... Call me stupid and tell me what I'm doing wrong :-)

Guy
 
Old 03-20-2008, 07:45 PM   #5
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165Reputation: 165
For saslauthd to check the shadow file, it needs to be called with '-a shadow'. On redhat, you can do it with MECH=shadow in /etc/sysconfig/saslauthd. By default, it's MECH=pam, which may end up doing the same thing, depending on your pam config. Also, you can set FLAGS=-d in the same file to turn on debugging.
 
Old 03-20-2008, 08:20 PM   #6
billymayday
Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122Reputation: 122
Did you start saslauthd? Certainly on RH systems it runs as a service
 
Old 03-21-2008, 08:59 AM   #7
GuyWood13
LQ Newbie
 
Registered: Mar 2008
Posts: 11

Original Poster
Rep: Reputation: 0
Berhanie, I've managed to get saslauthd running with -a shadow.
# ps -ax | grep sasl
29100 pts/2 T 0:00 /bin/sh /sbin/service saslauthd restart
29105 pts/2 Z 0:00 [saslauthd] <defunct>
29113 pts/2 T 0:00 /bin/bash -c ulimit -S -c 0 >/dev/null 2>&1 ; /usr/sbin/saslauthd -m /var/run/saslauthd -a shadow -d
29114 ? Z 0:00 [saslauthd] <defunct>
29370 pts/2 T 0:00 /bin/sh /sbin/service saslauthd start
29375 pts/2 Z 0:00 [saslauthd] <defunct>
29378 pts/2 T 0:00 /bin/bash -c ulimit -S -c 0 >/dev/null 2>&1 ; /usr/sbin/saslauthd -m /var/run/saslauthd -a shadow -d
29379 ? Z 0:00 [saslauthd] <defunct>
29463 pts/2 T 0:00 /bin/sh /sbin/service saslauthd stop
29468 pts/2 Z 0:00 [saslauthd] <defunct>
29539 ? Ss 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a shadow
29540 ? S 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a shadow
29541 ? S 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a shadow
29542 ? S 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a shadow
29544 ? S 0:00 /usr/sbin/saslauthd -m /var/run/saslauthd -a shadow
29552 pts/2 R+ 0:00 grep sasl
#

I thought this would get it working. But when I try authenticate... It yields the same problem as before.

Also, when I add FLAGS=-d to the /etc/sysconfig/saslauthd file, it messes the service up and won't start, restart, stop or anything.
 
Old 03-21-2008, 06:26 PM   #8
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165Reputation: 165
Quote:
Also, when I add FLAGS=-d to the /etc/sysconfig/saslauthd file, it messes the service up and won't start, restart, stop or anything.
saslauthd just doesn't go into the background when you do that, so you can see the authentication attempts on the screen. Keep the FLAGS=-d, start saslauthd, open another terminal, run "testsaslauthd -u username -p password", and watch the first terminal for clues.
 
Old 03-21-2008, 06:55 PM   #9
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165Reputation: 165
Ok, I went through the steps on a CentOS 4 system, which I hope is similar enough to your setup. Here are details.

/etc/sysconfig/saslauthd:
Code:
SOCKETDIR=/var/run/saslauthd
MECH=shadow
FLAGS=
/etc/postfix/main.cf:
Code:
...
smtpd_sasl_auth_enable = yes
Code:
[machine ~]# testsaslauthd -u berhanie -p bigsecret
0: OK "Success."
[machine ~]# echo -ne '\0berhanie\0bigsecret' | openssl enc -base64
AGJlcmhhbmllAGJpZ3NlY3JldA==
[machine ~]# telnet localhost 25
220 machine.example.com ESMTP Postfix
EHLO localhost
250-machine.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN AGJlcmhhbmllAGJpZ3NlY3JldA==
235 2.0.0 Authentication successful

Last edited by Berhanie; 03-21-2008 at 06:56 PM.
 
Old 03-21-2008, 07:34 PM   #10
GuyWood13
LQ Newbie
 
Registered: Mar 2008
Posts: 11

Original Poster
Rep: Reputation: 0
Hi again Berhanie... thanks for spending the time with me on this.

My config files match and my tests yield the following.

[root@mailserver ~]# testsaslauthd -u guy -psuperbigsecret
0: NO "authentication failed"

[root@mailserver ~]# echo -ne \0guy\0superbigsecret | openssl enc -base64
LKNkad89293d99lsiio1==

[root@mailserver ~]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 mailserver.linux.mydomain.com ESMTP Postfix
ehlo localhost
250-mailserver.linux.mydomain.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN LKNkad89293d99lsiio1==
535 5.7.8 Error: authentication failed: bad protocol / cancel

When run in -d mode, the original console which I left running didn't do anything when running these tests. Just stayed on the restarting process screen. I also run the test auth tests without -d.

Last edited by GuyWood13; 03-21-2008 at 08:19 PM.
 
Old 03-21-2008, 08:46 PM   #11
GuyWood13
LQ Newbie
 
Registered: Mar 2008
Posts: 11

Original Poster
Rep: Reputation: 0
Woooooohooooo, I've managed to obtain some working'ness. I've managed to get SMTP authentication using sasl to work with my suse installation. All the latest testing/attempts had been done with FC but with suse, the changes work! See below:

Mar 22 01:34:51 mailserver postfix/smtpd[11065]: warning: dict_nis_init: NIS domain name not set - NIS lookups disabled
Mar 22 01:34:51 mailserver postfix/smtpd[11065]: connect from 123-123-123-123.cable.ubr10.blah.ISPprovider.co.uk[123.123.123.123]
Mar 22 01:34:51 mailserver postfix/smtpd[11065]: 61A6CF824D: client=123-123-123-123.cable.ubr10.blah.ISPprovider.co.uk[123.123.123.123], sasl_method=PLAIN, sasl_username=guy
Mar 22 01:34:51 mailserver postfix/cleanup[11069]: 61A6CF824D: message-id=<47E46279.7070208@linux.mydomain.com>
Mar 22 01:34:51 mailserver postfix/qmgr[10984]: 61A6CF824D: from=<guy@linux.mydomain.com>, size=592, nrcpt=1 (queue active)
Mar 22 01:34:51 mailserver postfix/smtpd[11065]: disconnect from 123-123-123-123.cable.ubr10.blah.ISPprovider.co.uk[123.123.123.123]
Mar 22 01:34:51 mailserver postfix/smtp[11070]: 61A6CF824D: to=<guy@myotheremail.com>, relay=smtp.myrelay.co.uk[123.123.456.456]:25, delay=0.14, delays=0.02/0.01/0.08/0.04, dsn=2.0.0, status=sent (250 OK id=1Jcscn-000594-US)
Mar 22 01:34:51 mailserver postfix/qmgr[10984]: 61A6CF824D: removed

Just thought I'd share some working logs for a change! :-)

Now although this works, the following test still fails:

mailserver:~ # echo -ne \0guy\0superbigsecret | openssl enc -base64
HGUwijx82djkBLAHf90==
mailserver:~ # telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mailserver.linux.mydomain.com ESMTP Postfix
ehlo localhost
250-mailserver.linux.mydomain.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN HGUwijx82djkBLAHf90==
535 5.7.8 Error: authentication failed: bad protocol / cancel

But, the other one works...

mailserver:~ # testsaslauthd -u guy -psuperbigsecret
0: OK "Success."

Strange huh? What's even stranger is this exact same setup doesn't work in FC6 :-(

Anyway, thank you for your help Berhanie - couldn't have got this working on my own!!!
 
Old 03-21-2008, 09:06 PM   #12
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165Reputation: 165
You need to use quotes around the user/password string:
Code:
echo -ne '\0guy\0superbigsecret'
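
Why the unquoted command in posts #10 and #11 is rejected while the quoted one works, as an added example that is not part of the thread: AUTH PLAIN expects base64 of authzid NUL authcid NUL passwd, and without quotes the shell strips the backslashes before echo sees them. The function names are hypothetical, and coreutils `base64` is assumed in place of the thread's `openssl enc -base64`.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes coreutils `base64` and `tr`.

# Build the AUTH PLAIN initial response with an empty authzid.
# The NULs come from printf's own format string; user and password are
# passed as %s data, so shell quoting of backslashes never matters.
auth_plain_token() {
    printf '\000%s\000%s' "$1" "$2" | base64 | tr -d '\n'
}

# Count NUL separators in a decoded token; a well-formed one has exactly 2.
nul_count() {
    printf '%s' "$1" | base64 -d 2>/dev/null | tr -cd '\000' | wc -c | tr -d ' '
}

# Extract the authcid (username) field from a token.
token_user() {
    printf '%s' "$1" | base64 -d 2>/dev/null | tr '\000' '\n' | sed -n '2p'
}

# Classify a token before pasting it into an SMTP session.
check_token() {
    if [ "$(nul_count "$1")" -eq 2 ]; then
        echo "well-formed"
    else
        echo "malformed"
    fi
}

# Credentials below are the sample ones used in the thread.
good=$(auth_plain_token berhanie bigsecret)

# What the unquoted `echo -ne \0guy\0superbigsecret` really encodes:
# the shell removes the backslashes first, so echo receives this literal
# text and no NUL byte is ever produced.
bad=$(printf '%s' '0guy0superbigsecret' | base64 | tr -d '\n')

echo "$good -> $(check_token "$good"), user=$(token_user "$good")"
echo "$bad -> $(check_token "$bad")"
```

The token is only base64-encoded, not encrypted, so anyone who can see the session can recover the password; Postfix's `smtpd_tls_auth_only = yes` restricts AUTH to TLS-protected connections.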
 
Old 03-22-2008, 09:52 AM   #13
GuyWood13
LQ Newbie
 
Registered: Mar 2008
Posts: 11

Original Poster
Rep: Reputation: 0
Yey! Well spotted Berhanie, that test works now also :-)

Any ideas why this isn't working in FC6? Shall I just conclude that it's an incompatibility?
 
Old 03-22-2008, 10:23 AM   #14
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165Reputation: 165
Quote:
Any ideas why this isn't working in FC6?
We know that the problem is with saslauthd, since not even testsaslauthd works. You should search the logs if you haven't already (e.g. grep -r saslauthd /var/log). You should also have selinux turned off. Apart from that, I don't have any ideas.

By the way, why did you have to compile postfix? Isn't the Fedora rpm already compiled against the cyrus libraries?
 
Old 03-23-2008, 07:23 AM   #15
GuyWood13
LQ Newbie
 
Registered: Mar 2008
Posts: 11

Original Poster
Rep: Reputation: 0
I didn't use a postfix RPM as I wanted to demonstrate it being installed from source for the purposes of my university project. Thus, I had to recompile to allow the use of Cyrus SASL.
 
  

