Can't get SASL auxprop/sasldb working with postfix/Ubuntu 12.04


Solution 1

The giveaway is here:

-- active services in /etc/postfix/master.cf --
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
smtp      inet  n       -       -       -       -       smtpd
submission inet n       -       -       -       -       smtpd

The smtpd process on the submission port is running in chroot mode (since there is a - in that column, which means the default, which is yes, applies) and so can't see /etc/sasldb2.

When I copied /etc/sasldb2 to /var/spool/postfix/etc authentication started working fine.

Solution 2

chroot is definitely the reason; however, in my case, copying to /var/spool/postfix/etc did not work.

So I just got rid of chroot and that works for me.

In order to do that you will need to edit /etc/postfix/master.cf and locate the following line:

smtp      inet  n       -       -       -       -       smtpd

and modify it as follows:

smtp      inet  n       -       n       -       -       smtpd

Solution 3

Another way to synchronize the sasldb2 file to postfix's default chroot jail is to add a hard link to it:

ln /etc/sasldb2 /var/spool/postfix/etc/

Note that a symlink won't work because symlinks can't be accessed from inside the jail, but hard links can. This has the advantage over simply copying the file that future new users and password changes will be automatically synced without even a postfix reload.
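A small diagnostic that ties the three answers together, added here and not part of the thread: it lists the smtpd services in master.cf that run chrooted (a "-" in the chroot column means yes), and reports whether the sasldb inside the chroot is missing, a detached copy, or a hard link of the source file (hard links share an inode; a copy goes stale at the next saslpasswd2 run). The master.cf and sasldb2 it runs against are constructed in a temp directory; the function names are my own.

```shell
#!/bin/sh
# Print the names of smtpd services that will run inside the chroot jail.
# master.cf columns: service type private unpriv chroot wakeup maxproc command
# "-o ..." continuation lines have no "inet" in column 2 and are skipped.
chrooted_smtpd_services() {
    awk '$1 !~ /^#/ && $2 == "inet" && $8 == "smtpd" {
            flag = ($5 == "-") ? "y" : $5     # "-" means the default: chrooted
            if (flag == "y") print $1
         }' "$1"
}

# Report the state of <chroot>/etc/sasldb2 relative to the source sasldb:
# "missing", "copy" (separate file, will go stale) or "linked" (same inode).
sasldb_link_status() {
    src="$1"; inside="$2/etc/sasldb2"
    [ -e "$inside" ] || { echo missing; return 0; }
    src_ino=$(ls -i "$src" | awk '{print $1}')
    in_ino=$(ls -i "$inside" | awk '{print $1}')
    if [ "$src_ino" = "$in_ino" ]; then echo linked; else echo copy; fi
}

# Constructed demo mirroring the thread's master.cf; not the asker's real files.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/master.cf" <<'EOF'
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       -       -       -       smtpd
submission inet n       -       -       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
pickup    unix  n       -       -       60      1       pickup
EOF
    mkdir -p "$tmp/etc" "$tmp/jail/etc"
    printf 'constructed sasldb' > "$tmp/etc/sasldb2"
    echo "chrooted smtpd services:"
    chrooted_smtpd_services "$tmp/master.cf"
    echo "before linking: $(sasldb_link_status "$tmp/etc/sasldb2" "$tmp/jail")"
    ln "$tmp/etc/sasldb2" "$tmp/jail/etc/sasldb2"   # Solution 3's hard link
    echo "after linking:  $(sasldb_link_status "$tmp/etc/sasldb2" "$tmp/jail")"
    rm -rf "$tmp"
}

demo
```

On a real box, run chrooted_smtpd_services against /etc/postfix/master.cf and sasldb_link_status /etc/sasldb2 /var/spool/postfix; a hard link only works when /etc and /var/spool/postfix are on the same filesystem.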


Author: QuantumMechanic

Updated on September 18, 2022

Comments

  • QuantumMechanic (almost 2 years)

    I have an Ubuntu 8.04LTS system running Postfix 2.5.1. On that system SMTP AUTH runs fine. The contents of /etc/postfix/sasl/smtpd.conf are:

    pwcheck_method: auxprop
    auxprop_plugin: sasldb
    mech_list: PLAIN
    

    The SASL-related properties are:

    smtpd_sasl_type = cyrus
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_path = smtpd
    smtpd_sasl_security_options = noanonymous
    broken_sasl_auth_clients = yes
    smtpd_sasl_local_domain = $myhostname
    

    When I do sudo sasldblistusers2 I get:

    [email protected]: userPassword
    

    Like I said, that all works fine on the 8.04LTS system.

    However, I am trying to migrate this over to an Ubuntu 12.04LTS system running Postfix 2.9.3 and I just cannot get it to work. I'm doing everything the same, but postfix gives authentication failures every time.

    It's not the /etc/sasldb2 file. I've tried bringing over the file from the old system and that doesn't work. And I've created a new file using:

    saslpasswd2 -c -u mail.mydomain.com authusername
    

    and that doesn't work, though it WILL work on the old system if I copy it to the old system, which is how I know there's nothing wrong with the file.

    Similarly, I know postfix is seeing the smtpd.conf file. If I add more mechanisms to the mech_list line of the file, I see those extra mechanisms being advertised when I connect to the smtpd daemon. And when I remove them they go away again. So /etc/postfix/sasl/smtpd.conf is clearly getting used.

    I am testing both by using an actual mail client and by manually talking to the server after generating a token with this:

    perl -MMIME::Base64 -e 'print encode_base64("\000authusername\000thePassword");'
    

    then:

    openssl s_client -quiet -starttls smtp -connect the.newsystem.com:587
    

    The resulting conversation is:

    250 DSN
    EHLO example.com
    250-the.newsystem.com
    250-PIPELINING
    250-SIZE 20971520
    250-ETRN
    250-AUTH PLAIN
    250-AUTH=PLAIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    AUTH PLAIN theBase64EncodedToken
    535 5.7.8 Error: authentication failed: authentication failure
    

    But if I instead connect to the.oldsystem.com:587 and do the same thing, I get:

    235 2.7.0 Authentication successful
    

    The output of saslfinger on the new machine is:

    # sudoh saslfinger -s
    saslfinger - postfix Cyrus sasl configuration Sat Jul 21 00:24:24 EDT 2012
    version: 1.0.4
    mode: server-side SMTP AUTH
    
    -- basics --
    Postfix: 2.9.3
    System: Ubuntu 12.04 LTS \n \l
    
    -- smtpd is linked to --
            libsasl2.so.2 => /usr/lib/i386-linux-gnu/libsasl2.so.2 (0xb76c5000)
    
    
    -- active SMTP AUTH and TLS parameters for smtpd --
    broken_sasl_auth_clients = yes
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_local_domain = $myhostname
    smtpd_sasl_path = smtpd
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_type = cyrus
    smtpd_tls_CAfile = /etc/ssl/certs/MyCA.pem
    smtpd_tls_auth_only = yes
    smtpd_tls_cert_file = /etc/postfix/ssl/server.crt
    smtpd_tls_key_file = /etc/postfix/ssl/server.key
    smtpd_tls_loglevel = 1
    smtpd_tls_security_level = may
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtpd_tls_session_cache_timeout = 3600s
    
    
    -- listing of /usr/lib/sasl2 --
    total 16
    drwxr-xr-x  2 root root 4096 Jul 20 23:00 .
    drwxr-xr-x 67 root root 8192 Jul 20 21:25 ..
    -rw-r--r--  1 root root    1 May  4 00:17 berkeley_db.txt
    
    -- listing of /etc/postfix/sasl --
    total 20
    drwxr-xr-x 2 root root 4096 Jul 20 21:29 .
    drwxr-xr-x 5 root root 4096 Jul 20 23:58 ..
    -rw-r--r-- 1 root root   64 Jul 20 21:29 smtpd.conf
    
    
    
    -- content of /etc/postfix/sasl/smtpd.conf --
    pwcheck_method: auxprop
    auxprop_plugin: sasldb
    mech_list: PLAIN
    
    -- content of /etc/postfix/sasl/smtpd.conf --
    pwcheck_method: auxprop
    auxprop_plugin: sasldb
    mech_list: PLAIN
    
    
    -- active services in /etc/postfix/master.cf --
    # service type  private unpriv  chroot  wakeup  maxproc command + args
    #               (yes)   (yes)   (yes)   (never) (100)
    smtp      inet  n       -       -       -       -       smtpd
    submission inet n       -       -       -       -       smtpd
      -o syslog_name=postfix/submission
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      -o milter_macro_daemon_name=ORIGINATING
    
    [snipping the rest of the services]
    
    -- mechanisms on localhost --
    
    -- end of saslfinger output --
    

    What could I be missing/doing wrong? As far as I've been able to tell, all the config is the same, yet it will not work on the new system.

  • David Dombrowsky (about 8 years)
    This comment put an end to tonight's postfix madness. Also keep in mind that using this configuration will require the authentication user to be user@$myhostname, and not just "user". That is different between this and my similar exim config for authenticated relay.
  • mrjamesmyers (almost 7 years)
    You beauty, I had managed to get a test server (Ubuntu 16) relaying, so thought I would just re-implement my changes on the production server (Ubuntu 14)... all day trying things. Chroot was the reason, but changing to be not chroot gave worse results, so keeping chroot and implementing the above solved my issues.