Upgrading to Debian 7: Postfix Auth fails
I Solved it!
It took a lot of debugging, but everything works again with the following settings:
In /etc/postfix/smtpd.conf:
pwcheck_method: saslauthd
saslauthd_path: /run/saslauthd/mux
mech_list: PLAIN LOGIN
# DO NOT SPECIFY THE AUX_PROP PLUGIN!!
#auxprop_plugin: ldapdb
In /etc/saslauthd.conf:
...
ldap_auth_method: bind
#ldap_filter: (mail=%u)
ldap_filter: (mail=%u@%r)
...
Originally I had this filter, but because I saw in the LDAP log loginattempts for [email protected]@
, I had changed the filter (see my original post).
!! All I needed was to comment out the auxprop_plugin setting !!
Please note, however, that in my sasl setup I ONLY use the ldap backend.
Marcel
Related videos on Youtube
Marcel van Dorp
Updated on September 18, 2022Comments
-
Marcel van Dorp almost 2 years
I'm upgrading various Debian 6 servers to Debian 7. There are a few minor issues, but this one is a show stopper.
On Debian, Postfix runs in a chrooted environment. That environment is setup correctly (it was working perfectly on Debian6).
I only use software from the stable releases from the debian repository
The relevant (parts of the) configs (anonymised):
in /etc/default/saslauthd:
START=yes DESC="SASL Authentication Daemon" NAME="saslauthd" MECHANISMS="ldap" MECH_OPTIONS="" THREADS=5 PARAMS=" -m /var/spool/postfix/run/saslauthd -O /etc/saslauthd.conf" OPTIONS=" -m /var/spool/postfix/run/saslauthd -O /etc/saslauthd.conf" PIDFILE="/var/spool/postfix/run/saslauthd/saslauthd.pid"
in /etc/saslauthd.conf:
# With multiple servers, separate URIs with a space ldap_servers: ldaps://my.ldap.server # Don't use SASL to connect to LDAP!! (Use SSL) #ldap_version: 3 ldap_use_sasl: no ldap_bind_dn: uid=courier,ou=roles,dc=mydomain,dc=tld #watch out for trailing whitespace after the pasword! ldap_bind_pw: ####### ldap_timeout: 10 ldap_time_limit: 10 ldap_scope: sub ldap_search_base: ou=people,dc=mydomain,dc=tld ldap_auth_method: bind ldap_filter: (mail=%u) #ldap_filter: (mail=%u@%r) ldap_debug: 1 ldap_verbose: off ldap_referrals: yes # Settings below are needed for ldaps URIs ldap_ssl: yes ldap_start_tls: no ldap_tls_cacert_file: /etc/ssl/certs/allcacerts.pem ldap_tls_cert: /etc/ssl/certs/myserver.mydomain.tld.crt ldap_tls_key: /etc/ssl/private/myserver.mydomain.tld.key
in /etc/postfix/sasl/smtpd.conf:
#global parameters log_level: 5 # WARNING !!! POSTFIX runs in a chrooted jail!! # Need to adjust paths to get the socket available! # adjust this in /etc/defaults/saslauthd # eg: PARAMS=/var/spool/postfix/run/saslauthd/ # real saslauthd_path: /var/spool/postfix/run/saslauthd/mux pwcheck_method: saslauthd saslauthd_path: /run/saslauthd/mux mech_list: PLAIN LOGIN auxprop_plugin: ldapdb #allow_plaintext: true #the database used is /var/spool/postfix/etc/sasldb2
in /etc/postfix/main.cf
#sasl configuration smtpd_sasl_auth_enable = yes smtpd_sasl_path= smtpd smtpd_sasl_security_options = noanonymous smtpd_sasl_local_domain = #broken_sasl_auth_clients = yes # TLS configuration smtpd_use_tls = yes smtpd_tls_loglevel = 1 smtpd_tls_received_header = yes smtpd_tls_key_file = /etc/ssl/private/myserver.mydomain.tld.key #smtpd_tls_cert_file = /etc/ssl/certs/myserver.mydomain.tld.crt smtpd_tls_cert_file = /etc/ssl/certs/myserver.mydomain.tld.pem tls_random_source = dev:/dev/urandom # CAfile is read BEFORE entering chroot jail smtpd_tls_CAfile = /etc/ssl/certs/allcacerts.pem # CApath is used withIN chroot jail #smtpd_tls_CApath = /usr/share/ssl/certs/
Cyrus SASL has it's socket in
/var/spool/postfix/run/saslauthd/mux
I test with:
testsaslauthd -s smtpd -f /var/spool/postfix/run/saslauthd/mux -u [email protected] -p PASSWD
Gives:
0: OK "Success."
FYI: With incorrect credentials is does fail :)
With these results my conclusion is that sasl is working correctly.
When I use 'swaks' to test ESMTP Auth:
swaks -s myserver.mydomain.tld -p 25 -ehlo myclient.mydomain.tld -au [email protected] -ap PASSWD -t [email protected] -f [email protected]
=== Trying myserver.mydomain.tld:25... === Connected to myserver.mydomain.tld. <- 220 *********************** -> EHLO myclient.mydomain.tld <- 250-myserver.mydomain.tld <- 250-PIPELINING <- 250-SIZE 15360000 <- 250-VRFY <- 250-ETRN <- 250-XXXXXXXA <- 250-AUTH PLAIN LOGIN <- 250-ENHANCEDSTATUSCODES <- 250-8BITMIME <- 250 DSN -> AUTH LOGIN <- 334 VXNlcmgfhgWU6 -> bWFyY2hgh28ubmw= <- 334 UGFzfghdfmQ6 -> bWFyUzYdfghgfhg== <** 535 5.7.8 Error: authentication failed: no mechanism available -> AUTH PLAIN AG1hcmdfhgdfgd1hclM2NW9ndCo= <** 535 5.7.8 Error: authentication failed: no mechanism available *** No authentication type succeeded -> QUIT <- 221 2.0.0 Bye === Connection closed with remote host.
And in the logs:
postfix/smtpd[5646]:auxpropfunc error invalid parameter supplied postfix/smtpd[5646]:_sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb postfix/smtpd[5646]:anonuserfunc error -7 postfix/smtpd[5646]:_sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb postfix/smtpd[5646]:warning: unknown[192.168.114.69 : SASL LOGIN authentication failed: no mechanism available postfix/smtpd[5646]:warning: unknown[192.168.114.69 : SASL PLAIN authentication failed: no mechanism available
(IP is of the client machine)
The postfix user is a member of the sasl group.
I know Debian changed the library directory structure by inserting a triplet, to make it multi-arch capable.
What used to be:
/usr/lib/sasl2
is now:/usr/lib/x86_64-linux-gnu/sasl2
(for x86 64bits systems)I did copy the sasl2 directory to various places to make the libraries available, but it didn't change a thing.
Anyone?
Marcel
-
chuni over 10 yearsThanks man, it helped after several hours of debugging and reading. Please accept your answer.