Upgrading to Debian 7: Postfix Auth fails


I Solved it!

It took a lot of debugging, but everything works again with the following settings:

In /etc/postfix/smtpd.conf:

pwcheck_method: saslauthd
saslauthd_path: /run/saslauthd/mux
mech_list: PLAIN LOGIN
# DO NOT SPECIFY THE AUX_PROP PLUGIN!!
#auxprop_plugin: ldapdb

In /etc/saslauthd.conf:

...
ldap_auth_method: bind
#ldap_filter: (mail=%u)
ldap_filter: (mail=%u@%r)
...

Originally I had this filter, but because I saw login attempts for [email protected]@ in the LDAP log, I had changed the filter (see my original post).

!! All I needed was to comment out the auxprop_plugin setting !!

Please note, however, that in my sasl setup I ONLY use the ldap backend.

Marcel
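The two filters in the answer differ only in how the login name and the realm are substituted. The snippet below is an added illustration (example code, not part of Marcel's post and not Cyrus SASL's own code) that expands an ldap_filter template the way the observation in the answer implies: %u is the login name exactly as the client sent it and %r is a separately supplied realm, which is empty when none is given. With (mail=%u@%r) and a login of the form user@domain that produces a trailing @, which is the kind of entry Marcel saw in the LDAP log. The token set, the sample login names and the RFC 4515 escaping of the substituted values are this example's own; the escaping shows what any filter builder should do so that a login name such as x)(uid=* cannot change the meaning of the filter, and is not a statement about saslauthd internals.

```python
# Added example, not part of Marcel's post or of Cyrus SASL: expand an LDAP
# filter template the way the page's observation implies. Assumed tokens:
# %u = login name as the client sent it, %r = separately supplied realm
# (empty when none is given), %% = literal percent.

def ldap_escape(value):
    """Escape an assertion value per RFC 4515 so a login name such as
    'x)(uid=*' cannot change the meaning of the filter. The escaping is this
    example's own choice, not a description of saslauthd internals."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def expand_filter(template, login, realm=""):
    """Substitute %u, %r and %% in an ldap_filter template; realm defaults to
    empty, as when smtpd_sasl_local_domain is left blank."""
    tokens = {"%u": ldap_escape(login), "%r": ldap_escape(realm), "%%": "%"}
    out, i = [], 0
    while i < len(template):
        tok = template[i:i + 2]
        if tok in tokens:
            out.append(tokens[tok])
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample login; no realm, as in the question's Postfix setup.
    login = "marcel@mydomain.tld"
    for tmpl in ("(mail=%u)", "(mail=%u@%r)"):
        print(tmpl, "->", expand_filter(tmpl, login))
    # Only if the realm arrives separately does %u@%r rebuild the address.
    print("(mail=%u@%r)", "->", expand_filter("(mail=%u@%r)", "marcel", "mydomain.tld"))
    # An attacker-controlled login name stays inside the assertion value.
    print("(mail=%u)", "->", expand_filter("(mail=%u)", "x)(uid=*"))
```

Running it prints (mail=marcel@mydomain.tld@) for the %u@%r template with an empty realm, which is the trailing-@ lookup the answer describes, and the escaped (mail=x\29\28uid=\2a) for the hostile login name.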

Marcel van Dorp

Updated on September 18, 2022

Comments

  • Marcel van Dorp
    Marcel van Dorp almost 2 years

    I'm upgrading various Debian 6 servers to Debian 7. There are a few minor issues, but this one is a show stopper.

    On Debian, Postfix runs in a chrooted environment. That environment is set up correctly (it was working perfectly on Debian 6).

    I only use software from the stable releases of the Debian repository.

    The relevant (parts of the) configs (anonymised):

    in /etc/default/saslauthd:


    START=yes
    DESC="SASL Authentication Daemon"
    NAME="saslauthd"
    MECHANISMS="ldap"
    MECH_OPTIONS=""
    THREADS=5
    PARAMS=" -m /var/spool/postfix/run/saslauthd -O /etc/saslauthd.conf"
    OPTIONS=" -m /var/spool/postfix/run/saslauthd -O /etc/saslauthd.conf"
    PIDFILE="/var/spool/postfix/run/saslauthd/saslauthd.pid"
    

    in /etc/saslauthd.conf:

    # With multiple servers, separate URIs with a space
    ldap_servers: ldaps://my.ldap.server
    
    # Don't use SASL to connect to LDAP!! (Use SSL)
    #ldap_version: 3
    ldap_use_sasl: no
    ldap_bind_dn: uid=courier,ou=roles,dc=mydomain,dc=tld
    
    #watch out for trailing whitespace after the password!
    ldap_bind_pw: #######
    ldap_timeout: 10
    ldap_time_limit: 10
    
    ldap_scope: sub 
    ldap_search_base: ou=people,dc=mydomain,dc=tld
    ldap_auth_method: bind
    ldap_filter: (mail=%u)
    #ldap_filter: (mail=%u@%r)
    
    ldap_debug: 1
    ldap_verbose: off 
    ldap_referrals: yes 
    
    # Settings below are needed for ldaps URIs
    ldap_ssl: yes 
    ldap_start_tls: no
    ldap_tls_cacert_file: /etc/ssl/certs/allcacerts.pem
    ldap_tls_cert: /etc/ssl/certs/myserver.mydomain.tld.crt
    ldap_tls_key: /etc/ssl/private/myserver.mydomain.tld.key
    

    in /etc/postfix/sasl/smtpd.conf:

    #global parameters
    log_level: 5
    # WARNING !!! POSTFIX runs in a chrooted jail!!
    # Need to adjust paths to get the socket available!
    # adjust this in /etc/default/saslauthd
    # eg: PARAMS=/var/spool/postfix/run/saslauthd/
    # real saslauthd_path: /var/spool/postfix/run/saslauthd/mux
    pwcheck_method: saslauthd 
    saslauthd_path: /run/saslauthd/mux
    mech_list: PLAIN LOGIN
    auxprop_plugin: ldapdb
    #allow_plaintext: true
    #the database used is /var/spool/postfix/etc/sasldb2
    

    in /etc/postfix/main.cf

    #sasl configuration
    smtpd_sasl_auth_enable = yes 
    smtpd_sasl_path= smtpd
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_local_domain = 
    #broken_sasl_auth_clients = yes
    
    # TLS configuration
    smtpd_use_tls = yes 
    smtpd_tls_loglevel = 1 
    smtpd_tls_received_header = yes 
    smtpd_tls_key_file = /etc/ssl/private/myserver.mydomain.tld.key
    #smtpd_tls_cert_file = /etc/ssl/certs/myserver.mydomain.tld.crt
    smtpd_tls_cert_file  = /etc/ssl/certs/myserver.mydomain.tld.pem
    tls_random_source = dev:/dev/urandom
    # CAfile is read BEFORE entering chroot jail
    smtpd_tls_CAfile = /etc/ssl/certs/allcacerts.pem
    # CApath is used withIN chroot jail
    #smtpd_tls_CApath = /usr/share/ssl/certs/
    

    Cyrus SASL has its socket in /var/spool/postfix/run/saslauthd/mux

    I test with:

    testsaslauthd -s smtpd -f /var/spool/postfix/run/saslauthd/mux -u [email protected] -p PASSWD

    Gives: 0: OK "Success."

    FYI: With incorrect credentials it does fail :)

    With these results my conclusion is that sasl is working correctly.

    When I use 'swaks' to test ESMTP Auth:

    swaks -s myserver.mydomain.tld -p 25 -ehlo myclient.mydomain.tld -au [email protected] -ap PASSWD -t [email protected] -f [email protected]

    === Trying myserver.mydomain.tld:25...
    === Connected to myserver.mydomain.tld.
    <-  220 ***********************
     -> EHLO myclient.mydomain.tld
    <-  250-myserver.mydomain.tld
    <-  250-PIPELINING
    <-  250-SIZE 15360000
    <-  250-VRFY
    <-  250-ETRN
    <-  250-XXXXXXXA
    <-  250-AUTH PLAIN LOGIN
    <-  250-ENHANCEDSTATUSCODES
    <-  250-8BITMIME
    <-  250 DSN
     -> AUTH LOGIN
    <-  334 VXNlcmgfhgWU6
     -> bWFyY2hgh28ubmw=
    <-  334 UGFzfghdfmQ6
     -> bWFyUzYdfghgfhg==
    <** 535 5.7.8 Error: authentication failed: no mechanism available
     -> AUTH PLAIN AG1hcmdfhgdfgd1hclM2NW9ndCo=
    <** 535 5.7.8 Error: authentication failed: no mechanism available
    *** No authentication type succeeded
     -> QUIT
    <-  221 2.0.0 Bye
    === Connection closed with remote host.
    

    And in the logs:

    postfix/smtpd[5646]: auxpropfunc error invalid parameter supplied
    postfix/smtpd[5646]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
    postfix/smtpd[5646]: anonuserfunc error -7
    postfix/smtpd[5646]: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
    postfix/smtpd[5646]: warning: unknown[192.168.114.69]: SASL LOGIN authentication failed: no mechanism available
    postfix/smtpd[5646]: warning: unknown[192.168.114.69]: SASL PLAIN authentication failed: no mechanism available
    

    (IP is of the client machine)

    The postfix user is a member of the sasl group.

    I know Debian changed the library directory structure by inserting a triplet, to make it multi-arch capable.

    What used to be: /usr/lib/sasl2 is now: /usr/lib/x86_64-linux-gnu/sasl2 (for x86 64bits systems)

    I did copy the sasl2 directory to various places to make the libraries available, but it didn't change a thing.

    Anyone?

    Marcel
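The three files in the question have to agree with each other across the chroot boundary, and the posted log shows what happens when the auxprop plugin fails to load. Below is an added example (my own code, not from the question and not part of Postfix or Cyrus SASL) that reads the relevant settings from /etc/default/saslauthd, smtpd.conf and main.cf, with the sample contents constructed inline from the values in the question, and reports three things: whether the socket directory given to saslauthd with -m is the same file the chrooted smtpd will open at queue_directory + saslauthd_path; whether an auxprop_plugin is still configured next to pwcheck_method: saslauthd, which is the line Marcel's answer comments out; and whether PLAIN and LOGIN, which hand the password to the server in the clear, are offered without smtpd_tls_auth_only = yes (smtpd_use_tls = yes alone only makes TLS optional). The rule set, the finding codes and the hardened main.cf variant are the example's own, and the socket directory assumed when -m is absent is an assumption, not a documented default.

```python
# Added example, not from the original question or from Postfix/Cyrus SASL:
# a lint for the three files that have to agree for saslauthd-backed SMTP AUTH
# inside the Debian Postfix chroot. Sample contents are constructed from the
# values shown in the question.
import shlex

DEFAULT_SASLAUTHD = """
START=yes
MECHANISMS="ldap"
OPTIONS=" -m /var/spool/postfix/run/saslauthd -O /etc/saslauthd.conf"
"""

# /etc/postfix/sasl/smtpd.conf as posted in the question ...
SMTPD_CONF_ORIGINAL = """
pwcheck_method: saslauthd
saslauthd_path: /run/saslauthd/mux
mech_list: PLAIN LOGIN
auxprop_plugin: ldapdb
"""
# ... and with the auxprop_plugin line commented out, as in the answer.
SMTPD_CONF_FIXED = SMTPD_CONF_ORIGINAL.replace("auxprop_plugin:", "#auxprop_plugin:")

MAIN_CF = """
queue_directory = /var/spool/postfix
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_use_tls = yes
"""
# Hardened variant (assumed, not on the page): offer AUTH only once TLS is up.
MAIN_CF_TLS_ONLY = MAIN_CF + "smtpd_tls_auth_only = yes\n"


def parse_kv(text, sep):
    """Parse 'key<sep>value' lines (':' for smtpd.conf, '=' for main.cf),
    skipping blank lines and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(sep)
        conf[key.strip()] = value.strip()
    return conf


def parse_shell_vars(text):
    """Parse KEY="value" lines from /etc/default/saslauthd, dropping quotes."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = " ".join(shlex.split(value))
    return conf


def saslauthd_mux_dir(options):
    """Directory passed to saslauthd -m; the fallback is an assumed default."""
    args = shlex.split(options)
    for i, arg in enumerate(args):
        if arg == "-m" and i + 1 < len(args):
            return args[i + 1].rstrip("/")
        if arg.startswith("-m") and len(arg) > 2:   # -m/path form
            return arg[2:].rstrip("/")
    return "/var/run/saslauthd"


def lint(default_saslauthd, smtpd_conf, main_cf):
    """Return a list of (code, message) findings; empty means consistent
    under this example's rules."""
    findings = []
    env = parse_shell_vars(default_saslauthd)
    sasl = parse_kv(smtpd_conf, ":")
    pf = parse_kv(main_cf, "=")

    # 1. The chrooted smtpd opens saslauthd_path relative to queue_directory,
    #    so the daemon's -m directory must be that path seen from outside.
    chroot = pf.get("queue_directory", "/var/spool/postfix").rstrip("/")
    listens_on = saslauthd_mux_dir(env.get("OPTIONS", "")) + "/mux"
    smtpd_opens = chroot + sasl.get("saslauthd_path", "/var/run/saslauthd/mux")
    if listens_on != smtpd_opens:
        findings.append(("socket", f"saslauthd listens on {listens_on} but the "
                                   f"chrooted smtpd opens {smtpd_opens}"))

    # 2. The root cause in the question: an auxprop plugin next to
    #    pwcheck_method: saslauthd. The posted log shows ldapdb failing to
    #    load and smtpd then answering "no mechanism available".
    if sasl.get("pwcheck_method") == "saslauthd" and "auxprop_plugin" in sasl:
        findings.append(("auxprop", f"auxprop_plugin {sasl['auxprop_plugin']} is "
                                    "set although saslauthd checks the password"))

    # 3. PLAIN and LOGIN carry the password in the clear; smtpd_use_tls = yes
    #    only makes TLS optional, so require TLS before AUTH is offered.
    mechs = set(sasl.get("mech_list", "").upper().split())
    sec_opts = {o.strip() for o in pf.get("smtpd_sasl_security_options", "").split(",")}
    if (mechs & {"PLAIN", "LOGIN"}
            and pf.get("smtpd_tls_auth_only", "no") != "yes"
            and "noplaintext" not in sec_opts):
        findings.append(("plaintext", "PLAIN/LOGIN offered without "
                                      "smtpd_tls_auth_only = yes"))
    return findings


if __name__ == "__main__":
    for label, conf in (("original", SMTPD_CONF_ORIGINAL), ("fixed", SMTPD_CONF_FIXED)):
        print(label, lint(DEFAULT_SASLAUTHD, conf, MAIN_CF) or "no findings")
```

Run as a script it reports the auxprop and plaintext findings for the original smtpd.conf and only the plaintext one for the fixed version; pointing it at the real files is a matter of replacing the constructed strings with the files' contents.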

  • chuni
    chuni over 10 years
    Thanks man, it helped after several hours of debugging and reading. Please accept your answer.