Issue integrating with Cyrus-SASL
Crazedfred
2011-09-05 02:30:49 UTC
Hello,
I'm having trouble with authentication on Debian 6.

I've set up Postfix to use Cyrus-SASL to authenticate against LDAP.
The SASL configuration is a success:
sudo testsaslauthd -u "***@example.com" -p "notRightPassword"
0: NO "authentication failed"
sudo testsaslauthd -u "***@example.com" -p "testtest123"
0: OK "Success."

However, a telnet attempt does not work:
telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
220 ComputerName ESMTP Postfix (Debian/GNU)
auth plain PDAwPnRlc3RAZXhhbXBsZS5jb208MDA+dGVzdHRlc3QxMjM=
535 5.7.8 Error: authentication failed: authentication failure


When I try the above telnet authentication, I get the following errors in my syslog:
postfix/smtpd[31075]: connect from localhost.localdomain[127.0.0.1]
postfix/smtpd[31075]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
postfix/smtpd[31075]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
postfix/smtpd[31075]: warning: SASL authentication failure: Password verification failed
postfix/smtpd[31075]: warning: localhost.localdomain[127.0.0.1]: SASL plain authentication failed: authentication failure

My understanding is that the Berkeley warning is not relevant, since I'm using LDAP.
Please correct me if that is not the case.
I also get this error in my auth log:
postfix/smtpd[31208]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb


I've checked that Cyrus is supported:

sudo postconf -a
cyrus
dovecot
sudo postconf -A
cyrus


Without further log errors, I'm a bit confused.
What can I do to get more information about this error? Where should I look?
I can provide full configuration files if desired.

Thanks for your time!
Patrick Ben Koetter
2011-09-05 05:11:26 UTC
Post by Crazedfred
Hello,
I'm having trouble with authentication on Debian 6.
I've set up Postfix to use Cyrus-SASL to authenticate against LDAP.
0: NO "authentication failed"
0: OK "Success."
telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
220 ComputerName ESMTP Postfix (Debian/GNU)
auth plain PDAwPnRlc3RAZXhhbXBsZS5jb208MDA+dGVzdHRlc3QxMjM=
$ gen-auth decode PDAwPnRlc3RAZXhhbXBsZS5jb208MDA+dGVzdHRlc3QxMjM=
<00>***@example.com<00>testtest123


If you use the pass above, change it now that you have sent it to public.
Post by Crazedfred
535 5.7.8 Error: authentication failed: authentication failure
postfix/smtpd[31075]: connect from localhost.localdomain[127.0.0.1]
postfix/smtpd[31075]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
postfix/smtpd[31075]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
Where did you put smtpd.conf? On Debian it should be in
/etc/postfix/sasl/smtpd.conf.

Do you run Postfix smtpd chrooted? If yes, is the saslauthd socket in the jail
where Postfix can connect to it?

***@rick
--
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
Crazedfred
2011-09-05 16:28:06 UTC
Post by Patrick Ben Koetter
If you use the pass above, change it now that you have sent it to public.
I am substituting in fake accounts and passwords to show what's going on, these do not match what I am actually using :)
Post by Patrick Ben Koetter
Where did you put smtpd.conf? On Debian it should be in
/etc/postfix/sasl/smtpd.conf.
On my system that file did not exist (the sasl directory is empty); it was located at /usr/lib/sasl2/smtpd.conf
The only lines are the ones I put there:

pwcheck_method: saslauthd
mech_list: login plain
Post by Patrick Ben Koetter
Do you run Postfix smtpd chrooted?
Not to my knowledge; I am running a pretty default install.
How could I confirm that?
Post by Patrick Ben Koetter
You seem to be generating your base64 hash incorrectly, putting literal
"<00>" in the hash instead of the null character.  See the following for
http://www.postfix.org/SASL_README.html#server_test
The \000 is apparently just a different escape character.
From http://qmail.jms1.net/test-auth.shtml:

"... if you use \0 as the separator, and the userid or password happens to start with a digit, perl will try to find and use a three-digit octal character code instead of a one-digit null byte with two normal digits behind it. Using \000 instead of just \0 prevents this from happening."

At any rate, the result is the same regardless:

perl -MMIME::Base64 -e 'print encode_base64("\0test\@example.com\0testtest123")'
AHRlc3RAZXhhbXBsZS5jb20AdGVzdHRlc3QxMjM=
perl -MMIME::Base64 -e 'print encode_base64("\000test\@example.com\000testtest123")'
AHRlc3RAZXhhbXBsZS5jb20AdGVzdHRlc3QxMjM=
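The encoding discussed above (RFC 4616 PLAIN: authzid NUL authcid NUL passwd) and the "<00>" mistake from the earlier post, as an added example that is not code from the thread. It builds the AUTH PLAIN argument and decodes one in a log-safe way, flagging literal escape text where NUL bytes belong; the credentials are the thread's own placeholders (test@example.com / testtest123), not real ones.

```python
"""Encode and sanity-check SASL PLAIN initial responses (RFC 4616).

Added example, not code from the thread. The credentials are the thread's
own placeholders (test@example.com / testtest123), not real ones.
"""
import base64

NUL = b"\x00"


def encode_plain(authcid: str, passwd: str, authzid: str = "") -> str:
    """Build the base64 argument for AUTH PLAIN: [authzid] NUL authcid NUL passwd."""
    message = authzid.encode("utf-8") + NUL + authcid.encode("utf-8") + NUL + passwd.encode("utf-8")
    return base64.b64encode(message).decode("ascii")


def inspect_plain(initial_response: str) -> dict:
    """Decode an AUTH PLAIN argument and explain why a server would reject it.

    The password is deliberately not returned, so the result is safe to log.
    """
    try:
        raw = base64.b64decode(initial_response, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return {"ok": False, "authzid": "", "authcid": "", "reason": f"not valid base64: {exc}"}
    parts = raw.split(NUL)
    if len(parts) != 3:
        reason = f"expected 2 NUL separators, found {len(parts) - 1}"
        # The mistake from the thread: the escape text was typed instead of a NUL byte
        if any(marker in raw for marker in (b"<00>", b"\\0", b"\\000")):
            reason += "; literal escape text found where NUL bytes belong"
        return {"ok": False, "authzid": "", "authcid": "", "reason": reason}
    authzid, authcid, passwd = parts
    if not authcid or not passwd:
        return {"ok": False, "authzid": "", "authcid": "", "reason": "empty authcid or password"}
    return {"ok": True, "authzid": authzid.decode("utf-8", "replace"),
            "authcid": authcid.decode("utf-8", "replace"), "reason": ""}


if __name__ == "__main__":
    good = encode_plain("test@example.com", "testtest123")
    print(good, inspect_plain(good))
    print(inspect_plain("PDAwPnRlc3RAZXhhbXBsZS5jb208MDA+dGVzdHRlc3QxMjM="))
```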
Patrick Ben Koetter
2011-09-05 17:15:32 UTC
Post by Crazedfred
Post by Patrick Ben Koetter
If you use the pass above, change it now that you have sent it to public.
I am substituting in fake accounts and passwords to show what's going on, these do not match what I am actually using :)
Post by Patrick Ben Koetter
Where did you put smtpd.conf? On Debian it should be in
/etc/postfix/sasl/smtpd.conf.
On my system that file did not exist (the sasl directory is empty); it was located at /usr/lib/sasl2/smtpd.conf
pwcheck_method: saslauthd
mech_list: login plain
If you run Postfix from Debian packages, you need to locate smtpd.conf at
/usr/lib/sasl2/smtpd.conf.

You also need to add the postfix user to the sasl group:

% adduser postfix sasl
Post by Crazedfred
Post by Patrick Ben Koetter
Do you run Postfix smtpd chrooted?
Not to my knowledge; I am running a pretty default install.
Then it very likely is chrooted.
Post by Crazedfred
How could I confirm that?
1. Check the chroot column for the smtp service in master.cf
2. Run saslfinger. It will generate a report useful for debugging Cyrus SASL
on this list.

If it runs chrooted and if you want to stick with that you need to change the
location where saslauthd puts the socket. On Debian you edit OPTIONS at the
bottom of /etc/default/saslauthd:

OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

Then restart saslauthd using the init-script. It will create all necessary
paths and set all permissions to establish the socket in
/var/spool/postfix/var/run/saslauthd.

***@rick
Charles Marcus
2011-09-07 18:02:16 UTC
I ran "saslfinger -c" and "saslfinger -s" and it does appear that many
of the relevant services are chrooted.
Either they are or they aren't...

As your master.cf shows, most are...

Anything without an 'n' in the chroot column IS chrooted (it does NOT
have to have a 'y')...
--
Best regards,

Charles
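The chroot-column rule stated above ("anything without an 'n' is chrooted"), as an added example that is not code from the thread: a small master.cf audit that lists which services run in the Postfix jail, which is where a saslauthd socket at the default path becomes unreachable. SAMPLE_MASTER_CF is constructed to resemble a Debian 6 (Postfix 2.x) file and is not the poster's configuration; default_chroot=True models the pre-3.0 default of 'y'.

```python
"""Audit the chroot column of a Postfix master.cf.

Added example, not code from the thread. SAMPLE_MASTER_CF is constructed to
resemble a Debian 6 (Postfix 2.x) master.cf; it is not the poster's file.
"""

SAMPLE_MASTER_CF = """\
# service   type  private unpriv  chroot  wakeup  maxproc command + args
smtp        inet  n       -       -       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
submission  inet  n       -       n       -       -       smtpd
pickup      fifo  n       -       -       60      1       pickup
cleanup     unix  n       -       -       -       0       cleanup
qmgr        fifo  n       -       n       300     1       qmgr
local       unix  -       n       n       -       -       local
"""


def parse_master_cf(text: str, default_chroot: bool = True) -> dict:
    """Return {"service/type": chrooted?} for every service entry.

    Columns are: service type private unpriv chroot wakeup maxproc command.
    A '-' means "use the default"; before Postfix 3.0 the chroot default was
    'y', which is why anything without an explicit 'n' runs chrooted on the
    2011 Debian system in the thread (default_chroot=True models that).
    """
    services = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            continue  # continuation line such as "-o option=value"
        fields = line.split()
        if len(fields) < 8:
            continue  # not a complete service entry
        name, svc_type, chroot = fields[0], fields[1], fields[4]
        chrooted = default_chroot if chroot == "-" else chroot.lower() == "y"
        services[f"{name}/{svc_type}"] = chrooted
    return services


def chrooted_services(text: str, default_chroot: bool = True) -> list:
    """Names of services that would run inside the Postfix chroot jail."""
    return sorted(k for k, v in parse_master_cf(text, default_chroot).items() if v)


if __name__ == "__main__":
    for svc in chrooted_services(SAMPLE_MASTER_CF):
        print(f"{svc}: chrooted (saslauthd socket must live under the queue directory)")
```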
Crazedfred
2011-09-08 17:33:18 UTC
Quite right. However, my question is, what do I do with it now?
I followed patrick's suggestions and got the same results.

Any help appreciated :)
Charles Marcus
2011-09-08 17:51:37 UTC
Please don't top post...
Post by Crazedfred
Post by Charles Marcus
I ran "saslfinger -c" and "saslfinger -s" and it does appear that many
of the relevant services are chrooted.
Either they are or they aren't...
As your master.cf shows, most are...
Anything without an 'n' in the chroot column IS chrooted (it does NOT
have to have a 'y')...
Quite right. However, my question is, what do I do with it now?
I followed patrick's suggestions and got the same results.
Any help appreciated :)
Eliminate the chroot until you get it working, *then* work on chrooting
everything - *if* you really feel you need it (most people don't).
--
Best regards,

Charles
Crazedfred
2011-09-08 18:05:41 UTC
> Please don't top post...

Whoops, sorry, web-client defaults :)
It doesn't even quote correctly.

> Eliminate the chroot until you get it working, *then* work on chrooting everything - *if* you really feel you need it (most people don't).
I would agree that I most likely don't need chroot (and it is strange that the default config has issues with chroot?). How can I disable the feature for all of postfix's components?
Charles Marcus
2011-09-08 18:20:38 UTC
Post by Crazedfred
I would agree that I most likely don't need chroot (and it is strange
that the default config has issues with chroot?). How can I disable the
feature for all of postfix's components?
As I said... place an 'n' in the chroot column for each service...

Rtfm might be a good idea...
--
Best regards,

Charles
Wietse Venema
2011-09-13 23:30:12 UTC
Post by Charles Marcus
place an 'n' in the chroot column for each service
Sounds good.
On your advice, I went and turned off chroot, then ran "saslfinger -s" again (output attached).
I restarted the saslauthd and postfix services before doing so.
You can see that chroot is off for all components.
Further, based on the Postfix Debugging documentation, I turned on debugging for localhost.
535 5.7.8 Error: authentication failed: authentication failure
postfix/smtpd[30480]: auxpropfunc error invalid parameter supplied
postfix/smtpd[30480]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
According to saslfinger output, Cyrus SASL is trying to use mechanisms
that differ from the ones that you want to use.

Cyrus SASL uses these:

-- mechanisms on localhost --
250-AUTH CRAM-MD5 DIGEST-MD5 PLAIN NTLM LOGIN

You want to use PLAIN and LOGIN instead:

-- content of /usr/lib/sasl2/smtpd.conf --
pwcheck_method: saslauthd
mech_list: login plain

Perhaps Cyrus SASL picks up settings from a different smtpd.conf file.

What is the result of:

find / -name smtpd.conf

and what is the content of the files?

Wietse
Patrick Ben Koetter
2011-09-14 03:23:50 UTC
Sorry for the delay.
I ran "saslfinger -c" and "saslfinger -s" and it does appear that many of
the relevant services are chrooted. I wasn't quite sure, however, so I
attached the full output of both commands.
You want server-side debug output, which is 'saslfinger -s'.
Cannot find the smtp_sasl_password_maps parameter in main.cf.
Client-side SMTP AUTH cannot work without this parameter!
That can be ignored with server-side SASL.
#OPTIONS="-c -m /var/run/saslauthd"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
Correct.
Sep  7 11:25:02 gpasswd[8432]: user postfix added by root to group sasl
Sep  7 11:26:18 postfix/smtpd[8489]: auxpropfunc error invalid parameter supplied
Sep  7 11:26:18 postfix/smtpd[8489]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
The Cyrus SASL libsasl library wants to initialize the ldapdb auxprop plugin.
It fails because it isn't configured. You don't want ldapdb. Ignore it.
Sep  7 11:53:20 postfix/smtpd[8821]: connect from localhost.localdomain[127.0.0.1]
Sep  7 11:53:37 postfix/smtpd[8821]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
Sep  7 11:53:37 postfix/smtpd[8821]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
Sep  7 11:53:37 postfix/smtpd[8821]: warning: SASL authentication failure: Password verification failed
Sep  7 11:53:37 postfix/smtpd[8821]: warning: localhost.localdomain[127.0.0.1]: SASL plain authentication failed: authentication failure
The smtpd.conf isn't where it should be on Debian systems. Move it from
/usr/lib/sasl2/smtpd.conf to /etc/postfix/sasl/smtpd.conf.

***@rick
Crazedfred
2011-09-15 04:24:53 UTC
What is the result of: find / -name smtpd.conf
sudo find / -name smtpd.conf
/usr/lib/sasl2/smtpd.conf


That is the only result, I'm afraid.
And the contents of the file do match:

cat /usr/lib/sasl2/smtpd.conf
pwcheck_method: saslauthd
mech_list: login plain
Patrick Ben Koetter
2011-09-15 08:43:28 UTC
Post by Crazedfred
What is the result of: find / -name smtpd.conf
sudo find / -name smtpd.conf
/usr/lib/sasl2/smtpd.conf
read the debian documentation!

***@rick
Crazedfred
2011-09-16 15:51:50 UTC
Post by Patrick Ben Koetter
Post by Crazedfred
What is the result of: find / -name smtpd.conf
sudo find / -name smtpd.conf
/usr/lib/sasl2/smtpd.conf
read the debian documentation!
Could you elaborate?
Am I looking for the wrong file?
That search above was run at the behest of another user on this list.

The Debian Wiki (http://wiki.debian.org/Postfix) mentions
/etc/postfix/main.cf and /etc/postfix/master.cf, both of which I've been editing.
Wietse Venema
2011-09-16 18:17:13 UTC
Post by Patrick Ben Koetter
Post by Crazedfred
What is the result of: find / -name smtpd.conf
sudo find / -name smtpd.conf
/usr/lib/sasl2/smtpd.conf
read the debian documentation!
Could you elaborate?
Am I looking for the wrong file?

I have seen several hints on this mailing list that Debian Postfix
wants to read /etc/postfix/sasl/smtpd.conf.

Wietse
John Peach
2011-09-16 18:26:05 UTC
Post by Crazedfred
Post by Patrick Ben Koetter
Post by Crazedfred
What is the result of: find / -name smtpd.conf
sudo find / -name smtpd.conf
/usr/lib/sasl2/smtpd.conf
read the debian documentation!
Could you elaborate?
Am I looking for the wrong file?
I have seen several hints on this mailing list that Debian Postfix
wants to read /etc/postfix/sasl/smtpd.conf.
That's exactly where it is on mine.
Patrick Ben Koetter
2011-09-16 20:06:00 UTC
Post by Crazedfred
Post by Patrick Ben Koetter
Post by Crazedfred
What is the result of: find / -name smtpd.conf
sudo find / -name smtpd.conf
/usr/lib/sasl2/smtpd.conf
read the debian documentation!
Could you elaborate?
Am I looking for the wrong file?
That search above was run at the behest of another user on this list.
The Debian Wiki (http://wiki.debian.org/Postfix) mentions
/etc/postfix/main.cf and /etc/postfix/master.cf, both of which I've been editing.
Download and unpack http://www.state-of-mind.de/download/saslauthd_script.tar.gz.
Then run:

$ scriptreplay saslauthd.timing saslauthd.session

It will replay a session where I install and configure Cyrus SASL for Postfix
using saslauthd on squeeze.

***@rick
Crazedfred
2011-09-21 10:20:36 UTC
Post by Crazedfred
Post by Patrick Ben Koetter
Post by Crazedfred
What is the result of: find / -name smtpd.conf
sudo find / -name smtpd.conf
/usr/lib/sasl2/smtpd.conf
read the debian documentation!
Could you elaborate?
Am I looking for the wrong file?
I have seen several hints on this mailing list that Debian Postfix
wants to read /etc/postfix/sasl/smtpd.conf.
That's exactly where it is on mine.

---

Strange. I'm on Debian 6, with all the packages that Patrick mentions in his script recording, and that file did not exist:
$ cat /etc/postfix/sasl/smtpd.conf
cat: /etc/postfix/sasl/smtpd.conf: No such file or director

So, I just copied the file over:
$ sudo cp /usr/lib/sasl2/smtpd.conf /etc/postfix/sasl/smtpd.conf
$ cat /etc/postfix/sasl/smtpd.conf
pwcheck_method: saslauthd
mech_list: login plain

Restarted both services:
$ sudo service saslauthd restart
Stopping SASL Authentication Daemon: saslauthd.
Starting SASL Authentication Daemon: saslauthd.
$ sudo service postfix restart
Stopping Postfix Mail Transport Agent: postfix.
Starting Postfix Mail Transport Agent: postfix.

However, Postfix still won't accept my login:
$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
220 MyComputer ESMTP Postfix (Debian/GNU)
auth plain MY-HASH
535 5.7.8 Error: authentication failed: authentication failure

The good news is that "saslfinger -s" is now reporting the right methods (strangely, one file is listed twice):
-- content of /usr/lib/sasl2/smtpd.conf --
pwcheck_method: saslauthd
mech_list: login plain
-- content of /etc/postfix/sasl/smtpd.conf --
pwcheck_method: saslauthd
mech_list: login plain
-- content of /etc/postfix/sasl/smtpd.conf --
pwcheck_method: saslauthd
mech_list: login plain
-- mechanisms on localhost --
250-AUTH PLAIN LOGIN

Looks like the same failure as before:
postfix/smtpd[30926]: connect from localhost.localdomain[127.0.0.1]
postfix/smtpd[30926]: match_hostname: localhost.localdomain ~? 127.0.0.0/8
postfix/smtpd[30926]: match_hostaddr: 127.0.0.1 ~? 127.0.0.0/8
postfix/smtpd[30926]: > localhost.localdomain[127.0.0.1]: 220 MyComputer ESMTP Postfix (Debian/GNU)
postfix/smtpd[30926]: xsasl_cyrus_server_create: SASL service=smtp, realm=(null)
postfix/smtpd[30926]: name_mask: noanonymous
postfix/smtpd[30926]: watchdog_pat: 0xb922b518
postfix/smtpd[30926]: < localhost.localdomain[127.0.0.1]: auth plain MY-HASH
postfix/smtpd[30926]: xsasl_cyrus_server_first: sasl_method plain, init_response MY-HASH
postfix/smtpd[30926]: xsasl_cyrus_server_first: decoded initial response
postfix/smtpd[30926]: warning: SASL authentication failure: Password verification failed
postfix/smtpd[30926]: warning: localhost.localdomain[127.0.0.1]: SASL plain authentication failed: authentication failure
postfix/smtpd[30926]: > localhost.localdomain[127.0.0.1]: 535 5.7.8 Error: authentication failed: authentication failure
postfix/smtpd[30926]: watchdog_pat: 0xb922b518
postfix/smtpd[30926]: smtp_get: EOF

This is frustrating, because it says the SASL authentication fails, when it clearly works:
$ sudo testsaslauthd -u "***@example.com" -p "testtest123"
0: OK "Success."

Patrick, I watched your script demonstration but I'm afraid that besides the difference between our authentication choices (you set it up to authenticate local users, mine hits an LDAP tree) our setup appears to be very similar. And since SASL itself is succeeding, I'm assuming the error can't be there...