Re: No worthy mechs found

From: Andreas Winkelmann (mlawinkelmann.de)
Date: Sat Oct 15 2005 - 20:52:56 CDT


On Sunday 16 October 2005 03:42, greg wm wrote:

> i'm trying to setup a satellite MTA to do plaintext auth via TLS.
>
> the problem as i understand it is neither postfix nor saslauthd provide
> a handy way to specify which auth mechanism to use.
>
> i had this working under
> postfix-2.0.16-14.RHEL3/cyrus-sasl-2.1.15-10.WB1 (whitebox 3) by
> removing /usr/lib/sasl*/*gss* from the satellite.
>
> here's the evidence of success from the destination server log:
> Oct 12 22:05:22 sergio postfix/smtpd[24997]: connect from
> 70-58-237-24.mpls.qwest.net[70.58.237.24]
> Oct 12 22:05:23 sergio postfix/smtpd[24997]: 5534E5146D:
> client=70-58-237-24.mpls.qwest.net[70.58.237.24], sasl_method=PLAIN,
> sasl_username=gmott
>
> but now under postfix-2.1.5-4.2.RHEL4/cyrus-sasl-2.1.19-5.EL4 (centos 4)
> i'm having trouble, and i need to learn how to get this working.
>
> before removing any mechanism libs, the satellite maillog said:
> Oct 11 04:33:15 eclaire postfix/qmgr[10341]: 37A649F351:
> from=<rooteclaire.eclair.greatlakedata.com>, size=622, nrcpt=1 (queue
> active)
> Oct 11 04:33:16 eclaire postfix/smtp[10473]: 37A649F351:
> to=<rootnvpf.us>, relay=nvpf.org[209.240.253.93], delay=1,
> status=deferred (Authentication failed: SASL authentication failed;
> server nvpf.org[209.240.253.93] said: 535 Error: authentication failed)
>
> while the destination server maillog said:
> Oct 11 04:33:14 sergio postfix/smtpd[30883]: connect from
> 70-58-237-24.mpls.qwest.net[70.58.237.24]
> Oct 11 04:33:15 sergio postfix/smtpd[30883]: warning: SASL
> authentication problem: unable to open Berkeley db /etc/sasldb2: No such
> file or directory
> Oct 11 04:33:15 sergio postfix/smtpd[30883]: warning: SASL
> authentication problem: unable to open Berkeley db /etc/sasldb2: No such
> file or directory
> Oct 11 04:33:15 sergio postfix/smtpd[30883]: warning: SASL
> authentication failure: no secret in database
> Oct 11 04:33:15 sergio postfix/smtpd[30883]: warning:
> 70-58-237-24.mpls.qwest.net[70.58.237.24]: SASL DIGEST-MD5
> authentication failed
> Oct 11 04:33:15 sergio postfix/smtpd[30883]: warning: Read failed in
> network_biopair_interop with errno=0: num_read=0, want_read=5
> Oct 11 04:33:15 sergio postfix/smtpd[30883]: lost connection after AUTH
> from 70-58-237-24.mpls.qwest.net[70.58.237.24]

Add a mech_list option to /usr/lib/sasl2/smtpd.conf on the server.

mech_list: plain login

If this does not work, google for "saslfinger" and show the output from it on
the two machines. Option "-s" on the server, "-c" on the client.

> after removing /usr/lib/sasl*/*{gss,db,md5}* from the satellite, that
> changed slightly:
> Oct 14 22:40:40 sergio postfix/smtpd[23812]: connect from
> 70-58-237-24.mpls.qwest.net[70.58.237.24]
> Oct 14 22:40:41 sergio postfix/smtpd[23812]: warning: SASL
> authentication problem: unable to open Berkeley db /etc/sasldb2: No such
> file or directory
> Oct 14 22:40:41 sergio postfix/smtpd[23812]: warning: SASL
> authentication failure: no secret in database
> Oct 14 22:40:41 sergio postfix/smtpd[23812]: warning:
> 70-58-237-24.mpls.qwest.net[70.58.237.24]: SASL NTLM authentication failed
> Oct 14 22:40:41 sergio postfix/smtpd[23812]: warning: Read failed in
> network_biopair_interop with errno=0: num_read=0, want_read=5
> Oct 14 22:40:41 sergio postfix/smtpd[23812]: lost connection after AUTH
> from 70-58-237-24.mpls.qwest.net[70.58.237.24]
>
> but then after removing /usr/lib/sasl*/*ntlm* from the satellite, the
> destination server maillog now says:
> Oct 14 22:42:32 sergio postfix/smtpd[23826]: connect from
> 70-58-237-24.mpls.qwest.net[70.58.237.24]
> Oct 14 22:42:33 sergio postfix/smtpd[23826]: warning: Read failed in
> network_biopair_interop with errno=0: num_read=0, want_read=5
> Oct 14 22:42:33 sergio postfix/smtpd[23826]: lost connection after EHLO
> from 70-58-237-24.mpls.qwest.net[70.58.237.24]
>
> and the satellite log now says:
> Oct 14 22:42:37 eclaire postfix/qmgr[17975]: F17809F39F:
> from=<rooteclaire.eclair.greatlakedata.com>, size=382, nrcpt=1 (queue
> active)
> Oct 14 22:42:38 eclaire postfix/smtp[17981]: warning: SASL
> authentication failure: No worthy mechs found
> Oct 14 22:42:38 eclaire postfix/smtp[17981]: F17809F39F: to=<gnvpf.us>,
> relay=nvpf.org[209.240.253.93], delay=2, status=deferred (Authentication
> failed: cannot SASL aut
>
> but i never took out the plaintext libs, the following sasl libs remain
> in place:
> eclaire# l. /usr/lib/sasl*/lib*
> -rw-r--r-- 1 root root 4634 2005/04/27 22:57:17
> /usr/lib/sasl/libanonymous.a
> -rwxr-xr-x 1 root root 871 2005/04/27 22:57:11
> /usr/lib/sasl/libanonymous.la*
> lrwxrwxrwx 1 root root 22 2005/10/03 08:02:01
> /usr/lib/sasl/libanonymous.so -> libanonymous.so.1.0.17*
> lrwxrwxrwx 1 root root 22 2005/10/03 08:02:01
> /usr/lib/sasl/libanonymous.so.1 -> libanonymous.so.1.0.17*
> -rwxr-xr-x 1 root root 5748 2005/04/27 22:57:17
> /usr/lib/sasl/libanonymous.so.1.0.17*
> -rw-r--r-- 1 root root 6598 2005/04/27 22:57:17 /usr/lib/sasl/liblogin.a
> -rwxr-xr-x 1 root root 847 2005/04/27 22:57:11
> /usr/lib/sasl/liblogin.la*
> lrwxrwxrwx 1 root root 17 2005/10/03 08:02:55
> /usr/lib/sasl/liblogin.so -> liblogin.so.0.0.7*
> lrwxrwxrwx 1 root root 17 2005/10/03 08:02:55
> /usr/lib/sasl/liblogin.so.0 -> liblogin.so.0.0.7*
> -rwxr-xr-x 1 root root 7248 2005/04/27 22:57:17
> /usr/lib/sasl/liblogin.so.0.0.7*
> -rw-r--r-- 1 root root 6150 2005/04/27 22:57:17 /usr/lib/sasl/libplain.a
> -rwxr-xr-x 1 root root 849 2005/04/27 22:57:11
> /usr/lib/sasl/libplain.la*
> lrwxrwxrwx 1 root root 18 2005/10/03 08:02:55
> /usr/lib/sasl/libplain.so -> libplain.so.1.0.16*
> lrwxrwxrwx 1 root root 18 2005/10/03 08:02:55
> /usr/lib/sasl/libplain.so.1 -> libplain.so.1.0.16*
> -rwxr-xr-x 1 root root 7000 2005/04/27 22:57:17
> /usr/lib/sasl/libplain.so.1.0.16*
> -rwxr-xr-x 1 root root 875 2005/04/27 22:57:13
> /usr/lib/sasl2/libanonymous.la*
> lrwxrwxrwx 1 root root 22 2005/10/03 08:02:01
> /usr/lib/sasl2/libanonymous.so -> libanonymous.so.2.0.19*
> lrwxrwxrwx 1 root root 22 2005/10/03 08:02:01
> /usr/lib/sasl2/libanonymous.so.2 -> libanonymous.so.2.0.19*
> -rwxr-xr-x 1 root root 12852 2005/04/27 22:57:17
> /usr/lib/sasl2/libanonymous.so.2.0.19*
> -rwxr-xr-x 1 root root 851 2005/04/27 22:57:13
> /usr/lib/sasl2/liblogin.la*
> lrwxrwxrwx 1 root root 18 2005/10/03 08:02:55
> /usr/lib/sasl2/liblogin.so -> liblogin.so.2.0.19*
> lrwxrwxrwx 1 root root 18 2005/10/03 08:02:55
> /usr/lib/sasl2/liblogin.so.2 -> liblogin.so.2.0.19*
> -rwxr-xr-x 1 root root 13264 2005/04/27 22:57:17
> /usr/lib/sasl2/liblogin.so.2.0.19*
> -rwxr-xr-x 1 root root 851 2005/04/27 22:57:13
> /usr/lib/sasl2/libplain.la*
> lrwxrwxrwx 1 root root 18 2005/10/03 08:02:55
> /usr/lib/sasl2/libplain.so -> libplain.so.2.0.19*
> lrwxrwxrwx 1 root root 18 2005/10/03 08:02:55
> /usr/lib/sasl2/libplain.so.2 -> libplain.so.2.0.19*
> -rwxr-xr-x 1 root root 13392 2005/04/27 22:57:17
> /usr/lib/sasl2/libplain.so.2.0.19*
> -rwxr-xr-x 1 root root 875 2005/04/27 22:57:13 /usr/lib/sasl2/libsql.la*
> lrwxrwxrwx 1 root root 16 2005/10/03 08:27:04
> /usr/lib/sasl2/libsql.so -> libsql.so.2.0.19*
> lrwxrwxrwx 1 root root 16 2005/10/03 08:27:04
> /usr/lib/sasl2/libsql.so.2 -> libsql.so.2.0.19*
> -rwxr-xr-x 1 root root 21348 2005/04/27 22:57:17
> /usr/lib/sasl2/libsql.so.2.0.19*
>
> it must be i'm going about this the wrong way. what's the right way to
> get postfix-2.1.5-4.2.RHEL4/cyrus-sasl-2.1.19-5.EL4 to authenticate like
> a client either the same way thunderbird does or the same way
> postfix-2.0.16-14.RHEL3/cyrus-sasl-2.1.15-10.WB1 did?
>
> fwiw, here's what the destination server log says when thunderbird sends
> a message (successfully):
> Oct 15 09:23:38 sergio postfix/smtpd[31255]: connect from
> 70-58-237-24.mpls.qwest.net[70.58.237.24]
> Oct 15 09:23:46 sergio postfix/smtpd[31255]: SSL_accept error from
> 70-58-237-24.mpls.qwest.net[70.58.237.24]: 0
> Oct 15 09:23:46 sergio postfix/smtpd[31255]: 31255:error:14094412:SSL
> routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1052:SSL
> alert number 42:
> Oct 15 09:23:46 sergio postfix/smtpd[31255]: disconnect from
> 70-58-237-24.mpls.qwest.net[70.58.237.24]
> Oct 15 09:24:05 sergio postfix/smtpd[31255]: connect from
> 70-58-237-24.mpls.qwest.net[70.58.237.24]
> Oct 15 09:24:14 sergio postfix/smtpd[31255]: warning: SASL
> authentication problem: unable to open Berkeley db /etc/sasldb2: No such
> file or directory
> Oct 15 09:24:14 sergio postfix/smtpd[31255]: warning: SASL
> authentication problem: unable to open Berkeley db /etc/sasldb2: No such
> file or directory
> Oct 15 09:24:14 sergio postfix/smtpd[31255]: warning: SASL
> authentication failure: no secret in database
> Oct 15 09:24:14 sergio postfix/smtpd[31255]: warning:
> 70-58-237-24.mpls.qwest.net[70.58.237.24]: SASL CRAM-MD5 authentication
> failed
> Oct 15 09:24:14 sergio postfix/smtpd[31255]: warning: SASL
> authentication problem: unable to open Berkeley db /etc/sasldb2: No such
> file or directory
> Oct 15 09:24:14 sergio postfix/smtpd[31255]: warning: SASL
> authentication problem: unable to open Berkeley db /etc/sasldb2: No such
> file or directory
> Oct 15 09:24:14 sergio postfix/smtpd[31255]: warning: SASL
> authentication failure: no secret in database
> Oct 15 09:24:14 sergio postfix/smtpd[31255]: warning:
> 70-58-237-24.mpls.qwest.net[70.58.237.24]: SASL NTLM authentication failed
> Oct 15 09:24:14 sergio postfix/smtpd[31255]: warning: SASL
> authentication problem: unable to open Berkeley db /etc/sasldb2: No such
> file or directory
> Oct 15 09:24:14 sergio postfix/smtpd[31255]: warning: SASL
> authentication problem: unable to open Berkeley db /etc/sasldb2: No such
> file or directory
> Oct 15 09:24:15 sergio postfix/smtpd[31255]: 201F751471:
> client=70-58-237-24.mpls.qwest.net[70.58.237.24], sasl_method=PLAIN,
> sasl_username=g
>
> here's the satellite main.cf:
> smtp_use_tls = yes
> smtp_enforce_tls = yes>
> smtp_tls_CAfile = /etc/postfix/CAcert.pem
> smtp_sasl_auth_enable = yes
> smtp_sasl_password_maps = hash:/etc/postfix/passout
> relayhost = nvpf.org
> myhostname = eclaire.eclair.greatlakedata.com
> mydestination = eclaire.eclair.greatlakedata.com
> localhost.eclair.greatlakedata.com, localhost
> myorigin = eclaire.eclair.greatlakedata.com
> mydomain = eclair.greatlakedata.com
> virtual_alias_domains =
> virtual_alias_maps = hash:/etc/mail/virtusertable
> hash:/var/lib/mailman/data/virtual-mailman
> home_mailbox = Maildir/
> queue_minfree = 75000000
> hash_queue_depth = 1
> message_size_limit = 30480000
> alias_maps = hash:/etc/aliases hash:/var/lib/mailman/data/aliases
> alias_database = hash:/etc/aliases
> tls_random_source = dev:/dev/urandom
> tls_daemon_random_source = dev:/dev/urandom
> smtpd_recipient_restrictions =
> permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
> smtpd_helo_required = yes
> smtpd_use_tls = yes
> smtpd_tls_auth_only = yes
> smtpd_tls_key_file = /etc/httpd/conf/ssl.key/server.key
> smtpd_tls_cert_file = /etc/httpd/conf/ssl.crt/server.crt
> smtpd_sasl_auth_enable = yes
> smtp_sasl_tls_verified_security_options = noanonymous
> broken_sasl_auth_clients = yes
> disable_vrfy_command = yes
> owner_request_special = no
> recipient_delimiter = +
> transport_maps = hash:/etc/postfix/transport
>
> and the destination server main.cf:
> myhostname = sergio.nvpf.org
> mydestination = sergio.nvpf.org localhost.nvpf.org, localhost
> myorigin = sergio.nvpf.org
> mydomain = nvpf.org
> virtual_alias_domains = nvpf.org nvpf.us>
> virtual_alias_maps = hash:/etc/mail/virtusertable
> hash:/var/lib/mailman/data/virtual-mailman
> home_mailbox = Maildir/
> queue_minfree = 75000000
> hash_queue_depth = 1
> message_size_limit = 30480000
> alias_maps = hash:/etc/aliases hash:/var/lib/mailman/data/aliases
> alias_database = hash:/etc/aliases
> tls_random_source = dev:/dev/urandom
> tls_daemon_random_source = dev:/dev/urandom
> smtpd_recipient_restrictions =
> permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
> smtpd_helo_required = yes
> smtpd_use_tls = yes
> smtpd_tls_auth_only = yes
> smtpd_tls_key_file = /etc/httpd/conf/ssl.key/server.key
> smtpd_tls_cert_file = /etc/httpd/conf/ssl.crt/server.crt
> smtpd_sasl_auth_enable = yes
> smtp_sasl_tls_verified_security_options = noanonymous
> broken_sasl_auth_clients = yes
> disable_vrfy_command = yes
> owner_request_special = no
> recipient_delimiter = +
> transport_maps = hash:/etc/postfix/transport
> content_filter=smtp-amavis:[127.0.0.1]:10024

--
        Andreas
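
The mechanism selection behind the log lines quoted in this thread, as an added model (an illustration written for this page, not Postfix or Cyrus SASL code): the server's mech_list narrows what smtpd advertises, the client's smtp_sasl_security_options (Postfix default: noplaintext, noanonymous) narrow what the client will accept, and shared-secret mechanisms fail on a server that has no /etc/sasldb2. The mechanism property table, the preference order and the two hosts' plugin sets are assumptions modelled on the stock Cyrus SASL plugins and on the logs above.

```python
"""Simplified model of SASL mechanism selection between a Postfix SMTP client
(the satellite) and smtpd (the destination).  Illustration written for this
thread, not Postfix or Cyrus SASL code; the property table and preference
order are assumptions about the stock Cyrus SASL plugins."""

PLAINTEXT = {"PLAIN", "LOGIN"}                      # password sent in the clear; rely on TLS
ANONYMOUS = {"ANONYMOUS"}
SHARED_SECRET = {"CRAM-MD5", "DIGEST-MD5", "NTLM"}  # smtpd must hold the secret, e.g. /etc/sasldb2
# Client preference, strongest first (assumption; Cyrus SASL ranks plugins by max_ssf).
PREFERENCE = ["GSSAPI", "DIGEST-MD5", "CRAM-MD5", "NTLM", "PLAIN", "LOGIN", "ANONYMOUS"]

def server_offers(installed, mech_list=None):
    """Mechanisms smtpd lists in '250-AUTH': installed plugins, narrowed by mech_list."""
    offered = {m.upper() for m in installed}
    return offered if mech_list is None else offered & {m.upper() for m in mech_list}

def client_picks(offered, installed, security_options):
    """The mechanism the client chooses, or Cyrus SASL's error text when none is acceptable."""
    candidates = set(offered) & {m.upper() for m in installed}
    if "noplaintext" in security_options:           # Postfix default smtp_sasl_security_options
        candidates -= PLAINTEXT                      # is "noplaintext, noanonymous"
    if "noanonymous" in security_options:
        candidates -= ANONYMOUS
    for mech in PREFERENCE:
        if mech in candidates:
            return mech
    raise LookupError("No worthy mechs found")

def negotiate(server_installed, client_installed, mech_list=None,
              security_options=("noplaintext", "noanonymous"), have_sasldb=False):
    """One AUTH attempt, summarised the way the two maillogs in the thread report it."""
    try:
        mech = client_picks(server_offers(server_installed, mech_list), client_installed, security_options)
    except LookupError as exc:
        return f"client: {exc}"   # client never sends AUTH; smtpd logs 'lost connection after EHLO'
    if mech in SHARED_SECRET and not have_sasldb:
        return f"server: SASL {mech} authentication failed (no secret in database)"
    return f"server: sasl_method={mech}"

# Constructed replay of the thread: the destination offers all it has and has no sasldb2.
SERVER = ["DIGEST-MD5", "CRAM-MD5", "NTLM", "PLAIN", "LOGIN", "ANONYMOUS"]
SATELLITE = ["GSSAPI", "DIGEST-MD5", "CRAM-MD5", "NTLM", "PLAIN", "LOGIN", "ANONYMOUS"]

def satellite_without(*removed):
    """The satellite's plugin set after deleting the named mechanism libraries."""
    return [m for m in SATELLITE if m not in removed]

if __name__ == "__main__":
    print(negotiate(SERVER, satellite_without("GSSAPI", "DIGEST-MD5", "CRAM-MD5", "NTLM")))
```

Replaying the three library removals from the thread reproduces DIGEST-MD5 failing, then NTLM failing, then "No worthy mechs found"; a server mech_list of plain login together with a client that permits plaintext mechanisms yields sasl_method=PLAIN.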