Re: Making progress: SASL + TLS
From: Anthony Messina (amessina at messinet.com)
Date: Sat Jul 08 2006 - 13:22:04 CDT
Bruce Lane wrote:
> First, I would like to extend apologies to Wietse and others. Again, I was not deliberately trying to be deceptive or 'change the evidence,' as it were. I did not fully understand how postconf -n worked, and therefore thought that I had to 'clean up' its output.
>
> Now that I do understand what it's trying to do, thanks to earlier responses, I'm starting to realize what a handy troubleshooting tool it is.
>
> With that said: I have made definite progress.
>
> WHAT I'VE DONE...
>
> Cleaned up my main.cf. Yes, the whitespaces were causing problems. They have been relocated to where they belong, and the lines where they did not belong have been fixed.
>
> THE (NEW) PROBLEM:
>
> saslauthd does not seem to think it has any authentication mechanisms available, as evidenced by this output from /var/log/maillog in response to a localhost test session.
>
> Jul 8 09:10:20 featherweb postfix/smtpd[24211]: warning: xsasl_cyrus_server_get_mechanism_list: no applicable SASL mechanisms
> Jul 8 09:10:20 featherweb postfix/smtpd[24211]: fatal: no SASL authentication mechanisms
> Jul 8 09:10:21 featherweb postfix/master[18443]: warning: process /usr/libexec/postfix/smtpd pid 24211 exit status 1
> Jul 8 09:10:21 featherweb postfix/master[18443]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling
>
> I believe I correctly followed the directions at http://www.postfix.org/SASL_README.html
>
> This is the contents of my /usr/local/lib/sasl2/smtpd.conf file.
>
> featherweb: {46} cat /usr/local/lib/sasl2/smtpd.conf
> # smtpd.conf for sasl auth. 8-Jul-06.
> #
> pwcheck_method: pwcheck
> mech_list: plain login
> featherweb: {47}
>
> When I start the saslauthd daemon for testing, this is the exact command I'm using.
>
> /usr/local/sbin/saslauthd -a getpwent
>
> This results in the following processes appearing in ps.
>
> featherweb: {47} ps -aux|grep saslauthd
> root 8383 0.0 0.0 88 432 ? IW 8:56AM 0:00.02 /usr/local/sbin/saslauthd -a getpwent
> root 12915 0.0 0.0 88 432 ? IW 8:56AM 0:00.01 /usr/local/sbin/saslauthd -a getpwent
> root 13309 0.0 0.0 88 756 ? IWs 8:56AM 0:00.04 /usr/local/sbin/saslauthd -a getpwent
> root 15962 0.0 0.0 88 432 ? IW 8:56AM 0:00.02 /usr/local/sbin/saslauthd -a getpwent
> root 17889 0.0 0.0 88 432 ? IW 8:56AM 0:00.03 /usr/local/sbin/saslauthd -a getpwent
> root 13031 0.0 1.5 232 944 ttyp0 RV 9:40AM 0:00.00 grep saslauthd (csh)
> featherweb: {48}
>
> The output of postconf -n follows. I promise that it is unaltered, not "cleaned up" in any way. ;-) However, note that I do not have TLS turned on at the moment. I'll worry about it after I get SASL working.
>
> featherweb: {45} postconf -n
> address_verify_sender = <>
> alias_database = hash:/etc/mail/postfix.aliases
> alias_maps = hash:/etc/mail/postfix.aliases
> broken_sasl_auth_clients = yes
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/libexec/postfix
> debug_peer_level = 2
> default_destination_concurrency_limit = 8
> default_privs = nobody
> disable_dns_lookups = no
> home_mailbox = Maildir/
> html_directory = no
> inet_interfaces = 192.168.42.130, localhost
> local_destination_concurrency_limit = 2
> local_recipient_maps = $alias_maps unix:passwd.byname
> mail_owner = postfix
> mailbox_size_limit = 100000000
> mailq_path = /usr/bin/mailq
> manpage_directory = /usr/share/man
> mydestination = $myhostname, localhost.$mydomain, $mydomain
> mydomain = bluefeathertech.com
> myhostname = featherweb.bluefeathertech.com
> mynetworks = 192.168.42.0/24, 127.0.0.0/8
> mynetworks_style = subnet
> myorigin = $mydomain
> newaliases_path = /usr/bin/newaliases
> queue_directory = /var/spool/postfix
> readme_directory = /usr/share/examples/postfix
> relay_domains = $mydestination
> sample_directory = /usr/share/examples/postfix
> sendmail_path = /usr/sbin/sendmail
> setgid_group = maildrop
> smtp_tls_note_starttls_offer = yes
> smtp_use_tls = no
> smtpd_banner = $myhostname ESMTP $mail_name - Unsolicited Commercial E-mail prohibited!
> smtpd_data_restrictions = reject_unauth_pipelining, permit
> smtpd_enforce_tls = no
> smtpd_helo_required = yes
> smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unauth_destination, check_sender_mx_access cidr:/etc/postfix/mx_access, reject_unknown_recipient_domain, check_recipient_mx_access cidr:/etc/postfix/mx_access, check_recipient_access regexp:/etc/postfix/recipient_checks.re, check_helo_access hash:/etc/postfix/helo_checks, check_sender_access regexp:/etc/postfix/verizon_sav_sender.re, check_sender_access hash:/etc/postfix/client_checks, check_client_access hash:/etc/postfix/client_checks, check_sender_access cidr:/etc/postfix/mx_access, check_client_access cidr:/etc/postfix/mx_access, reject_rbl_client relays.ordb.org, reject_rbl_client sbl-xbl.spamhaus.org, reject_rbl_client dnsbl.ahbl.org, reject_rhsbl_client rhsbl.sorbs.net, permit
> smtpd_restriction_classes = from_verizon_sav
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_authenticated_header = yes
> smtpd_sasl_local_domain = $myhostname
> smtpd_sasl_security_options = noanonymous
> smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
> smtpd_tls_cert_file = /etc/postfix/ssl/newcert.pem
> smtpd_tls_key_file = /etc/postfix/ssl/newreq.pem
> smtpd_tls_loglevel = 2
> smtpd_tls_received_header = no
> smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_scache
> smtpd_tls_session_cache_timeout = 3600s
> smtpd_use_tls = no
> soft_bounce = no
> tls_random_source = dev:/dev/urandom
> unknown_address_reject_code = 553
> unknown_client_reject_code = 554
> unknown_hostname_reject_code = 554
> featherweb: {46}
>
> I will continue to research this while waiting for responses.
>
> Thanks in advance to all, and I apologize again if my ignorance and assumptions caused anyone heartburn over this.
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Bruce Lane, Owner & Head Hardware Heavy,
> Blue Feather Technologies -- http://www.bluefeathertech.com
> kyrrin (at) bluefeathertech do/t c=o=m
> "If Salvador Dali had owned a computer, would it have been equipped with surreal ports?"
>
>
if you're using saslauthd, don't you want your
/usr/local/lib/sasl2/smtpd.conf file to read: "pwcheck_method: saslauthd"?

i use:

# sasl2 smtpd.conf
saslauthd_version: 2
mech_list: PLAIN LOGIN
pwcheck_method: saslauthd

and it works fabulously, assuming, of course, that i have the saslauthd
daemon running.
--
Anthony
http://messinet.com
http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
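An added check, not part of this thread: a short Python script that reads the smtpd.conf and postconf -n excerpts quoted above and flags the two things the thread turns on, a pwcheck_method that does not match the saslauthd daemon actually running, and PLAIN/LOGIN offered without TLS on a non-loopback interface. The sample inputs are constructed from the values quoted above; saslauthd_running is an assumed flag passed in by the caller, not a real process check.

```python
"""Cross-check a Cyrus SASL smtpd.conf against Postfix 'postconf -n' output."""
import re
from typing import Dict, List

# Constructed sample: the smtpd.conf posted in the thread (pwcheck_method: pwcheck).
SMTPD_CONF_BEFORE = """\
# smtpd.conf for sasl auth. 8-Jul-06.
#
pwcheck_method: pwcheck
mech_list: plain login
"""
# Constructed sample: the smtpd.conf from the reply (pwcheck_method: saslauthd).
SMTPD_CONF_AFTER = "saslauthd_version: 2\nmech_list: PLAIN LOGIN\npwcheck_method: saslauthd\n"
# Constructed sample: the relevant subset of the thread's postconf -n output.
POSTCONF_N = """\
inet_interfaces = 192.168.42.130, localhost
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_use_tls = no
"""


def parse_kv(text: str, sep: str) -> Dict[str, str]:
    """Parse 'key<sep>value' lines; blank lines and '#' comments are skipped."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and sep in line:
            key, val = line.split(sep, 1)
            out[key.strip().lower()] = val.strip()
    return out


def check_sasl(smtpd_conf: str, postconf_n: str, saslauthd_running: bool) -> List[str]:
    """Return findings as strings; an empty list means the two configs agree."""
    sasl, pf = parse_kv(smtpd_conf, ":"), parse_kv(postconf_n, "=")
    findings: List[str] = []
    if pf.get("smtpd_sasl_auth_enable", "no") != "yes":
        return findings  # SASL is off in Postfix, nothing to cross-check
    method = sasl.get("pwcheck_method", "")
    if saslauthd_running and method != "saslauthd":
        findings.append(f"pwcheck_method is '{method}' but saslauthd is the running "
                        "password checker; libsasl will not consult it")
    mechs = {m.upper() for m in sasl.get("mech_list", "").split()}
    opts = set(re.split(r"[,\s]+", pf.get("smtpd_sasl_security_options", "")))
    plaintext = bool(mechs & {"PLAIN", "LOGIN"}) and "noplaintext" not in opts
    tls_off = pf.get("smtpd_use_tls", "no") != "yes"
    non_loopback = any(i.strip() not in ("localhost", "127.0.0.1")
                       for i in pf.get("inet_interfaces", "all").split(","))
    if plaintext and tls_off and non_loopback:
        findings.append("PLAIN/LOGIN offered without TLS on a non-loopback interface: "
                        "passwords cross the network in the clear")
    return findings
```

Turning TLS on (or adding noplaintext to smtpd_sasl_security_options) clears the second finding; only the pwcheck_method line clears the first.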