Re: postfix + sasl problem

From: Benjamin Zwittnig (benjamin.zwittnigarnes.si)
Date: Tue Sep 04 2007 - 08:33:45 CDT


Patrick Ben Koetter wrote:
> * Benjamin Zwittnig <benjamin.zwittnigarnes.si>:
>
>> # uname -a
>> Linux mail 2.6.9-55.0.2.ELsmp #1 SMP Tue Jun 26 14:30:58 EDT 2007 i686
>> athlon i386 GNU/Linux
>>
>> # ~/saslfinger-1.0.2/saslfinger -s
>> saslfinger - postfix Cyrus sasl configuration Tue Sep 4 14:42:42 CEST 2007
>> version: 1.0.2
>> mode: server-side SMTP AUTH
>>
>> -- basics --
>> Postfix: 2.4.5
>> System: CentOS release 4.5 (Final)
>>
>> -- smtpd is linked to --
>> libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x004f6000)
>>
>> -- active SMTP AUTH and TLS parameters for smtpd --
>> broken_sasl_auth_clients = yes
>> smtpd_sasl_auth_enable = no
>>
>
> enable it
>

It is enabled in master.cf for the submission channel.

>> smtpd_sasl_authenticated_header = yes
>> smtpd_sasl_local_domain = $myhostname
>> smtpd_sasl_path = smtpd
>> smtpd_sasl_security_options = noanonymous
>>
>>
>> -- listing of /usr/lib/sasl2 --
>> total 3128
>> drwxr-xr-x 2 root root 4096 Sep 4 13:25 .
>> drwxr-xr-x 158 root root 131072 Aug 23 04:48 ..
>> -rwxr-xr-x 1 root root 875 Feb 21 2005 libanonymous.la
>> -rwxr-xr-x 1 root root 12820 Feb 21 2005 libanonymous.so
>> -rwxr-xr-x 1 root root 12820 Feb 21 2005 libanonymous.so.2
>> -rwxr-xr-x 1 root root 12820 Feb 21 2005 libanonymous.so.2.0.19
>> -rwxr-xr-x 1 root root 863 Feb 21 2005 libcrammd5.la
>> -rwxr-xr-x 1 root root 15216 Feb 21 2005 libcrammd5.so
>> -rwxr-xr-x 1 root root 15216 Feb 21 2005 libcrammd5.so.2
>> -rwxr-xr-x 1 root root 15216 Feb 21 2005 libcrammd5.so.2.0.19
>> -rwxr-xr-x 1 root root 884 Feb 21 2005 libdigestmd5.la
>> -rwxr-xr-x 1 root root 42964 Feb 21 2005 libdigestmd5.so
>> -rwxr-xr-x 1 root root 42964 Feb 21 2005 libdigestmd5.so.2
>> -rwxr-xr-x 1 root root 42964 Feb 21 2005 libdigestmd5.so.2.0.19
>> -rwxr-xr-x 1 root root 911 Feb 21 2005 libgssapiv2.la
>> -rwxr-xr-x 1 root root 22292 Feb 21 2005 libgssapiv2.so
>> -rwxr-xr-x 1 root root 22292 Feb 21 2005 libgssapiv2.so.2
>> -rwxr-xr-x 1 root root 22292 Feb 21 2005 libgssapiv2.so.2.0.19
>> -rwxr-xr-x 1 root root 851 Feb 21 2005 liblogin.la
>> -rwxr-xr-x 1 root root 13296 Feb 21 2005 liblogin.so
>> -rwxr-xr-x 1 root root 13296 Feb 21 2005 liblogin.so.2
>> -rwxr-xr-x 1 root root 13296 Feb 21 2005 liblogin.so.2.0.19
>> -rwxr-xr-x 1 root root 854 Feb 21 2005 libntlm.la
>> -rwxr-xr-x 1 root root 29104 Feb 21 2005 libntlm.so
>> -rwxr-xr-x 1 root root 29104 Feb 21 2005 libntlm.so.2
>> -rwxr-xr-x 1 root root 29104 Feb 21 2005 libntlm.so.2.0.19
>> -rwxr-xr-x 1 root root 851 Feb 21 2005 libplain.la
>> -rwxr-xr-x 1 root root 13360 Feb 21 2005 libplain.so
>> -rwxr-xr-x 1 root root 13360 Feb 21 2005 libplain.so.2
>> -rwxr-xr-x 1 root root 13360 Feb 21 2005 libplain.so.2.0.19
>> -rwxr-xr-x 1 root root 931 Feb 21 2005 libsasldb.la
>> -rwxr-xr-x 1 root root 783456 Feb 21 2005 libsasldb.so
>> -rwxr-xr-x 1 root root 783456 Feb 21 2005 libsasldb.so.2
>> -rwxr-xr-x 1 root root 783456 Feb 21 2005 libsasldb.so.2.0.19
>> -rw-r--r-- 1 root root 25 May 3 02:35 Sendmail.conf
>> -rw-r--r-- 1 root root 51 Sep 4 13:25 smtpd.conf
>>
>> -- content of /usr/lib/sasl2/smtpd.conf --
>> pwcheck_method:saslauthd
>> mech_list: plain cram-md5
>>
>
> saslauthd cannot handle cram-md5. The maximum you get is this:
>
> pwcheck_method: saslauthd
> mech_list: plain login
>

I have changed this.

>> -- active services in /etc/postfix/master.cf --
>> # service type private unpriv chroot wakeup maxproc command + args
>> # (yes) (yes) (yes) (never) (50)
>> smtp inet n - y - - smtpd
>>
>
> You run smtpd chrooted. It cannot access the saslauthd socket. Either get
> smtpd out of the chroot or the saslauthd socket into the chroot using the
> '-m' commandline option for saslauthd.
>
>> submission inet n - n - - smtpd
>> -o smtpd_sasl_auth_enable=yes
>>
>
> submission is running chrooted too. "-" means apply the default. The default
> is noted below the column name - here: yes.
>

I don't think so. The fifth column is the chroot column and it is set to
'n'. I have also tried with a non-chrooted smtp service. The behavior was
the same.

>> pickup fifo n - y 60 1 pickup
>> cleanup unix n - y - 0 cleanup
>> qmgr fifo n - n 300 1 qmgr
>> rewrite unix - - y - - trivial-rewrite
>> bounce unix - - y - 0 bounce
>> defer unix - - y - 0 bounce
>> flush unix n - y 1000? 0 flush
>> smtp unix - - y - - smtp
>> showq unix n - y - - showq
>> error unix - - y - - error
>> local unix - n n - - local
>> virtual unix - n y - - virtual
>> lmtp unix - - y - - lmtp
>> anvil unix - - n - 1 anvil
>>
>> cyrus unix - n n - - pipe
>> flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
>> uucp unix - n n - - pipe
>> flags=Fqhu user=uucp argv=uux -r -n -z -a$sender -
>> $nexthop!rmail.postfix ($recipient)
>> ifmail unix - n n - - pipe
>> flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
>> bsmtp unix - n n - - pipe
>> flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop
>> $recipient
>> relay unix - - n - - smtp
>> proxymap unix - - n - - proxymap
>> smtp-amavis unix - - y - 55 smtp
>> -o smtp_data_done_timeout=1200
>> -o disable_dns_lookups=yes
>>
>> x.x.x.x:10025 inet n - y - - smtpd
>> -o content_filter=
>> -o local_recipient_maps=
>> -o relay_recipient_maps=
>> -o smtpd_restriction_classes=
>> -o smtpd_client_restrictions=
>> -o smtpd_helo_restrictions=
>> -o smtpd_sender_restrictions=
>> -o smtpd_recipient_restrictions=permit_mynetworks,reject
>> -o mynetworks=x.x.x.0/24
>> -o strict_rfc821_envelopes=yes
>>
>> policy unix - n n - - spawn
>> user=nobody argv=/usr/bin/perl /etc/postfix/reject-unknown-local-sender.pl
>> trace unix - - n - 0 bounce
>> verify unix - - n - 1 verify
>> scache unix - - n - 1 scache
>> discard unix - - n - - discard
>> tlsmgr unix - - n 1000? 1 tlsmgr
>> retry unix - - n - - error
>>
>> -- mechanisms on localhost --
>>
>> -- end of saslfinger output --
>> # saslauthd -v
>> saslauthd 2.1.19
>> authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap
>>
>> saslauthd is running but it doesn't receive any request from postfix.
>> When I connect to port 587 on the machine I get:
>>
>> # telnet localhost 587
>> Trying 127.0.0.1...
>> Connected to localhost.localdomain (127.0.0.1).
>> Escape character is '^]'.
>> Connection closed by foreign host.
>>
>> In the postfix log there are only two lines indicating
>> the problem:
>>
>> Sep 4 13:55:01 mail postfix/smtpd[6149]: warning: SASL per-connection
>> security setup; invalid parameter supplied
>> Sep 4 13:55:01 mail postfix/smtpd[6149]: fatal: SASL per-connection
>> initialization failed
>>
>
> No idea where this comes from. Simplify the setup. Make it work with smtpd
> first, then go for submission.
>

I use similar configuration (sasl authentication only for the submission
channel) on a machine running FreeBSD. It works there. I suspect
something might be 'wrong' with sasl setup on the linux machine.
It is strange since testsaslauthd works well:

# testsaslauthd -u testuser -p xxxxx
0: OK "Success."

Regards,

Benjamin
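A small checker, added here as an example and not code from the thread, that applies the two checks Patrick makes by hand: whether an smtpd service with SASL enabled runs chrooted (so it cannot reach the saslauthd socket, and "-" in the chroot column means the header's default of yes), and whether smtpd.conf lists mechanisms saslauthd cannot serve. The sample master.cf and smtpd.conf are constructed to mirror the saslfinger output above, not the poster's real files.

```python
import shlex

CHROOT_DEFAULT = "y"                  # master.cf header: the chroot column defaults to (yes)
SASLAUTHD_MECHS = {"plain", "login"}  # saslauthd only verifies cleartext passwords

def parse_master_cf(text):
    """One dict per service: name, whether it is chrooted, its command and -o overrides."""
    services = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and services:   # indented "-o key=value" continuation line
            services[-1]["argv"] += shlex.split(line)
            continue
        f = line.split()
        if len(f) >= 8:
            chroot = CHROOT_DEFAULT if f[4] == "-" else f[4]
            services.append({"name": f[0], "chroot": chroot == "y", "argv": f[7:]})
    for svc in services:
        argv = svc["argv"]
        svc["command"] = argv[0]
        svc["options"] = dict(argv[i + 1].split("=", 1)
                              for i in range(len(argv) - 1)
                              if argv[i] == "-o" and "=" in argv[i + 1])
    return services

def find_sasl_problems(master_cf, smtpd_conf, sasl_in_main_cf="no"):
    """Report the two misconfigurations discussed in the thread as readable strings."""
    problems = []
    for svc in parse_master_cf(master_cf):
        enabled = svc["options"].get("smtpd_sasl_auth_enable", sasl_in_main_cf) == "yes"
        if svc["command"] == "smtpd" and enabled and svc["chroot"]:
            problems.append(f"{svc['name']}: SASL enabled but smtpd is chrooted, so it cannot "
                            "reach the saslauthd socket (unchroot it or use saslauthd -m)")
    # Cyrus SASL application config: "key: value" lines, colon may lack a trailing space
    conf = {k.strip(): v.strip() for k, v in
            (l.split(":", 1) for l in smtpd_conf.splitlines() if ":" in l)}
    if conf.get("pwcheck_method") == "saslauthd":
        bad = [m for m in conf.get("mech_list", "").split() if m.lower() not in SASLAUTHD_MECHS]
        if bad:
            problems.append("smtpd.conf: saslauthd cannot serve mech_list entries: " + " ".join(bad))
    return problems

# Constructed sample inputs modelled on the saslfinger output in the thread.
MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp       inet  n       -       y       -       -       smtpd
submission inet  n       -       -       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
"""
SMTPD_CONF = "pwcheck_method:saslauthd\nmech_list: plain cram-md5\n"
```

find_sasl_problems(MASTER_CF, SMTPD_CONF) reports both issues; with the submission chroot column set to n and mech_list: plain login it returns an empty list.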