Re: No SMTP AUTH when TLS enabled

From: froinds J (froindsgmail.com)
Date: Sat Jan 02 2010 - 02:02:00 CST


On Sat, Jan 2, 2010 at 2:26 AM, Patrick Ben Koetter <pstate-of-mind.de> wrote:

> * froinds J <froindsgmail.com>:
> > Hello,
> > I'm having a problem with postfix in F12.
> > I used to have my email server setup with F10. My setup had TLS
> > enabled (self signed certs) with SASL using pwcheck_method=auxprop and
> > CRAM-MD5 DIGEST-MD5. I had virtual accounts.
> > Everything worked great until I installed F12. It was a clean install.
> > My issue now is the following:
> > If I disable TLS, postfix works as expected. If I enable it, I cannot
> > authenticate. Without TLS I can telnet to my server and I get 250-AUTH
> > CRAM-MD5 DIGEST-MD5
> > 250-AUTH=CRAM-MD5 DIGEST-MD5. However, once I enable TLS this doesn't show.
> > My mail client says the server does not support CRAM-MD5 or any other method
> > of authentication I try when TLS is on.
> >
> > I've tested the certs with openssl and I don't get any errors.
> >
> > I've been running my mail server on Fedora since FC3 and I've never
> > encountered this issue.
> > Has anyone had this problem?
>
> Blind guess: You have set $smtpd_tls_auth_only to yes and AUTH only shows up
> in a TLS session.
>
> If that is not the case follow the instructions at
> <http://de.postfix.org/httpmirror/DEBUG_README.html#mail> to provide debug
> output.
>
> prick

My problem is: if I allow TLS I cannot authenticate. Without TLS everything
works. Here is the output from saslfinger.
Thanks for your help.

saslfinger - postfix Cyrus sasl configuration Sat Jan 2 02:12:49 EST 2010
version: 1.0.2
mode: server-side SMTP AUTH

-- basics --
Postfix: 2.6.5
System: Fedora release 12 (Constantine)

-- smtpd is linked to --
libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x00110000)

-- active SMTP AUTH and TLS parameters for smtpd --
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_security_level = encrypt
smtpd_tls_session_cache_timeout = 3600s

-- listing of /usr/lib/sasl --
total 80
drwxr-xr-x. 2 root root 4096 2009-12-29 12:31 .
dr-xr-xr-x. 150 root root 69632 2010-01-01 16:52 ..
-rw-r--r--. 1 root root 70 2009-09-16 09:38 smtpd.conf

-- listing of /usr/lib/sasl2 --
total 504
drwxr-xr-x. 2 root root 4096 2009-12-29 12:31 .
dr-xr-xr-x. 150 root root 69632 2010-01-01 16:52 ..
-rwxr-xr-x. 1 root root 14912 2009-09-24 06:20 libanonymous.so
-rwxr-xr-x. 1 root root 14912 2009-09-24 06:20 libanonymous.so.2
-rwxr-xr-x. 1 root root 14912 2009-09-24 06:20 libanonymous.so.2.0.23
-rwxr-xr-x. 1 root root 17596 2009-09-24 06:20 libcrammd5.so
-rwxr-xr-x. 1 root root 17596 2009-09-24 06:20 libcrammd5.so.2
-rwxr-xr-x. 1 root root 17596 2009-09-24 06:20 libcrammd5.so.2.0.23
-rwxr-xr-x. 1 root root 48032 2009-09-24 06:20 libdigestmd5.so
-rwxr-xr-x. 1 root root 48032 2009-09-24 06:20 libdigestmd5.so.2
-rwxr-xr-x. 1 root root 48032 2009-09-24 06:20 libdigestmd5.so.2.0.23
-rwxr-xr-x. 1 root root 15356 2009-09-24 06:20 liblogin.so
-rwxr-xr-x. 1 root root 15356 2009-09-24 06:20 liblogin.so.2
-rwxr-xr-x. 1 root root 15356 2009-09-24 06:20 liblogin.so.2.0.23
-rwxr-xr-x. 1 root root 15452 2009-09-24 06:20 libplain.so
-rwxr-xr-x. 1 root root 15452 2009-09-24 06:20 libplain.so.2
-rwxr-xr-x. 1 root root 15452 2009-09-24 06:20 libplain.so.2.0.23
-rwxr-xr-x. 1 root root 20872 2009-09-24 06:20 libsasldb.so
-rwxr-xr-x. 1 root root 20872 2009-09-24 06:20 libsasldb.so.2
-rwxr-xr-x. 1 root root 20872 2009-09-24 06:20 libsasldb.so.2.0.23
-rw-r--r--. 1 root root 25 2009-09-16 14:55 Sendmail.conf
-rw-r--r--. 1 root root 138 2010-01-02 01:22 smtpd.conf

-- listing of /etc/sasl2 --
total 16
drwxr-xr-x. 2 root root 4096 2009-09-24 06:20 .
drwxr-xr-x. 122 root root 12288 2010-01-01 16:31 ..

-- content of /usr/lib/sasl/smtpd.conf --
pwcheck_method: saslauthd
mech_list: plain login
saslauthd_version: 2

-- content of /usr/lib/sasl2/smtpd.conf --
pwcheck_method: auxprop
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
log_level: 4

-- active services in /etc/postfix/master.cf --
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
52525 inet n - n - - smtpd -v
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
  -o smtp_fallback_relay=
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache

-- mechanisms on localhost --

-- end of saslfinger output --
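
Added example, not part of the original message or of saslfinger: a small Python check that parses the AUTH lines of an EHLO reply (both the "AUTH" and "AUTH=" forms quoted in the thread) and compares them with what the parameters in the saslfinger output should produce before and inside TLS. The EHLO replies and the host name mail.example.test are constructed, the function names are hypothetical, and the model assumes smtpd_sasl_tls_security_options is left at its default of $smtpd_sasl_security_options.

```python
import re

# Constructed EHLO replies (not captured from the poster's server).
EHLO_PLAIN = """250-mail.example.test
250-STARTTLS
250 8BITMIME"""
EHLO_TLS = """250-mail.example.test
250-AUTH CRAM-MD5 DIGEST-MD5
250-AUTH=CRAM-MD5 DIGEST-MD5
250 8BITMIME"""
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

def parse_auth(ehlo_reply):
    """Return the SASL mechanisms announced in a multi-line EHLO reply.
    Accepts 'AUTH m1 m2' and the 'AUTH=m1 m2' form for broken clients."""
    mechs = set()
    for line in ehlo_reply.splitlines():
        m = re.match(r"250[- ]AUTH[ =](.*)$", line.strip(), re.I)
        if m:
            mechs.update(tok.upper() for tok in m.group(1).split())
    return mechs

def expected_auth(params, mech_list, tls_active):
    """Simplified model of which mechanisms smtpd should announce."""
    if params.get("smtpd_sasl_auth_enable") != "yes":
        return set()
    if params.get("smtpd_tls_auth_only") == "yes" and not tls_active:
        return set()          # AUTH is withheld until STARTTLS completes
    opts = {o.strip() for o in params.get("smtpd_sasl_security_options", "").split(",")}
    mechs = {m.upper() for m in mech_list.split()}
    if "noplaintext" in opts:
        mechs -= PLAINTEXT_MECHS
    if "noanonymous" in opts:
        mechs.discard("ANONYMOUS")
    return mechs

def diagnose(params, mech_list, plain_reply, tls_reply):
    """Compare observed and expected AUTH announcements per phase."""
    report = {}
    for phase, reply, tls in (("plaintext", plain_reply, False), ("tls", tls_reply, True)):
        seen, want = parse_auth(reply), expected_auth(params, mech_list, tls)
        report[phase] = {"seen": seen, "missing": want - seen, "unexpected": seen - want}
    return report

# Values copied from the saslfinger output above.
PARAMS = {"smtpd_sasl_auth_enable": "yes", "smtpd_tls_auth_only": "yes",
          "smtpd_sasl_security_options": "noanonymous, noplaintext"}
MECH_LIST = "PLAIN LOGIN CRAM-MD5 DIGEST-MD5"
```

A non-empty "missing" set for the tls phase corresponds to the symptom reported in this thread; a non-empty "unexpected" set for the plaintext phase means the listener answering is not running with the parameters shown.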