Gentoo Forums - Networking & Security
Postfix + SASL + MySQL - saslauthd not authenticating
charlesread
n00b
Joined: 03 Aug 2004
Posts: 17

Posted: Thu Feb 07, 2013 1:11 am    Post subject: Postfix + SASL + MySQL - saslauthd not authenticating

Hi everybody,

I'm trying to set up an SMTP server on my Gentoo box that uses SASL for authentication on top of a MySQL database. Right now I'm just working on the authentication part, and I just can't get it to work. I've read maybe 10 howtos and done quite a bit of research, but everything I try still has authentication failing. I select simple authentication in my mail client and it just won't go. Interestingly, I can send to system users with no password at all.

Would you mind taking a look and seeing if there is anything obvious that I am doing wrong? As usual, I would be very appreciative. I've been going crazy over here - any help?

Thanks!

:)

/etc/postfix/main.cf:
Code:

soft_bounce = yes
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname = gentoo.charlesread.com
mydomain = charlesread.com
myorigin = $myhostname
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost
unknown_local_recipient_reject_code = 550
mynetworks_style = host
#mynetworks =  127.0.0.0/8
#mynetworks = $config_directory/mynetworks
#mynetworks = hash:/etc/postfix/network_table
debug_peer_level = 2
sendmail_path = /usr/sbin/sendmail
mailq_path = /usr/bin/mailq
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /etc/postfix
readme_directory = no
inet_protocols = ipv4
home_mailbox = .maildir/
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_path = /etc/sasl2/smtpd
smtpd_sasl_type = cyrus
smtpd_sasl_authenticated_header = yes

#smtpd_sasl_local_domain =
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination


/etc/sasl2/smtpd.conf
Code:

log_level: 7
mech_list: PLAIN LOGIN
pwcheck_method: saslauthd


/etc/conf.d/saslauthd:
Code:

SASLAUTHD_OPTS=" -a pam -n 5"
MECH=pam


/etc/pam.d/smtp: [I happen to be using the same DB that I use for vsFTPd]
Code:

auth required pam_mysql.so user=vsftpd passwd=XXXXXXXXXX host=localhost db=web table=accounts usercolumn=username passwdcolumn=pass crypt=2 log=7
account required pam_mysql.so user=vsftpd passwd=XXXXXXXXXX host=localhost db=web table=accounts usercolumn=username passwdcolumn=pass crypt=2 log=7


Attempting to connect:
Code:

gentoo charles # perl -MMIME::Base64 -e 'print encode_base64("UUU")'
XXX
gentoo charles # perl -MMIME::Base64 -e 'print encode_base64("PPP")'
YYY
gentoo charles # telnet localhost 25
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 gentoo.charlesread.com ESMTP Postfix
ehlo charlesread.com
250-gentoo.charlesread.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH SCRAM-SHA-1 DIGEST-MD5 OTP NTLM CRAM-MD5 LOGIN PLAIN
250-AUTH=SCRAM-SHA-1 DIGEST-MD5 OTP NTLM CRAM-MD5 LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
auth login
334 VXNlcm5hbWU6
XXX
334 UGFzc3dvcmQ6
YYY
435 4.7.8 Error: authentication failed: authentication failure
quit
221 2.0.0 Bye
Connection closed by foreign host.
gentoo charles # testsaslauthd -u UUU -p PPP -s smtp
0: OK "Success."
/var/log/mail.log: (after restarting everything and attempting a connection)

Code:

Feb  6 20:07:06 gentoo postfix/smtpd[9859]: connection established
Feb  6 20:07:06 gentoo postfix/smtpd[9859]: master_notify: status 0
Feb  6 20:07:06 gentoo postfix/smtpd[9859]: name_mask: resource
Feb  6 20:07:06 gentoo postfix/smtpd[9859]: name_mask: software
Feb  6 20:07:06 gentoo postfix/smtpd[9859]: connect from gentoo.charlesread.com[127.0.0.1]
Feb  6 20:07:06 gentoo postfix/smtpd[9859]: match_list_match: gentoo.charlesread.com: no match
Feb  6 20:07:06 gentoo postfix/smtpd[9859]: match_list_match: 127.0.0.1: no match
Feb  6 20:07:06 gentoo postfix/smtpd[9859]: match_list_match: gentoo.charlesread.com: no match
Feb  6 20:07:06 gentoo postfix/smtpd[9859]: match_list_match: 127.0.0.1: no match
Feb  6 20:07:06 gentoo postfix/smtpd[9859]: smtp_stream_setup: maxtime=300 enable_deadline=0
Feb  6 20:07:06 gentoo postfix/smtpd[9859]: match_hostname: gentoo.charlesread.com ~? 127.0.0.1/32
Feb  6 20:07:06 gentoo postfix/smtpd[9859]: match_hostaddr: 127.0.0.1 ~? 127.0.0.1/32
Feb  6 20:07:06 gentoo postfix/smtpd[9859]: > gentoo.charlesread.com[127.0.0.1]: 220 gentoo.charlesread.com ESMTP Postfix
Feb  6 20:07:06 gentoo postfix/smtpd[9859]: xsasl_cyrus_server_create: SASL service=smtp, realm=(null)
Feb  6 20:07:06 gentoo postfix/smtpd[9859]: name_mask: noanonymous
Feb  6 20:07:12 gentoo postfix/smtpd[9859]: < gentoo.charlesread.com[127.0.0.1]: helo gentoo.charlesread.com
Feb  6 20:07:12 gentoo postfix/smtpd[9859]: > gentoo.charlesread.com[127.0.0.1]: 250 gentoo.charlesread.com
Feb  6 20:07:16 gentoo postfix/smtpd[9859]: < gentoo.charlesread.com[127.0.0.1]: auth login
Feb  6 20:07:16 gentoo postfix/smtpd[9859]: xsasl_cyrus_server_first: sasl_method login
Feb  6 20:07:16 gentoo postfix/smtpd[9859]: xsasl_cyrus_server_auth_response: uncoded server challenge: Username:
Feb  6 20:07:16 gentoo postfix/smtpd[9859]: > gentoo.charlesread.com[127.0.0.1]: 334 VXNlcm5hbWU6
Feb  6 20:07:20 gentoo postfix/smtpd[9859]: < gentoo.charlesread.com[127.0.0.1]: XXX
Feb  6 20:07:20 gentoo postfix/smtpd[9859]: xsasl_cyrus_server_next: decoded response: UUU
Feb  6 20:07:20 gentoo postfix/smtpd[9859]: xsasl_cyrus_server_auth_response: uncoded server challenge: Password:
Feb  6 20:07:20 gentoo postfix/smtpd[9859]: > gentoo.charlesread.com[127.0.0.1]: 334 UGFzc3dvcmQ6
Feb  6 20:07:23 gentoo postfix/smtpd[9859]: < gentoo.charlesread.com[127.0.0.1]: YYY
Feb  6 20:07:23 gentoo postfix/smtpd[9859]: xsasl_cyrus_server_next: decoded response: PPP
Feb  6 20:07:23 gentoo postfix/smtpd[9859]: warning: gentoo.charlesread.com[127.0.0.1]: SASL login authentication failed: authentication failure
Feb  6 20:07:23 gentoo postfix/smtpd[9859]: > gentoo.charlesread.com[127.0.0.1]: 435 4.7.8 Error: authentication failed: authentication failure
Feb  6 20:07:25 gentoo postfix/smtpd[9859]: < gentoo.charlesread.com[127.0.0.1]: quit
Feb  6 20:07:25 gentoo postfix/smtpd[9859]: > gentoo.charlesread.com[127.0.0.1]: 221 2.0.0 Bye
Feb  6 20:07:25 gentoo postfix/smtpd[9859]: match_hostname: gentoo.charlesread.com ~? 127.0.0.1/32
Feb  6 20:07:25 gentoo postfix/smtpd[9859]: match_hostaddr: 127.0.0.1 ~? 127.0.0.1/32
Feb  6 20:07:25 gentoo postfix/smtpd[9859]: disconnect from gentoo.charlesread.com[127.0.0.1]
Feb  6 20:07:25 gentoo postfix/smtpd[9859]: master_notify: status 1
Feb  6 20:07:25 gentoo postfix/smtpd[9859]: connection closed
But, testsaslauthd works fine!
Code:

gentoo charles # testsaslauthd -u UUU -p PPP -s smtp
0: OK "Success."
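The smtpd debug log above is noisy, and the line that matters is the `warning: ... SASL login authentication failed` entry. As an added example (not part of the original post), this script pulls the SASL failure lines out of Postfix smtpd log text, counts failures per client address, and decodes the base64 in the `334` challenges so the exchange can be read in the clear. The log lines are constructed to mirror the quoted ones; hostnames, addresses and PIDs are placeholders.

```python
"""Scan Postfix smtpd log lines for SASL authentication failures.

Added example, not code from the thread. SAMPLE_LOG is constructed to look
like the smtpd debug output quoted in the post; hosts and addresses are
placeholders.
"""
import base64
import re
from collections import Counter

# The warning Postfix logs when a Cyrus SASL exchange fails, e.g.
# "warning: host[ip]: SASL login authentication failed: authentication failure"
SASL_FAIL_RE = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: warning: "
    r"(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: "
    r"SASL (?P<mech>\S+) authentication failed: (?P<reason>.*)$"
)

# The "334 <base64>" continuation lines the server sends during AUTH LOGIN
CHALLENGE_RE = re.compile(r"> [^:]+: 334 (?P<b64>[A-Za-z0-9+/=]+)$")

SAMPLE_LOG = """\
Feb  6 20:07:16 mx postfix/smtpd[9859]: > mail.example.com[192.0.2.10]: 334 VXNlcm5hbWU6
Feb  6 20:07:20 mx postfix/smtpd[9859]: > mail.example.com[192.0.2.10]: 334 UGFzc3dvcmQ6
Feb  6 20:07:23 mx postfix/smtpd[9859]: warning: mail.example.com[192.0.2.10]: SASL login authentication failed: authentication failure
Feb  6 20:07:23 mx postfix/smtpd[9859]: > mail.example.com[192.0.2.10]: 435 4.7.8 Error: authentication failed: authentication failure
Feb  6 20:09:01 mx postfix/smtpd[9861]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Feb  6 20:09:03 mx postfix/smtpd[9861]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
"""


def parse_sasl_failures(log_text):
    """Return one dict per SASL failure line: pid, host, ip, mech, reason."""
    failures = []
    for line in log_text.splitlines():
        m = SASL_FAIL_RE.search(line)
        if m:
            d = m.groupdict()
            d["mech"] = d["mech"].upper()  # Postfix echoes the client's spelling
            failures.append(d)
    return failures


def failures_by_client(failures):
    """Count failures per client IP: one misconfigured client looks very
    different from many addresses each failing a few times."""
    return Counter(f["ip"] for f in failures)


def decode_challenges(log_text):
    """Decode the base64 payload of each 334 server challenge."""
    decoded = []
    for line in log_text.splitlines():
        m = CHALLENGE_RE.search(line)
        if m:
            decoded.append(base64.b64decode(m.group("b64")).decode("utf-8", "replace"))
    return decoded


if __name__ == "__main__":
    fails = parse_sasl_failures(SAMPLE_LOG)
    for f in fails:
        print(f"{f['ip']:16} {f['mech']:8} {f['reason']}")
    print(failures_by_client(fails))
    print(decode_challenges(SAMPLE_LOG))
```

Run it against `/var/log/mail.log` by reading the file into `parse_sasl_failures`; the per-client counter is the same shape of data a fail2ban-style rule works from.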
cach0rr0
Bodhisattva
Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas

Posted: Sun Feb 10, 2013 11:10 am

Any reason to have saslauthd using PAM (which then uses MySQL) instead of having it go to MySQL directly?

Better still, set up the MySQL query directly in /etc/sasl2/smtpd.conf:

Code:

pwcheck_method: auxprop
auxprop_plugin: sql
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
sql_engine: mysql
sql_hostnames: 127.0.0.1
sql_user: web
sql_passwd: yourmysqlpassword
sql_database: web
sql_select: SELECT pass FROM accounts WHERE username = '%u@%r'


(note that '%u@%r' is localpart @ domain.tld; if your sasl username is just stored as 'localpart', just use '%u')

That won't work with crypt'd passwords as of a somewhat recent version of cyrus-sasl, which doesn't yet support this patchset. If that applies to you, disregard the entirety of my post!

What you've done *seems* like it should work, and may well be your only option if your passwords are encrypted and you're on a later cyrus-sasl.
The only other thing that seems off is that the AUTH mech list showing up includes far more than just PLAIN and LOGIN. I worry that, as per the Postfix doc, your client may be trying one of these other mechs first. They shouldn't even be showing up if you've restarted/reloaded Postfix since you made that smtpd.conf change.

Try doing your same tests over an encrypted channel?

Code:

openssl s_client -connect x.x.x.x:25 -starttls smtp


Maybe plain/login are disallowed over unencrypted connections.
Back to top
View user's profile Send private message
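The mismatch cach0rr0 points at (seven mechanisms advertised at EHLO, two allowed by `mech_list`) is easy to check mechanically. As an added example, not code from the thread or from Postfix or Cyrus SASL, this script parses the `250-AUTH` lines of an EHLO response and the `mech_list` of an smtpd.conf and reports anything the server offers that the config does not allow. The EHLO text and config below are constructed from the values quoted in the thread with a placeholder hostname.

```python
"""Compare the AUTH mechanisms Postfix advertises at EHLO with the mech_list
in its Cyrus SASL smtpd.conf.

Added example, not code from the thread. EHLO_RESPONSE and SMTPD_CONF are
constructed from the values quoted in the thread; the hostname is a placeholder.
"""
import re

EHLO_RESPONSE = """\
250-mx.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH SCRAM-SHA-1 DIGEST-MD5 OTP NTLM CRAM-MD5 LOGIN PLAIN
250-AUTH=SCRAM-SHA-1 DIGEST-MD5 OTP NTLM CRAM-MD5 LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""

SMTPD_CONF = """\
log_level: 7
mech_list: PLAIN LOGIN
pwcheck_method: saslauthd
"""


def parse_mech_list(conf_text):
    """Return the mechanisms allowed by mech_list (upper-cased), or None when
    the option is absent; without it Cyrus SASL offers every plugin it finds."""
    for line in conf_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "mech_list":
            return {m.upper() for m in value.split()}
    return None


def parse_ehlo_auth(ehlo_text):
    """Return the mechanisms listed on the 250-AUTH line(s). The 'AUTH=' form
    is the same list repeated for old clients (broken_sasl_auth_clients = yes)."""
    mechs = set()
    for line in ehlo_text.splitlines():
        m = re.match(r"250[- ]AUTH=?\s*(.*)$", line)
        if m:
            mechs.update(x.upper() for x in m.group(1).split())
    return mechs


def unexpected_mechs(ehlo_text, conf_text):
    """Mechanisms the server offers but the config does not allow. A non-empty
    result means smtpd is not using the smtpd.conf you edited: either the
    daemon has not been restarted since the change, or the SASL library is
    reading a different file than the one you think (check smtpd_sasl_path)."""
    allowed = parse_mech_list(conf_text)
    advertised = parse_ehlo_auth(ehlo_text)
    if allowed is None:
        return advertised
    return advertised - allowed


if __name__ == "__main__":
    extra = unexpected_mechs(EHLO_RESPONSE, SMTPD_CONF)
    print("advertised but not in mech_list:", sorted(extra) or "none")
```

Feed it the banner captured from `telnet` or from `openssl s_client -starttls smtp` to compare the plaintext and TLS views; if the list only shrinks to PLAIN/LOGIN after a restart, the config is being read and the earlier failure was a stale daemon.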