| View previous topic :: View next topic |
| Author |
Message |
Souperman
Guru
Joined: 14 Jul 2003
Posts: 449
Location: Cape Town, South Africa
|
 Posted: Sat Feb 14, 2004 10:57 am Post subject: Postfix+cyrus-sasl authentication failures [SOLVED] |
 |
|
The machine which hosts my virtual server suffered a complete data loss a few days ago. I keep daily backups of the important stuff, so I restored my /etc/make.conf and /var/cache/edb/world file and did an "emerge `cat /var/cache/edb/world` before restoring the rest of my backup data.
Everything seems to be working perfectly, except for SMTP authentication. The following syslog messages are relevant:
| Code: | Feb 14 12:17:15 wizard postfix/smtpd[17983]: connect from myhost[myip]
Feb 14 12:17:18 wizard postfix/smtpd[17983]: warning: myhost[myip]: SASL LOGIN authentication failed
Feb 14 12:17:31 wizard postfix/smtpd[17983]: lost connection after AUTH from myhost[myip]
Feb 14 12:17:31 wizard postfix/smtpd[17983]: disconnect from myhost[myip] |
My configuration is the same as that used in the Virtual/Mailhosting Guide, except that I've tweaked it to authenticate against /etc/(passwd|shadow) in addition to the mysql database. This worked perfectly before the data loss.
Relevant /etc/postfix/main.cf bits:
| Code: |
smtpd_sasl_auth_enable = yes
smtpd_sasl2_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
|
/etc/sasl2/smtpd.conf:
| Code: |
# $Header: /home/cvsroot/gentoo-x86/net-mail/postfix/files/smtpd-2.0.conf,v 1.1 2003/07/18 20:34:39 lanius Exp $
pwcheck_method:saslauthd
mech_list: LOGIN PLAIN
|
/etc/pam.d/smtp:
| Code: |
# $Header: /home/cvsroot/gentoo-x86/net-mail/postfix/files/smtp.pam,v 1.2 2002/05/04 03:55:29 woodchip Exp $
auth sufficient /lib/security/pam_pwdb.so nullok shadow
account sufficient /lib/security/pam_pwdb.so
auth sufficient pam_mysql.so server=localhost db=mailsql user=mailsql passwd=password table=users usercolumn=email passwdcolumn=crypt crypt=1
account sufficient pam_mysql.so server=localhost db=mailsql user=mailsql passwd=password table=users usercolumn=email passwdcolumn=crypt crypt=1
|
Anyone know where the problem could be?
_________________
moo
Last edited by Souperman on Fri Feb 20, 2004 12:29 pm; edited 1 time in total |
|
| Back to top |
|
 |
Souperman
Guru
Joined: 14 Jul 2003
Posts: 449
Location: Cape Town, South Africa
|
| Posted: Wed Feb 18, 2004 10:38 am Post subject: |
|
|
*bump*
still haven't figured this one out. 
_________________
moo |
|
| Back to top |
|
|
voidx
n00b
Joined: 20 Mar 2003
Posts: 40
Location: Czech Republic
|
| Posted: Wed Feb 18, 2004 11:27 am Post subject: |
|
|
| Quote: |
passwdcolumn=crypt crypt=1
|
Just for sure - so you are using crypted passwords in mysql database ?
And what about reemerging cyrus-sasl ? This is total blindshot  but I remember I have similar problem after one disaster and this solved it for me...
_________________
[brkerez] |
|
| Back to top |
|
|
Souperman
Guru
Joined: 14 Jul 2003
Posts: 449
Location: Cape Town, South Africa
|
| Posted: Wed Feb 18, 2004 11:40 am Post subject: |
|
|
Yes, I'm using crypted passwords in the database, but that's not the problem in this case anyway, as the 2 people who are having a problem are real users, i.e. they have an account on the box. Re-emerging cyrus-sasl as I type but will only be able to test that when I get home in a few hours.
_________________
moo |
|
| Back to top |
|
|
voidx
n00b
Joined: 20 Mar 2003
Posts: 40
Location: Czech Republic
|
| Posted: Wed Feb 18, 2004 12:50 pm Post subject: |
|
|
local users - oh I overlooked that 
Im using same virtual mysql mail system also with local users and it is working - I looked at your and my configs and /etc/pam.d/smtp and /etc/sasl2/smtpd.conf and part from /etc/postfix/main.cf are exactly same.
We'll see after reemerging cyrus-sasl...
_________________
[brkerez] |
|
| Back to top |
|
|
Souperman
Guru
Joined: 14 Jul 2003
Posts: 449
Location: Cape Town, South Africa
|
| Posted: Wed Feb 18, 2004 6:08 pm Post subject: |
|
|
OK, a different error message now:
| Code: |
Feb 18 19:58:06 wizard postfix/smtpd[1531]: connect from myhost[myip]
Feb 18 19:58:29 wizard postfix/smtpd[1531]: warning: SASL authentication failure: client didn't issue valid NTLM response
Feb 18 19:58:29 wizard postfix/smtpd[1531]: warning: myhost[myip]: SASL NTLM authentication failed
Feb 18 19:58:43 wizard postfix/smtpd[1531]: warning: myhost[myip]: SASL NTLM authentication failed
Feb 18 19:58:44 wizard postfix/smtpd[1531]: lost connection after AUTH from myhost[myip]
Feb 18 19:58:44 wizard postfix/smtpd[1531]: disconnect from myhost[myip]
|
I have no idea where NTLM comes into the equation. According to /etc/conf.d/saslauthd, I am only using pam and "ps x | grep sasl" only shows up "/usr/sbin/saslauthd -a pam".
_________________
moo |
|
| Back to top |
|
|
Souperman
Guru
Joined: 14 Jul 2003
Posts: 449
Location: Cape Town, South Africa
|
| Posted: Thu Feb 19, 2004 9:53 am Post subject: |
|
|
I also just noticed this, in response to EHLO:
| Code: |
250-AUTH NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-AUTH=NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
|
I'm not 100% sure, but as far as I can recall, that only said "LOGIN PLAIN" before the crash/re-install.
(EDIT: Checked some backups and it definitely only had "LOGIN PLAIN" previously)
Not sure how to get rid of NTLM there ... any ideas?
_________________
moo |
|
| Back to top |
|
|
voidx
n00b
Joined: 20 Mar 2003
Posts: 40
Location: Czech Republic
|
| Posted: Thu Feb 19, 2004 4:25 pm Post subject: |
|
|
AFAIK 250-AUTH list is generated from setting in /etc/sasl2/smtpd.conf
If I remember well, in earlier versions of cyrus-sasl there was other place where smtpd.conf was stored (somewhere under /var I guess)... So only idea I have is to check if somewhere in the system isn't another smtpd.conf where cyrus gets it's configuration instead of getting it from /etc/sasl2/. It is logical - if it is true, maybee it is also source of your authentication problems
| Code: |
find / -iname smtpd.conf
|
_________________
[brkerez] |
|
| Back to top |
|
|
Jaxom
Tux's lil' helper
Joined: 31 Jan 2003
Posts: 137
|
| Posted: Thu Feb 19, 2004 5:13 pm Post subject: |
|
|
This line needs to be commented out for sasl to work. I ran into the same thing where my clients couldn't auth via sasl....after much searching knowing that it HAD been working at one time, I found this to be the culprit.
| Code: | | #smtpd_tls_auth_only = yes |
After commenting it out, sasl worked perfectly again.
[edit] oops, I lied, I didn't have the exact same problem. I re-read everything....sorry about that, but I'll leave my post just incase it does help 
_________________
Undisputed Heavyweight Champion. If it's undisputed, WHAT'S ALL THE FIGHTING ABOUT?!?! -- George Carlin |
|
| Back to top |
|
|
Souperman
Guru
Joined: 14 Jul 2003
Posts: 449
Location: Cape Town, South Africa
|
| Posted: Thu Feb 19, 2004 5:29 pm Post subject: |
|
|
| voidx wrote: | AFAIK 250-AUTH list is generated from setting in /etc/sasl2/smtpd.conf
If I remember well, in earlier versions of cyrus-sasl there was other place where smtpd.conf was stored (somewhere under /var I guess)... So only idea I have is to check if somewhere in the system isn't another smtpd.conf where cyrus gets it's configuration instead of getting it from /etc/sasl2/. It is logical - if it is true, maybee it is also source of your authentication problems
| Code: |
find / -iname smtpd.conf
|
|
The only thing close is /var/lib/sasl2. There's no smtpd.conf there, but I tried symlinking it to /etc/sasl2/smtpd.conf and restarting postfix & saslauthd but it's still showing me NTLM and still failing when I try to send a message. 
| Jaxom wrote: | This line needs to be commented out for sasl to work. I ran into the same thing where my clients couldn't auth via sasl....after much searching knowing that it HAD been working at one time, I found this to be the culprit.
Code:
#smtpd_tls_auth_only = yes
After commenting it out, sasl worked perfectly again. |
I have no such line in my postfix config.
_________________
moo |
|
| Back to top |
|
|
voidx
n00b
Joined: 20 Mar 2003
Posts: 40
Location: Czech Republic
|
| Posted: Thu Feb 19, 2004 7:32 pm Post subject: |
|
|
it's strange...
I played with my /etc/sasl2/smtpd.conf and emediatelly after changing login methods in this file and after restarting saslauthd & postfix is my postfix reflecting this changes and I get diferent 250-AUTH response when I connect with telnet...
I have no idea for now 
_________________
[brkerez] |
|
| Back to top |
|
|
ikaro
Advocate
Joined: 14 Jul 2003
Posts: 2526
Location: Denmark
|
| Posted: Fri Feb 20, 2004 11:56 am Post subject: |
|
|
from what i can see in the postfix docs is:
| Code: |
Limiting SASL mechanisms
As of Cyrus-SASL-2.x SASL is able to limit the mechanisms it will offer when an application e.g. Postfix uses it. This is done by setting the parameter mech_list in /usr/lib/sasl2/smtpd.conf.
pwcheck_method: saslauthd
mech_list: plain login
|
The mech_list restricts the usage of more than ´Plain ´ and `Login`
If you comment the mech_list you get:
| Code: |
250-AUTH NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-AUTH=NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
|
The file where the changes take effect is /etc/sasl2/smtpd.conf
the NTLM its just another login method.
You might want to check this answer in here:
http://www.irbs.net/internet/cyrus-sasl/0402/0021.html
:?
_________________
linux: #232767 |
|
| Back to top |
|
|
Souperman
Guru
Joined: 14 Jul 2003
Posts: 449
Location: Cape Town, South Africa
|
| Posted: Fri Feb 20, 2004 12:29 pm Post subject: |
|
|
Thanks ikaro!!
| Code: |
# ln -s /etc/sasl2/smtpd.conf /usr/lib/sasl2/smtpd.conf
# postfix reload
|
Solved! 
_________________
moo |
|
| Back to top |
|
|
ikaro
Advocate
Joined: 14 Jul 2003
Posts: 2526
Location: Denmark
|
| Posted: Fri Feb 20, 2004 12:38 pm Post subject: |
|
|
alright :) nice that you got it working :)
_________________
linux: #232767 |
|
| Back to top |
|
|
Souperman
Guru
Joined: 14 Jul 2003
Posts: 449
Location: Cape Town, South Africa
|
| Posted: Fri Feb 20, 2004 12:59 pm Post subject: |
|
|
Do you think this qualifies as a bug? I mean, emerging cyrus-sasl *should* put the config file where it belongs or create a symlink or something.
_________________
moo |
|
| Back to top |
|
|
ikaro
Advocate
Joined: 14 Jul 2003
Posts: 2526
Location: Denmark
|
| Posted: Fri Feb 20, 2004 1:05 pm Post subject: |
|
|
i had the file both places, but sure it should only be one in the right location to avoid confusion.
you can try and submit a bug :)
_________________
linux: #232767 |
|
| Back to top |
|
|
Souperman
Guru
Joined: 14 Jul 2003
Posts: 449
Location: Cape Town, South Africa
|
| Posted: Fri Feb 20, 2004 1:39 pm Post subject: |
|
|
Hmm ok, guess I was just unlucky 
_________________
moo |
|
| Back to top |
|
|
voidx
n00b
Joined: 20 Mar 2003
Posts: 40
Location: Czech Republic
|
| Posted: Fri Feb 20, 2004 2:52 pm Post subject: |
|
|
This is what I was talking about: in earlier versions of saslauthd there was no /etc/sasl2/smtpd.conf - there was only smtpd.conf under /usr/lib/...
I think this is noted also in gentoo virt mailhosting howto...
Unfortunately my poor in-head-cpu has very bad memory and thought that it was somewhere under /var/.... and I didn't notice that now /etc/sasl/... is symlinked to /usr/...
I think that you really experienced some strange problem with ebuild, not really a bug because as you can see - my symlink was automatically created during upgrade from older version and I even didn't notice that something changed 
_________________
[brkerez] |
|
| Back to top |
|
|
|
Networking & Security
