Souperman (Guru)
Joined: 14 Jul 2003  Posts: 449  Location: Cape Town, South Africa
Posted: Sat Feb 14, 2004 10:57 am  Post subject: Postfix+cyrus-sasl authentication failures [SOLVED]

The machine which hosts my virtual server suffered a complete data loss a few days ago. I keep daily backups of the important stuff, so I restored my /etc/make.conf and /var/cache/edb/world file and did an "emerge `cat /var/cache/edb/world`" before restoring the rest of my backup data.
Everything seems to be working perfectly, except for SMTP authentication. The following syslog messages are relevant:
Code:
Feb 14 12:17:15 wizard postfix/smtpd[17983]: connect from myhost[myip]
Feb 14 12:17:18 wizard postfix/smtpd[17983]: warning: myhost[myip]: SASL LOGIN authentication failed
Feb 14 12:17:31 wizard postfix/smtpd[17983]: lost connection after AUTH from myhost[myip]
Feb 14 12:17:31 wizard postfix/smtpd[17983]: disconnect from myhost[myip]

My configuration is the same as that used in the Virtual/Mailhosting Guide, except that I've tweaked it to authenticate against /etc/(passwd|shadow) in addition to the mysql database. This worked perfectly before the data loss.
Relevant /etc/postfix/main.cf bits:
Code:
smtpd_sasl_auth_enable = yes
smtpd_sasl2_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes

/etc/sasl2/smtpd.conf:
Code:
# $Header: /home/cvsroot/gentoo-x86/net-mail/postfix/files/smtpd-2.0.conf,v 1.1 2003/07/18 20:34:39 lanius Exp $
pwcheck_method:saslauthd
mech_list: LOGIN PLAIN

/etc/pam.d/smtp:
Code:
# $Header: /home/cvsroot/gentoo-x86/net-mail/postfix/files/smtp.pam,v 1.2 2002/05/04 03:55:29 woodchip Exp $
auth sufficient /lib/security/pam_pwdb.so nullok shadow
account sufficient /lib/security/pam_pwdb.so
auth sufficient pam_mysql.so server=localhost db=mailsql user=mailsql passwd=password table=users usercolumn=email passwdcolumn=crypt crypt=1
account sufficient pam_mysql.so server=localhost db=mailsql user=mailsql passwd=password table=users usercolumn=email passwdcolumn=crypt crypt=1

Anyone know where the problem could be?
_________________ moo
Last edited by Souperman on Fri Feb 20, 2004 12:29 pm; edited 1 time in total
Souperman (Guru)
Joined: 14 Jul 2003  Posts: 449  Location: Cape Town, South Africa
Posted: Wed Feb 18, 2004 10:38 am

*bump*
Still haven't figured this one out.
_________________ moo
voidx (n00b)
Joined: 20 Mar 2003  Posts: 40  Location: Czech Republic
Posted: Wed Feb 18, 2004 11:27 am

Quote:
passwdcolumn=crypt crypt=1

Just to be sure - so you are using crypted passwords in the mysql database?
And what about re-emerging cyrus-sasl? This is a total blind shot, but I remember I had a similar problem after one disaster and this solved it for me...
_________________ [brkerez]
Souperman (Guru)
Joined: 14 Jul 2003  Posts: 449  Location: Cape Town, South Africa
Posted: Wed Feb 18, 2004 11:40 am

Yes, I'm using crypted passwords in the database, but that's not the problem in this case anyway, as the 2 people who are having a problem are real users, i.e. they have an account on the box. I'm re-emerging cyrus-sasl as I type, but will only be able to test that when I get home in a few hours.
_________________ moo
voidx (n00b)
Joined: 20 Mar 2003  Posts: 40  Location: Czech Republic
Posted: Wed Feb 18, 2004 12:50 pm

Local users - oh, I overlooked that.
I'm using the same virtual mysql mail system, also with local users, and it is working. I compared your configs with mine, and /etc/pam.d/smtp, /etc/sasl2/smtpd.conf and the relevant part of /etc/postfix/main.cf are exactly the same.
We'll see after re-emerging cyrus-sasl...
_________________ [brkerez]
Souperman (Guru)
Joined: 14 Jul 2003  Posts: 449  Location: Cape Town, South Africa
Posted: Wed Feb 18, 2004 6:08 pm

OK, a different error message now:
Code:
Feb 18 19:58:06 wizard postfix/smtpd[1531]: connect from myhost[myip]
Feb 18 19:58:29 wizard postfix/smtpd[1531]: warning: SASL authentication failure: client didn't issue valid NTLM response
Feb 18 19:58:29 wizard postfix/smtpd[1531]: warning: myhost[myip]: SASL NTLM authentication failed
Feb 18 19:58:43 wizard postfix/smtpd[1531]: warning: myhost[myip]: SASL NTLM authentication failed
Feb 18 19:58:44 wizard postfix/smtpd[1531]: lost connection after AUTH from myhost[myip]
Feb 18 19:58:44 wizard postfix/smtpd[1531]: disconnect from myhost[myip]

I have no idea where NTLM comes into the equation. According to /etc/conf.d/saslauthd, I am only using pam, and "ps x | grep sasl" only shows "/usr/sbin/saslauthd -a pam".
_________________ moo
Souperman (Guru)
Joined: 14 Jul 2003  Posts: 449  Location: Cape Town, South Africa
Posted: Thu Feb 19, 2004 9:53 am

I also just noticed this, in response to EHLO:
Code:
250-AUTH NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-AUTH=NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5

I'm not 100% sure, but as far as I can recall, that only said "LOGIN PLAIN" before the crash/re-install.
(EDIT: Checked some backups and it definitely only had "LOGIN PLAIN" previously)
Not sure how to get rid of NTLM there ... any ideas?
_________________ moo
voidx (n00b)
Joined: 20 Mar 2003  Posts: 40  Location: Czech Republic
Posted: Thu Feb 19, 2004 4:25 pm

AFAIK the 250-AUTH list is generated from the setting in /etc/sasl2/smtpd.conf.
If I remember well, in earlier versions of cyrus-sasl there was another place where smtpd.conf was stored (somewhere under /var, I guess)... So the only idea I have is to check whether there isn't another smtpd.conf somewhere in the system from which cyrus gets its configuration instead of getting it from /etc/sasl2/. It is logical - if it is true, maybe it is also the source of your authentication problems.
Code:
find / -iname smtpd.conf

_________________ [brkerez]
Jaxom (Tux's lil' helper)
Joined: 31 Jan 2003  Posts: 137
Posted: Thu Feb 19, 2004 5:13 pm

This line needs to be commented out for sasl to work. I ran into the same thing where my clients couldn't auth via sasl.... After much searching, knowing that it HAD been working at one time, I found this to be the culprit.
Code:
#smtpd_tls_auth_only = yes

After commenting it out, sasl worked perfectly again.
[edit] Oops, I lied, I didn't have the exact same problem. I re-read everything.... Sorry about that, but I'll leave my post just in case it does help.
_________________ Undisputed Heavyweight Champion. If it's undisputed, WHAT'S ALL THE FIGHTING ABOUT?!?! -- George Carlin
Souperman (Guru)
Joined: 14 Jul 2003  Posts: 449  Location: Cape Town, South Africa
Posted: Thu Feb 19, 2004 5:29 pm

voidx wrote:
AFAIK the 250-AUTH list is generated from the setting in /etc/sasl2/smtpd.conf.
If I remember well, in earlier versions of cyrus-sasl there was another place where smtpd.conf was stored (somewhere under /var, I guess)... So the only idea I have is to check whether there isn't another smtpd.conf somewhere in the system from which cyrus gets its configuration instead of getting it from /etc/sasl2/. It is logical - if it is true, maybe it is also the source of your authentication problems.
Code:
find / -iname smtpd.conf

The only thing close is /var/lib/sasl2. There's no smtpd.conf there, but I tried symlinking it to /etc/sasl2/smtpd.conf and restarting postfix & saslauthd, but it's still showing me NTLM and still failing when I try to send a message.

Jaxom wrote:
This line needs to be commented out for sasl to work. I ran into the same thing where my clients couldn't auth via sasl.... After much searching, knowing that it HAD been working at one time, I found this to be the culprit.
Code:
#smtpd_tls_auth_only = yes

After commenting it out, sasl worked perfectly again.

I have no such line in my postfix config.
_________________ moo
voidx (n00b)
Joined: 20 Mar 2003  Posts: 40  Location: Czech Republic
Posted: Thu Feb 19, 2004 7:32 pm

It's strange...
I played with my /etc/sasl2/smtpd.conf, and immediately after changing the login methods in this file and restarting saslauthd & postfix, my postfix reflects these changes and I get a different 250-AUTH response when I connect with telnet...
I have no idea for now.
_________________ [brkerez]
ikaro (Advocate)
Joined: 14 Jul 2003  Posts: 2526  Location: Denmark
Posted: Fri Feb 20, 2004 11:56 am

From what I can see in the postfix docs:
Code:
Limiting SASL mechanisms
As of Cyrus-SASL-2.x SASL is able to limit the mechanisms it will offer when an application e.g. Postfix uses it. This is done by setting the parameter mech_list in /usr/lib/sasl2/smtpd.conf.
pwcheck_method: saslauthd
mech_list: plain login

The mech_list restricts usage to no more than `Plain` and `Login`.
If you comment out the mech_list you get:
Code:
250-AUTH NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-AUTH=NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5

The file where the changes take effect is /etc/sasl2/smtpd.conf.
NTLM is just another login method.
You might want to check this answer here:
http://www.irbs.net/internet/cyrus-sasl/0402/0021.html
:?
_________________ linux: #232767
Souperman (Guru)
Joined: 14 Jul 2003  Posts: 449  Location: Cape Town, South Africa
Posted: Fri Feb 20, 2004 12:29 pm

Thanks ikaro!!
Code:
# ln -s /etc/sasl2/smtpd.conf /usr/lib/sasl2/smtpd.conf
# postfix reload

Solved!
_________________ moo
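The mech_list check ikaro describes and the symlink fix above, turned into a script that an admin can run after a reinstall: an added example, not code from the thread, Postfix or Cyrus SASL. It assumes the smtpd.conf search order passed on the command line (the real library's search path is compiled in); the directories, sample config and EHLO transcript are constructed.

```shell
#!/bin/sh
# Added example (not code from the thread): find which smtpd.conf Cyrus SASL
# would pick up and check that the AUTH mechanisms Postfix advertises on EHLO
# are exactly those allowed by that file's mech_list. The search directories,
# sample config and EHLO transcript below are constructed test data.
export LC_ALL=C   # sort and comm must agree on collation

# Print the first smtpd.conf found in the given directories (earlier args win);
# exit 1 if none exists, in which case SASL falls back to its built-in defaults
# and offers every compiled-in mechanism (NTLM, DIGEST-MD5, CRAM-MD5, ...).
effective_smtpd_conf() {
    for d in "$@"; do
        [ -f "$d/smtpd.conf" ] && { echo "$d/smtpd.conf"; return 0; }
    done
    return 1
}

# Mechanisms allowed by mech_list in a config file: upper-case, one per line, sorted.
mech_list_from_conf() {
    sed -n 's/^[[:space:]]*mech_list[[:space:]]*:[[:space:]]*//p' "$1" \
        | tr '[:lower:]' '[:upper:]' | tr -s ' \t' '\n\n' | grep . | sort -u
}

# Mechanisms from the first "250-AUTH ..." line of an EHLO reply read on stdin
# (the "250-AUTH=..." line is a duplicate for broken clients and is skipped).
advertised_from_ehlo() {
    tr -d '\r' | sed -n '/^250[- ]AUTH /{s/^250[- ]AUTH //p;q;}' \
        | tr -s ' \t' '\n\n' | grep . | sort -u
}

# Print advertised mechanisms that mech_list does not allow. Empty output means
# Postfix honours the file you edited; anything else means it reads a different
# (or no) smtpd.conf, which is what happened in the thread.
unexpected_mechs() {
    a=$(mktemp); b=$(mktemp)
    advertised_from_ehlo <"$2" >"$a"
    mech_list_from_conf "$1" >"$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# Constructed demo: the admin edits /etc/sasl2/smtpd.conf, but the library looks
# in /usr/lib/sasl2, where no file exists, so every mechanism is advertised.
demo=$(mktemp -d)
mkdir -p "$demo/etc/sasl2" "$demo/usr/lib/sasl2"
printf 'pwcheck_method: saslauthd\nmech_list: plain login\n' >"$demo/etc/sasl2/smtpd.conf"
printf '250-AUTH NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5\r\n250-AUTH=NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5\r\n' >"$demo/ehlo.txt"
effective_smtpd_conf "$demo/usr/lib/sasl2" || echo "no smtpd.conf under /usr/lib/sasl2: SASL defaults apply"
unexpected_mechs "$demo/etc/sasl2/smtpd.conf" "$demo/ehlo.txt"   # prints CRAM-MD5, DIGEST-MD5, NTLM
ln -s "$demo/etc/sasl2/smtpd.conf" "$demo/usr/lib/sasl2/smtpd.conf"   # the thread's fix
```

On a real host, feed it the output of a telnet EHLO session saved to a file and the directories /usr/lib/sasl2 and /etc/sasl2; a non-empty result is the signal that the file you edited is not the one being read.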
ikaro (Advocate)
Joined: 14 Jul 2003  Posts: 2526  Location: Denmark
Posted: Fri Feb 20, 2004 12:38 pm

Alright :) nice that you got it working :)
_________________ linux: #232767
Souperman (Guru)
Joined: 14 Jul 2003  Posts: 449  Location: Cape Town, South Africa
Posted: Fri Feb 20, 2004 12:59 pm

Do you think this qualifies as a bug? I mean, emerging cyrus-sasl *should* put the config file where it belongs or create a symlink or something.
_________________ moo
ikaro (Advocate)
Joined: 14 Jul 2003  Posts: 2526  Location: Denmark
Posted: Fri Feb 20, 2004 1:05 pm

I had the file in both places, but sure, it should only be in one, in the right location, to avoid confusion.
You can try and submit a bug :)
_________________ linux: #232767
Souperman (Guru)
Joined: 14 Jul 2003  Posts: 449  Location: Cape Town, South Africa
Posted: Fri Feb 20, 2004 1:39 pm

Hmm ok, guess I was just unlucky
_________________ moo
voidx (n00b)
Joined: 20 Mar 2003  Posts: 40  Location: Czech Republic
Posted: Fri Feb 20, 2004 2:52 pm

This is what I was talking about: in earlier versions of saslauthd there was no /etc/sasl2/smtpd.conf - there was only smtpd.conf under /usr/lib/...
I think this is also noted in the gentoo virt mailhosting howto...
Unfortunately my poor in-head CPU has very bad memory and thought that it was somewhere under /var/..., and I didn't notice that now /etc/sasl/... is symlinked to /usr/...
I think that you really experienced some strange problem with the ebuild, not really a bug, because as you can see, my symlink was automatically created during the upgrade from the older version and I didn't even notice that something changed.
_________________ [brkerez]