Gentoo Forums
Postfix+cyrus-sasl authentication failures [SOLVED]
Forum: Networking & Security
Souperman
Guru
Joined: 14 Jul 2003
Posts: 449
Location: Cape Town, South Africa

Posted: Sat Feb 14, 2004 10:57 am    Post subject: Postfix+cyrus-sasl authentication failures [SOLVED]

The machine which hosts my virtual server suffered a complete data loss a few days ago. I keep daily backups of the important stuff, so I restored my /etc/make.conf and /var/cache/edb/world file and did an "emerge `cat /var/cache/edb/world`" before restoring the rest of my backup data.

Everything seems to be working perfectly, except for SMTP authentication. The following syslog messages are relevant:
Code:
Feb 14 12:17:15 wizard postfix/smtpd[17983]: connect from myhost[myip]
Feb 14 12:17:18 wizard postfix/smtpd[17983]: warning: myhost[myip]: SASL LOGIN authentication failed
Feb 14 12:17:31 wizard postfix/smtpd[17983]: lost connection after AUTH from myhost[myip]
Feb 14 12:17:31 wizard postfix/smtpd[17983]: disconnect from myhost[myip]


My configuration is the same as that used in the Virtual/Mailhosting Guide, except that I've tweaked it to authenticate against /etc/(passwd|shadow) in addition to the mysql database. This worked perfectly before the data loss.

Relevant /etc/postfix/main.cf bits:
Code:

smtpd_sasl_auth_enable = yes
smtpd_sasl2_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes


/etc/sasl2/smtpd.conf:
Code:

# $Header: /home/cvsroot/gentoo-x86/net-mail/postfix/files/smtpd-2.0.conf,v 1.1 2003/07/18 20:34:39 lanius Exp $
pwcheck_method:saslauthd
mech_list: LOGIN PLAIN


/etc/pam.d/smtp:
Code:

# $Header: /home/cvsroot/gentoo-x86/net-mail/postfix/files/smtp.pam,v 1.2 2002/05/04 03:55:29 woodchip Exp $
auth     sufficient  /lib/security/pam_pwdb.so nullok shadow
account  sufficient  /lib/security/pam_pwdb.so

auth     sufficient  pam_mysql.so server=localhost db=mailsql user=mailsql passwd=password table=users usercolumn=email passwdcolumn=crypt crypt=1
account  sufficient  pam_mysql.so server=localhost db=mailsql user=mailsql passwd=password table=users usercolumn=email passwdcolumn=crypt crypt=1


Anyone know where the problem could be?
_________________
moo


Last edited by Souperman on Fri Feb 20, 2004 12:29 pm; edited 1 time in total
Souperman
Guru
Joined: 14 Jul 2003
Posts: 449
Location: Cape Town, South Africa

Posted: Wed Feb 18, 2004 10:38 am    Post subject:

*bump*

Still haven't figured this one out. :?
_________________
moo
voidx
n00b
Joined: 20 Mar 2003
Posts: 40
Location: Czech Republic

Posted: Wed Feb 18, 2004 11:27 am    Post subject:

Quote:

passwdcolumn=crypt crypt=1


Just to be sure: so you are using crypted passwords in the mysql database?

And what about re-emerging cyrus-sasl? This is a total blind shot :D but I remember I had a similar problem after one disaster and this solved it for me...
_________________
[brkerez]
Souperman
Guru
Joined: 14 Jul 2003
Posts: 449
Location: Cape Town, South Africa

Posted: Wed Feb 18, 2004 11:40 am    Post subject:

Yes, I'm using crypted passwords in the database, but that's not the problem in this case anyway, as the 2 people who are having a problem are real users, i.e. they have an account on the box. I'm re-emerging cyrus-sasl as I type, but will only be able to test that when I get home in a few hours.
_________________
moo
voidx
n00b
Joined: 20 Mar 2003
Posts: 40
Location: Czech Republic

Posted: Wed Feb 18, 2004 12:50 pm    Post subject:

Local users - oh, I overlooked that 8O

I'm using the same virtual mysql mail system, also with local users, and it is working. I looked at your and my configs, and /etc/pam.d/smtp, /etc/sasl2/smtpd.conf and the part from /etc/postfix/main.cf are exactly the same.

We'll see after re-emerging cyrus-sasl...
_________________
[brkerez]
Souperman
Guru
Joined: 14 Jul 2003
Posts: 449
Location: Cape Town, South Africa

Posted: Wed Feb 18, 2004 6:08 pm    Post subject:

OK, a different error message now:
Code:

Feb 18 19:58:06 wizard postfix/smtpd[1531]: connect from myhost[myip]
Feb 18 19:58:29 wizard postfix/smtpd[1531]: warning: SASL authentication failure: client didn't issue valid NTLM response
Feb 18 19:58:29 wizard postfix/smtpd[1531]: warning: myhost[myip]: SASL NTLM authentication failed
Feb 18 19:58:43 wizard postfix/smtpd[1531]: warning: myhost[myip]: SASL NTLM authentication failed
Feb 18 19:58:44 wizard postfix/smtpd[1531]: lost connection after AUTH from myhost[myip]
Feb 18 19:58:44 wizard postfix/smtpd[1531]: disconnect from myhost[myip]

I have no idea where NTLM comes into the equation. According to /etc/conf.d/saslauthd, I am only using pam, and "ps x | grep sasl" only shows "/usr/sbin/saslauthd -a pam".

:?
_________________
moo
Souperman
Guru
Joined: 14 Jul 2003
Posts: 449
Location: Cape Town, South Africa

Posted: Thu Feb 19, 2004 9:53 am    Post subject:

I also just noticed this, in response to EHLO:
Code:

250-AUTH NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-AUTH=NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5


I'm not 100% sure, but as far as I can recall, that only said "LOGIN PLAIN" before the crash/re-install.

(EDIT: Checked some backups and it definitely only had "LOGIN PLAIN" previously)

Not sure how to get rid of NTLM there ... any ideas?
_________________
moo
voidx
n00b
Joined: 20 Mar 2003
Posts: 40
Location: Czech Republic

Posted: Thu Feb 19, 2004 4:25 pm    Post subject:

AFAIK the 250-AUTH list is generated from the setting in /etc/sasl2/smtpd.conf.

If I remember well, in earlier versions of cyrus-sasl there was another place where smtpd.conf was stored (somewhere under /var I guess)... So the only idea I have is to check whether there isn't another smtpd.conf somewhere in the system where cyrus gets its configuration instead of getting it from /etc/sasl2/. It is logical - if it is true, maybe it is also the source of your authentication problems.

Code:

find / -iname smtpd.conf

_________________
[brkerez]
Jaxom
Tux's lil' helper
Joined: 31 Jan 2003
Posts: 137

Posted: Thu Feb 19, 2004 5:13 pm    Post subject:

This line needs to be commented out for sasl to work. I ran into the same thing where my clients couldn't auth via sasl. After much searching, knowing that it HAD been working at one time, I found this to be the culprit.

Code:
#smtpd_tls_auth_only = yes


After commenting it out, sasl worked perfectly again.

[edit] Oops, I lied, I didn't have the exact same problem. I re-read everything... sorry about that, but I'll leave my post just in case it does help :)
_________________
Undisputed Heavyweight Champion. If it's undisputed, WHAT'S ALL THE FIGHTING ABOUT?!?! -- George Carlin
Souperman
Guru
Joined: 14 Jul 2003
Posts: 449
Location: Cape Town, South Africa

Posted: Thu Feb 19, 2004 5:29 pm    Post subject:

voidx wrote:
AFAIK the 250-AUTH list is generated from the setting in /etc/sasl2/smtpd.conf.

If I remember well, in earlier versions of cyrus-sasl there was another place where smtpd.conf was stored (somewhere under /var I guess)... So the only idea I have is to check whether there isn't another smtpd.conf somewhere in the system where cyrus gets its configuration instead of getting it from /etc/sasl2/. It is logical - if it is true, maybe it is also the source of your authentication problems.

Code:

find / -iname smtpd.conf

The only thing close is /var/lib/sasl2. There's no smtpd.conf there, but I tried symlinking it to /etc/sasl2/smtpd.conf and restarting postfix & saslauthd, but it's still showing me NTLM and still failing when I try to send a message. :roll:

Jaxom wrote:
This line needs to be commented out for sasl to work. I ran into the same thing where my clients couldn't auth via sasl. After much searching, knowing that it HAD been working at one time, I found this to be the culprit.

Code:
#smtpd_tls_auth_only = yes


After commenting it out, sasl worked perfectly again.

I have no such line in my postfix config.
_________________
moo
voidx
n00b
Joined: 20 Mar 2003
Posts: 40
Location: Czech Republic

Posted: Thu Feb 19, 2004 7:32 pm    Post subject:

It's strange...

I played with my /etc/sasl2/smtpd.conf, and immediately after changing the login methods in this file and restarting saslauthd & postfix, my postfix reflects these changes and I get a different 250-AUTH response when I connect with telnet...

I have no idea for now :(
_________________
[brkerez]
ikaro
Advocate
Joined: 14 Jul 2003
Posts: 2526
Location: Denmark

Posted: Fri Feb 20, 2004 11:56 am    Post subject:

From what I can see in the postfix docs:

Code:

Limiting SASL mechanisms

As of Cyrus-SASL-2.x SASL is able to limit the mechanisms it will offer when an application e.g. Postfix uses it. This is done by setting the parameter mech_list in /usr/lib/sasl2/smtpd.conf.

pwcheck_method: saslauthd
mech_list: plain login


The mech_list restricts the usage of more than `Plain` and `Login`.
If you comment out the mech_list you get:

Code:

250-AUTH NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-AUTH=NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5


The file where the changes take effect is /etc/sasl2/smtpd.conf.
The NTLM is just another login method.

You might want to check this answer in here:

http://www.irbs.net/internet/cyrus-sasl/0402/0021.html

:?
_________________
linux: #232767
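The thread's diagnosis rests on one observable: the mechanisms listed on the 250-AUTH line must match the mech_list in the smtpd.conf that smtpd actually reads, and any extra mechanism (NTLM, DIGEST-MD5, CRAM-MD5 here) means a different smtpd.conf is in effect. The following script is an added example, not code from the thread or from Postfix/cyrus-sasl; the EHLO text, the hostname wizard.example.org and the EHLO name check.invalid are constructed, and live_ehlo() is only for a server you administer.

```python
import re
import socket

# Constructed sample: the EHLO reply quoted above, in both the "AUTH" form
# and the "AUTH=" form that broken_sasl_auth_clients = yes adds.
SAMPLE_EHLO = """250-wizard.example.org
250-AUTH NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-AUTH=NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250 8BITMIME"""

# Constructed sample of /etc/sasl2/smtpd.conf as posted in the thread.
SAMPLE_SMTPD_CONF = """# comment
pwcheck_method:saslauthd
mech_list: LOGIN PLAIN
"""

AUTH_LINE = re.compile(r"^250[- ]AUTH[ =](.+)$", re.IGNORECASE | re.MULTILINE)

def advertised_mechs(ehlo_text: str) -> set[str]:
    """Mechanisms offered on the 250-AUTH / 250-AUTH= lines, upper-cased."""
    mechs = set()
    for m in AUTH_LINE.finditer(ehlo_text):
        mechs.update(tok.upper() for tok in m.group(1).split())
    return mechs

def configured_mechs(conf_text: str) -> set[str]:
    """mech_list from a cyrus-sasl smtpd.conf; empty set = no mech_list, all plugins offered."""
    for line in conf_text.splitlines():
        key, sep, value = line.split("#", 1)[0].partition(":")
        if sep and key.strip().lower() == "mech_list":
            return {tok.upper() for tok in value.split()}
    return set()

def unexpected_mechs(ehlo_text: str, conf_text: str) -> set[str]:
    """Offered mechanisms not allowed by mech_list: non-empty means smtpd reads another smtpd.conf."""
    return advertised_mechs(ehlo_text) - configured_mechs(conf_text)

def live_ehlo(host: str, port: int = 25) -> str:
    """Fetch the raw multi-line EHLO reply from a server you administer."""
    with socket.create_connection((host, port), timeout=10) as sock:
        f = sock.makefile("rwb")
        f.readline()                                  # 220 banner
        f.write(b"EHLO check.invalid\r\n"); f.flush()
        lines = []
        while True:
            line = f.readline().decode(errors="replace").rstrip("\r\n")
            lines.append(line)
            if len(line) < 4 or line[3] != "-":      # "250 " ends the reply
                break
        f.write(b"QUIT\r\n"); f.flush()
    return "\n".join(lines)
```

Running unexpected_mechs(live_ehlo("mail.example.org"), open("/etc/sasl2/smtpd.conf").read()) on the thread's setup would report {"NTLM", "DIGEST-MD5", "CRAM-MD5"}, which is exactly the symptom that led to the /usr/lib/sasl2/smtpd.conf symlink.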
Souperman
Guru
Joined: 14 Jul 2003
Posts: 449
Location: Cape Town, South Africa

Posted: Fri Feb 20, 2004 12:29 pm    Post subject:

Thanks ikaro!!
Code:

# ln -s /etc/sasl2/smtpd.conf /usr/lib/sasl2/smtpd.conf
# postfix reload


Solved! :mrgreen:
_________________
moo
ikaro
Advocate
Joined: 14 Jul 2003
Posts: 2526
Location: Denmark

Posted: Fri Feb 20, 2004 12:38 pm    Post subject:

Alright :) nice that you got it working :)
_________________
linux: #232767
Souperman
Guru
Joined: 14 Jul 2003
Posts: 449
Location: Cape Town, South Africa

Posted: Fri Feb 20, 2004 12:59 pm    Post subject:

Do you think this qualifies as a bug? I mean, emerging cyrus-sasl *should* put the config file where it belongs or create a symlink or something.
_________________
moo
ikaro
Advocate
Joined: 14 Jul 2003
Posts: 2526
Location: Denmark

Posted: Fri Feb 20, 2004 1:05 pm    Post subject:

I had the file in both places, but sure, there should only be one, in the right location, to avoid confusion.

You can try and submit a bug :)
_________________
linux: #232767
Souperman
Guru
Joined: 14 Jul 2003
Posts: 449
Location: Cape Town, South Africa

Posted: Fri Feb 20, 2004 1:39 pm    Post subject:

Hmm, OK, guess I was just unlucky ;-)
_________________
moo
voidx
n00b
Joined: 20 Mar 2003
Posts: 40
Location: Czech Republic

Posted: Fri Feb 20, 2004 2:52 pm    Post subject:

This is what I was talking about: in earlier versions of saslauthd there was no /etc/sasl2/smtpd.conf - there was only smtpd.conf under /usr/lib/...
I think this is also noted in the gentoo virtual mailhosting howto...

Unfortunately my poor in-head CPU has very bad memory and thought that it was somewhere under /var/.... :) and I didn't notice that now /etc/sasl/... is symlinked to /usr/...

I think that you really experienced some strange problem with the ebuild, not really a bug, because as you can see, my symlink was automatically created during the upgrade from the older version and I didn't even notice that something changed 8)
_________________
[brkerez]
All times are GMT