folks,
i am setting up a mail server for the first time. as i'm running gentoo, i thought i'd follow their postfix howto verbatim:
http://www.gentoo.org/doc/en/virt-mail-howto.xml
in this setup, i can get postfix working - mail is delivered both ways.
after some debugging, i have got TLS working both ways as well.
courier is working & allows remote POP3 access.
however, when i try to relay email from my laptop, SMTPD fails authentication.
here's what /var/log/mail.log spits out when the connection is attempted:
Code:
postfix/smtpd[2466]: TLS connection established from $MYHOST: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
postfix/smtpd[2466]: name_mask: noanonymous
postfix/smtpd[2466]: watchdog_pat: 0x2ab191e0
postfix/smtpd[2466]: < $MYHOST: EHLO thinkpad
postfix/smtpd[2466]: > $MYHOST: 250-domain.com
postfix/smtpd[2466]: > $MYHOST: 250-PIPELINING
postfix/smtpd[2466]: > $MYHOST: 250-SIZE 10240000
postfix/smtpd[2466]: > $MYHOST: 250-VRFY
postfix/smtpd[2466]: > $MYHOST: 250-ETRN
postfix/smtpd[2466]: > $MYHOST: 250-AUTH LOGIN PLAIN
postfix/smtpd[2466]: > $MYHOST: 250-AUTH=LOGIN PLAIN
postfix/smtpd[2466]: match_list_match: $MYHOST: no match
postfix/smtpd[2466]: match_list_match: $MYHOST: no match
postfix/smtpd[2466]: > $MYHOST: 250 8BITMIME
postfix/smtpd[2466]: watchdog_pat: 0x2ab191e0
postfix/smtpd[2466]: < $MYHOST: AUTH PLAIN
postfix/smtpd[2466]: smtpd_sasl_authenticate: sasl_method PLAIN
postfix/smtpd[2466]: smtpd_sasl_authenticate: uncoded challenge:
postfix/smtpd[2466]: > $MYHOST: 334
postfix/smtpd[2466]: < $MYHOST: XXXXXXXXXXXX
postfix/smtpd[2466]: smtpd_sasl_authenticate: decoded response:
postfix/smtpd[2466]: warning: SASL authentication failure: Password verification failed
postfix/smtpd[2466]: warning: $MYHOST: SASL PLAIN authentication failed
postfix/smtpd[2466]: > $MYHOST: 535 Error: authentication failed
postfix/smtpd[2466]: watchdog_pat: 0x2ab191e0
postfix/smtpd[2466]: < $MYHOST: QUIT
postfix/smtpd[2466]: > $MYHOST: 221 Bye
postfix/smtpd[2466]: disconnect from $MYHOST
postfix/smtpd[2466]: master_notify: status 1
postfix/smtpd[2466]: connection closed
i have carefully checked all passwords (the P/W passed by the remote host to postfix and the P/W in the mysql database, not to mention the normal pam P/W in /etc/passwd) and they're identical.
here's my /etc/sasl2/smtpd.conf:
Code:
mech_list: PLAIN LOGIN
pwcheck_method: saslauthd
it's a little unclear to me what points saslauthd to all the mysql connection files i place in /etc/postfix/, but still they seem to get read, according to the mail.log:
Code:
postfix/smtpd[2466]: match_string: mynetworks ~? mynetworks
postfix/smtpd[2466]: match_string: relay_domains ~? debug_peer_list
postfix/smtpd[2466]: match_string: relay_domains ~? fast_flush_domains
postfix/smtpd[2466]: match_string: relay_domains ~? mynetworks
postfix/smtpd[2466]: match_string: relay_domains ~? permit_mx_backup_networks
postfix/smtpd[2466]: match_string: relay_domains ~? qmqpd_authorized_clients
postfix/smtpd[2466]: match_string: relay_domains ~? relay_domains
postfix/smtpd[2466]: match_string: permit_mx_backup_networks ~? debug_peer_list
postfix/smtpd[2466]: match_string: permit_mx_backup_networks ~? fast_flush_domains
postfix/smtpd[2466]: match_string: permit_mx_backup_networks ~? mynetworks
postfix/smtpd[2466]: match_string: permit_mx_backup_networks ~? permit_mx_backup_networks
postfix/smtpd[2466]: dict_open: hash:/etc/mail/aliases
postfix/smtpd[2466]: cfg_get_str: /etc/postfix/mysql-virtual-maps.cf: user = user
postfix/smtpd[2466]: cfg_get_str: /etc/postfix/mysql-virtual-maps.cf: password = passwd
postfix/smtpd[2466]: cfg_get_str: /etc/postfix/mysql-virtual-maps.cf: dbname = mailsql
postfix/smtpd[2466]: cfg_get_str: /etc/postfix/mysql-virtual-maps.cf: table = users
postfix/smtpd[2466]: cfg_get_str: /etc/postfix/mysql-virtual-maps.cf: select_field = maildir
postfix/smtpd[2466]: cfg_get_str: /etc/postfix/mysql-virtual-maps.cf: where_field = email
postfix/smtpd[2466]: cfg_get_str: /etc/postfix/mysql-virtual-maps.cf: additional_conditions = and postfix = 'y'
postfix/smtpd[2466]: cfg_get_str: /etc/postfix/mysql-virtual-maps.cf: hosts = unix:/var/run/mysqld/mysqld.sock
postfix/smtpd[2466]: mysqlname_parse: /etc/postfix/mysql-virtual-maps.cf: adding host 'unix:/var/run/mysqld/mysqld.sock' to list of mysql server hosts
postfix/smtpd[2466]: dict_open: mysql:/etc/postfix/mysql-virtual-maps.cf
postfix/smtpd[2466]: dict_open: unix:passwd.byname
postfix/smtpd[2466]: cfg_get_str: /etc/postfix/mysql-virtual.cf: user = user
postfix/smtpd[2466]: cfg_get_str: /etc/postfix/mysql-virtual.cf: password = passwd
postfix/smtpd[2466]: cfg_get_str: /etc/postfix/mysql-virtual.cf: dbname = mailsql
postfix/smtpd[2466]: cfg_get_str: /etc/postfix/mysql-virtual.cf: table = virtual
postfix/smtpd[2466]: cfg_get_str: /etc/postfix/mysql-virtual.cf: select_field = destination
postfix/smtpd[2466]: cfg_get_str: /etc/postfix/mysql-virtual.cf: where_field = email
postfix/smtpd[2466]: cfg_get_str: /etc/postfix/mysql-virtual.cf: additional_conditions =
postfix/smtpd[2466]: cfg_get_str: /etc/postfix/mysql-virtual.cf: hosts = unix:/var/run/mysqld/mysqld.sock
postfix/smtpd[2466]: mysqlname_parse: /etc/postfix/mysql-virtual.cf: adding host 'unix:/var/run/mysqld/mysqld.sock' to list of mysql server hosts
postfix/smtpd[2466]: dict_open: mysql:/etc/postfix/mysql-virtual.cf
postfix/smtpd[2466]: match_string: smtpd_access_maps ~? debug_peer_list
postfix/smtpd[2466]: match_string: smtpd_access_maps ~? fast_flush_domains
postfix/smtpd[2466]: match_string: smtpd_access_maps ~? mynetworks
postfix/smtpd[2466]: match_string: smtpd_access_maps ~? permit_mx_backup_networks
postfix/smtpd[2466]: match_string: smtpd_access_maps ~? qmqpd_authorized_clients
postfix/smtpd[2466]: match_string: smtpd_access_maps ~? relay_domains
postfix/smtpd[2466]: match_string: smtpd_access_maps ~? smtpd_access_maps
postfix/smtpd[2466]: smtpd_sasl_initialize: SASL config file is smtpd.conf
and here is /etc/postfix/main.cf:
Code:
myhostname = host.domain.com
mydomain = domain.com
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, $mydomain
mynetworks = ip.add.dr.ess/32, 127.0.0.0/8
home_mailbox = .maildir/
local_destination_concurrency_limit = 2
default_destination_concurrency_limit = 10
smtpd_sasl_auth_enable = yes
smtpd_sasl2_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_local_domain =
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/postfix/newreq.pem
smtpd_tls_cert_file = /etc/postfix/newcert.pem
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
alias_maps = mysql:/etc/postfix/mysql-aliases.cf
relocated_maps = mysql:/etc/postfix/mysql-relocated.cf
virtual_minimum_uid = 1000
virtual_gid_maps = static:1003
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual.cf
virtual_uid_maps = static:1003
virtual_mailbox_base = /
local_transport = local
local_recipient_maps = $alias_maps $virtual_mailbox_maps unix:passwd.byname
virtual_transport = virtual
virtual_mailbox_domains = virt-bar.com
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
mail_owner = postfix
unknown_local_recipient_reject_code = 550
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /etc/postfix
readme_directory = /usr/share/doc/postfix-2.1.5-r2/readme
alias_database = hash:/etc/mail/aliases
can anybody tell me what i've misconfigured?
TIA
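
A small parser for the smtpd debug log format quoted in the post above, added here as an example and not part of the original post: it groups lines by smtpd PID and reports whether TLS was up, which AUTH mechanisms were offered and attempted, the SASL failure reason, and whether PLAIN/LOGIN credentials were sent without TLS. The sample log is constructed (the second session, PID 2470, is hypothetical), and the function and field names are assumptions.

```python
import re

# Constructed sample in the format of the mail.log excerpt quoted in the post.
# PID 2470 is a hypothetical second session that authenticates without TLS.
SAMPLE_LOG = """\
postfix/smtpd[2466]: TLS connection established from $MYHOST: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
postfix/smtpd[2466]: > $MYHOST: 250-AUTH LOGIN PLAIN
postfix/smtpd[2466]: < $MYHOST: AUTH PLAIN
postfix/smtpd[2466]: smtpd_sasl_authenticate: sasl_method PLAIN
postfix/smtpd[2466]: warning: SASL authentication failure: Password verification failed
postfix/smtpd[2466]: > $MYHOST: 535 Error: authentication failed
postfix/smtpd[2470]: > $OTHERHOST: 250-AUTH LOGIN PLAIN
postfix/smtpd[2470]: smtpd_sasl_authenticate: sasl_method LOGIN
postfix/smtpd[2470]: > $OTHERHOST: 235 Authentication successful
"""

LINE = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)")
CLEARTEXT_MECHS = ("PLAIN", "LOGIN")  # password crosses the wire unhashed


def summarize(log_text):
    """Return {pid: summary} for every smtpd session found in log_text."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE.search(raw)  # search() tolerates a syslog timestamp prefix
        if not m:
            continue
        pid, msg = int(m.group(1)), m.group(2)
        s = sessions.setdefault(pid, {"tls": False, "offered": [],
                                      "attempted": None, "reason": None,
                                      "result": None})
        if msg.startswith("TLS connection established"):
            s["tls"] = True
        elif (hit := re.match(r"> \S+: 250[- ]AUTH (.+)", msg)):
            s["offered"] = hit.group(1).split()
        elif (hit := re.match(r"smtpd_sasl_authenticate: sasl_method (\S+)", msg)):
            s["attempted"] = hit.group(1)
        elif msg.startswith("warning: SASL authentication failure: "):
            s["reason"] = msg.split(": ", 2)[2]
        elif re.match(r"> \S+: 535 ", msg):
            s["result"] = "failed"
        elif re.match(r"> \S+: 235 ", msg):
            s["result"] = "ok"
    for s in sessions.values():
        # Flag credentials sent with a cleartext mechanism outside TLS.
        s["cleartext_risk"] = s["attempted"] in CLEARTEXT_MECHS and not s["tls"]
    return sessions


if __name__ == "__main__":
    for pid, info in summarize(SAMPLE_LOG).items():
        print(pid, info)
```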