Debian – Postfix smtpd won’t talk to saslauthd

debianpampostfixsaslauthdsmtp-auth

I have an saslauthd setup to authenticate against PAM. It seems to do its stuff:

root@sasltest:~# testsaslauthd -u quest -p #### -s smtp
0: OK "Success."

I have libsasl 2.1.23, postfix 2.7.1.

I have a postfix configured thus:

smtpd_sasl_type = cyrus
smtpd_sasl_path = /var/spool/postfix/private/saslauthd/mux
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous

With a master.cf thus:

submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

However, trying to authenticate in this postfix gives the following error message:

Jan 23 22:13:14 sasltest postfix/smtpd[1252]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
Jan 23 22:13:14 sasltest postfix/smtpd[1252]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
Jan 23 22:13:14 sasltest postfix/smtpd[1252]: warning: X[A.B.C.D]: SASL LOGIN

authentication failed: authentication failure

Meanwhile, there is no output from my debug-logging saslauthd.

I interpret this as meaning that libsasl2 tries to uses sasldb auth rather than try to talk to saslauthd. What I can't figure out how to tell libsasl that I want it to talk to saslauthd.

Various instructions inform you to create a file /etc/sasl2/smtpd.conf or /etc/postfix/sasl/smtpd.conf. I have tried creating these files containing:

pwcheck_method: saslauthd
mech_list: LOGIN PLAIN

But to no effect.

How do I instruct libsasl to use saslauthd authentication?

(I can of course create /var/spool/postfix/etc/sasldb2, but this will still not result in connections to saslauthd.)

Best Answer

This cyrus-sasl mailing list post eventually set me on the right path.

For posterity, an attempt to produce reasonably explicit config. /etc/postfix/main.cf:

smtpd_sasl_type = cyrus
smtpd_sasl_path = smtpd
cyrus_sasl_config_path = /etc/postfix/sasl
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous

The trick in above conf is that postfix+libsasl2 does this: ${cyrus_sasl_config_path}/${smtpd_sasl_path}.conf

Once we have gotten that far, in /etc/postfix/sasl/smtpd.conf we can tell libsasl that we wanna talk to saslauthd:

pwcheck_method: saslauthd
mech_list: LOGIN PLAIN
saslauthd_path: private/saslauthd/mux

Since smtpd is chrooted, saslauthd_path is relative to /var/spool/postfix. I use bind mounting to get /var/run/saslauthd into private.

Related Solutions

Saslauthd authentication error

Postfix can run in a chroot (by default in /var/spool/postfix) or not. If it is, it will try to open /var/spool/postfix/var/run/saslauthd/mux for sasl authentication. If it's not, it will try to open /var/run/saslauthd/mux

It seems that, for some reason, your postfix instance was running in a chroot, and it's not anymore. It's odd, but that's what I guess from the details of your question. If it's what's happened, you may change saslauthd configuration to use /var/run/saslauthd or run postfix in a chroot again.

To know if your Postfix is running chroot, you can check /etc/postfix/master.cf:

If it has the line smtp inet n - y - - smtpd or smtp inet n - - - - smtpd, then your Postfix is running in a chroot;
If it has the line smtp inet n - n - - smtpd then your Postfix is NOT running in a chroot.

This check comes from /etc/default/saslauthd (Ubuntu sasl configuration file).

Saslauthd + PostFix producing password verification and authentication errors

cyrus-sasl can directly connect to mysql server, there is no need to use saslauthd.

# yum info cyrus-sasl-sql
Installed Packages
Name        : cyrus-sasl-sql
Arch        : x86_64
Version     : 2.1.23
Release     : 13.el6_3.1
Size        : 26 k
Repo        : installed
From repo   : base
Summary     : SQL auxprop support for Cyrus SASL
URL         : http://asg.web.cmu.edu/sasl/sasl-library.html
License     : BSD
Description : The cyrus-sasl-sql package contains the Cyrus SASL plugin which supports
            : using a RDBMS for storing shared secrets.

But as far as I know, mysql module of cyrus-sasl can't work with crypted password, moreover you can't use CRAM-MD5/DIGEST-MD5 with crypted password, the password should stored in plaintext.

So as I can see you could try 3 things

Find patch for cyrus-sasl that would work with crypted password and use cyrus-sasl-sql module. But in such case forget for CRAM-MD5/DIGEST-MD5
Store password in plaintext and use only strong authentication methods like CRAM-MD5/DIGEST-MD5 over encrypted connection imaps (993)/pop3s (995).
Use pam-mysql and crypt options

In such case your smtpd.conf should looks like

pwcheck_method: auxprop
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
auxprop_plugin: sql
sql_usessl: yes
sql_engine: mysql
sql_hostnames: localhost
sql_user: postfix
sql_passwd: postfix
sql_database: postfix
sql_select: select password from mailbox where username = '%u@%r'
log_level: 3

You can get more info about crypted password here. Also you could try to build cyrus-sasl with patch from my personal site

Note

CRAM-MD5 are DIGEST-MD5 are Challenge-Response authentication mechanisms (indeed CRAM is short for Challange-Response Authentication Mechanism), plain-text passwords have to be supplied to the instance that handles authentication communication with the user (that is, the SASL client library), rather than the authenticator (the server). Therefore, it is not possible to use PAM with these mechanisms and then you need to configure Cyrus-SASL to have "SQL" auxprop plugin with MySQL support and specify "auxprop" for the preferred password checking method.

Best Answer

Related Solutions

Saslauthd authentication error

Saslauthd + PostFix producing password verification and authentication errors

Related Topic