Postfix + dovecot and sasl. Works so far with 1 domain.
Added a virtual domain. Incoming mail for this works. Outgoing however has SASL authentication failing.
Why does it fail I don't know.
/etc/sasl2/smtpd.conf looks like:
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN
postconf -n output:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 40960000
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, mail.$mydomain
mydomain = primary.net
myhostname = mail.primary.net
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
relay_domains = $mydestination, primary.net, seconddomain.org
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_client_restrictions = permit_sasl_authenticated
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_non_fqdn_hostname
smtpd_recipient_restrictions = permit_sasl_authenticated,
permit_mynetworks,
reject_invalid_hostname,
reject_unauth_pipelining,
reject_unauth_destination,
reject_rbl_client sbl-xbl.spamhaus.org,
permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_unknown_sender_domain
soft_bounce = no
unknown_local_recipient_reject_code = 550
virtual_alias_domains = mail.seconddomain.org
virtual_alias_maps = hash:/etc/postfix/virtual
The virtual alias domain works. But when I'm trying to authenticate with a virtual domain maillog throws the error:
SASL PLAIN authentication failed
Any ideas what I should look at?
Update #1:
Following the instructions below I wasn't able to authenticate still, so I installed saslfinger and here is the output:
saslfinger - postfix Cyrus sasl configuration Tue Mar 24 07:23:10 GMT 2015
version: 1.0.2
mode: server-side SMTP AUTH
-- basics --
Postfix: 2.6.6
System: CentOS release 6.5 (Final)
-- smtpd is linked to --
libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00007ff8b9655000)
-- active SMTP AUTH and TLS parameters for smtpd --
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
-- listing of /usr/lib64/sasl2 --
total 504
drwxr-xr-x. 2 root root 4096 Sep 15 2013 .
dr-xr-xr-x. 43 root root 20480 Jun 20 2014 ..
-rwxr-xr-x. 1 root root 18776 Nov 27 2012 libanonymous.so
-rwxr-xr-x. 1 root root 18776 Nov 27 2012 libanonymous.so.2
-rwxr-xr-x. 1 root root 18776 Nov 27 2012 libanonymous.so.2.0.23
-rwxr-xr-x 1 root root 22936 Nov 27 2012 libcrammd5.so
-rwxr-xr-x 1 root root 22936 Nov 27 2012 libcrammd5.so.2
-rwxr-xr-x 1 root root 22936 Nov 27 2012 libcrammd5.so.2.0.23
-rwxr-xr-x 1 root root 52088 Nov 27 2012 libdigestmd5.so
-rwxr-xr-x 1 root root 52088 Nov 27 2012 libdigestmd5.so.2
-rwxr-xr-x 1 root root 52088 Nov 27 2012 libdigestmd5.so.2.0.23
-rwxr-xr-x. 1 root root 18808 Nov 27 2012 liblogin.so
-rwxr-xr-x. 1 root root 18808 Nov 27 2012 liblogin.so.2
-rwxr-xr-x. 1 root root 18808 Nov 27 2012 liblogin.so.2.0.23
-rwxr-xr-x. 1 root root 18808 Nov 27 2012 libplain.so
-rwxr-xr-x. 1 root root 18808 Nov 27 2012 libplain.so.2
-rwxr-xr-x. 1 root root 18808 Nov 27 2012 libplain.so.2.0.23
-rwxr-xr-x. 1 root root 22784 Nov 27 2012 libsasldb.so
-rwxr-xr-x. 1 root root 22784 Nov 27 2012 libsasldb.so.2
-rwxr-xr-x. 1 root root 22784 Nov 27 2012 libsasldb.so.2.0.23
-- listing of /etc/sasl2 --
total 12
drwxr-xr-x. 2 root root 4096 Sep 20 2013 .
drwxr-xr-x. 93 root root 4096 Mar 22 03:43 ..
-rw-r--r--. 1 root root 70 Mar 24 07:22 smtpd.conf
-- content of /etc/sasl2/smtpd.conf --
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN
-- active services in /etc/postfix/master.cf --
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
smtp inet n - n - - smtpd
submission inet n - - - - smtpd
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
-o smtpd_sasl_security_options=noanonymous
-o smtpd_sasl_local_domain=$myhostname
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_sender_login_maps=hash:/etc/postfix/virtual
smtps inet n - n - - smtpd
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
-o smtp_fallback_relay=
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
-- mechanisms on localhost --
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
-- end of saslfinger output --
Update #2:
I enabled verbose mode and here is the output after attempting to send an email: Note: I removed timestamp and srv postfix/smtpd[29481]:
from every line to make it a bit smaller to look at:
dict_eval: const mail
dict_eval: const all
dict_eval: const
dict_eval: const
dict_eval: const
name_mask: all
dict_eval: const mail.mydomain.net
dict_eval: const mydomain.net
dict_eval: const Postfix
dict_eval: expand ${multi_instance_name:postfix}${multi_instance_name?$multi_instance_name} -> postfix
dict_eval: const postfix
dict_eval: const postdrop
dict_eval: expand $myhostname, localhost.$mydomain, localhost, $mydomain,?mail.$mydomain -> mail.mydomain.net, localhost.mydomain.net, localhost, mydomain.net,?mail.mydomain.net
dict_eval: expand $myhostname -> mail.mydomain.net
dict_eval: const
dict_eval: const /usr/libexec/postfix
dict_eval: const /var/lib/postfix
dict_eval: const /usr/sbin
dict_eval: const /var/spool/postfix
dict_eval: const pid
dict_eval: const all
dict_eval: const
dict_eval: const double-bounce
dict_eval: const nobody
dict_eval: const hash:/etc/aliases
dict_eval: const 20100319
dict_eval: const 2.6.6
dict_eval: const hash
dict_eval: const deferred, defer
dict_eval: const
dict_eval: expand $mydestination, mydomain.net, anotherdomain.org -> mail.mydomain.net, localhost.mydomain.net, localhost, mydomain.net,?mail.mydomain.net, mydomain.net, anotherdomain.org
dict_eval: expand $relay_domains -> mail.mydomain.net, localhost.mydomain.net, localhost, mydomain.net,?mail.mydomain.net, mydomain.net, anotherdomain.org
dict_eval: const TZ MAIL_CONFIG LANG
dict_eval: const MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C
dict_eval: const subnet
dict_eval: const 127.0.0.1
dict_eval: const +=
dict_eval: const -=+
dict_eval: const debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps
dict_eval: const
dict_eval: const bounce
dict_eval: const cleanup
dict_eval: const defer
dict_eval: const pickup
dict_eval: const qmgr
dict_eval: const rewrite
dict_eval: const showq
dict_eval: const error
dict_eval: const flush
dict_eval: const verify
dict_eval: const trace
dict_eval: const proxymap
dict_eval: const proxywrite
dict_eval: const
dict_eval: const
dict_eval: const 40960000
dict_eval: const 2
dict_eval: const no
dict_eval: const 100s
dict_eval: const 100s
dict_eval: const 100s
dict_eval: const 100s
dict_eval: const 3600s
dict_eval: const 3600s
dict_eval: const 5s
dict_eval: const 5s
dict_eval: const 1000s
dict_eval: const 1000s
dict_eval: const 10s
dict_eval: const 10s
dict_eval: const 1s
dict_eval: const 1s
dict_eval: const 1s
dict_eval: const 1s
dict_eval: const 500s
dict_eval: const 500s
dict_eval: const 18000s
dict_eval: const 18000s
dict_eval: const 1s
dict_eval: const 1s
name_mask: subnet
inet_addr_local: configured 2 IPv4 addresses
inet_addr_local: configured 2 IPv6 addresses
been_here: 127.0.0.0/8: 0
been_here: 77.0.0.0/8: 0
been_here: [::1]/128: 0
been_here: [fe80::%eth0]/64: 0
mynetworks: 127.0.0.0/8 77.0.0.0/8 [::1]/128 [fe80::%eth0]/64
dict_eval: const 127.0.0.0/8 77.0.0.0/8 [::1]/128 [fe80::%eth0]/64
dict_eval: const 10
dict_eval: expand ${stress?1}${stress:20} -> 20
dict_eval: expand ${stress?1}${stress:100} -> 100
dict_eval: expand ${stress?1}${stress:3} -> 3
dict_eval: const 550
dict_eval: expand $myhostname ESMTP $mail_name -> mail.mydomain.net ESMTP Postfix
dict_eval: const resource, software
dict_eval: const permit_sasl_authenticated
dict_eval: const reject_non_fqdn_hostname
dict_eval: const reject_unknown_sender_domain
dict_eval: const permit_sasl_authenticated,?permit_mynetworks, reject_invalid_hostname, reject_unauth_pipelining,?reject_unauth_destination,?reject_rbl_client sbl-xbl.spamhaus.org, ?permit
dict_eval: const
dict_eval: const reject_unauth_pipelining
dict_eval: const
dict_eval: const
dict_eval: const
dict_eval: const postmaster
dict_eval: const
dict_eval: const
dict_eval: const
dict_eval: const hash:/etc/postfix/virtual
dict_eval: const
dict_eval: const hash:/etc/aliases
dict_eval: expand proxy:unix:passwd.byname $alias_maps -> proxy:unix:passwd.byname hash:/etc/aliases
dict_eval: const noanonymous
dict_eval: const private/auth
dict_eval: const
dict_eval: const
dict_eval: const
dict_eval: const
dict_eval: const
dict_eval: const
dict_eval: const
dict_eval: const CONNECT GET POST
dict_eval: const <>
dict_eval: const
dict_eval: expand $double_bounce_sender -> double-bounce
dict_eval: expand $authorized_verp_clients ->
dict_eval: const
dict_eval: expand $myhostname -> mail.mydomain.net
dict_eval: const
dict_eval: const
dict_eval: const
dict_eval: expand ${smtpd_client_connection_limit_exceptions:$mynetworks} -> 127.0.0.0/8 77.0.0.0/8 [::1]/128 [fe80::%eth0]/64
dict_eval: const permit_inet_interfaces
dict_eval: const
dict_eval: const
dict_eval: const
dict_eval: expand $smtpd_sasl_security_options -> noanonymous
dict_eval: const
dict_eval: expand $smtpd_tls_cert_file ->
dict_eval: const
dict_eval: expand $smtpd_tls_dcert_file ->
dict_eval: const
dict_eval: expand $smtpd_tls_eccert_file ->
dict_eval: const
dict_eval: const
dict_eval: const export
dict_eval: const medium
dict_eval: const
dict_eval: const
dict_eval: const
dict_eval: const SSLv3, TLSv1
dict_eval: const
dict_eval: const
dict_eval: const none
dict_eval: const md5
dict_eval: const
dict_eval: const dovecot
dict_eval: const
dict_eval: const j {daemon_name} v
dict_eval: const {tls_version} {cipher} {cipher_bits} {cert_subject} {cert_issuer}
dict_eval: const i {auth_type} {auth_authen} {auth_author} {mail_addr} {mail_host} {mail_mailer}
dict_eval: const i {rcpt_addr} {rcpt_host} {rcpt_mailer}
dict_eval: const i
dict_eval: const i
dict_eval: const i
dict_eval: const
dict_eval: const 6
dict_eval: const tempfail
dict_eval: expand $myhostname -> mail.mydomain.net
dict_eval: expand $mail_name $mail_version -> Postfix 2.6.6
dict_eval: const
dict_eval: const
dict_eval: const
dict_eval: const defer_if_permit
dict_eval: expand $reject_tempfail_action -> defer_if_permit
dict_eval: expand $reject_tempfail_action -> defer_if_permit
dict_eval: expand $reject_tempfail_action -> defer_if_permit
dict_eval: expand $reject_tempfail_action -> defer_if_permit
dict_eval: const yes
dict_eval: const yes
dict_eval: const no
dict_eval: const yes
dict_eval: expand ${stress?10}${stress:300}s -> 300s
dict_eval: expand ${stress?10}${stress:300}s -> 300s
dict_eval: const 1s
dict_eval: const 1s
dict_eval: const 100s
dict_eval: const 100s
dict_eval: const 3s
dict_eval: const 3s
dict_eval: const 100s
dict_eval: const 100s
dict_eval: const 300s
dict_eval: const 300s
dict_eval: const 1000s
dict_eval: const 1000s
dict_eval: const 300s
dict_eval: const 300s
dict_eval: const 3600s
Best Answer
Sorry for misleading comment above. When you use sasldb, then you doesn't need
saslauthd
running. So you can safely remove it from startup script. You should run saslauthd when you do password checking via system user, LDAP or remote IMAP.The first step is creating a database for sasldb using
saslpasswd2
binaryPlease verify it by run sasldblistusers2
This will save the database in sasldb2 file, in my system the file is
/etc/sasldb2
. Because we need postfix (via SASL library) to read it, then add the change the group of this file so postfix can read it.Your
/etc/sasl2/smtpd.conf
file above was fine.Then test it
Generate Base64 string of PLAIN credential format
Test the credential
Tested in CentOS 6.5 with postfix 2.3.3 and cyrus sasl version 2.1
References:
PS: If you still encounter the problem, please post the output of
saslfinger
binaryYou can download it at website of Postfix book author
If your postfix under chroot configuration, then postfix can't access
/etc/sasldb2
to authenticated username. To overcome this problem, we have two alternatives:submission
/smtpd
/smtps
service or any other service that usesmtpd
binaryMove sasldb2 to
/var/spool/postfix/etc/
like this post. You can also symlink/var/spool/postfix/etc/sasldb2/
to/etc/sasldb2
.