Saslauthd multi instance for postfix smtp authentication

email-serverpostfixsaslauthdsmtp

I have mail server Postfix+Saslauth.
I configure multiple instance for Postfix:

postfix

postfix-out

and two instances for saslauth:

saslauthd

saslauthd-out

Setting saslauthd is for authenticating Postfix service and saslauthd-out for another instance of it.

For creating second instance of sasl I do it this way:

cp /etc/default/saslauthd /etc/default/saslauthd-out

With this configuration :
:~# vim /etc/default/saslauthd-out

 DESC="SASL Authentication Daemon postfix-out"
 NAME="saslauthd-out"
 MECHANISMS="pam"
 OPTIONS="-c -m /var/spool/postfix-out/var/run/saslauthd-out"

In configuration of postfix-out (/etc/postfix-out/sasl/smtp.conf):

  pwcheck_method: saslauthd-out

and for postfix (/etc/postfix/sasl/smtp.conf):

  pwcheck_method: saslauthd

and when I restart saslauth every thing is OK ,

when I try to connect smtp server (postfix) every thing is OK , and Authentication was successfull, but in smtp server (postfix-out) , connect to smtp is OK, but it can't authenticate and this error has occurred:

:~# telnet mail2.example.com 25 
Trying 111.222.333.444...
Connected to mail2.example.com.
Escape character is '^]'. 
220 mail2.example.com ESMTP Postfix (@@DISTRO@@) 
auth plain YWdoc2EAYWdoc2hhbGRvcmFu 
535 5.7.8 Error: authentication failed: no mechanism available

Logs :

Nov 30 09:17:47 mail4 postfix-out/smtpd[4361]: connect from unknown[111.222.333.444]
Nov 30 09:17:58 mail4 postfix-out/smtpd[4361]: warning: SASL authentication problem: unknown password verifier 
Nov 30 09:17:58 mail4 postfix-out/smtpd[4361]: warning: SASL authentication failure: Password verification failed
Nov 30 09:17:58 mail4 postfix-out/smtpd[4361]: warning: unknown[111.222.333.444]: SASL plain authentication failed: no mechanism available
Nov 30 09:18:04 mail4 postfix-out/smtpd[4361]: disconnect from unknown[111.222.333.444]

what is the problem?

Best Answer

pwcheck_method is a configuration option for the Cyrus SASL library. Possible values are auxprop, saslauthd, pwcheck and authdaemond. saslauthd-out is not supported here. You configuration needs to be like this

/etc/default/saslauthd-out:

DESC="SASL Authentication Daemon postfix-out"
NAME="saslauthd-out"
MECHANISMS="pam"
OPTIONS="-c -m /var/spool/postfix-out/var/run/saslauthd-out"

/etc/postfix-out/sasl/smtp.conf:

pwcheck_method: saslauthd
saslauthd_path: /var/spool/postfix-out/var/run/saslauthd-out/mux

somewhere in /etc/postfix-out/main.cf:

smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtp 
smtpd_sasl_type = cyrus
cyrus_sasl_config_path = /etc/postfix-out/sasl

I just setup a VM with that configuration and it works.

/var/spool/postfix-out/var/run/saslauthd-out has to exist, although personally i would prefer it to be more like /var/spool/postfix-out/saslauthd-out. But that is your decision.

Related Solutions

Postfix sasl “cannot connect to saslauthd server: No such file or directory”

Are you perhaps missing the symlink from /var/run/saslauthd to /var/spool/postfix/var/run/saslauthd?

From my working system:

root@mail:/etc/postfix/sasl# ls -la /var/run/saslauthd
lrwxrwxrwx 1 root root 36 Dec 31  2010 /var/run/saslauthd -> /var/spool/postfix/var/run/saslauthd

Mysql – Postfix, saslauthd, thesql, smtp authentication problems

Looking for someone to walk me through getting this working. Im new to the mail server, and have never got one fully working.

Welcome to E-mail hell, my friend. You're in good company. First, if you are really serious about running an email server, you'll want to study up. E-mail is like most utility services - taken for granted, but no-one wants to think about the effort involved to make it work. I'd recommend the excellent (and thankfully brief) O'Reilly book Postfix: The Definitive Guide, which is an excellent source of information on getting Postfix running.

I'd also take the time to read up on some basic "rules of the game", as a lot of the global E-mail system is basically a bunch of gentlemen's agreements to not stomp on each others deliveries. Sure, you could wade through thick mounds of documents like RFC 2142 and others, but I think we can condense this down to a few simple rules:

Be a responsible admin. That means having a functional abuse@yourveryowndomain.com address, and a postmaster@yourveryowndomain.com that actually goes to something other than a bit bucket. Sending these off to /dev/null is another great way to land on a blacklist. After all, who wants to deal with someone that won't listen to others about the issues they are making?
You are now part of a community. That means you will run into other admins that have done things, erm, differently and will have different opinions on how to get things done. As long as they are sensible or have reasons for it, just relax and listen.
In this community, you are responsible for your own server. If others catch you doing unbecoming things (like being a spam open relay - more on that in a moment) you will be blacklisted in short order. Do your best to do the right thing.
Running your own server means that you have devoted YOUR resources to it. Do NOT be swayed by spammers (posing as "email marketers") telling you they have a right to do whatever they want with your resources. I've often heard this in the form of "but-but-but it's not your decision, it's the recipient's decision and you should let my email through". Your response should always be, "it is my decision, it is my server, and you are now a faded memory on my blacklist."
Other servers are not your resources to use; you use them from the kindness and consideration of others. Be kind to other admins and keep in mind the "golden rule" with regard to sending large volumes of email to their servers. Would you like it if someone forwarded an email message to 2,000 different mailboxes on your server, tying up delivery for several minutes?
After you have everything set up and running for awhile, go back and check your logs periodically. Yes, those THOUSANDS OF ENTRIES PER HOUR are spammers trying to either (a) deliver their pork by-product to your INBOX or (b) use you as a springboard to deliver it to someone else. Which leads us to...
Spammers will shift tactics every few months. Usually a small adjustment in your anti-spam settings will suffice to make the nuisance go away.
Do not, for the love of ${DIETY}, run an open relay on the public side of the internet. The concept of an open relay, i.e. a machine that takes email from anyone and delivers it to anywhere, is a relic from ye olde days of yore, when the Internet was a kinder, gentler place. In today's times, spammers WILL find you, they WILL turn your machine into their very own personal E-mail machine gun, and they WILL end up slandering your good name in the process.
You'll run into admins that don't care about their servers, and like a defensive driver looks for other (stupid) drivers on the road, you'll need to look out for them.
Bad admins usually configure bad servers. There are commercial providers out there that just want to make a quick buck, and they don't care what happens to everyone else when they "dain-bramage" their servers. This means you will run into servers that do stupid things, and some admin will get on the phone with you and want to swap spit over why it's "your problem" and not theirs. Double-check your server and make sure it really isn't you, then politely inform them of their error with a clue-by-four...

There's much, much more, but those basic things should get you pointed in the right direction.

I can't get any mail client to work,

With regard to the "client can't send" portion of your question, the issue is related to the domains you accept email for. Specifically, your post mentions:

mydestination =
myhostname = my.domain.com

Both of those are incorrect. Look here to set the mydestination parameter, and here for the myhostname parameter. Those two parameters basically tell postfix what it will accept for delivery, based on what is on the right-half of the To: email address. Having them set to nothing and my.domain.com means it will only accept delivery for my.domain.com but it still won't deliver it because mydestination is blank. I could be wrong, but I don't think that is what you were wanting.

Best Answer

Related Solutions

Postfix sasl “cannot connect to saslauthd server: No such file or directory”

Mysql – Postfix, saslauthd, thesql, smtp authentication problems

Related Topic