Problem mit Confixx / SASL in chroot

tarta
Posts: 13
Joined: 2004-05-16 16:26
Location: Köln

Problem mit Confixx / SASL in chroot

Post by tarta »

Hallo liebe Community,

wir sitzen jetzt hier zu zweit schon seit mehreren Stunden an einem Problem und auch Google konnte uns trotz längerer Recherche nicht weiterhelfen.

Wir wollen Postfix mit SASL-Authentifizierung über die normalen Unix-User aus /etc/passwd realisieren. Scheinbar bekommt Postfix aber keine Verbindung zum SASL-Socket. Vielleicht kann einer von Euch ja unseren Denkfehler entdecken!

Das ganze läuft mit Postfix 2.3.8 und SASL 2.1.22

postconf -n

Code: Select all

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
inet_interfaces = all
mailbox_size_limit = 0
mydestination = server03.xxx.net, localhost, localhost.localdomain, localhost
myhostname = localhost
mynetworks = 127.0.0.0/8
myorigin = /etc/mailname
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_recipient_restrictions = permit_sasl_authenticated,reject_unauth_destination,permit_mynetworks
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = smtpd                   
smtpd_sasl_security_options = noanonymous
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_use_tls = yes


/etc/postfix/sasl/smtpd.conf

Code: Select all

log_level: 7
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
saslauthd_path: /var/spool/postfix/var/run/saslauthd


/etc/default/saslauthd

Code: Select all

START=yes
MECHANISMS="pam"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c"
PWDIR="/var/spool/postfix/var/run/saslauthd"
PARAMS="-m ${PWDIR}"



mail.log

Code: Select all

Sep 13 19:21:12 Ubuntu-704-feisty-64-minimal postfix/smtpd[5423]: > localhost[127.0.0.1]: 250-8BITMIME
Sep 13 19:21:12 Ubuntu-704-feisty-64-minimal postfix/smtpd[5423]: > localhost[127.0.0.1]: 250 DSN
Sep 13 19:21:12 Ubuntu-704-feisty-64-minimal postfix/smtpd[5423]: watchdog_pat: 0x65f0c0
Sep 13 19:21:25 Ubuntu-704-feisty-64-minimal postfix/smtpd[5423]: < localhost[127.0.0.1]: auth plain amltbXkAamltbXkAem90dGVs
Sep 13 19:21:25 Ubuntu-704-feisty-64-minimal postfix/smtpd[5423]: xsasl_cyrus_server_first: sasl_method plain, init_response
amltbXkAamltbXkAem90dGVs
Sep 13 19:21:25 Ubuntu-704-feisty-64-minimal postfix/smtpd[5423]: xsasl_cyrus_server_first: decoded initial response jimmy
Sep 13 19:21:25 Ubuntu-704-feisty-64-minimal postfix/smtpd[5423]: warning: SASL authentication failure: Password verification
 failed
Sep 13 19:21:25 Ubuntu-704-feisty-64-minimal postfix/smtpd[5423]: warning: localhost[127.0.0.1]: SASL plain authentication fa
iled: authentication failure
Sep 13 19:21:25 Ubuntu-704-feisty-64-minimal postfix/smtpd[5423]: > localhost[127.0.0.1]: 535 5.7.0 Error: authentication fai
led: authentication failure
Sep 13 19:21:25 Ubuntu-704-feisty-64-minimal postfix/smtpd[5423]: watchdog_pat: 0x65f0c0


SASL haben wir testweise auch im Debug-Modus gestartet. Socketfiles liegen dann in /var/spool/postfix/var/run/saslauthd/.
Allerdings ist hier zu sehen, dass Postfix keine Verbindung zu SASL bekommt -> in der SASL-Log tut sich gar nix.

Vielen Dank für die Hilfe, falls noch weitere Infos gebraucht werden, einfach bescheid sagen.

Tarta
Top

User avatar
Joe User
Project Manager
Project Manager
Posts: 11518
Joined: 2003-02-27 01:00
Location: Hamburg

Re: Problem mit Confixx / SASL in chroot

Post by Joe User »

Tarta wrote:

Code: Select all

mydestination = server03.xxx.net, localhost, localhost.localdomain, localhost
myhostname = localhost
mynetworks = 127.0.0.0/8
myorigin = /etc/mailname


Wer/Was hat denn diese Optionen verbockt?
Tarta wrote:/etc/postfix/sasl/smtpd.conf

Code: Select all

log_level: 7
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
saslauthd_path: /var/spool/postfix/var/run/saslauthd


Code: Select all

saslauthd_path: /var/run/saslauthd

Tarta wrote:/etc/default/saslauthd

Code: Select all

START=yes
MECHANISMS="pam"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c"
PWDIR="/var/spool/postfix/var/run/saslauthd"
PARAMS="-m ${PWDIR}"


Code: Select all

MECHANISMS="shadow"
PWDIR="/var/run/saslauthd"

Nehmt Postfix aus dem Chroot, dann läuft es auch...
Top

tarta
Posts: 13
Joined: 2004-05-16 16:26
Location: Köln

Re: Problem mit Confixx / SASL in chroot

Post by tarta »

Danke schonmal für Deine Antwort. Die Konfiguration in der main.cf war in der Tat ein wenig eigentümlich. Habe mit SASL angefangen und die main.cf weitestgehend mit den Standardeinstellungen des Ubuntu-Paketes belassen.

So sieht es nun aus:

Code: Select all

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
inet_interfaces = all
mail_owner = postfix
mailbox_size_limit = 0
mydestination = $myhostname, $mydomain, localhost, localhost.$mydomain
mydomain = meinedomain.net
myhostname = server03.meinedomain.net
mynetworks = 127.0.0.0/8
myorigin = $myhostname
queue_directory = /var/spool/postfix
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = smtpd                   
smtpd_sasl_security_options = noanonymous
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_use_tls = yes


Postfix habe ich aus seinem Gefängnis befreit und die entsprechenden Dateien angepasst (siehe unten). Trotzdem besteht das Problem weiterhin.

/etc/postfix/master.cf

Code: Select all

smtp      inet  n       -       n       -       -       smtpd -vv
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
        -o fallback_relay=
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache

maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}


/etc/postfix/sasl/smtpd.conf

Code: Select all

log_level: 7
pwcheck_method: saslauthd
mech_list: plain login


/etc/default/saslauthd

Code: Select all

START=yes
MECHANISMS="pam"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c -m /var/run/saslauthd -r -d -V"


Folgende Fehlermeldung kommt bei einem "auth plain" über telnet localhost 25:

Code: Select all

Sep 14 11:24:47 Ubuntu-704-feisty-64-minimal postfix/smtpd[12187]: watchdog_pat: 0x65f000
Sep 14 11:25:01 Ubuntu-704-feisty-64-minimal postfix/smtpd[12187]: < localhost[127.0.0.1]: auth plain c3RlZmFuAHN0ZWZhbgB3bjZjPz8wMnI=
Sep 14 11:25:01 Ubuntu-704-feisty-64-minimal postfix/smtpd[12187]: xsasl_cyrus_server_first: sasl_method plain, init_response
 c3RlZmFuAHN0ZWZhbgB3bjZjPz8wMnI=
Sep 14 11:25:01 Ubuntu-704-feisty-64-minimal postfix/smtpd[12187]: xsasl_cyrus_server_first: decoded initial response stefan
Sep 14 11:25:01 Ubuntu-704-feisty-64-minimal postfix/smtpd[12187]: warning: SASL authentication failure: Password verificatio
n failed
Sep 14 11:25:01 Ubuntu-704-feisty-64-minimal postfix/smtpd[12187]: warning: localhost[127.0.0.1]: SASL plain authentication f
ailed: authentication failure
Sep 14 11:25:01 Ubuntu-704-feisty-64-minimal postfix/smtpd[12187]: > localhost[127.0.0.1]: 535 5.7.0 Error: authentication fa
iled: authentication failure
Sep 14 11:25:01 Ubuntu-704-feisty-64-minimal postfix/smtpd[12187]: watchdog_pat: 0x65f000


... und nach wie vor im SASL-Authd, der im Debug-Modus läuft, kein anzeichen eines Connects!
Top

tarta
Posts: 13
Joined: 2004-05-16 16:26
Location: Köln

Re: Problem mit Confixx / SASL in chroot

Post by tarta »

Hat sich erledigt.
Wir hatten hinter dem

Code: Select all

smtpd_sasl_path = smtpd

noch einen Kommetar aus dem Tutorial stehen

Code: Select all

smtpd_sasl_path = smtpd   # blah


... :(

Danke für die Hilfe trotzdem!
Top