[Postfixbuch-users] SASL CRAM-MD5 authentication failed

Andreas Winkelmann ml at awinkelmann.de
Fri Oct 21 21:46:31 CEST 2005


On Friday 21 October 2005 21:10, Holm Kapschitzki wrote:

> CRAM-MD5 does not work for me. I have Fedora Core 3 with postfix and
> cyrus imap, plus the whole range of tools such as fetchmail, procmail, etc.,
> but that is not the point here.
>
> So postfix is running so far (internally and externally). Sending from an
> external mail client, i.e. not a local one, in my case "The Bat",
> only works with the "Plain" method, though. So SMTP AUTH is
> set up, but not correctly. I am using sasl2. Cyrus is active
> and is not a problem.
>
> First of all, my logs:
>
> Oct 21 18:45:26 base master[9100]: process 15445 exited, status 0
> Oct 21 18:46:35 base postfix/smtpd[15450]: connect from brln-d9b81c50.pool.mediaWays.net[217.184.28.80]
> Oct 21 18:46:35 base postfix/smtpd[15450]: warning: SASL authentication failure: no secret in database
> Oct 21 18:46:35 base postfix/smtpd[15450]: warning: brln-d9b81c50.pool.mediaWays.net[217.184.28.80]: SASL CRAM-MD5 authentication failed
> Oct 21 18:46:36 base postfix/smtpd[15450]: 4C0948C68D: client=brln-d9b81c50.pool.mediaWays.net[217.184.28.80], sasl_method=PLAIN, sasl_username=blub
> Oct 21 18:46:36 base postfix/cleanup[15451]: 4C0948C68D: message-id=<199797905.20051021184631 at hardtekk.org>
> Oct 21 18:46:36 base postfix/qmgr[15216]: 4C0948C68D: from=<blub at hardtekk.org>, size=676, nrcpt=1 (queue active)
> Oct 21 18:46:36 base postfix/smtpd[15450]: disconnect from brln-d9b81c50.pool.mediaWays.net[217.184.28.80]
> Oct 21 18:46:37 base postfix/smtp[15452]: 4C0948C68D: to=<blub1 at gmx.net>, relay=smtprelay.t-online.de[194.25.134.94], delay=1, status=sent (250 Message accepted.)
> Oct 21 18:46:37 base postfix/qmgr[15216]: 4C0948C68D: removed
>
> From this it is apparent that I can only negotiate "Plain". The
> sasldb is set up and I created the users like this:
>
> saslpasswd2 -a smtpd -c blub
>
> sasldblistusers2 gives:
>
> blub at base.base.local: userPassword
>
> and sasldblistusers:
>
> user: blub realm: base.base.local mech: PLAIN
> user: blub realm: base.base.local mech: CRAM-MD5
> user: blub realm: base.base.local mech: DIGEST-MD5

That looks like Cyrus-SASL version 1.

> , but as far as I have understood, that one is not used anyway.
>
> I have also tested my mail server:
>
> telnet localhost smtp
> Trying 127.0.0.1...
> Connected to localhost.localdomain (127.0.0.1).
> Escape character is '^]'.
> 220 mail.hardtekk.org ESMTP Postfix
> ehlo d
> 250-mail.hardtekk.org
> 250-PIPELINING
> 250-SIZE 10240000
> 250-VRFY
> 250-ETRN
> 250-AUTH LOGIN DIGEST-MD5 CRAM-MD5 PLAIN
> 250-AUTH=LOGIN DIGEST-MD5 CRAM-MD5 PLAIN
> 250 8BITMIME
> quit
> 221 Bye
>
> I have also tested saslauthd:
>
> testsaslauthd -u blub -p geheim
> 0: OK "Success."
>
> saslauthd -v gives the following:
>
> saslauthd 2.1.19
> authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap
>
> Now to my configs:
>
> imapd.conf -> (sasl_pwcheck_method: saslauthd ,sasl_mech_list: PLAIN )
> ----------
>
> configdirectory: /var/lib/imap
> partition-default: /var/spool/imap
> admins: cyrus
> sievedir: /var/lib/imap/sieve
> sendmail: /usr/sbin/sendmail
> hashimapspool: true
> sasl_pwcheck_method: saslauthd
> sasl_mech_list: PLAIN
> tls_cert_file: /usr/share/ssl/certs/cyrus-imapd.pem
> tls_key_file: /usr/share/ssl/certs/cyrus-imapd.pem
> tls_ca_file: /usr/share/ssl/certs/ca-bundle.crt
>
> ----------
>
> smtpd.conf ( /usr/lib/sasl2/smtpd.conf )
> ----------
> pwcheck_method: saslauthd

This is still missing here:

mech_list: plain login

cram-md5 and digest-md5 do not work with saslauthd.

> saslauthd -> ( mech=pam is set here )
> ---------
>
> # Directory in which to place saslauthd's listening socket, pid file, and so
> # on. This directory must already exist.
> SOCKETDIR=/var/run/saslauthd
>
> # Mechanism to use when checking passwords. Run "saslauthd -v" to get a list
> # of which mechanism your installation was compiled to use.
> MECH=pam
>
> # Additional flags to pass to saslauthd on the command line. See saslauthd(8)
> # for the list of accepted flags.
> FLAGS=
>
> cyrus.conf:
> ----------.
>
> # standard standalone server implementation
>
> START {
> # do not delete this entry!
> recover cmd="ctl_cyrusdb -r"
>
> # this is only necessary if using idled for IMAP IDLE
> idled cmd="idled"
> }
>
> # UNIX sockets start with a slash and are put into /var/lib/imap/sockets
> SERVICES {
> # add or remove based on preferences
> imap cmd="imapd" listen="imap" prefork=5
> imaps cmd="imapd -s" listen="imaps" prefork=1
> pop3 cmd="pop3d" listen="pop3" prefork=3
> pop3s cmd="pop3d -s" listen="pop3s" prefork=1
> sieve cmd="timsieved" listen="sieve" prefork=0
>
> # these are only necessary if receiving/exporting usenet via NNTP
> # nntp cmd="nntpd" listen="nntp" prefork=3
> # nntps cmd="nntpd -s" listen="nntps" prefork=1
>
> # at least one LMTP is required for delivery
> # lmtp cmd="lmtpd" listen="lmtp" prefork=0
> lmtpunix cmd="lmtpd -a" listen="/var/lib/imap/socket/lmtp" prefork=0
>
> # this is only necessary if using notifications
> # notify cmd="notifyd" listen="/var/lib/imap/socket/notify" proto="udp" prefork=1
> }
>
> EVENTS {
> # this is required
> checkpoint cmd="ctl_cyrusdb -c" period=30
>
> # this is only necessary if using duplicate delivery suppression,
> # Sieve or NNTP
> delprune cmd="cyr_expire -E 3" at=0400
>
> # this is only necessary if caching TLS sessions
> tlsprune cmd="tls_prune" at=0400
> }
>
>
>
> main.cf:
> --------
>
> soft_bounce = no
> queue_directory = /var/spool/postfix
> command_directory = /usr/sbin
> daemon_directory = /usr/libexec/postfix
> mail_owner = postfix
> default_privs = nobody
> myhostname = mail.hardtekk.org
> mydomain = hardtekk.org
> myorigin = $mydomain
> inet_interfaces = all
> mydestination = $mydomain, $myhostname, localhost.$mydomain,
>     hardtekk.dyndns.org, hardtekk.org
> unknown_local_recipient_reject_code = 550
> mynetworks_style = host
> mynetworks = 192.168.0.0/24, 127.0.0.0/8
> relay_domains = $mydestination
> relayhost = [smtprelay.t-online.de]
> alias_maps = hash:/etc/aliases
> alias_database = hash:/etc/aliases
> debug_peer_level = 2
> debugger_command =
>     PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
>     xxgdb $daemon_directory/$process_name $process_id & sleep 5
> sendmail_path = /usr/sbin/sendmail.postfix
> newaliases_path = /usr/bin/newaliases.postfix
> mailq_path = /usr/bin/mailq.postfix
> setgid_group = postdrop
> html_directory = no
> manpage_directory = /usr/share/man
> sample_directory = /usr/share/doc/postfix-2.1.5/samples
> readme_directory = /usr/share/doc/postfix-2.1.5/README_FILES
> mailbox_command = /usr/bin/procmail -t -a $EXTENSION
> #mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
> #mailbox_transport = cyrus
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain =
> smtpd_recipient_restrictions = permit_mynetworks,
>     permit_sasl_authenticated, check_relay_domains
> smtpd_sasl_security_options = noanonymous
> broken_sasl_auth_clients = yes
>
> master.cf:
> ---------
>
> # ==========================================================================
> # service type private unpriv chroot wakeup maxproc command + args
> # (yes) (yes) (yes) (never) (100)
> # ==========================================================================
> smtp inet n - n - - smtpd
> #smtps inet n - n - - smtpd
> # -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
> #submission inet n - n - - smtpd
> # -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes -o smtpd_etrn_restrictions=reject
> #628 inet n - n - - qmqpd
> pickup fifo n - n 60 1 pickup
> cleanup unix n - n - 0 cleanup
> qmgr fifo n - n 300 1 qmgr
> #qmgr fifo n - n 300 1 oqmgr
> #tlsmgr fifo - - n 300 1 tlsmgr
> rewrite unix - - n - - trivial-rewrite
> bounce unix - - n - 0 bounce
> defer unix - - n - 0 bounce
> trace unix - - n - 0 bounce
> verify unix - - n - 1 verify
> flush unix n - n 1000? 0 flush
> proxymap unix - - n - - proxymap
> smtp unix - - n - - smtp
> relay unix - - n - - smtp
> # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
> showq unix n - n - - showq
> error unix - - n - - error
> local unix - n n - - local
> virtual unix - n n - - virtual
> lmtp unix - - n - - lmtp
> anvil unix - - n - 1 anvil
> #
> # Interfaces to non-Postfix software. Be sure to examine the manual
> # pages of the non-Postfix software to find out what options it wants.
> #
> # maildrop. See the Postfix MAILDROP_README file for details.
> #
> maildrop unix - n n - - pipe
>   flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
> #
> # The Cyrus deliver program has changed incompatibly, multiple times.
> #
> old-cyrus unix - n n - - pipe
>   flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
> # Cyrus 2.1.5 (Amos Gouaux)
> # Also specify in main.cf: cyrus_destination_recipient_limit=1
> cyrus unix - n n - - pipe
>   user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
> uucp unix - n n - - pipe
>   flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
> ifmail unix - n n - - pipe
>   flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
> bsmtp unix - n n - - pipe
>   flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
>
> -----------------
>
> So, I hope I haven't forgotten anything ;)
>
> After hours of reading how-tos I cannot find the error, i.e. why only
> "Plain" can be negotiated. Oh, and I set the permissions of the sasldb to
> 777 as a test. So that is not it either.
>
> cya
>
> PS1: Something else that occurs to me is that my host is called
> base.base.local, but in main.cf I have set myhostname = mail.hardtekk.org
> mydomain = hardtekk.org. My host base.base.local is, however, reachable via
> dyndns as mail.hardtekk.org.
>
> PS2: What I also do not understand: if I rename the sasldb, i.e. make
> it unreadable, the "Plain" method is still negotiated. I
> always thought this database was always needed. Here is the log
> from when I made the sasldb2 unreadable:
>
> Oct 21 19:21:45 base master[9100]: process 15481 exited, status 0
> Oct 21 19:24:36 base postfix/smtpd[15515]: connect from brln-d9b8060d.pool.mediaWays.net[217.184.6.13]
> Oct 21 19:24:37 base postfix/smtpd[15515]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
> Oct 21 19:24:37 base postfix/smtpd[15515]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
> Oct 21 19:24:37 base postfix/smtpd[15515]: warning: SASL authentication failure: no secret in database
> Oct 21 19:24:37 base postfix/smtpd[15515]: warning: brln-d9b8060d.pool.mediaWays.net[217.184.6.13]: SASL CRAM-MD5 authentication failed
> Oct 21 19:24:37 base postfix/smtpd[15515]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
> Oct 21 19:24:37 base postfix/smtpd[15515]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
> Oct 21 19:24:40 base postfix/smtpd[15515]: A67B08C610: client=brln-d9b8060d.pool.mediaWays.net[217.184.6.13], sasl_method=PLAIN, sasl_username=blub
> Oct 21 19:24:41 base postfix/cleanup[15519]: A67B08C610: message-id=<732424886.20051021192430 at hardtekk.org>
> Oct 21 19:24:41 base postfix/qmgr[15216]: A67B08C610: from=<blub at hardtekk.org>, size=698, nrcpt=1 (queue active)
> Oct 21 19:24:42 base postfix/smtp[15520]: A67B08C610: to=<huhu at blub.de>, relay=smtprelay.t-online.de[194.25.134.93], delay=2, status=sent (250 Message accepted.)
> Oct 21 19:24:42 base postfix/qmgr[15216]: A67B08C610: removed
>
>
>
> --
> Kind regards
> Holm Kapschitzki
> mailto:holm at oleco.net

-- 
	Andreas
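
Why the reply limits mech_list to plain login, shown as an added example that is not part of the original mails and is not Cyrus SASL code: a CRAM-MD5 server has to recompute an HMAC from a stored plaintext secret, while a saslauthd-style checker only answers yes or no for a user and password it is handed. The challenge string and the fake_saslauthd stand-in are constructed for illustration; user and password are the ones from the testsaslauthd call above.

```python
import base64, hashlib, hmac

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}  # the password itself reaches the server

def cram_md5_response(user, password, challenge_b64):
    """Client side (RFC 2195): HMAC-MD5 of the challenge, keyed with the password."""
    mac = hmac.new(password.encode(), base64.b64decode(challenge_b64), hashlib.md5)
    return base64.b64encode(f"{user} {mac.hexdigest()}".encode()).decode()

def verify_cram_md5(response_b64, challenge_b64, secret_db):
    """Server side: the HMAC can only be recomputed from a stored plaintext secret."""
    user, _, digest = base64.b64decode(response_b64).decode().rpartition(" ")
    secret = secret_db.get(user)
    if secret is None:
        return "no secret in database"
    mac = hmac.new(secret.encode(), base64.b64decode(challenge_b64), hashlib.md5)
    return "ok" if hmac.compare_digest(mac.hexdigest(), digest) else "failed"

def verify_plain(user, password, password_checker):
    """PLAIN/LOGIN: the server holds the password and can hand it to a checker."""
    return "ok" if password_checker(user, password) else "failed"

def mechs_for_password_checker(advertised):
    """Keep only mechanisms a saslauthd-style (user, password) checker can serve."""
    return [m for m in advertised if m.upper() in PLAINTEXT_MECHS]

# Constructed sample data for this example.
CHALLENGE = base64.b64encode(b"<12345.1129913195@mail.example.org>").decode()
ADVERTISED = "LOGIN DIGEST-MD5 CRAM-MD5 PLAIN".split()  # AUTH line from the EHLO output

def fake_saslauthd(user, password):
    """Hypothetical stand-in for saslauthd: answers yes/no, never returns a secret."""
    return (user, password) == ("blub", "geheim")

if __name__ == "__main__":
    resp = cram_md5_response("blub", "geheim", CHALLENGE)
    print(verify_cram_md5(resp, CHALLENGE, {}))                  # no secret store
    print(verify_cram_md5(resp, CHALLENGE, {"blub": "geheim"}))  # secret store present
    print(verify_plain("blub", "geheim", fake_saslauthd))
    print(mechs_for_password_checker(ADVERTISED))
```

With an empty secret store the CRAM-MD5 check ends in the same "no secret in database" condition that smtpd logs, and the client's fallback to PLAIN succeeds because the password can be passed to the checker.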


