[Postfixbuch-users] SASL @

Andreas Winkelmann ml at awinkelmann.de
Wed Sep 28 15:02:46 CEST 2005


On Wednesday 28 September 2005 14:39, netmm2001 wrote:

> With PAM I use the pam_mysql plugin. The config file looks like this:
>
> auth    sufficient /lib/security/pam_mysql.so user=dbuser passwd=pass host=localhost \
>                    db=maildb table=users usercolumn=email passwdcolumn=password crypt=0
> auth    sufficient pam_unix_auth.so
> account required   /lib/security/pam_mysql.so user=dbuser passwd=pass host=localhost \
>                    db=maildb table=users usercolumn=email passwdcolumn=password crypt=0
> account sufficient pam_unix_acct.so

Ok.

> > If PAM is involved, testsaslauthd is still missing a "-s
> > smtp" to make it at least somewhat more realistic.
>
> testsaslauthd -s smtp -u user@ichbins.de -p pass
> returns: 0: OK "Success."
>
> If I change the password:
> testsaslauthd -s smtp -u user@ichbins.de -p 2pass
> returns: 0: NO "authentication failed"

Ok.

> > How is saslauthd started?
>
> Via /etc/init.d/saslauthd start
>
> /etc/init.d/saslauthd:
>
> ----------------cut----------------
> start() {
>         echo -n $"Starting $prog: "
>         daemon $path -m $SOCKETDIR -a $MECH $FLAGS
>         RETVAL=$?
>         echo
>         [ $RETVAL -eq 0 ] && touch /var/lock/subsys/$prog
>         return $RETVAL
> }
> ----------------cut------------------

That doesn't show how it was started. Best to show the command line of the
running instance (ps(1)).

Which Cyrus SASL version are you actually running?

> > > Via telnet it still doesn't work, though.
> > >
> > > In main.cf I have the parameters
> > >
> > > smtpd_sasl_auth_enable = yes
> > > ##smtpd_sasl_local_domain = hierists
> >
> > When you show your config, use "postconf -n".
>
> The postconf output:
>
> alias_maps = mysql:/etc/postfix/mysql-aliases.cf
> broken_sasl_auth_clients = yes
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/libexec/postfix
> debug_peer_level = 2
> inet_interfaces = all
> local_recipient_maps = $alias_maps, $virtual_mailbox_maps
> mail_owner = postfix
> mailbox_size_limit = 2048000000
> mailq_path = /usr/bin/mailq
> manpage_directory = /usr/local/man
> message_size_limit = 1024000000
> mydestination = $myhostname, localhost.$mydomain, $transport_maps, $mydomain
> mydomain = gpnet.lan
> myhostname = fc3base
> mynetworks = 127.0.0.0/8, 217.9.24.161
> mynetworks_style = host
> myorigin = $mydomain
> newaliases_path = /usr/bin/newaliases
> queue_directory = /var/spool/postfix
> readme_directory = no
> relay_domains = $mydestination
> relocated_maps = mysql:/etc/postfix/mysql-relocated.cf
> sample_directory = /etc/postfix
> sendmail_path = /usr/sbin/sendmail
> setgid_group = postdrop
> smtpd_banner = Welcome
> smtpd_client_restrictions = reject_rbl_client zombie.dnsbl.sorbs.net,
>     reject_rbl_client relays.ordb.org, reject_rbl_client opm.blitzed.org,
>     reject_rbl_client sbl.spamhaus.org, reject_rbl_client blackholes.easynet.nl,
>     reject_rbl_client dsn.rfc-ignorant.org, permit_sasl_authenticated
> smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
>     reject_unauth_destination
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_security_options = noanonymous
> smtpd_sender_restrictions = permit_sasl_authenticated,  permit_mynetworks,
> reject_unauth_destination
> transport_maps = mysql:/etc/postfix/mysql-transport.cf
> unknown_local_recipient_reject_code = 550
> virtual_gid_maps = static:90
> virtual_mailbox_base = /home2/maildirs
> virtual_mailbox_limit = 2048000000
> virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-maps.cf
> virtual_minimum_uid = 88
> virtual_uid_maps = static:89

Ok.

> > > Here is the telnet session:
> > >
> > > [root@fc3base ~]# telnet 127.0.0.1 25
> > > Trying 127.0.0.1...
> > > Connected to fc3base (127.0.0.1).
> > > Escape character is '^]'.
> > > 220 Welcome
> > > ehlo ich.bins.de
> > > 250-fc3base
> > > 250-PIPELINING
> > > 250-SIZE 1024000000
> > > 250-VRFY
> > > 250-ETRN
> > > 250-AUTH LOGIN PLAIN
> > > 250-AUTH=LOGIN PLAIN
> > > 250 8BITMIME
> > > AUTH PLAIN
> > > cm9iZXJ0QHdlcnRjaGVjay5kZQByb2JlcnRAd2VydGNoZWNrLmRlAHBhc3M=
> > > 535 Error: authentication failed
> > >
> > > The user string was generated with printf 'user@ichbins.de\0user@ichbins.de\0pass' |
> > > /usr/lib/xemacs-21.4.15/i386-redhat-linux/mmencode.
> >
> > The base64 string after PLAIN does not match the
> > printf line.
> >
> > What shows up in the log?
>
> In the maillog:
>
> Sep 28 15:50:29 fc3base postfix/smtpd[4156]: connect from fc3base[127.0.0.1]
> Sep 28 15:51:14 fc3base postfix/smtpd[4156]: warning: SASL authentication failure: Password verification failed
> Sep 28 15:51:14 fc3base postfix/smtpd[4156]: warning: fc3base[127.0.0.1]: SASL PLAIN authentication failed
>
> In messages:
>
> Sep 28 15:51:11 fc3base saslauthd[4037]: pam_sm_authenticate called.
> Sep 28 15:51:11 fc3base saslauthd[4037]: dbuser changed.
> Sep 28 15:51:11 fc3base saslauthd[4037]: dbpasswd changed.
> Sep 28 15:51:11 fc3base saslauthd[4037]: host changed.
> Sep 28 15:51:11 fc3base saslauthd[4037]: database changed.
> Sep 28 15:51:11 fc3base saslauthd[4037]: table changed.
> Sep 28 15:51:11 fc3base saslauthd[4037]: usercolumn changed.
> Sep 28 15:51:11 fc3base saslauthd[4037]: passwdcolumn changed.
> Sep 28 15:51:11 fc3base saslauthd[4037]: crypt changed.
> Sep 28 15:51:11 fc3base saslauthd[4037]: db_connect  called.
> Sep 28 15:51:12 fc3base saslauthd[4037]: returning 0 .
> Sep 28 15:51:12 fc3base saslauthd[4037]: db_checkpasswd called.
> Sep 28 15:51:12 fc3base saslauthd[4037]: pam_mysql: where clause =
> Sep 28 15:51:12 fc3base saslauthd[4037]: SELECT password FROM users WHERE email='user'

> Sep 28 15:51:12 fc3base saslauthd[4037]: pam_mysql: select returned more than one result

That is unambiguous, isn't it?

> Sep 28 15:51:12 fc3base saslauthd[4037]: returning 7 after db_checkpasswd.
> Sep 28 15:51:12 fc3base smtp(pam_unix)[4037]: check pass; user unknown
> Sep 28 15:51:12 fc3base smtp(pam_unix)[4037]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
> Sep 28 15:51:14 fc3base saslauthd[4037]: do_auth         : auth failure: [user=user] [service=smtp] [realm=ichbins.de] [mech=pam] [reason=PAM auth error]

-- 
	Andreas
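Added example (editor's note, not code from the thread or from Cyrus SASL / pam_mysql): the two points Andreas raises above, that the base64 string sent after AUTH PLAIN does not match the printf line, and that pam_mysql ends up querying `email='user'` although the column holds full addresses, can both be checked offline. The block decodes the posted PLAIN message per RFC 4616, re-encodes the printf line, and then models the path the log shows: the library splits `user@ichbins.de` into user and realm, saslauthd passes only the bare user to PAM unless it was started with the documented `-r` option (which re-attaches the realm with an `@`), and pam_mysql builds its WHERE clause from that name. The sample table rows, the exact-one-row rule and the query shape are assumptions reconstructed from the quoted config and log lines, not from the original sources.

```python
from __future__ import annotations

import base64

# Constructed sample: the base64 argument from the AUTH PLAIN line in the
# telnet session quoted in the thread.
POSTED_B64 = "cm9iZXJ0QHdlcnRjaGVjay5kZQByb2JlcnRAd2VydGNoZWNrLmRlAHBhc3M="

# Constructed stand-in for maildb.users (usercolumn=email, passwdcolumn=password,
# crypt=0 as in the quoted PAM config). The real table contents are not shown
# in the thread, so these rows are an assumption.
USERS = [
    {"email": "user@ichbins.de", "password": "pass"},
    {"email": "user@example.net", "password": "other"},
]


def encode_plain(authzid: str, authcid: str, passwd: str) -> str:
    """RFC 4616 PLAIN: base64( [authzid] NUL authcid NUL passwd )."""
    msg = f"{authzid}\0{authcid}\0{passwd}".encode()
    return base64.b64encode(msg).decode()


def decode_plain(b64: str) -> tuple[str, str, str]:
    """Inverse of encode_plain; rejects anything without exactly three fields."""
    parts = base64.b64decode(b64).split(b"\0")
    if len(parts) != 3:
        raise ValueError("PLAIN message must contain exactly two NUL separators")
    authzid, authcid, passwd = (p.decode() for p in parts)
    return authzid, authcid, passwd


def split_login(login: str) -> tuple[str, str]:
    """Model of the user/realm split the SASL library performs on 'user@domain'
    before the request reaches saslauthd; the quoted log shows the result as
    [user=user] [realm=ichbins.de]."""
    user, _, realm = login.partition("@")
    return user, realm


def pam_login_name(user: str, realm: str, combine_realm: bool) -> str:
    """Login name saslauthd hands to PAM. combine_realm=True models the
    documented 'saslauthd -r' option, which re-attaches the realm with an '@';
    without it only the bare user name is passed on."""
    if combine_realm and realm:
        return f"{user}@{realm}"
    return user


def pam_mysql_select(table: str, usercolumn: str, passwdcolumn: str, user: str) -> str:
    """Shape of the query pam_mysql logged in the thread (reconstructed from
    that log line, not taken from pam_mysql source)."""
    return f"SELECT {passwdcolumn} FROM {table} WHERE {usercolumn}='{user}'"


def lookup(user: str) -> list[dict]:
    """Rows the constructed table returns for the query above."""
    return [row for row in USERS if row["email"] == user]


def check_password(login: str, passwd: str, combine_realm: bool) -> bool:
    """Walk one AUTH PLAIN login through split, saslauthd and pam_mysql.
    Requiring exactly one row is an assumption modelled on pam_mysql's
    complaint in the log; the plain string compare is what crypt=0 means in
    the quoted PAM config."""
    user, realm = split_login(login)
    rows = lookup(pam_login_name(user, realm, combine_realm))
    if len(rows) != 1:
        return False
    return rows[0]["password"] == passwd


if __name__ == "__main__":
    print("posted AUTH PLAIN decodes to:", decode_plain(POSTED_B64))
    print("printf line encodes to:", encode_plain("user@ichbins.de", "user@ichbins.de", "pass"))
    bare_user = split_login("user@ichbins.de")[0]
    print(pam_mysql_select("users", "email", "password", bare_user))
    for combine in (False, True):
        state = "on" if combine else "off"
        print(f"saslauthd -r {state}:", check_password("user@ichbins.de", "pass", combine))
```

Running it shows the posted string decoding to `robert@wertcheck.de` in both identity fields rather than `user@ichbins.de`, and the lookup only succeeding once the realm is re-attached, which is why Andreas asks for the actual saslauthd command line from ps(1) rather than the init script.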



More information about the Postfixbuch-users mailing list