[Postfixbuch-users] sasl problem
Patrick Ben Koetter
p at state-of-mind.de
Mon Feb 4 09:53:20 CET 2008
* Carsten Henkel <postfixbuch-users at listi.jpberlin.de>:
> saslfinger -s
> saslfinger - postfix Cyrus sasl configuration Mo 4. Feb 09:17:38 CET 2008
> version: 1.0.2
> mode: server-side SMTP AUTH
>
> -- basics --
> Postfix: 2.4.5
> System:
> Welcome to openSUSE 10.3 (i586) - Kernel \r (\l).
>
> -- smtpd is linked to --
> libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7eb9000)
>
> -- active SMTP AUTH and TLS parameters for smtpd --
> broken_sasl_auth_clients = yes
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain = $myhostname
> smtpd_sasl_security_options = noanonymous, noplaintext
> smtpd_use_tls = no
>
>
> -- listing of /usr/lib/sasl2 --
> insgesamt 464
> drwxr-xr-x 2 root root 4096 3. Feb 21:48 .
> drwxr-xr-x 63 root root 24576 3. Feb 21:48 ..
> -rwxr-xr-x 1 root root 14088 22. Sep 02:03 libanonymous.so
> -rwxr-xr-x 1 root root 14088 22. Sep 02:03 libanonymous.so.2
> -rwxr-xr-x 1 root root 14088 22. Sep 02:03 libanonymous.so.2.0.22
> -rwxr-xr-x 1 root root 18180 22. Sep 02:03 libcrammd5.so
> -rwxr-xr-x 1 root root 18180 22. Sep 02:03 libcrammd5.so.2
> -rwxr-xr-x 1 root root 18180 22. Sep 02:03 libcrammd5.so.2.0.22
> -rwxr-xr-x 1 root root 47200 22. Sep 02:03 libdigestmd5.so
> -rwxr-xr-x 1 root root 47200 22. Sep 02:03 libdigestmd5.so.2
> -rwxr-xr-x 1 root root 47200 22. Sep 02:03 libdigestmd5.so.2.0.22
> -rwxr-xr-x 1 root root 14084 22. Sep 02:03 liblogin.so
> -rwxr-xr-x 1 root root 14084 22. Sep 02:03 liblogin.so.2
> -rwxr-xr-x 1 root root 14084 22. Sep 02:03 liblogin.so.2.0.22
> -rwxr-xr-x 1 root root 18180 22. Sep 02:03 libplain.so
> -rwxr-xr-x 1 root root 18180 22. Sep 02:03 libplain.so.2
> -rwxr-xr-x 1 root root 18180 22. Sep 02:03 libplain.so.2.0.22
> -rwxr-xr-x 1 root root 22228 22. Sep 02:03 libsasldb.so
> -rwxr-xr-x 1 root root 22228 22. Sep 02:03 libsasldb.so.2
> -rwxr-xr-x 1 root root 22228 22. Sep 02:03 libsasldb.so.2.0.22
> -rw-r--r-- 1 root root 129 3. Feb 21:36 smtpd.conf
>
> -- listing of /etc/sasl2 --
> insgesamt 20
> drwxr-xr-x 2 root root 4096 3. Feb 22:19 .
> drwxr-xr-x 69 root root 4096 3. Feb 22:02 ..
> -rw------- 1 root root 128 3. Feb 22:19 smtpd.conf
> -rw------- 1 root root 49 3. Feb 00:49 smtpd.conf.old
> -rw------- 1 root root 104 3. Feb 17:33 smtpd.conf.rpmsave
>
>
>
>
> -- content of /usr/lib/sasl2/smtpd.conf --
> log_level: 7
> pwcheck_method: auxprop
> mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
In main.cf you have set $smtpd_sasl_security_options to noplaintext.
In that case you cannot/should not offer "mech_list: PLAIN LOGIN" here either.
> auxprop_plugin: sasldb
> #sasldb_path: /etc/sasldb2
> -- content of /etc/sasl2/smtpd.conf --
> log_level: 7
> pwcheck_method: auxprop
> mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
ditto
> auxprop_plugin: sasldb
> sasldb_path: /etc/sasldb2
>
> -- active services in /etc/postfix/master.cf --
> # service type private unpriv chroot wakeup maxproc command + args
> # (yes) (yes) (yes) (never) (100)
> smtp inet n - n - - smtpd -v
That is fine.
> -- mechanisms on localhost --
> 250-AUTH DIGEST-MD5 CRAM-MD5
> 250-AUTH=DIGEST-MD5 CRAM-MD5
Works.
> -- end of saslfinger output --
>
> I am surprised that only DIGEST-MD5 CRAM-MD5 show up here; Plain is
> installed as well.
Because you have forbidden plaintext with $smtpd_sasl_security_options in main.cf.
What do your entries in sasldb2 look like? Run sasldblistusers2 and
send that. Also download gen-auth from jetmore.org
<http://www.jetmore.org/john/code/#gen-auth> and make it executable.
Next we will test authentication.
p at rick
>
> Regards
>
> Patrick Ben Koetter wrote:
> > Please send "saslfinger -s" instead of "-c".
> >
> > p at rick
> >
> >
> >
> > * Carsten Henkel <postfixbuch-users at listi.jpberlin.de>:
> >
> >> Hello, I have a problem with suse 10.3 and sasl. The client asks for
> >> the password and then gets no further.
> >> Attached are the logs and the output of the tools Postconf and Saslfinger.
> >>
> >> maillog:
> >> Feb 3 22:20:23 server postfix/smtpd[20023]: <
> >> p5492E808.dip.t-dialin.net[84.146.232.8]: AUTH CRAM-MD5
> >> Feb 3 22:20:23 server postfix/smtpd[20023]: xsasl_cyrus_server_first:
> >> sasl_method CRAM-MD5
> >> Feb 3 22:20:23 server postfix/smtpd[20023]:
> >> xsasl_cyrus_server_auth_response: uncoded server challenge:
> >> <3586957780.10891358 at server.wunschradio.de>
> >> Feb 3 22:20:23 server postfix/smtpd[20023]: >
> >> p5492E808.dip.t-dialin.net[84.146.232.8]: 334
> >> PDM1ODY5NTc3ODAuMTA4OTEzNThAc2VydmVyLnd1bnNjaHJhZGlvLmRlPg==
> >> Feb 3 22:20:24 server postfix/smtpd[20023]: <
> >> p5492E808.dip.t-dialin.net[84.146.232.8]:
> >> Y2FzaUBiaW9iaWVuY2hlbi5kZSAyM2FhNTA2YTc4MjRhNDFkOGI0YzczZDNjNjEyOTkwMQ==
> >> Feb 3 22:20:24 server postfix/smtpd[20023]: xsasl_cyrus_server_next:
> >> decoded response: casi at biobienchen.de 23aa506a7824a41d8b4c73d3c6129901
> >> Feb 3 22:20:24 server postfix/smtpd[20023]: warning: SASL
> >> authentication failure: incorrect digest response
> >> Feb 3 22:20:24 server postfix/smtpd[20023]: warning:
> >> p5492E808.dip.t-dialin.net[84.146.232.8]: SASL CRAM-MD5 authentication
> >> failed: authentication failure
> >> Feb 3 22:20:24 server postfix/smtpd[20023]: >
> >> p5492E808.dip.t-dialin.net[84.146.232.8]: 535 5.7.0 Error:
> >> authentication failed: authentication failure
> >>
> >>
> >> saslfinger -c:
> >> saslfinger - postfix Cyrus sasl configuration So 3. Feb 22:21:44 CET 2008
> >> version: 1.0.2
> >> mode: client-side SMTP AUTH
> >>
> >> -- basics --
> >> Postfix: 2.4.5
> >> System:
> >> Welcome to openSUSE 10.3 (i586) - Kernel \r (\l).
> >>
> >> -- smtp is linked to --
> >> libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7ee1000)
> >>
> >> -- active SMTP AUTH and TLS parameters for smtp --
> >> relayhost =
> >> smtp_sasl_auth_enable = no
> >> smtp_use_tls = no
> >>
> >>
> >> -- listing of /usr/lib/sasl2 --
> >> insgesamt 464
> >> drwxr-xr-x 2 root root 4096 3. Feb 21:48 .
> >> drwxr-xr-x 63 root root 24576 3. Feb 21:48 ..
> >> -rwxr-xr-x 1 root root 14088 22. Sep 02:03 libanonymous.so
> >> -rwxr-xr-x 1 root root 14088 22. Sep 02:03 libanonymous.so.2
> >> -rwxr-xr-x 1 root root 14088 22. Sep 02:03 libanonymous.so.2.0.22
> >> -rwxr-xr-x 1 root root 18180 22. Sep 02:03 libcrammd5.so
> >> -rwxr-xr-x 1 root root 18180 22. Sep 02:03 libcrammd5.so.2
> >> -rwxr-xr-x 1 root root 18180 22. Sep 02:03 libcrammd5.so.2.0.22
> >> -rwxr-xr-x 1 root root 47200 22. Sep 02:03 libdigestmd5.so
> >> -rwxr-xr-x 1 root root 47200 22. Sep 02:03 libdigestmd5.so.2
> >> -rwxr-xr-x 1 root root 47200 22. Sep 02:03 libdigestmd5.so.2.0.22
> >> -rwxr-xr-x 1 root root 14084 22. Sep 02:03 liblogin.so
> >> -rwxr-xr-x 1 root root 14084 22. Sep 02:03 liblogin.so.2
> >> -rwxr-xr-x 1 root root 14084 22. Sep 02:03 liblogin.so.2.0.22
> >> -rwxr-xr-x 1 root root 18180 22. Sep 02:03 libplain.so
> >> -rwxr-xr-x 1 root root 18180 22. Sep 02:03 libplain.so.2
> >> -rwxr-xr-x 1 root root 18180 22. Sep 02:03 libplain.so.2.0.22
> >> -rwxr-xr-x 1 root root 22228 22. Sep 02:03 libsasldb.so
> >> -rwxr-xr-x 1 root root 22228 22. Sep 02:03 libsasldb.so.2
> >> -rwxr-xr-x 1 root root 22228 22. Sep 02:03 libsasldb.so.2.0.22
> >> -rw-r--r-- 1 root root 129 3. Feb 21:36 smtpd.conf
> >>
> >> -- listing of /etc/sasl2 --
> >> insgesamt 20
> >> drwxr-xr-x 2 root root 4096 3. Feb 22:19 .
> >> drwxr-xr-x 69 root root 4096 3. Feb 22:02 ..
> >> -rw------- 1 root root 128 3. Feb 22:19 smtpd.conf
> >> -rw------- 1 root root 49 3. Feb 00:49 smtpd.conf.old
> >> -rw------- 1 root root 104 3. Feb 17:33 smtpd.conf.rpmsave
> >>
> >>
> >> Cannot find the smtp_sasl_password_maps parameter in main.cf.
> >> Client-side SMTP AUTH cannot work without this parameter!
> >>
> >> /etc/sals2/smtpd.conf:
> >> log_level: 7
> >> pwcheck_method: auxprop
> >> mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
> >> auxprop_plugin: sasldb
> >> sasldb_path: /etc/sasldb2
> >>
> >> postconf -n:
> >> alias_database = hash:/etc/aliases
> >> alias_maps = hash:/etc/aliases
> >> biff = no
> >> broken_sasl_auth_clients = yes
> >> canonical_maps = hash:/etc/postfix/canonical
> >> command_directory = /usr/sbin
> >> config_directory = /etc/postfix
> >> content_filter = amavisd-new:[127.0.0.1]:10024
> >> daemon_directory = /usr/lib/postfix
> >> debug_peer_level = 7
> >> defer_transports =
> >> disable_dns_lookups = no
> >> disable_mime_output_conversion = no
> >> header_checks = regexp:/etc/postfix/header_checks
> >> html_directory = /usr/share/doc/packages/postfix/html
> >> inet_interfaces = localhost
> >> inet_protocols = all
> >> mail_owner = postfix
> >> mail_spool_directory = /var/mail
> >> mailbox_command =
> >> mailbox_size_limit = 0
> >> mailbox_transport =
> >> mailq_path = /usr/bin/mailq
> >> manpage_directory = /usr/share/man
> >> masquerade_classes = envelope_sender, header_sender, header_recipient
> >> masquerade_domains =
> >> masquerade_exceptions = root
> >> message_size_limit = 10240000
> >> mydestination = $myhostname, localhost.$mydomain
> >> mydomain = server.wunschradio.de
> >> myhostname = server.wunschradio.de
> >> mynetworks = 85.214.63.178, 127.0.0.0/8
> >> mynetworks_style = subnet
> >> newaliases_path = /usr/bin/newaliases
> >> queue_directory = /var/spool/postfix
> >> readme_directory = /usr/share/doc/packages/postfix/README_FILES
> >> relayhost =
> >> relocated_maps = hash:/etc/postfix/relocated
> >> sample_directory = /usr/share/doc/packages/postfix/samples
> >> sender_canonical_maps = hash:/etc/postfix/sender_canonical
> >> sendmail_path = /usr/sbin/sendmail
> >> setgid_group = maildrop
> >> smtp_sasl_auth_enable = no
> >> smtp_use_tls = no
> >> smtpd_banner = $myhostname ESMTP $mail_name
> >> smtpd_client_restrictions =
> >> smtpd_helo_required = no
> >> smtpd_helo_restrictions =
> >> smtpd_recipient_restrictions = reject_non_fqdn_recipient
> >> reject_non_fqdn_sender permit_sasl_authenticated permit_mynetworks
> >> reject_unauth_destination check_client_access
> >> hash:/etc/postfix/client_access reject_non_fqdn_hostname
> >> reject_invalid_hostname reject_rbl_client sbl-xbl.spamhaus.org,
> >> reject_rbl_client dul.dnsbl.sorbs.net, reject_rhsbl_client
> >> blackhole.securitysage.com, reject_rhsbl_sender
> >> blackhole.securitysage.com, reject_rhsbl_sender rhsbl.sorbs.n permit
> >> smtpd_sasl_auth_enable = yes
> >> smtpd_sasl_local_domain = $myhostname
> >> smtpd_sasl_security_options = noanonymous, noplaintext
> >> smtpd_sender_restrictions = hash:/etc/postfix/access
> >> smtpd_use_tls = no
> >> strict_8bitmime = no
> >> strict_rfc821_envelopes = no
> >> transport_maps = hash:/etc/postfix/transport
> >> unknown_local_recipient_reject_code = 550
> >> virtual_alias_domains = hash:/etc/postfix/virtual
> >> virtual_alias_maps = hash:/etc/postfix/virtual_users
> >>
> >> Can someone please help me get on the right track?
> >>
> >> Regards and thanks
> >> --
> >> _______________________________________________
> >> Postfixbuch-users -- http://www.postfixbuch.de
> >> Heinlein Professional Linux Support GmbH
> >>
> >> Postfixbuch-users at listi.jpberlin.de
> >> https://listi.jpberlin.de/mailman/listinfo/postfixbuch-users
> >>
> >
> >
--
Postfix - Einrichtung, Betrieb und Wartung
<http://www.postfix-buch.com>
saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>