[Postfixbuch-users] sasl problem

Patrick Ben Koetter p at state-of-mind.de
Mon Feb 4 09:53:20 CET 2008


* Carsten Henkel <postfixbuch-users at listi.jpberlin.de>:
> saslfinger -s
> saslfinger - postfix Cyrus sasl configuration Mo 4. Feb 09:17:38 CET 2008
> version: 1.0.2
> mode: server-side SMTP AUTH
> 
> -- basics --
> Postfix: 2.4.5
> System:
> Welcome to openSUSE 10.3 (i586) - Kernel \r (\l).
> 
> -- smtpd is linked to --
>         libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7eb9000)
> 
> -- active SMTP AUTH and TLS parameters for smtpd --
> broken_sasl_auth_clients = yes
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain = $myhostname
> smtpd_sasl_security_options = noanonymous, noplaintext
> smtpd_use_tls = no
> 
> 
> -- listing of /usr/lib/sasl2 --
> insgesamt 464
> drwxr-xr-x  2 root root  4096  3. Feb 21:48 .
> drwxr-xr-x 63 root root 24576  3. Feb 21:48 ..
> -rwxr-xr-x  1 root root 14088 22. Sep 02:03 libanonymous.so
> -rwxr-xr-x  1 root root 14088 22. Sep 02:03 libanonymous.so.2
> -rwxr-xr-x  1 root root 14088 22. Sep 02:03 libanonymous.so.2.0.22
> -rwxr-xr-x  1 root root 18180 22. Sep 02:03 libcrammd5.so
> -rwxr-xr-x  1 root root 18180 22. Sep 02:03 libcrammd5.so.2
> -rwxr-xr-x  1 root root 18180 22. Sep 02:03 libcrammd5.so.2.0.22
> -rwxr-xr-x  1 root root 47200 22. Sep 02:03 libdigestmd5.so
> -rwxr-xr-x  1 root root 47200 22. Sep 02:03 libdigestmd5.so.2
> -rwxr-xr-x  1 root root 47200 22. Sep 02:03 libdigestmd5.so.2.0.22
> -rwxr-xr-x  1 root root 14084 22. Sep 02:03 liblogin.so
> -rwxr-xr-x  1 root root 14084 22. Sep 02:03 liblogin.so.2
> -rwxr-xr-x  1 root root 14084 22. Sep 02:03 liblogin.so.2.0.22
> -rwxr-xr-x  1 root root 18180 22. Sep 02:03 libplain.so
> -rwxr-xr-x  1 root root 18180 22. Sep 02:03 libplain.so.2
> -rwxr-xr-x  1 root root 18180 22. Sep 02:03 libplain.so.2.0.22
> -rwxr-xr-x  1 root root 22228 22. Sep 02:03 libsasldb.so
> -rwxr-xr-x  1 root root 22228 22. Sep 02:03 libsasldb.so.2
> -rwxr-xr-x  1 root root 22228 22. Sep 02:03 libsasldb.so.2.0.22
> -rw-r--r--  1 root root   129  3. Feb 21:36 smtpd.conf
> 
> -- listing of /etc/sasl2 --
> insgesamt 20
> drwxr-xr-x  2 root root 4096  3. Feb 22:19 .
> drwxr-xr-x 69 root root 4096  3. Feb 22:02 ..
> -rw-------  1 root root  128  3. Feb 22:19 smtpd.conf
> -rw-------  1 root root   49  3. Feb 00:49 smtpd.conf.old
> -rw-------  1 root root  104  3. Feb 17:33 smtpd.conf.rpmsave
> 
> 
> 
> 
> -- content of /usr/lib/sasl2/smtpd.conf --
> log_level: 7
> pwcheck_method: auxprop
> mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5

In main.cf you have set $smtpd_sasl_security_options to noplaintext.
Then you cannot/should not offer "mech_list: PLAIN LOGIN" here either.


> auxprop_plugin: sasldb
> #sasldb_path: /etc/sasldb2
> -- content of /etc/sasl2/smtpd.conf --
> log_level: 7
> pwcheck_method: auxprop
> mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5

ditto

> auxprop_plugin: sasldb
> sasldb_path: /etc/sasldb2
> 
> -- active services in /etc/postfix/master.cf --
> # service type  private unpriv  chroot  wakeup  maxproc command + args
> #               (yes)   (yes)   (yes)   (never) (100)
> smtp      inet  n       -       n       -       -       smtpd -v

Good as it is.

> -- mechanisms on localhost --
> 250-AUTH DIGEST-MD5 CRAM-MD5
> 250-AUTH=DIGEST-MD5 CRAM-MD5

Works.

> -- end of saslfinger output --
> 
> I'm surprised that only DIGEST-MD5 CRAM-MD5 show up here; Plain is also
> installed.

Because you have forbidden plaintext with $smtpd_sasl_security_options in main.cf.

What do your entries in the sasldb2 look like? Run sasldblistusers2 and
send the output. Also download gen-auth from jetmore.org
<http://www.jetmore.org/john/code/#gen-auth> and make it executable. Next
we will test authentication.

p at rick


> 
> Regards
> 
> Patrick Ben Koetter wrote:
> > Please send "saslfinger -s" instead of "-c".
> >
> > p at rick
> >
> >
> >
> > * Carsten Henkel <postfixbuch-users at listi.jpberlin.de>:
> >   
> >> Hello, I have a problem with suse 10.3 and sasl. The client asks for
> >> the password and then gets no further.
> >> Attached are the logs and the output of the tools Postconf and Saslfinger.
> >>
> >> maillog:
> >> Feb  3 22:20:23 server postfix/smtpd[20023]: < 
> >> p5492E808.dip.t-dialin.net[84.146.232.8]: AUTH CRAM-MD5
> >> Feb  3 22:20:23 server postfix/smtpd[20023]: xsasl_cyrus_server_first: 
> >> sasl_method CRAM-MD5
> >> Feb  3 22:20:23 server postfix/smtpd[20023]: 
> >> xsasl_cyrus_server_auth_response: uncoded server challenge: 
> >> <3586957780.10891358 at server.wunschradio.de>
> >> Feb  3 22:20:23 server postfix/smtpd[20023]: > 
> >> p5492E808.dip.t-dialin.net[84.146.232.8]: 334 
> >> PDM1ODY5NTc3ODAuMTA4OTEzNThAc2VydmVyLnd1bnNjaHJhZGlvLmRlPg==
> >> Feb  3 22:20:24 server postfix/smtpd[20023]: < 
> >> p5492E808.dip.t-dialin.net[84.146.232.8]: 
> >> Y2FzaUBiaW9iaWVuY2hlbi5kZSAyM2FhNTA2YTc4MjRhNDFkOGI0YzczZDNjNjEyOTkwMQ==
> >> Feb  3 22:20:24 server postfix/smtpd[20023]: xsasl_cyrus_server_next: 
> >> decoded response: casi at biobienchen.de 23aa506a7824a41d8b4c73d3c6129901
> >> Feb  3 22:20:24 server postfix/smtpd[20023]: warning: SASL 
> >> authentication failure: incorrect digest response
> >> Feb  3 22:20:24 server postfix/smtpd[20023]: warning: 
> >> p5492E808.dip.t-dialin.net[84.146.232.8]: SASL CRAM-MD5 authentication 
> >> failed: authentication failure
> >> Feb  3 22:20:24 server postfix/smtpd[20023]: > 
> >> p5492E808.dip.t-dialin.net[84.146.232.8]: 535 5.7.0 Error: 
> >> authentication failed: authentication failure
> >>
> >>
> >> saslfinger -c:
> >> saslfinger - postfix Cyrus sasl configuration So 3. Feb 22:21:44 CET 2008
> >> version: 1.0.2
> >> mode: client-side SMTP AUTH
> >>
> >> -- basics --
> >> Postfix: 2.4.5
> >> System:
> >> Welcome to openSUSE 10.3 (i586) - Kernel \r (\l).
> >>
> >> -- smtp is linked to --
> >>          libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7ee1000)
> >>
> >> -- active SMTP AUTH and TLS parameters for smtp --
> >> relayhost =
> >> smtp_sasl_auth_enable = no
> >> smtp_use_tls = no
> >>
> >>
> >> -- listing of /usr/lib/sasl2 --
> >> insgesamt 464
> >> drwxr-xr-x  2 root root  4096  3. Feb 21:48 .
> >> drwxr-xr-x 63 root root 24576  3. Feb 21:48 ..
> >> -rwxr-xr-x  1 root root 14088 22. Sep 02:03 libanonymous.so
> >> -rwxr-xr-x  1 root root 14088 22. Sep 02:03 libanonymous.so.2
> >> -rwxr-xr-x  1 root root 14088 22. Sep 02:03 libanonymous.so.2.0.22
> >> -rwxr-xr-x  1 root root 18180 22. Sep 02:03 libcrammd5.so
> >> -rwxr-xr-x  1 root root 18180 22. Sep 02:03 libcrammd5.so.2
> >> -rwxr-xr-x  1 root root 18180 22. Sep 02:03 libcrammd5.so.2.0.22
> >> -rwxr-xr-x  1 root root 47200 22. Sep 02:03 libdigestmd5.so
> >> -rwxr-xr-x  1 root root 47200 22. Sep 02:03 libdigestmd5.so.2
> >> -rwxr-xr-x  1 root root 47200 22. Sep 02:03 libdigestmd5.so.2.0.22
> >> -rwxr-xr-x  1 root root 14084 22. Sep 02:03 liblogin.so
> >> -rwxr-xr-x  1 root root 14084 22. Sep 02:03 liblogin.so.2
> >> -rwxr-xr-x  1 root root 14084 22. Sep 02:03 liblogin.so.2.0.22
> >> -rwxr-xr-x  1 root root 18180 22. Sep 02:03 libplain.so
> >> -rwxr-xr-x  1 root root 18180 22. Sep 02:03 libplain.so.2
> >> -rwxr-xr-x  1 root root 18180 22. Sep 02:03 libplain.so.2.0.22
> >> -rwxr-xr-x  1 root root 22228 22. Sep 02:03 libsasldb.so
> >> -rwxr-xr-x  1 root root 22228 22. Sep 02:03 libsasldb.so.2
> >> -rwxr-xr-x  1 root root 22228 22. Sep 02:03 libsasldb.so.2.0.22
> >> -rw-r--r--  1 root root   129  3. Feb 21:36 smtpd.conf
> >>
> >> -- listing of /etc/sasl2 --
> >> insgesamt 20
> >> drwxr-xr-x  2 root root 4096  3. Feb 22:19 .
> >> drwxr-xr-x 69 root root 4096  3. Feb 22:02 ..
> >> -rw-------  1 root root  128  3. Feb 22:19 smtpd.conf
> >> -rw-------  1 root root   49  3. Feb 00:49 smtpd.conf.old
> >> -rw-------  1 root root  104  3. Feb 17:33 smtpd.conf.rpmsave
> >>
> >>
> >> Cannot find the smtp_sasl_password_maps parameter in main.cf.
> >> Client-side SMTP AUTH cannot work without this parameter!
> >>
> >> /etc/sals2/smtpd.conf:
> >> log_level: 7
> >> pwcheck_method: auxprop
> >> mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
> >> auxprop_plugin: sasldb
> >> sasldb_path: /etc/sasldb2
> >>
> >> postconf -n:
> >> alias_database = hash:/etc/aliases
> >> alias_maps = hash:/etc/aliases
> >> biff = no
> >> broken_sasl_auth_clients = yes
> >> canonical_maps = hash:/etc/postfix/canonical
> >> command_directory = /usr/sbin
> >> config_directory = /etc/postfix
> >> content_filter = amavisd-new:[127.0.0.1]:10024
> >> daemon_directory = /usr/lib/postfix
> >> debug_peer_level = 7
> >> defer_transports =
> >> disable_dns_lookups = no
> >> disable_mime_output_conversion = no
> >> header_checks = regexp:/etc/postfix/header_checks
> >> html_directory = /usr/share/doc/packages/postfix/html
> >> inet_interfaces = localhost
> >> inet_protocols = all
> >> mail_owner = postfix
> >> mail_spool_directory = /var/mail
> >> mailbox_command =
> >> mailbox_size_limit = 0
> >> mailbox_transport =
> >> mailq_path = /usr/bin/mailq
> >> manpage_directory = /usr/share/man
> >> masquerade_classes = envelope_sender, header_sender, header_recipient
> >> masquerade_domains =
> >> masquerade_exceptions = root
> >> message_size_limit = 10240000
> >> mydestination = $myhostname, localhost.$mydomain
> >> mydomain = server.wunschradio.de
> >> myhostname = server.wunschradio.de
> >> mynetworks = 85.214.63.178, 127.0.0.0/8
> >> mynetworks_style = subnet
> >> newaliases_path = /usr/bin/newaliases
> >> queue_directory = /var/spool/postfix
> >> readme_directory = /usr/share/doc/packages/postfix/README_FILES
> >> relayhost =
> >> relocated_maps = hash:/etc/postfix/relocated
> >> sample_directory = /usr/share/doc/packages/postfix/samples
> >> sender_canonical_maps = hash:/etc/postfix/sender_canonical
> >> sendmail_path = /usr/sbin/sendmail
> >> setgid_group = maildrop
> >> smtp_sasl_auth_enable = no
> >> smtp_use_tls = no
> >> smtpd_banner = $myhostname ESMTP $mail_name
> >> smtpd_client_restrictions =
> >> smtpd_helo_required = no
> >> smtpd_helo_restrictions =
> >> smtpd_recipient_restrictions = reject_non_fqdn_recipient 
> >> reject_non_fqdn_sender    permit_sasl_authenticated    permit_mynetworks 
> >>     reject_unauth_destination    check_client_access 
> >> hash:/etc/postfix/client_access    reject_non_fqdn_hostname 
> >> reject_invalid_hostname    reject_rbl_client sbl-xbl.spamhaus.org, 
> >> reject_rbl_client dul.dnsbl.sorbs.net,    reject_rhsbl_client 
> >> blackhole.securitysage.com,    reject_rhsbl_sender 
> >> blackhole.securitysage.com,    reject_rhsbl_sender rhsbl.sorbs.n    permit
> >> smtpd_sasl_auth_enable = yes
> >> smtpd_sasl_local_domain = $myhostname
> >> smtpd_sasl_security_options = noanonymous, noplaintext
> >> smtpd_sender_restrictions = hash:/etc/postfix/access
> >> smtpd_use_tls = no
> >> strict_8bitmime = no
> >> strict_rfc821_envelopes = no
> >> transport_maps = hash:/etc/postfix/transport
> >> unknown_local_recipient_reject_code = 550
> >> virtual_alias_domains = hash:/etc/postfix/virtual
> >> virtual_alias_maps = hash:/etc/postfix/virtual_users
> >>
> >> Can someone please give me a hint?
> >>
> >> Regards and thanks
> >> -- 
> >> _______________________________________________
> >> Postfixbuch-users -- http://www.postfixbuch.de
> >> Heinlein Professional Linux Support GmbH
> >>
> >> Postfixbuch-users at listi.jpberlin.de
> >> https://listi.jpberlin.de/mailman/listinfo/postfixbuch-users
> >>     
> >
> >   

-- 
Postfix - Einrichtung, Betrieb und Wartung
<http://www.postfix-buch.com>
saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
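
Added example, not part of the original mails and not code from saslfinger or gen-auth: a Python sketch of the CRAM-MD5 check (RFC 2195) behind the "incorrect digest response" warning in the quoted maillog. It decodes the logged 334 challenge and client reply and recomputes the digest the server would expect for a given password. The function names are hypothetical, and the password stored in sasldb2 is not on the page, so it has to be supplied by the administrator.

```python
import base64
import hashlib
import hmac

# Base64 payloads copied from the maillog quoted in the thread above.
LOGGED_CHALLENGE_B64 = "PDM1ODY5NTc3ODAuMTA4OTEzNThAc2VydmVyLnd1bnNjaHJhZGlvLmRlPg=="
LOGGED_RESPONSE_B64 = (
    "Y2FzaUBiaW9iaWVuY2hlbi5kZSAyM2FhNTA2YTc4MjRhNDFkOGI0YzczZDNjNjEyOTkwMQ=="
)


def decode_challenge(b64: str) -> bytes:
    """Return the raw server challenge carried in the 334 line."""
    return base64.b64decode(b64, validate=True)


def decode_response(b64: str) -> tuple[str, str]:
    """Split the client's reply into (username, hex digest)."""
    text = base64.b64decode(b64, validate=True).decode("utf-8")
    # The digest is the last space-separated token; the rest is the username.
    username, _, digest = text.rpartition(" ")
    if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("reply does not end in a 32-digit lowercase hex digest")
    return username, digest


def expected_digest(password: str, challenge: bytes) -> str:
    """RFC 2195: HMAC-MD5 keyed with the shared secret, computed over the challenge."""
    return hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()


def response_matches(password: str, challenge_b64: str, response_b64: str) -> bool:
    """True if this password would have produced the digest the client sent."""
    _, digest = decode_response(response_b64)
    want = expected_digest(password, decode_challenge(challenge_b64))
    return hmac.compare_digest(want, digest)


if __name__ == "__main__":
    user, digest = decode_response(LOGGED_RESPONSE_B64)
    print("challenge:", decode_challenge(LOGGED_CHALLENGE_B64).decode())
    print("user     :", user)
    print("digest   :", digest)
```

The digest depends only on the password and the challenge, so a mismatch here means the client and the sasldb2 entry that was looked up do not hold the same secret.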


