
SASL problem

  • Sergio Ferreira
    Message 1 of 15 , Nov 29 10:57 AM
      Hi list,

      I am facing some problems with SASL authentication mechanism and any help is
      needed:

      I have this in the log:

      postfix/smtpd[3180]: connect from unknown[10.2.1.167]
      postfix/smtpd[3180]: match_list_match: unknown: no match
      postfix/smtpd[3180]: match_list_match: 10.2.1.167: no match
      postfix/smtpd[3180]: match_list_match: unknown: no match
      postfix/smtpd[3180]: match_list_match: 10.2.1.167: no match
      postfix/smtpd[3180]: > unknown[10.2.1.167]: 220 localhost ESMTP Postfix
      postfix/smtpd[3180]: watchdog_pat: 0x807dc08
      postfix/smtpd[3180]: < unknown[10.2.1.167]: EHLO CGINF167
      postfix/smtpd[3180]: > unknown[10.2.1.167]: 250-localhost
      postfix/smtpd[3180]: > unknown[10.2.1.167]: 250-PIPELINING
      postfix/smtpd[3180]: > unknown[10.2.1.167]: 250-SIZE 10240000
      postfix/smtpd[3180]: > unknown[10.2.1.167]: 250-VRFY
      postfix/smtpd[3180]: > unknown[10.2.1.167]: 250-ETRN
      postfix/smtpd[3180]: > unknown[10.2.1.167]: 250-AUTH LOGIN PLAIN
      postfix/smtpd[3180]: match_list_match: unknown: no match
      postfix/smtpd[3180]: match_list_match: 10.2.1.167: no match
      postfix/smtpd[3180]: > unknown[10.2.1.167]: 250 8BITMIME
      postfix/smtpd[3180]: watchdog_pat: 0x807dc08
      postfix/smtpd[3180]: < unknown[10.2.1.167]: AUTH LOGIN
      postfix/smtpd[3180]: smtpd_sasl_authenticate: sasl_method LOGIN
      postfix/smtpd[3180]: smtpd_sasl_authenticate: uncoded challenge: Username:
      postfix/smtpd[3180]: > unknown[10.2.1.167]: 334 VXNlcm5hbWU6
      postfix/smtpd[3180]: < unknown[10.2.1.167]: c2VyZ2lvLmZlcnJlaXJh
      postfix/smtpd[3180]: smtpd_sasl_authenticate: decoded response:
      sergio.ferreira
      postfix/smtpd[3180]: smtpd_sasl_authenticate: uncoded challenge: Password:
      postfix/smtpd[3180]: > unknown[10.2.1.167]: 334 UGFzc3dvcmQ6
      postfix/smtpd[3180]: < unknown[10.2.1.167]: dGVzdGU=
      postfix/smtpd[3180]: smtpd_sasl_authenticate: decoded response: teste
      postfix/smtpd[3180]: warning: SASL authentication failure: cannot connect to
      saslauthd server: Permission denied
      postfix/smtpd[3180]: warning: unknown[10.2.1.167]: SASL LOGIN authentication
      failed
      postfix/smtpd[3180]: > unknown[10.2.1.167]: 535 Error: authentication failed
      postfix/smtpd[3180]: watchdog_pat: 0x807dc08
      postfix/smtpd[3180]: smtp_get: EOF
      postfix/smtpd[3180]: lost connection after AUTH from unknown[10.2.1.167]
      postfix/smtpd[3180]: disconnect from unknown[10.2.1.167]
      postfix/smtpd[3180]: master_notify: status 1
      postfix/smtpd[3180]: connection closed

      Any suggestion?


      Bye,

      Sergio
    • Werner Detter
      Message 2 of 15 , Nov 29 11:21 AM
        > postfix/smtpd[3180]: warning: SASL authentication failure: cannot connect to
        > saslauthd server: Permission denied
        > Any suggestion?

        Hi,

        add the user postfix to group sasl

        regards,
        werner
      • Sergio Ferreira
        Message 3 of 15 , Nov 29 11:54 AM
          Hi again Werner,


          Good shot, it is working now, but Postfix is not enforcing SASL. I am able
          to connect either with the authentication process or without auth... How could
          that be?

          See my SASL options at main.cf:

          smtpd_sasl_auth_enable = yes
          smtpd_sasl_security_options = noanonymous

          #smtpd_sasl_local_domain = $myhostname (not enabled yet)

          #broken_sasl_auth_clients = yes (I am thinking of ripping it out)

          Best regards.

          Bye,

          Sergio

          >>>>>-----Original Message-----
          >>>>>From: owner-postfix-users@...
          >>>>>[mailto:owner-postfix-users@...] On Behalf Of Werner Detter
          >>>>>Sent: Tuesday, November 29, 2005 5:22 PM
          >>>>>To: postfix-users@...
          >>>>>Subject: Re: SASL problem
          >>>>>
          >>>>>
          >>>>>> postfix/smtpd[3180]: warning: SASL authentication
          >>>>>failure: cannot
          >>>>>> connect to saslauthd server: Permission denied Any suggestion?
          >>>>>
          >>>>>Hi,
          >>>>>
          >>>>>add the user postfix to group sasl
          >>>>>
          >>>>>regards,
          >>>>>werner
        • Werner Detter
          Message 4 of 15 , Nov 29 12:07 PM
            Hi Sergio,

            > Good shot, it is working now, but Postfix is not enforcing SASL. I am able
            > to connect either with the authentication process or without auth... How could
            > that be?

            i think you are probably connecting to your mailserver from a machine
            within $mynetworks, so relaying is allowed ...

            regards,
            werner
          • Patrick Ben Koetter
            Message 5 of 15 , Nov 29 12:17 PM
              * Werner Detter <wd@...>:
              > Hi Sergio,
              >
              > > Good shot, it is working now, but Postfix is not enforcing SASL. I am able
              > > to connect either with the authentication process or without auth... How could
              > > that be?
              >
              > i think you are probably connecting to your mailserver from a machine
              > within $mynetworks, so relaying is allowed ...

              <http://www.postfix.org/DEBUG_README.html#mail>
              Section 8

              p@rick

              --
              The Book of Postfix
              <http://www.postfix-book.com>
              saslfinger (debugging SMTP AUTH):
              <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
            • Sandy Drobic
              Message 6 of 15 , Nov 29 4:00 PM
                Sergio Ferreira wrote:
                > Hi again Werner,
                >
                >
                > Good shot, it is working now, but Postfix is not enforcing SASL. I am able
                > to connect either with the authentication process or without auth... How could
                > that be?

                mynetworks=127.0.0.0/8
                smtpd_recipient_restrictions=
                    permit_mynetworks,
                    permit_sasl_authenticated,
                    reject_unauth_destination


                Sandy
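Added example, not part of the original posts: a simplified model of how Postfix walks smtpd_recipient_restrictions in order and stops at the first match, which is why a client inside $mynetworks is accepted without ever authenticating. The wide mynetworks value, the domain names and the `evaluate` helper are assumptions made for illustration; only the three restrictions quoted above are modelled.

```python
import ipaddress

# Simplified model of Postfix's in-order, first-match evaluation of
# smtpd_recipient_restrictions. Only the three restrictions quoted in the
# thread are modelled; real Postfix supports many more.
RESTRICTIONS = ["permit_mynetworks", "permit_sasl_authenticated",
                "reject_unauth_destination"]


def evaluate(client_ip, authenticated, rcpt_domain, mynetworks, local_domains,
             restrictions=RESTRICTIONS):
    """Return (action, deciding_restriction) for one RCPT TO command."""
    ip = ipaddress.ip_address(client_ip)
    for name in restrictions:
        if name == "permit_mynetworks":
            if any(ip in ipaddress.ip_network(net) for net in mynetworks):
                return ("permit", name)
        elif name == "permit_sasl_authenticated":
            if authenticated:
                return ("permit", name)
        elif name == "reject_unauth_destination":
            # Reject unless this server is the final destination (or a
            # configured relay) for the recipient domain.
            if rcpt_domain.lower() not in local_domains:
                return ("reject", name)
        else:
            raise ValueError("restriction not modelled: " + name)
    # Nothing matched: the recipient is accepted.
    return ("permit", "end of list")


# Constructed sample values. Only the client address and 127.0.0.0/8 come
# from the thread; the wide network and the domains are assumptions.
WIDE_MYNETWORKS = ["127.0.0.0/8", "10.0.0.0/8"]
NARROW_MYNETWORKS = ["127.0.0.0/8"]
LOCAL_DOMAINS = {"example.com"}
CLIENT = "10.2.1.167"


def demo():
    """Decisions for the unauthenticated and authenticated LAN client."""
    return {
        "wide, no auth, relay": evaluate(
            CLIENT, False, "example.org", WIDE_MYNETWORKS, LOCAL_DOMAINS),
        "narrow, no auth, relay": evaluate(
            CLIENT, False, "example.org", NARROW_MYNETWORKS, LOCAL_DOMAINS),
        "narrow, auth, relay": evaluate(
            CLIENT, True, "example.org", NARROW_MYNETWORKS, LOCAL_DOMAINS),
        "narrow, no auth, local rcpt": evaluate(
            CLIENT, False, "example.com", NARROW_MYNETWORKS, LOCAL_DOMAINS),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:30} -> {decision}")
```

The last case shows that narrowing mynetworks does not force authentication for mail addressed to the server's own domains; it only stops unauthenticated relaying.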
              • punit jain
                Message 7 of 15 , Aug 18, 2008
                  Hi all,

                  I have a Postfix server running and have configured SASL, but I see:

                  telnet 0.0.0.0 25
                  Trying 0.0.0.0...
                  Connected to 0.0.0.0.
                  Escape character is '^]'.
                  220 mail.example.com ESMTP Postfix
                  ehlo irfan
                  250-mail.andare.ch
                  250-PIPELINING
                  250-SIZE 20480000
                  250-VRFY
                  250-ETRN
                  250-STARTTLS
                  250-AUTH SMB-NTLMv2 SMB-NT SMB-LAN-MANAGER MS-CHAPv2 PLAIN OTP NTLM LOGIN GSSAPI DIGEST-MD5 CRAM-MD5 WEBDAV-DIGEST DHX APOP
                  250-AUTH=SMB-NTLMv2 SMB-NT SMB-LAN-MANAGER MS-CHAPv2 PLAIN OTP NTLM LOGIN GSSAPI DIGEST-MD5 CRAM-MD5 WEBDAV-DIGEST DHX APOP
                  250-ENHANCEDSTATUSCODES
                  250-8BITMIME
                  250 DSN
                  ^]
                  telnet> q
                  Connection closed.


                  I don't have Samba or Kerberos set up. Nor do I see anything suspicious in smtpd.conf

                  pwcheck_method: saslauthd
                  mech_list: PLAIN LOGIN

                  Can anyone point out what can be the issue ?
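Added example, not part of the original post: a small parser that extracts the AUTH mechanisms from an EHLO reply and compares them with the mech_list in smtpd.conf, so the mismatch described above can be checked mechanically. The EHLO replies are taken from the two sessions shown in this thread (the first rebuilt from the smtpd log lines); the function names are assumptions, and the replies are assumed to have been captured on an unencrypted session, as with telnet.

```python
import re

# Mechanisms that send the password itself (only base64-encoded).
PASSWORD_MECHS = {"PLAIN", "LOGIN"}


def parse_ehlo(reply):
    """Return {KEYWORD: set(params)} from a multi-line 250 EHLO reply."""
    caps, seen_greeting = {}, False
    for line in reply.splitlines():
        m = re.match(r"250[- ](.+)", line.strip())
        if not m:
            continue
        if not seen_greeting:        # first 250 line is the server's name
            seen_greeting = True
            continue
        text = m.group(1)
        if text.upper().startswith("AUTH="):   # legacy "AUTH=" spelling
            text = "AUTH " + text[5:]
        keyword, *params = text.split()
        caps.setdefault(keyword.upper(), set()).update(
            p.upper() for p in params)
    return caps


def read_mech_list(conf_text):
    """Return the mechanisms named on the mech_list line of smtpd.conf."""
    for line in conf_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "mech_list":
            return {m.upper() for m in value.split()}
    return set()


def audit(reply, conf_text):
    """Compare what the server advertises with what the config names."""
    caps = parse_ehlo(reply)
    advertised = caps.get("AUTH", set())
    configured = read_mech_list(conf_text)
    return {
        "unexpected": sorted(advertised - configured),
        "missing": sorted(configured - advertised),
        "starttls_offered": "STARTTLS" in caps,
        # Reply was captured before any TLS handshake, so these would
        # cross the wire readable if a client used them right away.
        "password_mechs_before_tls": sorted(advertised & PASSWORD_MECHS),
    }


SERGIO_EHLO = """250-localhost
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250 8BITMIME"""

PUNIT_EHLO = """250-mail.andare.ch
250-PIPELINING
250-SIZE 20480000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH SMB-NTLMv2 SMB-NT SMB-LAN-MANAGER MS-CHAPv2 PLAIN OTP NTLM LOGIN GSSAPI DIGEST-MD5 CRAM-MD5 WEBDAV-DIGEST DHX APOP
250-AUTH=SMB-NTLMv2 SMB-NT SMB-LAN-MANAGER MS-CHAPv2 PLAIN OTP NTLM LOGIN GSSAPI DIGEST-MD5 CRAM-MD5 WEBDAV-DIGEST DHX APOP
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

PUNIT_SMTPD_CONF = "pwcheck_method: saslauthd\nmech_list: PLAIN LOGIN\n"

if __name__ == "__main__":
    print(audit(PUNIT_EHLO, PUNIT_SMTPD_CONF))
```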



                • Patrick Ben Koetter
                  Message 8 of 15 , Aug 18, 2008
                    * punit jain <contactpunitjain@...>:
                    > Hi all,
                    >
                    > I have postfix server running and have configured sasl. I have configured
                    > SASL but i could see : -
                    >
                    > telnet 0.0.0.0 25
                    > Trying 0.0.0.0...
                    > Connected to 0.0.0.0.
                    > Escape character is '^]'.
                    > 220 mail.example.com ESMTP Postfix
                    > ehlo irfan
                    > 250-mail.andare.ch
                    > 250-PIPELINING
                    > 250-SIZE 20480000
                    > 250-VRFY
                    > 250-ETRN
                    > 250-STARTTLS
                    > 250-AUTH SMB-NTLMv2 SMB-NT SMB-LAN-MANAGER MS-CHAPv2 PLAIN OTP NTLM LOGIN
                    > GSSAPI DIGEST-MD5 CRAM-MD5 WEBDAV-DIGEST DHX APOP
                    > 250-AUTH=SMB-NTLMv2 SMB-NT SMB-LAN-MANAGER MS-CHAPv2 PLAIN OTP NTLM LOGIN
                    > GSSAPI DIGEST-MD5 CRAM-MD5 WEBDAV-DIGEST DHX APOP
                    > 250-ENHANCEDSTATUSCODES
                    > 250-8BITMIME
                    > 250 DSN
                    > ^]
                    > telnet> q
                    > Connection closed.
                    >
                    >
                    > I don't have Samba or Kerberos set up. Nor do I see anything suspicious in
                    > smtpd.conf
                    >
                    > pwcheck_method: saslauthd
                    > mech_list: PLAIN LOGIN
                    >
                    > Can anyone point out what can be the issue ?

                    No. Please follow the instructions in the DEBUG_README for SASL related
                    problems.

                    p@rick




                    --
                    The Book of Postfix
                    <http://www.postfix-book.com>
                    saslfinger (debugging SMTP AUTH):
                    <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
                  • Tolga
                    Message 9 of 15 , Oct 2, 2011
                      Hi,

                      Oct  2 12:35:18 vps postfix/smtpd[16201]: warning: SASL: Connect to private/auth failed: Permission denied
                      Oct  2 12:35:18 vps postfix/smtpd[16201]: fatal: no SASL authentication mechanisms
                      Oct  2 12:35:19 vps postfix/master[9841]: warning: process /usr/lib/postfix/smtpd pid 16201 exit status 1
                      Oct  2 12:35:19 vps postfix/master[9841]: warning: /usr/lib/postfix/smtpd: bad command startup -- throttling
                      Oct  2 12:36:52 vps postfix/smtpd[16208]: connect from unknown[46.196.57.29]
                      2011 Oct  2 12:36:52 vps fatal: no SASL authentication mechanisms
                      Oct  2 12:36:52 vps postfix/smtpd[16208]: warning: SASL: Connect to private/auth failed: Permission denied
                      Oct  2 12:36:52 vps postfix/smtpd[16208]: fatal: no SASL authentication mechanisms
                      Oct  2 12:36:53 vps postfix/master[9841]: warning: process /usr/lib/postfix/smtpd pid 16208 exit status 1
                      Oct  2 12:36:53 vps postfix/master[9841]: warning: /usr/lib/postfix/smtpd: bad command startup -- throttling

                      From these logs I understand that auth permissions return to the way it used to be, because last time I chown'd it to postfix:postfix and it worked perfectly. How can I prevent the socket from changing ownership? Should I look into OS, or postfix?
                      Regards,
                    • Patrick Ben Koetter
                      Message 10 of 15 , Oct 2, 2011
                        * Tolga <tolga@...>:
                        > Oct 2 12:35:18 vps postfix/smtpd[16201]: warning: SASL: Connect to
                        > private/auth failed: Permission denied
                        > Oct 2 12:35:18 vps postfix/smtpd[16201]: fatal: no SASL authentication
                        > mechanisms
                        > Oct 2 12:35:19 vps postfix/master[9841]: warning: process
                        > /usr/lib/postfix/smtpd pid 16201 exit status 1
                        > Oct 2 12:35:19 vps postfix/master[9841]: warning: /usr/lib/postfix/smtpd:
                        > bad command startup -- throttling
                        > Oct 2 12:36:52 vps postfix/smtpd[16208]: connect from unknown[46.196.57.29]
                        > 2011 Oct 2 12:36:52 vps fatal: no SASL authentication mechanisms
                        > Oct 2 12:36:52 vps postfix/smtpd[16208]: warning: SASL: Connect to
                        > private/auth failed: Permission denied
                        > Oct 2 12:36:52 vps postfix/smtpd[16208]: fatal: no SASL authentication
                        > mechanisms
                        > Oct 2 12:36:53 vps postfix/master[9841]: warning: process
                        > /usr/lib/postfix/smtpd pid 16208 exit status 1
                        > Oct 2 12:36:53 vps postfix/master[9841]: warning: /usr/lib/postfix/smtpd:
                        > bad command startup -- throttling
                        >
                        > From these logs I understand that auth permissions return to the way it used
                        > to be, because last time I chown'd it to postfix:postfix and it worked
                        > perfectly. How can I prevent the socket from changing ownership? Should I
                        > look into OS, or postfix?

                        Please follow this advice to get help on the Postfix mailing list:
                        <http://de.postfix.org/httpmirror/DEBUG_README.html#mail>

                        p@rick

                        --
                        All technical questions asked privately will be automatically answered on the
                        list and archived for public access unless privacy is explicitly required and
                        justified.

                        saslfinger (debugging SMTP AUTH):
                        <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
                      • Reindl Harald
                        Message 11 of 15 , Oct 2, 2011
                          On 02.10.2011 10:50, Tolga wrote:
                          > Hi,
                          >
                          > Oct 2 12:36:52 vps postfix/smtpd[16208]: warning: SASL: Connect to private/auth failed: Permission denied
                          >
                          > From these logs I understand that auth permissions return to the way it used to be, because last
                          > time I chown'd it to postfix:postfix and it worked perfectly. How can I prevent the socket from
                          > changing ownership? Should I look into OS, or postfix?

                          what about giving more information?
                          what about "postconf -n"?
                          why do you EVERYTIME let us guess?

                          what permissions/owner was set before?
                          what auth-backend?

                          i guess (and i guess THE LAST TIME for you) dovecot?
                          if it is not dovecot find out WHAT backend you are using
                          and read the manual of the software who creates "private/auth"

                          postfix is not responsible in any way for sockets of other software

                          # configure backend for postfix sasl-auth
                          service auth {
                            unix_listener /var/spool/postfix/private/auth {
                              mode = 0660
                              user = postfix
                              group = postfix
                            }
                          }
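Added example, not part of the original posts: both "Permission denied" warnings in this thread (saslauthd, and Dovecot's private/auth) come from the same check, whether the smtpd process may traverse every directory on the way to the socket and write to the socket itself. The sketch below applies the POSIX owner/group/other rule to such a path; the numeric IDs and the directory modes are constructed assumptions, and write permission on the socket is the Linux rule for connecting.

```python
import os
import stat

SEARCH, WRITE = 0o1, 0o2    # x and w bits inside one rwx triplet


def allows(owner, group, mode, uid, gids, bit):
    """POSIX class selection: exactly one of owner/group/other applies."""
    if uid == 0:
        return True                      # root bypasses these checks
    if uid == owner:
        shift = 6
    elif group in gids:
        shift = 3
    else:
        shift = 0
    return bool((mode >> shift) & bit)


def first_denial(chain, uid, gids):
    """chain: [(path, owner, group, mode), ...], directories first and the
    socket last. Return (path, reason) for the first component that blocks
    the process, or None if connect() would be permitted."""
    *dirs, sock = chain
    for path, owner, group, mode in dirs:
        if not allows(owner, group, mode, uid, gids, SEARCH):
            return (path, "no search (x) permission on directory")
    path, owner, group, mode = sock
    if not allows(owner, group, mode, uid, gids, WRITE):
        return (path, "no write (w) permission on socket")
    return None


def stat_chain(socket_path):
    """Build the chain for a real socket (run this on the mail server)."""
    parts, p = [], os.path.abspath(socket_path)
    while True:
        st = os.stat(p)
        parts.append((p, st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode)))
        parent = os.path.dirname(p)
        if parent == p:
            return parts[::-1]
        p = parent


# Constructed numeric IDs and modes, for illustration only.
POSTFIX_UID, POSTFIX_GID, SASL_GID = 101, 105, 45

SASLAUTHD = [("/var/run/saslauthd", 0, SASL_GID, 0o710),
             ("/var/run/saslauthd/mux", 0, 0, 0o777)]

PRIVATE_DIR = ("/var/spool/postfix/private", POSTFIX_UID, 0, 0o700)
DOVECOT_BEFORE = [PRIVATE_DIR,
                  ("/var/spool/postfix/private/auth", 0, 0, 0o600)]
# After setting mode = 0660, user = postfix, group = postfix.
DOVECOT_AFTER = [PRIVATE_DIR,
                 ("/var/spool/postfix/private/auth",
                  POSTFIX_UID, POSTFIX_GID, 0o660)]

if __name__ == "__main__":
    print(first_denial(SASLAUTHD, POSTFIX_UID, [POSTFIX_GID]))
    print(first_denial(SASLAUTHD, POSTFIX_UID, [POSTFIX_GID, SASL_GID]))
    print(first_denial(DOVECOT_BEFORE, POSTFIX_UID, [POSTFIX_GID]))
    print(first_denial(DOVECOT_AFTER, POSTFIX_UID, [POSTFIX_GID]))
```

On a live system, `first_denial(stat_chain(path), uid, gids)` with the postfix user's real IDs names the exact component to fix instead of loosening permissions on everything.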
                        • Patrick Ben Koetter
                          Message 12 of 15 , Oct 2, 2011
                            Harald,

                            * Reindl Harald <h.reindl@...>:
                            >
                            > On 02.10.2011 10:50, Tolga wrote:
                            > > Hi,
                            > >
                            > > Oct 2 12:36:52 vps postfix/smtpd[16208]: warning: SASL: Connect to private/auth failed: Permission denied
                            > >
                            > > From these logs I understand that auth permissions return to the way it used to be, because last
                            > > time I chown'd it to postfix:postfix and it worked perfectly. How can I prevent the socket from
                            > > changing ownership? Should I look into OS, or postfix?
                            >
                            > what about giving more informations?
                            > what about "postconf -n"?
                            > why do you EVERYTIME let us guess?
                            >
                            > what permissions/owner was set before?
                            > what auth-backend?
                            >
                            > i guess (and i guess THE LAST TIME for you) dovecot?

                            there's a difference between telling people they need to do something in order
                            to get help and insulting them. If you want to help people just do it, if you
                            don't want to help them then don't. In any case stop being so aggressive.

                            p@rick


                            --
                            All technical questions asked privately will be automatically answered on the
                            list and archived for public access unless privacy is explicitly required and
                            justified.

                            saslfinger (debugging SMTP AUTH):
                            <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
                          • Reindl Harald
                            Message 13 of 15 , Oct 2, 2011
                              On 02.10.2011 13:47, Patrick Ben Koetter wrote:
                              > there's a difference between telling people they need to do something in order
                              > to get help and insulting them. If you want to help people just do it, if you
                              > don't want to help them then don't. In any case stop being so aggressive.

                              sorry, but this is the second time a thread from the same person about the
                              same problem and again without "postfix -n" or even config-snippets depending
                              to auth and normally it should be logical that configuration informations are
                              needed..............
                            • Tolga
                              Message 14 of 15 , Oct 2, 2011
                                On 02-10-2011 18:14, Reindl Harald wrote:
                                >
                                > On 02.10.2011 13:47, Patrick Ben Koetter wrote:
                                >> there's a difference between telling people they need to do something in order
                                >> to get help and insulting them. If you want to help people just do it, if you
                                >> don't want to help them then don't. In any case stop being so aggressive.
                                > sorry, but this is the second time a thread from the same person about the
                                > same problem and again without "postfix -n" or even config-snippets depending
                                > to auth and normally it should be logical that configuration informations are
                                > needed..............
                                >
                                Sorry for causing all this trouble guys, but as Reindl stated, it was
                                because of me because I didn't set user for private/auth, so I did and
                                the problem disappeared.

                                Thanks,
                              • Reindl Harald
                                Message 15 of 15 , Oct 2, 2011
                                  On 02.10.2011 17:22, Tolga wrote:
                                  > On 02-10-2011 18:14, Reindl Harald wrote:
                                  >>
                                  >> On 02.10.2011 13:47, Patrick Ben Koetter wrote:
                                  >>> there's a difference between telling people they need to do something in order
                                  >>> to get help and insulting them. If you want to help people just do it, if you
                                  >>> don't want to help them then don't. In any case stop being so aggressive.
                                  >> sorry, but this is the second time a thread from the same person about the
                                  >> same problem and again without "postfix -n" or even config-snippets depending
                                  >> to auth and normally it should be logical that configuration informations are
                                  >> needed..............
                                  >>
                                  > Sorry for causing all this trouble guys, but as Reindl stated, it was because of me because I
                                  > didn't set user for private/auth, so I did and the problem disappeared.

                                  no problem

                                  i only wanted to point out that it is much easier for people who try to help
                                  if they have configuration infos instead hope there is someone who had the
                                  same problem or even configured his dovecot correct the first time but guesses
                                  what can be missing

                                  independent of the software/problem: try to offer as much infos as possible
                                  from the begin to help people out there to understand your environment

                                  maybe where ever i found that dovecot can be used for postfix-auth found a better
                                  documentation as yours because mine had the user/group in 2009 as far as i remember