
Re: SMTP AUTH with LDAP

  • Andreas Winkelmann
    Message 1 of 12 , Dec 28, 2005
      On Thursday 29 December 2005 04:12, Jay Kusler wrote:

      > I'm trying to get SMTP AUTH with TLS to work with an openldap directory
      > and am stuck.
      >
      > Environment:
      > Solaris 9 (sparc), Cyrus-SASL 2.1.19, Postfix 2.2.7, Openldap 2.3.11
      >
      > testsaslauthd (and ldapsearch) works fine:
      > /usr/local/bin/testsaslauthd -u <user> -p <password>
      > 0: OK "Success."

      Do you use pam_ldap or the ldap-support in saslauthd? If pam, you should add
      "-s smtp" to testsaslauthd. This makes a difference.

      > When I telnet to port 25 and EHLO, I get:
      > <....>
      > 250-PIPELINING
      > 250-SIZE 50240000
      > 250-ETRN
      > 250-STARTTLS
      > 250-AUTH LOGIN PLAIN GSSAPI OTP DIGEST-MD5 CRAM-MD5
      > 250-AUTH=LOGIN PLAIN GSSAPI OTP DIGEST-MD5 CRAM-MD5
      > 250 8BITMIME

      You are offering mechanisms which are not supported by saslauthd. Only plain
      and login will work. Add a line

      mech_list: plain login

      to your smtpd.conf.

      > and then authentication fails. (AUTH PLAIN base64-mime-string)
      > Logs show:
      > postfix/smtpd: warning: SASL authentication failure: Can only find
      > author/en (no password)
      > SASL PLAIN authentication failed

      This means the base64-encoded string is wrong. I would guess your password
      begins with a number. If you are unsure about using echo/print(f), it is best
      to use a real MUA to test it. To help here, you have to show the base64-encoded
      string, which includes your username/password; this is not the preferred way.
      Use a MUA (or, if you have Cyrus-Imapd installed, there is a tool included
      named smtptest).

      > Anything anyone could suggest would be greatly appreciated.

      > -------------------------------------------------------------
      > and saslfinger -s output:
      >
      > saslfinger - postfix Cyrus sasl configuration Wed Dec 28 22:07:32 EST 2005
      > version: 1.0
      > mode: server-side SMTP AUTH
      >
      > -- basics --
      > Postfix: 2.2.7
      >
      > -- smtpd is linked to --
      > libsasl2.so.2 => /home/sasl/lib/libsasl2.so.2
      >
      > -- active SMTP AUTH and TLS parameters for smtpd --
      > broken_sasl_auth_clients = yes
      > smtpd_sasl_application_name = smptd
      > smtpd_sasl_auth_enable = yes
      > smtpd_sasl_local_domain =
      > smtpd_sasl_security_options = noanonymous
      > smtpd_sasl_tls_security_options = noanonymous
      > smtpd_tls_CAfile = /usr/local/ssl/certs/cacert.pem
      > smtpd_tls_auth_only = no
      > smtpd_tls_cert_file = /usr/local/ssl/certs/opal.crt
      > smtpd_tls_key_file = /usr/local/ssl/certs/opal.key
      > smtpd_tls_loglevel = 1
      > smtpd_tls_received_header = yes
      > smtpd_tls_session_cache_timeout = 3600s
      > smtpd_use_tls = yes
      >
      >
      > -- listing of /usr/lib/sasl2 --
      > total 10682
      > drwxr-xr-x 3 root other 1024 Dec 28 19:13 .
      > drwxr-xr-x 3 root other 512 Dec 27 14:36 ..
      > drwxr-xr-x 2 root other 512 Dec 27 18:41 ldap
      > -rwxr-xr-x 1 root other 795 Dec 27 14:36 libanonymous.la
      > -rwxr-xr-x 1 root other 173596 Dec 27 14:36 libanonymous.so
      > -rwxr-xr-x 1 root other 173596 Dec 27 14:36 libanonymous.so.2
      > -rwxr-xr-x 1 root other 173596 Dec 27 14:36 libanonymous.so.2.0.21
      > -rwxr-xr-x 1 root other 783 Dec 27 14:36 libcrammd5.la
      > -rwxr-xr-x 1 root other 183052 Dec 27 14:36 libcrammd5.so
      > -rwxr-xr-x 1 root other 183052 Dec 27 14:36 libcrammd5.so.2
      > -rwxr-xr-x 1 root other 183052 Dec 27 14:36 libcrammd5.so.2.0.21
      > -rwxr-xr-x 1 root other 828 Dec 27 14:36 libdigestmd5.la
      > -rwxr-xr-x 1 root other 259864 Dec 27 14:36 libdigestmd5.so
      > -rwxr-xr-x 1 root other 259864 Dec 27 14:36 libdigestmd5.so.2
      > -rwxr-xr-x 1 root other 259864 Dec 27 14:36 libdigestmd5.so.2.0.21
      > -rwxr-xr-x 1 root other 828 Dec 27 14:36 libgssapiv2.la
      > -rwxr-xr-x 1 root other 198044 Dec 27 14:36 libgssapiv2.so
      > -rwxr-xr-x 1 root other 198044 Dec 27 14:36 libgssapiv2.so.2
      > -rwxr-xr-x 1 root other 198044 Dec 27 14:36 libgssapiv2.so.2.0.21
      > -rwxr-xr-x 1 root other 771 Dec 27 14:36 liblogin.la
      > -rwxr-xr-x 1 root other 175048 Dec 27 14:36 liblogin.so
      > -rwxr-xr-x 1 root other 175048 Dec 27 14:36 liblogin.so.2
      > -rwxr-xr-x 1 root other 175048 Dec 27 14:36 liblogin.so.2.0.21
      > -rwxr-xr-x 1 root other 762 Dec 22 16:11 libotp.la
      > -rwxr-xr-x 1 root other 268100 Dec 22 16:11 libotp.so
      > -rwxr-xr-x 1 root other 268100 Dec 22 16:11 libotp.so.2
      > -rwxr-xr-x 1 root other 268100 Dec 22 16:11 libotp.so.2.0.21
      > -rwxr-xr-x 1 root other 771 Dec 27 14:36 libplain.la
      > -rwxr-xr-x 1 root other 174572 Dec 27 14:36 libplain.so
      > -rwxr-xr-x 1 root other 174572 Dec 27 14:36 libplain.so.2
      > -rwxr-xr-x 1 root other 174572 Dec 27 14:36 libplain.so.2.0.21
      > -rwxr-xr-x 1 root other 804 Dec 27 14:36 libsasldb.la
      > -rwxr-xr-x 1 root other 280156 Dec 27 14:36 libsasldb.so
      > -rwxr-xr-x 1 root other 280156 Dec 27 14:36 libsasldb.so.2
      > -rwxr-xr-x 1 root other 280156 Dec 27 14:36 libsasldb.so.2.0.21
      > -rw-r--r-- 1 root other 111 Dec 22 16:21 saslauthd.conf
      > -rw-r--r-- 1 root other 62 Dec 28 11:31 smtpd.conf
      >
      > -- listing of /usr/local/lib/sasl2 --
      > total 8
      > drwxr-xr-x 2 root other 512 Dec 28 19:09 .
      > drwxr-xr-x 5 root bin 512 Dec 28 19:09 ..
      > -rw-r--r-- 1 root other 111 Dec 22 16:21 saslauthd.conf
      > -rw-r--r-- 1 root other 62 Dec 28 11:31 smtpd.conf

      There should be a link between /usr/local/lib/sasl2 and /usr/lib/sasl2.

      > -- content of /usr/lib/sasl2/smtpd.conf --
      > log_level: 7
      > pwcheck_method: saslauthd
      > mech_list: PLAIN LOGIN
      >
      > -- content of /usr/local/lib/sasl2/smtpd.conf --
      > log_level: 7
      > pwcheck_method: saslauthd
      > mech_list: PLAIN LOGIN

      > -- mechanisms on localhost --
      > 250-AUTH LOGIN PLAIN GSSAPI OTP DIGEST-MD5 CRAM-MD5
      > 250-AUTH=LOGIN PLAIN GSSAPI OTP DIGEST-MD5 CRAM-MD5
      >
      > -- end of saslfinger output --

      The mech_list option does not work, so you can be almost sure that the
      smtpd.conf is in the wrong directory. Check the documentation of your
      distribution's Cyrus-SASL and Postfix, maybe Google. Or use something like
      strace/truss/...

      --
      Andreas
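
An added example, not part of the original message: a small Python helper that builds the AUTH PLAIN argument and checks a hand-built one before it is sent, illustrating the kind of failure the reply guesses at for a password that begins with a digit. It assumes the RFC 4616 message layout (authzid NUL authcid NUL passwd); the function names, the user "jay" and the password are constructed for illustration.

```python
import base64

def encode_plain(authcid: str, passwd: str, authzid: str = "") -> str:
    """Build the base64 argument for AUTH PLAIN (RFC 4616 layout)."""
    for name, value in (("authzid", authzid), ("authcid", authcid),
                        ("passwd", passwd)):
        if "\0" in value:
            raise ValueError(f"{name} must not contain NUL")
    if not authcid or not passwd:
        raise ValueError("authcid and passwd must be non-empty")
    raw = "\0".join((authzid, authcid, passwd)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def diagnose_plain(token: str) -> str:
    """Decode an AUTH PLAIN argument and report its field structure."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "not valid base64"
    fields = raw.split(b"\0")
    if len(fields) < 3:
        return f"{len(fields)} field(s): password field missing"
    if len(fields) > 3:
        return f"{len(fields)} fields: stray NUL in the message"
    authzid, authcid, passwd = fields
    if not authcid:
        return "empty authentication identity"
    if not passwd:
        return "empty password"
    # Report the password length only, never its value.
    return ("ok: authzid=%r authcid=%r passwd=<%d bytes>"
            % (authzid.decode("utf-8", "replace"),
               authcid.decode("utf-8", "replace"), len(passwd)))

# Constructed samples (not taken from the thread).
GOOD = encode_plain("jay", "123secret")
# Bytes that bash's printf emits for the format '\0jay\0123secret': "\012"
# is consumed as one octal escape (LF), so the second NUL separator is lost.
BROKEN = base64.b64encode(b"\x00jay\n3secret").decode("ascii")

if __name__ == "__main__":
    for label, tok in (("good", GOOD), ("broken", BROKEN)):
        print(label, tok, "->", diagnose_plain(tok))
```

Passing the fields as printf arguments (`printf '%s\0%s\0%s' "" "$user" "$pass"`) instead of embedding them in the format string avoids the escape problem on the shell side.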