Re: SASL question

  • Curtis Maurand
    Message 1 of 17 , Feb 10, 2013
      Patrick Ben Koetter wrote:
      > * Curtis Maurand <curtis@...>:
      >>
      >>
      >> I had a server running on gentoo and it was running OK, but the latest
      >> updates in the gentoo tree killed it.  So I spent yesterday afternoon
      >> setting up new mail server using Ubuntu 12.04 LTS.
      >>
      >> It took a while, but I have it all working except for smtp
      >> authentication (which was working on the gentoo machine).  I copied
      >> the configuration over to the new machine and now I'm getting the
      >> following error:
      >>
      >> warning: SASL authentication problem: unable to open Berkeley db
      >> /etc/sasldb2: Invalid argument
      >
      > Did you follow the SASL documentation in Ubuntu's Postfix documentation? On
      > Debian/Ubuntu etc. you have to add the postfix user to the sasl group.
      >
      >
      >> according to the redhat website
      >> that tells me that it is because postfix is linked against the wrong
      >> version of Berkeley DB.
      >> https://bugzilla.redhat.com/show_bug.cgi?id=734088
      >
      > Nope. Wrong path. Debian is not RedHat.
      >
      >> However, nothing in my configuration says to open the sasldb file
      >> anywhere as the auth mechanism is set to imap, but postfix seems
      >> intent on opening this file anyway.
      >
      > Cyrus SASL opens sasldb as fallback when all other attempts to do AUTH
      > have failed. That in turn says your current setup is non-functional.
      > Which docs did you follow? What's your current setup?
      >
      >

      My current setup has the imap connecting to a remote server on a private
      network. The imap server is dbmail 2.2.17.

      Postfix is a member of the sasl group. There is an sasldb2 file just in
      case.
      >
      >
    • Reindl Harald
      Message 2 of 17 , Feb 10, 2013
        Am 10.02.2013 23:59, schrieb Curtis Maurand:
        > My current setup has the imap connecting to a remote server on a private
        > network. The imap server is dbmail 2.2.17.
        >
        > Postfix is a member of the sasl group. There is an sasldb2 file just in
        > case.

        i am using dovecot as proxy in front of dbmail
        since 2009 and for sasl auth because this way
        you have encryption, CRAM-MD5 and so on for
        IMAP as also the same SASL auth mechs for SMTP
        if postfix is using dovecot for SASL

        the sql-config below is for a localhost where dbmail-imapd
        is listening on 127.0.0.1:20143 and dovecot on 0.0.0.0:143
        ________________________________

        relevant snippets from dovecot.conf

        # configure proxy-database
        passdb {
          driver = sql
          args = /etc/dovecot/sql.conf
        }

        # we are not using local users
        userdb {
          driver = static
          args = static uid=15000 gid=15000 home=/dev/null
        }

        # configure backend for postfix sasl-auth
        service auth {
          unix_listener /var/spool/postfix/private/auth {
            mode = 0660
            user = postfix
            group = postfix
          }
        }
        ________________________________

        [root@srv-rhsoft:~]$ cat /etc/dovecot/sql.conf
        driver = mysql
        connect = host=mysqlhost dbname=dbmail user=dbmail password=************
        password_query = SELECT passwd as password, '127.0.0.1' as host, '20143' as port, userid as destuser, passwd \
          AS pass, 'Y' AS nologin, 'Y' AS nodelay, 'Y' AS proxy FROM dbmail_users WHERE userid='%u'
        default_pass_scheme = plain
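
The Postfix side of the setup described in the message above, as an added example that is not part of the original thread: a shell check that main.cf selects Dovecot SASL and that smtpd_sasl_path, resolved against the queue directory, names a socket that dovecot.conf actually declares as a unix_listener. The function names and the sample files are constructed for illustration; the three main.cf parameters are standard Postfix ones.

```shell
#!/bin/sh
# Added example (not from the thread): check that Postfix is wired to the
# Dovecot auth socket. Function names and sample files are constructed.

# Last "name = value" assignment in a main.cf-style file, value trimmed.
cf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# check_sasl_wiring MAIN_CF DOVECOT_CONF [QUEUE_DIR]; returns 0 if consistent.
check_sasl_wiring() {
    main_cf=$1; dovecot_conf=$2; queue_dir=${3:-/var/spool/postfix}; rc=0

    [ "$(cf_get "$main_cf" smtpd_sasl_auth_enable)" = yes ] ||
        { echo "smtpd_sasl_auth_enable is not yes"; rc=1; }
    # Without this line Postfix uses Cyrus SASL, the default type.
    [ "$(cf_get "$main_cf" smtpd_sasl_type)" = dovecot ] ||
        { echo "smtpd_sasl_type is not dovecot"; rc=1; }

    # A relative smtpd_sasl_path is resolved against the queue directory.
    path=$(cf_get "$main_cf" smtpd_sasl_path)
    case $path in
        "") echo "smtpd_sasl_path is not set"; return 1 ;;
        /*) sock=$path ;;
        *)  sock=$queue_dir/$path ;;
    esac

    # Every unix_listener path declared in the Dovecot configuration.
    listeners=$(sed -n 's/^[[:space:]]*unix_listener[[:space:]]*\([^[:space:]{]*\).*/\1/p' "$dovecot_conf")
    printf '%s\n' "$listeners" | grep -qxF "$sock" ||
        { echo "no unix_listener for $sock in $dovecot_conf"; rc=1; }
    return $rc
}

# Constructed sample files mirroring the snippet in the message above.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'smtpd_sasl_auth_enable = yes' 'smtpd_sasl_type = dovecot' \
        'smtpd_sasl_path = private/auth' > "$d/main.cf"
    printf '%s\n' 'service auth {' \
        '  unix_listener /var/spool/postfix/private/auth {' '  }' '}' > "$d/dovecot.conf"
    check_sasl_wiring "$d/main.cf" "$d/dovecot.conf" && echo "wiring OK"
    rm -rf "$d"
}
demo
```
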
      • Simon Walter
        Message 3 of 17 , Feb 10, 2013
          On 02/11/2013 05:46 AM, Reindl Harald wrote:
          >
          >
          > what are you using for IMAP?
          > if dovecot throw away the whole SASL crap!
          >
          >


          Don't you mean "...the whole *Cyrus* SASL crap"? Isn't "smtpd_sasl_type
          = dovecot" using the dovecot implementation of SASL?

          Simon

          --
          htholidays.com
        • Reindl Harald
          Message 4 of 17 , Feb 11, 2013
            Am 11.02.2013 04:53, schrieb Simon Walter:
            > On 02/11/2013 05:46 AM, Reindl Harald wrote:
            >>
            >> what are you using for IMAP?
            >> if dovecot throw away the whole SASL crap!
            >>
            > Don't you mean "...the whole *Cyrus* SASL crap"? Isn't "smtpd_sasl_type = dovecot" using the dovecot implementation
            > of SASL?

            ok, i word it "the whole manually configured SASL crap"

            usually you need authentication for SMTP/POP3/IMAP and so
            preferred is a single instance and the same auth-mechs on
            all services
          • Bob Proulx
            Message 5 of 17 , Feb 13, 2013
              Curtis Maurand wrote:
              > Patrick Ben Koetter wrote:
              > >> However, nothing in my configuration says to open the sasldb file
              > >> anywhere as the auth mechanism is set to imap, but postfix seems
              > >> intent on opening this file anyway.
              > >
              > > Cyrus SASL opens sasldb as fallback when all other attempts to do
              > > AUTH have failed. That in turn says your current setup is
              > > non-functional. Which docs did you follow? What's your current
              > > setup?
              >
              > My current setup has the imap connecting to a remote server on a private
              > network. The imap server is dbmail 2.2.17.
              >
              > Postfix is a member of the sasl group. There is an sasldb2 file
              > just in case.

              I am not sure it is your desire to use the sasldb2 file. But if it is
              then on Debian it needs to be made available in the chroot which on
              Debian is usually located at /var/spool/postfix/etc. For me it meant
              the easiest thing to do was to modify the /etc/init.d/postfix script
              to make sure it was copied into the chroot when it was started.

              I added etc/sasldb2 to this next section.

              FILES="etc/sasldb2 etc/localtime etc/services etc/resolv.conf etc/hosts \
                  etc/nsswitch.conf etc/nss_mdns.config"
              for file in $FILES; do
                  [ -d ${file%/*} ] || mkdir -p ${file%/*}
                  if [ -f /${file} ]; then rm -f ${file} && cp -p /${file} ${file}; fi
                  # if [ -f ${file} ]; then chmod a+rX ${file}; fi
              done

              And I also removed that line that is commented out so that the
              original permissions are preserved. That causes permissions to be
              preserved from the /etc file into the chroot area when the file is
              copied into it. Otherwise the file would be available to everyone.
              Using the original permissions on all of the files is okay.

              Again, that is only if you are intending to use the sasldb2 file. It
              is a nice simple fallback. But most schemes use other access control
              methods.

              Bob
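
A way to verify the outcome described in the message above, as an added example that is not part of the original thread: it compares the permission bits of each file with its copy in the chroot and flags a copy of etc/sasldb2 that is readable by everyone. The function names, arguments and sample files are constructed; comparing `ls -ld` mode strings is this example's own choice.

```shell
#!/bin/sh
# Added example (not from the thread): audit copies made into a Postfix chroot.

# Permission string of a file, e.g. "-rw-r-----" (first 10 chars of ls -ld).
mode_of() { ls -ld "$1" | cut -c1-10; }

# audit_chroot_copies ROOT CHROOT FILE...
# ROOT is "/" on a live system; FILE is relative, e.g. etc/sasldb2.
# Prints findings and returns the number of problems found.
audit_chroot_copies() {
    root=${1%/}; chroot_dir=${2%/}; shift 2; bad=0
    for f in "$@"; do
        src=$root/$f; dst=$chroot_dir/$f
        [ -f "$src" ] || continue      # nothing to copy, as in the init script
        if [ ! -f "$dst" ]; then
            echo "MISSING  $dst"; bad=$((bad + 1)); continue
        fi
        sm=$(mode_of "$src"); dm=$(mode_of "$dst")
        if [ "$sm" != "$dm" ]; then
            echo "MODE     $dst is $dm, original is $sm"; bad=$((bad + 1))
        fi
        # -perm -004: the "read by others" bit is set.
        if [ "$f" = etc/sasldb2 ] && [ -n "$(find "$dst" -prune -perm -004)" ]; then
            echo "EXPOSED  $dst is world-readable"; bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample tree: a 0640 sasldb2 copied with cp -p, then loosened.
demo() {
    t=$(mktemp -d); mkdir -p "$t/root/etc" "$t/chroot/etc"
    echo constructed > "$t/root/etc/sasldb2"; chmod 640 "$t/root/etc/sasldb2"
    cp -p "$t/root/etc/sasldb2" "$t/chroot/etc/sasldb2"
    audit_chroot_copies "$t/root" "$t/chroot" etc/sasldb2 && echo "copy OK"
    chmod a+rX "$t/chroot/etc/sasldb2"   # what the commented-out line did
    audit_chroot_copies "$t/root" "$t/chroot" etc/sasldb2 || echo "$? problem(s)"
    rm -rf "$t"
}
demo
```
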
            • Curtis Maurand
              Message 6 of 17 , Feb 18, 2013
                On 2/13/2013 7:35 PM, Bob Proulx wrote:
                > Curtis Maurand wrote:
                >> Patrick Ben Koetter wrote:
                >>>> However, nothing in my configuration says to open the sasldb file
                >>>> anywhere as the auth mechanism is set to imap, but postfix seems
                >>>> intent on opening this file anyway.
                >>> Cyrus SASL opens sasldb as fallback when all other attempts to do
                >>> AUTH have failed. That in turn says your current setup is
                >>> non-functional. Which docs did you follow? What's your current
                >>> setup?
                >> My current setup has the imap connecting to a remote server on a private
                >> network. The imap server is dbmail 2.2.17.
                >>
                >> Postfix is a member of the sasl group. There is an sasldb2 file
                >> just in case.
                > I am not sure it is your desire to use the sasldb2 file. But if it is
                > then on Debian it needs to be made available in the chroot which on
                > Debian is usually located at /var/spool/postfix/etc. For me it meant
                > the easiest thing to do was to modify the /etc/init.d/postfix script
                > to make sure it was copied into the chroot when it was started.
                >
                > I added etc/sasldb2 to this next section.
                >
                > FILES="etc/sasldb2 etc/localtime etc/services etc/resolv.conf etc/hosts \
                > etc/nsswitch.conf etc/nss_mdns.config"
                > for file in $FILES; do
                > [ -d ${file%/*} ] || mkdir -p ${file%/*}
                > if [ -f /${file} ]; then rm -f ${file} && cp -p /${file} ${file}; fi
                > # if [ -f ${file} ]; then chmod a+rX ${file}; fi
                > done
                >
                > And I also removed that line that is commented out so that the
                > original permissions are preserved. That causes permissions to be
                > preserved from the /etc file into the chroot area when the file is
                > copied into it. Otherwise the file would be available to everyone.
                > Using the original permissions on all of the files is okay.
                >
                > Again, that is only if you are intending to use the sasldb2 file. It
                > is a nice simple fallback. But most schemes use other access control
                > methods.
                >
                > Bob
                Thanks for all your help everyone. I actually found the answer in an
                email from about a year ago. Thank you to google. Apparently saslauthd
                on Ubuntu runs chrooted while postfix does not. In order to make things
                work I had to establish a symbolic link in
                /var/spool/postfix/var/run/saslauthd to /var/run/saslauthd and that
                solved the trouble.

                Cheers,
                --Curtis