Another SASL authentication error

  • John WH Smith
    Message 1 of 6 , May 28, 2014
      Hello,

      I am trying to setup a Postfix server on a Debian Wheezy system, and I'm
      encountering a little problem with SMTP authentication...

      Since I don't need mailboxes (messages can go out, but nothing has to
      come in), I decided not to install Dovecot (or another IMAP/POP3).
      However, this is the first time I make such a "partial" setup, and
      authenticating users over SMTPs is getting tricky.

      First, my logs:

      ---
      (...)
      localhost postfix/smtps/smtpd[14222]: <
      localhost.localdomain[127.0.0.1]: bXl1c2Vy
      localhost postfix/smtps/smtpd[14222]: xsasl_cyrus_server_next: decoded
      response: myuser
      (...)
      localhost postfix/smtps/smtpd[14222]: <
      localhost.localdomain[127.0.0.1]: bXlwYXNz
      localhost postfix/smtps/smtpd[14222]: xsasl_cyrus_server_next: decoded
      response: mypass
      (...)
      localhost postfix/smtps/smtpd[14222]: warning:
      localhost.localdomain[127.0.0.1]: SASL LOGIN authentication failed:
      authentication failure
      localhost postfix/smtps/smtpd[14222]: >
      localhost.localdomain[127.0.0.1]: 535 5.7.8 Error: authentication
      failed: authentication failure
      ---

      (I've removed irrelevant lines, the challenges were correct, and here's
      all I have about the authentication process)

      Now, to the configuration (main.cf, master.cf):

      ---
      smtp_sasl_auth_enable = yes
      smtp_sasl_password_maps = hash:/etc/postfix/users
      smtp_sasl_security_options = noplaintext, noanonymous
      smtpd_recipient_restrictions =
      permit_sasl_authenticated,
      permit_mynetworks,
      reject_unauth_destination
      ---
      smtp inet n - - - - smtpd
      smtps inet n - - - - smtpd
          -o syslog_name=postfix/smtps
          -o smtpd_tls_wrappermode=yes
          -o smtpd_sasl_auth_enable=yes
          -o smtpd_client_restrictions=permit_sasl_authenticated,reject
          -o milter_macro_daemon_name=ORIGINATING
      ---

      The SSL/TLS parameters are correct, since encryption/decryption succeeds
      in the logs (decoding the credentials, encoding the challenges).

      My "users" file contains:
      mydomain.tld myuser:mypass

      It has been postmap-ed. SASLauthd is configured (START=yes), and I can
      see my processes running without trouble. I've also made sure Postfix
      could contact it by moving the socket and PID files into the Postfix
      chroot (and linking accordingly).

      I would gladly give you more information if I had some but... the logs
      are quite silent on this one (even with a high verbosity level)... Is
      there any way I could get more information about this failure? Or have
      I missed something?
    • Wietse Venema
      Message 2 of 6 , May 28, 2014
        John WH Smith:
        > localhost postfix/smtps/smtpd[14222]: warning:
        > localhost.localdomain[127.0.0.1]: SASL LOGIN authentication failed:
        > authentication failure
        > localhost postfix/smtps/smtpd[14222]: >
        > localhost.localdomain[127.0.0.1]: 535 5.7.8 Error: authentication
        > failed: authentication failure
        ...
        > It has been postmap-ed. SASLauthd is configured (START=yes), and I can
        > see my processes running without trouble. I've also made sure Postfix
        > could contact it by moving the socket and PID files into the Postfix
        > chroot (and linking accordingly).

        You move sockets, but how do you know that the SASL library (invoked
        by smtpd) is really connected to the saslauthd process?

        You may find out with strace or equivalent:

        http://www.postfix.org/DEBUG_README.html#auto_trace

        Wietse
      • Viktor Dukhovni
        Message 3 of 6 , May 28, 2014
          On Wed, May 28, 2014 at 07:17:22PM +0100, John WH Smith wrote:

          > localhost postfix/smtps/smtpd[14222]: warning:
          > localhost.localdomain[127.0.0.1]: SASL LOGIN authentication failed:
          > authentication failure
          > localhost postfix/smtps/smtpd[14222]: >
          > localhost.localdomain[127.0.0.1]: 535 5.7.8 Error: authentication
          > failed: authentication failure

          This error is with your SMTP *server* authenticating submission users.

          > smtp_sasl_auth_enable = yes
          > smtp_sasl_password_maps = hash:/etc/postfix/users
          > smtp_sasl_security_options = noplaintext, noanonymous

          These settings are for your SMTP *client* to authenticate itself
          to remote relay hosts that require SASL authentication.

          > My "users" file contains :
          > mydomain.tld myuser:mypass

          This is therefore irrelevant. To configure SASL to authenticate
          users requires some expertise with an appropriate SASL backend
          driver (often PAM) and a .conf file that selects the right driver
          and driver options. You may need to run saslauthd, ...

          You're probably better off with dovecot, it is a less steep learning
          curve. Cyrus SASL is substantially more configurable, at great
          cost in interface complexity.

          --
          Viktor.
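The smtp_/smtpd_ mix-up Viktor points out is easy to catch mechanically. The following shell script is an added example, not code from the thread or from Postfix: it lists which SASL parameters in a main.cf/master.cf pair configure the SMTP client (Postfix authenticating to a relay) and which configure the SMTP server (submission clients authenticating to Postfix), and warns when server-side authentication is switched on but no Cyrus SASL application config exists to select a backend. The Cyrus config directory /etc/postfix/sasl and the file name derived from smtpd_sasl_path are Debian conventions and are assumptions; override the directory with SASL_CONF_DIR.

```sh
#!/bin/sh
# Added example, not part of the thread: sort the SASL settings of a Postfix
# instance by the side they belong to.
#   smtp_sasl_*  -> SMTP *client*: Postfix authenticating itself to a relay host
#   smtpd_sasl_* -> SMTP *server*: submission clients authenticating to Postfix
# The posted main.cf only has smtp_sasl_* lines, so /etc/postfix/users is a map
# of outbound relay credentials and smtpd never consults it.

# Distinct client-side (smtp_sasl_*) parameter names found in the given files.
client_sasl_params() {
    grep -hoE 'smtp_sasl_[a-z_]+' "$@" 2>/dev/null | sort -u
}

# Distinct server-side (smtpd_sasl_*) parameter names found in the given files.
server_sasl_params() {
    grep -hoE 'smtpd_sasl_[a-z_]+' "$@" 2>/dev/null | sort -u
}

# True when server-side SASL is switched on, in main.cf or as a "-o" override in master.cf.
server_auth_enabled() {
    grep -hqE '^[[:space:]]*(-o[[:space:]]*)?smtpd_sasl_auth_enable[[:space:]]*=[[:space:]]*yes' "$@" 2>/dev/null
}

# File name of the Cyrus SASL application config smtpd loads: smtpd_sasl_path
# from main.cf (default "smtpd") plus ".conf".
cyrus_conf_name() {
    name=$(sed -nE 's/^[[:space:]]*smtpd_sasl_path[[:space:]]*=[[:space:]]*([^[:space:]]+).*/\1/p' "$1" | tail -n 1)
    echo "${name:-smtpd}.conf"
}

# Exit status: 0 = server auth on and a Cyrus config selects a backend,
#              1 = server auth on but the Cyrus config is missing,
#              2 = only the client side is configured; nothing checks submission users.
sasl_side_check() {
    main_cf="$1"; master_cf="$2"
    conf_dir="${SASL_CONF_DIR:-/etc/postfix/sasl}"   # assumption: Debian's Cyrus config directory

    echo "client-side (relay) parameters:"
    client_sasl_params "$main_cf" "$master_cf" | sed 's/^/  /'
    echo "server-side (submission) parameters:"
    server_sasl_params "$main_cf" "$master_cf" | sed 's/^/  /'

    if ! server_auth_enabled "$main_cf" "$master_cf"; then
        echo "WARN: smtpd_sasl_auth_enable is never yes; submission authentication is off"
        return 2
    fi
    conf="$conf_dir/$(cyrus_conf_name "$main_cf")"
    if [ ! -r "$conf" ]; then
        echo "WARN: server auth is on but $conf is missing; no pwcheck_method is selected for smtpd"
        return 1
    fi
    echo "OK: server auth on, backend selected in $conf"
}

# Usage: sh sasl_side_check.sh /etc/postfix/main.cf /etc/postfix/master.cf
if [ $# -eq 2 ]; then
    sasl_side_check "$1" "$2"
fi
```

Run against the configuration posted at the top of the thread, the script lists three client-side parameters and one server-side override, and returns 1 because nothing under the Cyrus config directory tells smtpd how to verify a password.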
        • John WH Smith
          Message 4 of 6 , May 28, 2014
            On 28/05/14 19:41, Wietse Venema wrote:
            > You move sockets, but how do you know that the SASL library (invoked
            > by smtpd) is really connected to the saslauthd process?

            I actually created the appropriate symlinks to avoid path breaking. Fact
            is: if it was related to a non-existent process/file (which Postfix
            wouldn't connect to), I would get more than just "authentication failure".

            On 28/05/14 19:49, Viktor Dukhovni wrote:
            > You're probably better off with dovecot, it is a less steep learning
            > curve. Cyrus SASL is substantially more configurable, at great
            > cost in interface complexity.

            Now that's a far too simple idea to my ears. I've already set up quite a
            few Postfix+Dovecot installs, and this is not what I'm trying to achieve
            here.

            I understand the problem you're mentioning (mixing up server/client-side
            configurations), now that was silly of me.

            I may have got confused between several references online, but is there
            a simple "universal?" way to set up authentication support for outgoing
            email, without setting up a full incoming email service ? Actually, I
            only need a few addresses for some web applications to send emails
            through our server... When I asked the devs if they needed mailboxes,
            full setup, they said no, so they're gonna stick to it.

            Thank you both!
          • Wietse Venema
            Message 5 of 6 , May 28, 2014
              John WH Smith:
              > On 28/05/14 19:41, Wietse Venema wrote:
              > > You move sockets, but how do you know that the SASL library (invoked
              > > by smtpd) is really connected to the saslauthd process?
              >
              > I actually created the appropriate symlinks to avoid path breaking. Fact
              > is: if it was related to a non-existent process/file (which Postfix
              > wouldn't connect to), I would get more than just "authentication failure".

              OK, so you did not verify that the two actually talk to each other.
              You are assuming that they did, without having observed actual
              evidence that the socket call worked.

              My support ends here.

              Wietse
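Wietse's objection in both of his replies is that moving a socket is not the same as observing smtpd connect to it. The script below is an added example, not from the thread or from Postfix: it resolves the mux socket path the way a chrooted smtpd would, reports whether a writable socket is actually there, and wraps the strace command that shows the connect() itself. The chroot directory /var/spool/postfix and the default mux path /var/run/saslauthd/mux are Debian conventions and are assumptions; pass your own as arguments.

```sh
#!/bin/sh
# Added example, not part of the thread: confirm that the saslauthd mux socket is
# really where a chrooted smtpd will open it, instead of inferring that from the
# wording of the failure message.  Default paths are Debian conventions and are
# assumptions; pass your own as arguments.

# Path of the mux socket as the smtpd process sees it, resolved under the chroot.
# Inside the chroot an absolute symlink target is also resolved under the chroot,
# so a link pointing at the real /var/run does not help a chrooted process.
mux_in_chroot() {
    chroot_dir="${1:-/var/spool/postfix}"       # assumption: Debian's queue directory/chroot
    mux="${2:-/var/run/saslauthd/mux}"          # assumption: saslauthd run dir plus "mux"
    echo "$chroot_dir$mux"
}

# Inspect one candidate socket path.
# Exit status: 0 = socket present and writable by this user,
#              1 = something else is at that path (regular file, directory),
#              2 = nothing there (including a dangling symlink),
#              3 = socket present but not writable (smtpd runs as "postfix";
#                  on Debian that user must be in group "sasl").
check_mux() {
    mux="$1"
    if [ ! -e "$mux" ]; then
        echo "MISSING: $mux"; return 2
    fi
    if [ ! -S "$mux" ]; then
        echo "NOT A SOCKET: $mux (type '$(ls -ld "$mux" | cut -c1)')"; return 1
    fi
    if [ ! -w "$mux" ]; then
        echo "NOT WRITABLE: $mux"; return 3
    fi
    echo "OK: $mux"
}

# The evidence Wietse asks for: watch the running smtpd's connect() calls rather
# than reasoning about them.  Take the pid from the log line (smtpd[14222]); a
# connect() on the mux path returning 0 shows the two talk, ENOENT or EACCES
# shows they do not.  Needs root.
trace_smtpd_connects() {
    strace -f -e trace=connect -p "$1"
}

# Usage: sh check_mux.sh [chroot] [mux path as smtpd sees it]
if [ $# -gt 0 ]; then
    check_mux "$(mux_in_chroot "$1" "$2")"
fi
```

A regular file or a dangling link at the expected path produces exactly the symptom in the thread: saslauthd is running, Postfix is running, and the only message is "authentication failure".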
            • Viktor Dukhovni
              Message 6 of 6 , May 28, 2014
                On Wed, May 28, 2014 at 08:00:22PM +0100, John WH Smith wrote:

                > On 28/05/14 19:49, Viktor Dukhovni wrote:
                > > You're probably better off with dovecot, it is a less steep learning
                > > curve. Cyrus SASL is substantially more configurable, at great
                > > cost in interface complexity.
                >
                > Now that's a far too simple idea to my ears. I've already set up quite a
                > few Postfix+Dovecot installs, and this is not what I'm trying to achieve
                > here.

                You don't have to provision mailboxes or run an IMAP server to
                implement just the authentication side of Dovecot.

                > I may have got confused between several references online, but is there
                > a simple "universal?" way to set up authentication support for outgoing
                > email, without setting up a full incoming email service?

                No, because there are so many different ways of handling user
                credentials: GSSAPI, DIGEST-MD5, RADIUS, LDAP bind, rimap, OTP, ...

                For hashed passwords I generally use saslauthd with PAM and sometimes
                an smtp PAM configuration that bypasses the system password database
                using a password file dedicated for just email relay accounts.

                This is a vast topic, you've been warned. Experience is what you
                get when you don't get what you want. You'll be a lot more
                experienced by the time you get this working.

                --
                Viktor.
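Viktor's own arrangement, saslauthd with PAM and a PAM service for "smtp" that reads a dedicated password file instead of the system database, comes down to four small files. The script below is an added example, not from the thread, Postfix or Debian: it renders those files into a staging directory so they can be reviewed before being copied into place, and prints the follow-up commands. File locations are Debian conventions, the PAM line assumes the libpam-pwdfile package, and the user names are placeholders taken from the original post; all of these are assumptions.

```sh
#!/bin/sh
# Added example, not part of the thread: the server-side pieces for
# submission-only authentication with Cyrus SASL -> saslauthd -> PAM -> a
# dedicated password file, as Viktor describes.  Files are rendered under
# $1 (a staging directory) so they can be reviewed and diffed before copying
# them into place.  Locations are Debian conventions; the PAM module line
# assumes the libpam-pwdfile package (both are assumptions).

render_submission_auth() {
    dest="$1"
    mkdir -p "$dest/etc/postfix/sasl" "$dest/etc/default" "$dest/etc/pam.d"

    # Cyrus SASL application config for smtpd (smtpd_sasl_path = smtpd): select
    # the saslauthd backend and offer only the plaintext mechanisms it can verify.
    cat > "$dest/etc/postfix/sasl/smtpd.conf" <<'EOF'
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
EOF

    # Server-side (smtpd_*) parameters to merge into main.cf.  Note the "d":
    # smtp_sasl_* would configure Postfix as a client of another relay.
    # smtpd_sasl_auth_enable itself can stay as the per-service "-o" override
    # on the smtps entry in master.cf, as in the original post.
    cat > "$dest/etc/postfix/main.cf.sasl" <<'EOF'
smtpd_sasl_type = cyrus
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = yes
EOF

    # saslauthd (Debian /etc/default/saslauthd): use PAM and put the mux socket
    # under the Postfix chroot, where a chrooted smtpd can reach it.
    cat > "$dest/etc/default/saslauthd" <<'EOF'
START=yes
MECHANISMS="pam"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
EOF

    # PAM service "smtp" (the service name Postfix hands to Cyrus SASL): verify
    # against a file of relay accounts instead of /etc/shadow, so these accounts
    # have no system login.  File format: user:crypt(3)-hash, one per line.
    # Assumption: pam_pwdfile.so from libpam-pwdfile with its "pwdfile" argument.
    cat > "$dest/etc/pam.d/smtp" <<'EOF'
auth    required pam_pwdfile.so pwdfile /etc/postfix/smtp.passwd
account required pam_permit.so
EOF
}

# Commands to run on the host afterwards (printed, not executed here): group
# membership so smtpd may open the socket, permissions on the socket directory,
# restarts, and the end-to-end check through the exact socket smtpd uses.
# "myuser"/"mypass" are the placeholders from the original post.
post_install_steps() {
    cat <<'EOF'
adduser postfix sasl
dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd
service saslauthd restart && postfix reload
testsaslauthd -f /var/spool/postfix/var/run/saslauthd/mux -s smtp -u myuser -p mypass
EOF
}

# Usage: sh render_submission_auth.sh /tmp/staging
if [ $# -eq 1 ]; then
    render_submission_auth "$1" && post_install_steps
fi
```

The testsaslauthd line is the useful last step: it exercises saslauthd, PAM and the password file through the same socket path smtpd will use, so a failure there is a backend problem and a success there narrows any remaining failure to the smtpd side.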