From: Gregory BELLIER on 19 Apr 2010 12:28

Hi all!

I would like to set up authentication between 2 Postfix hosted on Debian Lenny and until now it doesn't work.

Here is a log sample:

    warning: SASL authentication failure: No worthy mechs found
    SASL authentication failed; cannot authenticate to server 10.0.0.6[10.0.0.6]: no mechanism available

At this time, authentication works between a MUA and both Postfix, but not between them when they act as a relay.

    MUA -> MTA1          ok
    MUA -> MTA2          ok
    MUA -> MTA1 -> MTA2  nok

This last line works fine when SASL is not involved.

From what I've seen on the internet, most of the time people miss the libplain. This is not my case. Both MTA have the same configuration. At the end of this email, you can find postconf -n and saslfinger -c. Clearly the error is visible in saslfinger because it tells this:

    -- mechanisms on 10.0.0.6 --
    -- mechanisms on 10.0.0.5 --

I don't know how to correct this. I guess there is something wrong with my smtpd.conf. Would you please take a look at it?

The authentication is done in plain using saslauthd, which refers to the shadow file. The file /etc/postfix/sasl_passwd is like this (for mta1):

    10.0.0.6 username:passwd

username (it's obviously not the real one) is a real unix user on the machine.

Thanks,
Greg.
*** postconf -n ***

    mta1:/etc/postfix# postconf -n
    alias_database = hash:/etc/aliases
    alias_maps = hash:/etc/aliases
    append_dot_mydomain = no
    biff = no
    broken_sasl_auth_clients = no
    config_directory = /etc/postfix
    home_mailbox = Maildir/
    inet_interfaces = all
    mailbox_command = procmail -a "$EXTENSION"
    mailbox_size_limit = 0
    message_size_limit = 0
    mydestination = mta1.local, localhost.local, , localhost
    myhostname = mta1.local
    mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
    myorigin = /etc/mailname
    readme_directory = no
    recipient_delimiter = +
    relayhost = 10.0.0.6
    smtp_sasl_auth_enable = yes
    smtp_sasl_mechanism_filter = plain
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    smtp_tls_loglevel = 2
    smtp_tls_note_starttls_offer = yes
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtp_use_tls = yes
    smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
    smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_sasl_security_options = noanonymous, noplaintext
    smtpd_sasl_tls_security_options = noanonymous
    smtpd_sasl_type = cyrus
    smtpd_tls_CAfile = /etc/CA/ca.crt
    smtpd_tls_auth_only = yes
    smtpd_tls_cert_file = /etc/postfix/certificate/postfix_mta1.crt
    smtpd_tls_key_file = /etc/postfix/certificate/postfix_mta1.key
    smtpd_tls_loglevel = 2
    smtpd_tls_received_header = yes
    smtpd_tls_security_level = encrypt
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

*** saslfinger -c ***

    mta1:/etc/postfix# saslfinger -c
    saslfinger - postfix Cyrus sasl configuration lundi 19 avril 2010, 18:13:08 (UTC+0200)
    version: 1.0.4
    mode: client-side SMTP AUTH

    -- basics --
    Postfix: 2.5.5
    System: Debian GNU/Linux 5.0 \n \l

    -- smtp is linked to --
    libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7d2c000)

    -- active SMTP AUTH and TLS parameters for smtp --
    relayhost = 10.0.0.6
    smtp_sasl_auth_enable = yes
    smtp_sasl_mechanism_filter = plain
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    smtp_tls_loglevel = 2
    smtp_tls_note_starttls_offer = yes
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtp_use_tls = yes

    -- listing of /usr/lib/sasl2 --
    total 680
    drwxr-xr-x  2 root root  4096 avr 14 15:43 .
    drwxr-xr-x 50 root root 12288 avr 14 15:46 ..
    -rw-r--r--  1 root root 13476 mai 24  2009 libanonymous.a
    -rw-r--r--  1 root root   855 mai 24  2009 libanonymous.la
    -rw-r--r--  1 root root 13016 mai 24  2009 libanonymous.so
    -rw-r--r--  1 root root 13016 mai 24  2009 libanonymous.so.2
    -rw-r--r--  1 root root 13016 mai 24  2009 libanonymous.so.2.0.22
    -rw-r--r--  1 root root 15814 mai 24  2009 libcrammd5.a
    -rw-r--r--  1 root root   841 mai 24  2009 libcrammd5.la
    -rw-r--r--  1 root root 15352 mai 24  2009 libcrammd5.so
    -rw-r--r--  1 root root 15352 mai 24  2009 libcrammd5.so.2
    -rw-r--r--  1 root root 15352 mai 24  2009 libcrammd5.so.2.0.22
    -rw-r--r--  1 root root 46420 mai 24  2009 libdigestmd5.a
    -rw-r--r--  1 root root   864 mai 24  2009 libdigestmd5.la
    -rw-r--r--  1 root root 43500 mai 24  2009 libdigestmd5.so
    -rw-r--r--  1 root root 43500 mai 24  2009 libdigestmd5.so.2
    -rw-r--r--  1 root root 43500 mai 24  2009 libdigestmd5.so.2.0.22
    -rw-r--r--  1 root root 13650 mai 24  2009 liblogin.a
    -rw-r--r--  1 root root   835 mai 24  2009 liblogin.la
    -rw-r--r--  1 root root 13460 mai 24  2009 liblogin.so
    -rw-r--r--  1 root root 13460 mai 24  2009 liblogin.so.2
    -rw-r--r--  1 root root 13460 mai 24  2009 liblogin.so.2.0.22
    -rw-r--r--  1 root root 29076 mai 24  2009 libntlm.a
    -rw-r--r--  1 root root   829 mai 24  2009 libntlm.la
    -rw-r--r--  1 root root 28532 mai 24  2009 libntlm.so
    -rw-r--r--  1 root root 28532 mai 24  2009 libntlm.so.2
    -rw-r--r--  1 root root 28532 mai 24  2009 libntlm.so.2.0.22
    -rw-r--r--  1 root root 13970 mai 24  2009 libplain.a
    -rw-r--r--  1 root root   835 mai 24  2009 libplain.la
    -rw-r--r--  1 root root 14036 mai 24  2009 libplain.so
    -rw-r--r--  1 root root 14036 mai 24  2009 libplain.so.2
    -rw-r--r--  1 root root 14036 mai 24  2009 libplain.so.2.0.22
    -rw-r--r--  1 root root 21710 mai 24  2009 libsasldb.a
    -rw-r--r--  1 root root   866 mai 24  2009 libsasldb.la
    -rw-r--r--  1 root root 18080 mai 24  2009 libsasldb.so
    -rw-r--r--  1 root root 18080 mai 24  2009 libsasldb.so.2
    -rw-r--r--  1 root root 18080 mai 24  2009 libsasldb.so.2.0.22

    -- listing of /etc/postfix/sasl --
    total 12
    drwxr-xr-x 2 root root 4096 avr 19 15:54 .
    drwxr-xr-x 4 root root 4096 avr 19 17:47 ..
    -rw-r--r-- 1 root root   27 avr 19 15:31 smtpd.conf

    -- permissions for /etc/postfix/sasl_passwd --
    -rw-r--r-- 1 root root 43 avr 19 17:43 /etc/postfix/sasl_passwd

    -- permissions for /etc/postfix/sasl_passwd.db --
    -rw-r--r-- 1 root root 12288 avr 19 17:43 /etc/postfix/sasl_passwd.db
    /etc/postfix/sasl_passwd.db is up to date.

    -- active services in /etc/postfix/master.cf --
    # service type  private unpriv  chroot  wakeup  maxproc command + args
    #               (yes)   (yes)   (yes)   (never) (100)
    smtp      inet  n       -       -       -       -       smtpd
    pickup    fifo  n       -       -       60      1       pickup
    cleanup   unix  n       -       -       -       0       cleanup
    qmgr      fifo  n       -       n       300     1       qmgr
    tlsmgr    unix  -       -       -       1000?   1       tlsmgr
    rewrite   unix  -       -       -       -       -       trivial-rewrite
    bounce    unix  -       -       -       -       0       bounce
    defer     unix  -       -       -       -       0       bounce
    trace     unix  -       -       -       -       0       bounce
    verify    unix  -       -       -       -       1       verify
    flush     unix  n       -       -       1000?   0       flush
    proxymap  unix  -       -       n       -       -       proxymap
    proxywrite unix -       -       n       -       1       proxymap
    smtp      unix  -       -       -       -       -       smtp
    relay     unix  -       -       -       -       -       smtp
            -o smtp_fallback_relay=
    showq     unix  n       -       -       -       -       showq
    error     unix  -       -       -       -       -       error
    retry     unix  -       -       -       -       -       error
    discard   unix  -       -       -       -       -       discard
    local     unix  -       n       n       -       -       local
    virtual   unix  -       n       n       -       -       virtual
    lmtp      unix  -       -       -       -       -       lmtp
    anvil     unix  -       -       -       -       1       anvil
    scache    unix  -       -       -       -       1       scache
    maildrop  unix  -       n       n       -       -       pipe
      flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
    uucp      unix  -       n       n       -       -       pipe
      flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
    ifmail    unix  -       n       n       -       -       pipe
      flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
    bsmtp     unix  -       n       n       -       -       pipe
      flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
    scalemail-backend unix - n     n       -       2       pipe
      flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
    mailman   unix  -       n       n       -       -       pipe
      flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}

    -- mechanisms on 10.0.0.6 --

    -- mechanisms on 10.0.0.5 --

    -- end of saslfinger output --
From: Victor Duchovni on 19 Apr 2010 14:18

On Mon, Apr 19, 2010 at 06:28:47PM +0200, Gregory BELLIER wrote:

> Hi all !
>
> I would like to set up authentication between 2 postfix hosted on Debian
> Lenny and until now it doesn't work.
>
> Here is a log sample :
> warning: SASL authentication failure: No worthy mechs found
> SASL authentication failed; cannot authenticate to server
> 10.0.0.6[10.0.0.6]: no mechanism available

Try again, with a more useful log sample, and configuration settings for the receiving side. The log sample should include multiple lines of logging from the SMTP client, showing any TLS handshake, ...

> relayhost = 10.0.0.6

Per the documentation, this must be:

    relayhost = [10.0.0.6]

and the SMTP client password table:

    [10.0.0.6] user:pass

> smtp_sasl_auth_enable = yes
> smtp_sasl_mechanism_filter = plain
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> smtp_tls_loglevel = 2

Too verbose.

> smtp_use_tls = yes

Obsolete, with 2.3 and later, use:

    smtp_tls_security_level = may

> -- permissions for /etc/postfix/sasl_passwd --
> -rw-r--r-- 1 root root 43 avr 19 17:43 /etc/postfix/sasl_passwd

This should NOT be world-readable.

> -- permissions for /etc/postfix/sasl_passwd.db --
> -rw-r--r-- 1 root root 12288 avr 19 17:43 /etc/postfix/sasl_passwd.db

Ditto, but postmap will take care of that, when you fix the source permissions.

--
	Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix system/email administrator to architect and sustain our perimeter email environment. If you are interested, please drop me a note.
From: Victor Duchovni on 20 Apr 2010 15:47

On Tue, Apr 20, 2010 at 09:37:48PM +0200, Gregory BELLIER wrote:

In the session below, the client did not want to use PLAIN, presumably because TLS was not in effect. Leave TLS enabled. I asked you to disable TLS very verbose logging (smtp*_tls_loglevel=0 or 1), not TLS.

Now test with a client that supports PLAIN without TLS, or that uses TLS. If you read your logs carefully, there is enough there to figure it all out... You should be able to solve the problem now that you can see everything in the logs.

> Apr 20 18:26:24 mta2 postfix/smtpd[5447]: > mta1.local[10.0.0.5]: 220 mta2.local ESMTP Postfix (Debian/GNU)
> Apr 20 18:26:24 mta2 postfix/smtpd[5447]: < mta1.local[10.0.0.5]: EHLO mta1.local
> Apr 20 18:26:24 mta2 postfix/smtpd[5447]: > mta1.local[10.0.0.5]: 250-mta2.local
> Apr 20 18:26:24 mta2 postfix/smtpd[5447]: > mta1.local[10.0.0.5]: 250-PIPELINING
> Apr 20 18:26:24 mta2 postfix/smtpd[5447]: > mta1.local[10.0.0.5]: 250-SIZE
> Apr 20 18:26:24 mta2 postfix/smtpd[5447]: > mta1.local[10.0.0.5]: 250-VRFY
> Apr 20 18:26:24 mta2 postfix/smtpd[5447]: > mta1.local[10.0.0.5]: 250-ETRN
> Apr 20 18:26:24 mta2 postfix/smtpd[5447]: > mta1.local[10.0.0.5]: 250-AUTH LOGIN PLAIN
> Apr 20 18:26:24 mta2 postfix/smtpd[5447]: > mta1.local[10.0.0.5]: 250-ENHANCEDSTATUSCODES
> Apr 20 18:26:24 mta2 postfix/smtpd[5447]: > mta1.local[10.0.0.5]: 250-8BITMIME
> Apr 20 18:26:24 mta2 postfix/smtpd[5447]: > mta1.local[10.0.0.5]: 250 DSN
> Apr 20 18:26:24 mta2 postfix/smtpd[5447]: < mta1.local[10.0.0.5]: QUIT
> Apr 20 18:26:24 mta2 postfix/smtpd[5447]: > mta1.local[10.0.0.5]: 221 2.0.0 Bye

However, it does not mind doing CRAM-MD5, but this requires unhashed passwords, and so cannot work with "shadow".

> Apr 20 18:33:23 mta2 postfix/smtpd[5498]: > mta1.local[10.0.0.5]: 220 mta2.local ESMTP Postfix (Debian/GNU)
> Apr 20 18:33:23 mta2 postfix/smtpd[5498]: < mta1.local[10.0.0.5]: EHLO mta1.local
> Apr 20 18:33:23 mta2 postfix/smtpd[5498]: > mta1.local[10.0.0.5]: 250-mta2.local
> Apr 20 18:33:23 mta2 postfix/smtpd[5498]: > mta1.local[10.0.0.5]: 250-PIPELINING
> Apr 20 18:33:23 mta2 postfix/smtpd[5498]: > mta1.local[10.0.0.5]: 250-SIZE
> Apr 20 18:33:23 mta2 postfix/smtpd[5498]: > mta1.local[10.0.0.5]: 250-VRFY
> Apr 20 18:33:23 mta2 postfix/smtpd[5498]: > mta1.local[10.0.0.5]: 250-ETRN
> Apr 20 18:33:23 mta2 postfix/smtpd[5498]: > mta1.local[10.0.0.5]: 250-AUTH LOGIN CRAM-MD5 DIGEST-MD5 NTLM PLAIN
> Apr 20 18:33:23 mta2 postfix/smtpd[5498]: > mta1.local[10.0.0.5]: 250-ENHANCEDSTATUSCODES
> Apr 20 18:33:23 mta2 postfix/smtpd[5498]: > mta1.local[10.0.0.5]: 250-8BITMIME
> Apr 20 18:33:23 mta2 postfix/smtpd[5498]: > mta1.local[10.0.0.5]: 250 DSN
> Apr 20 18:33:23 mta2 postfix/smtpd[5498]: < mta1.local[10.0.0.5]: AUTH DIGEST-MD5
> Apr 20 18:33:23 mta2 postfix/smtpd[5498]: > mta1.local[10.0.0.5]: 235 2.7.0 Authentication successful

--
	Viktor.
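The two points Viktor raises across his replies, the relayhost/sasl_passwd key mismatch and the client refusing PLAIN when TLS is not in effect, can be reproduced with a small model of the Postfix SMTP client's mechanism choice. This is an added illustration, not Postfix or Cyrus SASL code; it assumes that smtp_sasl_mechanism_filter matches case-insensitively and that "noplaintext" covers PLAIN and LOGIN, and it feeds in the AUTH lines and option values quoted in the thread.

```python
import stat

# Cyrus SASL treats these as "plaintext" mechanisms: the password crosses the
# wire unprotected unless TLS is in effect, so "noplaintext" excludes them.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}
# Challenge/response mechanisms: the server must hold the clear-text password,
# which is why they cannot be verified against /etc/shadow via saslauthd.
SHARED_SECRET_MECHS = {"CRAM-MD5", "DIGEST-MD5", "NTLM"}


def usable_mechs(advertised, mech_filter, sec_opts, tls_sec_opts, tls_active):
    """Mechanisms from the server's AUTH line that the client would accept.

    advertised   - tokens after "250-AUTH" in the EHLO response
    mech_filter  - smtp_sasl_mechanism_filter (empty list means "any")
    sec_opts     - smtp_sasl_security_options, used when TLS is NOT active
    tls_sec_opts - smtp_sasl_tls_security_options, used when TLS IS active
    An empty result is the situation Postfix logs as "No worthy mechs found".
    """
    opts = set(tls_sec_opts) if tls_active else set(sec_opts)
    allowed = {m.upper() for m in mech_filter} or {m.upper() for m in advertised}
    usable = set()
    for mech in (m.upper() for m in advertised):
        if mech not in allowed:
            continue
        if "noplaintext" in opts and mech in PLAINTEXT_MECHS:
            continue
        if "noanonymous" in opts and mech == "ANONYMOUS":
            continue
        usable.add(mech)
    return usable


def needs_cleartext_store(mech):
    """True for mechanisms the server cannot verify against hashed passwords."""
    return mech.upper() in SHARED_SECRET_MECHS


def sasl_passwd_key_for(relayhost, passwd_keys):
    """The lookup key is the relayhost string exactly as written in main.cf:
    '[10.0.0.6]' and '10.0.0.6' are different keys. Returns the key or None."""
    return relayhost if relayhost in passwd_keys else None


def passwd_file_is_private(mode):
    """True when a sasl_passwd file mode grants nothing to group or others
    (the thread's -rw-r--r-- is 0o644 and fails this check)."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0
```

Run against the first quoted session (AUTH LOGIN PLAIN, filter "plain", default noplaintext, no TLS) the usable set is empty; against the second session the only survivors are the challenge/response mechanisms, which saslauthd cannot verify against shadow.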