From: Oliver Schinagl on 24 Apr 2010 14:09

Hey all,

So I have tweaked my main.cf and enabled noplainpassword my sasl craps out.

smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous

works,

smtpd_sasl_security_options = noplainpassword, noanonymous
smtpd_sasl_tls_security_options = noanonymous

gives me the following postfix error

Apr 24 13:49:49 foo postfix/smtpd[3978]: warning: xsasl_cyrus_server_get_mechanism_list: no applicable SASL mechanisms
Apr 24 13:49:49 foo postfix/smtpd[3978]: fatal: no SASL authentication mechanisms
Apr 24 13:49:50 foo postfix/master[3919]: warning: process /usr/lib64/postfix/smtpd pid 3978 exit status 1

In /usr/lib/sasl2 I find the following libraries to auth against/with:

foo sasl2 # ls /usr/lib/sasl2/
libanonymous.la         libdigestmd5.so         liblogin.so.2       libplain.so.2.0.23
libanonymous.so         libdigestmd5.so.2       liblogin.so.2.0.23  libsasldb.la
libanonymous.so.2       libdigestmd5.so.2.0.23  libntlm.la          libsasldb.so
libanonymous.so.2.0.23  libgssapiv2.la          libntlm.so          libsasldb.so.2
libcrammd5.la           libgssapiv2.so          libntlm.so.2        libsasldb.so.2.0.23
libcrammd5.so           libgssapiv2.so.2        libntlm.so.2.0.23   libsql.la
libcrammd5.so.2         libgssapiv2.so.2.0.23   libplain.la         libsql.so
libcrammd5.so.2.0.23    liblogin.la             libplain.so         libsql.so.2
libdigestmd5.la         liblogin.so             libplain.so.2       libsql.so.2.0.23

My /etc/sasl/smtpd.conf authenticates against courier-authlib, which I also use for courier-imap.

# $Header: /var/cvsroot/gentoo-x86/mail-mta/postfix/files/smtp.sasl,v 1.2 2004/07/18 03:26:56 dragonheart Exp $
pwcheck_method: authdaemond
mech_list: login plain
authdaemon_path: /var/lib/courier/authdaemon/socket
log_level: 1

Now I'll admit I'm no sasl (nor postfix) expert but I figure, if sasl uses courier-authlib to authenticate as does courier-imap that if the one works, that courier-authlib 'works'. So this error would come from sasl or postfix?

In any case, wasn't the idea from the double option, to only allow plain text passwords on port 25 with tls enabled, but no plain text passwords on regular 25. (I suppose port smtps would also work yeah?)

In any case, if this is the case, why won't sasl/postfix start normally? Also, as far as I can tell sending mail from a remote client works, and it even asks me for a password (after asking whether the certificate comes up to be accepted).

So ... what am I missing here? I can auth fine with the postfix -> sasl -> authlib -> postgres setup but not when I disable the (unused) plaintext passwords.

From: Noel Jones on 24 Apr 2010 14:20

On 4/24/2010 1:09 PM, Oliver Schinagl wrote:
> Hey all,
>
> So I have tweaked my main.cf and enabled noplainpassword my sasl craps out.
>
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_tls_security_options = noanonymous
>
> works,
>
> smtpd_sasl_security_options = noplainpassword, noanonymous
> smtpd_sasl_tls_security_options = noanonymous

The option name is "noplaintext", NOT noplainpassword.

The documentation is always a good place to start when troubleshooting.

http://www.postfix.org/postconf.5.html#smtpd_sasl_security_options

-- Noel Jones

From: Oliver Schinagl on 24 Apr 2010 14:31

Sahil Tandon wrote:
> On Sat, 24 Apr 2010, Oliver Schinagl wrote:
>
>> smtpd_sasl_security_options = noplainpassword, noanonymous
>                                ^^^^^^^^^^^^^^^
> Did you mean noplaintext?
>
> http://www.postfix.org/postconf.5.html#smtpd_sasl_security_options
>

I'm such a tard, I should have just copy/pasted it :S I felt adventurous copy pasted it from my postconf -n and prepended it; this I have in my main.cf (but uncommented to try it obviously).

#smtpd_sasl_security_options = noplaintext, noanonymous

is the option I had, I feel like such a tard now and stupid. The problem described earlier is valid however. Sorry :(

From: Noel Jones on 24 Apr 2010 15:34

On 4/24/2010 1:31 PM, Oliver Schinagl wrote:
> Sahil Tandon wrote:
>> On Sat, 24 Apr 2010, Oliver Schinagl wrote:
>>
>>> smtpd_sasl_security_options = noplainpassword, noanonymous
>>                                ^^^^^^^^^^^^^^^
>> Did you mean noplaintext?
>>
>> http://www.postfix.org/postconf.5.html#smtpd_sasl_security_options
>>
>
> I'm such a tard, I should have just copy/pasted it :S I felt adventurous copy pasted it from my postconf -n and prepended it; this I have in my main.cf (but uncommented to try it obviously).
>
> #smtpd_sasl_security_options = noplaintext, noanonymous
>
>
> is the option I had, I feel like such a tard now and stupid. The problem described earlier is valid however. Sorry :(

Ah then. You said earlier:

> my /etc/sasl/smtpd.conf authenticates against courier-authlib, which I also use for courier-imap.
> # $Header: /var/cvsroot/gentoo-x86/mail-mta/postfix/files/smtp.sasl,v 1.2 2004/07/18 03:26:56 dragonheart Exp $
> pwcheck_method: authdaemond
> mech_list: login plain
> authdaemon_path: /var/lib/courier/authdaemon/socket
> log_level: 1

It looks to me as if you've told courier to use plain-text only (login and plain are both plain text formats), and told postfix to not use plain text on unencrypted connections.

Most folks solve this by setting in main.cf

smtpd_tls_auth_only = yes

which requires an encrypted connection before AUTH is offered, or I suppose you can add cram-md5 or some other method to your mech_list.

http://www.postfix.org/postconf.5.html#smtpd_tls_auth_only
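
Added example, not part of any post in this thread: a small Python check that reproduces the mismatch described in the last reply by filtering the smtpd.conf mech_list through the Postfix security options for cleartext and TLS sessions. It is a simplified model that covers only the noplaintext and noanonymous keywords, assumes mech_list is set explicitly, and uses hypothetical helper names (parse_kv, allowed, audit).

```python
# Added example: simplified model of how Postfix security options filter
# the Cyrus SASL mech_list. Only the two keywords from the thread are modelled.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}   # password is sent without hashing
ANONYMOUS_MECHS = {"ANONYMOUS"}

def parse_kv(text, sep):
    """Parse 'key<sep>value' lines, ignoring blanks and '#' comments."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or sep not in line:
            continue
        key, _, value = line.partition(sep)
        out[key.strip()] = value.strip()
    return out

def allowed(mechs, options):
    """Return the mechanisms that survive the given security options."""
    opts = set(options.replace(",", " ").split())
    return [m for m in mechs
            if not ("noplaintext" in opts and m in PLAINTEXT_MECHS)
            and not ("noanonymous" in opts and m in ANONYMOUS_MECHS)]

def audit(main_cf, smtpd_conf):
    cf = parse_kv(main_cf, "=")
    mechs = parse_kv(smtpd_conf, ":").get("mech_list", "").upper().split()
    plain_opts = cf.get("smtpd_sasl_security_options", "noanonymous")
    tls_opts = cf.get("smtpd_sasl_tls_security_options", plain_opts)
    tls_only = cf.get("smtpd_tls_auth_only", "no") == "yes"
    # With smtpd_tls_auth_only = yes, AUTH is not offered before STARTTLS,
    # so the cleartext option set is never applied (None = not offered).
    cleartext = None if tls_only else allowed(mechs, plain_opts)
    tls = allowed(mechs, tls_opts)
    return {"cleartext": cleartext, "tls": tls,
            "fatal": cleartext == [] or tls == []}

# Constructed sample input based on the settings quoted in the thread.
SMTPD_CONF = """pwcheck_method: authdaemond
mech_list: login plain
"""
BROKEN = """smtpd_sasl_security_options = noplaintext, noanonymous
smtpd_sasl_tls_security_options = noanonymous
"""
FIXED = BROKEN + "smtpd_tls_auth_only = yes\n"

if __name__ == "__main__":
    print("broken:", audit(BROKEN, SMTPD_CONF))
    print("fixed: ", audit(FIXED, SMTPD_CONF))
```

An empty cleartext list corresponds to the "no applicable SASL mechanisms" warning in the original log; None means AUTH is simply not announced until the session is encrypted.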