[TriLUG] debian stable, postfix and smtp-auth (via saslauthd)

Mark Kempster mark at kempster.org
Fri Mar 5 11:44:03 EST 2004


Help needed with postfix and smtp-auth on debian stable.

I'm fairly certain this has been covered before, but I can't find an
idiot-proof reference in the trilug mailing lists. Google has brought no
joy, so I figure I'll ask outright.

I've got a debian stable mail server running postfix that's been humming
right along for the past couple years. For various & sundry reasons, I'm
going to have to start grabbing mail from outside my local network, so
it's time to set up postfix+smtp-auth.

I'm attempting to use postfix -> saslauthd -> pam -> /etc/passwd
in an effort to avoid maintaining a separate sasldb, and synchronizing
password files in a chroot jail.


I seem to be at the point where TLS seems to be working - at least, to
the extent that running

  sudo openssl s_client -connect localhost:465

indicates that the things are ok. I get all sorts of goodies about the
certificate and the public key.


I'm able to test saslauthd like so

  sudo  /usr/sbin/testsaslauthd -u <username> -p <password>
  0: OK "Success."
  (if I test with an incorrect user/pass it complains appropriately)

I've got postfix hooked to saslauthd (/etc/postfix/sasl/smtpd.conf),
and saslauthd hooked to pam (/etc/pam.d/smtpd), but something's not correct.
A sample session attempting to 'AUTH PLAIN'

  mark@jupiter:~$ telnet localhost 25
  Trying 127.0.0.1...
  Connected to localhost.
  Escape character is '^]'.
  220 mail.kempster.org ESMTP Postfix (Debian/GNU)
  EHLO example.com
  250-mail.kempster.org
  250-PIPELINING
  250-SIZE 10240000
  250-VRFY
  250-ETRN
  250-STARTTLS
  250-AUTH LOGIN PLAIN CRAM-MD5 GSSAPI DIGEST-MD5
  250-XVERP
  250 8BITMIME
  AUTH PLAIN YW51AGFudQBBbnU=
  535 Error: authentication failed


ends up writing this to /var/log/mail.info

  postfix/smtpd[4143]: warning: SASL authentication problem: unrecognized plaintext verifier saslauthd
  postfix/smtpd[4143]: warning: localhost[127.0.0.1]: SASL PLAIN authentication failed

I'm assuming the hook between postfix and saslauthd is bad, but I'm not
sure what the remedy is, nor where to look.

Any pointers (solutions or documentation) greatly appreciated.
Thanks (a ton) in advance.
- Mark




Here are a couple tidbits about installed packages and config files, on
the off chance that somebody wearing the Captain Obvious cape can help out.

mark@jupiter:~$ dpkg --list | grep postfix
ii  postfix        1.1.11-0.woody A high-performance mail transport agent
ii  postfix-doc    1.1.11-0.woody Postfix documentation
ii  postfix-ldap   1.1.11-0.woody LDAP map support for Postfix
ii  postfix-pcre   1.1.11-0.woody PCRE map support for Postfix
ii  postfix-tls    1.1.11+tls0.7. TLS and SASL support for Postfix

mark@jupiter:~$ dpkg --list | grep sasl
ii  libsasl-digest 1.5.27-3       DIGEST-MD5 module for SASL
ii  libsasl-gssapi 1.5.24-15      Pluggable Authentication Modules for SASL -
ii  libsasl-module 1.5.27-3       Basic Pluggable Authentication Modules for S
ii  libsasl2       2.1.15-5.2     Authentication abstraction library
ii  libsasl2-modul 2.1.15-5.2     Pluggable Authentication Modules for SASL
ii  libsasl7       1.5.27-3       Authentication abstraction library.
ii  sasl-bin       1.5.27-3       Programs for manipulating the SASL users dat
ii  sasl2-bin      2.1.15-5.2     Programs for manipulating the SASL users dat


mark@jupiter:~$ cat /etc/postfix/sasl/smtpd.conf
pwcheck_method: saslauthd


mark@jupiter:~$ ls -l /etc/pam.d/smtp*
-rw-r--r--    1 root     root          163 Mar  4 22:07 /etc/pam.d/smtp
lrwxrwxrwx    1 root     root            4 Mar  5 11:24 /etc/pam.d/smtpd -> smtp


mark@jupiter:~$ cat /etc/pam.d/smtp
#%PAM-1.0

auth     required       pam_unix_auth.so
account  required       pam_unix_acct.so
password required       pam_unix_passwd.so
session  required       pam_unix_session.so



mark@jupiter:~$ ps -ef | grep saslauthd
root      4058     1  0 10:26 ?        00:00:00 /usr/sbin/saslauthd -a pam
root      4059  4058  0 10:26 ?        00:00:00 /usr/sbin/saslauthd -a pam
root      4060  4058  0 10:26 ?        00:00:00 /usr/sbin/saslauthd -a pam
root      4061  4058  0 10:26 ?        00:00:00 /usr/sbin/saslauthd -a pam
root      4062  4058  0 10:26 ?        00:00:00 /usr/sbin/saslauthd -a pam



grep smtp /etc/postfix/master.cf
# kempster 2003-nov-26: make sure smtpd is not chrooted
smtp      inet  n       -       n       -       -       smtpd
smtps     inet  n       -       n       -       -       smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
587       inet  n       -       n       -       -       smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes



grep ^smtpd_ /etc/postfix/main.cf
smtpd_sasl_auth_enable          = yes
smtpd_sasl_security_options     = noanonymous
smtpd_recipient_restrictions = permit_tls_clientcerts,permit_sasl_authenticated,permit_mynetworks, check_relay_domains
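
Added example, not part of the original post: the telnet session above shows AUTH advertised on port 25 with no TLS negotiated, and the `AUTH PLAIN` argument is only base64 over `authzid NUL authcid NUL passwd` (RFC 4616). The function names below are this example's own; the EHLO lines and token are copied from the session in the post.

```python
import base64

CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}  # password recoverable by anyone who sees the bytes

def decode_sasl_plain(token_b64):
    """Split an RFC 4616 PLAIN response into (authzid, authcid, passwd)."""
    raw = base64.b64decode(token_b64, validate=True)
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("expected authzid NUL authcid NUL passwd")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    if not authcid or not passwd:
        raise ValueError("authcid and passwd must be non-empty")
    return authzid, authcid, passwd

def encode_sasl_plain(authcid, passwd, authzid=""):
    """Build the argument a client sends after 'AUTH PLAIN '."""
    return base64.b64encode(f"{authzid}\0{authcid}\0{passwd}".encode("utf-8")).decode("ascii")

def cleartext_mechs_offered(ehlo_lines, tls_active):
    """Return PLAIN/LOGIN if the EHLO reply advertises them on a session without TLS."""
    offered = set()
    for line in ehlo_lines:
        line = line.strip()
        if not line.startswith("250"):
            continue
        words = line[4:].replace("=", " ").split()  # also accepts the old "AUTH=..." form
        if words and words[0].upper() == "AUTH":
            offered.update(w.upper() for w in words[1:])
    return [] if tls_active else sorted(offered & CLEARTEXT_MECHS)

# Lines copied from the telnet session in the post (port 25, no STARTTLS issued).
EHLO_REPLY = [
    "250-mail.kempster.org",
    "250-STARTTLS",
    "250-AUTH LOGIN PLAIN CRAM-MD5 GSSAPI DIGEST-MD5",
    "250 8BITMIME",
]
TOKEN_FROM_POST = "YW51AGFudQBBbnU="

if __name__ == "__main__":
    authzid, authcid, _passwd = decode_sasl_plain(TOKEN_FROM_POST)
    print("authzid=%r authcid=%r (passwd decoded, not printed)" % (authzid, authcid))
    print("cleartext mechs without TLS:", cleartext_mechs_offered(EHLO_REPLY, tls_active=False))
```

Running the check against the EHLO reply of each listener (25, 465, 587) shows which ones would accept a password before the channel is encrypted.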




