
RV: Postfix + LDAP + SASL without TLS



Hi to all:

      I've got a problem configuring a Postfix mail server using SASL authentication.

I followed the HOW-TOs found at tldp.org and on other sites, and everything goes fine until I try to add the SASL authentication.

I don't want to use TLS or SSL encryption on the SMTP server, just SASL v2 authentication, but I can't get it to work: SASL must authenticate using the "saslauthd" daemon and look up users in an LDAP server.

 

My Linux distribution is Debian 3.1 (Sarge) and I installed every package with "apt-get"; nothing has been compiled, so my configuration folders are the defaults for Debian.

 

This is the output of the "postconf -n" command:

 

alias_database = hash:/etc/aliases

alias_maps = hash:/etc/aliases

append_dot_mydomain = no

biff = no

broken_sasl_auth_clients = yes

config_directory = /etc/postfix

content_filter = smtp-amavis:[localhost]:10024

inet_interfaces = loopback-only

local_recipient_maps = unix:passwd.byname $alias_maps

local_transport = local

mailbox_command = procmail -a "$EXTENSION"

mailbox_size_limit = 0

mydestination = $myhostname,$mydomain,$localhost.$mydomain,/etc/postfix/mydestination

mydomain = interlogical.com

myhostname = desarrollo.interlogical.com

mynetworks = 127.0.0.0/8

myorigin = $mydomain

recipient_delimiter = +

relayhost =

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)

smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination

smtpd_sasl_application_name = smtpd

smtpd_sasl_auth_enable = yes

smtpd_sasl_local_domain = $mydomain

smtpd_sasl_security_options = noanonymous

virtual_gid_maps = static:108

virtual_uid_maps = static:105

 

I've attached the "saslfinger -s" output for two runs: one with saslauthd started outside the postfix chroot and another with it started inside the postfix chroot.

 

I know my problem is related to the fact that Postfix on Debian runs inside a chroot and can't connect to the saslauthd daemon, but if I start saslauthd inside the postfix chroot with these defaults:

 

# This needs to be uncommented before saslauthd will be run automatically

START=yes

 

# You must specify the authentication mechanisms you wish to use.

# This defaults to "pam" for PAM support, but may also include

# "shadow" or "sasldb", like this:

# MECHANISMS="pam shadow"

 

MECHANISMS="ldap"

 

CHROOTDIR="/var/spool/postfix"

PWDIR="${CHROOTDIR}/var/run/saslauthd"

PIDFILE="${PWDIR}/saslauthd.pid"

PARAMS="-m ${PWDIR} -O ${CHROOTDIR}/etc/saslauthd.conf"

 

I get a "Connection refused" result when I use the testsaslauthd utility. I would like to know how to start that daemon properly inside the postfix chroot; I hope some of you can help me with that.

 

Regards,

Alonso

saslfinger - postfix Cyrus sasl configuration mar jul 19 09:55:34 CEST 2005
version: 0.9.9.1
mode: server-side SMTP AUTH

-- basics --
Postfix: 2.1.5
System: Debian GNU/Linux 3.1 \n \l

-- smtpd is linked to --
	libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x4019f000)

-- active SMTP AUTH and TLS parameters for smtpd --
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous


-- listing of /usr/lib/sasl2 --
total 844
drwxr-xr-x   2 root root  4096 2005-07-18 19:15 .
drwxr-xr-x  40 root root  8192 2005-07-18 09:39 ..
-rw-r--r--   1 root root 13488 2004-10-16 23:02 libanonymous.a
-rw-r--r--   1 root root   851 2004-10-16 23:02 libanonymous.la
-rw-r--r--   1 root root 13824 2004-10-16 23:02 libanonymous.so
-rw-r--r--   1 root root 13824 2004-10-16 23:02 libanonymous.so.2
-rw-r--r--   1 root root 13824 2004-10-16 23:02 libanonymous.so.2.0.19
-rw-r--r--   1 root root 16298 2004-10-16 23:02 libcrammd5.a
-rw-r--r--   1 root root   837 2004-10-16 23:02 libcrammd5.la
-rw-r--r--   1 root root 16180 2004-10-16 23:02 libcrammd5.so
-rw-r--r--   1 root root 16180 2004-10-16 23:02 libcrammd5.so.2
-rw-r--r--   1 root root 16180 2004-10-16 23:02 libcrammd5.so.2.0.19
-rw-r--r--   1 root root 47516 2004-10-16 23:02 libdigestmd5.a
-rw-r--r--   1 root root   860 2004-10-16 23:02 libdigestmd5.la
-rw-r--r--   1 root root 43944 2004-10-16 23:02 libdigestmd5.so
-rw-r--r--   1 root root 43944 2004-10-16 23:02 libdigestmd5.so.2
-rw-r--r--   1 root root 43944 2004-10-16 23:02 libdigestmd5.so.2.0.19
-rw-r--r--   1 root root 13726 2004-10-16 23:02 liblogin.a
-rw-r--r--   1 root root   831 2004-10-16 23:02 liblogin.la
-rw-r--r--   1 root root 14028 2004-10-16 23:02 liblogin.so
-rw-r--r--   1 root root 14028 2004-10-16 23:02 liblogin.so.2
-rw-r--r--   1 root root 14028 2004-10-16 23:02 liblogin.so.2.0.19
-rw-r--r--   1 root root 31248 2004-10-16 23:02 libntlm.a
-rw-r--r--   1 root root   825 2004-10-16 23:02 libntlm.la
-rw-r--r--   1 root root 30660 2004-10-16 23:02 libntlm.so
-rw-r--r--   1 root root 30660 2004-10-16 23:02 libntlm.so.2
-rw-r--r--   1 root root 30660 2004-10-16 23:02 libntlm.so.2.0.19
-rw-r--r--   1 root root 20142 2004-10-16 23:02 libotp.a
-rw-r--r--   1 root root   825 2004-10-16 23:02 libotp.la
-rw-r--r--   1 root root 43184 2004-10-16 23:02 libotp.so
-rw-r--r--   1 root root 43184 2004-10-16 23:02 libotp.so.2
-rw-r--r--   1 root root 43184 2004-10-16 23:02 libotp.so.2.0.19
-rw-r--r--   1 root root 13886 2004-10-16 23:02 libplain.a
-rw-r--r--   1 root root   831 2004-10-16 23:02 libplain.la
-rw-r--r--   1 root root 14096 2004-10-16 23:02 libplain.so
-rw-r--r--   1 root root 14096 2004-10-16 23:02 libplain.so.2
-rw-r--r--   1 root root 14096 2004-10-16 23:02 libplain.so.2.0.19
-rw-r--r--   1 root root 21798 2004-10-16 23:02 libsasldb.a
-rw-r--r--   1 root root   852 2004-10-16 23:02 libsasldb.la
-rw-r--r--   1 root root 18692 2004-10-16 23:02 libsasldb.so
-rw-r--r--   1 root root 18692 2004-10-16 23:02 libsasldb.so.2
-rw-r--r--   1 root root 18692 2004-10-16 23:02 libsasldb.so.2.0.19




-- content of /etc/postfix/sasl/smtpd.conf --
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN

-- active services in /etc/postfix/master.cf --
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
smtp      inet  n       -       n       -       -       smtpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       -       300     1       qmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -d -t$nexthop -f$sender $recipient
scalemail-backend unix	-	n	n	-	2	pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}


smtp-amavis		unix	-	-	y	-	2	smtp
  -o smtp_data_done_timeout=1200 -o disable_dns_lookups=yes
127.0.0.1:10025	inet	n	-	y	-	-	smtpd 
  -o content_filter= -o local_recipient_maps= -o relay_recipient_maps= -o smtpd_restriction_classes= -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes

-- mechanisms on localhost --
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN

-- end of saslfinger output --

saslfinger - postfix Cyrus sasl configuration mar jul 19 10:15:13 CEST 2005
version: 0.9.9.1
mode: server-side SMTP AUTH

-- basics --
Postfix: 2.1.5
System: Debian GNU/Linux 3.1 \n \l

-- smtpd is linked to --
	libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x4019f000)

-- active SMTP AUTH and TLS parameters for smtpd --
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous


-- listing of /usr/lib/sasl2 --
total 844
drwxr-xr-x   2 root root  4096 2005-07-18 19:15 .
drwxr-xr-x  40 root root  8192 2005-07-18 09:39 ..
-rw-r--r--   1 root root 13488 2004-10-16 23:02 libanonymous.a
-rw-r--r--   1 root root   851 2004-10-16 23:02 libanonymous.la
-rw-r--r--   1 root root 13824 2004-10-16 23:02 libanonymous.so
-rw-r--r--   1 root root 13824 2004-10-16 23:02 libanonymous.so.2
-rw-r--r--   1 root root 13824 2004-10-16 23:02 libanonymous.so.2.0.19
-rw-r--r--   1 root root 16298 2004-10-16 23:02 libcrammd5.a
-rw-r--r--   1 root root   837 2004-10-16 23:02 libcrammd5.la
-rw-r--r--   1 root root 16180 2004-10-16 23:02 libcrammd5.so
-rw-r--r--   1 root root 16180 2004-10-16 23:02 libcrammd5.so.2
-rw-r--r--   1 root root 16180 2004-10-16 23:02 libcrammd5.so.2.0.19
-rw-r--r--   1 root root 47516 2004-10-16 23:02 libdigestmd5.a
-rw-r--r--   1 root root   860 2004-10-16 23:02 libdigestmd5.la
-rw-r--r--   1 root root 43944 2004-10-16 23:02 libdigestmd5.so
-rw-r--r--   1 root root 43944 2004-10-16 23:02 libdigestmd5.so.2
-rw-r--r--   1 root root 43944 2004-10-16 23:02 libdigestmd5.so.2.0.19
-rw-r--r--   1 root root 13726 2004-10-16 23:02 liblogin.a
-rw-r--r--   1 root root   831 2004-10-16 23:02 liblogin.la
-rw-r--r--   1 root root 14028 2004-10-16 23:02 liblogin.so
-rw-r--r--   1 root root 14028 2004-10-16 23:02 liblogin.so.2
-rw-r--r--   1 root root 14028 2004-10-16 23:02 liblogin.so.2.0.19
-rw-r--r--   1 root root 31248 2004-10-16 23:02 libntlm.a
-rw-r--r--   1 root root   825 2004-10-16 23:02 libntlm.la
-rw-r--r--   1 root root 30660 2004-10-16 23:02 libntlm.so
-rw-r--r--   1 root root 30660 2004-10-16 23:02 libntlm.so.2
-rw-r--r--   1 root root 30660 2004-10-16 23:02 libntlm.so.2.0.19
-rw-r--r--   1 root root 20142 2004-10-16 23:02 libotp.a
-rw-r--r--   1 root root   825 2004-10-16 23:02 libotp.la
-rw-r--r--   1 root root 43184 2004-10-16 23:02 libotp.so
-rw-r--r--   1 root root 43184 2004-10-16 23:02 libotp.so.2
-rw-r--r--   1 root root 43184 2004-10-16 23:02 libotp.so.2.0.19
-rw-r--r--   1 root root 13886 2004-10-16 23:02 libplain.a
-rw-r--r--   1 root root   831 2004-10-16 23:02 libplain.la
-rw-r--r--   1 root root 14096 2004-10-16 23:02 libplain.so
-rw-r--r--   1 root root 14096 2004-10-16 23:02 libplain.so.2
-rw-r--r--   1 root root 14096 2004-10-16 23:02 libplain.so.2.0.19
-rw-r--r--   1 root root 21798 2004-10-16 23:02 libsasldb.a
-rw-r--r--   1 root root   852 2004-10-16 23:02 libsasldb.la
-rw-r--r--   1 root root 18692 2004-10-16 23:02 libsasldb.so
-rw-r--r--   1 root root 18692 2004-10-16 23:02 libsasldb.so.2
-rw-r--r--   1 root root 18692 2004-10-16 23:02 libsasldb.so.2.0.19




-- content of /etc/postfix/sasl/smtpd.conf --
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN

-- active services in /etc/postfix/master.cf --
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
smtp      inet  n       -       -       -       -       smtpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       -       300     1       qmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -d -t$nexthop -f$sender $recipient
scalemail-backend unix	-	n	n	-	2	pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}


smtp-amavis		unix	-	-	y	-	2	smtp
  -o smtp_data_done_timeout=1200 -o disable_dns_lookups=yes
127.0.0.1:10025	inet	n	-	y	-	-	smtpd 
  -o content_filter= -o local_recipient_maps= -o relay_recipient_maps= -o smtpd_restriction_classes= -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes

-- mechanisms on localhost --
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN

-- end of saslfinger output --
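An added diagnostic for the chroot/socket problem described in this message; it is not part of Alonso's post nor of the Debian saslauthd or Postfix packages. It assumes Debian's layout: the Postfix chroot at /var/spool/postfix and the Cyrus library's default saslauthd socket path /var/run/saslauthd/mux as seen by smtpd (changeable with a `saslauthd_path:` line in smtpd.conf); the USER/PASSWORD placeholders and the script name are mine. It checks two things a practitioner would want before touching LDAP: whether the directory saslauthd was started with (-m, which is PWDIR in /etc/default/saslauthd above) is visible from inside the chroot at the path smtpd opens, and what state the socket file is in, because a unix-domain connect() to a socket file that nobody listens on fails with ECONNREFUSED ("Connection refused"), whereas a missing path fails with ENOENT. Note that testsaslauthd, run on the host, defaults to /var/run/saslauthd/mux and needs -f to be pointed at the socket inside the chroot; and that the two saslfinger attachments differ in exactly the relevant column, the chroot field of the "smtp inet" service being "n" in the first run and "-" (chrooted, the default) in the second.

```shell
#!/bin/sh
# Diagnostic for a chrooted Postfix smtpd talking to saslauthd over the mux socket.
# Added example, not code from the original post. Assumptions: Debian's layout,
# i.e. the Postfix chroot is /var/spool/postfix and saslauthd is started with -m
# pointing at a directory that holds the "mux" socket; both are arguments.

# Where the mux ends up from smtpd's point of view. $1 = Postfix chroot ("" if
# smtpd is not chrooted), $2 = the host-side directory given to saslauthd -m.
# Prints the in-chroot path, or UNREACHABLE (exit 1) when the -m directory lies
# outside the chroot, which is what Debian's default -m /var/run/saslauthd gives.
mux_chroot_view() {
    chroot_dir="$1"
    host_mux_dir="$2"
    if [ -z "$chroot_dir" ]; then
        printf '%s/mux\n' "$host_mux_dir"
        return 0
    fi
    case "$host_mux_dir" in
        "$chroot_dir"/*)
            printf '%s/mux\n' "${host_mux_dir#"$chroot_dir"}"
            ;;
        *)
            echo UNREACHABLE
            return 1
            ;;
    esac
}

# What connect() on a unix socket path will hit: a missing path fails with
# ENOENT, a socket file nobody listens on fails with ECONNREFUSED (the
# "Connection refused" from the post), a live socket connects. Only the file
# state is inspected here; whether a daemon is listening is left to testsaslauthd.
mux_state() {
    path="$1"
    if [ ! -e "$path" ]; then
        echo MISSING
    elif [ ! -S "$path" ]; then
        echo NOT_A_SOCKET
    else
        echo SOCKET
    fi
}

# testsaslauthd defaults to /var/run/saslauthd/mux on the host; -f makes it use
# the same socket the chrooted smtpd uses. USER/PASSWORD are placeholders.
testsaslauthd_cmd() {
    printf 'testsaslauthd -f %s/mux -s smtpd -u USER -p PASSWORD\n' "$1"
}

# $1 = Postfix chroot, $2 = host-side saslauthd -m directory (PWDIR on Debian).
diagnose() {
    chroot_dir="${1:-/var/spool/postfix}"
    host_mux_dir="${2:-/var/run/saslauthd}"
    view=$(mux_chroot_view "$chroot_dir" "$host_mux_dir") || {
        echo "smtpd in $chroot_dir cannot see $host_mux_dir/mux;"
        echo "start saslauthd with -m $chroot_dir/var/run/saslauthd (PWDIR in /etc/default/saslauthd)"
        return 1
    }
    echo "smtpd opens $view inside the chroot = $host_mux_dir/mux on the host"
    echo "socket state: $(mux_state "$host_mux_dir/mux")"
    # smtpd runs as the postfix user: it must be able to traverse this directory
    # and connect to the socket, so compare these modes with that user's groups.
    ls -ld "$host_mux_dir" "$host_mux_dir/mux" 2>/dev/null || true
    echo "verify with: $(testsaslauthd_cmd "$host_mux_dir")"
}

# Run as: sh saslchroot.sh /var/spool/postfix /var/spool/postfix/var/run/saslauthd
if [ $# -gt 0 ]; then
    diagnose "$@"
fi
```

With the PWDIR from the post, the script reports that smtpd sees /var/run/saslauthd/mux inside the chroot, which is the path the Cyrus library opens by default, and prints the testsaslauthd line with the matching -f. With Debian's stock -m /var/run/saslauthd it reports UNREACHABLE, which is the first run's situation. One caveat that has nothing to do with the chroot: PLAIN and LOGIN carry the password base64-encoded, which anyone who can see the session reverses trivially, so "no TLS" is only defensible here because inet_interfaces = loopback-only keeps this smtpd on 127.0.0.1 and no credential crosses a network; the same AUTH offer on a public interface without TLS would leak every password.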

