Postfix SASL broken after upgrading to 2.3.7-3

To: debian-user@lists.debian.org
Subject: Postfix SASL broken after upgrading to 2.3.7-3
From: Justin L Graham <jgraham@lucidillusion.org>
Date: Wed, 7 Mar 2007 05:57:08 -0600
Message-id: <[🔎] 7BBF4E1E-BEBA-4786-9531-1B176B59EA98@lucidillusion.org>

I have a mail server that is running testing and was updated lastnight. Immediately after the upgrade SMTP SASL authentication inPostfix broke. SASL still works properly from the "testsaslauthd"command and for Cyrus IMAP/POP. Postfix is still processing in-boundmail and works fine for un-authenticated out-bound mail. GSSAPI/Kerberos5 is my SASL mechanism.

When clients try to use SASL auth the smtpd process gets a signal11. If I alter /etc/postfix/master.cf to run smtpd with -v I get:

postfix/smtpd[13451]: match_hostname: client.host.fqdn ~? xxx.xxx.xxx.0/22

postfix/smtpd[13451]: match_hostaddr: xx.xxx.xxx.xx ~? xxx.xxx.xxx.0/22

postfix/smtpd[13451]: > client.host.fqdn[xx.xxx.xxx.xx]: 220server.host.fqdn ESMTP Postfixpostfix/smtpd[13451]: < client.host.fqdn[xx.xxx.xxx.xx]: EHLO[xx.xxx.xxx.xx]postfix/smtpd[13451]: > client.host.fqdn[xx.xxx.xxx.xx]: 250-server.host.fqdn

postfix/smtpd[13451]: > client.host.fqdn[xx.xxx.xxx.xx]: 250-PIPELINING

postfix/smtpd[13451]: > client.host.fqdn[xx.xxx.xxx.xx]: 250-SIZE20480000

postfix/smtpd[13451]: > client.host.fqdn[xx.xxx.xxx.xx]: 250-VRFY
postfix/smtpd[13451]: > client.host.fqdn[xx.xxx.xxx.xx]: 250-ETRN

postfix/smtpd[13451]: > client.host.fqdn[xx.xxx.xxx.xx]: 250-AUTHGSSAPI PLAIN NTLM LOGIN DIGEST-MD5 CRAM-MD5

postfix/smtpd[13451]: match_list_match: client.host.fqdn: no match
postfix/smtpd[13451]: match_list_match: xx.xxx.xxx.xx: no match

postfix/smtpd[13451]: > client.host.fqdn[xx.xxx.xxx.xx]: 250-AUTH=GSSAPI PLAIN NTLM LOGIN DIGEST-MD5 CRAM-MD5postfix/smtpd[13451]: > client.host.fqdn[xx.xxx.xxx.xx]: 250-ENHANCEDSTATUSCODES

postfix/smtpd[13451]: > client.host.fqdn[xx.xxx.xxx.xx]: 250-8BITMIME
postfix/smtpd[13451]: > client.host.fqdn[xx.xxx.xxx.xx]: 250 DSN

postfix/smtpd[13451]: < client.host.fqdn[xx.xxx.xxx.xx]: AUTH GSSAPI<AuthDataHere>postfix/smtpd[13451]: xsasl_cyrus_server_first: sasl_method GSSAPI,init_response <AuthDataHere>postfix/smtpd[13451]: xsasl_cyrus_server_first: decoded initialresponse `?????*?H???????

postfix/smtpd pid 13451 killed by signal 11
postfix/smtpd: bad command startup -- throttling

I don't have the older Postfix packages (2.3.4-2) available toattempt downgrading. I have attempted downgrading the libsasl* andsasl2-bin packages without success. I have also tried rebuilding thecyrus-sasl2 dev packages and then rebuilding Postfix using thosesources.


Output of 'postconf -n':

alias_database = hash:/etc/aliases
alias_maps = ldap:aliasdirectory
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
import_environment = KRB5_KTNAME=/etc/postfix/postfix.keytab
inet_interfaces = all
mailbox_size_limit = 0
mailbox_transport = lmtp:unix:/var/run/cyrus/socket/lmtp
message_size_limit = 20480000

mydestination = mydomain.here, mail.mydomain.here,server2.mydomain.here, server.mydomain.here, localhost.mydomain.here,localhost

myhostname = server.mydomain.here
mynetworks = 127.0.0.0/8, xxx.xxx.xxx.0/22, xxx.xxx.xxx.xxx/26
myorigin = /etc/mailname
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name

smtpd_client_restrictions = permit_mynetworks check_client_accesshash:/etc/postfix/banned_ips reject_rbl_clientrelays.ordb.org permitsmtpd_data_restrictions = check_policy_service unix:private/maillistpolicy reject_unauth_pipeliningreject_multi_recipient_bounce permit

smtpd_delay_reject = yes
smtpd_etrn_restrictions = permit_mynetworks     reject
smtpd_helo_required = yes

smtpd_helo_restrictions = permit_mynetworksreject_invalid_hostname reject_non_fqdn_sender permitsmtpd_recipient_restrictions = reject_unknown_sender_domainreject_unknown_recipient_domain permit_sasl_authenticatedreject_non_fqdn_recipient reject_non_fqdn_senderpermit_mynetworks reject_unauth_destinationcheck_recipient_access hash:/etc/postfix/recipient_accesscheck_policy_service inet:127.0.0.1:60000 check_policy_serviceunix:private/spfpolicy check_recipient_access hash:/etc/postfix/filtered_domains permit

smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = mydomain.here
smtpd_sasl_security_options = noanonymous

smtpd_sender_restrictions = permit_mynetworkspermit_sasl_authenticated reject_unknown_sender_domainreject_non_fqdn_sender reject_unknown_address check_sender_accesshash:/etc/postfix/sender_address permit

smtpd_tls_CAfile = /etc/ssl/certs/sf_issuing.crt
smtpd_tls_cert_file = /etc/ssl/certs/mail.mydomain.here.crt
smtpd_tls_key_file = /etc/ssl/certs/mail.mydomain.here.key
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom

If anyone has any insight on this I would greatly appreciate it.

Thanks,

-Justin

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Reply to:

Prev by Date: Re: A question about Apache &
Next by Date: Re: [OT] aargh.. the big swirl of offtopicness sucks me in, too. help!
Previous by thread: Re: How to reject spam with embedded graphics
Next by thread: Exec user change
Index(es):
- Date
- Thread