
Re: Issue with SASL authentication



Hi again!

On 24/05/17 21:21, Daniel Bareiro wrote:

>>> I am configuring SASL to authenticate against IMAP. When I try to
>>> authenticate, I get an error:
>>>
>>> ------------------------------------------------------------------
>>> root@Wserver2:~# saslpasswd2 -c daniel
>>> ------------------------------------------------------------------
>>> root@Wserver2:~# testsaslauthd -u daniel -p password
>>> 0: NO "authentication failed"
>>> ------------------------------------------------------------------
>>>
>>> However it works when I provide the realm:
>>>
>>> ------------------------------------------------------------------
>>> root@Wserver2:~# testsaslauthd -u daniel -r server2 -p password
>>> 0: OK "Success."
>>> ------------------------------------------------------------------
>>>
>>> It's strange because I have another server where it works without problems:
>>>
>>> ------------------------------------------------------------------
>>> root@mail:~# testsaslauthd -u daniel -p password
>>> 0: OK "Success."
>>> ------------------------------------------------------------------
>>>
>>> Both hosts have Debian Jessie and the SASL configuration is the same:
>>>
>>> ------------------------------------------------------------------
>>> root@mail:~# grep ^[^#] /etc/default/saslauthd
>>> START=yes
>>> DESC="SASL Authentication Daemon"
>>> NAME="saslauthd"
>>> MECHANISMS="sasldb"
>>> MECH_OPTIONS=""
>>> THREADS=5
>>> OPTIONS="-c -m /var/run/saslauthd"
>>> ------------------------------------------------------------------
>>> root@server2:~# grep ^[^#] /etc/default/saslauthd
>>> START=yes
>>> DESC="SASL Authentication Daemon"
>>> NAME="saslauthd"
>>> MECHANISMS="sasldb"
>>> MECH_OPTIONS=""
>>> THREADS=5
>>> OPTIONS="-c -m /var/run/saslauthd"
>>> ------------------------------------------------------------------
>>>
>>> "mail" has some updates to apply, but I do not see any differences in
>>> the versions of the SASL packages:
>>>
>>> ------------------------------------------------------------------
>>> root@mail:~# aptitude show libsasl2-2 | grep Versión
>>> Versión: 2.1.26.dfsg1-13+deb8u1
>>>
>>> root@mail:~# aptitude show libsasl2-modules | grep Versión
>>> Versión: 2.1.26.dfsg1-13+deb8u1
>>>
>>> root@mail:~# aptitude show sasl2-bin | grep Versión
>>> Versión: 2.1.26.dfsg1-13+deb8u1
>>> ------------------------------------------------------------------
>>>
>>> ------------------------------------------------------------------
>>> root@server2:~# aptitude show libsasl2-2 | grep Version
>>> Version: 2.1.26.dfsg1-13+deb8u1
>>>
>>> root@server2:~# aptitude show libsasl2-modules | grep Version
>>> Version: 2.1.26.dfsg1-13+deb8u1
>>>
>>> root@server2:~# aptitude show sasl2-bin | grep Version
>>> Version: 2.1.26.dfsg1-13+deb8u1
>>> ------------------------------------------------------------------
>>>
>>> In this case I'm not doing the authentication test against IMAP but
>>> directly against SASL, so I guess the problem will be directly related
>>> to the SASL configuration itself.
>>>
>>> Any thoughts about what might differ between the two environments?

>> In case it is useful, when the authentication fails I get this in
>> /var/log/auth.log:
>>
>> ------------------------------------------------------------------
>> May 24 15:31:38 server2 saslauthd[2701]: do_auth         : auth failure:
>> [user=daniel] [service=imap] [realm=] [mech=sasldb] [reason=Unknown]
>> ------------------------------------------------------------------
>>
>> It seems that authentication is done through IMAP and I have previously
>> installed the Cyrus packages.

> Apparently, despite this difference, the SASL authentication via IMAP is
> working.
> 
> /var/log/mail.log:
> 
> ------------------------------------------------------------------
> May 24 19:38:51 server2 cyrus/imaps[3711]: starttls: TLSv1.2 with cipher
> ECDHE-RSA-AES128-SHA (128/128 bits new) no authentication
> May 24 19:38:51 server2 cyrus/imaps[3711]: login: host.domain.tld.net
> [x.y.z.t] daniel CRAM-MD5+TLS User logged in
> SESSIONID=<cyrus-3711-1495665531-1>
> May 24 19:38:51 server2 cyrus/imaps[3711]: created decompress buffer of
> 4102 bytes
> May 24 19:38:51 server2 cyrus/imaps[3711]: created compress buffer of
> 4102 bytes
> May 24 19:38:51 server2 cyrus/imaps[3711]: client id: "name"
> "Thunderbird" "version" "45.8.0"
> May 24 19:38:53 server2 cyrus/master[3800]: about to exec
> /usr/lib/cyrus/bin/imapd
> May 24 19:38:53 server2 cyrus/imaps[3800]: executed
> May 24 19:38:53 server2 cyrus/imaps[3800]: accepted connection
> May 24 19:38:53 server2 cyrus/imaps[3800]: imapd:Loading hard-coded DH
> parameters
> May 24 19:38:53 server2 cyrus/imaps[3800]: SSL_accept() incomplete -> wait
> May 24 19:38:54 server2 cyrus/imaps[3800]: SSL_accept() succeeded -> done
> ------------------------------------------------------------------
> 
> But SMTP authentication for sending mail is not working.
> 
> /var/log/auth.log:
> 
> ------------------------------------------------------------------
> May 24 20:12:38 server2 saslauthd[3685]: do_auth         : auth failure:
> [user=daniel] [service=smtp] [realm=] [mech=sasldb] [reason=Unknown]
> May 24 20:12:38 server2 saslauthd[3683]: do_auth         : auth failure:
> [user=daniel] [service=smtp] [realm=] [mech=sasldb] [reason=Unknown]
> May 24 20:12:56 server2 saslauthd[3684]: do_auth         : auth failure:
> [user=daniel] [service=smtp] [realm=] [mech=sasldb] [reason=Unknown]
> May 24 20:12:56 server2 saslauthd[3682]: do_auth         : auth failure:
> [user=daniel] [service=smtp] [realm=] [mech=sasldb] [reason=Unknown]
> ------------------------------------------------------------------
> 
> /var/log/mail.log:
> 
> ------------------------------------------------------------------
> May 24 20:12:37 server2 postfix/smtpd[4122]: Anonymous TLS connection
> established from unknown[x.y.z.t] TLSv1.2 with cipher
> ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
> May 24 20:12:38 server2 postfix/smtpd[4122]: warning: SASL
> authentication failure: Password verification failed
> May 24 20:12:38 server2 postfix/smtpd[4122]: warning: unknown[x.y.z.t]
> SASL PLAIN authentication failed: authentication failure
> May 24 20:12:38 server2 postfix/smtpd[4122]: warning: unknown[x.y.z.t]
> SASL LOGIN authentication failed: authentication failure
> May 24 20:12:56 server2 postfix/smtpd[4122]: warning: SASL
> authentication failure: Password verification failed
> May 24 20:12:56 server2 postfix/smtpd[4122]: warning: unknown[x.y.z.t]
> SASL PLAIN authentication failed: authentication failure
> May 24 20:12:56 server postfix/smtpd[4122]: warning: unknown[x.y.z.t]
> SASL LOGIN authentication failed: authentication failure
> ------------------------------------------------------------------

Well, I was comparing the configuration of both mail servers and doing
several more tests. I could not find the difference yet, but it seems
that the SMTP authentication error is also related to the fact that
authentication fails if the realm is not provided.

-----------------------------------------------------------------------
root@server2:~# /usr/sbin/saslauthd -a sasldb -V -c -m
/var/run/saslauthd -n 5 -d
saslauthd[6020] :main            : num_procs  : 5
saslauthd[6020] :main            : mech_option: NULL
saslauthd[6020] :main            : run_path   : /var/run/saslauthd
saslauthd[6020] :main            : auth_mech  : sasldb
saslauthd[6020] :cache_alloc_mm  : mmaped shared memory segment on file:
/var/run/saslauthd/cache.mmap
saslauthd[6020] :cache_init      : bucket size: 96 bytes
saslauthd[6020] :cache_init      : stats size : 36 bytes
saslauthd[6020] :cache_init      : timeout    : 28800 seconds
saslauthd[6020] :cache_init      : cache table: 985828 total bytes
saslauthd[6020] :cache_init      : cache table: 1711 slots
saslauthd[6020] :cache_init      : cache table: 10266 buckets
saslauthd[6020] :cache_init_lock : flock file opened at
/var/run/saslauthd/cache.flock
saslauthd[6020] :ipc_init        : using accept lock file:
/var/run/saslauthd/mux.accept
saslauthd[6020] :detach_tty      : master pid is: 0
saslauthd[6020] :ipc_init        : listening on socket:
/var/run/saslauthd/mux
saslauthd[6020] :main            : using process model
saslauthd[6020] :have_baby       : forked child: 6021
saslauthd[6020] :have_baby       : forked child: 6022
saslauthd[6020] :have_baby       : forked child: 6023
saslauthd[6020] :have_baby       : forked child: 6024
saslauthd[6020] :get_accept_lock : acquired accept lock
saslauthd[6020] :rel_accept_lock : released accept lock
saslauthd[6024] :get_accept_lock : acquired accept lock
-----------------------------------------------------------------------

Without using the realm to authenticate against SMTP:

-----------------------------------------------------------------------
root@server2:/etc/postfix# testsaslauthd -u daniel -p password -s smtp
0: NO "authentication failed"
-----------------------------------------------------------------------
May 25 12:54:19 server2 saslauthd[6023]: rel_accept_lock : released
accept lock
May 25 12:54:19 server2 saslauthd[6022]: get_accept_lock : acquired
accept lock
May 25 12:54:19 server2 saslauthd[6023]: cache_get_rlock : attempting a
read lock on slot: 750
May 25 12:54:19 server2 saslauthd[6023]: cache_lookup    :
[login=daniel] [service=smtp] [realm=]: not found, update pending
May 25 12:54:19 server2 saslauthd[6023]: cache_un_lock   : attempting to
release lock on slot: 750
May 25 12:54:19 server2A saslauthd[6023]: do_auth         : auth
failure: [user=daniel] [service=smtp] [realm=] [mech=sasldb]
[reason=Unknown]
May 25 12:54:19 server2 saslauthd[6023]: do_request      : response: NO
-----------------------------------------------------------------------

Using the realm to authenticate against SMTP:

-----------------------------------------------------------------------
root@server2:/etc/postfix# testsaslauthd -u daniel -p passwprd -s smtp
-r server2
0: OK "Success."
-----------------------------------------------------------------------
May 25 12:53:20 server2 saslauthd[6024]: rel_accept_lock : released
accept lock
May 25 12:53:20 server2 saslauthd[6023]: get_accept_lock : acquired
accept lock
May 25 12:53:20 server2 saslauthd[6024]: cache_get_rlock : attempting a
read lock on slot: 1143
May 25 12:53:20 server2 saslauthd[6024]: cache_lookup    :
[login=daniel] [service=smtp] [realm=server2]: found with valid passwd
May 25 12:53:20 server2 saslauthd[6024]: cache_un_lock   : attempting to
release lock on slot: 1143
May 25 12:53:20 server2 saslauthd[6024]: do_auth         : auth success
(cached): [user=daniel] [service=smtp] [realm=server2]
May 25 12:53:20 server2 saslauthd[6024]: do_request      : response: OK
-----------------------------------------------------------------------

So it all comes down to saslauthd not being able to authenticate without
the realm. What I cannot find out is why this happens. I do not see any
difference in the configuration between both servers.

In any case, it seems that Cyrus IMAP is able to run smoothly, but it's
not the same with Postfix. Anyway, I'm still thinking about what can differ
between both servers so that the authentication without realm does not
work here.

All comments are greatly appreciated.


Kind regards,
Daniel
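A small log-triage helper, added here as an illustration and not part of the thread or of the SASL tools, that parses saslauthd `do_auth` lines of the kind quoted above and reports whether failures are confined to requests that carry an empty realm while successes carry one. The sample lines are constructed in the same format as the quoted auth.log entries.

```python
import re
from collections import Counter

# Constructed sample lines in the saslauthd do_auth format seen in auth.log
# (same shape as the quoted entries; values are illustrative).
SAMPLE_LOG = """\
May 24 20:12:38 server2 saslauthd[3685]: do_auth         : auth failure: [user=daniel] [service=smtp] [realm=] [mech=sasldb] [reason=Unknown]
May 24 20:12:56 server2 saslauthd[3684]: do_auth         : auth failure: [user=daniel] [service=smtp] [realm=] [mech=sasldb] [reason=Unknown]
May 25 12:53:20 server2 saslauthd[6024]: do_auth         : auth success (cached): [user=daniel] [service=smtp] [realm=server2]
May 24 15:31:38 server2 saslauthd[2701]: do_auth         : auth failure: [user=daniel] [service=imap] [realm=] [mech=sasldb] [reason=Unknown]
May 25 12:53:20 server2 saslauthd[6024]: do_request      : response: OK
"""

# Matches the "do_auth : auth success|failure" prefix and keeps the bracketed fields.
DO_AUTH_RE = re.compile(
    r"saslauthd\[(?P<pid>\d+)\]: do_auth\s*: auth (?P<result>success|failure)"
    r"(?: \(cached\))?: (?P<fields>.*)$"
)
# Each field looks like [key=value]; value may be empty, as in [realm=].
FIELD_RE = re.compile(r"\[(\w+)=([^\]]*)\]")


def parse_do_auth(line):
    """Return a dict for one do_auth line, or None for any other log line."""
    m = DO_AUTH_RE.search(line)
    if not m:
        return None
    rec = {"pid": int(m.group("pid")), "result": m.group("result")}
    rec.update(FIELD_RE.findall(m.group("fields")))
    return rec


def realm_outcomes(log_text):
    """Count do_auth results keyed by (service, realm or '<empty>', result)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_do_auth(line)
        if rec:
            counts[(rec["service"], rec.get("realm") or "<empty>", rec["result"])] += 1
    return counts


def empty_realm_only_failures(log_text):
    """True when every failure has an empty realm and no success does."""
    counts = realm_outcomes(log_text)
    fail_realms = {realm for (_, realm, res) in counts if res == "failure"}
    ok_realms = {realm for (_, realm, res) in counts if res == "success"}
    return bool(fail_realms) and fail_realms == {"<empty>"} and "<empty>" not in ok_realms
```

If the check returns True for a real auth.log, the mismatch lies in how the realm is defaulted when the client does not send one, not in the password itself.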
