openSuSE 11.4 Postfix - sasl2 - sasldb2

Dienstag, 05. Juli 2011 22:10:22

Ich hatte schon an die Mailingliste gepostet, das kam aber irgendwie nicht an. Deshalb hier noch mal meine Frage:
-------------------------SNIP---------------------------------
Hallo,
ich möchte gerne postfix gegen saslauthd (sasldb2) prüfen lassen (SMTP-AUTH)
Das schlägt fehl.
Habe nun seit 3 Tagen diverse Blogs/logs/foren/google durchsucht und diverse
Tests/Konfigurationen ausprobiert. Nichts hat geholfen.

Vielleicht hat ja jemand von Euch das schon hinbekommen.

Die Ausgangslage:

Ich möchte user gegen /etc/sasldb2 prüfen. Die User sind NICHT in
/etc/passwd - shadow enthalten.

Pakete:
sasl:
cyrus-sasl-gssapi-2.1.23-15.1.i586
cyrus-sasl-crammd5-2.1.23-15.1.i586
cyrus-sasl-plain-2.1.23-15.1.i586
cyrus-sasl-saslauthd-2.1.23-15.2.i586
cyrus-sasl-devel-2.1.23-15.1.i586
cyrus-sasl-2.1.23-15.1.i586
cyrus-sasl-digestmd5-2.1.23-15.1.i586

postfix:
postfix-debuginfo-2.8.3-89.1.i586
postfix-2.8.3-89.1.i586
postfix-doc-2.8.3-89.1.noarch

System:
uname -a
Linux ispcp2 2.6.37.6-0.5-desktop #1 SMP PREEMPT 2011-04-25 21:48:33
+0200 i686 i686 i386 GNU/Linux

saslfinger -s:

saslfinger - postfix Cyrus sasl configuration Tue Jul 5 16:30:07 CEST 2011
version: 1.0
mode: server-side SMTP AUTH

-- basics --
Postfix: 2.8.3
System: Welcome to openSUSE 11.4 "Celadon" - Kernel \r (\l).

-- smtpd is linked to --
libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb768c000)

-- active SMTP AUTH and TLS parameters for smtpd --
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous


-- listing of /usr/lib/sasl2 --
total 652
drwxr-xr-x 2 root root 4096 Jul 3 10:30 .
drwxr-xr-x 171 root root 69632 Jul 3 18:04 ..
-rwxr-xr-x 1 root root 18068 Feb 18 19:18 libanonymous.so
-rwxr-xr-x 1 root root 18068 Feb 18 19:18 libanonymous.so.2
-rwxr-xr-x 1 root root 18068 Feb 18 19:18 libanonymous.so.2.0.23
-rwxr-xr-x 1 root root 22160 Feb 18 19:18 libcrammd5.so
-rwxr-xr-x 1 root root 22160 Feb 18 19:18 libcrammd5.so.2
-rwxr-xr-x 1 root root 22160 Feb 18 19:18 libcrammd5.so.2.0.23
-rwxr-xr-x 1 root root 51124 Feb 18 19:18 libdigestmd5.so
-rwxr-xr-x 1 root root 51124 Feb 18 19:18 libdigestmd5.so.2
-rwxr-xr-x 1 root root 51124 Feb 18 19:18 libdigestmd5.so.2.0.23
-rwxr-xr-x 1 root root 30416 Feb 18 19:18 libgssapiv2.so
-rwxr-xr-x 1 root root 30416 Feb 18 19:18 libgssapiv2.so.2
-rwxr-xr-x 1 root root 30416 Feb 18 19:18 libgssapiv2.so.2.0.23
-rwxr-xr-x 1 root root 18064 Feb 18 19:18 liblogin.so
-rwxr-xr-x 1 root root 18064 Feb 18 19:18 liblogin.so.2
-rwxr-xr-x 1 root root 18064 Feb 18 19:18 liblogin.so.2.0.23
-rwxr-xr-x 1 root root 18064 Feb 18 19:18 libplain.so
-rwxr-xr-x 1 root root 18064 Feb 18 19:18 libplain.so.2
-rwxr-xr-x 1 root root 18064 Feb 18 19:18 libplain.so.2.0.23
-rwxr-xr-x 1 root root 22044 Feb 18 19:18 libsasldb.so
-rwxr-xr-x 1 root root 22044 Feb 18 19:18 libsasldb.so.2
-rwxr-xr-x 1 root root 22044 Feb 18 19:18 libsasldb.so.2.0.23

-- listing of /etc/sasl2 --
total 24
drwxr-xr-x 2 root root 4096 Jul 5 15:38 .
drwxr-xr-x 123 root root 12288 Jul 5 15:48 ..
-rw------- 1 root root 249 Jul 5 15:38 sample.conf
-rw------- 1 root root 249 Jul 5 15:38 smtpd.conf




-- content of /etc/sasl2/smtpd.conf --
log_level: 7

pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN

saslauthd_path: /var/spool/postfix/var/run/sasl2/mux
# saslauthd_path: /var/run/sasl2/mux

#pwcheck_method: saslauthd
#mech_list: PLAIN LOGIN
#autotransition:true


-- active services in /etc/postfix/master.cf --
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
smtp inet n - y - - smtpd -v

submission inet n - y - - smtpd
-o smtpd_etrn_restrictions=reject
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject



pickup fifo n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
-o fallback_relay=
showq unix n - y - - showq
error unix - - y - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache






ispcp-arpl unix - n n - - pipe
flags=O user=vmail argv=/srv/www/ispcp/engine/messenger/ispcp-arpl-msgr

maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
cyrus unix - n n - - pipe
user=cyrus argv=/usr/lib/cyrus/bin/deliver -e -r ${sender} -m
${extension} ${user}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail
($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop
$recipient
procmail unix - n n - - pipe
flags=R user=nobody argv=/usr/bin/procmail -t -m /etc/procmailrc
${sender} ${recipient}
retry unix - - n - - error
proxywrite unix - - n - 1 proxymap

-- mechanisms on localhost --
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN

-- end of saslfinger output --

postfix läuft im Jail (chroot)
(Anmerkung : auch ohne jail funktioniert es nicht)

l /var/spool/postfix/var/run/sasl2/
total 12
drwxr-xr-x 2 postfix root 4096 Jul 5 15:30 ./
drwxr-xr-x 3 root root 4096 Jul 5 15:30 ../
srwxrwxrwx 1 postfix root 0 Jul 5 15:30 mux=
-rw------- 1 postfix root 0 Jul 5 15:30 mux.accept
-rw------- 1 postfix root 6 Jul 5 15:30 saslauthd.pid

l /var/spool/postfix/etc/
total 804
drwxr-xr-x 4 root root 4096 Jul 2 16:32 ./
drwxr-xr-x 22 root root 4096 Jul 2 11:59 ../
-rw-r--r-- 1 root root 370 Feb 18 14:50 host.conf
-rw-r--r-- 1 root root 297 Jul 2 11:59 hosts
-rw-r--r-- 1 root root 2309 May 3 15:15 localtime
-rw-r--r-- 1 root root 1224 Jul 1 20:15 nsswitch.conf
drwxr-xr-x 2 root root 4096 Jul 3 18:04 pam.d/
-rw-r--r-- 1 root root 4165 Jul 3 17:58 passwd
-rw-r--r-- 1 root root 838 Jul 2 11:59 resolv.conf
drwxr-xr-x 2 root root 4096 Jul 3 18:04 sasl2/
-rw-rw-r-- 1 root postfix 12288 Jul 3 16:20 sasldb2
-rw-r--r-- 1 root root 764360 Feb 18 14:50 services

l /var/spool/postfix/etc/sasl2/
total 12
drwxr-xr-x 2 root root 4096 Jul 3 18:04 ./
drwxr-xr-x 4 root root 4096 Jul 2 16:32 ../
lrwxrwxrwx 1 root root 21 Jul 3 11:33 sample.conf ->
/etc/sasl2/smtpd.conf
-rw------- 1 root root 249 Jul 5 15:38 smtpd.conf

--------Anmerkung die sample ist zum testen gedacht -------
sasldblistusers2 | grep webmaster (die domains sind hier egalisiert)

webmaster@dom1.de: userPassword
webmaster@dom3.de: userPassword
webmaster@dom4.de: userPassword
webmaster@dom5.de: userPassword
webmaster@dom6.de: userPassword
webmaster@dom7.de: userPassword
webmaster@dom8.de: userPassword
-------------------------SNIP---------------------------------

testen gegen sasldb2

testsaslauthd -u webmaster -p PASSWORT -r dom1.de -s smtp -f
/var/spool/postfix/var/run/sasl2/mux

postfix/var/run/sasl2/mux
0: NO "authentication failed"

teste ich gegen einen Account aus /etc/passwd

testsaslauthd -u user -p password -s smtp -f
/var/spool/postfix/var/run/sasl2/mux
0: OK "Success."

-------------------------SNIP---------------------------------
weitere Tests

cyrus_sasl_sample_server -s rcmd -p 8000

cyrus_sasl_sample_client -s rcmd -p 8000 -m PLAIN 127.0.0.1

receiving capability list... recv: {11}
LOGIN PLAIN
LOGIN PLAIN
please enter an authentication id: webmaster@dom1.de
please enter an authorization id: webmaster@dom1.de
Password:
send: {5}
PLAIN
send: {1}
Y
send: {49}
webmaster@dom1.de[0]webmaster@dom1.de[0]password
successful authentication
closing connection

-------------------------SNIP---------------------------------
oder
cyrus_sasl_sample_client -s rcmd -p 8000 -m LOGIN 127.0.0.1
receiving capability list... recv: {11}
LOGIN PLAIN
LOGIN PLAIN
send: {5}
LOGIN
send: {1}
N
recv: {9}
Username:
please enter an authentication id: webmaster@dom1.de
Password:
send: {20}
webmaster@dom1.de
recv: {9}
Password:
send: {7}
password
successful authentication
closing connection

-------------------------SNIP---------------------------------
Also positiv

per telnet:

telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 ispcp2.tuxplay.de ESMTP ispCP 1.0.7 OMEGA Managed
EHLO maschine
250-ispcp2.tuxplay.de
250-PIPELINING
250-SIZE
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH LOGIN d2VibWFzdGVyQGRvbTEuZGU=
334 UGFzc3dvcmQ6
cGFzc3dvcmQ=
Connection closed by foreign host.












/var/log/mail:
Jul 5 16:59:13 ispcp2 postfix/smtpd[29623]: <
ispcp2.tuxplay.de.local[127.0.0.1]: AUTH LOGIN <base64:webmaster@domain1.de>
Jul 5 16:59:13 ispcp2 postfix/smtpd[29623]: xsasl_cyrus_server_first:
sasl_method LOGIN, init_response <base64:webmaster@domain1.de>
Jul 5 16:59:13 ispcp2 postfix/smtpd[29623]: xsasl_cyrus_server_first:
decoded initial response webmaster@dom1.de
Jul 5 16:59:13 ispcp2 postfix/smtpd[29623]:
xsasl_cyrus_server_auth_response: uncoded server challenge: Password:
Jul 5 16:59:13 ispcp2 postfix/smtpd[29623]: >
ispcp2.tuxplay.de.local[127.0.0.1]: 334 UGFzc3dvcmQ6
Jul 5 16:59:21 ispcp2 postfix/smtpd[29623]: <
ispcp2.tuxplay.de.local[127.0.0.1]: <base64:password>
Jul 5 16:59:21 ispcp2 postfix/smtpd[29623]: xsasl_cyrus_server_next:
decoded response: password
Jul 5 16:59:21 ispcp2 postfix/master[28789]: warning: process
/usr/lib/postfix/smtpd pid 29623 killed by signal 11
Jul 5 16:59:21 ispcp2 postfix/master[28789]: warning:
/usr/lib/postfix/smtpd: bad command startup -- throttling


Thats it.

Und hier hänge ich seit Tagen fest.
Irgendwelche Ideen, wo ich falsch liege?
Was vergessen habe?
Was falsch geschrieben habe?

Danke für jeden Hinweis

-------------------------SNIP---------------------------------