openSuSE 11.4 Postfix - sasl2 - sasldb2

Forum › openSuSE 11.4 Postfix – sasl2 – sasldb2

Klaus Fichtner – Dienstag, 05. Juli 2011 22:10 Uhr

Ich hatte schon an die Mailingliste gepostet, das kam aber irgendwie nicht an. Deshalb hier noch mal meine Frage:
————————-SNIP———————————
Hallo,
ich möchte gerne postfix gegen saslauthd (sasldb2) prüfen lassen (SMTP-AUTH)
Das schlägt fehl.
Habe nun seit 3 Tagen diverse Blogs/logs/foren/google durchsucht und diverse
Tests/Konfigurationen ausprobiert. Nichts hat geholfen.

Vielleicht hat ja jemand von Euch das schon hinbekommen.

Die Ausgangslage:

Ich möchte user gegen /etc/sasldb2 prüfen. Die User sind NICHT in
/etc/passwd – shadow enthalten.

Pakete:
sasl:
cyrus-sasl-gssapi-2.1.23-15.1.i586
cyrus-sasl-crammd5-2.1.23-15.1.i586
cyrus-sasl-plain-2.1.23-15.1.i586
cyrus-sasl-saslauthd-2.1.23-15.2.i586
cyrus-sasl-devel-2.1.23-15.1.i586
cyrus-sasl-2.1.23-15.1.i586
cyrus-sasl-digestmd5-2.1.23-15.1.i586

postfix:
postfix-debuginfo-2.8.3-89.1.i586
postfix-2.8.3-89.1.i586
postfix-doc-2.8.3-89.1.noarch

System:
uname -a
Linux ispcp2 2.6.37.6-0.5-desktop #1 SMP PREEMPT 2011-04-25 21:48:33
+0200 i686 i686 i386 GNU/Linux

saslfinger -s:

saslfinger – postfix Cyrus sasl configuration Tue Jul 5 16:30:07 CEST 2011
version: 1.0
mode: server-side SMTP AUTH

— basics —
Postfix: 2.8.3
System: Welcome to openSUSE 11.4 “Celadon” – Kernel \r (\l).

— smtpd is linked to —
libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb768c000)

— active SMTP AUTH and TLS parameters for smtpd —
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous

— listing of /usr/lib/sasl2 —
total 652
drwxr-xr-x 2 root root 4096 Jul 3 10:30 .
drwxr-xr-x 171 root root 69632 Jul 3 18:04 ..
-rwxr-xr-x 1 root root 18068 Feb 18 19:18 libanonymous.so
-rwxr-xr-x 1 root root 18068 Feb 18 19:18 libanonymous.so.2
-rwxr-xr-x 1 root root 18068 Feb 18 19:18 libanonymous.so.2.0.23
-rwxr-xr-x 1 root root 22160 Feb 18 19:18 libcrammd5.so
-rwxr-xr-x 1 root root 22160 Feb 18 19:18 libcrammd5.so.2
-rwxr-xr-x 1 root root 22160 Feb 18 19:18 libcrammd5.so.2.0.23
-rwxr-xr-x 1 root root 51124 Feb 18 19:18 libdigestmd5.so
-rwxr-xr-x 1 root root 51124 Feb 18 19:18 libdigestmd5.so.2
-rwxr-xr-x 1 root root 51124 Feb 18 19:18 libdigestmd5.so.2.0.23
-rwxr-xr-x 1 root root 30416 Feb 18 19:18 libgssapiv2.so
-rwxr-xr-x 1 root root 30416 Feb 18 19:18 libgssapiv2.so.2
-rwxr-xr-x 1 root root 30416 Feb 18 19:18 libgssapiv2.so.2.0.23
-rwxr-xr-x 1 root root 18064 Feb 18 19:18 liblogin.so
-rwxr-xr-x 1 root root 18064 Feb 18 19:18 liblogin.so.2
-rwxr-xr-x 1 root root 18064 Feb 18 19:18 liblogin.so.2.0.23
-rwxr-xr-x 1 root root 18064 Feb 18 19:18 libplain.so
-rwxr-xr-x 1 root root 18064 Feb 18 19:18 libplain.so.2
-rwxr-xr-x 1 root root 18064 Feb 18 19:18 libplain.so.2.0.23
-rwxr-xr-x 1 root root 22044 Feb 18 19:18 libsasldb.so
-rwxr-xr-x 1 root root 22044 Feb 18 19:18 libsasldb.so.2
-rwxr-xr-x 1 root root 22044 Feb 18 19:18 libsasldb.so.2.0.23

— listing of /etc/sasl2 —
total 24
drwxr-xr-x 2 root root 4096 Jul 5 15:38 .
drwxr-xr-x 123 root root 12288 Jul 5 15:48 ..
-rw——- 1 root root 249 Jul 5 15:38 sample.conf
-rw——- 1 root root 249 Jul 5 15:38 smtpd.conf

— content of /etc/sasl2/smtpd.conf —
log_level: 7

pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN

saslauthd_path: /var/spool/postfix/var/run/sasl2/mux
# saslauthd_path: /var/run/sasl2/mux

#pwcheck_method: saslauthd
#mech_list: PLAIN LOGIN
#autotransition:true

— active services in /etc/postfix/master.cf —
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
smtp inet n – y – – smtpd -v

submission inet n – y – – smtpd
-o smtpd_etrn_restrictions=reject
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject

pickup fifo n cleanup unix n qmgr fifo n tlsmgr unix – rewrite unix – bounce unix – defer unix – trace unix – verify unix – flush unix n proxymap unix – smtp unix – relay unix – -o fallback_relay=
showq unix n error unix – discard unix – local unix – virtual unix – lmtp unix – anvil unix – scache unix – – y 60 1 pickup
– y – 0 cleanup
– n 300 1 qmgr
– n 1000? 1 tlsmgr
– y – – trivial-rewrite
– y – 0 bounce
– y – 0 bounce
– n – 0 bounce
– n – 1 verify
– n 1000? 0 flush
– n – – proxymap
– n – – smtp
– n – – smtp
– y – – showq
– y – – error
– n – – discard
n n – – local
n n – – virtual
– y – – lmtp
– n – 1 anvil
– n – 1 scache

ispcp-arpl unix – n n – – pipe
flags=O user=vmail argv=/srv/www/ispcp/engine/messenger/ispcp-arpl-msgr

maildrop unix – n n – – pipe
flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
cyrus unix – n n – – pipe
user=cyrus argv=/usr/lib/cyrus/bin/deliver -e -r ${sender} -m
${extension} ${user}
uucp unix – n n – – pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender – $nexthop!rmail
($recipient)
ifmail unix – n n – – pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix – n n – – pipe
flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop
$recipient
procmail unix – n n – – pipe
flags=R user=nobody argv=/usr/bin/procmail -t -m /etc/procmailrc
${sender} ${recipient}
retry unix – – n – – error
proxywrite unix – – n – 1 proxymap

— mechanisms on localhost —
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN

— end of saslfinger output —

postfix läuft im Jail (chroot)
(Anmerkung : auch ohne jail funktioniert es nicht)

l /var/spool/postfix/var/run/sasl2/
total 12
drwxr-xr-x 2 postfix root 4096 Jul 5 15:30 ./
drwxr-xr-x 3 root root 4096 Jul 5 15:30 ../
srwxrwxrwx 1 postfix root 0 Jul 5 15:30 mux=
-rw——- 1 postfix root 0 Jul 5 15:30 mux.accept
-rw——- 1 postfix root 6 Jul 5 15:30 saslauthd.pid

l /var/spool/postfix/etc/
total 804
drwxr-xr-x 4 root root 4096 Jul 2 16:32 ./
drwxr-xr-x 22 root root 4096 Jul 2 11:59 ../
-rw-r–r– 1 root root 370 Feb 18 14:50 host.conf
-rw-r–r– 1 root root 297 Jul 2 11:59 hosts
-rw-r–r– 1 root root 2309 May 3 15:15 localtime
-rw-r–r– 1 root root 1224 Jul 1 20:15 nsswitch.conf
drwxr-xr-x 2 root root 4096 Jul 3 18:04 pam.d/
-rw-r–r– 1 root root 4165 Jul 3 17:58 passwd
-rw-r–r– 1 root root 838 Jul 2 11:59 resolv.conf
drwxr-xr-x 2 root root 4096 Jul 3 18:04 sasl2/
-rw-rw-r– 1 root postfix 12288 Jul 3 16:20 sasldb2
-rw-r–r– 1 root root 764360 Feb 18 14:50 services

l /var/spool/postfix/etc/sasl2/
total 12
drwxr-xr-x 2 root root 4096 Jul 3 18:04 ./
drwxr-xr-x 4 root root 4096 Jul 2 16:32 ../
lrwxrwxrwx 1 root root 21 Jul 3 11:33 sample.conf ->
/etc/sasl2/smtpd.conf
-rw——- 1 root root 249 Jul 5 15:38 smtpd.conf

——–Anmerkung die sample ist zum testen gedacht ——-
sasldblistusers2 | grep webmaster (die domains sind hier egalisiert)

webmaster@dom1.de: userPassword
webmaster@dom3.de: userPassword
webmaster@dom4.de: userPassword
webmaster@dom5.de: userPassword
webmaster@dom6.de: userPassword
webmaster@dom7.de: userPassword
webmaster@dom8.de: userPassword
————————-SNIP———————————

testen gegen sasldb2

testsaslauthd -u webmaster -p PASSWORT -r dom1.de -s smtp -f
/var/spool/postfix/var/run/sasl2/mux

postfix/var/run/sasl2/mux
0: NO “authentication failed”

teste ich gegen einen Account aus /etc/passwd

testsaslauthd -u user -p password -s smtp -f
/var/spool/postfix/var/run/sasl2/mux
0: OK “Success.”

————————-SNIP———————————
weitere Tests

cyrus_sasl_sample_server -s rcmd -p 8000

cyrus_sasl_sample_client -s rcmd -p 8000 -m PLAIN 127.0.0.1

receiving capability list… recv: {11}
LOGIN PLAIN
LOGIN PLAIN
please enter an authentication id: webmaster@dom1.de
please enter an authorization id: webmaster@dom1.de
Password:
send: {5}
PLAIN
send: {1}
Y
send: {49}
webmaster@dom1.de[0]webmaster@dom1.de[0]password
successful authentication
closing connection

————————-SNIP———————————
oder
cyrus_sasl_sample_client -s rcmd -p 8000 -m LOGIN 127.0.0.1
receiving capability list… recv: {11}
LOGIN PLAIN
LOGIN PLAIN
send: {5}
LOGIN
send: {1}
N
recv: {9}
Username:
please enter an authentication id: webmaster@dom1.de
Password:
send: {20}
webmaster@dom1.de
recv: {9}
Password:
send: {7}
password
successful authentication
closing connection

————————-SNIP———————————
Also positiv

per telnet:

telnet localhost 25
Trying 127.0.0.1…
Connected to localhost.
Escape character is ‘^]’.
220 ispcp2.tuxplay.de ESMTP ispCP 1.0.7 OMEGA Managed
EHLO maschine
250-ispcp2.tuxplay.de
250-PIPELINING
250-SIZE
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH LOGIN d2VibWFzdGVyQGRvbTEuZGU=
334 UGFzc3dvcmQ6
cGFzc3dvcmQ=
Connection closed by foreign host.

/var/log/mail:
Jul 5 16:59:13 ispcp2 postfix/smtpd[29623]: < ispcp2.tuxplay.de.local[127.0.0.1]: AUTH LOGIN
Jul 5 16:59:13 ispcp2 postfix/smtpd[29623]: xsasl_cyrus_server_first:
sasl_method LOGIN, init_response
Jul 5 16:59:13 ispcp2 postfix/smtpd[29623]: xsasl_cyrus_server_first:
decoded initial response webmaster@dom1.de
Jul 5 16:59:13 ispcp2 postfix/smtpd[29623]:
xsasl_cyrus_server_auth_response: uncoded server challenge: Password:
Jul 5 16:59:13 ispcp2 postfix/smtpd[29623]: >
ispcp2.tuxplay.de.local[127.0.0.1]: 334 UGFzc3dvcmQ6
Jul 5 16:59:21 ispcp2 postfix/smtpd[29623]: < ispcp2.tuxplay.de.local[127.0.0.1]:
Jul 5 16:59:21 ispcp2 postfix/smtpd[29623]: xsasl_cyrus_server_next:
decoded response: password
Jul 5 16:59:21 ispcp2 postfix/master[28789]: warning: process
/usr/lib/postfix/smtpd pid 29623 killed by signal 11
Jul 5 16:59:21 ispcp2 postfix/master[28789]: warning:
/usr/lib/postfix/smtpd: bad command startup — throttling

Thats it.

Und hier hänge ich seit Tagen fest.
Irgendwelche Ideen, wo ich falsch liege?
Was vergessen habe?
Was falsch geschrieben habe?

Danke für jeden Hinweis

————————-SNIP———————————