 |
| Prev-20 | Home | Next-20 |
| Prev-20 | Home | Next-20 |
| Prev-Msg | Prev-Thread | Postfix-users | Sep-2007 | Next-Thread | Next-Msg |
| Subject: | Re: Postfix 'falling back' on sasldb? I don't want it to! |
| Group: | Postfix-users |
| From: | Stefán Freyr Stefánsson |
| Date: | 22 Sep 2007 |
Great success! I did what you suggested and added the mech_list
parameter and indeed my SMTP server then only offered PLAIN and LOGIN.
That got me thinking, so I tried turning off saslauthd while having
the mech_list present in the configuration file and low and behold, I
got an authentication error.
So for what it's worth, the mech_list configuration item seems to be
non-optional unless you want the SASL library to fall back to going
straight to sasldb (bypassing saslauthd).
Kind regards and thanks for your help,
Stefán Freyr.
On 9/22/07, Patrick Ben Koetter <p> wrote:
> * Stefán Freyr Stefánsson <stefan.freyr>:
> > Hello.
> >
> > I've been battling setting up Postfix to authenticate SMTP users via
> > SASL on a Nexenta (Debian like OpenSolaris distro). For this I've been
> > following various howtos and to make a long story short I have managed
> > to get this up and running so my users are now authenticated from the
> > sasldb.
> >
> > I configured SASL to use the sasldb backend and I've configured
> > Postfix (to the best of my knowledge) to use the saslauthd by:
> > 1) creating the file /etc/postfix/sasl/smtpd.conf which contains the line:
> > pwcheck_method: saslauthd
> > 2) editing the main.cf file to contain this:
> > smtpd_sasl_application_name = smtpd
> > smtpd_sasl_auth_enable = yes
> > smtpd_sasl_security_options = noanonymous
> > smtpd_sasl_local_domain = $myhostname
> > broken_sasl_auth_clients = yes
> > smtpd_recipient_restrictions =
> > permit_sasl_authenticated,
> > permit_mynetworks,
> > reject_unauth_destination
> >
> > As I said... this works... even too well.
> >
> > The problem is that I tried turning off saslauthd but Postfix is still
> > authenticating users from my sasldb!
> >
> > I did an strace (actually called truff on Solaris) run of Postfix and
> > found out that grepping the output for "sasldb" yielded a lot of
> > responses BOTH when saslauthd was turned of as well as when it was
> > running. Grepping for "saslauth" however, yields nothing!
> >
> > Can anyone explain to me why Postfix seems to be "falling back" to a
> > mechanism that it shouldn't know anything about (according to my
> > configuration files at least)? How can I force Postfix to use
> > saslauthd and _only_ saslauthd?
>
> As Wietse wrote Postfix is totally ignostic of the things Cyrus SASL does.
> Postfix merely hands the auth data over to libsasl and expects it to return a
> result.
>
> As for your problem: sasldb is the default authentication backend in Cyrus
> SASL. It get's called when you configure Cyrus SASL to use sasldb _and_ it
> gets called when everything else fails _or_ no (valid) password verification
> backend has been configured.
>
> You have prepared configuration in /etc/postfix/sasl/smtpd.conf to be read and
> followed by libsasl. Do you use a patched Postfix version or is it stock
> Postfix from the sources? Unless you use a patched version it is quite
> unlikely that libsasl will look for configuration advice in
> /etc/postfix/sasl/smtpd.conf - this is usually only the case for patched
> Debian packages.
>
> Usually Cyrus SASL will look for configuration files in /usr/lib/sasl2,
> /usr/lib64/sasl2 and since Cyrus SASL 2.1.22 in /etc/sasl2. I recommend to use
> the latter in case you run 2.1.22 to follow file system standards.
>
> But how can you tell libsasl follows configuration? Here's a trick! Add the
> mech_list parameter to smtpd.conf, which you must do anyway when you use
> saslauthd:
>
> # /etc/sasl2/smtpd.conf
> pwcheck_method: saslauthd
> mech_list: PLAIN LOGIN
>
> This advises libsasl only to promote the mechanisms PLAIN and LOGIN to the
> Postfix smtpd daemon (and these are the only ones saslauthd can handle). You
> can tell libsasl reads your smtpd.conf when you telnet to Postfix on port 25.
>
> Postfix should only offer PLAIN and LOGIN in the AUTH statement in its list of
> capabilities after you've send some 'EHLO foo' to get ESMTP.
>
> p@rick
>
>
> > With kind regards and gratitude for an otherwise great piece of software.
> > Stefan Freyr.
> >
> > p.s. I'm attaching a link to both trace files in case anyone is
> > interested. Both contain the call traces for postfix (and all child
> > processes), one of them is for a run when saslauthd was running and
> > the other one was for a run when saslauthd was not running. Both
> > "runs" just consisted of starting postfix, sending a single mail (mail
> > was identical in both runs) using SMTP authentication and turning off
> > postfix.
> >
> > Here are the files but be warned, they're each ~1.6Mb:
> > http://datalab.ru.is/~stefan/postfix_nosasl.truss
> > http://datalab.ru.is/~stefan/postfix_withsasl.truss
>
> --
> The Book of Postfix
> <http://www.postfix-book.com>
> saslfinger (debugging SMTP AUTH):
> <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
>
| Prev-Msg | Prev-Thread | Postfix-users | Sep-2007 | Next-Thread | Next-Msg |