Gentoo Archives: gentoo-user

From: Brandon Vargo <brandon.vargo@×××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Postfix question about auth and blocklists...
Date: Thu, 27 May 2010 17:07:35
Message-Id: 1274979987.11900.142.camel@bvargo2.homeip.net
In Reply to: Re: [gentoo-user] Postfix question about auth and blocklists... by Steve
On Thu, 2010-05-27 at 17:24 +0100, Steve wrote:
> On 26/05/2010 20:32, Brandon Vargo wrote:
> > I hope the above helps.
> >
>
> Thank you very much... that was very informative. Unfortunately, I
> now discover I fibbed when I said I had SASL auth set up - I only
> thought I had... When I correctly configure thunderbird, I get the
> following postfix messages in the log:
>
> > May 27 17:06:20 ken postfix/smtpd[19973]: connect from
> > ur.shic.co.uk[10.0.1.253]
> > May 27 17:06:20 ken postfix/smtpd[19973]: warning: SASL
> > authentication failure: Could not open /etc/sasl2/sasldb2:
> > gdbm_errno=5
> > May 27 17:06:20 ken postfix/smtpd[19973]: warning: SASL
> > authentication failure: Could not open /etc/sasl2/sasldb2:
> > gdbm_errno=5
> > May 27 17:06:20 ken postfix/smtpd[19973]: warning: SASL
> > authentication failure: no secret in database
> > May 27 17:06:20 ken postfix/smtpd[19973]: warning:
> > ur.shic.co.uk[10.0.1.253]: SASL CRAM-MD5 authentication failed:
> > authentication failure
> > May 27 17:06:20 ken postfix/smtpd[19973]: NTLM server step 1
> > May 27 17:06:20 ken postfix/smtpd[19973]: client flags: ffff8207
> > May 27 17:06:20 ken postfix/smtpd[19973]: NTLM server step 2
> > May 27 17:06:20 ken postfix/smtpd[19973]: client user: myusername
> > May 27 17:06:20 ken postfix/smtpd[19973]: warning: SASL
> > authentication failure: Could not open /etc/sasl2/sasldb2:
> > gdbm_errno=5
> > May 27 17:06:20 ken postfix/smtpd[19973]: warning: SASL
> > authentication failure: Could not open /etc/sasl2/sasldb2:
> > gdbm_errno=5
> > May 27 17:06:20 ken postfix/smtpd[19973]: warning: SASL
> > authentication failure: no secret in database
> > May 27 17:06:20 ken postfix/smtpd[19973]: warning:
> > ur.shic.co.uk[10.0.1.253]: SASL NTLM authentication failed:
> > authentication failure
>
> I'm sure I'm doing something silly - because googling the first
> warning just gives me this bug, which doesn't seem to fit. I have
> this installed:
>
> > $ eix mail-mta/postfix
> > [I] mail-mta/postfix
> > Available versions: 2.6.5 ~2.6.6 {cdb dovecot-sasl hardened
> > ipv6 ldap mbox mysql nis pam postgres sasl selinux ssl vda}
> > Installed versions: 2.6.5(09:08:29 05/27/10)(ipv6 pam sasl ssl
> > -cdb -dovecot-sasl -hardened -ldap -mbox -mysql -nis -postgres
> > -selinux -vda)
> > Homepage: http://www.postfix.org/
> > Description: A fast and secure drop-in replacement for
> > sendmail.
>
> If I alter thunderbird to not use secure authentication, I get the
> following instead.
>
> > May 27 17:14:26 ken postfix/smtpd[20115]: connect from
> > ur.shic.co.uk[10.0.1.253]
> > May 27 17:14:26 ken postfix/smtpd[20115]: warning: SASL
> > authentication problem: unknown password verifier
> > May 27 17:14:26 ken postfix/smtpd[20115]: warning: SASL
> > authentication failure: Password verification failed
> > May 27 17:14:26 ken postfix/smtpd[20115]: warning:
> > ur.shic.co.uk[10.0.1.253]: SASL PLAIN authentication failed: no
> > mechanism available
> > May 27 17:14:26 ken postfix/smtpd[20115]: warning: SASL
> > authentication problem: unknown password verifier
> > May 27 17:14:26 ken postfix/smtpd[20115]: warning:
> > ur.shic.co.uk[10.0.1.253]: SASL LOGIN authentication failed: no
> > mechanism available
>
> Which seems quite strange.
>
> My /etc/sasl2/smtpd.conf is the default for gentoo - i.e. it contains
> the single config line:
>
> > pwcheck_method:pam
>
> I don't care if I use PAM or something else - as long as it lets me
> authenticate. In the medium term, it would be best if neither IMAP
> nor SMTP passwords had any relation to my system password (not that I
> allow remote logins using it) - but, for the time being, I just want
> it to let me authenticate and send from my phone.
>
> By any chance can anyone give me any further clues?
>

You mentioned in your first mail that you use Dovecot. The easiest way
to set up SASL for Postfix is to have Postfix authenticate against
Dovecot, assuming that you want the same usernames and passwords for
both. Recompile mail-mta/postfix with the dovecot-sasl USE flag enabled.
Then, add the following to Postfix's configuration file after
commenting/removing the other SASL lines:

    smtpd_sasl_auth_enable = yes
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth

Then, in dovecot's configuration file, add the following to the "auth
default" section:

    socket listen {
        client {
            path = /var/spool/postfix/private/auth
            mode = 0660
            user = postfix
            group = postfix
        }
    }

Adjust the path, user, and group as appropriate. The user and group
should be set to whatever user postfix is running under. Note that
private/auth in the path corresponds to the smtpd_sasl_path setting in
Postfix. Restart Dovecot and then Postfix.

I also recommend adding the following option to main.cf if your clients
support TLS encryption, which will not allow authentication over
unencrypted connections:

    smtpd_tls_auth_only = yes

See http://www.postfix.org/SASL_README.html for other SASL mechanisms,
if you do not use or do not want to use Dovecot.

Regards,

Brandon Vargo
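
An added example, not part of the original message and not Postfix or Dovecot code: a small Python check that the main.cf settings and the Dovecot socket block described above agree with each other (socket path, owner, mode, TLS-only AUTH). The function names and the sample strings are constructed for illustration, and the queue directory is assumed to be /var/spool/postfix unless main.cf sets queue_directory.

```python
import posixpath
import re

def parse_main_cf(text):
    """Parse main.cf-style 'name = value' text, joining indented continuation lines."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last:          # continuation of the previous parameter
            params[last] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params

def parse_client_socket(text):
    """Extract the key = value settings inside Dovecot's 'client { ... }' socket block."""
    block = re.search(r"client\s*\{(.*?)\}", text, re.S)
    return dict(re.findall(r"^\s*(\w+)\s*=\s*(\S+)\s*$", block.group(1), re.M)) if block else {}

def check(main_cf, dovecot_conf, postfix_user="postfix"):
    """Return a list of problems. Assumes queue_directory defaults to /var/spool/postfix."""
    p, s = parse_main_cf(main_cf), parse_client_socket(dovecot_conf)
    problems = []
    if p.get("smtpd_sasl_auth_enable") != "yes":
        problems.append("smtpd_sasl_auth_enable is not yes")
    if p.get("smtpd_sasl_type") != "dovecot":
        problems.append("smtpd_sasl_type is not dovecot")
    queue = p.get("queue_directory", "/var/spool/postfix")
    expected = posixpath.join(queue, p.get("smtpd_sasl_path", ""))
    if s.get("path") != expected:
        problems.append(f"socket path {s.get('path')} != {expected}")
    if s.get("user") != postfix_user or s.get("group") != postfix_user:
        problems.append("socket is not owned by the postfix user and group")
    if int(s.get("mode", "0777"), 8) & 0o007:
        problems.append("socket mode grants access to other local users")
    if p.get("smtpd_tls_auth_only") != "yes":
        problems.append("smtpd_tls_auth_only is not yes: AUTH offered without TLS")
    return problems

# Constructed sample input: the settings from the message above, then a broken variant.
GOOD_MAIN = "smtpd_sasl_auth_enable = yes\nsmtpd_sasl_type = dovecot\nsmtpd_sasl_path = private/auth\nsmtpd_tls_auth_only = yes\n"
GOOD_DOVECOT = "socket listen {\n  client {\n    path = /var/spool/postfix/private/auth\n    mode = 0660\n    user = postfix\n    group = postfix\n  }\n}\n"
BAD_MAIN = GOOD_MAIN.replace("private/auth", "private/dovecot-auth").replace("smtpd_tls_auth_only = yes\n", "")
BAD_DOVECOT = GOOD_DOVECOT.replace("0660", "0666")
if __name__ == "__main__":
    print(check(GOOD_MAIN, GOOD_DOVECOT), check(BAD_MAIN, BAD_DOVECOT), sep="\n")
```
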
