On Thu, 2010-05-27 at 17:24 +0100, Steve wrote:
> On 26/05/2010 20:32, Brandon Vargo wrote:
> > I hope the above helps.
> >
>
> Thank you very much... that was very informative. Unfortunately, I
> now discover I fibbed when I said I had SASL auth set up - I only
> thought I had... When I correctly configure thunderbird, I get the
> following postfix messages in the log:
>
> > May 27 17:06:20 ken postfix/smtpd[19973]: connect from
> > ur.shic.co.uk[10.0.1.253]
> > May 27 17:06:20 ken postfix/smtpd[19973]: warning: SASL
> > authentication failure: Could not open /etc/sasl2/sasldb2:
> > gdbm_errno=5
> > May 27 17:06:20 ken postfix/smtpd[19973]: warning: SASL
> > authentication failure: Could not open /etc/sasl2/sasldb2:
> > gdbm_errno=5
> > May 27 17:06:20 ken postfix/smtpd[19973]: warning: SASL
> > authentication failure: no secret in database
> > May 27 17:06:20 ken postfix/smtpd[19973]: warning:
> > ur.shic.co.uk[10.0.1.253]: SASL CRAM-MD5 authentication failed:
> > authentication failure
> > May 27 17:06:20 ken postfix/smtpd[19973]: NTLM server step 1
> > May 27 17:06:20 ken postfix/smtpd[19973]: client flags: ffff8207
> > May 27 17:06:20 ken postfix/smtpd[19973]: NTLM server step 2
> > May 27 17:06:20 ken postfix/smtpd[19973]: client user: myusername
> > May 27 17:06:20 ken postfix/smtpd[19973]: warning: SASL
> > authentication failure: Could not open /etc/sasl2/sasldb2:
> > gdbm_errno=5
> > May 27 17:06:20 ken postfix/smtpd[19973]: warning: SASL
> > authentication failure: Could not open /etc/sasl2/sasldb2:
> > gdbm_errno=5
> > May 27 17:06:20 ken postfix/smtpd[19973]: warning: SASL
> > authentication failure: no secret in database
> > May 27 17:06:20 ken postfix/smtpd[19973]: warning:
> > ur.shic.co.uk[10.0.1.253]: SASL NTLM authentication failed:
> > authentication failure
>
> I'm sure I'm doing something silly - because googling the first
> warning just gives me this bug, which doesn't seem to fit. I have
> this installed:
>
> > $ eix mail-mta/postfix
> > [I] mail-mta/postfix
> > Available versions: 2.6.5 ~2.6.6 {cdb dovecot-sasl hardened
> > ipv6 ldap mbox mysql nis pam postgres sasl selinux ssl vda}
> > Installed versions: 2.6.5(09:08:29 05/27/10)(ipv6 pam sasl ssl
> > -cdb -dovecot-sasl -hardened -ldap -mbox -mysql -nis -postgres
> > -selinux -vda)
> > Homepage: http://www.postfix.org/
> > Description: A fast and secure drop-in replacement for
> > sendmail.
>
> If I alter thunderbird to not use secure authentication, I get the
> following instead.
>
> > May 27 17:14:26 ken postfix/smtpd[20115]: connect from
> > ur.shic.co.uk[10.0.1.253]
> > May 27 17:14:26 ken postfix/smtpd[20115]: warning: SASL
> > authentication problem: unknown password verifier
> > May 27 17:14:26 ken postfix/smtpd[20115]: warning: SASL
> > authentication failure: Password verification failed
> > May 27 17:14:26 ken postfix/smtpd[20115]: warning:
> > ur.shic.co.uk[10.0.1.253]: SASL PLAIN authentication failed: no
> > mechanism available
> > May 27 17:14:26 ken postfix/smtpd[20115]: warning: SASL
> > authentication problem: unknown password verifier
> > May 27 17:14:26 ken postfix/smtpd[20115]: warning:
> > ur.shic.co.uk[10.0.1.253]: SASL LOGIN authentication failed: no
> > mechanism available
>
> Which seems quite strange.
>
> My /etc/sasl2/smtpd.conf is the default for gentoo - i.e. it contains
> the single config line:
>
> > pwcheck_method:pam
>
> I don't care if I use PAM or something else - as long as it lets me
> authenticate. In the medium term, it would be best if neither IMAP
> nor SMTP passwords had any relation to my system password (not that I
> allow remote logins using it) - but, for the time being, I just want
> it to let me authenticate and send from my phone.
>
> By any chance can anyone give me any further clues?
>

You mentioned in your first mail that you use Dovecot. The easiest way
to set up SASL for Postfix is to have Postfix authenticate against
Dovecot, assuming that you want the same usernames and passwords for
both. Recompile mail-mta/postfix with the dovecot-sasl USE flag enabled.
Then, add the following to Postfix's configuration file after
commenting/removing the other SASL lines:

smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

Then, in dovecot's configuration file, add the following to the "auth
default" section:

socket listen {
  client {
    path = /var/spool/postfix/private/auth
    mode = 0660
    user = postfix
    group = postfix
  }
}

Adjust the path, user, and group as appropriate. The user and group
should be set to whatever user postfix is running under. Note that
private/auth in the path corresponds to the smtpd_sasl_path setting in
Postfix. Restart Dovecot and then Postfix.

I also recommend adding the following option to main.cf if your clients
support TLS encryption, which will not allow authentication over
unencrypted connections:

smtpd_tls_auth_only = yes

See http://www.postfix.org/SASL_README.html for other SASL mechanisms,
if you do not use or do not want to use Dovecot.

Regards,

Brandon Vargo
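
The two configuration fragments in the reply above have to agree with each other, and that can be checked before restarting either daemon. The following is an added example, not part of the original message and not code from Postfix or Dovecot. The sample file contents are constructed, and the function names, the fallback queue directory and the rule that the socket mode must grant nothing to "other" are assumptions of this example.

```python
import re

# Constructed sample inputs that mirror the settings in the message above.
MAIN_CF = """\
queue_directory = /var/spool/postfix
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_tls_auth_only = yes
"""
DOVECOT_CONF = """\
auth default {
  socket listen {
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }
}
"""
REQUIRED = {"smtpd_sasl_auth_enable": "yes", "smtpd_sasl_type": "dovecot",
            "smtpd_tls_auth_only": "yes"}

def parse_settings(text):
    """Collect 'key = value' pairs; comment and brace-only lines never match."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z_]\w*)\s*=\s*(\S.*?)\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def check_sasl_config(main_cf, dovecot_conf, postfix_user="postfix"):
    """Return a list of problems; an empty list means the two files agree."""
    pf, dc = parse_settings(main_cf), parse_settings(dovecot_conf)
    problems = [f"main.cf: {k} should be {v}"
                for k, v in REQUIRED.items() if pf.get(k) != v]
    # A relative smtpd_sasl_path is resolved against the Postfix queue directory
    # (the fallback directory below is an assumption for this example).
    queue = pf.get("queue_directory", "/var/spool/postfix")
    sasl_path = pf.get("smtpd_sasl_path", "")
    expected = sasl_path if sasl_path.startswith("/") else f"{queue}/{sasl_path}"
    if dc.get("path") != expected:
        problems.append(f"dovecot: socket path {dc.get('path')} != {expected}")
    if int(dc.get("mode", "0777"), 8) & 0o007:
        problems.append("dovecot: auth socket is accessible to other users")
    if dc.get("user") != postfix_user:
        problems.append("dovecot: auth socket is not owned by the Postfix user")
    return problems
```

The parser keeps only the last value seen for each key, so it suits a Dovecot file with a single client socket block like the one shown in the reply.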