Postfix & SASL Authentication

Gerard Seibert gerard at seibercom.net
Tue Aug 8 16:15:57 UTC 2006


Greg Groth wrote:

> On 8/8/2006 9:20 AM, Gerard Seibert wrote:
> > FreeBSD 6.1 STABLE
> > 
> > I have SASL and Postfix installed and for the most part they seem to
> > work all right together. However, there is one small problem.
> > 
> > When attempting to send a message from one of the PCs on the network,
> > actually any PC on the network except for the one with Postfix installed
> > on it, this error message is inserted into the maillog file.
> > 
> > Aug  8 10:11:32 scorpio postfix/smtpd[1310]: connect from boss.seibercom.net[192.168.0.4]
> > Aug  8 10:11:32 scorpio postfix/smtpd[1310]: warning: SASL authentication failure: no user in db
> > Aug  8 10:11:32 scorpio postfix/smtpd[1310]: 859B9BD6C: client=boss.seibercom.net[192.168.0.4], sasl_method=LOGIN, sasl_username=gerard at seibercom.net
> > 
> > All of the users are authenticated. Exactly what is it referring to and how do I correct it? The mail does get relayed, however, so it is not a fatal warning.
> > 
> > 
> Which version of SASL?  v1 or v2?
> 
> The following is based on my experience with v2, and I don't know if it
> applies to v1 or not.
> 
> As far as the message in your log file, it's attempting to authenticate,
> but it's not connecting to the user database to verify the user.  More 
> than likely it's allowing you to send mail from the local server because 
> you have Postfix configured to allow it to relay mail from localhost, 
> and that this is allowing you to send the email even though 
> authentication is failing.
> 
> To determine which authentication methods Postfix will accept, telnet to 
> localhost on port 25 and issue an EHLO:
> 
> mail# telnet localhost 25
> Trying ::1...
> Connected to localhost.domain.com.
> Escape character is '^]'.
> 220 mail.domain.com ESMTP Postfix
> 
> EHLO localhost
> 
> 250-mail.domain.com
> 250-PIPELINING
> 250-SIZE 10240000
> 250-VRFY
> 250-ETRN
> 250-AUTH NTLM LOGIN PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
> 250-AUTH=NTLM LOGIN PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> 
> In this instance, the AUTH line dictates which authentication mechanisms 
> Postfix will accept.  In this case: NTLM LOGIN PLAIN GSSAPI DIGEST-MD5 
> CRAM-MD5

This is the output of mine:

$ telnet localhost 25
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 scorpio.seibercom.net ESMTP Postfix (2.4-20060727)
ehlo localhost
250-scorpio.seibercom.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

I noticed that the first attempt is refused. Why, I wonder?

> 
> Check your /usr/local/lib/sasl2/smtpd.conf file and make sure that you 
> have the correct auth mechanism listed.  For plain text login that's 
> verified against your existing users, your smtpd.conf file would read as 
> follows:
> 
> pwcheck_method: saslauthd
> 
> This will verify against your existing user accounts.  There are other 
> methods, such as pwcheck_method:  sasldb, that will verify against 
> SASL's own password database, which I've never used.
> 
> Make sure that you have saslauthd running (which it appears you do).
> 
> Issue the following:
> 
> # /usr/local/sbin/testsaslauthd -u username -p password
> 0: OK "Success."
> 
> If saslauthd is operating correctly, you'll receive the OK "Success."
> If not, your problem is with saslauthd.
> 
> If your AUTH line does not list the right AUTH mechanism, the problem is 
> with Postfix.  For instance, if you're trying to use SMTP-AUTH from a 
> client on your network, and have pwcheck_method: saslauthd defined in 
> your smtpd.conf file, you have to have PLAIN LOGIN appear in the AUTH 
> line when telnetting.

This is the contents of the smtpd.conf file:

##      Global Values
pwcheck_method: auxprop
auxprop_plugin: sasldb
log_level: 7
mech_list: PLAIN LOGIN


-- 
Gerard Seibert
gerard at seibercom.net
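
The two checks discussed in this thread (the AUTH line returned by EHLO and the contents of smtpd.conf) can be cross-checked mechanically. The following Python is an added example, not part of the original message; the function names are hypothetical, and the sample inputs are the EHLO reply (abridged) and the smtpd.conf quoted above.

```python
import re

# Sample inputs: the EHLO reply (abridged) and smtpd.conf quoted in the message above.
EHLO_REPLY = """250-scorpio.seibercom.net
250-PIPELINING
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 DSN"""
SMTPD_CONF = """##      Global Values
pwcheck_method: auxprop
auxprop_plugin: sasldb
log_level: 7
mech_list: PLAIN LOGIN"""
# Mechanisms that hand the server a cleartext password, the only kind saslauthd can verify.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

def advertised_mechs(ehlo_reply):
    """Collect SASL mechanisms from the 250-AUTH and 250-AUTH= lines."""
    mechs = set()
    for line in ehlo_reply.splitlines():
        m = re.match(r"250[- ]AUTH[ =](.*)", line.strip(), re.I)
        if m:
            mechs.update(m.group(1).upper().split())
    return mechs

def parse_sasl_conf(text):
    """Parse 'key: value' lines of smtpd.conf, skipping comments and blanks."""
    conf = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and not line.lstrip().startswith("#"):
            conf[key.strip().lower()] = value.strip()
    return conf

def check(ehlo_reply, conf_text):
    """Return (password backend, findings) for one server's reply and config."""
    conf, offered = parse_sasl_conf(conf_text), advertised_mechs(ehlo_reply)
    wanted = set(conf.get("mech_list", "").upper().split())
    method = conf.get("pwcheck_method", "")
    backend = method + ("/" + conf.get("auxprop_plugin", "(unset)") if method == "auxprop" else "")
    findings = []
    if wanted and offered != wanted:
        findings.append(f"AUTH line {sorted(offered)} differs from mech_list {sorted(wanted)}")
    if method == "saslauthd" and offered - PLAINTEXT_MECHS:
        findings.append(f"not verifiable via saslauthd: {sorted(offered - PLAINTEXT_MECHS)}")
    if method != "saslauthd":
        findings.append(f"testsaslauthd does not exercise the configured backend ({backend})")
    return backend, findings

print(check(EHLO_REPLY, SMTPD_CONF))
```

For the configuration quoted above it reports the backend as auxprop/sasldb, so a testsaslauthd result says nothing about how Postfix verifies these passwords.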


