From: Gregory BELLIER on
Hi all!

I would like to set up authentication between two Postfix instances hosted on
Debian Lenny, and so far it doesn't work.

Here is a log sample :
warning: SASL authentication failure: No worthy mechs found
SASL authentication failed; cannot authenticate to server
10.0.0.6[10.0.0.6]: no mechanism available

At the moment, authentication works between an MUA and both Postfix instances,
but not between the two of them when one acts as a relay.

MUA -> MTA1 ok
MUA -> MTA2 ok
MUA -> MTA1 -> MTA2 nok

This last line works fine when SASL is not involved.

From what I've seen on the internet, most of the time people are missing
libplain. This is not my case.
Both MTA have the same configuration.

At the end of this email, you can find postconf -n and saslfinger -c.

The error is clearly visible in saslfinger, which reports this:
-- mechanisms on 10.0.0.6 --

-- mechanisms on 10.0.0.5 --


I don't know how to correct this. I guess there is something wrong with
my smtpd.conf.
Would you please take a look at it?

Authentication is done with PLAIN using saslauthd, which checks against the
shadow file.

The file /etc/postfix/sasl_passwd is like this (for mta1):
10.0.0.6 username:passwd

username (it's obviously not the real one) is a real unix user on the
machine.


Thanks,
Greg.



*** postconf -n ***
mta1:/etc/postfix# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = no
config_directory = /etc/postfix
home_mailbox = Maildir/
inet_interfaces = all
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
message_size_limit = 0
mydestination = mta1.local, localhost.local, , localhost
myhostname = mta1.local
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost = 10.0.0.6
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = plain
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_loglevel = 2
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_recipient_restrictions = permit_sasl_authenticated,
reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = cyrus
smtpd_tls_CAfile = /etc/CA/ca.crt
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/certificate/postfix_mta1.crt
smtpd_tls_key_file = /etc/postfix/certificate/postfix_mta1.key
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_security_level = encrypt
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache


*** saslfinger -c ***

mta1:/etc/postfix# saslfinger -c
saslfinger - postfix Cyrus sasl configuration Monday 19 April 2010,
18:13:08 (UTC+0200)
version: 1.0.4
mode: client-side SMTP AUTH

-- basics --
Postfix: 2.5.5
System: Debian GNU/Linux 5.0 \n \l

-- smtp is linked to --
libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7d2c000)

-- active SMTP AUTH and TLS parameters for smtp --
relayhost = 10.0.0.6
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = plain
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_loglevel = 2
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes


-- listing of /usr/lib/sasl2 --
total 680
drwxr-xr-x 2 root root 4096 Apr 14 15:43 .
drwxr-xr-x 50 root root 12288 Apr 14 15:46 ..
-rw-r--r-- 1 root root 13476 May 24 2009 libanonymous.a
-rw-r--r-- 1 root root 855 May 24 2009 libanonymous.la
-rw-r--r-- 1 root root 13016 May 24 2009 libanonymous.so
-rw-r--r-- 1 root root 13016 May 24 2009 libanonymous.so.2
-rw-r--r-- 1 root root 13016 May 24 2009 libanonymous.so.2.0.22
-rw-r--r-- 1 root root 15814 May 24 2009 libcrammd5.a
-rw-r--r-- 1 root root 841 May 24 2009 libcrammd5.la
-rw-r--r-- 1 root root 15352 May 24 2009 libcrammd5.so
-rw-r--r-- 1 root root 15352 May 24 2009 libcrammd5.so.2
-rw-r--r-- 1 root root 15352 May 24 2009 libcrammd5.so.2.0.22
-rw-r--r-- 1 root root 46420 May 24 2009 libdigestmd5.a
-rw-r--r-- 1 root root 864 May 24 2009 libdigestmd5.la
-rw-r--r-- 1 root root 43500 May 24 2009 libdigestmd5.so
-rw-r--r-- 1 root root 43500 May 24 2009 libdigestmd5.so.2
-rw-r--r-- 1 root root 43500 May 24 2009 libdigestmd5.so.2.0.22
-rw-r--r-- 1 root root 13650 May 24 2009 liblogin.a
-rw-r--r-- 1 root root 835 May 24 2009 liblogin.la
-rw-r--r-- 1 root root 13460 May 24 2009 liblogin.so
-rw-r--r-- 1 root root 13460 May 24 2009 liblogin.so.2
-rw-r--r-- 1 root root 13460 May 24 2009 liblogin.so.2.0.22
-rw-r--r-- 1 root root 29076 May 24 2009 libntlm.a
-rw-r--r-- 1 root root 829 May 24 2009 libntlm.la
-rw-r--r-- 1 root root 28532 May 24 2009 libntlm.so
-rw-r--r-- 1 root root 28532 May 24 2009 libntlm.so.2
-rw-r--r-- 1 root root 28532 May 24 2009 libntlm.so.2.0.22
-rw-r--r-- 1 root root 13970 May 24 2009 libplain.a
-rw-r--r-- 1 root root 835 May 24 2009 libplain.la
-rw-r--r-- 1 root root 14036 May 24 2009 libplain.so
-rw-r--r-- 1 root root 14036 May 24 2009 libplain.so.2
-rw-r--r-- 1 root root 14036 May 24 2009 libplain.so.2.0.22
-rw-r--r-- 1 root root 21710 May 24 2009 libsasldb.a
-rw-r--r-- 1 root root 866 May 24 2009 libsasldb.la
-rw-r--r-- 1 root root 18080 May 24 2009 libsasldb.so
-rw-r--r-- 1 root root 18080 May 24 2009 libsasldb.so.2
-rw-r--r-- 1 root root 18080 May 24 2009 libsasldb.so.2.0.22

-- listing of /etc/postfix/sasl --
total 12
drwxr-xr-x 2 root root 4096 Apr 19 15:54 .
drwxr-xr-x 4 root root 4096 Apr 19 17:47 ..
-rw-r--r-- 1 root root 27 Apr 19 15:31 smtpd.conf


-- permissions for /etc/postfix/sasl_passwd --
-rw-r--r-- 1 root root 43 Apr 19 17:43 /etc/postfix/sasl_passwd

-- permissions for /etc/postfix/sasl_passwd.db --
-rw-r--r-- 1 root root 12288 Apr 19 17:43 /etc/postfix/sasl_passwd.db

/etc/postfix/sasl_passwd.db is up to date.

-- active services in /etc/postfix/master.cf --
# service   type  private unpriv  chroot  wakeup  maxproc command + args
#                 (yes)   (yes)   (yes)   (never) (100)
smtp        inet  n       -       -       -       -       smtpd
pickup      fifo  n       -       -       60      1       pickup
cleanup     unix  n       -       -       -       0       cleanup
qmgr        fifo  n       -       n       300     1       qmgr
tlsmgr      unix  -       -       -       1000?   1       tlsmgr
rewrite     unix  -       -       -       -       -       trivial-rewrite
bounce      unix  -       -       -       -       0       bounce
defer       unix  -       -       -       -       0       bounce
trace       unix  -       -       -       -       0       bounce
verify      unix  -       -       -       -       1       verify
flush       unix  n       -       -       1000?   0       flush
proxymap    unix  -       -       n       -       -       proxymap
proxywrite  unix  -       -       n       -       1       proxymap
smtp        unix  -       -       -       -       -       smtp
relay       unix  -       -       -       -       -       smtp
        -o smtp_fallback_relay=
showq       unix  n       -       -       -       -       showq
error       unix  -       -       -       -       -       error
retry       unix  -       -       -       -       -       error
discard     unix  -       -       -       -       -       discard
local       unix  -       n       n       -       -       local
virtual     unix  -       n       n       -       -       virtual
lmtp        unix  -       -       -       -       -       lmtp
anvil       unix  -       -       -       -       1       anvil
scache      unix  -       -       -       -       1       scache
maildrop    unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp        unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail      unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp       unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman     unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}

-- mechanisms on 10.0.0.6 --

-- mechanisms on 10.0.0.5 --


-- end of saslfinger output --

From: Victor Duchovni on
On Mon, Apr 19, 2010 at 06:28:47PM +0200, Gregory BELLIER wrote:

> Hi all !
>
> I would like to set up authentication between 2 postfix hosted on Debian
> Lenny and until now it doesn't work.
>
> Here is a log sample :
> warning: SASL authentication failure: No worthy mechs found
> SASL authentication failed; cannot authenticate to server
> 10.0.0.6[10.0.0.6]: no mechanism available

Try again, with a more useful log sample, and configuration settings
for the receiving side. The log sample should include multiple lines
of logging from the SMTP client, showing any TLS handshake, ...



> relayhost = 10.0.0.6

Per the documentation, this must be:

relayhost = [10.0.0.6]

and the SMTP client password table:

[10.0.0.6] user:pass

> smtp_sasl_auth_enable = yes
> smtp_sasl_mechanism_filter = plain
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

> smtp_tls_loglevel = 2

Too verbose.

> smtp_use_tls = yes

Obsolete, with 2.3 and later, use:

smtp_tls_security_level = may

> -- permissions for /etc/postfix/sasl_passwd --
> -rw-r--r-- 1 root root 43 avr 19 17:43 /etc/postfix/sasl_passwd

This should NOT be world-readable.

> -- permissions for /etc/postfix/sasl_passwd.db --
> -rw-r--r-- 1 root root 12288 avr 19 17:43 /etc/postfix/sasl_passwd.db

Ditto, but postmap will take care of that, when you fix the source
permissions.

--
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment. If you are interested, please drop me a note.
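The four client-side corrections in the reply above (bracketed relayhost, a password-map key in exactly the same form, a password map that is not group/world readable, and smtp_tls_security_level in place of the obsolete smtp_use_tls), as an added shell example that is not part of the thread and not Postfix's own tooling. It builds a constructed copy of the posted main.cf fragment and sasl_passwd in a scratch directory, prints a verdict per check, then rewrites the files the way the reply prescribes. The scratch paths and helper names are assumptions for the illustration; the script never invokes postfix or postmap, so on a real system you still run "postmap hash:/etc/postfix/sasl_passwd" and "postfix reload" after editing.

```shell
#!/bin/sh
# Added example, not from the thread: check and fix the client-side SMTP AUTH
# settings Viktor flagged, on a constructed copy of the posted files.
# Assumptions: all files live under a scratch directory; postfix and postmap
# are not run here.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed inputs reproducing the posted state: unbracketed relayhost,
# unbracketed map key, mode 0644 map source, obsolete smtp_use_tls.
cat > "$WORK/main.cf" <<'EOF'
relayhost = 10.0.0.6
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_use_tls = yes
EOF
printf '10.0.0.6 username:passwd\n' > "$WORK/sasl_passwd"
chmod 644 "$WORK/sasl_passwd"

# get_param FILE NAME: print the (last) value of NAME in a main.cf-style file.
get_param() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# check_relayhost VALUE: 0 if VALUE is [host] or [host]:port, else 1.
# The brackets suppress the MX lookup, and the password-map key must use
# the same form, brackets included.
check_relayhost() {
    case "$1" in
        \[*\]|\[*\]:*) return 0 ;;
        *)             return 1 ;;
    esac
}

# check_passwd_key MAP KEY: 0 if some line of MAP has KEY as its first field.
check_passwd_key() {
    awk -v key="$2" '$1 == key { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# check_passwd_mode FILE: 0 if group and other have no permission bits at all.
check_passwd_mode() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# check_tls_level FILE: 0 if smtp_tls_security_level is set and the obsolete
# smtp_use_tls is gone.
check_tls_level() {
    [ -n "$(get_param "$1" smtp_tls_security_level)" ] &&
        [ -z "$(get_param "$1" smtp_use_tls)" ]
}

# status CMD ARGS...: run one check and print its verdict.
status() {
    if "$@"; then printf 'OK   %s\n' "$*"; else printf 'FAIL %s\n' "$*"; fi
}

# report MAINCF MAP: one verdict line per check.
report() {
    host=$(get_param "$1" relayhost)
    status check_relayhost "$host"
    status check_passwd_key "$2" "$host"
    status check_passwd_mode "$2"
    status check_tls_level "$1"
}

# apply_fixes MAINCF MAP: rewrite both files as the reply prescribes.
apply_fixes() {
    host=$(get_param "$1" relayhost)
    if ! check_relayhost "$host"; then
        sed "s/^relayhost = .*/relayhost = [$host]/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
        awk -v old="$host" -v new="[$host]" '$1 == old { $1 = new } { print }' \
            "$2" > "$2.tmp" && mv "$2.tmp" "$2"
    fi
    sed 's/^smtp_use_tls = yes$/smtp_tls_security_level = may/' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
    chmod 600 "$2"   # postmap copies the source mode to the .db file
}

echo "before:"; report "$WORK/main.cf" "$WORK/sasl_passwd"
apply_fixes "$WORK/main.cf" "$WORK/sasl_passwd"
echo "after:";  report "$WORK/main.cf" "$WORK/sasl_passwd"
```

The key check matters more than it looks: a hash: table lookup is an exact string match, so "10.0.0.6" in the map will never be found for a relayhost of "[10.0.0.6]", and the client silently proceeds without credentials.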

From: Victor Duchovni on
On Tue, Apr 20, 2010 at 09:37:48PM +0200, Gregory BELLIER wrote:

In the session below, the client did not want to use PLAIN, presumably
because TLS was not in effect. Leave TLS enabled. I asked you to disable
very verbose TLS logging (smtp*_tls_loglevel=0 or 1), not TLS.

Now test with a client that supports PLAIN without TLS, or that uses TLS.
If you read your logs carefully, there is enough there to figure it all
out... You should be able to solve the problem now that you can see everything
in the logs.

> Apr 20 18:26:24 mta2 postfix/smtpd[5447]: > mta1.local[10.0.0.5]: 220 mta2.local ESMTP Postfix (Debian/GNU)
> Apr 20 18:26:24 mta2 postfix/smtpd[5447]: < mta1.local[10.0.0.5]: EHLO mta1.local
> Apr 20 18:26:24 mta2 postfix/smtpd[5447]: > mta1.local[10.0.0.5]: 250-mta2.local
> Apr 20 18:26:24 mta2 postfix/smtpd[5447]: > mta1.local[10.0.0.5]: 250-PIPELINING
> Apr 20 18:26:24 mta2 postfix/smtpd[5447]: > mta1.local[10.0.0.5]: 250-SIZE
> Apr 20 18:26:24 mta2 postfix/smtpd[5447]: > mta1.local[10.0.0.5]: 250-VRFY
> Apr 20 18:26:24 mta2 postfix/smtpd[5447]: > mta1.local[10.0.0.5]: 250-ETRN
> Apr 20 18:26:24 mta2 postfix/smtpd[5447]: > mta1.local[10.0.0.5]: 250-AUTH LOGIN PLAIN
> Apr 20 18:26:24 mta2 postfix/smtpd[5447]: > mta1.local[10.0.0.5]: 250-ENHANCEDSTATUSCODES
> Apr 20 18:26:24 mta2 postfix/smtpd[5447]: > mta1.local[10.0.0.5]: 250-8BITMIME
> Apr 20 18:26:24 mta2 postfix/smtpd[5447]: > mta1.local[10.0.0.5]: 250 DSN
> Apr 20 18:26:24 mta2 postfix/smtpd[5447]: < mta1.local[10.0.0.5]: QUIT
> Apr 20 18:26:24 mta2 postfix/smtpd[5447]: > mta1.local[10.0.0.5]: 221 2.0.0 Bye

However, it does not mind doing CRAM-MD5, but this requires unhashed
passwords, and so cannot work with "shadow".

> Apr 20 18:33:23 mta2 postfix/smtpd[5498]: > mta1.local[10.0.0.5]: 220 mta2.local ESMTP Postfix (Debian/GNU)
> Apr 20 18:33:23 mta2 postfix/smtpd[5498]: < mta1.local[10.0.0.5]: EHLO mta1.local
> Apr 20 18:33:23 mta2 postfix/smtpd[5498]: > mta1.local[10.0.0.5]: 250-mta2.local
> Apr 20 18:33:23 mta2 postfix/smtpd[5498]: > mta1.local[10.0.0.5]: 250-PIPELINING
> Apr 20 18:33:23 mta2 postfix/smtpd[5498]: > mta1.local[10.0.0.5]: 250-SIZE
> Apr 20 18:33:23 mta2 postfix/smtpd[5498]: > mta1.local[10.0.0.5]: 250-VRFY
> Apr 20 18:33:23 mta2 postfix/smtpd[5498]: > mta1.local[10.0.0.5]: 250-ETRN
> Apr 20 18:33:23 mta2 postfix/smtpd[5498]: > mta1.local[10.0.0.5]: 250-AUTH LOGIN CRAM-MD5 DIGEST-MD5 NTLM PLAIN
> Apr 20 18:33:23 mta2 postfix/smtpd[5498]: > mta1.local[10.0.0.5]: 250-ENHANCEDSTATUSCODES
> Apr 20 18:33:23 mta2 postfix/smtpd[5498]: > mta1.local[10.0.0.5]: 250-8BITMIME
> Apr 20 18:33:23 mta2 postfix/smtpd[5498]: > mta1.local[10.0.0.5]: 250 DSN
> Apr 20 18:33:23 mta2 postfix/smtpd[5498]: < mta1.local[10.0.0.5]: AUTH DIGEST-MD5
> Apr 20 18:33:23 mta2 postfix/smtpd[5498]: > mta1.local[10.0.0.5]: 235 2.7.0 Authentication successful


--
Viktor.
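The mechanism selection the reply above describes (a client that will not do PLAIN without TLS yet happily picks a challenge-response mechanism when one is offered), as an added shell example that is not part of the thread. It parses the two quoted "250-AUTH" lines from mta2's smtpd log and applies the Postfix SMTP client's documented rules: smtp_sasl_security_options (default "noplaintext, noanonymous") governs when TLS is not in effect, smtp_sasl_tls_security_options (default: the same value as smtp_sasl_security_options) when it is, and smtp_sasl_mechanism_filter, which the posted main.cf sets to "plain", then narrows the list. Cyrus SASL counts PLAIN and LOGIN as plaintext mechanisms. Because the posted main.cf sets neither security-options parameter, the example also shows the inherited-default case: with the defaults, PLAIN is excluded even inside TLS until smtp_sasl_tls_security_options is relaxed to "noanonymous". Function names are assumptions; the "!pattern" and "type:table" forms of the filter are not modelled, and which surviving mechanism libsasl finally picks is left to libsasl.

```shell
#!/bin/sh
# Added example, not from the thread: which mechanisms the Postfix SMTP
# client would accept, given the server's EHLO AUTH line and the client's
# SASL settings.  Function names are assumptions; the filter's "!pattern"
# and "type:table" forms are not modelled.
set -u

# Constructed input: the two AUTH lines from mta2's quoted smtpd log.
AUTH_LINE_1='Apr 20 18:26:24 mta2 postfix/smtpd[5447]: > mta1.local[10.0.0.5]: 250-AUTH LOGIN PLAIN'
AUTH_LINE_2='Apr 20 18:33:23 mta2 postfix/smtpd[5498]: > mta1.local[10.0.0.5]: 250-AUTH LOGIN CRAM-MD5 DIGEST-MD5 NTLM PLAIN'

# Postfix client-side default for both security-options parameters.
DEFAULT_SEC_OPTS='noplaintext, noanonymous'

# is_plaintext MECH: 0 for mechanisms that send the password in the clear,
# which "noplaintext" excludes.
is_plaintext() {
    case "$1" in PLAIN|LOGIN) return 0 ;; *) return 1 ;; esac
}

# has_option "opt, opt" OPT: 0 if OPT appears in the comma/space list.
has_option() {
    for o in $(printf '%s' "$1" | tr ',' ' '); do
        [ "$o" = "$2" ] && return 0
    done
    return 1
}

# in_filter MECH FILTER: 0 if FILTER is empty or names MECH (case-insensitive).
in_filter() {
    [ -z "$2" ] && return 0
    want=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    for f in $(printf '%s' "$2" | tr ',' ' ' | tr '[:lower:]' '[:upper:]'); do
        [ "$f" = "$want" ] && return 0
    done
    return 1
}

# worthy_mechs LOGLINE TLS(yes|no) SEC_OPTS TLS_SEC_OPTS FILTER
# Prints the mechanisms the client may use, one per line, in server order.
# Prints nothing and returns 1 in the "No worthy mechs found" case.
worthy_mechs() {
    if [ "$2" = yes ]; then active=$4; else active=$3; fi
    rc=1
    for m in $(printf '%s' "$1" | sed 's/.*250[- ]AUTH //'); do
        if has_option "$active" noplaintext && is_plaintext "$m"; then continue; fi
        if has_option "$active" noanonymous && [ "$m" = ANONYMOUS ]; then continue; fi
        if ! in_filter "$m" "$5"; then continue; fi
        printf '%s\n' "$m"
        rc=0
    done
    return $rc
}

# show LABEL ARGS...: one human-readable line per scenario.
show() {
    label=$1; shift
    if out=$(worthy_mechs "$@"); then
        printf '%s: %s\n' "$label" "$(printf '%s' "$out" | tr '\n' ' ')"
    else
        printf '%s: No worthy mechs found\n' "$label"
    fi
}

show 'session 1, no TLS, defaults, filter=plain'           "$AUTH_LINE_1" no  "$DEFAULT_SEC_OPTS" "$DEFAULT_SEC_OPTS" plain
show 'session 1, TLS, tls opts inherited, filter=plain'    "$AUTH_LINE_1" yes "$DEFAULT_SEC_OPTS" "$DEFAULT_SEC_OPTS" plain
show 'session 1, TLS, tls opts=noanonymous, filter=plain'  "$AUTH_LINE_1" yes "$DEFAULT_SEC_OPTS" noanonymous plain
show 'session 2, no TLS, defaults, no filter'              "$AUTH_LINE_2" no  "$DEFAULT_SEC_OPTS" "$DEFAULT_SEC_OPTS" ''
```

The first two scenarios reproduce the "No worthy mechs found" warning from the original post; the third is the combination SASL_README pairs with a TLS-protected relay (smtp_sasl_security_options = noplaintext, smtp_sasl_tls_security_options = noanonymous, plus smtp_tls_security_level = encrypt so the plaintext mechanism is never sent in the clear); the fourth shows why the second quoted session authenticated with DIGEST-MD5 even though no TLS was in effect.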