
It seems that I don't have SASL support, although I've checked my configuration against ALL the online tutorials, and it seems fine to me. I've also checked /var/log/mail.log and there's no word "SASL" in it.

telnet localhost 25
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 GOD
ehlo localhost
250-mail.local
250-PIPELINING
250-SIZE 30720000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

While it should also spit out something like this:

250-AUTH NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-AUTH=NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5

The SASL daemon is up:

ps aux | grep sasl
root     10219  0.0  0.2  77836  2368 ?        Ss   04:56   0:00 /usr/sbin/saslauthd -a     pam -c -m /var/spool/postfix/var/run/saslauthd -r -n 5

The file /etc/default/saslauthd seems ok:

START=yes
NAME="saslauthd"
MECHANISMS="pam"
THREADS=5
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"

Permissions for /var/spool/postfix/var/run/saslauthd look ok:

ls -l /var/spool/postfix/var/run/saslauthd
-rw-rw---- 1 root sasl      0 Aug 22 04:56 cache.flock
-rw-rw---- 1 root sasl 986112 Aug 22 05:08 cache.mmap
srw-rw---- 1 root sasl      0 Aug 22 04:56 mux
-rw-rw---- 1 root sasl      0 Aug 22 04:56 mux.accept
-rw-rw---- 1 root sasl      6 Aug 22 04:56 saslauthd.pid

The user postfix is part of group sasl:

getent group sasl
sasl:x:45:postfix

The /etc/postfix/sasl/smtpd.conf looks good:

pwcheck_method: saslauthd
mech_list: plain login
allow_plaintext: true
auxprop_plugin: mysql
sql_hostnames: 127.0.0.1
sql_user: mail
sql_passwd: mail
sql_database: mail
sql_select: select password from users where email = '%u'

Part of my /etc/postfix/main.cf file:

smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_ask_ccert = yes
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
tls_random_source = dev:/dev/urandom
smtp_use_tls = yes
smtp_tls_cert_file = /etc/postfix/smtpd.cert
smtp_tls_key_file = /etc/postfix/smtpd.key
myhostname = mail.local
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

Part of my /etc/postfix/master.cf:

smtp      inet  n       -       -       -       -       smtpd
  -o cleanup_service_name=subcleanup
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated

submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o cleanup_service_name=subcleanup
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_tls_wrappermode=yes

Part of my /etc/dovecot/dovecot.conf file:

disable_plaintext_auth = yes
ssl = required
auth default {
user = root
mechanisms = plain login
passdb sql {
    args = /etc/dovecot/dovecot-sql.conf
}

userdb static {
    args = uid=5000 gid=5000 home=/home/vmail/%d/%n allow_all_users=yes
}

socket listen {
    master {
        path = /var/run/dovecot/auth-master
        mode = 0600
        user = vmail
    }

    client {
        path = /var/spool/postfix/private/auth
        mode = 0660
        user = postfix
        group = postfix
    }
}
}
danator

1 Answer


According to the Postfix documentation, smtpd_tls_auth_only = yes means your smtpd will only offer AUTH after starting TLS (using STARTTLS) and performing the handshake.

To test your server, you could use openssl:

openssl s_client -starttls smtp -crlf -connect 192.0.2.1:25
gparent
  • So I should set `smtpd_tls_auth_only = no`? I want to use both TLS and SASL. SSL works and your command established an SSL handshake on 25. – danator Aug 22 '13 at 03:06
  • I've re-read the documentation, and it doesn't accept SASL authentication over unencrypted connections, but it does accept if TLS is available. – danator Aug 22 '13 at 03:25
  • I'm surprised because that's kind of the point of `smtpd_sasl_security_options`'s `noplaintext`, which isn't in your config. – gparent Aug 22 '13 at 03:32
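The behaviour the answer describes (AUTH hidden on the plaintext channel and offered only after STARTTLS) is easy to confirm without reading the `openssl s_client` transcript by eye. The script below is an added example, not code from the original post or from the Postfix project: it does EHLO, STARTTLS, EHLO again and compares the two capability lists, parsing both the standard `AUTH PLAIN LOGIN` line and the `AUTH=PLAIN LOGIN` line that `broken_sasl_auth_clients = yes` adds. The host and port are assumptions supplied on the command line; the two embedded EHLO replies are the one quoted in the question and a constructed post-STARTTLS reply, used so the parser can be exercised offline.

```python
"""Check whether an SMTP server offers AUTH only after STARTTLS.

Added example for the answer above, not from the original post. It assumes a
server reachable at HOST:PORT (default 25) and that the lab box uses a
self-signed certificate, so TLS verification is switched off for the probe.
"""
import re
import smtplib
import ssl
import sys

# Matches the standard "AUTH PLAIN LOGIN" line and the old-style "AUTH=PLAIN LOGIN"
# line that Postfix adds when broken_sasl_auth_clients = yes. An optional
# "250-" / "250 " prefix is tolerated so a pasted telnet transcript parses too.
_AUTH_LINE = re.compile(r"^(?:250[ -])?AUTH[ =](.+)$", re.IGNORECASE)


def auth_mechanisms(ehlo_reply):
    """Return the set of SASL mechanisms named in an EHLO reply (bytes or str)."""
    if isinstance(ehlo_reply, bytes):
        ehlo_reply = ehlo_reply.decode("ascii", "replace")
    mechs = set()
    for raw in ehlo_reply.splitlines():
        m = _AUTH_LINE.match(raw.strip())
        if m:
            mechs.update(m.group(1).upper().split())
    return mechs


def diagnose(before_tls, after_tls):
    """Explain the before/after AUTH advertising in Postfix terms."""
    if after_tls is None:
        return "no STARTTLS offered; cannot test smtpd_tls_auth_only"
    if before_tls:
        return "AUTH offered before STARTTLS: smtpd_tls_auth_only is not in effect"
    if after_tls:
        return "AUTH offered only after STARTTLS: consistent with smtpd_tls_auth_only = yes"
    return "AUTH never offered, even after STARTTLS: the SASL backend is not working"


def probe(host, port=25, timeout=10):
    """EHLO, STARTTLS, EHLO again; return (mechanisms_before, mechanisms_after).

    mechanisms_after is None when the server does not advertise STARTTLS."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # lab only: self-signed smtpd.cert
    ctx.verify_mode = ssl.CERT_NONE     # never do this against a production host
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        _, reply = smtp.ehlo()
        before = auth_mechanisms(reply)
        if not smtp.has_extn("starttls"):
            return before, None
        smtp.starttls(context=ctx)
        # RFC 3207: the pre-TLS capabilities are void; the client must EHLO again.
        _, reply = smtp.ehlo()
        return before, auth_mechanisms(reply)


# Sample replies for offline use. EHLO_BEFORE_TLS is the telnet output quoted in
# the question; EHLO_AFTER_TLS is constructed here and shows what the same server
# should return after STARTTLS when smtpd_tls_auth_only = yes is doing its job.
EHLO_BEFORE_TLS = """250-mail.local
250-PIPELINING
250-SIZE 30720000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

EHLO_AFTER_TLS = """250-mail.local
250-PIPELINING
250-SIZE 30720000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""


if __name__ == "__main__":
    if len(sys.argv) > 1:
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
        before, after = probe(host, port)
    else:
        before = auth_mechanisms(EHLO_BEFORE_TLS)
        after = auth_mechanisms(EHLO_AFTER_TLS)
    print("before STARTTLS:", sorted(before) or "no AUTH")
    print("after  STARTTLS:", sorted(after) if after is not None else "no STARTTLS")
    print(diagnose(before, after))
```

Run it as `python3 probe_auth.py mail.local 25` against the real server; with no arguments it only evaluates the embedded sample replies. If the second EHLO still shows no AUTH line, the problem is not `smtpd_tls_auth_only` but the SASL backend Postfix is pointed at, so the next thing to compare is `smtpd_sasl_type`/`smtpd_sasl_path` against the daemon that is actually running.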