2

We're having difficulties authenticating over smtp, running postfix + cyrus on centos 7.

When I try to telnet to port 25 (or 587) locally and auth plain, I get the following errors in the mail log:

Sep 25 10:25:00 blabla postfix/smtpd[3858]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: Permission denied

Sep 25 10:25:00 blabla postfix/smtpd[31106]: warning: SASL authentication failure: Password verification failed

Sep 25 10:25:00 blabla postfix/smtpd[31106]: warning: unknown[::1]: SASL plain authentication failed: authentication failure

Not sure what sasldb2 has to do with anything and if that warning has any real bearing on the problem. testsaslauthd with the same credentials returns OK.

Postfix is not running in chroot mode:

smtp inet n - n - - smtpd

smtps inet n - n - - smtpd

submission inet n - n - - smtpd
-o smtpd_sasl_auth_enable=yes

I'm using /etc/shadow for authentication, so ps aux | grep sasl says:

/usr/sbin/saslauthd -m /var/run/saslauthd -a shadow

Socket dir is /var/run/saslauthd so in main.cf, I have:

smtpd_sasl_path = /var/run/saslauthd/
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
tls_random_source = dev:/dev/urandom
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
smtpd_sasl_exceptions_networks =
smtpd_recipient_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
reject_unauth_destination,
check_policy_service unix:/var/spool/postfix/postgrey/socket

Finally, /etc/sasl2/smtpd.conf has:

pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
saslauthd_path: /var/run/saslauthd/
allow_plaintext: true

Any pointers? I am stumped... Most of the docs I find online seem to point to chrooted postfix configs or more complicated auth methods.

Thanks!

Community
  • 1
sdragnev
  • 211
  • 2
  • 3
  • 6
  • Could you add IP address of smtp client to [debug_peer_list](http://postfix.org/postconf.5.html#debug_peer_list) directive in main.cf? It will turn on debug log for your IP where you tested smtp auth. – masegaloeh Sep 25 '14 at 14:42
  • Done but it's not telling me anything else. One update: I'm also getting warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: Permission denied (updated original description) – sdragnev Sep 25 '14 at 14:57
  • If the **verbose log** doesn't tell you anything, then add to above question. Perhaps, some folks here can get additional info from the verbose log. – masegaloeh Sep 26 '14 at 02:51

1 Answers1

2

The error message

unable to open Berkeley db /etc/sasldb2: Permission denied

was generic message that postfix can't open that directory because permission issue. Use chmod and/or chown to grant access on /etc/sasldb2 to postfix

chown postfix:postfix /etc/sasldb2
chmod 660 /etc/sasldb2

or

chmod 644 /etc/sasldb2

For security reason, I would suggest the first option.

Reference: blog.penumbra.be | www.murat.ws | this thread

masegaloeh
  • 18,236
  • 10
  • 57
  • 106
  • 1
    Eventually I did that and got rid of that message. Unfortunately, this didn't get rid of the general auth problem. (which kinda makes sense since I'm not using sasldb2 to authenticate) – sdragnev Sep 26 '14 at 02:42