1

My system is Debian 7 aka Wheezy with postfix, courier, and mysql installed. Courier works well and if I issue

testsaslauthd -u user@domain -p password -f /var/spool/postfix/var/run/saslauthd/mux -s smtp

I get a

0: OK "Success."

However, if I get a base64-encoded username/password with

echo -ne '\000user@domain\000password' | openssl base64

and try to use that in an SMTP session using

helo localhost
auth plain (output from above)

I always get a

535 5.7.8 Error: authentication failed: authentication failure

In /var/log/syslog I find then

Sep 29 21:49:34 (hostname obfuscated) postfix/smtpd[15814]: warning: SASL authentication failure: Password verification failed
Sep 29 21:49:34 (hostname obfuscated) postfix/smtpd[15814]: warning: localhost[::1]: SASL plain authentication failed: authentication failure

and in /var/log/auth.log

Sep 29 21:49:34 (hostname obfuscated) postfix/smtpd[15814]: sql plugin Parse the username username@domain
Sep 29 21:49:34 (hostname obfuscated) postfix/smtpd[15814]: sql plugin try and connect to a host
Sep 29 21:49:34 (hostname obfuscated) postfix/smtpd[15814]: sql plugin trying to open db 'postfixadmin' on host '127.0.0.1'
Sep 29 21:49:34 (hostname obfuscated) postfix/smtpd[15814]: begin transaction
Sep 29 21:49:34 (hostname obfuscated) postfix/smtpd[15814]: sql plugin create statement from userPassword username domain
Sep 29 21:49:34 (hostname obfuscated) postfix/smtpd[15814]: sql plugin doing query SELECT password FROM mailbox WHERE username="username@domain";
Sep 29 21:49:34 (hostname obfuscated) postfix/smtpd[15814]: commit transaction
Sep 29 21:49:34 (hostname obfuscated) postfix/smtpd[15814]: sql plugin Parse the username username@domain
Sep 29 21:49:34 (hostname obfuscated) postfix/smtpd[15814]: sql plugin try and connect to a host
Sep 29 21:49:34 (hostname obfuscated) postfix/smtpd[15814]: sql plugin trying to open db 'postfixadmin' on host '127.0.0.1'
Sep 29 21:49:34 (hostname obfuscated) postfix/smtpd[15814]: sql plugin Parse the username username@domain
Sep 29 21:49:34 (hostname obfuscated) postfix/smtpd[15814]: sql plugin try and connect to a host
Sep 29 21:49:34 (hostname obfuscated) postfix/smtpd[15814]: sql plugin trying to open db 'postfixadmin' on host '127.0.0.1'
Sep 29 21:49:34 (hostname obfuscated) postfix/smtpd[15814]: begin transaction
Sep 29 21:49:34 (hostname obfuscated) postfix/smtpd[15814]: sql plugin create statement from userPassword username domain
Sep 29 21:49:34 (hostname obfuscated) postfix/smtpd[15814]: sql plugin doing query SELECT password FROM mailbox WHERE username="username@domain";
Sep 29 21:49:34 (hostname obfuscated) postfix/smtpd[15814]: sql plugin create statement from cmusaslsecretPLAIN username domain
Sep 29 21:49:34 (hostname obfuscated) postfix/smtpd[15814]: sql plugin doing query SELECT password FROM mailbox WHERE username="username@domain";
Sep 29 21:49:34 (hostname obfuscated) postfix/smtpd[15814]: commit transaction
Sep 29 21:49:34 (hostname obfuscated) postfix/smtpd[15814]: sql plugin Parse the username username@domain
Sep 29 21:49:34 (hostname obfuscated) postfix/smtpd[15814]: sql plugin try and connect to a host
Sep 29 21:49:34 (hostname obfuscated) postfix/smtpd[15814]: sql plugin trying to open db 'postfixadmin' on host '127.0.0.1'

Relevant SASL entries in my postfix configuration:

# postconf | grep -e cyrus_sasl -e smtpd_sasl
cyrus_sasl_config_path =
send_cyrus_sasl_authzid = no
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_exceptions_networks =
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = cyrus

Can anyone give me a hint how to analyse or debug this?

Update 2014/10/01: After trying around more and more, I found out that it is definitely a problem with reading the password from the mysql database. I edited /etc/postfix/sasl/smtpd.conf and in the last line I wrote

sql_select: SELECT 'some hardcoded password' password FROM mailbox WHERE username="%u@%r"

and now it works. However, this is obviously not what I intended to do.

Second Update 2014/10/01: Interesting... When smtpd.conf just contains

pwcheck_method: saslauthd
mech_list: plain login

everything works as it should! Solved for me.

Michael Kremser
  • The command `echo -ne '\000user@domain\000password' | openssl base64` was one method to test auth via telnet. Did you try the other option described in http://www.postfix.org/SASL_README.html#server_test ? – masegaloeh Sep 29 '14 at 22:08
  • @masegaloeh: Which other option? Connecting via openssl? Yes, I tried that, the result is exactly the same. – Michael Kremser Oct 01 '14 at 15:03
  • I mean the method to format your username & password to AUTH format, for example `perl -MMIME::Base64 -e 'print encode_base64("\0username\0password");'` – masegaloeh Oct 01 '14 at 15:26
  • @masegaloeh: Okay, now I know what you mean. Yes, I tried that too, the result was the same as with bash's echo. – Michael Kremser Oct 01 '14 at 16:40
  • Congratulations. You should post the solution in the answer section, so this question doesn't float in the *unanswered* pool :) – masegaloeh Oct 01 '14 at 23:29
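
To rule out the token itself when testing AUTH PLAIN as in the question and comments above, the following added example (not part of the original posts) builds the token and decodes it back into its fields. The function names and the sample credentials are constructed for illustration; it uses `printf` and `base64` instead of `echo -ne | openssl base64`, because `echo -ne` interprets backslashes inside the password and `openssl base64` wraps its output at 64 characters unless `-A` is given.

```shell
#!/bin/sh
# Added example: build and inspect SASL PLAIN tokens.
# Layout (RFC 4616): authzid NUL authcid NUL passwd.
# All credentials used with these functions here are constructed samples.

# Encode with printf '%s' so backslashes or % in the password are passed
# through literally, then strip the line breaks base64 adds to long output.
auth_plain_token() {
    # $1 = authcid (login), $2 = password; authzid is left empty
    printf '\0%s\0%s' "$1" "$2" | base64 | tr -d '\n'
}

# Decode a token and print its three fields one per line.
# The first line is the (normally empty) authzid.
auth_plain_fields() {
    printf '%s' "$1" | base64 -d | tr '\0' '\n'
}

# Return 0 only if the token decodes to exactly two NUL separators
# and a non-empty login; anything else is not a usable PLAIN token.
auth_plain_valid() {
    nuls=$(printf '%s' "$1" | base64 -d 2>/dev/null | tr -cd '\0' | wc -c)
    [ "$nuls" -eq 2 ] || return 1
    login=$(auth_plain_fields "$1" | sed -n '2p')
    [ -n "$login" ]
}
```

If a token passes `auth_plain_valid` and `auth_plain_fields` shows the expected login and password, the 535 response is coming from the server-side password lookup rather than from the encoding.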

2 Answers

3

Solution: /etc/postfix/sasl/smtpd.conf only has to contain

pwcheck_method: saslauthd
mech_list: plain login

Michael Kremser

0

The solution that worked for me was to change

smtpd_sasl_type = cyrus

to

smtpd_sasl_type = dovecot

and make sure dovecot-imapd is installed.

Thorsten Staerk