Solved

SASL: could not find auxprop plugin

Posted on 2006-05-29
Last Modified: 2013-11-18
Hello all,

I am about to pull my hair out...

I have a working Postfix server, which I installed from an RPM that comes with my OS' install DVD (Mandrakelinux 10.1). Everything works fine and well. However, it now needs to support SMTP authentication so our laptop users can send mail from outside the house. So I read all kinds of HOWTOs and installed OpenSSL and CyrusSASL. The Postfix RPM description states that it supports SASL.

Here's what I changed in the configuration files:

/etc/postfix/main.cfg:
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

/etc/postfix/master.cfg:
turned off all chroot options

/usr/local/lib/sasl2/smtpd.conf:
pwcheck_method: pwcheck
mech_list: plain login

I also have to link /usr/lib/sasl2 pointing to /usr/local/lib/sasl2.

According to what I've read (and that's not quite a bit), it should work. However, clients cannot log on, and I get the following in my log:

SASL authentication misc: could not find auxprop plugin, was searching for '[all]'

warning: SASL authentication problem: unknown password verifier

warning: SASL authentication failure: Password verification failed

warning: localhost.localdomain[127.0.0.1]: SASL PLAIN authentication failed

localhost.localdomain[127.0.0.1]: 535 Error: authentication failed


Any ideas? Please help me...


Question by:PappP

Expert Comment

by:Nopius
ID: 16787075
What HOWTOs did you read? First of all, check that you have a capital 'S' in /usr/local/lib/sasl2/Smtpd.conf

I have working sendmail with SASL authentication (via ldap). You may have sasldb or some other backend.
Exactly what password backend database are you using?

That's my /usr/lib/sasl2/Sendmail.conf (the ldapdb backend probably will not work for you), but the syntax should be similar:

log_level: 127
auxprop_plugin: ldapdb
pwcheck_method: auxprop
mech_list: DIGEST-MD5 CRAM-MD5 PLAIN LOGIN NTLM
ldapdb_uri: ldaps://ldap.xxx.xx.xx.xx/
ldapdb_id: xxxxx
ldapdb_pw: *****
ldapdb_mech: DIGEST-MD5

Add to your Smtpd.conf log_level and auxprop_plugin lines.
At least you will get more debug info (also enable debug level logging in syslog).

Author Comment

by:PappP
ID: 16796255
Hello Nopius

Thank you for your comment.

Why is the capital 'S'? I have lowercase 's', and if I write something to the file, it has its effects. For example, I changed "pwcheck_method: pwcheck" to be "pwcheck_method: saslauthd" and the error message has changed (just as I expected): "cannot connect to saslauthd server: No such file or directory". I started saslauthd with the "shadow" option.

Peter

Accepted Solution

by:
Nopius earned 1360 total points
ID: 16825463
http://www.sendmail.org/~ca/email/cyrus2/sysadmin.html#saslconf

1) smtpd is an application (client of SASL library), so it must be named with capital 'S' as written in the manual.
2) If you are using 'shadow', you cannot use the 'auxprop' plugin, since SASL has no access to the cleartext password.
Try these options instead:

/usr/local/lib/sasl2/Smtpd.conf:
pwcheck_method: saslauthd
mech_list: plain login

Read here for possible list of options: http://www.sendmail.org/~ca/email/cyrus2/options.html

3) If your SASL library cannot connect to saslauthd, probably your application has no rights to write to the saslauthd/mux unix socket. Look at the owner and rights of that socket after saslauthd starts. It should be somewhere below /var (by default /var/state/saslauthd/mux). Also look at the owner of the smtpd process.
Also, it's possible that the application cannot find the specified path, but this case is rare.
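
The two checks from points 2 and 3 of the answer above, as an added example that is not part of the original answer: it flags a mech_list that saslauthd cannot verify and tests whether the current user can reach the saslauthd socket. The function names and the `--run` switch are made up for this example; the default paths are the ones quoted in the thread.

```shell
#!/usr/bin/env bash
# Added example. Defaults are the paths quoted in the thread; adjust for your system.
SASL_CONF=${SASL_CONF:-/usr/local/lib/sasl2/smtpd.conf}
MUX=${MUX:-/var/state/saslauthd/mux}

# Print the value of one "key: value" option (last occurrence wins; example's assumption).
sasl_opt() {  # usage: sasl_opt FILE KEY
    awk -F: -v k="$2" '
        { key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key) }
        key == k { v = substr($0, index($0, ":") + 1)
                   gsub(/^[ \t]+|[ \t\r]+$/, "", v); found = v }
        END { print found }' "$1"
}

# Report pwcheck_method / mech_list combinations that cannot authenticate.
lint_sasl_conf() {  # usage: lint_sasl_conf FILE ; returns 1 if anything was reported
    local conf=$1 method mechs m rc=0
    method=$(sasl_opt "$conf" pwcheck_method)
    mechs=$(sasl_opt "$conf" mech_list)
    case $method in
        saslauthd)
            # saslauthd checks a cleartext password against its backend (e.g. shadow),
            # so shared-secret mechanisms such as DIGEST-MD5 or CRAM-MD5 cannot work.
            for m in $mechs; do
                case $(printf '%s' "$m" | tr 'a-z' 'A-Z') in
                    PLAIN|LOGIN) ;;
                    *) echo "mech $m cannot be verified through saslauthd"; rc=1 ;;
                esac
            done ;;
        auxprop)
            [ -n "$(sasl_opt "$conf" auxprop_plugin)" ] ||
                { echo "auxprop_plugin unset: library searches '[all]' plugins"; rc=1; } ;;
        *)  echo "pwcheck_method '$method' is neither saslauthd nor auxprop"; rc=1 ;;
    esac
    return $rc
}

# Check that the current user can reach the saslauthd socket.
check_mux() {  # usage: check_mux SOCKET ; run as the account smtpd runs under
    local sock=$1 dir
    dir=$(dirname "$sock")
    [ -d "$dir" ] && [ -x "$dir" ] || { echo "cannot enter $dir"; return 1; }
    [ -S "$sock" ] || { echo "no socket at $sock (is saslauthd running?)"; return 1; }
    [ -w "$sock" ] || { echo "socket $sock not writable by $(id -un)"; return 1; }
    ls -ld "$dir" "$sock"
}

if [ "${1:-}" = "--run" ]; then
    lint_sasl_conf "$SASL_CONF"; check_mux "$MUX"
fi
```

Run `check_mux` as the account that owns the smtpd process, since the result depends on who is asking.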

Expert Comment

by:Cyclops3590
ID: 17168539
PappP,

Still have an issue with this?  If so, I use smtp auth on Postfix without issue and can help.  If not, then please give an update as to the fix.

Author Comment

by:PappP
ID: 17354249
Dear Cyclops3590,

I agree to close the question, as I have it solved. However, Nopius's comment had nothing to do with what the problem was (especially not the capital S thing). It was something with the symlink, but I did not have the time to discover the whole thing; finally I installed an older version RPM of postfix from my OS' install DVD, instead of the newer version source distro I tried before, and all of a sudden everything is working just fine. If I felt that any of the comments was the answer to my problem, then I would already have awarded the points to that.

Best wishes
PappP

Expert Comment

by:Cyclops3590
ID: 17355116
PappP, just wanted to tell you why I chose Nopius' second recommendation.  I have set up SMTP Auth with Postfix several times before.  While I know his comment about the capital 'S' seems to not mean anything, it could have.  Linux is case-sensitive and although by default it is actually a small 's' that postfix uses; who really knows how all the distros mess with the rpms.

The other part of it was even though Nopius kept referring to Sendmail, the steps outlined to get SMTP Auth (while not entirely complete) are the same as what is used in Postfix.  And since there was no feedback for Nopius, no more help could be given.
Example, if you would have responded with
>>It was something with the symlink
earlier
Nopius could have pointed out that this has to do with
>>Look at the owner and rights of that socket after saslauthd starts. It should be somewhere below /var (by default /var/state/saslauthd/mux)
most likely.  But since there wasn't feedback Nopius didn't have a chance to help make things clearer.

I also want to point out my comment about wishing to help if you still needed it, I assume you already reverted to the older rpms by then?

At any rate, that is how I came to my decision, and honestly I still feel Nopius deserves the points here (even though it may only be a grade of B since it wasn't entirely complete being he didn't have the main.cf or master.cf config changes needed to get it working).  But that's just my opinion.

However, I would also like to ask you to please respond to suggestions or give an update when you change directions like that.  It helps the experts out tremendously by knowing what the current status is with your situation.  And if you do feel that you want to close a question, then there is a Support link in the upper right hand corner of the page you can click.  Post a free Q in that area referencing the URL of your orig Q and the action you wish to have taken on that Q.  Hope that comes in helpful in the future   :)