Solved

Help configuring and debugging SMTP-AUTH (Cyrus/Postfix/SASL/TLS/SSL on FreeBSD 5.4)

Posted on 2006-07-02
Last Modified: 2013-11-30
Hi folks,
  I've been working on setting up a nice new FreeBSD 5.4 server (updates, patches, etc. work like a charm) but I'm having a terrible time getting SMTP Auth to work right. Here's the deal. I've got Cyrus IMAP set up, along with SASL and SASLAUTHD running. Creating mailboxes with cyradm works fine. Logging into the IMAP server works fine. Reading mail, moving mail, deleting mail, etc. works fine. Postfix... well, kinda works, kinda doesn't. It starts up and responds, but doesn't do what it should do. SMTP Auth claims it can't find the SASLDB (when using SSL) and Postfix says it can't find the mailbox (when using just TLS, no SSL). Any help would be greatly appreciated (gotta have this running on Monday). Here are some configuration files and some log output:

main.cf
===========================

biff = no
soft_bounce = yes
queue_directory = /var/spool/postfix
command_directory = /usr/local/sbin
daemon_directory = /usr/local/libexec/postfix
mail_owner = postfix
default_privs = nobody
myhostname = checker2.divisionpoint.net
mydomain = divisionpoint.net
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain $mydomain
local_recipient_maps = unix:passwd.byname $alias_maps
unknown_local_recipient_reject_code = 550
mynetworks_style = host
mynetworks = 192.168.2.0/24, 127.0.0.0/8
relay_domains = $mydestination
recipient_delimiter = +
mailbox_transport       = lmtp:unix:/var/imap/socket/lmtp
virtual_transport       = lmtp:unix:/var/imap/socket/lmtp
virtual_mailbox_domains = checker2.divisonpoint.net, divisionpoint.net, checkertaxistand.com
virtual_alias_maps      = hash:/usr/local/etc/postfix/virtual
fallback_transport = cyrus
luser_relay = $local@other.host
smtpd_banner = $myhostname ESMTP $mail_name
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/local/sbin/sendmail
newaliases_path = /usr/local/bin/newaliases
mailq_path = /usr/local/bin/mailq
setgid_group = maildrop
html_directory = no
manpage_directory = /usr/local/man
sample_directory = /usr/local/etc/postfix
readme_directory = no
masquerade_domains = $mydomain

smtpd_recipient_restrictions =
        permit_sasl_authenticated
        reject_non_fqdn_recipient
        permit_mynetworks
        reject_unauth_destination
        reject_unknown_sender_domain
        permit
smtpd_helo_restrictions = reject_invalid_hostname
smtpd_require_helo      = yes
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks
empty_address_recipient = thepostmaster
message_size_limit = 7340032
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /usr/local/etc/postfix/server.pem
smtpd_tls_cert_file = /usr/local/etc/postfix/server.pem
smtpd_tls_CAfile = /usr/local/etc/postfix/server.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 360s
tls_random_source = dev:/dev/urandom

===========================


master.cf (just the smtps line)
===========================

smtps     inet  n       -       y       -       -       smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes

===========================


smtpd.conf

===========================

pwcheck_method: saslauthd
mech_list: PLAIN LOGIN CRAM-MD5
#saslauthd_path: /var/run/saslauthd/mux

===========================


SMTP with SSL (log output)
===========================

Jul  1 23:45:23 checker2 postfix/smtpd[39662]: TLS connection established from unknown[192.168.2.100]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jul  1 23:45:27 checker2 postfix/smtpd[39662]: warning: SASL authentication failure: no user in db
Jul  1 23:45:27 checker2 postfix/smtpd[39662]: 6BFC745024: client=unknown[192.168.2.100], sasl_method=CRAM-MD5, sasl_username=[username at domain]
Jul  1 23:45:27 checker2 postfix/cleanup[39665]: 6BFC745024: message-id=<44A741B7.5090306@[domain]>
Jul  1 23:45:27 checker2 postfix/qmgr[39641]: 6BFC745024: from=<[username at domain]>, size=769, nrcpt=1 (queue active)
Jul  1 23:45:27 checker2 postfix/smtpd[39662]: disconnect from unknown[192.168.2.100]
Jul  1 23:45:27 checker2 postfix/lmtp[39667]: 6BFC745024: to=<[username2 at domain]>, orig_to=<[username at domain]>, relay=/var/imap/socket/lmtp[/var/imap/socket/lmtp], delay=0, status=SOFTBOUNCE (host /var/imap/socket/lmtp[/var/imap/socket/lmtp] said: 550-Mailbox unknown.  Either there is no mailbox associated with this 550-name or you do not have authorization to see it. 550 5.1.1 User unknown (in reply to RCPT TO command))

===========================


SMTP with TLS only, no SSL (log output)

===========================

Jul  1 23:41:56 checker2 postfix/smtpd[39642]: TLS connection established from unknown[192.168.2.100]: SSLv3 with cipher D$
Jul  1 23:42:00 checker2 postfix/smtpd[39642]: warning: SASL authentication failure: Could not open db
Jul  1 23:42:00 checker2 postfix/smtpd[39642]: warning: SASL authentication failure: Could not open db
Jul  1 23:42:00 checker2 postfix/smtpd[39642]: warning: SASL authentication failure: no secret in database
Jul  1 23:42:00 checker2 postfix/smtpd[39642]: warning: unknown[192.168.2.100]: SASL CRAM-MD5 authentication failed
Jul  1 23:42:00 checker2 postfix/smtpd[39642]: warning: SASL authentication failure: Could not open db
Jul  1 23:42:00 checker2 postfix/smtpd[39642]: warning: SASL authentication failure: Could not open db  
Jul  1 23:42:00 checker2 postfix/smtpd[39642]: warning: SASL authentication failure: Password verification failed
Jul  1 23:42:00 checker2 postfix/smtpd[39642]: warning: unknown[192.168.2.100]: SASL PLAIN authentication failed
Jul  1 23:42:00 checker2 postfix/smtpd[39642]: warning: SASL authentication failure: Could not open db
Jul  1 23:42:00 checker2 postfix/smtpd[39642]: warning: SASL authentication failure: Could not open db
Jul  1 23:42:00 checker2 postfix/smtpd[39642]: warning: unknown[192.168.2.100]: SASL LOGIN authentication failed
Jul  1 23:42:03 checker2 postfix/smtpd[39642]: lost connection after AUTH from unknown[192.168.2.100]
Jul  1 23:42:03 checker2 postfix/smtpd[39642]: disconnect from unknown[192.168.2.100]

===========================


Question by: digitaly
2 Comments

Accepted Solution by: DVB (earned 500 total points)
Turn off the chroot in master.cf. That should help you debug the issue of sasldb not being found.

As for the mailbox unknown, check that you don't have spelling mistakes, and that you aren't trying to do virtual hosting with Cyrus without explicitly enabling it.

Author Comment by: digitaly
Actually, I figured this out yesterday, but your tips would very likely have helped me to figure out the problems.  First, turning off chroot would have let saslauthd work correctly (since the problem turned out to be saslauthd being outside of the Postfix jail).  So good call there.  Second, I am indeed running virtual domains, but I had the format incorrect in Postfix's virtual file (had the email address and local recipient swapped... perhaps a little more sleep could have prevented this!).  Also, I had an unnecessary CRAM-MD5 in the smtpd.conf file on the mech list.  And finally, I had configuration options for saslauthd set in two places (which had the mux all over the place).  So, hope this helps others.  I'll give you the points though, cuz if I hadn't figured it out by then, your tips would have certainly helped.  Thanks!
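A small lint, added here as an illustration and not part of the thread or of Postfix/Cyrus SASL itself, that checks the two misconfigurations the thread ends up identifying: an smtpd service chrooted in master.cf while pwcheck_method is saslauthd (the mux socket must then sit under $queue_directory, or the chroot must be switched off), and shared-secret mechanisms such as CRAM-MD5 in mech_list, which saslauthd cannot serve because it only verifies plaintext passwords. The sample master.cf and smtpd.conf strings are constructed from the lines posted above; the function names are my own.

```python
import os

# Mechanisms that need the clear-text secret on the server side (sasldb/auxprop);
# they cannot succeed when saslauthd is the password checker.
SHARED_SECRET_MECHS = {"CRAM-MD5", "DIGEST-MD5", "NTLM"}

def parse_master_cf(text):
    """Map each smtpd service to its chroot column (service type private unpriv chroot wakeup maxproc command)."""
    services = {}
    for line in text.splitlines():
        if not line.strip() or line[0] in "# \t":
            continue  # comments and indented '-o' continuation lines
        f = line.split()
        if len(f) >= 8 and f[7] == "smtpd":
            services[f[0]] = f[4]
    return services

def parse_smtpd_conf(text):
    """Parse Cyrus SASL smtpd.conf 'key: value' lines into a dict."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            conf[key.strip()] = value.strip()
    return conf

def lint_sasl_setup(master_cf, smtpd_conf, queue_directory="/var/spool/postfix"):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    conf = parse_smtpd_conf(smtpd_conf)
    uses_saslauthd = conf.get("pwcheck_method") == "saslauthd"
    bad = set(conf.get("mech_list", "").upper().split()) & SHARED_SECRET_MECHS
    if uses_saslauthd and bad:
        findings.append("mech_list has %s but pwcheck_method is saslauthd, which only verifies PLAIN/LOGIN" % ", ".join(sorted(bad)))
    # Cyrus SASL's default mux path; smtpd.conf may override it with saslauthd_path.
    mux = conf.get("saslauthd_path", "/var/run/saslauthd/mux")
    for svc, chroot in parse_master_cf(master_cf).items():
        # '-' means the default, which is chrooted on the Postfix 2.x of this era.
        if uses_saslauthd and chroot in ("y", "-"):
            real = os.path.join(queue_directory, mux.lstrip("/"))
            findings.append("%s: smtpd is chrooted, so saslauthd must listen at %s (saslauthd -m %s) or chroot must be n"
                            % (svc, real, os.path.dirname(real)))
    return findings

# Constructed inputs mirroring the lines posted in the question, plus a corrected pair.
POSTED_MASTER = "smtps inet n - y - - smtpd -o smtpd_tls_wrappermode=yes\n"
POSTED_SMTPD_CONF = "pwcheck_method: saslauthd\nmech_list: PLAIN LOGIN CRAM-MD5\n"
FIXED_MASTER = "smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes\n"
FIXED_SMTPD_CONF = "pwcheck_method: saslauthd\nmech_list: PLAIN LOGIN\n"
```

Running lint_sasl_setup on the posted pair yields two findings (CRAM-MD5 with saslauthd, and the chrooted smtps service with the mux path it would need); the corrected pair yields none.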