Asked by digitaly (United States of America)
Help configuring and debugging SMTP-AUTH (Cyrus/Postfix/SASL/TLS/SSL on FreeBSD 5.4)

Hi folks,
  I've been working on setting up a nice new FreeBSD 5.4 server (updates, patches, etc. work like a charm) but I'm having a terrible time getting SMTP Auth to work right.  Here's the deal.  I've got Cyrus IMAP set up, along with SASL and SASLAUTHD running.  Creating mailboxes with cyradm works fine.  Logging into the IMAP server works fine.  Reading mail, moving mail, deleting mail, etc. works fine.  Postfix... well, kinda works, kinda doesn't.  It starts up and responds, but doesn't do what it should do.  SMTP Auth claims it can't find the SASLDB (when using SSL) and postfix says it can't find the mailbox (when using just TLS, no SSL).  Any help would be greatly appreciated (gotta have this running on Monday).  Here are some configuration files and some log output:

main.cf
===========================

biff = no
soft_bounce = yes
queue_directory = /var/spool/postfix
command_directory = /usr/local/sbin
daemon_directory = /usr/local/libexec/postfix
mail_owner = postfix
default_privs = nobody
myhostname = checker2.divisionpoint.net
mydomain = divisionpoint.net
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain $mydomain
local_recipient_maps = unix:passwd.byname $alias_maps
unknown_local_recipient_reject_code = 550
mynetworks_style = host
mynetworks = 192.168.2.0/24, 127.0.0.0/8
relay_domains = $mydestination
recipient_delimiter = +
mailbox_transport       = lmtp:unix:/var/imap/socket/lmtp
virtual_transport       = lmtp:unix:/var/imap/socket/lmtp
virtual_mailbox_domains = checker2.divisonpoint.net, divisionpoint.net, checkertaxistand.com
virtual_alias_maps      = hash:/usr/local/etc/postfix/virtual
fallback_transport = cyrus
luser_relay = $local@other.host
smtpd_banner = $myhostname ESMTP $mail_name
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/local/sbin/sendmail
newaliases_path = /usr/local/bin/newaliases
mailq_path = /usr/local/bin/mailq
setgid_group = maildrop
html_directory = no
manpage_directory = /usr/local/man
sample_directory = /usr/local/etc/postfix
readme_directory = no
masquerade_domains = $mydomain

smtpd_recipient_restrictions =
        permit_sasl_authenticated
        reject_non_fqdn_recipient
        permit_mynetworks
        reject_unauth_destination
        reject_unknown_sender_domain
        permit
smtpd_helo_restrictions = reject_invalid_hostname
smtpd_require_helo      = yes
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks
empty_address_recipient = thepostmaster
message_size_limit = 7340032
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /usr/local/etc/postfix/server.pem
smtpd_tls_cert_file = /usr/local/etc/postfix/server.pem
smtpd_tls_CAfile = /usr/local/etc/postfix/server.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 360s
tls_random_source = dev:/dev/urandom

===========================


master.cf (just the smtps line)
===========================

smtps     inet  n       -       y       -       -       smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes

===========================


smtpd.conf

===========================

pwcheck_method: saslauthd
mech_list: PLAIN LOGIN CRAM-MD5
#saslauthd_path: /var/run/saslauthd/mux

===========================


SMTP with SSL (log output)
===========================

Jul  1 23:45:23 checker2 postfix/smtpd[39662]: TLS connection established from unknown[192.168.2.100]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jul  1 23:45:27 checker2 postfix/smtpd[39662]: warning: SASL authentication failure: no user in db
Jul  1 23:45:27 checker2 postfix/smtpd[39662]: 6BFC745024: client=unknown[192.168.2.100], sasl_method=CRAM-MD5, sasl_username=[username at domain]
Jul  1 23:45:27 checker2 postfix/cleanup[39665]: 6BFC745024: message-id=<44A741B7.5090306@[domain]>
Jul  1 23:45:27 checker2 postfix/qmgr[39641]: 6BFC745024: from=<[username at domain]>, size=769, nrcpt=1 (queue active)
Jul  1 23:45:27 checker2 postfix/smtpd[39662]: disconnect from unknown[192.168.2.100]
Jul  1 23:45:27 checker2 postfix/lmtp[39667]: 6BFC745024: to=<[username2 at domain]>, orig_to=<[username at domain]>, relay=/var/imap/socket/lmtp[/var/imap/socket/lmtp], delay=0, status=SOFTBOUNCE (host /var/imap/socket/lmtp[/var/imap/socket/lmtp] said: 550-Mailbox unknown.  Either there is no mailbox associated with this 550-name or you do not have authorization to see it. 550 5.1.1 User unknown (in reply to RCPT TO command))

===========================


SMTP with TLS only, no SSL (log output)

===========================

Jul  1 23:41:56 checker2 postfix/smtpd[39642]: TLS connection established from unknown[192.168.2.100]: SSLv3 with cipher D$
Jul  1 23:42:00 checker2 postfix/smtpd[39642]: warning: SASL authentication failure: Could not open db
Jul  1 23:42:00 checker2 postfix/smtpd[39642]: warning: SASL authentication failure: Could not open db
Jul  1 23:42:00 checker2 postfix/smtpd[39642]: warning: SASL authentication failure: no secret in database
Jul  1 23:42:00 checker2 postfix/smtpd[39642]: warning: unknown[192.168.2.100]: SASL CRAM-MD5 authentication failed
Jul  1 23:42:00 checker2 postfix/smtpd[39642]: warning: SASL authentication failure: Could not open db
Jul  1 23:42:00 checker2 postfix/smtpd[39642]: warning: SASL authentication failure: Could not open db  
Jul  1 23:42:00 checker2 postfix/smtpd[39642]: warning: SASL authentication failure: Password verification failed
Jul  1 23:42:00 checker2 postfix/smtpd[39642]: warning: unknown[192.168.2.100]: SASL PLAIN authentication failed
Jul  1 23:42:00 checker2 postfix/smtpd[39642]: warning: SASL authentication failure: Could not open db
Jul  1 23:42:00 checker2 postfix/smtpd[39642]: warning: SASL authentication failure: Could not open db
Jul  1 23:42:00 checker2 postfix/smtpd[39642]: warning: unknown[192.168.2.100]: SASL LOGIN authentication failed
Jul  1 23:42:03 checker2 postfix/smtpd[39642]: lost connection after AUTH from unknown[192.168.2.100]
Jul  1 23:42:03 checker2 postfix/smtpd[39642]: disconnect from unknown[192.168.2.100]

===========================


ASKER CERTIFIED SOLUTION
DVB
digitaly (ASKER)

Actually, I figured this out yesterday, but your tips would very likely have helped me to figure out the problems.  First, turning off chroot would have let saslauthd work correctly (since the problem turned out to be saslauthd being outside of the Postfix jail).  So good call there.  Second, I am indeed running virtual domains, but I had the format incorrect in Postfix's virtual file (had the email address and local recipient swapped... perhaps a little more sleep could have prevented this!).  Also, I had an unnecessary CRAM-MD5 in the smtpd.conf file on the mech list.  And finally, I had configuration options for saslauthd set in two places (which had the mux all over the place).  So, hope this helps others.  I'll give you the points though, cuz if I hadn't figured it out by then, your tips would have certainly helped.  Thanks!
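An added triage script (not from the question or the accepted answer) that applies the causes the asker lists to the two log excerpts above: it flags mech_list entries that a saslauthd-backed smtpd.conf cannot serve (saslauthd only verifies plaintext PLAIN/LOGIN, so CRAM-MD5 falls through to sasldb2, which is where "Could not open db" and "no secret in database" come from), and groups the smtpd/lmtp warnings by the backend that produced them. The sample log, host, PIDs and recipient address are constructed placeholders.

```python
from __future__ import annotations
import re

# Constructed sample in the same shape as the log lines in the question;
# host, PIDs and recipient are placeholders, not the asker's real data.
SAMPLE_LOG = """\
Jul  1 23:42:00 checker2 postfix/smtpd[39642]: warning: SASL authentication failure: Could not open db
Jul  1 23:42:00 checker2 postfix/smtpd[39642]: warning: SASL authentication failure: no secret in database
Jul  1 23:42:00 checker2 postfix/smtpd[39642]: warning: unknown[192.168.2.100]: SASL CRAM-MD5 authentication failed
Jul  1 23:42:00 checker2 postfix/smtpd[39642]: warning: SASL authentication failure: Password verification failed
Jul  1 23:42:00 checker2 postfix/smtpd[39642]: warning: unknown[192.168.2.100]: SASL PLAIN authentication failed
Jul  1 23:45:27 checker2 postfix/lmtp[39667]: 6BFC745024: to=<user@example.test>, relay=/var/imap/socket/lmtp[/var/imap/socket/lmtp], delay=0, status=SOFTBOUNCE (host /var/imap/socket/lmtp[/var/imap/socket/lmtp] said: 550-Mailbox unknown. 550 5.1.1 User unknown (in reply to RCPT TO command))
"""

# saslauthd only verifies plaintext credentials (PLAIN, LOGIN); a shared-secret
# mechanism such as CRAM-MD5 makes libsasl open sasldb2 instead, hence "Could not open db".
SASLAUTHD_MECHS = {"PLAIN", "LOGIN"}

# Failure reasons from the question, keyed to the backend that produced them.
REASONS = {
    "Could not open db": "sasldb: shared-secret mechanism offered but no sasldb2 reachable",
    "no secret in database": "sasldb: no shared secret for this user (CRAM-MD5 cannot use saslauthd)",
    "no user in db": "sasldb: user not present in sasldb2",
    "Password verification failed": "saslauthd: mux socket unreachable from the smtpd chroot, or wrong password",
}

def unsupported_mechs(smtpd_conf: str) -> list[str]:
    """Return mech_list entries that a saslauthd-backed smtpd.conf cannot serve."""
    conf = dict(re.findall(r"^\s*([a-z_]+)\s*:\s*(.+?)\s*$", smtpd_conf, re.M))
    if conf.get("pwcheck_method") != "saslauthd":
        return []
    return [m for m in conf.get("mech_list", "").split() if m.upper() not in SASLAUTHD_MECHS]

def diagnose(log: str) -> dict[str, list[str]]:
    """Group smtpd/lmtp log lines under the misconfiguration they most likely indicate."""
    findings: dict[str, list[str]] = {}
    for line in log.splitlines():
        if m := re.search(r"SASL authentication failure: (.+?)\s*$", line):
            key = REASONS.get(m.group(1), "sasl: " + m.group(1))
        elif "status=SOFTBOUNCE" in line and "Mailbox unknown" in line:
            key = "lmtp: Cyrus has no mailbox for the rewritten recipient; check virtual map direction and mailbox name"
        elif m := re.search(r"SASL (\S+) authentication failed", line):
            key = f"client: {m.group(1)} attempt rejected"
        else:
            continue
        findings.setdefault(key, []).append(line)
    return findings
if __name__ == "__main__":
    print("mechanisms saslauthd cannot serve:", unsupported_mechs("pwcheck_method: saslauthd\nmech_list: PLAIN LOGIN CRAM-MD5\n"))
    for key, lines in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {len(lines)} line(s)")
```

Run it against your own /var/log/maillog excerpt and smtpd.conf; a non-empty unsupported_mechs result means the "Could not open db" lines are expected until the extra mechanisms are dropped or a sasldb2 is provisioned.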