Goal: Configure smtpd to authenticate connections by using postfix, cyrus, saslauthd, pam and mysql.
Investigation
Authentication via courier-pop3 & courier-imap using mysql works
saslauthd appears to be working correctly as
testsaslauthd -u "me@examplecom" -p "password" -r "example.com" -s smtp
returns
0: OK "Success."
In the above cases the query appears in mysql.log:
758 Connect postfix@localhost on postfix
758 Init DB postfix
758 Query SELECT password FROM mailbox WHERE username = 'me@example.com'
758 Query SELECT password FROM mailbox WHERE username = 'me@example.com'
758 Quit
759 Connect postfix@localhost on postfix
759 Init DB postfix
759 Query SELECT 0, password FROM mailbox WHERE username = 'me@example.com'
759 Quit
However when I attempt to authentic via smtp, the mysql.log does not contain the query, leading me to suspect an error in the configuration of SASL.
I explored using pwcheck_method auxprop and authdaemond without success.
Log Files
This is an extract from mail.log with debug on. The username and password match the expected values. I cannot find more details on why the authentication is failing.
postfix/smtpd[26153]: connect from client.example.com[10.0.0.1]
postfix/smtpd[26153]: smtp_stream_setup: maxtime=300 enable_deadline=0
postfix/smtpd[26153]: match_hostname: client.example.com ~? all
postfix/smtpd[26153]: match_hostaddr: 10.0.0.1 ~? all
postfix/smtpd[26153]: match_list_match: client.example.com: no match
postfix/smtpd[26153]: match_list_match: 10.0.0.1: no match
postfix/smtpd[26153]: send attr request = connect
postfix/smtpd[26153]: send attr ident = smtp:10.0.0.1
postfix/smtpd[26153]: private/anvil: wanted attribute: status
postfix/smtpd[26153]: input attribute name: status
postfix/smtpd[26153]: input attribute value: 0
postfix/smtpd[26153]: private/anvil: wanted attribute: count
postfix/smtpd[26153]: input attribute name: count
postfix/smtpd[26153]: input attribute value: 1
postfix/smtpd[26153]: private/anvil: wanted attribute: rate
postfix/smtpd[26153]: input attribute name: rate
postfix/smtpd[26153]: input attribute value: 1
postfix/smtpd[26153]: private/anvil: wanted attribute: (list terminator)
postfix/smtpd[26153]: input attribute name: (end)
postfix/smtpd[26153]: > client.example.com[10.0.0.1]: 220 server.example.com ESMTP Postfix (Ubuntu)
postfix/smtpd[26153]: xsasl_cyrus_server_create: SASL service=smtp, realm=(null)
postfix/smtpd[26153]: name_mask: noanonymous
postfix/smtpd[26153]: watchdog_pat: 0x7f93f9fd1a20
postfix/smtpd[26153]: < client.example.com[10.0.0.1]: ehlo client.example.com
postfix/smtpd[26153]: match_list_match: client.example.com: no match
postfix/smtpd[26153]: match_list_match: 10.0.0.1: no match
postfix/smtpd[26153]: > client.example.com[10.0.0.1]: 250-server.example.com
postfix/smtpd[26153]: > client.example.com[10.0.0.1]: 250-PIPELINING
postfix/smtpd[26153]: > client.example.com[10.0.0.1]: 250-SIZE 40960000
postfix/smtpd[26153]: > client.example.com[10.0.0.1]: 250-VRFY
postfix/smtpd[26153]: > client.example.com[10.0.0.1]: 250-ETRN
postfix/smtpd[26153]: > client.example.com[10.0.0.1]: 250-STARTTLS
postfix/smtpd[26153]: > client.example.com[10.0.0.1]: 250-AUTH DIGEST-MD5 CRAM-MD5 NTLM PLAIN LOGIN
postfix/smtpd[26153]: > client.example.com[10.0.0.1]: 250-AUTH=DIGEST-MD5 CRAM-MD5 NTLM PLAIN LOGIN
postfix/smtpd[26153]: > client.example.com[10.0.0.1]: 250-ENHANCEDSTATUSCODES
postfix/smtpd[26153]: > client.example.com[10.0.0.1]: 250-8BITMIME
postfix/smtpd[26153]: > client.example.com[10.0.0.1]: 250 DSN
postfix/smtpd[26153]: watchdog_pat: 0x7f93f9fd1a20
postfix/smtpd[26153]: < client.example.com[10.0.0.1]: auth login
postfix/smtpd[26153]: xsasl_cyrus_server_first: sasl_method login
postfix/smtpd[26153]: xsasl_cyrus_server_auth_response: uncoded server challenge: Username:
postfix/smtpd[26153]: > client.example.com[10.0.0.1]: 334 VXNlcm5hbWU6
postfix/smtpd[26153]: < client.example.com[10.0.0.1]: md5encoded
postfix/smtpd[26153]: xsasl_cyrus_server_next: decoded response: me@example.com
postfix/smtpd[26153]: xsasl_cyrus_server_auth_response: uncoded server challenge: Password:
postfix/smtpd[26153]: > client.example.com[10.0.0.1]: 334 UGFzc3dvcmQ6
postfix/smtpd[26153]: < client.example.com[10.0.0.1]: md5encoded
postfix/smtpd[26153]: xsasl_cyrus_server_next: decoded response: password
postfix/smtpd[26153]: warning: client.example.com[10.0.0.1]: SASL login authentication failed: authentication failure
postfix/smtpd[26153]: > client.example.com[10.0.0.1]: 535 5.7.8 Error: authentication failed: authentication failure
postfix/smtpd[26153]: watchdog_pat: 0x7f93f9fd1a20
saslfinger
saslfinger - postfix Cyrus sasl configuration
version: 1.0.4
mode: server-side SMTP AUTH
-- basics --
Postfix: 2.9.6
System: Ubuntu 12.04.5 LTS \n \l
-- smtpd is linked to --
libsasl2.so.2 => /usr/lib/x86_64-linux-gnu/libsasl2.so.2 (0x00007f0f4de7f000)
-- active SMTP AUTH and TLS parameters for smtpd --
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain =
smtpd_sasl_path = /etc/postfix/sasl:/usr/lib/sasl2
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = cyrus
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = no
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
-- listing of /usr/lib/sasl2 --
total 28
drwxr-xr-x 2 root root 4096 Jan 9 23:05 .
drwxr-xr-x 60 root root 12288 Jan 8 17:05 ..
-rw-r--r-- 1 root root 4 Jan 8 18:33 berkeley_db.active
-rw-r--r-- 1 root root 4 Jan 28 2020 berkeley_db.txt
-rw-r--r-- 1 root root 63 Jan 10 22:42 smtpd.conf
-- listing of /etc/postfix/sasl --
total 16
drwxr-xr-x 2 root root 4096 Jan 10 22:42 .
drwxr-xr-x 3 root root 4096 Jan 10 18:56 ..
-rw-r--r-- 1 root root 63 Jan 10 22:42 smtpd.conf
-rw-r--r-- 1 root root 493 Jan 10 16:19 smtpd.conf~
-- content of /usr/lib/sasl2/smtpd.conf --
pwcheck_method: saslauthd
log_level: 7
mech_list: plain login
-- content of /etc/postfix/sasl/smtpd.conf --
pwcheck_method: saslauthd
log_level: 7
mech_list: plain login
-- content of /etc/postfix/sasl/smtpd.conf --
pwcheck_method: saslauthd
log_level: 7
mech_list: plain login
-- active services in /etc/postfix/master.cf --
service type private unpriv chroot wakeup maxproc command + args
(yes) (yes) (yes) (never) (100)
smtp inet n - n - - smtpd
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
relay unix - - - - - smtp
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}
-- mechanisms on localhost --
250-AUTH DIGEST-MD5 CRAM-MD5 NTLM PLAIN LOGIN
250-AUTH=DIGEST-MD5 CRAM-MD5 NTLM PLAIN LOGIN
-- end of saslfinger output --
Questions I'd appreciate suggestions on how to find more debugging information.
