I'm having some trouble authenticating. I think it may involve the realm but can't say for sure.

$ /usr/sbin/saslauthd -v
saslauthd 2.1.24
authentication mechanisms: sasldb getpwent kerberos5 pam rimap shadow ldap

/etc/group:
sasl:x:45:cyrus,postfix

$ ls -l /etc/sasldb2
-rw-rw---- 1 root sasl 12288 2012-03-25 15:34 /etc/sasldb2

$ grep -v '^#' /etc/default/saslauthd
START=yes
DESC="SASL Authentication Daemon"
NAME="saslauthd"
MECHANISMS="sasldb"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c -m /var/run/saslauthd"

/etc/imapd.conf:
admins: cyrus
allowanonymouslogin: no
allowplaintext: yes
sasl_mech_list: PLAIN LOGIN
loginrealms: DOMAIN.org
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: sasldb
sasl_auto_transition: no

$ cat /etc/postfix/sasl/smtpd.conf
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN

$ sudo saslpasswd2 -c test@xxxxxxxxxx
[The password is "test" so I'm pretty sure the problem isn't there.]

$ sudo sasldblistusers2
cyrus@demeter: userPassword
test@xxxxxxxxxx: userPassword

$ sudo testsaslauthd -u test@xxxxxxxxxx -p test
0: NO "authentication failed"

/var/log/auth.log:
demeter saslauthd[9701]: do_auth : auth failure: [user=test@xxxxxxxxxx] [service=imap] [realm=] [mech=sasldb] [reason=Unknown]

I see that realm is empty. I'm unsure about how that works. I didn't include one when setting the password, although I don't believe I've ever done so before. As I understand it, by passing the @DOMAIN.org when creating the password, that part will be used as the realm, and the same when authenticating. And if I don't include @DOMAIN.org when authenticating, the hostname will be used (which I don't want).

$ postconf -h myhostname
demeter.DOMAIN.org

But this works:

$ sudo testsaslauthd -u test -p test -r DOMAIN.org
0: OK "Success."

Alright, it's looking more promising.

$ echo -ne '\0test@xxxxxxxxxx\0test' | openssl enc -base64
AHRlc3RAYWZ2Ym0ub3JnAHRlc3Q=

$ telnet localhost 25
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 demeter.DOMAIN.org ESMTP Postfix
EHLO localhost
250-demeter.DOMAIN.org
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN AHRlc3RAYWZ2Ym0ub3JnAHRlc3Q=
535 5.7.8 Error: authentication failed: authentication failure

I've also tried it with the output of all of these:

echo -ne 'test@xxxxxxxxxx\0test@xxxxxxxxxx\0test' | openssl enc -base64
echo -ne '\0test\0test' | openssl enc -base64
perl -MMIME::Base64 -e 'print encode_base64("test@xxxxxxxxxx\0test@xxxxxxxxxx\0test");'
perl -MMIME::Base64 -e 'print encode_base64("test\0test\0test");'

I'm thoroughly confused as to whether the domain should be appended here. I always have done in the past.

The saslauthd startup options include:

-r  Combine the realm with the login before passing to authentication mechanism
    Ex. login: "foo" realm: "bar" will get passed as login: "foo@bar"
    The realm name is passed untouched.

So, if I include the -r and restart the service:

$ sudo testsaslauthd -u test -p test -r DOMAIN.org
0: NO "authentication failed"

$ sudo testsaslauthd -u test -p test@xxxxxxxxxx -r DOMAIN.org
0: NO "authentication failed"

$ sudo testsaslauthd -u test -p test@xxxxxxxxxx
0: NO "authentication failed"

OK, so I removed -r and testsaslauthd works again. But what else should I be looking for to figure out how to do auth through postfix?

BTW, before I thought to use testsaslauthd first (which makes clear the mech used), I changed /etc/default/saslauthd to:

OPTIONS="-c -m /var/run/saslauthd -a sasldb"

But it failed to start up, even though it lists one of the available mechanisms for the -a flag as "sasldb".

----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
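
Added example, not part of the original post: a Python helper that builds and decodes the AUTH PLAIN argument (RFC 4616: [authzid] NUL authcid NUL passwd) and shows which (user, realm) pair each of the four encodings tried above would be looked up under. The realm split in lookup_key is an assumed model of the behaviour the post describes, not Cyrus SASL's code; example.org and the default realm are constructed stand-ins.

```python
import base64

def encode_plain(authcid, password, authzid=""):
    """Build the base64 argument for AUTH PLAIN (RFC 4616):
    [authzid] NUL authcid NUL passwd."""
    if not authcid or not password:
        raise ValueError("authcid and password must be non-empty")
    if any("\0" in f for f in (authzid, authcid, password)):
        raise ValueError("fields must not contain NUL")
    raw = "\0".join((authzid, authcid, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def decode_plain(blob):
    """Return (authzid, authcid, password) from an AUTH PLAIN argument."""
    parts = base64.b64decode(blob, validate=True).split(b"\0")
    if len(parts) != 3 or not parts[1] or not parts[2]:
        raise ValueError("expected [authzid] NUL authcid NUL passwd")
    return tuple(p.decode("utf-8") for p in parts)

def lookup_key(login, default_realm):
    """Assumed model of the user@realm split described in the post:
    text after '@' is the realm, otherwise default_realm applies."""
    user, sep, realm = login.partition("@")
    return (user, realm if sep else default_realm)

def matches_entry(blob, entry, default_realm):
    """True if the decoded authcid maps to the (user, realm) pair `entry`."""
    _authzid, authcid, _password = decode_plain(blob)
    return lookup_key(authcid, default_realm) == entry

# Constructed sample values: example.org stands in for the redacted realm.
ENTRY = ("test", "example.org")        # sasldblistusers2 style: test@example.org
DEFAULT_REALM = "demeter.example.org"  # assumption: the hostname is the default

if __name__ == "__main__":
    # (authzid, authcid) pairs mirroring the four encodings tried in the post.
    attempts = [("", "test@example.org"),
                ("test@example.org", "test@example.org"),
                ("", "test"),
                ("test", "test")]
    for authzid, authcid in attempts:
        blob = encode_plain(authcid, "test", authzid)
        print(blob, decode_plain(blob)[:2],
              lookup_key(authcid, DEFAULT_REALM),
              matches_entry(blob, ENTRY, DEFAULT_REALM))
```

Decoding the blob before sending it confirms the field order and the NUL separators independently of the shell's escape handling.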