I'm having some trouble configuring SASL for a new server. Specifically, it seems, with realms. I'm now at the point where imtest works with the virtual domains but not with the default domain.

I'm using sasldb through auxprop. In the past I've always done:

saslpasswd2 -c username@xxxxxxxxxx

But in order to get SASL working with Postfix this time I had to specify the realm with -u and use a bare account name:

saslpasswd2 -c -u DEFAULT.TLD username
saslpasswd2 -c -u VDOMAIN1.TLD username
etc

After days of struggle, I've got Postfix responding well when testing via telnet. The base64 hash was created with:

perl -MMIME::Base64 -e 'print encode_base64("\000user\@DOMAIN.TLD\000password");'

I mention all that because it seems as if realms are the issue. Or it was before and I suppose that's been resolved. Now it's just the default domain that's giving me problems.

It's been days and days now and I'm so close that I'm reluctant to fiddle any more because I know that the chances are good that I'll make things worse (as I've probably repeatedly done already). I'd appreciate it if someone could suggest something to save the rest of my hair.

FWIW, this server has no DNS records pointing to it yet. My goal is to get Postfix & Cyrus working to the point where I can use imapsync, then deal with DNS. This is what I've done in the past. (And imapsync is working now with the virtual domains.)

$ hostname -f
poseidon.DEFAULT.TLD

$ imtest -v -m plain -a user@xxxxxxxxxxx localhost
S: * OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS AUTH=PLAIN AUTH=LOGIN AUTH=DIGEST-MD5 AUTH=CRAM-MD5 SASL-IR] poseidon Cyrus IMAP v2.4.12-Debian-2.4.12-2 server ready
Please enter your password:
C: A01 AUTHENTICATE PLAIN xxxxxxxxxxxxxxxxxxxxxxxx
S: A01 NO authentication failure
Authentication failed. generic failure
Security strength factor: 0

The log says:

cyrus/imap[12036]: badlogin: localhost [::1] PLAIN [SASL(-13): user not found: Password verification failed]

But sasldblistusers2 says otherwise.
Again, it's only the accounts under the default domain that are failing. If I separate out the realm with -a user -r DEFAULT.TLD I get the same error in the log saying the user wasn't found.

-----
/etc/imapd.conf:

loginrealms: DEFAULT.TLD VDOMAIN1.TLD VDOMAIN2.tld
virtdomains: userid
defaultdomain: DEFAULT.TLD # also tried this empty
allowplaintext: yes
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: sasldb
sasl_mech_list: PLAIN LOGIN DIGEST-MD5 CRAM-MD5
sasl_auto_transition: no
configdirectory: /var/lib/cyrus
proc_path: /run/cyrus/proc
mboxname_lockpath: /run/cyrus/lock
defaultpartition: default
partition-default: /var/spool/cyrus/mail
partition-news: /var/spool/cyrus/news
newsspool: /var/spool/news
altnamespace: no
unixhierarchysep: no
lmtp_downcase_rcpt: yes
admins: cyrus
imap_admins: cyrus
allowanonymouslogin: no
popminpoll: 1
autocreatequota: 0
umask: 077
sieveusehomedir: false
sievedir: /var/spool/sieve
hashimapspool: true
tls_cert_file: /etc/ssl/certs/smtpd.crt
tls_key_file: /etc/ssl/private/smtpd.key
tls_ca_file: /etc/ssl/certs/cacert.pem
tls_ca_path: /etc/ssl/certs
tls_session_timeout: 1440
tls_cipher_list: TLSv1+HIGH:!aNULL:@STRENGTH
lmtpsocket: /var/run/cyrus/socket/lmtp
idlesocket: /var/run/cyrus/socket/idle
notifysocket: /var/run/cyrus/socket/notify
syslog_prefix: cyrus

-----
$ cat /etc/group | grep sasl
sasl:x:45:smmta,smmsp,cyrus,postfix

$ ls -l /etc/sasldb2
-rw-r----- 1 root sasl 12288 Aug 17 20:22 /etc/sasldb2

-----
/usr/lib/sasl2/saslpasswd.conf:

#auto_transition: true
pwcheck_method: auxprop
auxprop_plugin: sasldb
allowanonymouslogin: 0
allowplaintext: 1
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5

-----
I have Cyrus 2.4 installed:

cyrus-admin-2.4        2.4.12-2
cyrus-clients-2.4      2.4.12-2
cyrus-common           2.4.12-2
cyrus-common-2.4       2.4.12-2
cyrus-imapd-2.2        2.4.12-2
cyrus-imapd-2.4        2.4.12-2
libcyrus-imap-perl24   2.4.12-2

-----
saslfinger - postfix Cyrus sasl configuration Sun Aug 19 17:47:11 EDT 2012
version: 1.0.4
mode: server-side SMTP AUTH

-- basics --
Postfix: 2.9.3
System: Ubuntu 12.04 LTS \n \l

-- smtpd is linked to --
libsasl2.so.2 => /usr/lib/x86_64-linux-gnu/libsasl2.so.2 (0x00007f5b2ed2a000)

-- active SMTP AUTH and TLS parameters for smtpd --
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous

-- listing of /usr/lib/sasl2 --
total 28
drwxr-xr-x  2 root  root   4096 Aug 17 16:16 .
drwxr-xr-x 53 root  root  12288 Jul 26 20:51 ..
-rw-r--r--  1 root  root      1 May  4 00:15 berkeley_db.txt
-rw-r-----  1 root  root    698 Aug 17 16:16 saslpasswd.conf
-rw-r-----  1 smmta smmsp   885 Jul 24 15:07 Sendmail.conf

-- listing of /etc/postfix/sasl --
total 12
drwxr-xr-x 2 root root 4096 Aug 17 15:34 .
drwxr-xr-x 3 root root 4096 Aug 17 15:41 ..
-rw-r--r-- 1 root root  125 Aug 17 15:34 smtpd.conf

-- content of /etc/postfix/sasl/smtpd.conf --
log_level: 2
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: plain login DIGEST-MD5 CRAM-MD5
allow_plaintext: true

-- active services in /etc/postfix/master.cf --
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
smtp      inet  n       -       -       -       -       smtpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n      n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}

-- mechanisms on localhost --
250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5
250-AUTH=PLAIN LOGIN DIGEST-MD5 CRAM-MD5

-- end of saslfinger output --

Postfix is chrooted but I'm using /etc/sasldb2, which is copied to the chroot when Postfix is started.
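
An added example (not part of the original post, and not Cyrus or Postfix code): it decodes a SASL PLAIN token like the one built with the perl one-liner above, splits the identity into user and realm, and checks that exact pair against sasldblistusers2-style output. The listing is constructed, and `fallback_realm` (the realm applied to a bare username) is a parameter because the post does not establish which realm the server uses.

```python
import base64

# Constructed sample in the "user@REALM: userPassword" format printed by
# sasldblistusers2; these are not the poster's real accounts.
SAMPLE_LISTING = """\
alice@DEFAULT.TLD: userPassword
alice@VDOMAIN1.TLD: userPassword
bob@VDOMAIN1.TLD: userPassword
"""

def build_plain(authcid, password, authzid=""):
    """Encode a SASL PLAIN initial response (RFC 4616)."""
    raw = "\0".join((authzid, authcid, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def parse_plain(token):
    """Decode a PLAIN response into (authzid, authcid, password)."""
    parts = base64.b64decode(token, validate=True).split(b"\0")
    if len(parts) != 3 or not parts[1] or not parts[2]:
        raise ValueError("expected authzid NUL authcid NUL password")
    return tuple(p.decode("utf-8") for p in parts)

def split_identity(authcid, fallback_realm):
    """Split 'user@realm' at the last '@'; a bare name gets fallback_realm
    (an assumption supplied by the caller, not a documented server rule)."""
    user, sep, realm = authcid.rpartition("@")
    return (user, realm) if sep else (authcid, fallback_realm)

def load_keys(listing):
    """Turn sasldblistusers2 output into a set of (user, realm) keys."""
    keys = set()
    for line in listing.splitlines():
        ident, sep, _prop = line.partition(":")
        if sep and "@" in ident:
            user, _, realm = ident.strip().rpartition("@")
            keys.add((user, realm))
    return keys

def lookup(token, listing, fallback_realm):
    """Return the (user, realm) a token maps to and whether that exact,
    case-sensitive pair is present in the listing."""
    _authzid, authcid, _password = parse_plain(token)
    key = split_identity(authcid, fallback_realm)
    return key, key in load_keys(listing)

if __name__ == "__main__":
    for ident in ("alice@DEFAULT.TLD", "alice", "bob"):
        tok = build_plain(ident, "secret")
        print(ident, "->", lookup(tok, SAMPLE_LISTING, "poseidon.DEFAULT.TLD"))
```

Feeding it the real `sasldblistusers2` output and trying different `fallback_realm` values shows which (user, realm) pair would have to exist for a given login string to be found.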