public inbox for gentoo-user@lists.gentoo.org
From: Brandon Vargo <brandon.vargo@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Postfix question about auth and blocklists...
Date: Thu, 27 May 2010 11:06:27 -0600
Message-ID: <1274979987.11900.142.camel@bvargo2.homeip.net>
In-Reply-To: <4BFE9CDA.3080807@shic.co.uk>

On Thu, 2010-05-27 at 17:24 +0100, Steve wrote:
> On 26/05/2010 20:32, Brandon Vargo wrote:
> > I hope the above helps.
> >   
> 
> Thank you very much... that was very informative.  Unfortunately, I
> now discover I fibbed when I said I had SASL auth set up - I only
> thought I had...  When I correctly configure thunderbird, I get the
> following postfix messages in the log:
> 
> > May 27 17:06:20 ken postfix/smtpd[19973]: connect from
> > ur.shic.co.uk[10.0.1.253]
> > May 27 17:06:20 ken postfix/smtpd[19973]: warning: SASL
> > authentication failure: Could not open /etc/sasl2/sasldb2:
> > gdbm_errno=5
> > May 27 17:06:20 ken postfix/smtpd[19973]: warning: SASL
> > authentication failure: Could not open /etc/sasl2/sasldb2:
> > gdbm_errno=5
> > May 27 17:06:20 ken postfix/smtpd[19973]: warning: SASL
> > authentication failure: no secret in database
> > May 27 17:06:20 ken postfix/smtpd[19973]: warning:
> > ur.shic.co.uk[10.0.1.253]: SASL CRAM-MD5 authentication failed:
> > authentication failure
> > May 27 17:06:20 ken postfix/smtpd[19973]: NTLM server step 1
> > May 27 17:06:20 ken postfix/smtpd[19973]: client flags: ffff8207
> > May 27 17:06:20 ken postfix/smtpd[19973]: NTLM server step 2
> > May 27 17:06:20 ken postfix/smtpd[19973]: client user: myusername
> > May 27 17:06:20 ken postfix/smtpd[19973]: warning: SASL
> > authentication failure: Could not open /etc/sasl2/sasldb2:
> > gdbm_errno=5
> > May 27 17:06:20 ken postfix/smtpd[19973]: warning: SASL
> > authentication failure: Could not open /etc/sasl2/sasldb2:
> > gdbm_errno=5
> > May 27 17:06:20 ken postfix/smtpd[19973]: warning: SASL
> > authentication failure: no secret in database
> > May 27 17:06:20 ken postfix/smtpd[19973]: warning:
> > ur.shic.co.uk[10.0.1.253]: SASL NTLM authentication failed:
> > authentication failure
> 
> I'm sure I'm doing something silly - because googling the first
> warning just gives me this bug, which doesn't seem to fit.  I have
> this installed:
> 
> > $ eix mail-mta/postfix
> > [I] mail-mta/postfix
> >      Available versions:  2.6.5 ~2.6.6 {cdb dovecot-sasl hardened
> > ipv6 ldap mbox mysql nis pam postgres sasl selinux ssl vda}
> >      Installed versions:  2.6.5(09:08:29 05/27/10)(ipv6 pam sasl ssl
> > -cdb -dovecot-sasl -hardened -ldap -mbox -mysql -nis -postgres
> > -selinux -vda)
> >      Homepage:            http://www.postfix.org/
> >      Description:         A fast and secure drop-in replacement for
> > sendmail.
> 
> If I alter thunderbird to not use secure authentication, I get the
> following instead.
> 
> > May 27 17:14:26 ken postfix/smtpd[20115]: connect from
> > ur.shic.co.uk[10.0.1.253]
> > May 27 17:14:26 ken postfix/smtpd[20115]: warning: SASL
> > authentication problem: unknown password verifier
> > May 27 17:14:26 ken postfix/smtpd[20115]: warning: SASL
> > authentication failure: Password verification failed
> > May 27 17:14:26 ken postfix/smtpd[20115]: warning:
> > ur.shic.co.uk[10.0.1.253]: SASL PLAIN authentication failed: no
> > mechanism available
> > May 27 17:14:26 ken postfix/smtpd[20115]: warning: SASL
> > authentication problem: unknown password verifier
> > May 27 17:14:26 ken postfix/smtpd[20115]: warning:
> > ur.shic.co.uk[10.0.1.253]: SASL LOGIN authentication failed: no
> > mechanism available
> 
> Which seems quite strange.
> 
> My /etc/sasl2/smtpd.conf is the default for gentoo - i.e. it contains
> the single config line:
> 
> > pwcheck_method:pam
> 
> I don't care if I use PAM or something else - as long as it lets me
> authenticate.  In the medium term, it would be best if neither IMAP
> nor SMTP passwords had any relation to my system password (not that I
> allow remote logins using it) - but, for the time being, I just want
> it to let me authenticate and send from my phone.
> 
> By any chance can anyone give me any further clues?
> 

You mentioned in your first mail that you use Dovecot. The easiest way
to set up SASL for Postfix is to have Postfix authenticate against
Dovecot, assuming that you want the same usernames and passwords for
both. Recompile mail-mta/postfix with the dovecot-sasl USE flag enabled.
Then, add the following to Postfix's configuration file after
commenting/removing the other SASL lines:

smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

Then, in dovecot's configuration file, add the following to the "auth
default" section:

socket listen {
   client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
   }
}

Adjust the path, user, and group as appropriate. The user and group
should be set to whatever user postfix is running under. Note that
private/auth in the path corresponds to the smtpd_sasl_path setting in
Postfix. Restart Dovecot and then Postfix.

I also recommend adding the following option to main.cf if your clients
support TLS encryption, which will not allow authentication over
unencrypted connections:

smtpd_tls_auth_only = yes

See http://www.postfix.org/SASL_README.html for other SASL mechanisms,
if you do not use or do not want to use Dovecot.

Regards,

Brandon Vargo
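
A consistency check for the two configuration fragments in the message above, as an added example that is not part of the original message or of Postfix or Dovecot. The names parse_kv and audit are hypothetical, the sample inputs are constructed from the settings quoted in the message, and /var/spool/postfix is assumed as the queue directory when main.cf does not set one.

```python
import re

# Constructed sample inputs mirroring the settings in the message above.
MAIN_CF = """\
queue_directory = /var/spool/postfix
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_tls_auth_only = yes
"""
DOVECOT_SOCKET = """\
socket listen {
   client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
   }
}
"""

def parse_kv(text):
    """Collect 'key = value' lines; comment lines and block braces do not match."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"([\w.]+)\s*=\s*(.*)$", line.strip())
        if m:
            out[m.group(1)] = m.group(2).strip()
    return out

def audit(main_cf, dovecot_socket, postfix_user="postfix"):
    """Return a list of findings; an empty list means both sides agree."""
    pf, dv = parse_kv(main_cf), parse_kv(dovecot_socket)
    findings = []
    for key, want in (("smtpd_sasl_auth_enable", "yes"),
                      ("smtpd_sasl_type", "dovecot"),
                      ("smtpd_tls_auth_only", "yes")):
        if pf.get(key) != want:
            findings.append(f"{key} should be {want}, found {pf.get(key)}")
    # A relative smtpd_sasl_path is resolved against the Postfix queue directory.
    sasl_path = pf.get("smtpd_sasl_path", "")
    if not sasl_path.startswith("/"):
        queue = pf.get("queue_directory", "/var/spool/postfix")  # assumed default
        sasl_path = queue.rstrip("/") + "/" + sasl_path
    if dv.get("path") != sasl_path:
        findings.append(f"socket path mismatch: postfix={sasl_path} dovecot={dv.get('path')}")
    if int(dv.get("mode", "0666"), 8) & 0o007:
        findings.append("auth socket is accessible to other local users")
    if dv.get("user") != postfix_user:
        findings.append(f"auth socket is not owned by {postfix_user}")
    return findings
```

Pass audit() the text of main.cf and of the "socket listen" block only, since other parts of the Dovecot auth section may also contain a user setting.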



