Subject: Re: [gentoo-user] Postfix question about auth and blocklists...
From: Brandon Vargo
To: gentoo-user@lists.gentoo.org
Date: Thu, 27 May 2010 11:06:27 -0600

On Thu, 2010-05-27 at 17:24 +0100, Steve wrote:
> On 26/05/2010 20:32, Brandon Vargo wrote:
> > I hope the above helps.
> >
>
> Thank you very much... that was very informative.  Unfortunately, I
> now discover I fibbed when I said I had SASL auth set up - I only
> thought I had...
> When I correctly configure thunderbird, I get the
> following postfix messages in the log:
>
> > May 27 17:06:20 ken postfix/smtpd[19973]: connect from
> > ur.shic.co.uk[10.0.1.253]
> > May 27 17:06:20 ken postfix/smtpd[19973]: warning: SASL
> > authentication failure: Could not open /etc/sasl2/sasldb2:
> > gdbm_errno=5
> > May 27 17:06:20 ken postfix/smtpd[19973]: warning: SASL
> > authentication failure: Could not open /etc/sasl2/sasldb2:
> > gdbm_errno=5
> > May 27 17:06:20 ken postfix/smtpd[19973]: warning: SASL
> > authentication failure: no secret in database
> > May 27 17:06:20 ken postfix/smtpd[19973]: warning:
> > ur.shic.co.uk[10.0.1.253]: SASL CRAM-MD5 authentication failed:
> > authentication failure
> > May 27 17:06:20 ken postfix/smtpd[19973]: NTLM server step 1
> > May 27 17:06:20 ken postfix/smtpd[19973]: client flags: ffff8207
> > May 27 17:06:20 ken postfix/smtpd[19973]: NTLM server step 2
> > May 27 17:06:20 ken postfix/smtpd[19973]: client user: myusername
> > May 27 17:06:20 ken postfix/smtpd[19973]: warning: SASL
> > authentication failure: Could not open /etc/sasl2/sasldb2:
> > gdbm_errno=5
> > May 27 17:06:20 ken postfix/smtpd[19973]: warning: SASL
> > authentication failure: Could not open /etc/sasl2/sasldb2:
> > gdbm_errno=5
> > May 27 17:06:20 ken postfix/smtpd[19973]: warning: SASL
> > authentication failure: no secret in database
> > May 27 17:06:20 ken postfix/smtpd[19973]: warning:
> > ur.shic.co.uk[10.0.1.253]: SASL NTLM authentication failed:
> > authentication failure
>
> I'm sure I'm doing something silly - because googling the first
> warning just gives me this bug, which doesn't seem to fit.
> I have this installed:
>
> > $ eix mail-mta/postfix
> > [I] mail-mta/postfix
> >      Available versions:  2.6.5 ~2.6.6 {cdb dovecot-sasl hardened
> > ipv6 ldap mbox mysql nis pam postgres sasl selinux ssl vda}
> >      Installed versions:  2.6.5(09:08:29 05/27/10)(ipv6 pam sasl ssl
> > -cdb -dovecot-sasl -hardened -ldap -mbox -mysql -nis -postgres
> > -selinux -vda)
> >      Homepage:            http://www.postfix.org/
> >      Description:         A fast and secure drop-in replacement for
> > sendmail.
>
> If I alter thunderbird to not use secure authentication, I get the
> following instead.
>
> > May 27 17:14:26 ken postfix/smtpd[20115]: connect from
> > ur.shic.co.uk[10.0.1.253]
> > May 27 17:14:26 ken postfix/smtpd[20115]: warning: SASL
> > authentication problem: unknown password verifier
> > May 27 17:14:26 ken postfix/smtpd[20115]: warning: SASL
> > authentication failure: Password verification failed
> > May 27 17:14:26 ken postfix/smtpd[20115]: warning:
> > ur.shic.co.uk[10.0.1.253]: SASL PLAIN authentication failed: no
> > mechanism available
> > May 27 17:14:26 ken postfix/smtpd[20115]: warning: SASL
> > authentication problem: unknown password verifier
> > May 27 17:14:26 ken postfix/smtpd[20115]: warning:
> > ur.shic.co.uk[10.0.1.253]: SASL LOGIN authentication failed: no
> > mechanism available
>
> Which seems quite strange.
>
> My /etc/sasl2/smtpd.conf is the default for gentoo - i.e. it contains
> the single config line:
>
> > pwcheck_method:pam
>
> I don't care if I use PAM or something else - as long as it lets me
> authenticate.  In the medium term, it would be best if neither IMAP
> nor SMTP passwords had any relation to my system password (not that I
> allow remote logins using it) - but, for the time being, I just want
> it to let me authenticate and send from my phone.
>
> By any chance can anyone give me any further clues?
>

You mentioned in your first mail that you use Dovecot.
The easiest way to set up SASL for Postfix is to have Postfix
authenticate against Dovecot, assuming that you want the same usernames
and passwords for both. Recompile mail-mta/postfix with the dovecot-sasl
USE flag enabled. Then, add the following to Postfix's configuration
file after commenting/removing the other SASL lines:

    smtpd_sasl_auth_enable = yes
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth

Then, in Dovecot's configuration file, add the following to the "auth
default" section:

    socket listen {
      client {
        path = /var/spool/postfix/private/auth
        mode = 0660
        user = postfix
        group = postfix
      }
    }

Adjust the path, user, and group as appropriate. The user and group
should be set to whatever user postfix is running under. Note that
private/auth in the path corresponds to the smtpd_sasl_path setting in
Postfix. Restart Dovecot and then Postfix.

I also recommend adding the following option to main.cf if your clients
support TLS encryption, which will not allow authentication over
unencrypted connections:

    smtpd_tls_auth_only = yes

See http://www.postfix.org/SASL_README.html for other SASL mechanisms,
if you do not use or do not want to use Dovecot.

Regards,

Brandon Vargo
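
Added example, not part of the original message: a Python check that a main.cf and a Dovecot 1.x "socket listen" block agree with the settings recommended in the reply above, including that the socket path equals the queue directory plus smtpd_sasl_path. The function names, the wording of the findings and both sample inputs are constructed for illustration; the queue directory is assumed to be Postfix's default /var/spool/postfix unless main.cf sets queue_directory.

```python
import posixpath
import re

def parse_main_cf(text):
    """Postfix main.cf rules: '#' lines are comments, a line starting with
    whitespace continues the previous one, and the last definition wins."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last:          # continuation line
            params[last] += " " + raw.strip()
        elif "=" in raw and not raw[0].isspace():
            last, _, value = (s.strip() for s in raw.partition("="))
            params[last] = value
    return params

def dovecot_client_socket(text):
    """Settings inside the first 'client { ... }' block (Dovecot 1.x syntax)."""
    block = re.search(r"client\s*\{([^}]*)\}", text)
    return dict(re.findall(r"^\s*(\w+)\s*=\s*(\S+)", block.group(1), re.M)) if block else {}

def audit(main_cf, dovecot_conf):
    p, sock = parse_main_cf(main_cf), dovecot_client_socket(dovecot_conf)
    findings = []
    if p.get("smtpd_sasl_auth_enable") != "yes":
        findings.append("smtpd_sasl_auth_enable is not yes")
    if p.get("smtpd_sasl_type") != "dovecot":
        findings.append("smtpd_sasl_type is not dovecot")
    queue = p.get("queue_directory", "/var/spool/postfix")  # assumed default
    expected = posixpath.join(queue, p.get("smtpd_sasl_path", ""))  # relative to queue dir
    if sock.get("path") != expected:
        findings.append(f"Dovecot socket {sock.get('path')} != Postfix {expected}")
    if sock.get("mode") and int(sock["mode"], 8) & 0o007:
        findings.append("auth socket is accessible to other users")
    if p.get("smtpd_tls_auth_only") != "yes":
        findings.append("AUTH is offered on unencrypted connections")
    return findings

# Constructed sample inputs: a Dovecot block like the reply's, and a main.cf with two mistakes
DOVECOT = """socket listen {
  client {
    path = /var/spool/postfix/private/auth
    mode = 0660
  }
}"""
MAIN_CF = ("smtpd_sasl_auth_enable = yes\nsmtpd_sasl_type = dovecot\n"
           "# smtpd_tls_auth_only = yes\nsmtpd_sasl_path = private/authsock\n")
print("\n".join(audit(MAIN_CF, DOVECOT)))
```

With the sample main.cf the check reports the mismatched socket path and the missing smtpd_tls_auth_only; correcting both lines yields no findings.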