* [gentoo-user] cyrus-sasl 2.1.23 remote server rejected your credentials
From: laurent @ 2010-04-21 17:19 UTC
To: gentoo-user
Hi,
Using Postfix and TLS for an MTA, my password is rejected.
Here is the log message:
saslauthd[4358]: do_auth : auth failure: [user=user@domain.com]
[service=smtp] [realm=domain.com] [mech=rimap] [reason=remote server
rejected your credentials]
Could it be a bug in cyrus-sasl 2.1.23?
thx
Laurent
* [gentoo-user] cyrus-sasl 2.1.23 remote server rejected your credentials
From: laurent @ 2010-04-21 19:56 UTC
To: gentoo-user
ok, it's 3 days I'm trying to fix my smtp connection, I have been through
the whole configuration many times and getting the certificates also.
The last thing I did is add this line again in /etc/postfix/main.cf:
smtpd_sasl_path = smtpd
which changed the error into a warning for postfix:
warning: foo[b.a.r.x]: SASL PLAIN authentication failed: authentication
failure
then, same for LOGIN:
postfix/smtpd[3962]: warning: foo[b.a.r.x]: SASL LOGIN authentication
failed: authentication failure
I used this howto at first:
http://www.gentoo.org/doc/fr/virt-mail-howto.xml
and it was working for a long time.
I can post more info if you need.
thx
Laurent
* Re: [gentoo-user] cyrus-sasl 2.1.23 remote server rejected your credentials
From: kashani @ 2010-04-21 22:00 UTC
To: gentoo-user; +Cc: laurent
On 4/21/2010 12:56 PM, laurent@logiquefloue.org wrote:
> ok, it's 3 days I'm trying to fix my smtp connection, I have been through
> the whole configuration many times and getting the certificates also.
>
> The last thing I did is add this line again in /etc/postfix/main.cf:
> smtpd_sasl_path = smtpd
>
> which changed the error into a warning for postfix:
> warning: foo[b.a.r.x]: SASL PLAIN authentication failed: authentication
> failure
>
> then, same for LOGIN:
> postfix/smtpd[3962]: warning: foo[b.a.r.x]: SASL LOGIN authentication
> failed: authentication failure
>
> I used this howto at first:
> http://www.gentoo.org/doc/fr/virt-mail-howto.xml
>
> and it was working for a long time.
>
> I can post more info if you need.
You shouldn't need to add that line because it's part of the default
config. Post the output of postconf | grep smtpd_sasl so we can see if
there is anything odd in your config.
Also make sure that you allow mynetworks before requiring authentication
like this example below. If you don't, your mail server will try to
authenticate access from localhost.
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
kashani
* Re: [gentoo-user] cyrus-sasl 2.1.23 remote server rejected your credentials
From: laurent @ 2010-04-22 12:39 UTC
To: gentoo-user
Hi!
I changed the restrictions line like you said:
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
but this way it will try to see if the IP is part of mynetworks first, and
as it won't be it will reject or ... because my SquirrelMail works and I
think it does not use the authentication but rather the mynetworks.
Well.. :)
here is postconf | grep smtpd_sasl
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_exceptions_networks =
smtpd_sasl_local_domain =
smtpd_sasl_path = smtp
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = cyrus
I also now have all the authentication methods in the telnet EHLO
response. Which should not be
telnet localhost 587
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 ks359684.kimsufi.com ESMTP Postfix
EHLO localhost
250-ks359684.kimsufi.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-AUTH=NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
STARTTLS
220 2.0.0 Ready to start TLS
Which I don't understand how because the /etc/sasl2/smtpd.conf is saying:
mech_list: PLAIN LOGIN
pwcheck_method: saslauthd
I will continue to look now, need to clean something somewhere.
Thank you for the help ;)
Laurent
* Re: [gentoo-user] cyrus-sasl 2.1.23 remote server rejected your credentials
From: laurent @ 2010-04-22 13:42 UTC
To: gentoo-user
I changed back to a saved /etc/postfix/main.cf file I had.
The PLAIN LOGIN auth reappears fine, STARTTLS works
still
testsaslauthd -u user@domain.com -p password
0: NO "authentication failed"
logs:
Apr 22 14:08:48 xx saslauthd[12159]: do_auth : auth failure:
[user=user@domain.com] [service=imap] [realm=] [mech=rimap] [reason=remote
server rejected your credentials]
Apr 22 14:48:47 xx saslauthd[12161]: do_auth : auth failure:
[user=user@domain.com] [service=imap] [realm=] [mech=rimap] [reason=remote
server rejected your credentials]
so I tried with telnet and my username password base64 encoded with this:
% printf 'username\0username\0password' | openssl base64
and I got those:
telnet localhost 587
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 host.domain.com ESMTP Postfix
EHLO localhost
250-host.domain.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
STARTTLS
220 2.0.0 Ready to start TLS
AUTH PLAIN myencodedbase64string=
Connection closed by foreign host.
~ # telnet localhost 587
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 host.domain.com ESMTP Postfix
EHLO localhost
250-host.domain.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN myencodedbase64string=
535 5.7.8 Error: authentication failed: authentication failure
saslauthd is like a black box now. How could I open it?
thx
Laurent
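
Added example, not part of the original thread or of the Cyrus SASL or Postfix projects: a Python helper that builds and decodes the SASL PLAIN initial response used in the telnet test above (RFC 4616 layout: authzid NUL authcid NUL password) and parses the wrapped saslauthd "do_auth" lines into fields, so failures can be grouped by service, realm and mechanism. The function names, credentials and sample log are constructed for illustration.

```python
import base64
import re
from collections import Counter

def plain_encode(authcid, password, authzid=""):
    """Base64 SASL PLAIN initial response (RFC 4616): authzid NUL authcid NUL passwd."""
    raw = "\0".join((authzid, authcid, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def plain_decode(token):
    """Return (authzid, authcid, password); ValueError if the token is malformed."""
    parts = base64.b64decode(token, validate=True).split(b"\0")
    if len(parts) != 3 or not parts[1] or not parts[2]:
        raise ValueError("PLAIN token must be authzid NUL authcid NUL passwd")
    return tuple(p.decode("utf-8") for p in parts)

FIELD = re.compile(r"\[(\w+)=([^\]]*)\]")

def parse_saslauthd(log_text):
    """One dict per 'do_auth : auth failure' record; wrapped lines are rejoined."""
    joined = re.sub(r"\s*\n\s*", " ", log_text.strip())
    records = re.split(r"(?=saslauthd\[\d+\]: do_auth)", joined)
    return [dict(FIELD.findall(r)) for r in records if "auth failure" in r]

def summarize(records):
    """Count failures per (service, realm, mech, reason) to show which path fails."""
    keys = ("service", "realm", "mech", "reason")
    return Counter(tuple(r.get(k, "") for k in keys) for r in records)

# Constructed sample: same layout as the log lines quoted in the thread.
SAMPLE_LOG = """
Apr 22 14:08:48 xx saslauthd[12159]: do_auth : auth failure:
[user=user@domain.com] [service=imap] [realm=] [mech=rimap] [reason=remote
server rejected your credentials]
Apr 22 14:09:10 xx saslauthd[12160]: do_auth : auth failure:
[user=user@domain.com] [service=smtp] [realm=domain.com] [mech=rimap]
[reason=remote server rejected your credentials]
"""

if __name__ == "__main__":
    token = plain_encode("username", "password", authzid="username")
    print(token, plain_decode(token))
    for key, count in summarize(parse_saslauthd(SAMPLE_LOG)).items():
        print(count, key)
```

Building the token in code avoids a shell pitfall: in a `printf` format string, `\0` followed by octal digits is read as a single octal escape, so a password that starts with a digit would be encoded incorrectly.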