Current-Users archive
postfix and sasl questions
I have been trying to set up postfix to use SASL authentication so that mail
clients on untrusted networks can route mail through my test mail-server. This
is running a very recent current (6.99.16) on i386.
There is a huge amount of information on the web about doing this, but
unfortunately it really concentrates on the postfix side of things rather
than sasl :-(
I compiled postfix from pkgsrc with the sasl option (which dragged in the
cyrus-sasl package) and edited the postfix main.cf to add:
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_application_name = smtpd
smtpd_sasl_local_domain = $myhostname
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks, check_relay_domains
I installed saslauthd and then pondered where to put the smtpd.conf file with
the lines:
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
The documentation is not very clear but /usr/pkg/lib/sasl2 seemed to be the
right place. After starting saslauthd and testing it with the testsaslauthd
command I kicked off postfix and was not surprised that a telnet to port 25
immediately cleared and the maillog showed errors:
Jan 7 18:41:26 newbase postfix/smtpd[23145]: connect from unknown[192.168.0.100]
Jan 7 18:41:26 newbase postfix/smtpd[23145]: warning: SASL authentication failure: Internal Error -4 in server.c near line 1757
Jan 7 18:41:26 newbase syslogd[179]: last message repeated 2 times
Jan 7 18:41:26 newbase postfix/smtpd[23145]: warning: xsasl_cyrus_server_get_mechanism_list: no mechanism available
Jan 7 18:41:26 newbase postfix/smtpd[23145]: fatal: no SASL authentication mechanisms
Jan 7 18:41:27 newbase postfix/master[1174]: warning: process /usr/pkg/libexec/postfix/smtpd pid 23145 exit status 1
On a whim I added the cy2-login package and noticed things started to work -
EHLO reported AUTH LOGIN and the mechanism errors disappeared.
The smtpd.conf file appeared to be being ignored and so was deleted.
I added the cy2-crammd5 and cy2-digestmd5 packages and these appeared on the
AUTH options displayed by EHLO. I got rid of the saslauthd package as it
wasn't needed. I'll probably stick with this config as I can use the more
secure cram-md5 authentication, but I have a few questions:
1) I am guessing if I found the right place to stow the smtpd.conf file then
saslauthd would have worked. Where should it have been placed? How is
postfix finding out how to interact with sasl without it?
2) The version of postfix in pkgsrc is 2.8.13 - i.e. it is back release compared
to the base version (2.9.5) in current. It would be nice if the base
postfix could have the sasl option compiled in by default. There is an old
PR (bin/37162) about this. It looks like libsasl is now in the base, and
has a documentation PR (bin/47027) against it. Could postfix use this
library? I appreciate that other sasl components from pkgsrc would be
needed to get authentication to work...
Cheers,
Dave
--
=====================================================================
Phone: 07805784357
Open Source O/S: http://www.netbsd.org
Caving: http://www.wirralcavinggroup.org.uk
=====================================================================
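
An added example, not part of the original post: a small Python check of the AUTH mechanisms a server advertises in its EHLO reply, relevant here because the clients sit on untrusted networks and LOGIN (like PLAIN) carries the password only base64-encoded, while CRAM-MD5 and DIGEST-MD5 use challenge-response. The sample reply, the function names and the `tls_active` flag are constructed for illustration; the parser also accepts the legacy `AUTH=` line that `broken_sasl_auth_clients = yes` adds.

```python
# Constructed EHLO reply (not from the original post): what a Postfix smtpd
# with broken_sasl_auth_clients = yes and the LOGIN, CRAM-MD5 and DIGEST-MD5
# plugins might send. The hostname is the one seen in the maillog lines.
SAMPLE_EHLO = """\
250-newbase
250-PIPELINING
250-SIZE 10240000
250-AUTH LOGIN CRAM-MD5 DIGEST-MD5
250-AUTH=LOGIN CRAM-MD5 DIGEST-MD5
250-ENHANCEDSTATUSCODES
250 8BITMIME
"""

# Mechanisms that put the password on the wire base64-encoded, not hashed.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_ehlo(reply):
    """Return (keywords, auth_mechs) from a multi-line 250 EHLO reply."""
    keywords, mechs = set(), set()
    for i, line in enumerate(reply.strip().splitlines()):
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            raise ValueError(f"not a 250 reply line: {line!r}")
        text = line[4:].strip()
        if i == 0 or not text:
            continue  # first line is the server greeting/hostname
        # "AUTH=..." is the legacy form enabled by broken_sasl_auth_clients.
        if text.upper().startswith("AUTH="):
            word, params = "AUTH", text[5:].split()
        else:
            word, *params = text.split()
        keywords.add(word.upper())
        if word.upper() == "AUTH":
            mechs.update(p.upper() for p in params)
    return keywords, mechs


def audit(reply, tls_active=False):
    """List findings for the AUTH mechanisms offered on this connection."""
    keywords, mechs = parse_ehlo(reply)
    findings = []
    if not mechs:
        findings.append("no AUTH mechanisms advertised")
    exposed = sorted(mechs & PLAINTEXT_MECHS)
    if exposed and not tls_active:
        hint = "STARTTLS offered but not yet used" if "STARTTLS" in keywords else "STARTTLS not offered"
        findings.append(f"cleartext-equivalent {', '.join(exposed)} offered without TLS ({hint})")
    return findings
```
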