Трабла postfix+sasl и авторизация по smtp
Итак, версия postfix 2.2.11
sasl cyrus-sasl-2.1.22
sasl собран
./configure --enable-login
postfix собран с поддержкой sasl
Исходные данные
su-2.05b# ldd /usr/sbin/postfix
/usr/sbin/postfix:
libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x28072000)
libc.so.4 => /usr/lib/libc.so.4 (0x28087000)
su-2.05b#
файл БД
su-2.05b# l /etc/sasldb2.db
-rw-rw-r-- 1 root postfix 16384 22 ноя 23:41 /etc/sasldb2.db
su-2.05b#less /usr/lib/sasl2/smtpd.conf
# This sets smtpd to authenticate using the saslauthd daemon.
pwcheck_method: saslauthd
#pwcheck_method: auxprop
# This allows only plain, login, cram-md5 and digest-md5 as the authentication mechanisms.
mech_list: plain login cram-md5 digest-md5
less /etc/postfix/mail.cf
command_directory = /usr/local/sbin
daemon_directory = /usr/local/libexec/postfix
mail_owner = postfix
default_privs = nobody
myhostname = mail.wad.spb.ru
mydomain = wad.spb.ru
mynetworks = 192.168.1.0/24, 127.0.0.0/8
relayhost = smtp.rol.ru
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, $mydomain, /etc/postfix/mydestination, mail.wad.spb.ru
default_transport = smtp
alias_database = hash:/etc/aliases
mailbox_command = /usr/local/bin/procmail
enable_sasl_authentication = yes
smtpd_sasl_auth_enable = yes
smtpd_helo_required = yes
smtpd_sasl_local_domain = $myhostname
smtp_sasl_security_options = noanonymous
#smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
broken_sasl_auth_clients = yes
smtpd_etrn_restrictions = permit_mynetworks,reject
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, reject_non_fqdn_hostname, reject_unknown_hostname
header_checks = regexp:/etc/postfix/header_checks
body_checks = regexp:/etc/postfix/body_checks
#home_mailbox = Maildir/
smtpd_banner = $myhostname ESMTP READY! NOT FOR CRACKERS CONNECT!
disable_vrfy_command = yes
smtpd_client_restrictions = permit_sasl_authenticated, reject_unknown_client, reject_rbl_client, permit_mynetworks, regexp:/etc/postfix/brj_checks,
reject_rbl_client blackholes.mail-abuse.org,
reject_rbl_client dialups.mail-abuse.org,
reject_rbl_client relays.ordb.org,
reject_rbl_client dul.ru,
reject_rbl_client opm.blitzed.org,
reject_rbl_client list.dsbl.org,
reject_rbl_client sbl.spamhaus.org,
reject_rbl_client cbl.abuseat.org,
reject_rbl_client dul.dnsbl.sorbs.net,
reject_rbl_client dnsbl.njabl.org,
reject_rbl_client dynablock.njabl.org,
reject_rbl_client combined.njabl.org,
permit_mynetworks,
reject_unknown_client,
permit
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain, reject_unknown_address, reject_non_fqdn_sender, reject_invalid_hostname, check_sender_access hash:/etc/postfix/sender_access, warn_if_reject, reject_unverified_sender
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, permit_auth_destination, reject_unauth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain, check_relay_domains, reject_unknown_client, reject_unknown_recipient_domain, reject_unverified_recipient, reject_maps_rbl
smtpd_data_restrictions = reject_unauth_pipelining
strict_rfc821_envelopes = yes
maps_rbl_client = relays.ordb.org, rbl.ukr.net, bl.spamcop.net, sbl.spamhaus.org, spam.dnsrbl.net, dun.dnsrbl.net
maps_rbl_reject_code = 550
in_flow_delay = 1s
bounce_queue_lifetime = 2h
#maximal_queue_lifetime = 5h
content_filter = scan:127.0.0.1:10025
receive_override_options = no_address_mappings
local_destination_concurrency_limit = 2
default_destination_concurrency_limit = 5
debug_peer_level = 2
debugger_command =
PATH=/usr/bin:/usr/X11R6/bin
xxgdb $daemon_directory/$process_name $process_id & sleep 5
readme_directory = no
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
manpage_directory = /usr/local/man
newaliases_path = /usr/local/bin/newaliases
mailq_path = /usr/local/bin/mailq
queue_directory = /var/spool/postfix
unknown_local_recipient_reject_code = 450
virtual_alias_maps = hash:/etc/postfix/virtual
html_directory = no
далее......
su-2.05b# ps ax|grep sasl
90866 ?? Is 0:00,01 /usr/local/sbin/saslauthd -a pam
90867 ?? I 0:00,00 /usr/local/sbin/saslauthd -a pam
90868 ?? I 0:00,00 /usr/local/sbin/saslauthd -a pam
90869 ?? I 0:00,00 /usr/local/sbin/saslauthd -a pam
90870 ?? I 0:00,00 /usr/local/sbin/saslauthd -a pam
91059 p1 S+ 0:00,01 grep sasl
su-2.05b#
пользователь wadim@wad.spb.ru добавлен
su-2.05b# saslpasswd2 -c -u wad.spb.ru -a smtpd wadim
Password:
Again (for verification):
su-2.05b#
после чего при попытке отправить письмо
Nov 22 23:58:41 wad postfix/smtpd[91240]: connect from monkey.valuehost.ru[217.112.34.254]
Nov 22 23:58:41 wad postfix/smtpd[91240]: warning: SASL authentication failure: cannot connect to saslauthd server: Permission denied
Nov 22 23:58:41 wad postfix/smtpd[91240]: warning: SASL authentication failure: Password verification failed
Nov 22 23:58:41 wad postfix/smtpd[91240]: warning: monkey.valuehost.ru[217.112.34.254]: SASL PLAIN authentication failed
Nov 22 23:58:41 wad postfix/smtpd[91240]: lost connection after AUTH from monkey.valuehost.ru[217.112.34.254]
Nov 22 23:58:41 wad postfix/smtpd[91240]: disconnect from monkey.valuehost.ru[217.112.34.254]
настройки проги
учётное имя wadim@wad.spb.ru
pass такой же как и тут
su-2.05b# saslpasswd2 -c -u wad.spb.ru -a smtpd wadim
Password:
Again (for verification):
У кого какие мысли? Какого хрена не работает?
Debian?
http://lists.debian.org/debian-user/2005/07/msg01010.html
>Debian?
>
>http://lists.debian.org/debian-user/2005/07/msg01010.html
FreeBSD 4.11
А постфикс не в chroot?
Можешь еще попробовать testsaslauthd.
>А постфикс не в chroot?
Нет
>Можешь еще поробовать testsaslauthd.
0: NO "authentication failed"
>>А постфикс не в chroot?
>Нет
>>Можешь еще поробовать testsaslauthd.
>
>
>0: NO "authentication failed"
pwcheck_method: auxprop
>>>А постфикс не в chroot?
>>Нет
>>>Можешь еще поробовать testsaslauthd.
>>
>>
>>0: NO "authentication failed"
>
>
>pwcheck_method: auxprop
Тоже самое
Попробуй chmod на сокет демона SASL
>Попробуй сhmod на сокет даемона SASL
А поточнее?
>>Попробуй сhmod на сокет даемона SASL
>
>
>А поточнее?
ап
su-2.05b# ps ax|grep sasl
990 ?? Ss 0:00,00 /usr/local/sbin/saslauthd -a pam
991 ?? S 0:00,00 /usr/local/sbin/saslauthd -a pam
992 ?? S 0:00,00 /usr/local/sbin/saslauthd -a pam
993 ?? S 0:00,00 /usr/local/sbin/saslauthd -a pam
994 ?? S 0:00,00 /usr/local/sbin/saslauthd -a pam
997 p1 R+ 0:00,00 grep sasl (bash)
su-2.05b#
Nov 23 23:12:37 wad postfix/smtpd[998]: connect from monkey.valuehost.ru[217.112.34.254]
Nov 23 23:12:38 wad postfix/smtpd[998]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
Nov 23 23:12:38 wad postfix/smtpd[998]: warning: SASL authentication failure: Password verification failed
Nov 23 23:12:38 wad postfix/smtpd[998]: warning: monkey.valuehost.ru[217.112.34.254]: SASL PLAIN authentication failed
Nov 23 23:12:38 wad postfix/smtpd[998]: lost connection after AUTH from monkey.valuehost.ru[217.112.34.254]
Nov 23 23:12:38 wad postfix/smtpd[998]: disconnect from monkey.valuehost.ru[217.112.34.254]
>>>Попробуй сhmod на сокет даемона SASL
>>
>>
>>А поточнее?
>
>ап
>
>su-2.05b# ps ax|grep sasl
> 990 ?? Ss 0:00,00
>/usr/local/sbin/saslauthd -a pam
> 991 ?? S
>0:00,00 /usr/local/sbin/saslauthd -a pam
> 992 ?? S
>0:00,00 /usr/local/sbin/saslauthd -a pam
> 993 ?? S
>0:00,00 /usr/local/sbin/saslauthd -a pam
> 994 ?? S
>0:00,00 /usr/local/sbin/saslauthd -a pam
> 997 p1 R+ 0:00,00
>grep sasl (bash)
>su-2.05b#
>
>ov 23 23:12:37 wad postfix/smtpd[998]: connect from monkey.valuehost.ru[217.112.34.254]
>Nov 23 23:12:38 wad postfix/smtpd[998]: warning: SASL authentication failure: cannot connect to
>saslauthd server: No such file or directory
>Nov 23 23:12:38 wad postfix/smtpd[998]: warning: SASL authentication failure: Password verification failed
>
>Nov 23 23:12:38 wad postfix/smtpd[998]: warning: monkey.valuehost.ru[217.112.34.254]: SASL PLAIN authentication failed
>Nov 23 23:12:38 wad postfix/smtpd[998]: lost connection after AUTH from monkey.valuehost.ru[217.112.34.254]
>Nov 23 23:12:38 wad postfix/smtpd[998]: disconnect from monkey.valuehost.ru[217.112.34.254]
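>
1. Если у вас в процессах болтается "/usr/local/sbin/saslauthd -a pam",
то зачем вы приводили права на /etc/sasldb2?
С "-a pam" saslauthd проверяет пароль через PAM, а не по sasldb2, так что запись, созданная saslpasswd2, при этом не используется.
Должен болтаться /usr/local/sbin/saslauthd -a sasldb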
Для вашего случая впишите в /etc/rc.conf строки:
saslauthd_enable="YES" # Это у вас уже есть наверняка
saslauthd_flags="-a sasldb" # А вот это нужно добавить.
и сделайте /usr/local/etc/rc.d/saslauthd.sh restart
Должно всё взлететь.
2. В FreeBSD из портов база sasldb2 собирается, насколько я помню, в /usr/local/etc/sasldb2
Ну да впрочем saslpasswd2 сам знает, куда класть.
smtpd.conf
saslauthd_path: /var/run/saslauthd/mux
Ну и права можешь попробовать поменять.
Да, покажи еще pam.conf если есть.