当我使用 Cyrus SASL 为 Postfix 做 SMTP 身份验证时,遇到 454 4.7.0 Temporary authentication failure: generic failure(临时身份验证失败:通用失败)。身份验证链是 telnet -> postfix -> sasl -> pam -> mysql。PS:我发现如果用 shadow 方法启动 saslauthd,testsaslauthd 可以成功验证 Ubuntu 系统账号登录,但改为 pam 后就失败了,那么这次身份验证失败是否由 PAM 环节导致?
1.操作系统
Ubuntu 16.04.03 Gnome
2. 软件版本
postfix-3.2.2
cyrus-sasl-2.1.26
Linux-PAM-1.3.0
mariadb-10.2.7
openldap-2.4.45
openssl-1.1.0f
dovecot-2.2.31
所有这些软件都是通过源代码编译安装的。
3.配置文件内容
vim /etc/default/saslauthd
START=yes
DESC="SASL Authentication Daemon"
NAME="saslauthd"
MECHANISMS="pam"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"
vim /etc/pam.d/smtp(注意:此文件以明文包含数据库密码,请确认其权限不允许其他本地用户读取)
auth required pam_mysql.so user=mail_admin passwd=password-for-mail_admin host=127.0.0.1 db=mail table=users usercolumn=email passwdcolumn=password crypt=1
account sufficient pam_mysql.so user=mail_admin passwd=password-for-mail_admin host=127.0.0.1 db=mail table=users usercolumn=email passwdcolumn=password crypt=1
vim /etc/postfix/sasl/smtpd.conf(注意:此文件包含明文 sql_passwd,而下文 saslfinger 输出中显示其权限为 -rw-r--r--,即任何本地用户都可读取;建议收紧为仅 root 与 postfix 可读,例如 0640 root:postfix)
pwcheck_method: saslauthd
mech_list: plain login
allow_plaintext: true
auxprop_plugin: sql
sql_engine: mysql
sql_hostnames: 127.0.0.1
sql_user: mail_admin
sql_passwd: password-for-mail_admin
sql_database: mail
sql_select: select password from users where email = '%u@%r'
vim /etc/postfix/master.cf
取消了 master.cf 中 submission 段的注释:
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=$mua_client_restrictions
-o milter_macro_daemon_name=ORIGINATING
并在文件末尾追加了下面这段(注意:下文 saslfinger 输出中该服务名被拼成了 devocot,而 main.cf 里 virtual_transport = dovecot 与 local_transport = dovecot 引用的是 dovecot,两者不一致很可能导致投递时找不到传输服务;这与 SASL 认证失败无关,但也需要修正):
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -d ${recipient}
vim /etc/postfix/main.cf
compatibility_level = 2
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
#default_privs = nobody
myhostname = localhost
mydomain = example.com
myorigin = $mydomain
inet_interfaces = all
inet_protocols = ipv4
#mynetworks_style = subnet
mynetworks = 127.0.0.0/8, 192.168.0.0/24, 192.168.3.0/24, 192.168.1.0/24,hash:/etc/postfix/access
#masquerade_domains = mail.example.com www.example.com
#masquerade_exceptions = root
mydestination = example.com, localhost, localhost.localdomain
#relay_domains = $mydestination
#relayhost = $isp.com
notify_classes=2bounce, policy, protocol, software, resource
debug_peer_level = 2
debug_peer_list = 127.0.0.1
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
html_directory = /usr/share/doc/postfix-3.2.2/html
manpage_directory = /usr/share/man
sample_directory = /etc/postfix
readme_directory = /usr/share/doc/postfix-3.2.2/readme
meta_directory = /etc/postfix
shlib_directory = no
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
#smtpd_tls_CAfile = /etc/postfix/CAcert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
allow_untrusted_routing = no
smtpd_sasl_type = cyrus
cyrus_sasl_config_path = /etc/postfix/sasl
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = example.com
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = smtpd
smtpd_sender_login_maps = mysql:/etc/postfix/mysql_sender_login_maps.cf
#smtpd_recipient_restrictions=check_sender_access hash:/etc/postfix/sender_access,permit_mynetworks,mysql:/etc/postfix/mysql_smtpd_sender_limit.cf,reject_sender_login_mismatch,eermit_sasl_authenticated,permit_auth_destination, reject
#smtpd_client_restrictions = mysql:/etc/postfix/mysql_smtpd_client_limit.cf,permit_sasl_authenticated
#smtpd_sender_restrictions = permit_mynetworks,mysql:/etc/postfix/mysql_smtpd_sender_limit.cf,reject_sender_login_mismatch,permit_sasl_authenticated,reject_unknown_sender_domain
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_exceptions_networks = !192.168.0.0/24, 192.168.1.0/24,192.168.2.0/24,192.168.3.0/24
#smtpd_restriction_classes = local_only
#local_only = check_recipient_access hash:/etc/postfix/local_domains,reject
smtpd_delay_reject=yes
disable_vrfy_command =yes
#smtpd_helo_restrictions = mysql:/etc/postfix/mysql_smtpd_client_limit.cf,mysql:/etc/postfixsmtpd_recipient_limitmysql_smtpd_helo_limit.cf
smtpd_helo_required = yes
maximal_queue_lifetime = 6h
queue_run_delay = 3600s
fallback_relay = mysql:/etc/postfix/mysql_fallbackrelay.cf
smtpd_hard_error_limit = 10
smtpd_client_connection_count_limit=200
smtp_data_done_timeout=3600
smtp_data_init_timeout=3600
smtp_data_xfer_timeout=3600
hopcount_limit = 50
always_add_missing_headers = yes
unknown_local_recipient_reject_code = 450
local_recipient_maps =
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
virtual_alias_domains =
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_mailbox_base = /home/vmail
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
home_mailbox=Maildir/
message_size_limit = 30720000
mailbox_size_limit = 62222222
bounce_size_limit = 50000
virtual_transport = dovecot
local_transport = dovecot
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
4. 日志文件与 saslfinger -s 输出
saslfinger - postfix Cyrus sasl configuration Sun Aug 27 19:12:41 CST 2017
version: 1.0.4
mode: server-side SMTP AUTH
-- basics --
Postfix: 3.2.2
System: Ubuntu 16.04.3 LTS \n \l
-- smtpd is linked to --
libsasl2.so.3 => /usr/lib/libsasl2.so.3 (0x00007f566b162000)
-- active SMTP AUTH and TLS parameters for smtpd --
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_exceptions_networks = !192.168.0.0/24, 192.168.1.0/24,192.168.2.0/24,192.168.3.0/24
smtpd_sasl_local_domain = example.com
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = cyrus
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
-- listing of /usr/lib/sasl2 --
total 3788
drwxr-xr-x 2 root root 4096 Aug 27 16:55 .
drwxr-xr-x 189 root root 20480 Aug 27 16:55 ..
-rwxr-xr-x 1 root root 684 Aug 27 16:55 libanonymous.la
-rwxr-xr-x 1 root root 73088 Aug 27 16:55 libanonymous.so
-rwxr-xr-x 1 root root 73088 Aug 27 16:55 libanonymous.so.3
-rwxr-xr-x 1 root root 73088 Aug 27 16:55 libanonymous.so.3.0.0
-rwxr-xr-x 1 root root 672 Aug 27 16:55 libcrammd5.la
-rwxr-xr-x 1 root root 84752 Aug 27 16:55 libcrammd5.so
-rwxr-xr-x 1 root root 84752 Aug 27 16:55 libcrammd5.so.3
-rwxr-xr-x 1 root root 84752 Aug 27 16:55 libcrammd5.so.3.0.0
-rwxr-xr-x 1 root root 693 Aug 27 16:55 libdigestmd5.la
-rwxr-xr-x 1 root root 218144 Aug 27 16:55 libdigestmd5.so
-rwxr-xr-x 1 root root 218144 Aug 27 16:55 libdigestmd5.so.3
-rwxr-xr-x 1 root root 218144 Aug 27 16:55 libdigestmd5.so.3.0.0
-rwxr-xr-x 1 root root 704 Aug 27 16:55 libgs2.la
-rwxr-xr-x 1 root root 130464 Aug 27 16:55 libgs2.so
-rwxr-xr-x 1 root root 130464 Aug 27 16:55 libgs2.so.3
-rwxr-xr-x 1 root root 130464 Aug 27 16:55 libgs2.so.3.0.0
-rwxr-xr-x 1 root root 734 Aug 27 16:55 libgssapiv2.la
-rwxr-xr-x 1 root root 122640 Aug 27 16:55 libgssapiv2.so
-rwxr-xr-x 1 root root 122640 Aug 27 16:55 libgssapiv2.so.3
-rwxr-xr-x 1 root root 122640 Aug 27 16:55 libgssapiv2.so.3.0.0
-rwxr-xr-x 1 root root 668 Aug 27 16:55 liblogin.la
-rwxr-xr-x 1 root root 76808 Aug 27 16:55 liblogin.so
-rwxr-xr-x 1 root root 76808 Aug 27 16:55 liblogin.so.3
-rwxr-xr-x 1 root root 76808 Aug 27 16:55 liblogin.so.3.0.0
-rwxr-xr-x 1 root root 657 Aug 27 16:55 libotp.la
-rwxr-xr-x 1 root root 205728 Aug 27 16:55 libotp.so
-rwxr-xr-x 1 root root 205728 Aug 27 16:55 libotp.so.3
-rwxr-xr-x 1 root root 205728 Aug 27 16:55 libotp.so.3.0.0
-rwxr-xr-x 1 root root 668 Aug 27 16:55 libplain.la
-rwxr-xr-x 1 root root 76296 Aug 27 16:55 libplain.so
-rwxr-xr-x 1 root root 76296 Aug 27 16:55 libplain.so.3
-rwxr-xr-x 1 root root 76296 Aug 27 16:55 libplain.so.3.0.0
-rwxr-xr-x 1 root root 669 Aug 27 16:55 libscram.la
-rwxr-xr-x 1 root root 148848 Aug 27 16:55 libscram.so
-rwxr-xr-x 1 root root 148848 Aug 27 16:55 libscram.so.3
-rwxr-xr-x 1 root root 148848 Aug 27 16:55 libscram.so.3.0.0
-rwxr-xr-x 1 root root 687 Aug 27 16:55 libsql.la
-rwxr-xr-x 1 root root 114808 Aug 27 16:55 libsql.so
-rwxr-xr-x 1 root root 114808 Aug 27 16:55 libsql.so.3
-rwxr-xr-x 1 root root 114808 Aug 27 16:55 libsql.so.3.0.0
-- listing of /etc/postfix/sasl --
total 12
drwxr-xr-x 2 root root 4096 Aug 19 15:31 .
drwxr-xr-x 4 root root 4096 Aug 27 17:26 ..
-rw-r--r-- 1 root root 257 Aug 19 15:31 smtpd.conf
-- content of /etc/postfix/sasl/smtpd.conf --
pwcheck_method: saslauthd
mech_list: plain login
allow_plaintext: true
auxprop_plugin: sql
sql_engine: mysql
sql_hostnames: 127.0.0.1
sql_user: --- replaced ---
sql_passwd: --- replaced ---
sql_database: mail
sql_select: select password from users where email = '%u@%r'
-- content of /etc/postfix/sasl/smtpd.conf --
pwcheck_method: saslauthd
mech_list: plain login
allow_plaintext: true
auxprop_plugin: sql
sql_engine: mysql
sql_hostnames: 127.0.0.1
sql_user: --- replaced ---
sql_passwd: --- replaced ---
sql_database: mail
sql_select: select password from users where email = '%u@%r'
-- active services in /etc/postfix/master.cf --
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
smtp inet n - n - - smtpd -v
submission inet n - n - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
#-o smtpd_client_restrictions=$mua_client_restrictions
#-o smtpd_helo_restrictions=$mua_helo_restrictions
#-o smtpd_sender_restrictions=$mua_sender_restrictions
-o smtpd_recipient_restrictions=
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
pickup unix n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
devocot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -d ${recipient}
-- mechanisms on localhost --
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
-- end of saslfinger output --
vim /var/log/mail.log
Aug 27 17:48:44 tiger postfix/smtpd[17580]: warning: localhost[127.0.0.1]: SASL login authentication failed: generic failure
Aug 27 17:48:44 tiger postfix/smtpd[17580]: > localhost[127.0.0.1]: 454 4.7.0 Temporary authentication failure: generic failure
telnet localhost 25(注意:下方 AUTH PLAIN 后面的 base64 字符串只是编码而非加密,可直接还原出用户名和密码;公开发帖前应先将其脱敏)
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 localhost ESMTP Postfix
ehlo localhost
250-localhost
250-PIPELINING
250-SIZE 30720000
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8
AUTH PLAIN AHRlc3QxQHhpZWRlYWNjLmNvbQBxaDYyODhRSFc=
454 4.7.0 Temporary authentication failure: generic failure
5.进程状态
mysql
ps -fe | grep mysql
root 15826 1 0 17:21 ? 00:00:00 /bin/sh /usr/local/mariadb/bin/mysqld_safe --defaults-file=/usr/local/mariadb/etc/my_3306.cnf --basedir=/usr/local/mariadb --datadir=/usr/local/mariadb/data/3306/data/dbdata_raw/data --log-error=/usr/local/mariadb/data/3306/logs/dblogs/mysqld.err --open-files-limit=65535 --pid-file=/usr/local/mariadb/data/3306/prod/mysql.pid --socket=/usr/local/mariadb/data/3306/prod/mysql.sock --port=3306 --user=mysql
mysql 16280 15826 0 17:21 ? 00:00:08 /usr/local/mariadb/bin/mysqld --defaults-file=/usr/local/mariadb/etc/my_3306.cnf --basedir=/usr/local/mariadb --datadir=/usr/local/mariadb/data/3306/data/dbdata_raw/data --plugin-dir=/usr/local/mariadb/lib/plugin --user=mysql --log-error=/usr/local/mariadb/data/3306/logs/dblogs/mysqld.err --open-files-limit=65535 --pid-file=/usr/local/mariadb/data/3306/prod/mysql.pid --socket=/usr/local/mariadb/data/3306/prod/mysql.sock --port=3306
root 19029 5101 0 19:16 pts/0 00:00:00 grep --color=auto mysql
saslauthd
ps -fe | grep sasl
root 1408 1 0 16:07 ? 00:00:00 /usr/sbin/saslauthd -a pam -c -m /var/spool/postfix/var/run/saslauthd -r -n 5
root 1438 1408 0 16:07 ? 00:00:00 /usr/sbin/saslauthd -a pam -c -m /var/spool/postfix/var/run/saslauthd -r -n 5
root 1439 1408 0 16:07 ? 00:00:00 /usr/sbin/saslauthd -a pam -c -m /var/spool/postfix/var/run/saslauthd -r -n 5
root 1440 1408 0 16:07 ? 00:00:00 /usr/sbin/saslauthd -a pam -c -m /var/spool/postfix/var/run/saslauthd -r -n 5
root 1441 1408 0 16:07 ? 00:00:00 /usr/sbin/saslauthd -a pam -c -m /var/spool/postfix/var/run/saslauthd -r -n 5
postfix
ps -fe | grep postfix
root 2255 1 0 16:07 ? 00:00:00 /usr/lib/postfix/master -w
postfix 16796 2255 0 17:26 ? 00:00:00 qmgr -l -t unix -u
postfix 17581 2255 0 17:45 ? 00:00:00 tlsmgr -l -t unix -u
postfix 18865 2255 0 18:58 ? 00:00:00 trivial-rewrite -n rewrite -t unix -u
postfix 18922 2255 0 19:07 ? 00:00:00 pickup -l -t unix -u
postfix 19034 2255 0 19:17 ? 00:00:00 cleanup -z -t unix -u
root 19043 5101 0 19:18 pts/0 00:00:00 grep --color=auto postfix
dovecot
ps -fe | grep dovecot
root 1391 1 0 16:07 ? 00:00:00 /usr/sbin/dovecot
dovecot 1392 1391 0 16:07 ? 00:00:00 dovecot/anvil
root 1393 1391 0 16:07 ? 00:00:00 dovecot/log
root 1395 1391 0 16:07 ? 00:00:00 dovecot/config
谢谢〜
答案1
我已经通过更新 libpam-mysql 修复了这个问题,因为 Ubuntu 16.04 自带的该软件包版本太旧了。(若要确认失败确实出在 PAM 环节,通常可在 /var/log/auth.log 中查看 saslauthd 与 pam_mysql 的记录。)
从 https://packages.ubuntu.com/zesty/libpam-mysql 手动下载 libpam-mysql,然后安装。
请注意,此版本尚未在 16.04 上测试,而且手动安装的外来软件包不会通过 16.04 的 apt 安全更新渠道得到维护,因此不建议用于生产环境。