Cyrus sasl 错误 — Debian 9 上的“0：无身份验证失败”

答案是我错过了 x64 上的一步。

Kolab 卸载删除了我的

/etc/default/saslauthd 

文件，我必须从 Raspberry Pi 上传该文件的一个新副本。

如果你看到类似这样的内容：

root@example:/var/run/saslauthd# ps -deaf | grep sasl
root      1559     1  0 Oct05 ?        00:00:00 /usr/sbin/saslauthd -a pam -c -m /var/run/saslauthd -n 5
root      1560  1559  0 Oct05 ?        00:00:00 /usr/sbin/saslauthd -a pam -c -m /var/run/saslauthd -n 5
root      1561  1559  0 Oct05 ?        00:00:00 /usr/sbin/saslauthd -a pam -c -m /var/run/saslauthd -n 5
root      1562  1559  0 Oct05 ?        00:00:00 /usr/sbin/saslauthd -a pam -c -m /var/run/saslauthd -n 5
root      1563  1559  0 Oct05 ?        00:00:00 /usr/sbin/saslauthd -a pam -c -m /var/run/saslauthd -n 5
root     21671 21496  0 00:56 pts/1    00:00:00 grep sasl

注意-帕姆， 它应该是-a 数据库。 /etc/default/saslauthd 文件中的 MECHANISMS="sasldb" 修复了这个问题。我阅读了说明，但在尝试修复损坏的 Kolab 卸载造成的损害后，没有仔细遵循说明。

[编辑 07/10/2018 01:56] 当您进入下一阶段时，请提供以下附加信息：

我已经更新了页面https://github.com/Exim/exim/wiki/AuthenticatedSmtpUsingSaslauthd添加“realm”参数

server_condition = ${if saslauthd{{${local_part:$auth1}}{$auth2}{}{${domain:$auth1}}}{1}{0}}

因为查看了 expand.c 中 exim 的源代码。这仅在源代码中记录：

对于使用 /etc/default/saslauthd:MECHANISMS="sasldb" 的虚拟邮箱托管，使用 LOGIN 身份验证器，您的登录名格式为[电子邮件保护]，您需要提取域部分并将其作为“realm”参数传入，如下所示：

// From the source code comment in expand.c
${if saslauthd {{username}{password}{service}{realm}}  {yes}{no}}

您可以使用 cyrus 在服务器 shell 上测试用户名和密码，例如

testsaslauthd -u username -r example.com -p secret

它不适用于

testsaslauthd -u [email protected] -p secret

我现在遇到的问题是邮件卡在 exim 中，而 lmtp 无法工作。

如果你已经做到这一步，使用 OpenSSL 你应该能够得到类似这样的结果，来验证它：

root@raspberrypi:/usr/local/src/exim-4.91/src# openssl s_client -starttls smtp -crlf -connect mx.yourbigserver.co.uk:25
CONNECTED(00000003)
depth=0 C = GB, ST = Somewhere, L = Else, O = yourbigserver.co.uk, CN = Your Name, emailAddress = [email protected]
verify error:num=18:self signed certificate
verify return:1
depth=0 C = GB, ST = Somewhere, L = Else, O = yourbigserver.co.uk, CN = Your Name, emailAddress = [email protected]
verify return:1
---
Certificate chain
 0 s:/C=GB/ST=Somewhere/L=Else/O=yourbigserver.co.uk/CN=Your Name/[email protected]
   i:/C=GB/ST=Somewhere/L=Else/O=yourbigserver.co.uk/CN=Your Name/[email protected]
---
Server certificate
-----BEGIN CERTIFICATE-----
MIID
<snip/>
==
-----END CERTIFICATE-----
subject=/C=GB/ST=Somewhere/L=Else/O=yourbigserver.co.uk/CN=Your Name/[email protected]
issuer=/C=GB/ST=Somewhere/L=Else/O=yourbigserver.co.uk/CN=Your Name/[email protected]
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1776 bytes and written 302 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: xxxxxxxxxxxxxxxxxxxx
    Session-ID-ctx: 
    Master-Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1538862964
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: yes
---
250 HELP
EHLO test.com
250-myserver.myprovider.net Hello me.my.example.com [8.8.8.8]
250-SIZE 36700160
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-CHUNKING
250-PRDR
250 HELP
AUTH LOGIN
334 VXNlcm5hbWU6
dXNlcm5hbWVAZXhhbXBsZS5jb20=
334 UGFzc3dvcmQ6
c2VjcmV0
235 Authentication succeeded
mail from:[email protected]
250 OK
rcpt to:[email protected]
250 Accepted
DATA
354 Enter message, ending with "." on a line by itself
Hello 2!
.
250 OK id=1g8uZF-00027o-TS
quit
221 myserver.myprovider.net closing connection
closed
root@raspberrypi:/usr/local/src/exim-4.91/src# 

OpenSSL 有一个大问题，如果你输入大写字母 R，它就会进入重新协商序列，这就是为什么上例中的“mail from:”和“rcpt to:”都是小写的。

[编辑 07/10/2018 15:42] 让这一切正常运转的最后部分如下：

让 Exim LMTP 到 Cyrus 正常运行

现在它就像梦一样运行。