Postfix - SASL Cyrus saslauthd authentication failure

Goal: configure smtpd to authenticate connections using postfix, cyrus, saslauthd, pam and mysql.

Investigation

Authentication via courier-pop3 and courier-imap using mysql

saslauthd appears to be working: testsaslauthd -u "me@examplecom" -p "password" -r "example.com" -s smtp returns 0: OK "Success."

In the cases above, the queries appear in mysql.log:

758 Connect postfix@localhost on postfix
758 Init DB postfix
758 Query   SELECT password FROM mailbox WHERE username = '[email protected]'
758 Query   SELECT password FROM mailbox WHERE username = '[email protected]'
758 Quit    
759 Connect postfix@localhost on postfix
759 Init DB postfix
759 Query   SELECT 0, password FROM mailbox WHERE username = '[email protected]'
759 Quit    

However, when I try to authenticate via smtp, mysql.log contains no query at all, which makes me suspect an error in the SASL configuration.

I tried pwcheck_method auxprop and authdaemond, without success.

Log file

This is extracted from mail.log with debugging turned on. The username and password match the expected values. I could not find any further detail on why the authentication failed.

postfix/smtpd[26153]: connect from client.example.com[10.0.0.1]
postfix/smtpd[26153]: smtp_stream_setup: maxtime=300 enable_deadline=0
postfix/smtpd[26153]: match_hostname: client.example.com ~? all
postfix/smtpd[26153]: match_hostaddr: 10.0.0.1 ~? all
postfix/smtpd[26153]: match_list_match: client.example.com: no match
postfix/smtpd[26153]: match_list_match: 10.0.0.1: no match
postfix/smtpd[26153]: send attr request = connect
postfix/smtpd[26153]: send attr ident = smtp:10.0.0.1
postfix/smtpd[26153]: private/anvil: wanted attribute: status
postfix/smtpd[26153]: input attribute name: status
postfix/smtpd[26153]: input attribute value: 0
postfix/smtpd[26153]: private/anvil: wanted attribute: count
postfix/smtpd[26153]: input attribute name: count
postfix/smtpd[26153]: input attribute value: 1
postfix/smtpd[26153]: private/anvil: wanted attribute: rate
postfix/smtpd[26153]: input attribute name: rate
postfix/smtpd[26153]: input attribute value: 1
postfix/smtpd[26153]: private/anvil: wanted attribute: (list terminator)
postfix/smtpd[26153]: input attribute name: (end)
postfix/smtpd[26153]: > client.example.com[10.0.0.1]: 220 server.example.com ESMTP Postfix (Ubuntu)
postfix/smtpd[26153]: xsasl_cyrus_server_create: SASL service=smtp, realm=(null)
postfix/smtpd[26153]: name_mask: noanonymous
postfix/smtpd[26153]: watchdog_pat: 0x7f93f9fd1a20
postfix/smtpd[26153]: < client.example.com[10.0.0.1]: ehlo client.example.com
postfix/smtpd[26153]: match_list_match: client.example.com: no match
postfix/smtpd[26153]: match_list_match: 10.0.0.1: no match
postfix/smtpd[26153]: > client.example.com[10.0.0.1]: 250-server.example.com
postfix/smtpd[26153]: > client.example.com[10.0.0.1]: 250-PIPELINING
postfix/smtpd[26153]: > client.example.com[10.0.0.1]: 250-SIZE 40960000
postfix/smtpd[26153]: > client.example.com[10.0.0.1]: 250-VRFY
postfix/smtpd[26153]: > client.example.com[10.0.0.1]: 250-ETRN
postfix/smtpd[26153]: > client.example.com[10.0.0.1]: 250-STARTTLS
postfix/smtpd[26153]: > client.example.com[10.0.0.1]: 250-AUTH DIGEST-MD5 CRAM-MD5 NTLM PLAIN LOGIN
postfix/smtpd[26153]: > client.example.com[10.0.0.1]: 250-AUTH=DIGEST-MD5 CRAM-MD5 NTLM PLAIN LOGIN
postfix/smtpd[26153]: > client.example.com[10.0.0.1]: 250-ENHANCEDSTATUSCODES
postfix/smtpd[26153]: > client.example.com[10.0.0.1]: 250-8BITMIME
postfix/smtpd[26153]: > client.example.com[10.0.0.1]: 250 DSN
postfix/smtpd[26153]: watchdog_pat: 0x7f93f9fd1a20
postfix/smtpd[26153]: < client.example.com[10.0.0.1]: auth login
postfix/smtpd[26153]: xsasl_cyrus_server_first: sasl_method login
postfix/smtpd[26153]: xsasl_cyrus_server_auth_response: uncoded server challenge: Username:
postfix/smtpd[26153]: > client.example.com[10.0.0.1]: 334 VXNlcm5hbWU6
postfix/smtpd[26153]: < client.example.com[10.0.0.1]: md5encoded
postfix/smtpd[26153]: xsasl_cyrus_server_next: decoded response: [email protected]
postfix/smtpd[26153]: xsasl_cyrus_server_auth_response: uncoded server challenge: Password:
postfix/smtpd[26153]: > client.example.com[10.0.0.1]: 334 UGFzc3dvcmQ6
postfix/smtpd[26153]: < client.example.com[10.0.0.1]: md5encoded
postfix/smtpd[26153]: xsasl_cyrus_server_next: decoded response: password
postfix/smtpd[26153]: warning: client.example.com[10.0.0.1]: SASL login authentication failed: authentication failure
postfix/smtpd[26153]: > client.example.com[10.0.0.1]: 535 5.7.8 Error: authentication failed: authentication failure
postfix/smtpd[26153]: watchdog_pat: 0x7f93f9fd1a20

saslfinger

saslfinger - postfix Cyrus sasl configuration
version: 1.0.4
mode: server-side SMTP AUTH

-- basics --
Postfix: 2.9.6
System: Ubuntu 12.04.5 LTS \n \l

-- smtpd is linked to --
    libsasl2.so.2 => /usr/lib/x86_64-linux-gnu/libsasl2.so.2 (0x00007f0f4de7f000)

-- active SMTP AUTH and TLS parameters for smtpd --
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain =
smtpd_sasl_path = /etc/postfix/sasl:/usr/lib/sasl2
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = cyrus
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = no
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes


-- listing of /usr/lib/sasl2 --
total 28
drwxr-xr-x  2 root root  4096 Jan  9 23:05 .
drwxr-xr-x 60 root root 12288 Jan  8 17:05 ..
-rw-r--r--  1 root root     4 Jan  8 18:33 berkeley_db.active
-rw-r--r--  1 root root     4 Jan 28  2020 berkeley_db.txt
-rw-r--r--  1 root root    63 Jan 10 22:42 smtpd.conf

-- listing of /etc/postfix/sasl --
total 16
drwxr-xr-x 2 root root 4096 Jan 10 22:42 .
drwxr-xr-x 3 root root 4096 Jan 10 18:56 ..
-rw-r--r-- 1 root root   63 Jan 10 22:42 smtpd.conf
-rw-r--r-- 1 root root  493 Jan 10 16:19 smtpd.conf~




-- content of /usr/lib/sasl2/smtpd.conf --
pwcheck_method: saslauthd
log_level: 7
mech_list: plain login


-- content of /etc/postfix/sasl/smtpd.conf --
pwcheck_method: saslauthd
log_level: 7
mech_list: plain login


-- content of /etc/postfix/sasl/smtpd.conf --
pwcheck_method: saslauthd
log_level: 7
mech_list: plain login



-- active services in /etc/postfix/master.cf --
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
smtp      inet  n       -       n       -       -       smtpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -   n   n   -   2   pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

-- mechanisms on localhost --
250-AUTH DIGEST-MD5 CRAM-MD5 NTLM PLAIN LOGIN
250-AUTH=DIGEST-MD5 CRAM-MD5 NTLM PLAIN LOGIN


-- end of saslfinger output --

Question

I would appreciate suggestions on how to find more debugging information.

Answer 1

The main problem was a wrong value of smtpd_sasl_path in /etc/postfix/main.cf; I had this line:

smtpd_sasl_path = /etc/postfix/sasl:/usr/lib/sasl2

smtpd_sasl_path = smtpd

For more details see @weynhamz's answer to "Postfix smtpd_sasl_path not working".

The second problem was that the domain name was not being passed to pam_mysql.

Thanks to @Mehran's answer to "postfix omits domain name", I found the solution.

Add -r to OPTIONS in /etc/default/saslauthd to include the domain name.

Debugging notes

  • In /etc/pam.d/smtp, I added debug sqllog=1 verbose=1 to show additional information in auth.log
  • In /etc/postfix/main.cf, I added smtpd_tls_loglevel = 1 and debug_peer_list = 10.0.0.1
  • In /etc/postfix/sasl/smtpd.conf, I added log_level: 7 (the default is 1 = error). The entries show up as saslauthd in auth.log
  • In /etc/mysql/my.cnf, I changed general_log = 1 (from 0)
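The two misconfigurations the answer identifies can be checked mechanically. The script below is an added example, not code from the question or the answer; it runs against constructed sample config text (main.cf and /etc/default/saslauthd) embedded in the script rather than the real files, and the check names and thresholds are my own.

```shell
#!/bin/sh
# Added example: flag the two problems from the answer. Sample inputs below are
# constructed; replace them with "postconf smtpd_sasl_path" and the real
# /etc/default/saslauthd when running this on a host.

# Constructed sample: main.cf with the wrong smtpd_sasl_path from the question.
SAMPLE_MAIN_CF='smtpd_sasl_auth_enable = yes
smtpd_sasl_path = /etc/postfix/sasl:/usr/lib/sasl2
smtpd_sasl_type = cyrus'

# Constructed sample: /etc/default/saslauthd whose OPTIONS lacks -r, so saslauthd
# hands PAM the bare login "me" and pam_mysql never matches "me@example.com".
SAMPLE_SASLAUTHD_DEFAULT='START=yes
MECHANISMS="pam"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"'

# check_sasl_path MAIN_CF_TEXT  -> prints "ok" or "bad"
# With smtpd_sasl_type = cyrus, smtpd_sasl_path is the Cyrus SASL config *name*
# (smtpd -> smtpd.conf), not a directory list; a path makes Cyrus fall back to
# its built-in defaults, so mech_list and pwcheck_method are silently ignored.
check_sasl_path() {
    value=$(printf '%s\n' "$1" | sed -n 's/^smtpd_sasl_path[[:space:]]*=[[:space:]]*//p')
    case "$value" in
        */*|*:*) echo "bad" ;;   # looks like a path or a path list
        *)       echo "ok" ;;    # empty (default "smtpd") or a plain name
    esac
}

# check_saslauthd_realm SASLAUTHD_DEFAULT_TEXT -> prints "ok" or "bad"
# -r makes saslauthd append "@realm" to the login before calling PAM, which is
# what pam_mysql needs to look up "user@domain" in the mailbox table.
check_saslauthd_realm() {
    opts=$(printf '%s\n' "$1" | sed -n 's/^OPTIONS="\(.*\)"$/\1/p')
    case " $opts " in
        *" -r "*) echo "ok" ;;
        *)        echo "bad" ;;
    esac
}

echo "smtpd_sasl_path:      $(check_sasl_path "$SAMPLE_MAIN_CF")"
echo "saslauthd realm (-r): $(check_saslauthd_realm "$SAMPLE_SASLAUTHD_DEFAULT")"
```

A quick telltale that smtpd.conf is not being read at all is visible in the mail.log above: the EHLO response advertises DIGEST-MD5, CRAM-MD5 and NTLM even though mech_list says plain login.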
