I am upgrading various Debian 6 servers to Debian 7. There are a few minor problems, but this one is the most serious.
On Debian, Postfix runs in a chrooted environment. That environment is set up correctly (it worked fine on Debian 6).
I only use software from the stable Debian repositories.
Relevant (partial, anonymized) configuration:
In /etc/default/saslauthd:
START=yes
DESC="SASL Authentication Daemon"
NAME="saslauthd"
MECHANISMS="ldap"
MECH_OPTIONS=""
THREADS=5
PARAMS=" -m /var/spool/postfix/run/saslauthd -O /etc/saslauthd.conf"
OPTIONS=" -m /var/spool/postfix/run/saslauthd -O /etc/saslauthd.conf"
PIDFILE="/var/spool/postfix/run/saslauthd/saslauthd.pid"
In /etc/saslauthd.conf:
# With multiple servers, separate URIs with a space
ldap_servers: ldaps://my.ldap.server
# Don't use SASL to connect to LDAP!! (Use SSL)
#ldap_version: 3
ldap_use_sasl: no
ldap_bind_dn: uid=courier,ou=roles,dc=mydomain,dc=tld
#watch out for trailing whitespace after the password!
ldap_bind_pw: #######
ldap_timeout: 10
ldap_time_limit: 10
ldap_scope: sub
ldap_search_base: ou=people,dc=mydomain,dc=tld
ldap_auth_method: bind
ldap_filter: (mail=%u)
#ldap_filter: (mail=%u@%r)
ldap_debug: 1
ldap_verbose: off
ldap_referrals: yes
# Settings below are needed for ldaps URIs
ldap_ssl: yes
ldap_start_tls: no
ldap_tls_cacert_file: /etc/ssl/certs/allcacerts.pem
ldap_tls_cert: /etc/ssl/certs/myserver.mydomain.tld.crt
ldap_tls_key: /etc/ssl/private/myserver.mydomain.tld.key
In /etc/postfix/sasl/smtpd.conf:
#global parameters
log_level: 5
# WARNING !!! POSTFIX runs in a chrooted jail!!
# Need to adjust paths to get the socket available!
# adjust this in /etc/defaults/saslauthd
# eg: PARAMS=/var/spool/postfix/run/saslauthd/
# real saslauthd_path: /var/spool/postfix/run/saslauthd/mux
pwcheck_method: saslauthd
saslauthd_path: /run/saslauthd/mux
mech_list: PLAIN LOGIN
auxprop_plugin: ldapdb
#allow_plaintext: true
#the database used is /var/spool/postfix/etc/sasldb2
In /etc/postfix/main.cf:
#sasl configuration
smtpd_sasl_auth_enable = yes
smtpd_sasl_path= smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
#broken_sasl_auth_clients = yes
# TLS configuration
smtpd_use_tls = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_key_file = /etc/ssl/private/myserver.mydomain.tld.key
#smtpd_tls_cert_file = /etc/ssl/certs/myserver.mydomain.tld.crt
smtpd_tls_cert_file = /etc/ssl/certs/myserver.mydomain.tld.pem
tls_random_source = dev:/dev/urandom
# CAfile is read BEFORE entering chroot jail
smtpd_tls_CAfile = /etc/ssl/certs/allcacerts.pem
# CApath is used withIN chroot jail
#smtpd_tls_CApath = /usr/share/ssl/certs/
Cyrus SASL has its socket at /var/spool/postfix/run/saslauthd/mux
What I tested:
testsaslauthd -s smtpd -f /var/spool/postfix/run/saslauthd/mux -u [email protected] -p PASSWD
给出:0: OK "Success."
FYI: with wrong credentials it fails :)
From these results I conclude that SASL is working correctly.
When I test ESMTP AUTH with "swaks":
swaks -s myserver.mydomain.tld -p 25 -ehlo myclient.mydomain.tld -au [email protected] -ap PASSWD -t [email protected] -f [email protected]
=== Trying myserver.mydomain.tld:25...
=== Connected to myserver.mydomain.tld.
<- 220 ***********************
-> EHLO myclient.mydomain.tld
<- 250-myserver.mydomain.tld
<- 250-PIPELINING
<- 250-SIZE 15360000
<- 250-VRFY
<- 250-ETRN
<- 250-XXXXXXXA
<- 250-AUTH PLAIN LOGIN
<- 250-ENHANCEDSTATUSCODES
<- 250-8BITMIME
<- 250 DSN
-> AUTH LOGIN
<- 334 VXNlcmgfhgWU6
-> bWFyY2hgh28ubmw=
<- 334 UGFzfghdfmQ6
-> bWFyUzYdfghgfhg==
<** 535 5.7.8 Error: authentication failed: no mechanism available
-> AUTH PLAIN AG1hcmdfhgdfgd1hclM2NW9ndCo=
<** 535 5.7.8 Error: authentication failed: no mechanism available
*** No authentication type succeeded
-> QUIT
<- 221 2.0.0 Bye
=== Connection closed with remote host.
And in the logs:
postfix/smtpd[5646]:auxpropfunc error invalid parameter supplied
postfix/smtpd[5646]:_sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
postfix/smtpd[5646]:anonuserfunc error -7
postfix/smtpd[5646]:_sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
postfix/smtpd[5646]:warning: unknown[192.168.114.69]: SASL LOGIN authentication failed: no mechanism available
postfix/smtpd[5646]:warning: unknown[192.168.114.69]: SASL PLAIN authentication failed: no mechanism available
(The IP is that of the client machine.)
The postfix user is a member of the sasl group.
I know Debian changed the library directory layout by inserting the multiarch triplet.
Previously: /usr/lib/sasl2
Now: /usr/lib/x86_64-linux-gnu/sasl2 (on x86 64-bit systems)
I did copy the sasl2 directory to various places to make the libraries available, but it changed nothing.
Anyone?
Marcel
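To make the swaks transcript above reproducible without a mail server, here is an added example (not part of the original question) that drives the same EHLO / AUTH LOGIN / AUTH PLAIN exchange as a client against a constructed fake smtpd that behaves exactly like the one in the transcript: it advertises AUTH PLAIN LOGIN, walks through the two LOGIN challenges, and then answers 535 5.7.8 because no mechanism is actually usable. Hostnames, user name and password are placeholders; the "Username:"/"Password:" challenge strings are the standard ones (the transcript shows them anonymized).

```python
import base64
import re

# One RFC 5321 reply line: 3-digit code, " " (last line) or "-" (more follow),
# an optional RFC 3463 enhanced status code such as 5.7.8, then the text.
REPLY_RE = re.compile(r"^(\d{3})([ -])(?:(\d\.\d{1,3}\.\d{1,3}) )?(.*)$")


def parse_reply(line):
    """Return (code, enhanced_status_or_None, text) for one reply line."""
    m = REPLY_RE.match(line)
    if m is None:
        raise ValueError("not an SMTP reply line: %r" % line)
    code, _sep, esc, text = m.groups()
    return int(code), esc, text


def b64(text):
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def b64d(text):
    return base64.b64decode(text).decode("utf-8")


def auth_plain_initial_response(user, password, authzid=""):
    """RFC 4616 PLAIN: base64(authzid NUL authcid NUL password), sent on the
    AUTH PLAIN line itself, which is what swaks does in the transcript."""
    return b64("\0".join((authzid, user, password)))


class BrokenAuthServer:
    """Constructed fake of the smtpd in the transcript: advertises AUTH PLAIN
    LOGIN, plays the LOGIN challenges, but every attempt ends in 535 5.7.8.
    It records what the client sent so the exchange can be checked."""

    FAIL = "535 5.7.8 Error: authentication failed: no mechanism available"

    def __init__(self):
        self.expect = None          # LOGIN state: None, "user" or "password"
        self.seen_user = None
        self.seen_password = None

    def send(self, line):
        """Handle one client line and return the list of reply lines."""
        if self.expect == "user":
            self.seen_user, self.expect = b64d(line), "password"
            return ["334 " + b64("Password:")]
        if self.expect == "password":
            self.seen_password, self.expect = b64d(line), None
            return [self.FAIL]
        words = line.split()
        verb = words[0].upper()
        if verb == "EHLO":
            return ["250-myserver.mydomain.tld", "250-AUTH PLAIN LOGIN", "250 8BITMIME"]
        if verb == "AUTH" and len(words) >= 2:
            if words[1].upper() == "LOGIN":
                self.expect = "user"
                return ["334 " + b64("Username:")]
            if words[1].upper() == "PLAIN" and len(words) == 3:
                _authzid, self.seen_user, self.seen_password = b64d(words[2]).split("\0")
                return [self.FAIL]
            return ["504 5.5.4 Unrecognized authentication type"]
        if verb == "QUIT":
            return ["221 2.0.0 Bye"]
        return ["502 5.5.2 Error: command not recognized"]


def smtp_auth(server, mechanism, user, password, ehlo="myclient.mydomain.tld"):
    """EHLO, then AUTH PLAIN or AUTH LOGIN, against anything exposing
    send(line) -> [reply lines].  Returns (code, enhanced status, transcript).
    The transcript holds base64-encoded (NOT encrypted) credentials: do not
    log it outside a lab, and only offer these mechanisms inside TLS
    (Postfix: smtpd_tls_auth_only = yes)."""
    if mechanism not in ("PLAIN", "LOGIN"):
        raise ValueError("mechanism must be PLAIN or LOGIN")
    transcript = []

    def cmd(line):
        transcript.append("-> " + line)
        replies = server.send(line)
        transcript.extend("<- " + r for r in replies)
        return replies

    offered = []
    for reply in cmd("EHLO " + ehlo):
        code, _, text = parse_reply(reply)
        if code != 250:
            raise RuntimeError("EHLO rejected: " + reply)
        if text.upper().startswith("AUTH "):
            offered = text.upper().split()[1:]
    if mechanism not in offered:
        raise RuntimeError("server offers %s, not %s" % (offered, mechanism))

    if mechanism == "PLAIN":
        last = cmd("AUTH PLAIN " + auth_plain_initial_response(user, password))[-1]
    else:
        # LOGIN: two 334 challenges, each answered with one base64 line;
        # any reply other than 334 ends the exchange early.
        last = cmd("AUTH LOGIN")[-1]
        for answer in (user, password):
            if parse_reply(last)[0] != 334:
                break
            last = cmd(b64(answer))[-1]
    code, esc, _ = parse_reply(last)
    cmd("QUIT")
    return code, esc, transcript


if __name__ == "__main__":
    code, esc, log = smtp_auth(BrokenAuthServer(), "LOGIN", "user@mydomain.tld", "PASSWD")
    print("\n".join(log))
    print("result: %d %s" % (code, esc))
```

The point to take from running it: the 535 arrives only after the client has already handed over the base64 user name and password, so a server with a broken mechanism list still collects credentials in the clear. That is one more reason to keep AUTH behind TLS while debugging a setup like this one.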
Answer 1
I solved it!
It took a lot of debugging, but with the following settings everything works again:
In /etc/postfix/smtpd.conf:
pwcheck_method: saslauthd
saslauthd_path: /run/saslauthd/mux
mech_list: PLAIN LOGIN
# DO NOT SPECIFY THE AUX_PROP PLUGIN!!
#auxprop_plugin: ldapdb
In /etc/saslauthd.conf:
...
ldap_auth_method: bind
#ldap_filter: (mail=%u)
ldap_filter: (mail=%u@%r)
...
Originally I had this filter, but because I saw login attempts as [email protected]@ in the LDAP log, I changed the filter (see my original post).
!! All I had to do was comment out the auxprop_plugin setting !!
But note that my SASL setup uses only the ldap backend.
Marcel
Answer 2
warning: localhost[127.0.0.1]: SASL PLAIN authentication failed: no mechanism available
I had the same problem, but I use mysql. After commenting out this line: #auxprop_plugin, everything works!
pwcheck_method: saslauthd
mech_list: plain login cram-md5 digest-md5
allow_plaintext: true
#auxprop_plugin: sql
sql_engine: mysql
sql_hostnames: 127.0.0.1
sql_user: postfix
sql_passwd: pass
sql_database: postfix
loglevel: 0
sql_select: select password from mailbox where username = '%u@%r'
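Both answers land on the same fix: with pwcheck_method: saslauthd, an auxprop_plugin line (ldapdb in Answer 1, sql in Answer 2) makes the plugin initialisation fail inside smtpd and leaves it with no mechanism at all. The following added checker is not from either poster; it parses a Cyrus SASL smtpd.conf and /etc/default/saslauthd and flags that combination, plus a few things a reviewer would look at next: challenge-response mechanisms (cram-md5, digest-md5 in Answer 2) that saslauthd can never verify, a saslauthd_path that does not line up with the socket saslauthd really creates once the Postfix chroot prefix is applied, cleartext secrets such as sql_passwd, and plaintext mechanisms that should only be offered inside TLS. The file contents below are constructed copies of the configs on this page.

```python
import posixpath

# saslauthd only checks a cleartext password; everything else needs an auxprop store.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Constructed samples mirroring the smtpd.conf variants on this page.
QUESTION_SMTPD_CONF = """\
log_level: 5
pwcheck_method: saslauthd
saslauthd_path: /run/saslauthd/mux
mech_list: PLAIN LOGIN
auxprop_plugin: ldapdb
"""
FIXED_SMTPD_CONF = """\
pwcheck_method: saslauthd
saslauthd_path: /run/saslauthd/mux
mech_list: PLAIN LOGIN
# DO NOT SPECIFY THE AUX_PROP PLUGIN!!
#auxprop_plugin: ldapdb
"""
ANSWER2_SMTPD_CONF = """\
pwcheck_method: saslauthd
mech_list: plain login cram-md5 digest-md5
#auxprop_plugin: sql
sql_engine: mysql
sql_user: postfix
sql_passwd: pass
"""
DEFAULT_SASLAUTHD = """\
START=yes
MECHANISMS="ldap"
OPTIONS=" -m /var/spool/postfix/run/saslauthd -O /etc/saslauthd.conf"
"""


def parse_sasl_conf(text):
    """Parse 'key: value' lines; '#' comments and blank lines are skipped,
    so a commented-out auxprop_plugin does not count as set."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            conf[key.strip().lower()] = value.strip()
    return conf


def saslauthd_mux_from_default(text):
    """From /etc/default/saslauthd take '-m <dir>' in OPTIONS (or PARAMS on
    older releases) and return <dir>/mux, the socket saslauthd creates."""
    mux = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key not in ("OPTIONS", "PARAMS"):
            continue
        args = value.strip().strip("\"'").split()
        for i, arg in enumerate(args):
            if arg == "-m" and i + 1 < len(args):
                mux = posixpath.join(args[i + 1], "mux")
    return mux


def lint_smtpd_conf(conf, real_mux=None, chroot="/var/spool/postfix"):
    """Return findings as 'ERROR: ...', 'WARN: ...' or 'INFO: ...' strings."""
    findings = []
    pwcheck = conf.get("pwcheck_method", "").lower()
    mechs = conf.get("mech_list", "").upper().split()
    if pwcheck == "saslauthd":
        if "auxprop_plugin" in conf:
            findings.append(
                "ERROR: auxprop_plugin: %s is set next to pwcheck_method: saslauthd; "
                "if the plugin fails to initialise (the ldapdb/sql lines in the log) "
                "smtpd is left with no mechanism at all (535 5.7.8). Remove the line."
                % conf["auxprop_plugin"])
        shared = [m for m in mechs if m not in PLAINTEXT_MECHS]
        if shared:
            findings.append(
                "WARN: mech_list offers %s, but saslauthd only verifies a cleartext "
                "password; these shared-secret mechanisms need an auxprop password "
                "store and cannot succeed here." % " ".join(shared))
        path = conf.get("saslauthd_path")
        if path and real_mux:
            # smtpd opens the path inside its chroot; compare the host-side view.
            host_view = posixpath.normpath(posixpath.join(chroot, path.lstrip("/")))
            if host_view != posixpath.normpath(real_mux):
                findings.append(
                    "ERROR: saslauthd_path %s is %s seen from outside the %s chroot, "
                    "but saslauthd listens on %s." % (path, host_view, chroot, real_mux))
    for key in conf:
        if key.endswith(("_passwd", "_pw", "_password")):
            findings.append("WARN: %s holds a cleartext secret; keep this file readable "
                            "only by root and the postfix user." % key)
    if PLAINTEXT_MECHS & set(mechs):
        findings.append("INFO: PLAIN/LOGIN only base64-encode the password; set "
                        "smtpd_tls_auth_only = yes in main.cf so they are offered inside TLS only.")
    return findings


if __name__ == "__main__":
    mux = saslauthd_mux_from_default(DEFAULT_SASLAUTHD)
    for name, text in (("question", QUESTION_SMTPD_CONF), ("answer 1", FIXED_SMTPD_CONF),
                       ("answer 2", ANSWER2_SMTPD_CONF)):
        print("== %s ==" % name)
        for finding in lint_smtpd_conf(parse_sasl_conf(text), real_mux=mux):
            print(finding)
```

Run against the question's config it reports the auxprop_plugin error and nothing about the socket path (the /run/saslauthd/mux inside the chroot does resolve to the -m directory from /etc/default/saslauthd); against Answer 2 it is quiet about auxprop but points out that cram-md5 and digest-md5 are dead weight with saslauthd and that sql_passwd sits in the file in cleartext.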