[olug] hooking up Postifx and SASL
Phil Brutsche
phil at brutsche.us
Wed Jul 26 02:29:30 UTC 2006
Mike Hostetler wrote:
> Has anyone tried to use SASL in Postfix?
Not a big postfix user, but I have it working with Cyrus IMAP and Exim.
> This is the page I found:
> http://www.postfix.org/SASL_README.html
>
> And this is what I put in my main.cf:
>
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_path = smtpd2
> smtpd_sasl_local_domain = $myhostname
> broken_sasl_auth_clients = yes
> smtpd_sasl_security_options = noanonymous
The "broken_sasl_auth_clients" keyword shouldn't be necessary, that's
what put the second AUTH line with "AUTH=PLAIN" in your SMTP dialog. It
should only be necessary with Outlook Express 4.x - there may be other
email clients that use that (broken) syntax, but OE4 is the only one I
know of.
BTW OE4 would also require the LOGIN mechanism.
> And this is what I put in my smtpd2.conf:
> pwcheck_method: pwcheck
IIRC the pwcheck method is unsupported in sasl v2, which I assume you
are using. If you are indeed using sasl v2 you need to use the
"saslauthd" method instead.
You will need to make sure that saslauthd (usually either
/usr/sbin/saslauthd or /usr/local/sbin/saslauthd) is running. It will
use PAM if you give it the "-a pam" command-line parameter.
You will also need to have PAM configured, and make sure that the named
pipe used by saslauthd (/var/run/saslauthd/mux on my Debian system) is
accessible to the user postfix runs as.
You should also make sure that smtpd2.conf is in the right location -
sasl v2 will *always* look for it in /usr/lib/sasl2/, even if the
binaries are in /usr/local/{lib/sasl2,sbin}.
> But when I test it, I get the following:
> 220 acio-wprhs ESMTP Postfix
> ehlo omahostetlerm
> 250-acio-wprhs
> 250-PIPELINING
> 250-SIZE 10240000
> 250-VRFY
> 250-ETRN
> 250-AUTH PLAIN OTP DIGEST-MD5 CRAM-MD5
> 250-AUTH=PLAIN OTP DIGEST-MD5 CRAM-MD5
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> auth plain bWFpbHVzZXIAbWFpbHVzZXIAbWFpbHVzZXI
> 535 5.7.0 Error: authentication failed: another step is needed in authentication
By default SASL won't do plain-text auth over an insecure channel (i.e.
without SSL).
Try putting:
minimum_layer: 0
in smtpd2.conf.
> I'm not sure what that error means. Google gives me no love.
>
> The link above has the AUTH line different, which is:
> 250-AUTH DIGEST-MD5 PLAIN CRAM-MD5
>
> But I don't know how to get it that way. I believe that may be my problem.
If you put:
mech_list: PLAIN
in smtpd2.conf it will limit you to the PLAIN mechanism. You can list
more than one mechanism, and I *think* you can specify the order the
mechanisms appear in the SMTP dialog like so:
mech_list: DIGEST-MD5 PLAIN CRAM-MD5
BTW Unless you put your user passwords in /etc/sasldb2 (via saslpasswd2)
you won't be able to use the DIGEST-MD5 or CRAM-MD5 mechanisms anyway:
they require a plain-text shared secret - the password - which is
something you usually don't get with system-level accounts.
BTW2 Based on my experience with SASL it won't make a difference.
BTW3 I have yet to hear about an MUA that cares about the order the auth
mechanisms appear in during the SMTP dialog.
> Any insight would be appreciated.
How's this: SASL requires black magic and needs better documentation.
Rubber chicken sacrifices are not optional.
BTDTGTTS
--
Phil Brutsche
phil at brutsche.usf
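The EHLO reply and the "auth plain" line quoted in the thread above, worked through as an added example (not code from the original post or from Postfix/Cyrus SASL): it splits the standard "AUTH" line from the legacy "AUTH=" line that broken_sasl_auth_clients adds, encodes/decodes the PLAIN initial response as RFC 4616 defines it, and flags the mechanisms that need a cleartext secret in sasldb2. The sample EHLO text is constructed from the quoted dialog; all function names are this example's own.

```python
import base64
import re

# Constructed sample: the EHLO reply quoted in the thread, including the
# non-standard "AUTH=" line that broken_sasl_auth_clients=yes adds for OE4.
SAMPLE_EHLO = """250-acio-wprhs
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN OTP DIGEST-MD5 CRAM-MD5
250-AUTH=PLAIN OTP DIGEST-MD5 CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""


def parse_auth_mechanisms(ehlo_reply):
    """Return {'standard': [...], 'legacy': [...]} from the AUTH and AUTH= lines."""
    standard, legacy = [], []
    for line in ehlo_reply.splitlines():
        m = re.match(r"250[- ](AUTH=?)\s*(.*)", line)
        if not m:
            continue
        mechs = m.group(2).split()
        (legacy if m.group(1).endswith("=") else standard).extend(mechs)
    return {"standard": standard, "legacy": legacy}


def encode_plain(authcid, password, authzid=""):
    """RFC 4616 PLAIN initial response: [authzid] NUL authcid NUL passwd, base64."""
    raw = authzid.encode() + b"\0" + authcid.encode() + b"\0" + password.encode()
    return base64.b64encode(raw).decode()


def decode_plain(blob):
    """Inverse of encode_plain; tolerates the stripped '=' padding seen in the dialog.
    PLAIN is only base64, not encryption, which is why SASL refuses it without TLS."""
    blob += "=" * (-len(blob) % 4)
    parts = base64.b64decode(blob).split(b"\0")
    if len(parts) != 3:
        raise ValueError("PLAIN message must have exactly three NUL-separated fields")
    return tuple(p.decode() for p in parts)


def needs_shared_secret(mechs):
    """Mechanisms the server can only verify with the cleartext password (sasldb2)."""
    return [m for m in mechs if m in ("CRAM-MD5", "DIGEST-MD5")]
```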