[olug] hooking up Postfix and SASL

Phil Brutsche phil at brutsche.us
Wed Jul 26 02:29:30 UTC 2006


Mike Hostetler wrote:
> Has anyone tried to use SASL in Postfix?

Not a big postfix user, but I have it working with Cyrus IMAP and Exim.

> This is the page I found:
> http://www.postfix.org/SASL_README.html
> 
> And this is what I put in my main.cf:
> 
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_path = smtpd2
> smtpd_sasl_local_domain = $myhostname
> broken_sasl_auth_clients = yes
> smtpd_sasl_security_options = noanonymous

The "broken_sasl_auth_clients" keyword shouldn't be necessary; that's
what put the second AUTH line with "AUTH=PLAIN" in your SMTP dialog. It
should only be necessary with Outlook Express 4.x - there may be other
email clients that use that (broken) syntax, but OE4 is the only one I
know of.

BTW OE4 would also require the LOGIN mechanism.

> And this is what I put in my smtpd2.conf:
> pwcheck_method: pwcheck

IIRC the pwcheck method is unsupported in sasl v2, which I assume you
are using. If you are indeed using sasl v2 you need to use the
"saslauthd" method instead.

You will need to make sure that saslauthd (usually either
/usr/sbin/saslauthd or /usr/local/sbin/saslauthd) is running. It will
use PAM if you give it the "-a pam" command-line parameters.

You will also need to have PAM configured, and make sure that the named
pipe used by saslauthd (/var/run/saslauthd/mux on my Debian system) is
accessible to the user postfix runs as.

You should also make sure that smtpd2.conf is in the right location -
sasl v2 will *always* look for it in /usr/lib/sasl2/, even if the
binaries are in /usr/local/{lib/sasl2,sbin}.

> But when I test it, I get the following:
> 220 acio-wprhs ESMTP Postfix
> ehlo omahostetlerm
> 250-acio-wprhs
> 250-PIPELINING
> 250-SIZE 10240000
> 250-VRFY
> 250-ETRN
> 250-AUTH PLAIN OTP DIGEST-MD5 CRAM-MD5
> 250-AUTH=PLAIN OTP DIGEST-MD5 CRAM-MD5
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> auth plain bWFpbHVzZXIAbWFpbHVzZXIAbWFpbHVzZXI
> 535 5.7.0 Error: authentication failed: another step is needed in authentication

By default SASL won't do plain-text auth over an insecure channel (i.e.
without SSL).

Try putting:

minimum_layer: 0

in smtpd2.conf.

> I'm not sure what that error means.  Google gives me no love.
> 
> The link above has the AUTH line different, which is:
> 250-AUTH DIGEST-MD5 PLAIN CRAM-MD5
> 
> But I don't know how to get it that way.  I believe that may be my problem.

If you put:

mech_list: PLAIN

in smtpd2.conf it will limit you to the PLAIN mechanism. You can list
more than one mechanism, and I *think* you can specify the order the
mechanisms appear in the SMTP dialog like so:

mech_list: DIGEST-MD5 PLAIN CRAM-MD5

BTW Unless you put your user passwords in /etc/sasldb2 (via saslpasswd2)
you won't be able to use the DIGEST-MD5 or CRAM-MD5 mechanisms anyway:
they require a plain-text shared secret - the password - which is
something you usually don't get with system-level accounts.

BTW2 Based on my experience with SASL it won't make a difference.

BTW3 I have yet to hear about an MUA that cares about the order the auth
mechanisms appear in during the SMTP dialog.

> Any insight would be appreciated.

How's this: SASL requires black magic and needs better documentation.
Rubber chicken sacrifices are not optional.

BTDTGTTS

-- 

Phil Brutsche
phil at brutsche.usf
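As an added example (not part of the original thread), the following Python script checks an EHLO banner like the one quoted above for the two things discussed here: the duplicate "AUTH=" line that broken_sasl_auth_clients produces, and cleartext mechanisms (PLAIN, LOGIN) being offered on a channel where STARTTLS is not advertised. It also splits a SASL PLAIN message (RFC 4616) to show that "auth plain <base64>" carries the password in the clear, which is why relaxing the SASL layer requirement only makes sense once TLS is in front of it. The sample banner and the credential blob are constructed from the quoted session; the function names are my own.

```python
import base64
import re

# Constructed sample: the EHLO response from the thread, including the
# legacy "AUTH=" line that broken_sasl_auth_clients = yes adds.
SAMPLE_EHLO = """250-acio-wprhs
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN OTP DIGEST-MD5 CRAM-MD5
250-AUTH=PLAIN OTP DIGEST-MD5 CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

# Mechanisms that send the password itself rather than a proof of it.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}

def parse_ehlo(text):
    """Return (keywords set, AUTH mechanism list, legacy AUTH= line seen)."""
    keywords, mechs, legacy = set(), [], False
    for line in text.splitlines():
        m = re.match(r"250[- ](\S+)(?:\s+(.*))?$", line)
        if not m:
            continue                      # banner or non-250 line
        kw, rest = m.group(1), m.group(2) or ""
        if kw == "AUTH":
            mechs = rest.split()
        elif kw.startswith("AUTH="):      # Outlook Express 4 compatibility form
            legacy = True
        else:
            keywords.add(kw)
    return keywords, mechs, legacy

def audit_ehlo(text):
    """List the findings a defender would flag in this banner."""
    keywords, mechs, legacy = parse_ehlo(text)
    findings = []
    if "STARTTLS" not in keywords and CLEARTEXT_MECHS & set(mechs):
        findings.append("cleartext mechanisms offered without STARTTLS")
    if legacy:
        findings.append("legacy AUTH= line present (broken_sasl_auth_clients)")
    return findings

def decode_plain(b64):
    """Split a SASL PLAIN message (RFC 4616): authzid NUL authcid NUL passwd."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))   # restore padding
    authzid, authcid, passwd = raw.split(b"\0")
    return authzid.decode(), authcid.decode(), passwd.decode()
```

Run audit_ehlo(SAMPLE_EHLO) on a captured banner; on Postfix the usual way to make cleartext mechanisms safe is to require TLS before AUTH with smtpd_tls_auth_only = yes (a standard Postfix parameter, not one mentioned in the thread).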