Postfix and SASL (Debian)
Today I wanted to configure one of my postfix boxes to use SASL. This time I decided to use saslauthd instead of pwcheck, as I always did before.
Let’s start with the easy part… installing the packages (it’s a debian sarge server):
apt-get install postfix-tls sasl2-bin libsasl2 libsasl2-modules
Now edit /etc/default/saslauthd:
START=yes
MECHANISMS="pam"
saslauthd is not started after package installation (we’ll do it later)!
Next file to edit is /etc/postfix/sasl/smtpd.conf (you have to create it):
pwcheck_method: saslauthd
Ok, let’s add some lines in /etc/postfix/main.cf to enable SASL:
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
reject_unauth_destination
Postfix runs smtpd chrooted to /var/spool/postfix, so it can’t reach the saslauthd socket in /var/run/saslauthd. This is the tricky part: move the socket directory into the chroot and give the postfix user access to it:
rm -r /var/run/saslauthd/
mkdir -p /var/spool/postfix/var/run/saslauthd
ln -s /var/spool/postfix/var/run/saslauthd /var/run
chgrp sasl /var/spool/postfix/var/run/saslauthd
adduser postfix sasl
Now restart postfix and start saslauthd
/etc/init.d/postfix restart
/etc/init.d/saslauthd start
Finally we test it using telnet. We need perl to generate the base64 string for the SASL PLAIN authentication (username, username and password, separated by NUL bytes):
perl -MMIME::Base64 -e 'print encode_base64("username\0username\0password");'
e.g.
perl -MMIME::Base64 -e 'print encode_base64("jimmy\0jimmy\0real-secret");'
amltbXkAamltbXkAcmVhbC1zZWNyZXQ=
Then use telnet:
jimmy@reptile:~$ telnet jimmy.co.at 25
Trying 80.237.145.96...
Connected to jimmy.co.at.
Escape character is '^]'.
220 kitana.jimmy.co.at ESMTP Mailserver
ehlo reptile.g-tec.co.at
250-kitana.jimmy.co.at
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-AUTH=NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250 8BITMIME
AUTH PLAIN amltbXkAamltbXkAcmVhbC1zZWNyZXQ=
235 Authentication successful
If it doesn’t work, check your logfiles. If you get something like this: “warning: SASL authentication failure: cannot connect to saslauthd server: Permission denied”, then check the permissions in /var/spool/postfix/var/run/saslauthd.
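The AUTH PLAIN string above is only base64, not encryption, which is the reason for postfix-tls in the package list. The following is an added example (not code from the post) that builds and decodes the same SASL PLAIN payload the perl one-liner produces, plus the AUTH LOGIN form (two separate base64 lines) and a CRAM-MD5 challenge/response pair, the mechanisms the EHLO reply advertises. The sample credentials are the constructed ones from the post; the hostname is only used in the challenge string.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample credentials, the same ones the post uses.
SAMPLE_USER = "jimmy"
SAMPLE_PASSWORD = "real-secret"


def auth_plain_token(authcid, password, authzid=None):
    """Base64 payload for 'AUTH PLAIN' (RFC 4616): authzid NUL authcid NUL password.

    The post repeats the username as authzid; passing authzid=None does the same.
    """
    if authzid is None:
        authzid = authcid
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def parse_auth_plain(token):
    """Decode an AUTH PLAIN token into (authzid, authcid, password).

    This is exactly what the server (and anyone sniffing a non-TLS session)
    sees: the password is recoverable by decoding alone.
    """
    parts = base64.b64decode(token).split(b"\0")
    if len(parts) != 3:
        raise ValueError("AUTH PLAIN payload must contain exactly two NUL bytes")
    return tuple(p.decode("utf-8") for p in parts)


def auth_login_tokens(username, password):
    """'AUTH LOGIN' sends username and password as two separate base64 lines."""
    return (base64.b64encode(username.encode("utf-8")).decode("ascii"),
            base64.b64encode(password.encode("utf-8")).decode("ascii"))


def new_cram_challenge(hostname):
    """Server-side CRAM-MD5 challenge in the customary '<random.ts@host>' shape."""
    return f"<{secrets.token_hex(8)}@{hostname}>".encode("ascii")


def cram_md5_response(username, password, challenge):
    """Client response for CRAM-MD5: 'username <hex HMAC-MD5(password, challenge)>'."""
    digest = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def verify_cram_md5(response, challenge, lookup_password):
    """Server-side CRAM-MD5 check. It needs the clear-text password, which is why
    saslauthd (a plaintext verifier talking to PAM) cannot serve CRAM-MD5; that
    mechanism needs the secret from an auxprop source such as sasldb2."""
    try:
        username, digest = response.split(" ", 1)
    except ValueError:
        return False
    password = lookup_password(username)
    if password is None:
        return False
    expected = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    token = auth_plain_token(SAMPLE_USER, SAMPLE_PASSWORD)
    print("AUTH PLAIN", token)            # same string as the perl one-liner
    print("decoded:", parse_auth_plain(token))
    print("AUTH LOGIN lines:", auth_login_tokens(SAMPLE_USER, SAMPLE_PASSWORD))
    chal = new_cram_challenge("kitana.jimmy.co.at")
    resp = cram_md5_response(SAMPLE_USER, SAMPLE_PASSWORD, chal)
    print("CRAM-MD5 ok:", verify_cram_md5(resp, chal, lambda u: SAMPLE_PASSWORD))
```

parse_auth_plain is the useful half for a defender: run it over a captured AUTH PLAIN line and the credential falls out, which makes the case for only offering PLAIN and LOGIN after STARTTLS.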
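The “Permission denied” failure comes from the chrooted smtpd being unable to traverse one of the directories on the way to the mux socket, or to open the socket itself. The following added example (not code from the post) checks that path the way an unprivileged postfix user would see it, from the stat() mode bits rather than os.access(), so it gives the right answer even when run as root. build_demo_tree() constructs a throw-away copy of the layout from the post (var/run/saslauthd/mux under a temporary directory, with the 0710 root:sasl directory mode the Debian README recommends) so the check can be exercised offline; on a real box you would call check_saslauthd_socket on /var/spool/postfix/var/run/saslauthd/mux with the postfix uid and its group set.

```python
import os
import socket
import stat
import tempfile

# Permission bits per principal class: (owner, group, other)
PERM_BITS = {
    "r": (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
    "w": (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH),
    "x": (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH),
}


def principal_can(st, uid, gids, perm):
    """Classic Unix permission decision for a principal (uid, set of gids),
    taken from stat() bits so it reflects the unprivileged postfix user's view."""
    ubit, gbit, obit = PERM_BITS[perm]
    if st.st_uid == uid:
        return bool(st.st_mode & ubit)
    if st.st_gid in gids:
        return bool(st.st_mode & gbit)
    return bool(st.st_mode & obit)


def check_saslauthd_socket(mux_path, uid, gids):
    """Return the problems the principal would hit connecting to the saslauthd
    mux socket: every directory above it must be searchable (x) and the socket
    itself readable and writable. An empty list means no EACCES on connect."""
    problems = []
    mux_path = os.path.abspath(mux_path)
    current = os.sep
    for part in mux_path.split(os.sep)[1:-1]:
        current = os.path.join(current, part)
        try:
            st = os.stat(current)
        except FileNotFoundError:
            problems.append(f"{current}: does not exist")
            return problems
        if not stat.S_ISDIR(st.st_mode):
            problems.append(f"{current}: not a directory")
            return problems
        if not principal_can(st, uid, gids, "x"):
            problems.append(f"{current}: not searchable for uid {uid} "
                            f"(mode {st.st_mode & 0o7777:04o}, owner {st.st_uid}:{st.st_gid})")
    try:
        st = os.stat(mux_path)
    except FileNotFoundError:
        problems.append(f"{mux_path}: missing (is saslauthd running, with -m pointing here?)")
        return problems
    if not stat.S_ISSOCK(st.st_mode):
        problems.append(f"{mux_path}: not a unix domain socket")
    for perm in "rw":
        if not principal_can(st, uid, gids, perm):
            problems.append(f"{mux_path}: no {perm} permission for uid {uid}")
    return problems


def build_demo_tree():
    """Constructed test fixture: var/run/saslauthd/mux under a temp directory,
    directory mode 0710 (README.Debian) and a world-rw listening socket."""
    base = tempfile.mkdtemp()
    os.chmod(base, 0o755)                    # mkdtemp() creates the dir 0700
    run_dir = os.path.join(base, "var", "run")
    sasl_dir = os.path.join(run_dir, "saslauthd")
    os.makedirs(sasl_dir)
    os.chmod(os.path.join(base, "var"), 0o755)
    os.chmod(run_dir, 0o755)
    os.chmod(sasl_dir, 0o710)
    mux = os.path.join(sasl_dir, "mux")
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    listener.bind(mux)
    os.chmod(mux, 0o666)
    return base, mux, listener


if __name__ == "__main__":
    base, mux, listener = build_demo_tree()
    # uid 65534 stands in for postfix (it does not own the tree); the first
    # call puts it in the directory's group, as 'adduser postfix sasl' does.
    sasl_gid = os.stat(os.path.dirname(mux)).st_gid
    print("in sasl group:", check_saslauthd_socket(mux, 65534, {sasl_gid}))
    print("not in group: ", check_saslauthd_socket(mux, 65534, {99999}))
    listener.close()
```

The walk starts at / on purpose: a parent directory with the wrong mode (for instance a run directory that an init script has tightened) breaks the connection even when the saslauthd directory and the mux socket themselves look fine.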
Thank you for this crystal-clear article !
I had problems generating the encoding because of a quote problem, so I changed this line:
perl -MMIME::Base64 -e ‘print encode_base64(”jimmyjimmyreal-secret”);’
by this
perl -MMIME::Base64 -e ‘print encode_base64(“jimmyjimmyreal-secret”);’
Simply awesome.
I went to the official websites of the various packages involved in this.
I read blogs, HOWTOs and FAQs
Everyone was demanding that I become an expert in everything they created, before I’d really be allowed to use it
You instead wrote perfectly clear documentation. Congratulations… the lack of information like this is holding Linux back from even more popular acceptance (I’m not a newb, I started with Linux 1.0 or something like that, and have been on the net since there was a net)… but clear technical writing is lacking in our world generally.
Great research, great writeup. Thank you.
Thank you guys for the nice feedback. That keeps me motivated to blog such things
It also removed the between username and password.
About the quoting: I’m not sure why you had to change it, maybe it was another shell. Hint for other readers: Arnaud replaced the two single quotes with double quotes. I think it’s hard to see, thanks to my blogging software
Thank You for creating this HowTo.
But I still have a problem when I want to create the encrypted password
perl -MMIME::Base64 -e ‘print encode_base64(”usernameusernamepassword”);’
this makes a
Backslash found where operator expected at -e line 1, near “username\”
Bareword found where operator expected at -e line 1, near “0username”
(Missing operator before username?)
Backslash found where operator expected at -e line 1, near “username\”
Bareword found where operator expected at -e line 1, near “0password”
(Missing operator before password?)
syntax error at -e line 1, near “username\”
Execution of -e aborted due to compilation errors.
And I also have a problem with the saslauthd socket
I made it up the same way as you (and a lot of others) describe it, but I always get a
warning: SASL authentication failure: cannot connect to saslauthd server: Permission denied
This is also the case when I made a chmod -R 777 on /var/spool/postfix/var/run/saslauthd
Axel, use double quotes instead of single quotes. I think that should work.
About the saslauthd: Looks like a very specific problem. Feel free to mail me about that.
About chroot…
You can avoid moving directories /var/run, etc.
1) Just add the following line in /etc/default/saslauthd:
PARAMS="-m /var/spool/postfix/var/run/saslauthd"
2) edit /etc/init.d/postfix on line 43 or so, add "etc/sasldb2"
This way, postfix will copy sasldb2 on startup to the chroot directory
Axel
“cannot connect to saslauthd server: Permission denied” can mean a few things:
1. Is saslauthd running?
2. If you run smtpd in chroot (check master.cf for smtp and smtps) make sure saslauthd had the correct PARAMS (see post 6.) You can see the params in the ps tree.
3. If you do not run smtpd in chroot then don't set the params.
You guys ROCK!
The whole article helped me check my work in 2 seconds and the suggestions for the “permission denied” error in comment 6 worked like a charm!
Thanks! Yours is the first howto I ran across that even mentions having to start saslauthd by editing /etc/defaults/saslauthd.
Jimmy, looks like you have used pwcheck with sasl and postfix in the past. I am trying to get pwcheck working on my solaris box. My main.cf looks much the same as yours, but my smtpd.conf has pwcheck_method: pwcheck. I can see pwcheck running in the background (I just started it manually for now), and I can see it created a socket at /var/pwcheck/pwcheck. I ran a telnet session like your example, using the same perl script to generate the encoded user/pass. But I get authentication error. I notice in the syslog that sasl has correctly extracted the username (it does not print the password in syslog) but then says ‘Userid not found’ or similar. Any clues? I do notice in the pwcheck source code that it seems to log to syslog, but I don't know how to configure syslog.conf to turn this on.
I will appreciate any tips of wisdom you may have on this.
Thank you, thank you. This model of clarity resolved a days-old bottleneck on my latest Debian server (a migration from Redhat). The key was the symlink in /var/run.
Very useful walk-thru. I’m running a setup like this on debian etch, and wanted to mention that after the latest sasl upgrades (package dated around 2006/09/17, I think), I had to rmdir /var/run/saslauthd and then create a symlink to the chrooted saslauthd directly from /var/run.
This is an obvious one, but make sure _every_ directory in the path /var/spool/postfix/var/run/saslauthd has permissions sufficient for smtpd to access (and keep checking them). At some point earlier today I accidentally created a symlink from /var/run/saslauthd to /var/spool/postfix/var/run (note the missing saslauthd on the latter path). The saslauthd init script kindly changed the permissions on the ‘run’ directory, so after I corrected the path issue, smtpd could no longer access /var/spool/postfix/var/run/saslauthd/mux even though the permissions on that file and its immediate parent looked fine. Phew!
Also of use, if your situation is Really Bad ™, setup a debugger on smtpd:
in main.cf:
debugger_command =
PATH=/usr/bin
strace -o /tmp/$process_name -p $process_id & sleep 5
in master.cf, add the ‘-D’ option to the smtpd process responsible for receiving mail from clients
Restart postfix, try to send a message from your client, and check out /tmp/smtpd.
Good luck! (Thanks for the good tutorial, btw.)
Thank you so much. Reading all the HOWTOs gave me a thumping headache, and of course I still had problems. But this worked!
I don’t usually believe in censorship but all the other howtos should be banned. I’m another victim of spending days trying to make this work and yours resolved everything in about an hour.
This from the Postfix website http://www.postfix.org/SASL_README.html:
“..To run software chrooted with SASL support is an interesting exercise. It probably is not worth the trouble…”
I actually just removed the chroot ( in the master.cf file).
Security should to breach the principle of sticking to the author’s recommendations!!!
Bestest
Great work !!
This so clear article was crucial for me for getting this thing working after 4 hours asking Mr. Google for responses.
Thank you
This is really useful, many thanks to you. I wasted much of time on reading out-of-date docs before I found this site.
Very useful, thanks!
Postfix is such a joy. Goodbye, sendmail.
About “warning: SASL authentication failure: cannot connect to saslauthd server: Permission denied” problem read: zless /usr/share/doc/sasl2-bin/README.Debian.gz
Part about:
To place the saslauthd socket inside the Postfix chroot, edit
/etc/default/saslauthd and set OPTIONS like this (you may omit -c):
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
To set the run directory using dpkg-statoverride, run this command as root:
dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd
Finally, to add the postfix user to the sasl group:
adduser postfix sasl
This is the same setup as we have. The only issue with it is, that CRAM-MD5 authentication is not working. Other schemas are working well, but not MD5. Try it, and you will see.
Excellent! Very helpful post and comments.
I cannot get it to work, I still get:
postfix/smtpd[13689]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
Thank you timor (comment number 20), those commands worked for my permission denied errors after upgrading Ubuntu. (and also thanks to Jimmy for this blog)
Wow, thanks for the great article.
I had previously been struggling with this but thanks to your article it is now a snap on my new servers.
Cheers and keep up the good work
Thanks for the great web site. I was struggling to get this working correctly. I looked at a few different web sites and none were as easy to follow and correct as yours.
Thanks again!
Great help in figuring out why things weren’t working for me. At 4 AM when I can’t figure out what’s wrong, I also appreciate the high contrast page and clear writing of what to edit in key files.
“warning: SASL authentication failure: cannot connect to saslauthd server: Permission denied”
Only way I solved this was by making /var/run/saslauthd world read-execute (chmod a+rx).
Postfix is not run chroot’d and there is no group for saslauthd on my setup.
Thanks again for a great page.
Great Article, tests telnet Ok.
But using the client, I can send messages with “SMTP Server Authentication required” flag unchecked. Is this a normal behavior? AFAIK, the server should deny the connection, or not?
Tks for help
PinheiroRJ
That depends on the configuration, especially “smtpd_recipient_restrictions”. In many cases “permit_mynetworks” is used (also in my example). So hosts from the inside LAN can send without SMTP Authentication.
greets Jimmy
Thanks. I had the permission issue outlined at the very end of the post. Quite frustrating trying to figure it out – just to find out it’s something as simple as it was.
Thanks!
I could not get this working because of the following situation:
postfix/smtpd[29658]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
postfix/smtpd[29658]: warning: SASL authentication failure: Password verification failed
postfix/smtpd[29658]: warning: localhost[127.0.0.1]: SASL LOGIN authentication failed
Two articles were of some help with this:
http://enc.com.au/myscripts/postfixmysql.html (very dated, now, so not much use in resolving the problem but contains some useful information)
http://www.kloopy.com/344_Postfix__SASL2__unable_to_open_Berkeley_db (I could not create a file where suggested and symlinking caused a “too many levels” error message, so ultimately this did fix the problem, either)
…so, the actual solution that worked for me:
/etc/default/saslauthd (make sure that the relevant part of this file contains the following (without the top and bottom leader dots) – but leave the rest of the file contents alone!)
…
# Example: MECHANISMS="pam"
MECHANISMS="pam"
# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS="-a pam -O /etc/pam.d"
…
/etc/postfix/sasl/smtpd.conf
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
The smtpd.conf entries are actually as recommended by Postfix and don’t mean that your information will be unencrypted (if using a certificate, whether self-signed or not). The man pages on your machine (man obviously short for manual) should help you if you want to play with the mechs or mech options.
Finally, for self-signed certificates signing without a load of expense: cacert.org or (£10!) 123-reg for their own branded Globalsign certs with server side extras that will work for your email and a multitude of things that require a certificate on your server.
…and don’t forget about (Debian package) lsof (lsof -i :465, lsof -i :995, etc.) and tail -f /var/log/mail (CTRL+c to break out of it) to give you a blow-by-blow show of what’s happening when you are trying to test whether your latest email configuration works…
Also, if using Outlook, make the mail server lines correspond with the CN (canonical name) on the certificate if you want to get rid of that certificate cannot be trusted error box.
i.e.: if your certificate is made out to domain.tld, your mailserver lines would need to look something like: [Incoming Mail Server] domain.tld [Outgoing Mail Server (SMTP)] domain.tld
This also works for certificates with the CN as http://www.domain.tld
Finally, it is possible that 123-reg branded certificates won’t have the server side extensions that the more expensive non-branded certificates have, so check first if this is your preference over cacert.org (and no, I don’t work for 123-reg or Globalsign!).
Jim, this page is the *only* site on the Net to clearly point out the postfix-sasl requirements and the consequences of the chroot.
Thanks a lot.
Thank you very much! Helped me solve my SMTP problems. Goodbye relay access denied errors
Just spent 3 hours bouncing from site to site trying to sort out SMTP auth. All had small snippets of the info above – even had to translate a few from German.
Within 30 seconds of finding this page I had managed to send some mail
Thanks heaps!
Cogsy
hi .. i want to have
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
listed in below:
[root@b postfix]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.monk.com ESMTP Postfix
ehlo mail.monk.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
it’s not there. And there’s no smtpd.conf anywhere. so i created one in
/etc/sasl,
/usr/lib/sasl
/etc/postfix/sasl
in smtpd.conf i added:
pwcheck_method: saslauthd
mech_list: plain login
restarted everything and still i don’t see 250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
postfix ver: 2.4.5 centos 5.2
thanks.
thanks, you helped me a lot in just few minutes! thanks!
In addition, the following settings in /etc/postfix/main.cf may be useful:
smtpd_sasl_type = cyrus
cyrus_sasl_config_path = /etc/postfix/sasl
Specifically the last one when added got rid of my Permission Denied errors.
Excellent. Works fine!
Good job. Thats all i needed
Solved My SMTP problem. Cheers
Thanks for the write-up. It really helped a lot. On my Ubuntu system, however, every time I restarted sasl-authd, the /var/spool/postfix/var/run/saslauthd directory would get changed back to being owned by root, and the ‘permission denied’ problem would reoccur. I found that in the /etc/init.d/sasl-authd script, there’s a line:
create root sasl 710 $RUN_DIR
I had to change that line to
createdir postfix sasl 710 $RUN_DIR
and now when it restarts and recreates the saslauthd directory, it recreates it properly.
You are the Man.
Cheers
It’s very useful, thanks.
I’m still getting “warning: SASL authentication failure: cannot connect to saslauthd server: Permission denied”. Here’s the permissions in /var/spool/postfix/var/run/saslauthd:
root@foo:~# ls -l /var/spool/postfix/var/run/saslauthd
total 940
drwx--x--- 2 root sasl 4096 Aug 19 17:08 ./
drwx------ 3 root root 4096 Aug 17 18:41 ../
-rw------- 1 root root 0 Aug 19 17:08 cache.flock
-rw------- 1 root root 945152 Aug 19 17:08 cache.mmap
srwxrwxrwx 1 root root 0 Aug 19 17:08 mux=
-rw------- 1 root root 0 Aug 19 17:08 mux.accept
-rw------- 1 root root 6 Aug 19 17:08 saslauthd.pid
Should all files in this dir belong to the sasl group? If so, how do I make this happen?
friend i really really thank you for this tutorial!!
ah ha!
Finally, to add the postfix user to the sasl group:
adduser postfix sasl
fixed my permission denied problem!
thanks!
Thank you for all. It’s very good help !
Thank you very much… wasted so many hours with this…
I have to say that the information here was the most complete that I found anywhere. I am definitely bookmarking this to come back and read later
Great great article. Very simple. Hope you don’t mind, I did a little translation to Spanish of your article for one of our how to’s on our webpage. http://pmssa.com.ar/postfix-and-sasl-debian/
Thanks!