Jimmy’s weblog

12/5/2005

Postfix and SASL (Debian)

Filed under: — jimmy @ 5:30 am

Today I wanted to configure one of my postfix boxes to use SASL for SMTP authentication. This time I decided to use saslauthd instead of pwcheck, as I always did before.
Let’s start with the easy part… installing the packages (it’s a Debian sarge server):

apt-get install postfix-tls sasl2-bin libsasl2 libsasl2-modules

Now edit /etc/default/saslauthd:

START=yes
MECHANISMS="pam"

saslauthd is not started after package installation (we’ll do it later, once its socket directory is in place)!
Next file to edit is /etc/postfix/sasl/smtpd.conf (you have to create it). It tells the Cyrus SASL library inside smtpd to hand username and password to saslauthd, which checks them through PAM (i.e. against the system accounts) as configured above:

pwcheck_method: saslauthd

Note that saslauthd can only verify a plaintext password. Of the mechanisms smtpd will advertise, only PLAIN and LOGIN can therefore succeed; the shared-secret mechanisms CRAM-MD5 and DIGEST-MD5 need the password stored in sasldb2 and fail with this setup. If you don’t want them offered at all, restrict the advertised list with a mech_list entry in the same file.

Ok, let’s add some lines in /etc/postfix/main.cf to enable SASL:

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes

smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination

What these do: noanonymous forbids anonymous logins but still permits the plaintext mechanisms PLAIN and LOGIN. broken_sasl_auth_clients makes postfix announce the AUTH capability a second time in the non-standard "AUTH=" form that old Outlook and Outlook Express versions expect (that’s why the EHLO answer below shows two AUTH lines). The restriction list is evaluated in order: authenticated clients and hosts in $mynetworks may relay to any destination, everybody else may only deliver to domains this server is responsible for. Two caveats: PLAIN and LOGIN transmit the password base64-encoded, not encrypted, so a client that authenticates on port 25 without STARTTLS exposes its password to anyone on the path; if TLS is set up on the box, smtpd_tls_auth_only = yes makes smtpd offer AUTH only after STARTTLS. And permit_mynetworks lets hosts in $mynetworks send without authenticating at all, so keep that list tight.

On Debian the smtpd daemon runs chrooted in /var/spool/postfix (that’s the default in /etc/postfix/master.cf), so it can’t reach the saslauthd socket, which lives in /var/run/saslauthd outside the chroot. This is the tricky part: move the socket directory into the chroot and point the old location at it:

rm -r /var/run/saslauthd/
mkdir -p /var/spool/postfix/var/run/saslauthd
ln -s /var/spool/postfix/var/run/saslauthd /var/run
chgrp sasl /var/spool/postfix/var/run/saslauthd
adduser postfix sasl

After this saslauthd (started through the unchanged init script) still creates its socket under /var/run/saslauthd, which is now the directory inside the chroot, and smtpd sees it as /var/run/saslauthd/mux relative to its own root. The chgrp and the group membership are what give the unprivileged postfix user access to the socket directory; if a later package upgrade or the init script recreates that directory, check its group and mode again. (Newer sasl2-bin versions avoid the symlink altogether: saslauthd’s -m option, set in /etc/default/saslauthd, puts the socket directory straight into the chroot.)

Now restart postfix and start saslauthd:

/etc/init.d/postfix restart
/etc/init.d/saslauthd start

Finally we test it using telnet. AUTH PLAIN takes a single base64 string made of the authorization id, the authentication id and the password, separated by NUL bytes; for a normal login both ids are the username. We need perl to generate that string:

perl -MMIME::Base64 -e 'print encode_base64("username\0username\0password");'
e.g.
perl -MMIME::Base64 -e 'print encode_base64("jimmy\0jimmy\0real-secret");'
amltbXkAamltbXkAcmVhbC1zZWNyZXQ=

Then use telnet:

jimmy@reptile:~$ telnet jimmy.co.at 25
Trying 80.237.145.96...
Connected to jimmy.co.at.
Escape character is '^]'.
220 kitana.jimmy.co.at ESMTP Mailserver
ehlo reptile.g-tec.co.at
250-kitana.jimmy.co.at
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-AUTH=NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250 8BITMIME
AUTH PLAIN amltbXkAamltbXkAcmVhbC1zZWNyZXQ=
235 Authentication successful
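The perl one-liner and the AUTH PLAIN line above are the whole wire format. Here is the same thing done in plain sh, plus the AUTH LOGIN variant and the decoding direction, as an added example (it is not code from the original post and uses the post’s made-up credentials; it assumes a printf that understands \000 and the coreutils base64 with -d for decoding):

```shell
#!/bin/sh
# Added example, not part of the original post: build the base64 tokens that
# SMTP AUTH PLAIN and AUTH LOGIN send, and decode them again.  Assumes a
# printf that understands \000 and the coreutils base64 (base64 -d to decode).

# AUTH PLAIN sends a single token: base64(authzid NUL authcid NUL password).
# $1 = username (authentication id), $2 = password,
# $3 = authorization id, which for a normal login is the same as $1 (this is
# why the post's perl one-liner repeats the username).
auth_plain_token() {
    authzid=${3:-$1}
    printf '%s\000%s\000%s' "$authzid" "$1" "$2" | base64 | tr -d '\n'
}

# AUTH LOGIN (what old Outlook clients use) is a two-step dialogue: the
# server sends "334 VXNlcm5hbWU6" (base64 "Username:") and the client answers
# with base64(username); the server sends "334 UGFzc3dvcmQ6" ("Password:")
# and the client answers with base64(password).  Prints the two client
# answers on two lines.
auth_login_tokens() {
    printf '%s' "$1" | base64 | tr -d '\n'
    echo
    printf '%s' "$2" | base64 | tr -d '\n'
    echo
}

# Base64 is an encoding, not encryption: whoever sees the AUTH PLAIN line on
# port 25 (no STARTTLS in the telnet session above) recovers the password with
# one command.  The NUL separators are shown as ':' to keep it printable.
auth_plain_decode() {
    printf '%s' "$1" | base64 -d | tr '\0' ':'
}

# Decode any single token, e.g. the server prompts in a captured AUTH LOGIN.
b64_decode() {
    printf '%s' "$1" | base64 -d
}

# Demo with the post's (made-up) credentials:
auth_plain_token jimmy real-secret; echo              # amltbXkAamltbXkAcmVhbC1zZWNyZXQ=
auth_login_tokens jimmy real-secret                   # amltbXk= then cmVhbC1zZWNyZXQ=
auth_plain_decode amltbXkAamltbXkAcmVhbC1zZWNyZXQ=; echo   # jimmy:jimmy:real-secret
b64_decode VXNlcm5hbWU6; echo                         # Username:
```

Run it and compare the first line with the perl output above. The decode function is the point to keep in mind: the telnet session above sent the password across the network in a form that anyone with a packet capture turns back into clear text in one command, which is why AUTH on port 25 belongs behind STARTTLS.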

If it doesn’t work check your logfiles (/var/log/mail.log on Debian). If you get something like this: “warning: SASL authentication failure: cannot connect to saslauthd server: Permission denied”, then check the permissions of every directory on the way to /var/spool/postfix/var/run/saslauthd (smtpd needs search permission on each of them, not just on the last one) and that the postfix user really is in the sasl group (id postfix). If the message ends in “No such file or directory” instead, saslauthd is not running or its socket is not where smtpd looks for it.
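To make that check less error-prone, here is a small sh script, added here and not part of the original post, that walks every directory on the way to the socket and reports the ones a non-owner member of the sasl group could not search, then checks that the mux socket exists and that postfix really is in the group. It assumes POSIX sh, ls and cut, no whitespace in the paths, and the path and group names used in this post; the function names are mine.

```shell
#!/bin/sh
# Added example, not part of the original post: a quick check for the
# "cannot connect to saslauthd server: Permission denied" case.  smtpd runs as
# the postfix user and needs search (x) permission on every directory between
# / and the saslauthd socket, and the socket itself must exist.
# Assumptions: POSIX sh, ls and cut; no whitespace in the paths; the postfix
# user is treated as a non-owner who is a member of the group given as $2
# (sasl in the post).

# Print each directory prefix of $1 from the top down, one per line
# (/var, /var/spool, ... for an absolute path; ./a, ./a/b for a relative one).
path_prefixes() {
    case $1 in /*) prefix= ;; *) prefix=. ;; esac
    old_ifs=$IFS
    IFS=/
    set -- $1
    IFS=$old_ifs
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        prefix="$prefix/$comp"
        echo "$prefix"
    done
}

# Report every directory on the way to $1 that a non-owner member of group $2
# cannot search.  Returns 0 when the whole path is reachable, 1 otherwise.
check_socket_path() {
    sockdir=$1
    grp=$2
    bad=0
    for dir in $(path_prefixes "$sockdir"); do
        if [ ! -d "$dir" ]; then
            echo "MISSING  $dir"
            bad=1
            continue
        fi
        # ls -ldL prints: mode links owner group size date... ; -L follows the
        # /var/run/saslauthd symlink so the real directory is inspected.
        set -- $(ls -ldL "$dir")
        mode=$1
        owner=$3
        group=$4
        gx=$(printf '%s' "$mode" | cut -c7)    # group execute bit (s = setgid)
        ox=$(printf '%s' "$mode" | cut -c10)   # other execute bit (t = sticky)
        reachable=0
        case $ox in x|t) reachable=1 ;; esac
        case $gx in x|s) [ "$group" = "$grp" ] && reachable=1 ;; esac
        if [ $reachable -eq 1 ]; then
            echo "ok       $mode $owner:$group $dir"
        else
            echo "BLOCKED  $mode $owner:$group $dir"
            bad=1
        fi
    done
    return $bad
}

# The socket postfix connects to is $1/mux; if it is missing, saslauthd is not
# running or was started with a different socket directory (-m).
check_mux() {
    [ -S "$1/mux" ]
}

# Is user $1 a member of group $2?  (adduser postfix sasl in the post)
user_in_group() {
    id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# Demo against the post's layout; prints one line per directory.
if check_socket_path /var/spool/postfix/var/run/saslauthd sasl; then
    echo "directory path ok"
fi
check_mux /var/spool/postfix/var/run/saslauthd || echo "no mux socket: is saslauthd running?"
user_in_group postfix sasl || echo "postfix is not in group sasl"
```

A directory two levels up with mode 700 (for example /var/spool/postfix/var/run owned by root with drwx------) shows up as BLOCKED even though the saslauthd directory itself looks fine, which is exactly the case that is easy to miss when only the last directory is inspected.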

53 Responses to “Postfix and SASL (Debian)”

  1. Arnaud DA COSTA says:

    Thank you for this crystal-clear article !

    I had problems to generate the encoding because of a quote problem, so I change this line :

perl -MMIME::Base64 -e 'print encode_base64("jimmy\0jimmy\0real-secret");'

    by this

perl -MMIME::Base64 -e "print encode_base64('jimmy\0jimmy\0real-secret');"

  2. Jim says:

    Simply awesome.

    I went to the official websites of the various packages involved in this.
    I read blogs, HOWTOs and FAQs

    Everyone was demanding that I become an expert in everything they created, before I’d really be allowed to use it

    You instead wrote perfectly clear documentation. Congratulations… the lack of information like this is holding Linux back from even more popular acceptance (I’m not a newb, I started with Linux 1.0 or something like that, and have been on the net since there was a net)… but clear technical writing is lacking in our world generally.

    Great research, great writeup. Thank you.

  3. jimmy says:

    Thank you guys for the nice feedback. That keeps me motivated to blog such things :-)
    About the quoting: I’m not sure why you had to change it, maybe it was another shell. Hint for other readers: Arnaud replaced the two single quotes with double quotes. I think it’s hard to see, thanks to my blogging software :-( It also removed the \0 between username and password.

  4. Axel says:

    Thank You for creating this HowTo.
    But I still have a problem when I want to create the encrypted passwort
    perl -MMIME::Base64 -e 'print encode_base64("username\0username\0password");'
    this makes a
    Backslash found where operator expected at -e line 1, near "username\"
    Bareword found where operator expected at -e line 1, near "0username"
    (Missing operator before username?)
    Backslash found where operator expected at -e line 1, near "username\"
    Bareword found where operator expected at -e line 1, near "0password"
    (Missing operator before password?)
    syntax error at -e line 1, near "username\"
    Execution of -e aborted due to compilation errors.

    And I have also a problem with the saslauthd socket
    I made it up the same way as you (and a lot of others) describe it, but I always get a
    warning: SASL authentication failure: cannot connect to saslauthd server: Permission denied
    This is also the case when I made a chmod -R 777 on /var/spool/postfix/var/run/saslauthd

  5. jimmy says:

    Axel, use double quotes instead of single quotes. I think that should work.
    About the saslauthd: Looks like a very specific problem. Feel free to mail me about that.

  6. Arnaud DA COSTA says:

    About chroot…

    You can avoid moving directories /var/run, etc.

    1)Just add the following line in /etc/default/saslauthd :

    PARAMS="-m /var/spool/postfix/var/run/saslauthd"

    2) edit /etc/init.d/postfix on line 43 or so, add "etc/sasldb2"

    This way, postfix will copy sasldb2 on startup to the chroot directory

  7. SunDevil says:

    Axel
    “cannot connect to saslauthd server: Permission denied” can mean a few things:
    1. Is saslauthd running?
    2. If you run smtpd in chroot (check master.cf for smtp and smtps) make sure saslauthd had the correct PARAMS (see post 6.) You can see the params in the ps tree.
    3. If you do not run smtpd in chroot then dont set the params.

  8. Ryan says:

    You guys ROCK!

    The whole article helped me check my work in 2 seconds and the suggestions for the “permission denied” error in comment 6 worked like a charm!

  9. oscar says:

    Thanks! Yours is the first howto I ran across that even mentions having to start saslauthd by editing /etc/defaults/saslauthd.

  10. murray says:

    Jimmy, looks like you have used pwcheck with sasl and postfix in the past. I am trying to get pwcheck working on my solaris box. My main.cf looks much the same as yours, but my smtpd.conf has pwcheck_method: pwcheck. I can see pwcheck running in the background (I just started it manually for now), and I can see it created a socket at /var/pwcheck/pwcheck. I ran a telnet session like your example, using the same perl script to generate the encoded user/pass. But I get authentication error. I notice in the syslog that sasl has correctly extracted the username (it does not print the password in syslog) but then says ‘Userid not found’ or similar. Any clues ? I do notice in the pwcheck source code that it seems to log to syslog, but I dont know how to configure syslog.conf to turn this on.
    I will appreciate any tips of wisdom you may have on this.

  11. J Oshibko says:

    Thank you, thank you. This model of clarity resolved a days-old bottleneck on my latest Debian server (a migration from Redhat). The key was the symlink in /var/run.

  12. Tony Mancill says:

    Very useful walk-thru. I’m running a setup like this on debian etch, and wanted to mention that after the latest sasl upgrades (package dated around 2006/09/17, I think), I had to rmdir /var/run/saslauthd and then create a symlink to the chrooted saslauthd directly from /var/run.

  13. This is an obvious one, but make sure _every_ directory in the path /var/spool/postfix/var/run/saslauthd has permissions sufficient for smtpd to access (and keep checking them). At some point earlier today I accidentally created a symlink from /var/run/saslauthd to /var/spool/postfix/var/run (note the missing saslauthd on the latter path). The saslauthd init script kindly changed the permissions on the ‘run’ directory, so after I corrected the path issue, smtpd could no longer access /var/spool/postfix/var/run/saslauthd/mux even though the permissions on that file and its immediate parent looked fine. Phew!

    Also of use, if your situation is Really Bad ™, setup a debugger on smtpd:

    in main.cf:

    debugger_command =
        PATH=/usr/bin
        strace -o /tmp/$process_name -p $process_id & sleep 5

    in master.cf, add the ‘-D’ option to the smtpd process responsible for receiving mail from clients

    Restart postfix, try to send a message from your client, and check out /tmp/smtpd.

    Good luck! (Thanks for the good tutorial, btw.)

  14. Richard Guy says:

    Thank you so much. Reading all the HOWTOs gave me a thumping headache, and of course I still had problems. But this worked! :-)

  15. Ron says:

    I don’t usually believe in censorship but all the other howtos should be banned. I’m another victim of spending days trying to make this work and yours resolved everything in about an hour.

  16. Treelife says:

    This from the Postfix website http://www.postfix.org/SASL_README.html:

    “..To run software chrooted with SASL support is an interesting exercise. It probably is not worth the trouble…”

    I actually just removed the chroot ( in the master.cf file).

    Security should to breach the principle of sticking to the author’s recommendations!!!

    Bestest

  17. Bitelxux says:

    Great work !!
    This so clear article was crucial for me for taking this thing working after 4 hours asking Mr. Google for responses.

    Thank you

  18. Tony says:

    This is really useful, many thanks to you. I wasted a lot of time reading out-of-date docs before I found this site.

  19. ryan woodrum says:

    Very useful, thanks!

    Postfix is such a joy. Goodbye, sendmail.

  20. timor says:

    About “warning: SASL authentication failure: cannot connect to saslauthd server: Permission denied” problem read: zless /usr/share/doc/sasl2-bin/README.Debian.gz
    Part about:

    To place the saslauthd socket inside the Postfix chroot, edit
    /etc/default/saslauthd and set OPTIONS like this (you may omit -c):
    OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

    To set the run directory using dpkg-statoverride, run this command as root:
    dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd

    Finally, to add the postfix user to the sasl group:
    adduser postfix sasl

  21. Nepto says:

    This is the same setup as we have. The only issue with it is, that CRAM-MD5 authentication is not working. Other schemas are working well, but not MD5. Try it, and you will see.

  22. Chris says:

    Excellent! Very helpful post and comments.

  23. Olaf says:

    I cannot get it to work, I still get:
    postfix/smtpd[13689]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory

  24. Jimbo says:

    Thank you timor (comment number 20), those commands worked for my permission denied errors after upgrading Ubuntu. (and also thanks to Jimmy for this blog)

  25. Andrew says:

    Wow, thanks for the great article.
    I had previously been struggling with this but thanks to your article it is now a snap on my new servers.

    Cheers and keep up the good work

  26. CoolTexan says:

    Thanks for the great web site. I was struggling to get this working correctly. I looked at a few different web sites and none were as easy to follow and correct as yours.

    Thanks again!

  27. asdf says:

    Great help in figuring out why things weren’t working for me. At 4 AM when I can’t figure out what’s wrong, I also appreciate the high contrast page and clear writing of what to edit in key files.

    “warning: SASL authentication failure: cannot connect to saslauthd server: Permission denied”

    Only way I solved this was by making /var/run/saslauthd world read-execute (chmod a+rx).

    Postfix is not run chroot’d and there is no group for saslauthd on my setup.

    Thanks again for a great page.

  28. PinheiroRJ says:

    Great Article, tests telnet Ok.
    But using the client, I can send messages with “SMTP Server Authentication required” flag unchecked. Is this a normal behavior? AFAIK, the server should deny the connection, or not?
    Tks for help
    PinheiroRJ

  29. jimmy says:

    That depends on the configuration, especially “smtpd_recipient_restrictions”. In many cases “permit_mynetworks” is used (also in my example). So hosts from the inside LAN can send without SMTP Authentication.

    greets Jimmy

  30. nux says:

    Thanks. I had the permission issue outlined at the very end of the post. Quite frustrating trying to figure it out – just to find out it’s something as simple as it was.

    Thanks!

  31. John says:

    I could not get this working because of the following situation:

    postfix/smtpd[29658]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
    postfix/smtpd[29658]: warning: SASL authentication failure: Password verification failed
    postfix/smtpd[29658]: warning: localhost[127.0.0.1]: SASL LOGIN authentication failed

    Two articles were of some help with this:

    http://enc.com.au/myscripts/postfixmysql.html (very dated, now, so not much use in resolving the problem but contains some useful information)

    http://www.kloopy.com/344_Postfix__SASL2__unable_to_open_Berkeley_db (I could not create a file where suggested and symlinking caused a “too many levels” error message, so ultimately this did fix the problem, either)

    …so, the actual solution that worked for me:

    /etc/default/saslauthd (make sure that the relevant part of this file contains the following (without the top and bottom leader dots) – but leave the rest of the file contents alone!)


    # Example: MECHANISMS="pam"
    MECHANISMS="pam"

    # Additional options for this mechanism. (default: none)
    # See the saslauthd man page for information about mech-specific options.
    MECH_OPTIONS="-a pam -O /etc/pam.d"

    /etc/postfix/sasl/smtpd.conf

    pwcheck_method: saslauthd
    mech_list: PLAIN LOGIN

    The smtpd.conf entries are actually as recommended by Postfix and don’t mean that your information will be unencrypted (if using a certificate, whether self-signed or not). The man pages on your machine (man obviously short for manual) should help you if you want to play with the mechs or mech options.

    Finally, for self-signed certificates signing without a load of expense: cacert.org or (£10!) 123-reg for their own branded Globalsign certs with server side extras that will work for your email and a multitude of things that require a certificate on your server.

    …and don’t forget about (Debian package) lsof (lsof -i :465, lsof -i :995, etc.) and tail -f /var/log/mail (CTRL+c to break out of it) to give you a blow-by-blow show of what’s happening when you are trying to test whether your latest email configuration works…

  32. John says:

    Also, if using Outlook, make the mail server lines correspond with the CN (canonical name) on the certificate if you want to get rid of that certificate cannot be trusted error box.

    ie: if your certificate is made out to domain.tld, your mailserver lines would need to look something like: [Incoming Mail Server] domain.tld [Outgoing Mail Server (SMTP)] domain.tld

    This also works for certificates with the CN as http://www.domain.tld

    Finally, it is possible that 123-reg branded certificates won’t have the server side extensions that the more expensive non-branded certificates have, so check first if this is your preference over cacert.org (and no, I don’t work for 123-reg or Globalsign!).

  33. Yves says:

    Jim, this page is the *only* site on the Net to clearly point out the postfix-sasl requirements and the consequences of the chroot.

    Thanks a lot.

  34. Anonymous says:

    Thank you very much! Helped me solve my SMTP problems. Goodbye relay access denied errors :D

  35. Cogsy says:

    Just spent 3 hours bouncing from site to site trying to sort out SMTP auth. All had small snippets of the info above – even had to translate a few from German.

    Within 30 seconds of finding this page I had managed to send some mail :)

    Thanks heaps!

    Cogsy

  36. jass says:

    hi .. i want to have
    250-AUTH LOGIN PLAIN
    250-AUTH=LOGIN PLAIN

    listed in below:
    [root@b postfix]# telnet localhost 25
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    220 mail.monk.com ESMTP Postfix
    ehlo mail.monk.com
    250-PIPELINING
    250-SIZE 10240000
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN

    it’s not there. And there’s no smtpd.conf anywhere. so i created one in
    /etc/sasl,
    /usr/lib/sasl
    /etc/postfix/sasl

    in smtpd.conf i added:
    pwcheck_method: saslauthd
    mech_list: plain login

    restarted everything and still i don’t see 250-AUTH LOGIN PLAIN
    250-AUTH=LOGIN PLAIN

    postfix ver: 2.4.5 centos 5.2
    thanks.

  37. marco says:

    thanks, you helped me a lot in just few minutes! thanks!


  39. James Light says:

    In addition, the following settings in /etc/postfix/main.cf may be useful:
    smtpd_sasl_type = cyrus
    cyrus_sasl_config_path = /etc/postfix/sasl

    Specifically the last one when added got rid of my Permission Denied errors.

  40. Peter N says:

    Excellent. Works fine! :)

  41. Gawrion says:

    Good job. Thats all i needed :)

  42. Diet says:

    Solved My SMTP problem. Cheers

  43. Thanks for the write-up. It really helped a lot. On my Ubuntu system, however, every time I restarted sasl-authd, the /var/spool/postfix/var/run/saslauthd directory would get changed back to being owned by root, and the ‘permission denied’ problem would reoccur. I found that in the /etc/init.d/sasl-authd script, there’s a line:

    create root sasl 710 $RUN_DIR

    I had to change that line to

    createdir postfix sasl 710 $RUN_DIR

    and now when it restarts and recreates the saslauthd directory, it recreates it properly.

  44. You are the Man. :) Cheers

  45. It’s very useful, thanks.

  46. TM says:

    I’m still getting “warning: SASL authentication failure: cannot connect to saslauthd server: Permission denied”. Here’s the permissions in /var/spool/postfix/var/run/saslauthd:

    root@foo:~# ls -l /var/spool/postfix/var/run/saslauthd
    total 940
    drwx--x--- 2 root sasl 4096 Aug 19 17:08 ./
    drwx------ 3 root root 4096 Aug 17 18:41 ../
    -rw------- 1 root root 0 Aug 19 17:08 cache.flock
    -rw------- 1 root root 945152 Aug 19 17:08 cache.mmap
    srwxrwxrwx 1 root root 0 Aug 19 17:08 mux=
    -rw------- 1 root root 0 Aug 19 17:08 mux.accept
    -rw------- 1 root root 6 Aug 19 17:08 saslauthd.pid

    Should all files in this dir belong to the sasl group? If so, how do I make this happen?

  47. eleos says:

    friend i really really thank you for this tutorial!!

  48. Rob Ray says:

    ah ha!

    Finally, to add the postfix user to the sasl group:
    adduser postfix sasl

    fixed my permission denied problem!

    thanks!

  49. Bruno says:

    Thank you for all. It’s very good help !

  50. Matthias says:

    Thank you very much… wasted so many hours with this…

  51. I have to say that the information here was the most complete that I found anywhere. I am definitely bookmarking this to come back and read later

  52. Joe says:

    Great great article. Very simple. Hope you don’t mind, I did a little translation to Spanish of your article for one of our how-tos on our webpage. http://pmssa.com.ar/postfix-and-sasl-debian/
    Thanks!
