
Postfix + dovecot and sasl. Works so far with 1 domain.

Added a virtual domain. Incoming mail for this works. Outgoing however has SASL authentication failing.

Why does it fail I don't know.

/etc/sasl2/smtpd.conf looks like:

pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN

postconf -n output:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 40960000
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, mail.$mydomain
mydomain = primary.net
myhostname = mail.primary.net
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
relay_domains = $mydestination, primary.net, seconddomain.org
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_client_restrictions = permit_sasl_authenticated
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_non_fqdn_hostname
smtpd_recipient_restrictions = permit_sasl_authenticated,
                               permit_mynetworks,
                               reject_invalid_hostname,
                               reject_unauth_pipelining,
                               reject_unauth_destination,
                               reject_rbl_client sbl-xbl.spamhaus.org,
                               permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_unknown_sender_domain
soft_bounce = no
unknown_local_recipient_reject_code = 550
virtual_alias_domains = mail.seconddomain.org
virtual_alias_maps = hash:/etc/postfix/virtual

The virtual alias domain works. But when I'm trying to authenticate with a virtual domain maillog throws the error:

 SASL PLAIN authentication failed

Any ideas what I should look at?

Update #1:

Following the instructions below I wasn't able to authenticate still, so I installed saslfinger and here is the output:

saslfinger - postfix Cyrus sasl configuration Tue Mar 24 07:23:10 GMT 2015
version: 1.0.2
mode: server-side SMTP AUTH

-- basics --
Postfix: 2.6.6
System: CentOS release 6.5 (Final)

-- smtpd is linked to --
    libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00007ff8b9655000)

-- active SMTP AUTH and TLS parameters for smtpd --
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
-- listing of /usr/lib64/sasl2 --
total 504
drwxr-xr-x.  2 root root  4096 Sep 15  2013 .
dr-xr-xr-x. 43 root root 20480 Jun 20  2014 ..
-rwxr-xr-x.  1 root root 18776 Nov 27  2012 libanonymous.so
-rwxr-xr-x.  1 root root 18776 Nov 27  2012 libanonymous.so.2
-rwxr-xr-x.  1 root root 18776 Nov 27  2012 libanonymous.so.2.0.23
-rwxr-xr-x   1 root root 22936 Nov 27  2012 libcrammd5.so
-rwxr-xr-x   1 root root 22936 Nov 27  2012 libcrammd5.so.2
-rwxr-xr-x   1 root root 22936 Nov 27  2012 libcrammd5.so.2.0.23
-rwxr-xr-x   1 root root 52088 Nov 27  2012 libdigestmd5.so
-rwxr-xr-x   1 root root 52088 Nov 27  2012 libdigestmd5.so.2
-rwxr-xr-x   1 root root 52088 Nov 27  2012 libdigestmd5.so.2.0.23
-rwxr-xr-x.  1 root root 18808 Nov 27  2012 liblogin.so
-rwxr-xr-x.  1 root root 18808 Nov 27  2012 liblogin.so.2
-rwxr-xr-x.  1 root root 18808 Nov 27  2012 liblogin.so.2.0.23
-rwxr-xr-x.  1 root root 18808 Nov 27  2012 libplain.so
-rwxr-xr-x.  1 root root 18808 Nov 27  2012 libplain.so.2
-rwxr-xr-x.  1 root root 18808 Nov 27  2012 libplain.so.2.0.23
-rwxr-xr-x.  1 root root 22784 Nov 27  2012 libsasldb.so
-rwxr-xr-x.  1 root root 22784 Nov 27  2012 libsasldb.so.2
-rwxr-xr-x.  1 root root 22784 Nov 27  2012 libsasldb.so.2.0.23

-- listing of /etc/sasl2 --
total 12
drwxr-xr-x.  2 root root 4096 Sep 20  2013 .
drwxr-xr-x. 93 root root 4096 Mar 22 03:43 ..
-rw-r--r--.  1 root root   70 Mar 24 07:22 smtpd.conf
-- content of /etc/sasl2/smtpd.conf --
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN
-- active services in /etc/postfix/master.cf --
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       -       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=$myhostname
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_login_maps=hash:/etc/postfix/virtual

smtps     inet  n       -       n       -       -       smtpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
    -o smtp_fallback_relay=
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache

-- mechanisms on localhost --
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN

-- end of saslfinger output --

Update #2:

I enabled verbose mode and here is the output after attempting to send an email. Note: I removed the timestamp and `srv postfix/smtpd[29481]:` from every line to make it a bit smaller to look at:

willdanceforfun
    So, you use sasldb for storing the credentials. Can you try creating password and verifying it by [following these steps](http://www.postfix.org/SASL_README.html#auxprop_sasldb)? – masegaloeh Feb 25 '15 at 03:26
  • I created a password ok, but trying to verify with testsaslauthd throws an error: connect() : No such file or directory. What I also don't understand is why with sasldb it says then to login with whole email address, not username, but my primary domain logs in with just the system username, not an email. – willdanceforfun Feb 25 '15 at 03:48
  • If you don't use the full email address to log in, then how do you differentiate between user logins for foo@example.net and foo@example.com? – masegaloeh Feb 25 '15 at 03:52
  • That's a good question. I don't yet, but don't understand why I'm telling it to use sasldb but it is letting me log in with a regular username. i.e. I hadn't previously added a password to sasldb to my knowledge and I've been using email like this for a while. – willdanceforfun Feb 25 '15 at 03:58
  • sasldblistusers2 only outputs the email address I just added after your comment, not the username I use to currently access my primary account. – willdanceforfun Feb 25 '15 at 03:59
  • Wait... If sasldblistusers2 only outputs recently-added email address, then where is the database of your old primary account? – masegaloeh Feb 25 '15 at 06:13
  • @masegaloeh that is what I am trying to also work out. currently the username I'm using is just a system user. I'm using the credentials of the user account. As though it isn't even using sasl, but when I send a mail the maillog shows that there is a sasl login with just a username - but not logging in with an email address! 0.o – willdanceforfun Feb 25 '15 at 07:18

1 Answer


Sorry for the misleading comment above. When you use sasldb, you don't need saslauthd running, so you can safely remove it from the startup script. You should run saslauthd when you do password checking via system users, LDAP or a remote IMAP server.

The first step is creating a database for sasldb using the saslpasswd2 binary:

# saslpasswd2 -c  username@example.com
Password:
Again (for verification):

Please verify it by running sasldblistusers2:

# sasldblistusers2
username@example.com: userPassword

This will save the database in the sasldb2 file; on my system the file is /etc/sasldb2. Because we need postfix (via the SASL library) to read it, change the group of this file so postfix can read it:

# ls -l /etc/sasldb2
-rw-r----- 1 root root 12288 Feb 27 06:09 /etc/sasldb2
# chgrp postfix /etc/sasldb2
# ls -l /etc/sasldb2
-rw-r----- 1 root postfix 12288 Feb 27 06:09 /etc/sasldb2

Your /etc/sasl2/smtpd.conf file above was fine:

pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN

Then test it:

  • Generate Base64 string of PLAIN credential format

    # echo -ne '\000username@example.com\000thepassword' | openssl base64
    SomERandOMCharActER
    
  • Test the credential

    telnet localhost 25
    Trying ::1...
    Connected to localhost.
    Escape character is '^]'.
    220 mail.example.com ESMTP Postfix
    EHLO localhost
    250-mail.example.com
    250-PIPELINING
    250-SIZE 10240000
    250-VRFY
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    AUTH PLAIN SomERandOMCharActER
    235 2.7.0 Authentication successful
    

Tested on CentOS 6.5 with postfix 2.3.3 and cyrus sasl version 2.1.

PS: If you still encounter the problem, please post the output of the saslfinger binary:

saslfinger -s

You can download it at the website of the Postfix book author.

If your postfix runs under a chroot configuration, then postfix can't access /etc/sasldb2 to authenticate usernames. To overcome this problem, we have two alternatives:

  1. In master.cf, turn off chroot in the submission/smtpd/smtps service or any other service that uses the smtpd binary
  2. Move sasldb2 to /var/spool/postfix/etc/ like this post. You can also symlink /var/spool/postfix/etc/sasldb2 to /etc/sasldb2:

    ln -sf /var/spool/postfix/etc/sasldb2 /etc/
    
masegaloeh
  • Thanks a lot for that extensive instructions! I think I followed your instructions exactly. When you generate Base64 credentials, do you leave in the three 0's? e.g. \000myemail@domain.com\000mypassword? I've tried a couple ways but still get authentication failed, but now it does appear to at least try the sasldb you helped me create. I've updated the post with the saslfinger -s output - is there anything you can see there that is a problem? – willdanceforfun Mar 24 '15 at 07:32
  • Yes, the triple 0 was mentioned in the postfix SASL readme. Anyway, it looks like the culprit was `smtpd_sasl_type`. You should leave it as the [default (cyrus)](http://www.postfix.org/postconf.5.html#smtpd_sasl_type) instead of configuring it as `dovecot` – masegaloeh Mar 24 '15 at 08:56
  • I made it default now, but still when I authenticate it gives the same error. I looked at maillog when I send an email using the sasl credentials and I get the error: ``warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: Not a directory``. If I do sasldblistusers2 it appears to be working correctly. It looks normal to me: ``[root@srv etc]# ls -l /etc/sasldb2 -rw-r----- 1 root postfix 12288 Mar 24 03:48 /etc/sasldb2`` Why does it expect sasldb2 to be a directory? – willdanceforfun Mar 25 '15 at 05:28
  • Hmmm that's strange. Can you enable verbose mode of postfix by following [this tutorial](http://www.postfix.org/DEBUG_README.html#debug_peer) ? Try it and post the log – masegaloeh Mar 25 '15 at 11:14
  • I did add verbose mode, it really outputs a lot of new information - I will update the post above. Otherwise, when I send an email here is what maillog outputs ``Mar 26 06:11:36 srv postfix/smtpd[29466]: connect from unknown[xx.xx.xx.xx] Mar 26 06:11:37 srv postfix/smtpd[29466]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: Not a directory Mar 26 06:11:37 warning: SASL authentication failure: no secret in database Mar 26 06:11:37 srv postfix/smtpd[29466]: warning: unknown[xx.xx.xx.xx]: SASL LOGIN authentication failed: authentication failure`` – willdanceforfun Mar 26 '15 at 06:19
  • Looks like your `submission` service in `master.cf` is still under the chroot setting. The reason why you see the **Not a directory** error is that there is no `/etc` directory inside `/var/spool/postfix`. See my update above – masegaloeh Mar 26 '15 at 06:44
  • Really appreciate the help! I think it is working now – willdanceforfun Mar 26 '15 at 08:35
  • Good :) Which option did you try? un-`chroot` option or move `/etc/sasldb2` option? – masegaloeh Mar 26 '15 at 08:45
  • Actually, I first did a symlink, reloaded and nothing was different. I then removed that, and moved sasldb2 instead. Reloaded, and still didn't work. So I changed master.cf to not allow chroot for submission. It still didn't work! I then rebooted the whole server and it worked. So I'm not sure exactly which one solved it. :) But I'm happy it worked – willdanceforfun Mar 26 '15 at 18:11
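To make the two failure points in this thread concrete, here is an added Python example (mine, not code from the answer or from the Postfix project). It builds and decodes the AUTH PLAIN initial response used in the telnet test in the answer, and reads a master.cf fragment to show which smtpd services run chrooted and where /etc/sasldb2 must then live. The master.cf sample is constructed from the saslfinger listing above, and the helper names and constants are my own assumptions.

```python
import base64

SASLDB = "/etc/sasldb2"                 # path from the answer above
QUEUE_DIRECTORY = "/var/spool/postfix"  # queue_directory from postconf -n above


def plain_initial_response(authcid, password, authzid=""):
    """Build the SASL PLAIN initial response (RFC 4616):
    [authzid] NUL authcid NUL passwd, base64-encoded. This is what
    `echo -ne '\\000user\\000pass' | openssl base64` produces in the answer."""
    for field in (authzid, authcid, password):
        if "\0" in field:
            raise ValueError("NUL is not allowed inside a PLAIN field")
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def parse_plain_initial_response(b64):
    """Decode a PLAIN response the way the server does; a missing NUL
    (e.g. the '\\000' was dropped from the echo) leaves fewer than 3 fields."""
    fields = base64.b64decode(b64, validate=True).decode("utf-8").split("\0")
    if len(fields) != 3:
        raise ValueError(f"expected 3 NUL-separated fields, got {len(fields)}")
    authzid, authcid, password = fields
    return {"authzid": authzid, "authcid": authcid, "password": password}


def chrooted_smtpd_services(master_cf):
    """Map each master.cf service that runs the smtpd binary to whether it is
    chrooted. Column 5 is the chroot flag; '-' takes the default, which the
    header comment in master.cf gives as (yes), so a bare '-' means chrooted."""
    result = {}
    for line in master_cf.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("-o"):
            continue  # blank, comment, or a '-o key=value' continuation line
        cols = line.split()
        if len(cols) >= 8 and cols[7] == "smtpd":
            result[cols[0]] = cols[4] in ("-", "y")
    return result


def effective_sasldb_path(chrooted, sasldb=SASLDB, queue_directory=QUEUE_DIRECTORY):
    """Path the SASL library opens from inside smtpd: under chroot the lookup is
    relative to queue_directory, which is why /var/spool/postfix/etc must exist."""
    return queue_directory.rstrip("/") + sasldb if chrooted else sasldb


# Constructed sample, cut down from the saslfinger master.cf listing above.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       -       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_path=private/auth
smtps     inet  n       -       n       -       -       smtpd
pickup    fifo  n       -       n       60      1       pickup
"""

if __name__ == "__main__":
    print("AUTH PLAIN", plain_initial_response("username@example.com", "thepassword"))
    for svc, chrooted in chrooted_smtpd_services(SAMPLE_MASTER_CF).items():
        print(f"{svc}: chroot={chrooted} -> opens {effective_sasldb_path(chrooted)}")
```

Running it against your own master.cf (read the file instead of SAMPLE_MASTER_CF) tells you which services would look for the database under /var/spool/postfix before you touch chroot settings.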