1

PS (SOLVED): Solution for Alpine Linux as of Mar 2021: the fix in cyrus-sasl 2.1.27-r12 is in the edge branch. 3.13 only has cyrus-sasl 2.1.27-r10.

PS: I know there are similar posts, but they are very dated, like 2015. My issue is from 2021, and this was working last year.

I use postfix with sasldb2 inside an alpine:edge docker container. But recently (Jan 2021) I discovered it stopped working. The situation is strange because the same /etc/sasl2/sasldb2 file works with saslauthd, but not if I use the auxprop setup.

Use sasldb2 (not working)

/etc/sasl2/smtpd.conf

pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN

Postfix log:

Jan 17 07:46:07 johnsiu postfix/smtpd[108]: connect from mail-ej1-x635.google.com[2a00:1450:4864:20::635]
Jan 17 07:46:08 johnsiu postfix/smtpd[108]: warning: SASL authentication failure: Couldn't fetch entry from /etc/sasl2/sasldb2
Jan 17 07:46:08 johnsiu postfix/smtpd[108]: warning: SASL authentication failure: Password verification failed
Jan 17 07:46:08 johnsiu postfix/smtpd[108]: warning: mail-ej1-x635.google.com[2a00:1450:4864:20::635]: SASL PLAIN authentication failed: generic failure
Jan 17 07:46:08 johnsiu postfix/smtpd[108]: lost connection after AUTH from mail-ej1-x635.google.com[2a00:1450:4864:20::635]
Jan 17 07:46:08 johnsiu postfix/smtpd[108]: disconnect from mail-ej1-x635.google.com[2a00:1450:4864:20::635] ehlo=2 starttls=1 auth=0/1 commands=3/4

Use saslauthd (working)

/etc/sasl2/smtpd.conf

pwcheck_method: saslauthd
mech_list: PLAIN

Run saslauthd manually:

saslauthd -a sasldb -d

Output:

saslauthd[125] :num_procs : 5
saslauthd[125] :mech_option: NULL
saslauthd[125] :run_path : /run/saslauthd
saslauthd[125] :auth_mech : sasldb
saslauthd[125] :using accept lock file: /run/saslauthd/mux.accept
saslauthd[125] :master pid is: 0
saslauthd[125] :listening on socket: /run/saslauthd/mux
saslauthd[125] :using process model
saslauthd[125] :forked child: 126
saslauthd[125] :forked child: 127
saslauthd[125] :forked child: 128
saslauthd[125] :forked child: 129
saslauthd[125] :acquired accept lock

saslauthd[125] :released accept lock
saslauthd[129] :acquired accept lock
saslauthd[125] :auth success: [user=test] [service=smtp] [realm=example.org] [mech=sasldb]
saslauthd[125] :response: OK

Postfix log:

Jan 17 07:48:41 johnsiu postfix/smtpd[120]: connect from mail-ej1-x631.google.com[2a00:1450:4864:20::631]
Jan 17 07:48:42 johnsiu postfix/smtpd[120]: disconnect from mail-ej1-x631.google.com[2a00:1450:4864:20::631] ehlo=2 starttls=1 auth=1 quit=1 commands=5

OS Version

# cat /etc/os-release

NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.13.0_alpha20201218
PRETTY_NAME="Alpine Linux edge"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://bugs.alpinelinux.org/"

Installed Packages

apk list -I|sort

WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/edge/main: No such file or directory
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/edge/community: No such file or directory
alpine-baselayout-3.2.0-r8 x86_64 {alpine-baselayout} (GPL-2.0-only) [installed]
alpine-keys-2.2-r0 x86_64 {alpine-keys} (MIT) [installed]
apk-tools-2.12.0-r3 x86_64 {apk-tools} (GPL-2.0-only) [installed]
busybox-1.32.0-r8 x86_64 {busybox} (GPL-2.0-only) [installed]
ca-certificates-20191127-r5 x86_64 {ca-certificates} (MPL-2.0 AND MIT) [installed]
ca-certificates-bundle-20191127-r5 x86_64 {ca-certificates} (MPL-2.0 AND MIT) [installed]
cyrus-sasl-2.1.27-r10 x86_64 {cyrus-sasl} (custom) [installed]
cyrus-sasl-crammd5-2.1.27-r10 x86_64 {cyrus-sasl} (custom) [installed]
cyrus-sasl-digestmd5-2.1.27-r10 x86_64 {cyrus-sasl} (custom) [installed]
cyrus-sasl-gs2-2.1.27-r10 x86_64 {cyrus-sasl} (custom) [installed]
cyrus-sasl-gssapiv2-2.1.27-r10 x86_64 {cyrus-sasl} (custom) [installed]
cyrus-sasl-login-2.1.27-r10 x86_64 {cyrus-sasl} (custom) [installed]
cyrus-sasl-ntlm-2.1.27-r10 x86_64 {cyrus-sasl} (custom) [installed]
cyrus-sasl-scram-2.1.27-r10 x86_64 {cyrus-sasl} (custom) [installed]
gdbm-1.19-r0 x86_64 {gdbm} (GPL-3.0-or-later) [installed]
heimdal-libs-7.7.0-r4 x86_64 {heimdal} (BSD-3-Clause) [installed]
icu-libs-67.1-r2 x86_64 {icu} (MIT ICU Unicode-TOU) [installed]
krb5-conf-1.0-r2 x86_64 {krb5-conf} (MIT) [installed]
libc-utils-0.7.2-r3 x86_64 {libc-dev} (BSD-2-Clause AND BSD-3-Clause) [installed]
libcom_err-1.45.6-r1 x86_64 {e2fsprogs} (GPL-2.0-or-later AND LGPL-2.0-or-later AND BSD-3-Clause AND MIT) [installed]
libcrypto1.1-1.1.1i-r0 x86_64 {openssl} (OpenSSL) [installed]
libgcc-10.2.1_pre1-r3 x86_64 {gcc} (GPL-2.0-or-later LGPL-2.1-or-later) [installed]
libsasl-2.1.27-r10 x86_64 {cyrus-sasl} (custom) [installed]
libssl1.1-1.1.1i-r0 x86_64 {openssl} (OpenSSL) [installed]
libstdc++-10.2.1_pre1-r3 x86_64 {gcc} (GPL-2.0-or-later LGPL-2.1-or-later) [installed]
libtls-standalone-2.9.1-r1 x86_64 {libtls-standalone} (ISC) [installed]
lmdb-0.9.27-r0 x86_64 {lmdb} (OLDAP-2.8) [installed]
musl-1.2.2_pre6-r0 x86_64 {musl} (MIT) [installed]
musl-utils-1.2.2_pre6-r0 x86_64 {musl} (MIT BSD GPL2+) [installed]
ncurses-libs-6.2_p20210109-r0 x86_64 {ncurses} (MIT) [installed]
ncurses-terminfo-base-6.2_p20210109-r0 x86_64 {ncurses} (MIT) [installed]
postfix-3.5.8-r0 x86_64 {postfix} (IPL-1.0 EPL-2.0) [installed]
readline-8.1.0-r0 x86_64 {readline} (GPL-2.0-or-later) [installed]
scanelf-1.2.6-r1 x86_64 {pax-utils} (GPL-2.0-only) [installed]
sqlite-libs-3.34.0-r1 x86_64 {sqlite} (Public-Domain) [installed]
ssl_client-1.32.0-r8 x86_64 {busybox} (GPL-2.0-only) [installed]
tzdata-2020f-r0 x86_64 {tzdata} (Public-Domain) [installed]
zlib-1.2.11-r3 x86_64 {zlib} (Zlib) [installed]

I am not sure if this is an Alpine distro issue, a postfix issue or a cyrus-sasl issue.

My docker container: https://hub.docker.com/repository/docker/jsiu/postfix

Issue still exists after updating to postfix 3.5.9-r0.


testsaslauthd result:

/ # ls -lh /run/saslauthd/
total 4K
srwxrwxrwx    1 root     root           0 Feb 18 02:36 mux
-rw-------    1 root     root           0 Feb 18 02:36 mux.accept
-rw-------    1 root     root           4 Feb 18 02:36 saslauthd.pid

The following syntax works:

/ # testsaslauthd -f /run/saslauthd/mux -r **** -u **** -p ****

But the following doesn't work:

/ # testsaslauthd -f /run/saslauthd/mux -s"smtpd" -u"****@****" -p"****"
0: NO "authentication failed"

Tried single quote, double quote, no quote, space, for the password but same result.

Output from 'saslauthd -a sasldb -d' for the failed attempt:

/etc/postfix # saslauthd -a sasldb -d
saslauthd[195] :num_procs  : 5
saslauthd[195] :mech_option: NULL
saslauthd[195] :run_path   : /run/saslauthd
saslauthd[195] :auth_mech  : sasldb
saslauthd[195] :using accept lock file: /run/saslauthd/mux.accept
saslauthd[195] :master pid is: 0
saslauthd[195] :listening on socket: /run/saslauthd/mux
saslauthd[195] :using process model
saslauthd[195] :forked child: 196
saslauthd[196] :acquired accept lock
saslauthd[195] :forked child: 197
saslauthd[195] :forked child: 198
saslauthd[195] :forked child: 199


saslauthd[198] :acquired accept lock
saslauthd[196] :released accept lock
saslauthd[196] :auth failure: [user=****@****] [service=smtpd] [realm=] [mech=sasldb] [reason=Unknown]
saslauthd[196] :response: NO
John Siu

3 Answers

2

It's a bug. The errno for the fetch call gets clobbered by another call. See: https://github.com/cyrusimap/cyrus-sasl/pull/554

Alpine fix: https://gitlab.alpinelinux.org/alpine/aports/-/merge_requests/18576

EDIT: merged and released as 2.1.27-r12 into Alpine Edge as of 2021-03-10.

Flygsand
  • Thank you! Will accept once fix is available for deployment. – John Siu Feb 21 '21 at 18:28
  • On the other hand, why does one syntax work and the other doesn't? – John Siu Feb 21 '21 at 19:31
  • Not sure exactly what you mean, but in your example you're using two different check methods. In any case, the fix has now been merged and released as 2.1.27-r12 into Alpine Edge. – Flygsand Mar 12 '21 at 16:31
  • Never mind the syntax, I forced a rebuild of my docker postfix and it is working now!! Thank you!! – John Siu Mar 13 '21 at 01:21
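
The class of bug named in the answer above ("the errno for the fetch call gets clobbered by another call"), as an added C sketch that is not part of the original answer and is not cyrus-sasl code. `toy_fetch`, `toy_close` and the `LOOKUP_*` codes are hypothetical stand-ins, and the stored entry is constructed sample data.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

enum { LOOKUP_OK = 0, LOOKUP_NOUSER = 1, LOOKUP_FAIL = -1 };

/* Hypothetical store lookup: returns the value, or NULL with errno = ENOENT. */
static const char *toy_fetch(const char *key) {
    errno = 0;
    if (strcmp(key, "test@example.org") == 0)
        return "secret";                 /* constructed sample entry */
    errno = ENOENT;
    return NULL;
}

/* Hypothetical cleanup: it succeeds, but leaves its own value in errno,
 * which C library calls are allowed to do even when they do not fail. */
static void toy_close(void) { errno = EINVAL; }

static int classify(const char *val, int err) {
    if (val != NULL && err == 0) return LOOKUP_OK;
    if (err == ENOENT) return LOOKUP_NOUSER;
    return LOOKUP_FAIL;                  /* surfaces as a generic failure */
}

/* Buggy order: errno is read after toy_close() has overwritten it. */
int lookup_buggy(const char *key) {
    const char *val = toy_fetch(key);
    toy_close();
    return classify(val, errno);
}

/* Fixed order: capture the fetch result's errno before any other call. */
int lookup_fixed(const char *key) {
    const char *val = toy_fetch(key);
    int saved = errno;
    toy_close();
    return classify(val, saved);
}

int main(void) {
    printf("buggy, existing user: %d\n", lookup_buggy("test@example.org"));
    printf("fixed, existing user: %d\n", lookup_fixed("test@example.org"));
    printf("fixed, unknown user:  %d\n", lookup_fixed("nobody@example.org"));
    return 0;
}
```
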
1

Like you suggest, it's important to pinpoint the issue. Your authentication chain goes like this: postfix => (Cyrus) saslauthd => /etc/sasldb2

I suggest you test SASL using the testsaslauthd command:

testsaslauthd -f /run/saslauthd/mux -s"smtp" -u"test@example.org" -p"yourpass"
testsaslauthd -f /run/saslauthd/mux -s"smtp" -r"example.org" -u"test" -p"yourpass"

If the above doesn't work, please post the output here.

If the above works, you will get

0: OK "Success."

and we will have to look further than SASL.

Bjorn
  • Thank you for the response. I added a 'testsaslauthd result' section at the end of my post. Basically the first syntax failed, the 2nd syntax works. – John Siu Feb 20 '21 at 21:57
0

I have the same kind of issue.

After updating from Alpine container 3.12.3 to 3.13.3 my postfix with sasl did not work. First it could not read my sasldb2 file at all - I had to recreate it with saslpasswd2. sasldblistusers2 then worked.

But postfix does not work with this. I get this error message:

SASL authentication failure: Couldn't fetch entry from /etc/sasl2/sasldb2

I had to go back to 3.12.3 and rebuild the container because I did not find any suitable solution for this.

Andrew Schulman
  • 3.13 only has cyrus-sasl 2.1.27-r10. You need to use the edge branch to get cyrus-sasl 2.1.27-r12 for the fix. I updated that on the top of my post now. – John Siu Mar 27 '21 at 17:28