
So I've read a variety of tutorials and how-tos and I'm struggling to make sense of how to get SMTP auth working with virtual mailboxes in Postfix. I used this Ubuntu tutorial to get set up. I'm using Courier-IMAP and POP3 for reading mail, which seems to be working without issue.

However, the credentials used to read a mailbox are not working for SMTP. I can see from /var/log/auth.log that PAM is being used; does this require a UNIX user account to work? I'm using virtual mailboxes to avoid creating user accounts.

li305-246 saslauthd[22856]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
li305-246 saslauthd[22856]: do_auth         : auth failure: [user=fred] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]

/var/log/mail.log

li305-246 postfix/smtpd[27091]: setting up TLS connection from mail-pb0-f43.google.com[209.85.160.43]
li305-246 postfix/smtpd[27091]: Anonymous TLS connection established from mail-pb0-f43.google.com[209.85.160.43]: TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)
li305-246 postfix/smtpd[27091]: warning: SASL authentication failure: Password verification failed
li305-246 postfix/smtpd[27091]: warning: mail-pb0-f43.google.com[209.85.160.43]: SASL PLAIN authentication failed: authentication failure

I've created accounts in userdb as per this tutorial. Does Postfix also use authuserdb?

What debug information is needed to help diagnose my issue?

main.cf:

# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
smtpd_tls_key_file = /etc/ssl/private/smtpd.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# SMTP parameters

smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_auth_only = no
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

/etc/postfix/sasl/smtpd.conf

pwcheck_method: saslauthd
mech_list: plain login

/etc/default/saslauthd

START=yes

PWDIR="/var/spool/postfix/var/run/saslauthd"
PARAMS="-m ${PWDIR}"
PIDFILE="${PWDIR}/saslauthd.pid"
DESC="SASL Authentication Daemon"
NAME="saslauthd"
MECHANISMS="pam"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

/etc/courier/authdaemonrc

authmodulelist="authuserdb"

I've only modified one line in authdaemonrc and restarted the service as per this tutorial. I've added accounts to /etc/courier/userdb via userdb and userdbpw and run makeuserdb as per the tutorial.

SOLVED

Thanks to Jenny D for suggesting the use of rimap to authenticate against the localhost IMAP server (which reads userdb credentials).

I updated /etc/default/saslauthd to start saslauthd correctly (this page was useful)

MECHANISMS="rimap"
MECH_OPTIONS="localhost"
THREADS=0
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"

After doing this I got the following error in /var/log/auth.log:

li305-246 saslauthd[28093]: auth_rimap: unexpected response to auth request: * BYE [ALERT] Fatal error: Account's mailbox directory is not owned by the correct uid or gid: 
li305-246 saslauthd[28093]: do_auth         : auth failure: [user=fred] [service=smtp] [realm=] [mech=rimap] [reason=[ALERT] Unexpected response from remote authentication server]

This blog post detailed a solution by setting IMAP_MAILBOX_SANITY_CHECK=0 in /etc/courier/imapd.

Then restart your courier and saslauthd daemons for config changes to take effect.

sudo /etc/init.d/courier-imap restart
sudo /etc/init.d/courier-authdaemon restart
sudo /etc/init.d/saslauthd restart

Watch /var/log/auth.log while trying to send email. Hopefully you're good!

Greg K
    What does your saslauthd config look like? And why are you mentioning Dovecot and Courier-IMAP? They *should* be irrelevant to SMTP auth. – womble Jul 08 '12 at 11:13
  • I was explaining that reading email is working but I'm confused if sasl is used for POP3/IMAP auth, is the same resource not also used for SMTP auth? – Greg K Jul 08 '12 at 11:20
  • Without seeing your Courier config files, it's rather hard to tell if SASL is used for POP3/IMAP auth. – womble Jul 08 '12 at 11:24

1 Answer


This is actually more of a SASL question than a Postfix question. You've got Postfix set up to talk to SASL - so far, so good. Now you need to tell saslauthd where to find your usernames and passwords. If you don't give it any arguments, it will default to treating them as local users, which is what you're seeing in your auth.log.

As far as I know (which may not be very far when it comes to SASL), it doesn't use the same database as your virtual users for POP3. But there's an option for saslauthd to try to log in to the IMAP server with the same credentials - that should do what you want, I think.

To do this, you start saslauthd like this:

saslauthd -a rimap -O myimap.server.com

You should be able to test the authentication with the program testsaslauthd which should come with your sasl installation. Good luck!

Jenny D
  • Will this work if I don't have `rimap` in my saslauthd `MECHANISMS` list? Currently I have `MECHANISMS="pam"` – Greg K Jul 08 '12 at 11:35
  • Since you want to use rimap instead of pam, I certainly suggest editing the config file to reflect that. – Jenny D Jul 08 '12 at 12:48
  • Thanks, this pointed me in the right direction. I'll update my question with information on what I had to configure to get rimap auth working. – Greg K Jul 08 '12 at 20:17
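As an added example (not code from the question or the answer above), the following POSIX shell script ties together the two things discussed on this page: reading the saslauthd failure lines that show which backend (mech=pam vs mech=rimap) actually rejected the login, and then testing the Postfix -> saslauthd -> rimap -> Courier chain both directly with testsaslauthd (as Jenny D suggests) and end to end over SMTP with STARTTLS. The two sample log lines are quoted from the question; the credentials fred/secret, the saslauthd socket path (taken from the /etc/default/saslauthd shown in the question) and Postfix listening on localhost:25 are assumptions for the live check.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Offline helpers for SASL PLAIN tokens and saslauthd log lines, plus a
# live_check() that drives testsaslauthd and an SMTP STARTTLS session.
# Assumed: saslauthd mux path from the question's /etc/default/saslauthd,
# Postfix on localhost:25, and made-up credentials fred/secret.

# Build the SASL PLAIN initial response: base64("\0" authcid "\0" password).
# This is exactly what a client sends as "AUTH PLAIN <token>".
sasl_plain_token() {
    printf '\000%s\000%s' "$1" "$2" | base64 | tr -d '\n'
}

# Pull the [reason=...] field out of a saslauthd "do_auth : auth failure" line.
sasl_failure_reason() {
    printf '%s\n' "$1" | sed -n 's/.*\[reason=\(.*\)\]$/\1/p'
}

# Pull the [mech=...] field: the backend saslauthd actually used for the check.
sasl_failure_mech() {
    printf '%s\n' "$1" | sed -n 's/.*\[mech=\([^]]*\)\].*/\1/p'
}

# Map the two failure reasons seen in the question to their causes.
diagnose_reason() {
    case "$1" in
        "PAM auth error")
            echo "saslauthd is verifying against PAM (MECHANISMS=pam), which needs a UNIX account; virtual users need another backend such as rimap" ;;
        *"Unexpected response from remote authentication server"*)
            echo "rimap reached the IMAP server but the login was aborted; check the IMAP server's own error (for Courier, the mailbox ownership sanity check)" ;;
        *)
            echo "unrecognised reason: $1" ;;
    esac
}

# Two failure lines quoted from the question, used as sample input.
SAMPLE_PAM='li305-246 saslauthd[22856]: do_auth         : auth failure: [user=fred] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]'
SAMPLE_RIMAP='li305-246 saslauthd[28093]: do_auth         : auth failure: [user=fred] [service=smtp] [realm=] [mech=rimap] [reason=[ALERT] Unexpected response from remote authentication server]'

for line in "$SAMPLE_PAM" "$SAMPLE_RIMAP"; do
    echo "mech=$(sasl_failure_mech "$line"): $(diagnose_reason "$(sasl_failure_reason "$line")")"
done

# Live checks against a running system; not run by the offline test.
live_check() {
    user=$1
    pass=$2
    mux=/var/spool/postfix/var/run/saslauthd/mux   # PWDIR from the question + /mux

    # 1. Ask saslauthd directly, bypassing Postfix, for the smtp service.
    testsaslauthd -u "$user" -p "$pass" -s smtp -f "$mux" || return 1

    # 2. End to end through Postfix. The token is only sent after STARTTLS;
    # note that with smtpd_tls_auth_only = no the server would also accept
    # it in clear text, so real clients should not be configured that way.
    token=$(sasl_plain_token "$user" "$pass")
    printf 'EHLO test.example\r\nAUTH PLAIN %s\r\nQUIT\r\n' "$token" |
        openssl s_client -quiet -starttls smtp -connect localhost:25 2>/dev/null |
        grep -q '^235 ' || return 1
}
```

Run `live_check fred secret` on the server itself while tailing /var/log/auth.log: a failure at step 1 is a saslauthd/Courier problem (the mech= field tells you which backend answered), while a failure only at step 2 points at Postfix's smtpd_sasl_* settings or the smtpd.conf it reads.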