
I'm trying to get a hybrid exim/cyrus IMAP setup working. I do not use postfix; it is not installed. The OS is Debian 9, both on x64 and on a Raspberry Pi (Raspbian Stretch).

I've executed the install:

apt-get install cyrus-common cyrus-doc cyrus-pop3d cyrus-imapd cyrus-admin cyrus-murder cyrus-replication cyrus-nntpd cyrus-caldav cyrus-clients cyrus-dev libcyrus-imap-perl sasl2-bin

and am following the instructions on the Cyrus Quickstart Guide page.

I'm stuck at the point:

testsaslauthd -u imapuser -p secret

described in Section 4 of the article above, and instead of getting OK "Success", I got an error:

connect() : No such file or directory

That meant that I had misread the /etc/default/saslauthd comment about startup; you MUST edit that file to get the daemon to start properly. But now I get

0: NO "authentication failed"

but only on the x64 server. The Pi gives the OK message.

[Edit 05/10/2018 22:18 BST] I must admit that earlier in the day I had tried to install Kolab (Installation of Kolab 16 on Debian 9) on the x64, but had to back out when I discovered it needed postfix. It must be exim. I had to spend a couple of hours cleaning up the mess it left behind. The Raspberry Pi, however, did not suffer that fate.

Any ideas would be welcome.

birdwes

1 Answer


The answer is that I had missed a step on the x64.

The Kolab uninstall removed my /etc/default/saslauthd file, a fresh copy of which I had to upload from the Raspberry Pi.

If you see something like this:

root@example:/var/run/saslauthd# ps -deaf | grep sasl
root      1559     1  0 Oct05 ?        00:00:00 /usr/sbin/saslauthd -a pam -c -m /var/run/saslauthd -n 5
root      1560  1559  0 Oct05 ?        00:00:00 /usr/sbin/saslauthd -a pam -c -m /var/run/saslauthd -n 5
root      1561  1559  0 Oct05 ?        00:00:00 /usr/sbin/saslauthd -a pam -c -m /var/run/saslauthd -n 5
root      1562  1559  0 Oct05 ?        00:00:00 /usr/sbin/saslauthd -a pam -c -m /var/run/saslauthd -n 5
root      1563  1559  0 Oct05 ?        00:00:00 /usr/sbin/saslauthd -a pam -c -m /var/run/saslauthd -n 5
root     21671 21496  0 00:56 pts/1    00:00:00 grep sasl

Note the -a pam; it should be -a sasldb. This is fixed by MECHANISMS="sasldb" in the /etc/default/saslauthd file. I had read the instructions but did not follow them closely enough after trying to repair the damage from the broken Kolab uninstall.

[Edit 07/10/2018 01:56] Additional information for when you get to the next stage:

I have updated the page at https://github.com/Exim/exim/wiki/AuthenticatedSmtpUsingSaslauthd to add the "realm" parameter:

server_condition = ${if saslauthd{{${local_part:$auth1}}{$auth2}{}{${domain:$auth1}}}{1}{0}}

This came from looking at the exim source in expand.c; it was only documented in the source code:

For virtual mailbox hosting with /etc/default/saslauthd:MECHANISMS="sasldb", with the LOGIN authenticator, and your login names are of the format username@example.com, you will need to extract the domain part and pass it in as the "realm" parameter as follows:

// From the source code comment in expand.c
${if saslauthd {{username}{password}{service}{realm}}  {yes}{no}}

You can test with cyrus the username and password on the server shell with e.g.

testsaslauthd -u username -r example.com -p secret

It does not work with

testsaslauthd -u username@example.com -p secret

I now have the problem that the mail is stuck in exim and lmtp is not working.

If you have got this far, you can verify it with OpenSSL and should see something like this:

root@raspberrypi:/usr/local/src/exim-4.91/src# openssl s_client -starttls smtp -crlf -connect mx.yourbigserver.co.uk:25
CONNECTED(00000003)
depth=0 C = GB, ST = Somewhere, L = Else, O = yourbigserver.co.uk, CN = Your Name, emailAddress = you@yourpersonalemailserver.co.uk
verify error:num=18:self signed certificate
verify return:1
depth=0 C = GB, ST = Somewhere, L = Else, O = yourbigserver.co.uk, CN = Your Name, emailAddress = you@yourpersonalemailserver.co.uk
verify return:1
---
Certificate chain
 0 s:/C=GB/ST=Somewhere/L=Else/O=yourbigserver.co.uk/CN=Your Name/emailAddress=you@yourpersonalemailserver.co.uk
   i:/C=GB/ST=Somewhere/L=Else/O=yourbigserver.co.uk/CN=Your Name/emailAddress=you@yourpersonalemailserver.co.uk
---
Server certificate
-----BEGIN CERTIFICATE-----
MIID
<snip/>
==
-----END CERTIFICATE-----
subject=/C=GB/ST=Somewhere/L=Else/O=yourbigserver.co.uk/CN=Your Name/emailAddress=you@yourpersonalemailserver.co.uk
issuer=/C=GB/ST=Somewhere/L=Else/O=yourbigserver.co.uk/CN=Your Name/emailAddress=you@yourpersonalemailserver.co.uk
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1776 bytes and written 302 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: xxxxxxxxxxxxxxxxxxxx
    Session-ID-ctx: 
    Master-Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1538862964
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: yes
---
250 HELP
EHLO test.com
250-myserver.myprovider.net Hello me.my.example.com [8.8.8.8]
250-SIZE 36700160
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-CHUNKING
250-PRDR
250 HELP
AUTH LOGIN
334 VXNlcm5hbWU6
dXNlcm5hbWVAZXhhbXBsZS5jb20=
334 UGFzc3dvcmQ6
c2VjcmV0
235 Authentication succeeded
mail from:username@example.com
250 OK
rcpt to:username@example.com
250 Accepted
DATA
354 Enter message, ending with "." on a line by itself
Hello 2!
.
250 OK id=1g8uZF-00027o-TS
quit
221 myserver.myprovider.net closing connection
closed
root@raspberrypi:/usr/local/src/exim-4.91/src# 

And the big GOTCHA with OpenSSL: if you type a capital R, it goes into a renegotiate sequence, which is why, in the example above, "mail from:" and "rcpt to:" are in lower case.

[Edit 07/10/2018 15:42] The final part of getting this all working is here:

Getting Exim LMTP to Cyrus working

It works like a dream now.

birdwes
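As an added example (my own code, not the poster's and not part of exim, Cyrus or saslauthd), the following Python script works through the two checks the answer above relies on: comparing the mechanism saslauthd is actually running with (the `-a` value in the `ps` listing) against MECHANISMS in /etc/default/saslauthd, and splitting a login of the form username@example.com into the local part and realm that the exim `${local_part:...}`/`${domain:...}` expansion hands to saslauthd. It also encodes and decodes the AUTH LOGIN lines from the openssl session so you can see what actually crosses the wire. The ps output, defaults-file fragment and transcript are constructed samples modelled on the answer; the assumption that a login without "@" yields an empty realm is mine.

```python
import base64
import os
import re

# Constructed sample of `ps -deaf | grep sasl` output, modelled on the listing
# in the answer above (hypothetical PIDs; not copied from a live host).
PS_SAMPLE = (
    "root      1559     1  0 Oct05 ?        00:00:00 "
    "/usr/sbin/saslauthd -a pam -c -m /var/run/saslauthd -n 5\n"
    "root     21671 21496  0 00:56 pts/1    00:00:00 grep sasl\n"
)

# Constructed /etc/default/saslauthd fragment with the MECHANISMS setting the
# answer says a sasldb-backed Cyrus setup needs.
DEFAULTS_SAMPLE = 'START=yes\nMECHANISMS="sasldb"\nOPTIONS="-c -m /var/run/saslauthd"\n'

# Constructed copy of the AUTH LOGIN part of the openssl s_client session above.
AUTH_SAMPLE = (
    "AUTH LOGIN\n"
    "334 VXNlcm5hbWU6\n"
    "dXNlcm5hbWVAZXhhbXBsZS5jb20=\n"
    "334 UGFzc3dvcmQ6\n"
    "c2VjcmV0\n"
    "235 Authentication succeeded\n"
)


def running_mechanism(ps_output):
    """Return the value following -a on the first saslauthd command line in
    `ps` output, or None if no saslauthd process is listed."""
    for line in ps_output.splitlines():
        fields = line.split()
        for i, tok in enumerate(fields):
            if os.path.basename(tok) == "saslauthd":  # the command, not the -m path
                argv = fields[i:]
                if "-a" in argv and argv.index("-a") + 1 < len(argv):
                    return argv[argv.index("-a") + 1]
                break
    return None


def configured_mechanism(defaults_text):
    """Return MECHANISMS from an /etc/default/saslauthd-style file, or None."""
    m = re.search(r'^\s*MECHANISMS\s*=\s*"?([^"\n]*)"?\s*$', defaults_text, re.M)
    if not m:
        return None
    return m.group(1).strip() or None


def mechanism_mismatch(ps_output, defaults_text):
    """True when the running daemon's -a mechanism differs from MECHANISMS in
    the defaults file: the symptom diagnosed in the answer (saslauthd still
    running with -a pam although the file should say sasldb)."""
    return running_mechanism(ps_output) != configured_mechanism(defaults_text)


def split_login(login):
    """Split username@example.com into (local_part, realm), the two pieces the
    exim expansion ${local_part:$auth1} / ${domain:$auth1} passes to saslauthd.
    Assumption: a login without '@' gets an empty realm."""
    local_part, sep, realm = login.rpartition("@")
    if not sep:
        return login, ""
    return local_part, realm


def auth_login_responses(username, password):
    """The two base64 lines a client sends in reply to the AUTH LOGIN challenges."""
    return [base64.b64encode(s.encode("utf-8")).decode("ascii")
            for s in (username, password)]


def decode_auth_login(transcript):
    """Decode an AUTH LOGIN exchange into (side, text) pairs: each '334 ' line
    is a base64 server challenge and the next non-empty line is the client's
    base64 reply. Other transcript lines are left alone."""
    steps = []
    expect_reply = False
    for raw in transcript.splitlines():
        line = raw.strip()
        if line.startswith("334 "):
            steps.append(("S", base64.b64decode(line[4:]).decode("utf-8")))
            expect_reply = True
        elif expect_reply and line:
            steps.append(("C", base64.b64decode(line).decode("utf-8")))
            expect_reply = False
    return steps


if __name__ == "__main__":
    print("saslauthd runs with -a", running_mechanism(PS_SAMPLE),
          "/ file says", configured_mechanism(DEFAULTS_SAMPLE),
          "-> mismatch:", mechanism_mismatch(PS_SAMPLE, DEFAULTS_SAMPLE))
    for side, text in decode_auth_login(AUTH_SAMPLE):
        print(side, text)
    print(split_login("username@example.com"))
```

The decoded exchange makes the point the session above only hints at: AUTH LOGIN is base64, not encryption, so the username and password are readable by anyone on the path unless STARTTLS was negotiated first, which is why the `-starttls smtp` option and a non-self-signed certificate (so `Verify return code` is not 18) matter on a real server. The mechanism check is the programmatic form of "note the -a pam": if `mechanism_mismatch` is true after editing /etc/default/saslauthd, the daemon has simply not been restarted to pick the change up.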