I can't get authenticated SMTP to work. Despite checking the permissions, I systematically get a "warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory". Plenty of docs cover it, but applying them doesn't give the expected result.
There's obviously something I'm not seeing...
If some kind soul could find the catch.
My config:
main.cf (the classic setup, with amavis and TLS):
myorigin = xxxx.org
mydomain = xxxx.org
myhostname = labruyere
#smtpd_banner = $myhostname ESMTP $mail_name
smtpd_banner = ns123456.ip-178-99-999.eu ESMTP - Nice to meet you
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
# TLS PARAMETERS:
# for receiving mail (SMTP server)
smtpd_use_tls=yes
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_received_header = yes
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5, LOW, MEDIUM, NULL, RC4, 3DES, eNULL, DHE_EXPORT
smtpd_tls_mandatory_ciphers = high
smtpd_tls_ciphers = medium
smtpd_tls_cert_file=/etc/letsencrypt/live/smtp.xxxx.org/cert.pem
smtpd_tls_key_file=/etc/letsencrypt/live/smtp.xxxx.org/privkey.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
# for sending mail (SMTP client)
smtp_use_tls=yes
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_exclude_ciphers = aNULL, MD5, LOW, MEDIUM, NULL, RC4, 3DES, eNULL, DHE_EXPORT
smtp_tls_mandatory_ciphers = high
smtp_tls_ciphers = medium
smtp_tls_cert_file=/etc/letsencrypt/live/smtp.xxxx.org/cert.pem
smtp_tls_key_file=/etc/letsencrypt/live/smtp.xxxx.org/privkey.pem
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# LDAP PARAMETERS
alias_maps = ldap:/etc/postfix/ldap-aliases.cf
virtual_alias_maps = hash:/etc/aliases
# canonical addresses on input (contact)
recipient_canonical_maps = hash:/etc/postfix/recipient_canonical
# SASL AUTHENTICATION
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_path = smtpd
smtpd_sasl_local_domain =
# Note that only localhost is trusted. Other clients will have to authenticate
#mynetworks = 127.0.0.0/8
mynetworks = 127.0.0.0/8
inet_interfaces = all
mydestination = localhost,xxxx.org
# Local transport agent: CYRUS
recipient_delimiter = +
local_transport = cyrus
cyrus_destination_recipient_limit = 1
local_recipient_maps =
notify_classes = 2bounce
#2bounce_notify_recipient = toto@alter-oueb.net
unknown_virtual_alias_reject_code = 550
# Filtering agent: AMAVIS
content_filter = smtp-amavis:[127.0.0.1]:10024
# Special transport agent
transport_maps = hash:/etc/postfix/transport
# Restrictions
disable_vrfy_command = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,
permit_mynetworks,
reject_unauth_pipelining,
reject_non_fqdn_recipient,
reject_non_fqdn_hostname,
reject_invalid_helo_hostname,
reject_unauth_destination,
check_recipient_access hash:/etc/postfix/sender_access
#check_policy_service inet:[127.0.0.1]:60000,
#reject_rbl_client dul.dnsbl.sorbs.net,
#reject_rbl_client zen.spamhaus.org
# Limitations
message_size_limit = 10662310
body_checks = regexp:/etc/postfix/body_checks
header_checks = regexp:/etc/postfix/header_checks
# Slow transports
slow_destination_concurrency_limit = 2
slow_destination_recipient_limit = 20
slow_destination_rate_delay = 2s
yahoo_initial_destination_concurrency = 1
yahoo_destination_concurrency_limit = 4
yahoo_destination_recipient_limit = 2
yahoo_destination_rate_delay = 1s
default_destination_concurrency_limit = 10
master.cf
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
#smtp inet n - - - - smtpd
smtp inet n - - - - smtpd -v
-o content_filter=spamassassin
submission inet n - - - - smtpd -v
-o smtpd_tls_security_level=may
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_authenticated_header=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-o content_filter=smtp-amavis:[127.0.0.1]:10026
-o milter_macro_daemon_name=ORIGINATING
#smtps inet n - - - - smtpd
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - - - - qmqpd
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - - 300 1 oqmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
# added 2016/03/18 for sending limits (slow transport)
slow unix - - n - 5 smtp
yahoo unix - - n - 5 smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - - - - smtp
-o smtp_fallback_relay=
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
#CLAMAV-AMAVIS
smtp-amavis unix - - y - 2 smtp
-o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes
-o disable_dns_lookups=yes
127.0.0.1:10025 inet n - y - - smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks=127.0.0.1
-o strict_rfc821_envelopes=yes
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
#maildrop unix - n n - - pipe
# flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# See the Postfix UUCP_README file for configuration details.
#
#uucp unix - n n - - pipe
# flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
#ifmail unix - n n - - pipe
# flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
#bsmtp unix - n n - - pipe
# flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
#scalemail-backend unix - n n - 2 pipe
# flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
#mailman unix - n n - - pipe
# flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
# ${nexthop} ${user}
cyrus unix - n n - - pipe
flags=R user=cyrus argv=/usr/sbin/cyrdeliver -r $sender -m $extension $user
spamassassin unix - n n - - pipe
flags=Rq user=debian-spamd argv=/etc/postfix/spamassassin.sh -oi -f ${sender} ${recipient}
/etc/saslauthd.conf
LDAP_SERVERS: ldap://localhost:389
LDAP_BIND_DN: cn=admin,dc=xxxx
LDAP_BIND_PW: xxxxxxxxxxxxxxx
LDAP_SEARCH_BASE: dc=xxxx
LDAP_FILTER: uid=%u
/etc/default/saslauthd
#
# Settings for saslauthd daemon
# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
#
# Should saslauthd run automatically on startup? (default: no)
START=yes
# Description of this saslauthd instance. Recommended.
# (suggestion: SASL Authentication Daemon)
DESC="SASL Authentication Daemon"
# Short name of this saslauthd instance. Strongly recommended.
# (suggestion: saslauthd)
NAME="saslauthd"
# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam -- use PAM
# rimap -- use a remote IMAP server
# shadow -- use the local shadow password file
# sasldb -- use the local sasldb database file
# ldap -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="ldap"
PARAMS="-O /etc/saslauthd.conf"
# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""
# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5
# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!
#
# WARNING: DO NOT SPECIFY THE -d OPTION.
# The -d option will cause saslauthd to run in the foreground instead of as
# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
# to run saslauthd in debug mode, please run it by hand to be safe.
#
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
# See the saslauthd man page and the output of 'saslauthd -h' for general
# information about these options.
#
# Example for chroot Postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
# Example for non-chroot Postfix users: "-c -m /var/run/saslauthd"
#
# To know if your Postfix is running chroot, check /etc/postfix/master.cf.
# If it has the line "smtp inet n - y - - smtpd" or "smtp inet n - - - - smtpd"
# then your Postfix is running in a chroot.
# If it has the line "smtp inet n - n - - smtpd" then your Postfix is NOT
# running in a chroot.
OPTIONS="-c -V -m /var/run/saslauthd"
It works, since:
testsaslauthd -u sam -p xxxxxx
0: OK "Success."
I made sure to add postfix to the sasl group:
groups postfix
postfix : postfix sasl
the permissions on /var/run/saslauthd are correct:
drwxr-xr-x 2 root sasl 140 déc. 13 08:51 saslauthd
and the running processes:
root 3227 0.0 0.0 65616 1796 ? Ss 08:51 0:00 /usr/sbin/saslauthd -a ldap -c -V -m /var/run/saslauthd -n 5
root 3232 0.0 0.0 67712 5020 ? S 08:51 0:00 /usr/sbin/saslauthd -a ldap -c -V -m /var/run/saslauthd -n 5
root 3233 0.0 0.0 65616 868 ? S 08:51 0:00 /usr/sbin/saslauthd -a ldap -c -V -m /var/run/saslauthd -n 5
root 3234 0.0 0.0 65616 868 ? S 08:51 0:00 /usr/sbin/saslauthd -a ldap -c -V -m /var/run/saslauthd -n 5
root 3235 0.0 0.0 67712 5020 ? S 08:51 0:00 /usr/sbin/saslauthd -a ldap -c -V -m /var/run/saslauthd -n 5
the Postfix ones, not chrooted:
root 7483 0.0 0.0 36168 4032 ? Ss 10:10 0:00 /usr/lib/postfix/master
postfix 9649 0.0 0.0 38232 3920 ? S 10:53 0:00 pickup -l -t fifo -u -c
postfix 9650 0.0 0.0 38280 3912 ? S 10:53 0:00 qmgr -l -t fifo -u
postfix 9652 0.0 0.0 42460 5500 ? S 10:53 0:00 tlsmgr -l -t unix -u -c
The problem:
during a telnet session:
EHLO toto.net
250-labruyere
250-PIPELINING
250-SIZE 10662310
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN AGFsdGVyLWNvbnNvAG9zbjBjcjN0bEE=
535 5.7.8 Error: authentication failed: generic failure
in the logs, this gives:
Dec 13 10:54:13 Labruyere postfix/smtpd[9651]: xsasl_cyrus_server_first: sasl_method PLAIN, init_response AGFsdGVyLWNvbnNvAG9zbjBjcjN0bEE=
Dec 13 10:54:13 Labruyere postfix/smtpd[9651]: xsasl_cyrus_server_first: decoded initial response
Dec 13 10:54:13 Labruyere postfix/smtpd[9651]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
Dec 13 10:54:13 Labruyere postfix/smtpd[9651]: warning: SASL authentication failure: Password verification failed
A classic permissions problem, for which I can't find an answer.
Apparently Postfix doesn't go to /var/run/saslauthd/mux... I've tried lots of things, without getting anywhere.
Thanks to the perceptive observer!
Last edited by Alter-Oueb (14-12-2017 17:17:49)
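The comment block quoted from /etc/default/saslauthd above carries the check that decides this kind of "cannot connect to saslauthd server" failure: a chrooted smtpd opens the saslauthd socket relative to the Postfix queue directory, so the -m directory saslauthd creates has to be the path as seen from inside that chroot. The script below is an added example, not code from the original post or from the Postfix or Cyrus SASL projects. It embeds a constructed master.cf excerpt modelled on the service lines shown above, applies the Debian rule from that comment (chroot column 'n' means not chrooted, 'y' or '-' means chrooted), and compares the socket path smtpd will try with the one an OPTIONS line of /etc/default/saslauthd produces. The queue directory /var/spool/postfix and the libsasl socket directory /var/run/saslauthd are assumptions (the Debian defaults); the chroot_flag, smtpd_socket_path, saslauthd_mux_dir and check_mux function names are the example's own.

```shell
#!/bin/sh
# Added diagnostic example, not part of the original post. It applies the rule
# quoted in the /etc/default/saslauthd comment: in master.cf the chroot column
# 'n' means not chrooted, while 'y' or '-' (the default) means chrooted.
# A chrooted smtpd opens the saslauthd socket relative to the Postfix queue
# directory (assumed here to be the default /var/spool/postfix), so saslauthd's
# -m directory must be the path as seen from inside that chroot.

# Constructed sample: service lines modelled on the master.cf shown in the post
# (the "-o ..." continuation lines are not needed for this check).
SAMPLE_MASTER_CF='
#smtp      inet  n       -       -       -       -       smtpd
smtp       inet  n       -       -       -       -       smtpd -v
submission inet  n       -       -       -       -       smtpd -v
127.0.0.1:10025 inet n   -       y       -       -       smtpd
local      unix  -       n       n       -       -       local
'

QUEUE_DIR=/var/spool/postfix   # assumption: Postfix default queue_directory

# chroot_flag SERVICE TYPE [MASTER_CF_TEXT]: print y, n or unknown
chroot_flag() {
    printf '%s\n' "${3:-$SAMPLE_MASTER_CF}" | awk -v svc="$1" -v type="$2" '
        /^[[:space:]]*#/ || NF < 8 { next }      # skip comments and -o lines
        $1 == svc && $2 == type {
            flag = ($5 == "n") ? "n" : "y"
            print flag; found = 1; exit
        }
        END { if (!found) print "unknown" }'
}

# smtpd_socket_path SERVICE TYPE SASL_DIR: real filesystem path of the mux
# socket that smtpd will try to open, where SASL_DIR is the directory libsasl
# is configured with (assumed Debian default: /var/run/saslauthd)
smtpd_socket_path() {
    case "$(chroot_flag "$1" "$2")" in
        y) printf '%s%s/mux\n' "$QUEUE_DIR" "$3" ;;
        n) printf '%s/mux\n' "$3" ;;
        *) printf 'unknown\n' ;;
    esac
}

# saslauthd_mux_dir OPTIONS_LINE: extract the -m directory from an
# OPTIONS="..." line of /etc/default/saslauthd
saslauthd_mux_dir() {
    printf '%s\n' "$1" | sed -n 's/.*-m[[:space:]]\{1,\}\([^" ]*\).*/\1/p'
}

# check_mux SERVICE TYPE SASL_DIR OPTIONS_LINE: "ok" if saslauthd creates its
# socket where smtpd will look for it, "mismatch" otherwise
check_mux() {
    wanted=$(smtpd_socket_path "$1" "$2" "$3")
    actual="$(saslauthd_mux_dir "$4")/mux"
    if [ "$wanted" = "$actual" ]; then echo ok; else echo mismatch; fi
}

# Report for the sample, using the OPTIONS line quoted in the post
OPTS='OPTIONS="-c -V -m /var/run/saslauthd"'
for svc in smtp submission; do
    printf '%s: chroot=%s, smtpd opens %s, saslauthd creates %s/mux -> %s\n' \
        "$svc" "$(chroot_flag "$svc" inet)" \
        "$(smtpd_socket_path "$svc" inet /var/run/saslauthd)" \
        "$(saslauthd_mux_dir "$OPTS")" \
        "$(check_mux "$svc" inet /var/run/saslauthd "$OPTS")"
done
```

On a real host, replace the embedded sample with the third argument of chroot_flag set to the contents of /etc/postfix/master.cf (`chroot_flag smtp inet "$(cat /etc/postfix/master.cf)"`) and pass the live OPTIONS line from /etc/default/saslauthd to check_mux; a "mismatch" result means the two daemons disagree on where the mux socket lives, which is exactly the condition that produces the "No such file or directory" warning regardless of group membership or directory mode.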