postfix with saslauthd and plain authentication
Hi!
I have now spent 12 hours with Google and its results and am not getting any really useful information. I have the current Postfix version and the current Cyrus SASL version. Postfix is not supposed to become a relay host, and that is why I want to authenticate users for sending mail. When an external connection comes in that wants to send a mail to an internal account, that works wonderfully. When I send a mail to an internal address, that works too, but if the address, or rather the domain of the address, is not on my server, Postfix always tells me:

postfix/smtpd[2804]: NOQUEUE: reject: RCPT from unknown[192.168.0.5]: 554 <testkonto@anywhere.tld>: Relay access denied; from=<mein-lokales-konto@mein-server.tld> to=<testkonto@anywhere.tld> proto=ESMTP helo=<[192.168.0.5]>

My authentication is done with the help of saslauthd, which turns to PAM to access a MySQL DB. With Cyrus IMAPD this works flawlessly too. The funny thing, however, is that with SMTP authentication via AUTH PLAIN [Base64-encoded UN-PW combination] the SMTP server answers with AUTHENTICATION SUCCESSFUL and afterwards still screams "Relay access denied".

[smtpd.conf]:
-------------
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN

[main.cf - auth part]:
----------------------
# SMTP Authentication with SASL and PAM
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes

I would be very grateful if someone could help me, because by now I am very tired and actually have other things to do than spending, for 1 WEEK now (8h daily), almost all my time finding errors in POSTFIX and CYRUS. *newb* So please rescue me, thanks in advance, regards, groissi |
Hello,
2 points that I noticed:
- smtpd_sasl_local_domain is not filled in. That shouldn't matter, though.
- I suspect you store your passwords encrypted in the MySQL table, right? If that is the case, cyrus-sasl needs a patch. You are welcome to read more in my documentation, which is distribution-specific but should work everywhere. You will find the note about the patch in the section Cyrus-SASL 2 Install:
I hope I was able to help :) |
Postfix runs in a chroot.
Create a link from the sasl to /var/spool/postfix/var/run/saslauthd/ Sloter |
Quote:
How does it look with testsaslauthd? Does your user/pass combination work there? Is the smtp running chrooted (you can see that in master.cf)? |
hi!
Thanks for your answers. That about the SASL patch isn't right, since it is already included. For MySQL access you may have to patch it, but that is not necessary in my case, since I access it via the pam_mysql module. The whole thing does work for Cyrus IMAPD, after all. The passwords are stored shadow-compatible in the MySQL DB. With testsaslauthd the authentication works just as well as when I do it via a client; there I can also see in the network traffic (or in the log) that the authentication is successful. That is the big problem that I cannot make sense of. If I see it correctly, it is not running in a chroot environment. Regards, groissi |
Then the error can really only lie in the Postfix config itself.
A completely different question: does it work at all if you deactivate SASL and send mails from localhost? If that already doesn't work, then presumably mynetworks or mynetworks_style don't fit. Perhaps post the output of postconf. |
Hi m@rio!
Thanks for your answers, I am really starting to despair. I don't need to deactivate SASL, because when I send from localhost it lets me send without authentication too, since the loopback address is entered in mynetworks. Thanks for your answers. Regards, groissi

[postconf output - part I]:
----------------------------
2bounce_notice_recipient = postmaster access_map_reject_code = 554 address_verify_default_transport = $default_transport address_verify_local_transport = $local_transport address_verify_relay_transport = $relay_transport address_verify_relayhost = $relayhost address_verify_sender = postmaster address_verify_service_name = verify address_verify_transport_maps = $transport_maps address_verify_virtual_transport = $virtual_transport alias_database = hash:/etc/aliases alias_maps = hash:/etc/aliases allow_mail_to_commands = alias, forward allow_mail_to_files = alias, forward allow_min_user = no allow_percent_hack = yes allow_untrusted_routing = no append_at_myorigin = yes append_dot_mydomain = yes application_event_drain_time = 100s backwards_bounce_logfile_compatibility = yes berkeley_db_create_buffer_size = 16777216 berkeley_db_read_buffer_size = 131072 best_mx_transport = biff = yes body_checks = body_checks_size_limit = 51200 bounce_notice_recipient = postmaster bounce_queue_lifetime = 5d bounce_service_name = bounce bounce_size_limit = 50000 broken_sasl_auth_clients = yes canonical_maps = cleanup_service_name = cleanup command_directory = /usr/sbin command_expansion_filter = 1234567890!@%-_=+:,./abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWX YZ command_time_limit = 1000s config_directory = /etc/postfix content_filter = smtp-amavis:127.0.0.1:10025 daemon_directory = /usr/libexec/postfix daemon_timeout = 18000s debug_peer_level = 2 debug_peer_list = default_database_type = hash default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using $rbl_domain${rbl_reason?; $rbl_reason} default_recipient_limit = 
10000 default_transport = smtp default_verp_delimiters = += defer_code = 450 defer_service_name = defer defer_transports = delay_notice_recipient = postmaster delay_warning_time = 0h deliver_lock_attempts = 20 deliver_lock_delay = 1s dont_remove = 0 double_bounce_sender = double-bounce duplicate_filter_limit = 1000 empty_address_recipient = MAILER-DAEMON enable_errors_to = no enable_original_recipient = yes error_notice_recipient = postmaster error_service_name = error expand_owner_alias = no export_environment = TZ MAIL_CONFIG fallback_relay = fallback_transport = fast_flush_domains = $relay_domains fast_flush_purge_time = 7d fast_flush_refresh_time = 12h fault_injection_code = 0 flush_service_name = flush fork_attempts = 5 fork_delay = 1s forward_expansion_filter = 1234567890!@%-_=+:,./abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWX YZ forward_path = $home/.forward${recipient_delimiter}${extension}, $home/.forward hash_queue_depth = 1 hash_queue_names = incoming, active, deferred, bounce, defer, flush, hold, trace header_address_token_limit = 10240 header_checks = header_size_limit = 102400 helpful_warnings = yes home_mailbox = hopcount_limit = 50 html_directory = no ignore_mx_lookup_error = no import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY in_flow_delay = 1s inet_interfaces = 192.168.0.13, 127.0.0.1 initial_destination_concurrency = 5 invalid_hostname_reject_code = 501 ipc_idle = 100s ipc_timeout = 3600s ipc_ttl = 1000s line_length_limit = 2048 $default_destination_concurrency_limit $default_destination_recipient_limit local_command_shell = local_destination_concurrency_limit = 2 local_destination_recipient_limit = 1 local_recipient_maps = proxy:unix:passwd.byname $alias_maps local_transport = local:$myhostname luser_relay = mail_name = Postfix mail_owner = postfix mail_release_date = 20040915 mail_spool_directory = /var/mail mail_version = 2.1.5 mailbox_command = mailbox_command_maps = mailbox_delivery_lock = fcntl, dotlock 
mailbox_size_limit = 51200000 mailbox_transport = cyrus mailq_path = /usr/bin/mailq.postfix manpage_directory = /usr/share/man maps_rbl_domains = maps_rbl_reject_code = 554 masquerade_classes = envelope_sender, header_sender, header_recipient masquerade_domains = masquerade_exceptions = max_idle = 100s max_use = 100 maximal_backoff_time = 4000s maximal_queue_lifetime = 5d message_size_limit = 51200 mime_boundary_length_limit = 2048 mime_header_checks = pcre:/etc/postfix/body_checks mime_nesting_limit = 100 minimal_backoff_time = 1000s multi_recipient_bounce_reject_code = 550 mydestination = localhost.$mydomain, localhost, meine-domain.tld mydomain = meine-domain.tld myhostname = mail.meine-domain.tld mynetworks = 127.0.0.1/8 mynetworks_style = subnet myorigin = $mydomain nested_header_checks = $header_checks newaliases_path = /usr/bin/newaliases.postfix non_fqdn_reject_code = 504 notify_classes = resource, software owner_request_special = yes parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,perm it_mx_backup_networks,qmqpd_authorized_clients,rel ay_domains,smtpd_access_maps permit_mx_backup_networks = pickup_service_name = pickup prepend_delivered_header = command, file, forward process_id_directory = pid propagate_unmatched_extensions = canonical, virtual proxy_interfaces = proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks |
[postconf output - part II]:
----------------------------- queue_directory = /var/spool/postfix queue_file_attribute_count_limit = 100 queue_minfree = 0 queue_run_delay = 1000s queue_service_name = qmgr rbl_reply_maps = readme_directory = /usr/share/doc/postfix-2.1.5/README_FILES receive_override_options = recipient_bcc_maps = recipient_canonical_maps = recipient_delimiter = reject_code = 554 relay_clientcerts = relay_destination_concurrency_limit = $default_destination_concurrency_limit relay_destination_recipient_limit = $default_destination_recipient_limit relay_domains = $mydestination relay_domains_reject_code = 554 relay_recipient_maps = relay_transport = relay relayhost = relocated_maps = require_home_directory = no resolve_dequoted_address = yes resolve_null_domain = no rewrite_service_name = rewrite sample_directory = /usr/share/doc/postfix-2.1.5/samples sender_based_routing = no sender_bcc_maps = sender_canonical_maps = mysql:/etc/postfix/mysql-canonical.cf sendmail_path = /usr/sbin/sendmail service_throttle_time = 60s setgid_group = postdrop show_user_unknown_table_name = yes showq_service_name = showq smtp_always_send_ehlo = yes smtp_helo_name = $myhostname smtp_sasl_security_options = noanonymous smtp_sasl_tls_security_options = $var_smtp_sasl_opts smtp_sasl_tls_verified_security_options = $var_smtp_sasl_tls_opts smtpd_authorized_verp_clients = $authorized_verp_clients smtpd_authorized_xclient_hosts = smtpd_authorized_xforward_hosts = smtpd_banner = $myhostname ESMTP $mail_name smtpd_client_connection_count_limit = 50 smtpd_client_connection_limit_exceptions = $mynetworks smtpd_client_connection_rate_limit = 0 smtpd_client_restrictions = smtpd_data_restrictions = smtpd_delay_reject = yes smtpd_enforce_tls = no smtpd_error_sleep_time = 1s smtpd_etrn_restrictions = smtpd_expansion_filter = \t\40!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~ smtpd_hard_error_limit = 20 smtpd_helo_required = yes smtpd_helo_restrictions = 
smtpd_history_flush_threshold = 100 smtpd_junk_command_limit = 100 smtpd_noop_commands = smtpd_null_access_lookup_key = <> smtpd_policy_service_max_idle = 300s smtpd_policy_service_max_ttl = 1000s smtpd_policy_service_timeout = 100s smtpd_proxy_ehlo = $myhostname smtpd_proxy_filter = smtpd_proxy_timeout = 100s smtpd_recipient_limit = 1000 smtpd_recipient_overshoot_limit = 1000 smtpd_recipient_restrictions = reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, permit_mynetworks, reject_unauth_destination, reject_rbl_client zombie.dnsbl.sorbs.net, reject_rbl_client relays.ordb.org, reject_rbl_client opm.blitzed.org, reject_rbl_client list.dsbl.org, reject_rbl_client sbl.spamhaus.org, permit smtpd_reject_unlisted_recipient = yes smtpd_reject_unlisted_sender = no smtpd_restriction_classes = smtpd_sasl_application_name = smtpd smtpd_sasl_auth_enable = yes smtpd_sasl_exceptions_networks = smtpd_sasl_local_domain = smtpd_sasl_security_options = noanonymous smtpd_sasl_tls_security_options = $smtpd_sasl_security_options smtpd_sender_login_maps = smtpd_sender_restrictions = smtpd_soft_error_limit = 10 smtpd_starttls_timeout = 300s smtpd_timeout = 300s smtpd_tls_CAfile = smtpd_tls_CApath = smtpd_tls_ask_ccert = no smtpd_tls_auth_only = no smtpd_tls_ccert_verifydepth = 5 smtpd_tls_cert_file = smtpd_tls_cipherlist = smtpd_tls_dcert_file = smtpd_tls_dh1024_param_file = smtpd_tls_dh512_param_file = smtpd_tls_dkey_file = $smtpd_tls_dcert_file smtpd_tls_key_file = $smtpd_tls_cert_file smtpd_tls_loglevel = 0 smtpd_tls_received_header = no smtpd_tls_req_ccert = no smtpd_tls_session_cache_database = smtpd_tls_session_cache_timeout = 3600s smtpd_tls_wrappermode = no smtpd_use_tls = no soft_bounce = no stale_lock_time = 500s strict_7bit_headers = no strict_8bitmime = no strict_8bitmime_body = no strict_mime_encoding_domain = no strict_rfc821_envelopes 
= no sun_mailtool_compatibility = no swap_bangpath = yes syslog_facility = mail syslog_name = postfix tls_daemon_random_bytes = 32 tls_daemon_random_source = tls_ipv6_version = 1.26 tls_random_bytes = 32 tls_random_exchange_name = ${config_directory}/prng_exch tls_random_prng_update_period = 60s tls_random_reseed_period = 3600s tls_random_source = trace_service_name = trace transport_maps = transport_retry_time = 60s trigger_timeout = 10s undisclosed_recipients_header = To: undisclosed-recipients:; unknown_address_reject_code = 450 unknown_client_reject_code = 450 unknown_hostname_reject_code = 450 unknown_local_recipient_reject_code = 550 unknown_relay_recipient_reject_code = 550 unknown_virtual_alias_reject_code = 550 unknown_virtual_mailbox_reject_code = 550 unverified_recipient_reject_code = 450 unverified_sender_reject_code = 450 verp_delimiter_filter = -=+ virtual_alias_domains = $virtual_alias_maps virtual_alias_expansion_limit = 1000 virtual_alias_maps = hash:/etc/postfix/virtual, mysql:/etc/postfix/mysql-virtual.cf virtual_alias_recursion_limit = 1000 virtual_destination_concurrency_limit = $default_destination_concurrency_limit virtual_destination_recipient_limit = $default_destination_recipient_limit virtual_gid_maps = virtual_mailbox_base = virtual_mailbox_domains = $virtual_mailbox_maps virtual_mailbox_limit = 51200000 virtual_mailbox_lock = fcntl virtual_mailbox_maps = virtual_minimum_uid = 100 virtual_transport = virtual virtual_uid_maps = |
I think that could be where the problem lies.
Quote:
For testing, perhaps try it like this: smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination |
Problem solved
Hi @ll!
Thanks for your great help, I have now finally solved the problem. I had in fact set smtpd_recipient_restrictions twice, and apparently postfix does not merge the contained parameters; instead, on the 2nd read of smtpd_recipient_restrictions the values from the 1st read are probably overwritten. Thanks, regards, groissi |
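
The cause found in this thread, as an added example that is not part of the original posts: Postfix remembers only the last definition of a parameter that appears more than once in main.cf, so a later smtpd_recipient_restrictions silently replaces the one containing permit_sasl_authenticated. The sketch parses a constructed main.cf (the sample file and the function names parse_main_cf and audit are assumptions) and reports duplicate definitions and the resulting gap in the effective relay policy.

```python
import re

# Constructed main.cf, not the poster's file: the parameter is set twice.
SAMPLE_MAIN_CF = """\
# SMTP Authentication with SASL and PAM
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated
    permit_mynetworks reject_unauth_destination

# anti-spam block further down the same file
smtpd_recipient_restrictions = reject_non_fqdn_sender,
    # a comment line does not end the continuation
    permit_mynetworks, reject_unauth_destination, permit
"""

def parse_main_cf(text):
    """Return {parameter: [(line_no, value), ...]} in file order."""
    logical = []  # each entry: [first_line_no, joined_text]
    for no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank and comment lines are ignored
        if raw[0].isspace() and logical:
            logical[-1][1] += " " + raw.strip()  # leading whitespace continues
        else:
            logical.append([no, raw.strip()])
    params = {}
    for no, line in logical:
        name, sep, value = line.partition("=")
        if sep:
            params.setdefault(name.strip(), []).append((no, value.strip()))
    return params

def audit(text):
    """Return (effective settings, findings); the last definition wins."""
    params = parse_main_cf(text)
    effective = {name: defs[-1][1] for name, defs in params.items()}
    findings = []
    for name, defs in params.items():
        if len(defs) > 1:
            where = ", ".join(str(no) for no, _ in defs)
            findings.append(f"{name}: set on lines {where}; only line {defs[-1][0]} applies")
    rules = re.split(r"[,\s]+", effective.get("smtpd_recipient_restrictions", ""))
    cut = rules.index("reject_unauth_destination") if "reject_unauth_destination" in rules else len(rules)
    if effective.get("smtpd_sasl_auth_enable") == "yes" and "permit_sasl_authenticated" not in rules[:cut]:
        findings.append("authenticated clients are not permitted before reject_unauth_destination")
    return effective, findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_MAIN_CF)[1]))
```

On a live system, `postconf -n` prints the non-default settings Postfix actually uses, which is the value to compare against what main.cf appears to say.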