CentOS 5.5
I read many posts regarding postfix+sasl on the net but no clue. The maillog messages are
Aug 5 07:00:56 host2 postfix/smtpd[10018]: warning: SASL authentication failure: Password verification failed
Aug 5 07:00:56 host2 postfix/smtpd[10018]: warning: localhost.localdomain[127.0.0.1]: SASL PLAIN authentication failed: authentication failure
telnet localhost 25
# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 xxx.xxxxxxxxxxx.net ESMTP Postfix
ehlo me
250-xxx.xxxxxxxxxxx.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
/usr/lib/sasl2/smtpd.conf
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
/etc/sysconfig/saslauthd
# Directory in which to place saslauthd's listening socket, pid file, and so
# on. This directory must already exist.
SOCKETDIR=/var/run/saslauthd
# Mechanism to use when checking passwords. Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled with the ablity to use.
MECH=pam
# Additional flags to pass to saslauthd on the command line. See saslauthd(8)
# for the list of accepted flags.
FLAGS=
postconf -n
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = /usr/share/doc/postfix-2.6.7-documentation/html
inet_interfaces = all
mail_owner = postfix
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, yyy.yyyhost.com
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.7-documentation/readme
sample_directory = /etc/postfix
sender_bcc_maps = hash:/etc/postfix/bcc
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
any direction to debug the problem of sasl authentication failure ?
my username creation pattern is username.domain
This server is ran for a few years and guy who managed this server was quit and I could not got much information from other colleagues.
I installed centos 5.8 and virtualmin on a virtual machine, sasl ran properly out of the box without special configuration.
When I compared the configurations files from them. Here are what my findings.
the postfix version is different. The VM is 2.3.3, the production server is 2.6.7
the postconf -n more or less are the same accept two lines production server
alias_database = hash:/etc/postfix/aliasesalias_maps = hash:/etc/postfix/aliases
VM
alias_database = hash:/etc/aliasesalias_maps = hash:/etc/aliases
I just used a utility called saslfinger to list sasl configuration http://postfix.state-of-mind.de/patrick.koetter/saslfinger/
There is a different of master.cf between production and virtual machine box
production
saslfinger -s
saslfinger - postfix Cyrus sasl configuration Sun Aug 5 15:16:53 HKT 2012
version: 1.0.2
mode: server-side SMTP AUTH
-- basics --
Postfix: 2.6.7-20100608
System: CentOS release 5.5 (Final)
-- smtpd is linked to --
libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x004be000)
-- active SMTP AUTH and TLS parameters for smtpd --
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
-- listing of /usr/lib/sasl2 --
total 3256
drwxr-xr-x 2 root root 4096 Mar 16 2011 .
drwxr-xr-x 88 root root 45056 Jan 17 2011 ..
-rwxr-xr-x 1 root root 884 Mar 17 2010 libanonymous.la
-rwxr-xr-x 1 root root 14372 Mar 17 2010 libanonymous.so
-rwxr-xr-x 1 root root 14372 Mar 17 2010 libanonymous.so.2
-rwxr-xr-x 1 root root 14372 Mar 17 2010 libanonymous.so.2.0.22
-rwxr-xr-x 1 root root 870 Mar 17 2010 libcrammd5.la
-rwxr-xr-x 1 root root 16832 Mar 17 2010 libcrammd5.so
-rwxr-xr-x 1 root root 16832 Mar 17 2010 libcrammd5.so.2
-rwxr-xr-x 1 root root 16832 Mar 17 2010 libcrammd5.so.2.0.22
-rwxr-xr-x 1 root root 893 Mar 17 2010 libdigestmd5.la
-rwxr-xr-x 1 root root 47172 Mar 17 2010 libdigestmd5.so
-rwxr-xr-x 1 root root 47172 Mar 17 2010 libdigestmd5.so.2
-rwxr-xr-x 1 root root 47172 Mar 17 2010 libdigestmd5.so.2.0.22
-rwxr-xr-x 1 root root 933 Mar 17 2010 libgssapiv2.la
-rwxr-xr-x 1 root root 26496 Mar 17 2010 libgssapiv2.so
-rwxr-xr-x 1 root root 26496 Mar 17 2010 libgssapiv2.so.2
-rwxr-xr-x 1 root root 26496 Mar 17 2010 libgssapiv2.so.2.0.22
-rwxr-xr-x 1 root root 856 Mar 17 2010 liblogin.la
-rwxr-xr-x 1 root root 14752 Mar 17 2010 liblogin.so
-rwxr-xr-x 1 root root 14752 Mar 17 2010 liblogin.so.2
-rwxr-xr-x 1 root root 14752 Mar 17 2010 liblogin.so.2.0.22
-rwxr-xr-x 1 root root 856 Mar 17 2010 libplain.la
-rwxr-xr-x 1 root root 14848 Mar 17 2010 libplain.so
-rwxr-xr-x 1 root root 14848 Mar 17 2010 libplain.so.2
-rwxr-xr-x 1 root root 14848 Mar 17 2010 libplain.so.2.0.22
-rwxr-xr-x 1 root root 930 Mar 17 2010 libsasldb.la
-rwxr-xr-x 1 root root 905200 Mar 17 2010 libsasldb.so
-rwxr-xr-x 1 root root 905200 Mar 17 2010 libsasldb.so.2
-rwxr-xr-x 1 root root 905200 Mar 17 2010 libsasldb.so.2.0.22
-rw-r--r-- 1 root root 25 Mar 31 2010 Sendmail.conf
-rw-r--r-- 1 root root 49 Jan 14 2011 smtpd.conf
-- listing of /etc/sasl2 --
total 24
drwxr-xr-x 2 root root 4096 Mar 17 2010 .
drwxr-xr-x 107 root root 12288 Aug 5 14:06 ..
-- content of /usr/lib/sasl2/smtpd.conf --
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
-- active services in /etc/postfix/master.cf --
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
smtp inet n - n - - smtpd -o smtpd_sasl_auth_enable=yes
submission inet n - n - - smtpd
-o smtpd_tls_security_level=encrypt
smtps inet n - n - - smtpd
-o smtpd_tls_wrappermode=yes
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
-o smtp_fallback_relay=
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
-- mechanisms on localhost --
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
-- end of saslfinger output --
virtual machine box
saslfinger -s
saslfinger - postfix Cyrus sasl configuration Sun Aug 5 15:17:22 HKT 2012
version: 1.0.2
mode: server-side SMTP AUTH
-- basics --
Postfix: 2.3.3
System: CentOS release 5.8 (Final)
-- smtpd is linked to --
libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x00c71000)
-- active SMTP AUTH and TLS parameters for smtpd --
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
-- listing of /usr/lib/sasl --
total 52
drwxr-xr-x 2 root root 4096 Aug 5 11:04 .
drwxr-xr-x 84 root root 45056 Aug 5 11:04 ..
-- listing of /usr/lib/sasl2 --
total 3260
drwxr-xr-x 2 root root 4096 Aug 5 11:04 .
drwxr-xr-x 84 root root 45056 Aug 5 11:04 ..
-rwxr-xr-x 1 root root 884 Mar 17 2010 libanonymous.la
-rwxr-xr-x 1 root root 14372 Mar 17 2010 libanonymous.so
-rwxr-xr-x 1 root root 14372 Mar 17 2010 libanonymous.so.2
-rwxr-xr-x 1 root root 14372 Mar 17 2010 libanonymous.so.2.0.22
-rwxr-xr-x 1 root root 870 Mar 17 2010 libcrammd5.la
-rwxr-xr-x 1 root root 16832 Mar 17 2010 libcrammd5.so
-rwxr-xr-x 1 root root 16832 Mar 17 2010 libcrammd5.so.2
-rwxr-xr-x 1 root root 16832 Mar 17 2010 libcrammd5.so.2.0.22
-rwxr-xr-x 1 root root 893 Mar 17 2010 libdigestmd5.la
-rwxr-xr-x 1 root root 47172 Mar 17 2010 libdigestmd5.so
-rwxr-xr-x 1 root root 47172 Mar 17 2010 libdigestmd5.so.2
-rwxr-xr-x 1 root root 47172 Mar 17 2010 libdigestmd5.so.2.0.22
-rwxr-xr-x 1 root root 933 Mar 17 2010 libgssapiv2.la
-rwxr-xr-x 1 root root 26496 Mar 17 2010 libgssapiv2.so
-rwxr-xr-x 1 root root 26496 Mar 17 2010 libgssapiv2.so.2
-rwxr-xr-x 1 root root 26496 Mar 17 2010 libgssapiv2.so.2.0.22
-rwxr-xr-x 1 root root 856 Mar 17 2010 liblogin.la
-rwxr-xr-x 1 root root 14752 Mar 17 2010 liblogin.so
-rwxr-xr-x 1 root root 14752 Mar 17 2010 liblogin.so.2
-rwxr-xr-x 1 root root 14752 Mar 17 2010 liblogin.so.2.0.22
-rwxr-xr-x 1 root root 856 Mar 17 2010 libplain.la
-rwxr-xr-x 1 root root 14848 Mar 17 2010 libplain.so
-rwxr-xr-x 1 root root 14848 Mar 17 2010 libplain.so.2
-rwxr-xr-x 1 root root 14848 Mar 17 2010 libplain.so.2.0.22
-rwxr-xr-x 1 root root 930 Mar 17 2010 libsasldb.la
-rwxr-xr-x 1 root root 905200 Mar 17 2010 libsasldb.so
-rwxr-xr-x 1 root root 905200 Mar 17 2010 libsasldb.so.2
-rwxr-xr-x 1 root root 905200 Mar 17 2010 libsasldb.so.2.0.22
-rw-r--r-- 1 root root 25 Aug 12 2011 Sendmail.conf
-rw-r--r-- 1 root root 49 Aug 4 15:32 smtpd.conf
-rw-r--r-- 1 root root 49 Aug 4 14:37 smtpd.conf.rpmnew
-- listing of /etc/sasl2 --
total 24
drwxr-xr-x 2 root root 4096 Mar 17 2010 .
drwxr-xr-x 98 root root 12288 Aug 5 15:10 ..
-- content of /usr/lib/sasl2/smtpd.conf --
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
-- active services in /etc/postfix/master.cf --
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
smtp inet n - n - - smtpd -o smtpd_sasl_auth_enable=yes
submission inet n - n - - smtpd
smtps inet n - n - - smtpd
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
-o fallback_relay=
showq unix n - n - - showq
error unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
old-cyrus unix - n n - - pipe
flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
cyrus unix - n n - - pipe
user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
-- mechanisms on localhost --
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
-- end of saslfinger output --
As we can see there are options are comment out in master.cf in virtual machine box