I have a Postfix 2.3.3 server, and I *think* I have SASL set up right. The reason I think it is right is that I have an iPhone that connects fine to Postfix, and sends emails fine through port 587 with the following logs:

Oct 13 23:33:21 server04 postfix/smtpd[988]: connect from unknown[120.155.207.95]
Oct 13 23:33:21 server04 postfix/smtpd[988]: setting up TLS connection from unknown[120.155.207.95]
Oct 13 23:33:22 server04 postfix/smtpd[988]: TLS connection established from unknown[120.155.207.95]: TLSv1 with cipher AES128-SHA (128/128 bits)
Oct 13 23:33:22 server04 postfix/smtpd[988]: DDB8C57522: client=unknown[120.155.207.95], sasl_method=PLAIN, sasl_username=simon

It seems to be authing against SASL fine, uses PLAIN as its mech, but as it is TLS encrypted that's fine, and verifies me against LDAP.

My /usr/lib64/sasl2/smtpd.conf reads:

pwcheck_method: saslauthd
saslauthd_version: 2
mech_list: plain login cram-md5

saslauthd is configured to use LDAP.

I can testsaslauthd -u simon -p password with no problems, and it hits my LDAP server.

Now my wife has just got a Nokia E51. When it tries to send using SMTP to the same port 587, it tries to use CRAM-MD5, and the send fails:

Oct 13 23:35:37 server04 postfix/smtpd[988]: setting up TLS connection from unknown[58.171.251.169]
Oct 13 23:35:38 server04 postfix/smtpd[988]: TLS connection established from unknown[58.171.251.169]: TLSv1 with cipher AES256-SHA (256/256 bits)
Oct 13 23:35:39 server04 postfix/smtpd[988]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: Permission denied
Oct 13 23:35:39 server04 postfix/smtpd[988]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: Permission denied
Oct 13 23:35:39 server04 postfix/smtpd[988]: warning: SASL authentication failure: no secret in database
Oct 13 23:35:39 server04 postfix/smtpd[988]: warning: unknown[58.171.251.169]: SASL CRAM-MD5 authentication failed: authentication failure

It establishes the TLS fine, but then tries to use sasldb2 instead of saslauthd which is configured to go to LDAP. There is nothing IN sasldb2, no secrets etc as it says - it's not supposed to be using it.

One thing I note is that "telnet mail.simonandkate.net 587" does not return AUTH in the list offered:

220 mail.simonandkate.net ESMTP Postfix
EHLO simon.whatever
250-mail.simonandkate.net
250-PIPELINING
250-SIZE 26214400
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

So it would appear that SASL is *not* set up right... but why do I get log entries saying the iPhone is sending email as sasl_method=PLAIN, sasl_username=simon?

So can anyone tell me what I have done wrong? Why does SASL appear to be (possibly) working for PLAIN (iPhone) but not for the Nokia (CRAM-MD5), and why is the server not advertising the AUTH methods?

Postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
bounce_template_file = /etc/postfix/bounce.cf
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavisfeed:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
delay_warning_time = 2h
disable_vrfy_command = yes
html_directory = no
mailbox_transport = cyrus
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
masquerade_domains = !system.simonandkate.net, simonandkate.net, simonandkate.lan
message_size_limit = 26214400
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, localhost.localdomain, simonandkate.net, system.simonandkate.net, howiesue.net
myhostname = mail.simonandkate.net
mynetworks = 127.0.0.0/8, 192.168.1.0/24
myorigin = simonandkate.net
newaliases_path = /usr/bin/newaliases.postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_client_restrictions =
smtpd_data_restrictions = reject_unauth_pipelining      permit
smtpd_helo_required = yes
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_non_fqdn_sender,reject_unknown_sender_domain, reject_non_fqdn_recipient, reject_unknown_recipient_domain, check_sender_access hash:/etc/postfix/sender_access, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, check_policy_service unix:postgrey/socket, check_policy_service unix:private/policy permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sender_restrictions =
smtpd_tls_CAfile = /etc/pki/tls/certs/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/simonandkate.net-cert.pem
smtpd_tls_key_file = /etc/pki/tls/private/simonandkate.net-key.pem
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550

Any help would be appreciated... :)
--
Simon Wilson
www.simonandkate.net
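
Added example, not part of the original post: a small lint over the smtpd.conf and `postconf -n` values quoted above, flagging the two settings that match the symptoms described. It assumes two documented behaviours: saslauthd can only verify plaintext passwords (PLAIN, LOGIN), so shared-secret mechanisms fall back to an auxprop store such as /etc/sasldb2, and `smtpd_tls_auth_only = yes` keeps AUTH out of the EHLO reply until after STARTTLS. Function and finding names are this example's own.

```python
# Added example: lint Cyrus SASL smtpd.conf and `postconf -n` output for the
# two symptoms in the post. Sample inputs are copied from the post above.
SHARED_SECRET_MECHS = {"cram-md5", "digest-md5"}  # need a stored secret (auxprop)

SMTPD_CONF = """\
pwcheck_method: saslauthd
saslauthd_version: 2
mech_list: plain login cram-md5
"""

POSTCONF = """\
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes
smtpd_tls_security_level = may
"""

def parse(text, sep):
    """Parse 'key<sep>value' lines into a dict, skipping blanks and comments."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or sep not in line:
            continue
        key, value = line.split(sep, 1)
        out[key.strip().lower()] = value.strip()
    return out

def lint(smtpd_conf, postconf):
    """Return (finding_code, mechanisms) tuples for the given config texts."""
    sasl = parse(smtpd_conf, ":")
    pf = parse(postconf, "=")
    findings = []
    mechs = set(sasl.get("mech_list", "").lower().split())
    # saslauthd cannot answer a CRAM-MD5/DIGEST-MD5 challenge, so the SASL
    # library looks for the secret in auxprop (sasldb2) instead.
    if sasl.get("pwcheck_method") == "saslauthd":
        bad = sorted(mechs & SHARED_SECRET_MECHS)
        if bad:
            findings.append(("mech_needs_auxprop", bad))
    # AUTH is only announced inside TLS, so a plain telnet EHLO will not list it.
    if pf.get("smtpd_sasl_auth_enable") == "yes" and pf.get("smtpd_tls_auth_only") == "yes":
        findings.append(("auth_hidden_before_starttls", sorted(mechs)))
    return findings

if __name__ == "__main__":
    for code, detail in lint(SMTPD_CONF, POSTCONF):
        print(code, detail)
```

To see what is actually advertised inside TLS, repeat the EHLO after STARTTLS rather than over plain telnet.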
