On Tue, Aug 26, 2014 at 06:42:04PM +0000, Viktor Dukhovni wrote:
> > # cat sasl_pw
> > [upstreamrelay]:25 user01:xxxxxxxxxxx
>
> Is the nexthop relay (relayhost in main.cf or transport
> nexthop) specified as:
>
> 1. upstreamrelay
> 2. [upstreamrelay]
> 3. upstreamrelay:25
> 4. [upstreamrelay]:25
>
> Anything other than "4" will not match the sasl_pw table.
>
> Sure looks no attempt to authenticate. Almost certainly because
> the nexthop is not *verbatim* what is in the sasl_pw table.
>

That helped a lot, thank you. It now attempts to authenticate. Almost!
I get these errors about "no worthy mechs found", and next "no mechanism available".

Aug 29 20:19:06 xxxxxxxx mail:info postfix/qmgr[26149056]: DD6821002F: from=<x...@xxx.com>, size=330, nrcpt=1 (queue active)
Aug 29 20:19:06 xxxxxxxx mail:info postfix/smtp[7602316]: Verified TLS connection established to upstreamrelay[xx.xx.xx.xx]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Aug 29 20:19:06 xxxxxxxx mail:warn|warning postfix/smtp[7602316]: warning: SASL authentication failure: No worthy mechs found
Aug 29 20:19:06 xxxxxxxx mail:info postfix/smtp[7602316]: DD6821002F: to=<myself@xxxx>, relay=upstreamrelay[xx.xx.xx.xx]:25, delay=210369, delays=210368/0.06/0.3/0, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server upstreamrelay[xx.xx.xx.xx]: no mechanism available)

This host I'm trying to set up has the peculiar setup that it is not the primary network interface card which can connect to the upstream relay, so I cannot just telnet port 25 and debug from there (and unfortunately the openssl binary cannot use another IP address as source address (and I cannot manage to combine netcat with openssl to do that either...)).

But from another machine, that IS possible, and this is what it looks like:

openssl s_client -starttls smtp -crlf -connect upstreamrelay:25
[...]
EHLO upstreamrelay
250-upstreamrelay
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-AUTH LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250 8BITMIME

So it supports LOGIN and PLAIN. And I can send email using SASL and TLS, "by hand", from this other machine. So I am quite confident my SASL username and password works.
This is the sasl part of my configuration:

# postconf -n|grep sasl
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = plain
smtp_sasl_password_maps = btree:/etc/postfix/sasl/sasl_pw
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtpd_sasl_auth_enable = no

I read that if /usr/lib/sasl2 does not contain libplain and liblogin, it would give those errors. But those files are there

# ls -al
total 3944
drwxr-xr-x 2 root system 4096 Aug 27 09:27 .
drwxr-xr-x 5 root system 256 Aug 27 09:27 ..
-rw-r--r-- 1 root system 186241 Aug 27 09:27 libanonymous.a
-rwxr-xr-x 1 root system 617 Aug 27 09:27 libanonymous.la
-rw-r--r-- 1 root system 193237 Aug 27 09:27 libcrammd5.a
-rwxr-xr-x 1 root system 611 Aug 27 09:27 libcrammd5.la
-rw-r--r-- 1 root system 302704 Aug 27 09:27 libdigestmd5.a
-rwxr-xr-x 1 root system 626 Aug 27 09:27 libdigestmd5.la
-rw-r--r-- 1 root system 186375 Aug 27 09:27 liblogin.a
-rwxr-xr-x 1 root system 605 Aug 27 09:27 liblogin.la
-rw-r--r-- 1 root system 283733 Aug 27 09:27 libotp.a
-rwxr-xr-x 1 root system 608 Aug 27 09:27 libotp.la
-rw-r--r-- 1 root system 186343 Aug 27 09:27 libplain.a
-rwxr-xr-x 1 root system 605 Aug 27 09:27 libplain.la
-rw-r--r-- 1 root system 351181 Aug 27 09:27 libsasldb.a
-rwxr-xr-x 1 root system 617 Aug 27 09:27 libsasldb.la
-rw-r--r-- 1 root system 275287 Aug 27 09:27 libscram.a
-rwxr-xr-x 1 root system 614 Aug 27 09:27 libscram.la
#

This is how I build sasl:

cd cyrus-sasl-2.1.26
./configure --enable-plain --enable-login --enable-digest --enable-anon
make
make install

and postfix:

cd postfix-2.10.3
make tidy
make makefiles \
  CCARGS="-DUSE_TLS -DHAS_DB -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/usr/local/include -I/usr/include/db4" \
  AUXLIBS="-L/usr/local/lib -L/usr/lib -lsasl2 -ldb -lssl -lcrypto"
make
make install

So ... any idea why it says it cannot find a worthy mech and that no mechanisms are available?

Thanks
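
An added example, not part of the original message: a simplified model of how the mechanism list is narrowed on the client side, fed with the EHLO reply and the `postconf` values quoted above, so that the stage at which the list becomes empty can be named. Assumptions: the function names are hypothetical, only the `noanonymous` and `noplaintext` security options are modelled, and the set of mechanisms the client SASL library has actually loaded is passed in as a constructed list rather than read from the system.

```python
import re

# Constructed sample input: the EHLO reply quoted in the post.
EHLO_REPLY = """250-upstreamrelay
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-AUTH LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250 8BITMIME"""

# Assumption: only these two security options are modelled.
EXCLUDED_BY = {"noanonymous": {"ANONYMOUS"}, "noplaintext": {"PLAIN", "LOGIN"}}


def offered_mechs(ehlo_reply):
    """Return the mechanism names from the AUTH line(s) of an EHLO reply."""
    mechs = []
    for line in ehlo_reply.splitlines():
        m = re.match(r"250[- ]AUTH[ =](.+)", line.strip(), re.IGNORECASE)
        if m:
            mechs += [name.upper() for name in m.group(1).split()]
    return mechs


def narrow(offered, mech_filter, security_options, client_mechs):
    """Return [(stage, surviving mechanisms)] in the order the list is narrowed."""
    stages = [("server AUTH line", list(offered))]
    allowed = {f.upper() for f in mech_filter}  # an empty filter allows everything
    left = [m for m in offered if not allowed or m in allowed]
    stages.append(("smtp_sasl_mechanism_filter", left))
    banned = set().union(*(EXCLUDED_BY.get(o, set()) for o in security_options))
    left = [m for m in left if m not in banned]
    stages.append(("security options", left))
    loaded = {c.upper() for c in client_mechs}
    left = [m for m in left if m in loaded]
    stages.append(("client library mechanisms", left))
    return stages


def first_empty_stage(stages):
    """Name the stage at which no mechanism is left, or None if one survives."""
    for stage, left in stages:
        if not left:
            return stage
    return None


if __name__ == "__main__":
    for loaded in (["PLAIN", "LOGIN"], []):  # constructed client states
        stages = narrow(offered_mechs(EHLO_REPLY), ["plain"], ["noanonymous"], loaded)
        print(loaded, stages[-1][1], first_empty_stage(stages))
```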