On Fri, Apr 24, 2020 at 11:27:58AM +0000, Bandaru, Vamsi wrote:
> I am sorry if this query doesn't belong here , but I am trying to
> configure Cyrus SASL on Postfix to use our LDAP servers for
> authentication.
To be clear, it sounds like you want to use LDAP bind as a "password
oracle", that is, the PLAIN (or LOGIN) SASL credentials of submission
users are verified by making an LDAP connection with the provided
credentials. Is that right?
> The moment I turn on SASL auth on main.cf, telnet to the system on
> port 25 starts to fail,
Firstly, you should generally limit SASL support to just ports 587
and/or 465, and of course only when TLS is enabled. SASL on port 25 is
unnecessary, and just invites abuse.
> I see the below errors in maillog :
> Apr 24 11:07:09 XXXXXXXX postfix/smtpd[19352]: xsasl_cyrus_server_create:
> SASL service=smtp, realm=(null)
> Apr 24 11:07:09 xxxxxxxxxx postfix/smtpd[19352]: name_mask: noanonymous
> Apr 24 11:07:09 xxxxxxxxxx postfix/smtpd[19352]: name_mask: noplaintext
> Apr 24 11:07:09 xxxxxxxxxx postfix/smtpd[19352]: warning:
> xsasl_cyrus_server_get_mechanism_list: no applicable SASL mechanisms
> Apr 24 11:07:09 xxxxxxxxxx postfix/smtpd[19352]: fatal: no SASL
> authentication mechanisms
What are your settings of:

    smtpd_sasl_mechanism_filter
    smtpd_sasl_security_options
    smtpd_sasl_tls_security_options

This would be a good time to post your "postconf -nf" and "postconf -Mf"
output, if you've done that already upthread.
> My smtpd.conf file :
>
> pwcheck_method: auxprop
> auxprop_plugin: ldapdb
> mech_list: PLAIN LOGIN
> ldapdb_uri: ldaps://xxxxxxxxxxx:636
> ldapdb_id: uid=xxxxx,ou=people,ou=xxx,o=World
> ldapdb_pw: xxxxxxxxxx
> #ldapdb_mech: DIGEST-MD5
You only enable PLAIN and LOGIN, but perhaps you have:

    smtpd_sasl_security_options = noanonymous, noplaintext

which leaves no mechanisms available. Instead, set:

main.cf:
    smtpd_sasl_auth_enable = no
    smtpd_tls_auth_only = yes
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_mechanism_filter = plain, login

master.cf:
    submission inet n - n - - smtpd
      -o syslog_name=postfix/submission
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_tls_auth_only=yes
      -o smtpd_reject_unlisted_recipient=no
      -o smtpd_client_restrictions=$mua_client_restrictions
      -o smtpd_helo_restrictions=$mua_helo_restrictions
      -o smtpd_sender_restrictions=$mua_sender_restrictions
      -o smtpd_recipient_restrictions=
      -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
      -o milter_macro_daemon_name=ORIGINATING

which enables SASL only for submission, and only over TLS, with
plaintext mechanisms not disabled.
--
Viktor.
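The interaction Viktor describes (a mech_list of only PLAIN and LOGIN plus a "noplaintext" security option leaves no mechanism, and SASL should be confined to TLS-protected submission) can be checked offline before restarting smtpd. The script below is an added example, not code from Postfix or Cyrus SASL; it models a simplified subset of the real behaviour (assumptions: "noplaintext" drops PLAIN and LOGIN, "noanonymous" drops ANONYMOUS, and smtpd_sasl_mechanism_filter is read as a plain list of names, whereas the real parameter also accepts "!" exclusions and lookup tables). The sample main.cf, master.cf and smtpd.conf texts are constructed from the thread.

```python
"""Audit Postfix/Cyrus SASL settings for the "no SASL authentication mechanisms" failure.

Added example (not Postfix or Cyrus SASL code). Simplified model, assumed:
"noplaintext" removes PLAIN and LOGIN, "noanonymous" removes ANONYMOUS, and
smtpd_sasl_mechanism_filter is treated as a plain list of mechanism names.
"""
import re

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}   # the password itself crosses the wire
ANONYMOUS_MECHS = {"ANONYMOUS"}


def parse_list(value):
    """Split a comma/whitespace separated Postfix or Cyrus value into tokens."""
    return [tok for tok in re.split(r"[,\s]+", value.strip()) if tok]


def parse_keyvals(text, sep):
    """Parse 'key<sep>value' lines; main.cf uses '=', Cyrus smtpd.conf uses ':'."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, found, value = line.partition(sep)
        if found:
            conf[key.strip()] = value.strip()
    return conf


def parse_master_cf(text):
    """Return {service: {param: value}} for each inet smtpd entry and its -o overrides."""
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] not in " \t":                      # service definition line
            fields = raw.split()
            if len(fields) >= 8 and fields[1] == "inet" and fields[7] == "smtpd":
                current = fields[0]
                services[current] = {}
            else:
                current = None
        elif current is not None:                    # continuation line: -o param=value
            m = re.match(r"\s*-o\s+([^=\s]+)=(.*)", raw)
            if m:
                services[current][m.group(1)] = m.group(2).strip()
    return services


def effective_mechanisms(mech_list, security_options, mechanism_filter=""):
    """Mechanisms that survive the security options and the mechanism filter."""
    allowed = {m.upper() for m in mech_list}
    opts = {o.lower() for o in security_options}
    if "noplaintext" in opts:
        allowed -= PLAINTEXT_MECHS
    if "noanonymous" in opts:
        allowed -= ANONYMOUS_MECHS
    if mechanism_filter.strip():
        allowed &= {m.upper() for m in parse_list(mechanism_filter)}
    return allowed


def audit(main_cf_text, master_cf_text, smtpd_conf_text):
    """Per smtpd service: SASL on?, TLS required?, remaining mechanisms, findings."""
    main_cf = parse_keyvals(main_cf_text, "=")
    mech_list = parse_list(parse_keyvals(smtpd_conf_text, ":").get("mech_list", ""))
    report = {}
    for name, overrides in parse_master_cf(master_cf_text).items():
        def get(param, default=""):               # master.cf -o overrides main.cf
            return overrides.get(param, main_cf.get(param, default))
        enabled = get("smtpd_sasl_auth_enable", "no").lower() == "yes"
        tls_only = (get("smtpd_tls_auth_only", "no").lower() == "yes"
                    or get("smtpd_tls_security_level", "none").lower() == "encrypt")
        # Inside TLS Postfix applies smtpd_sasl_tls_security_options, which defaults
        # to $smtpd_sasl_security_options (itself defaulting to "noanonymous").
        base = get("smtpd_sasl_security_options", "noanonymous")
        opts = parse_list(get("smtpd_sasl_tls_security_options", base) if tls_only else base)
        mechs = effective_mechanisms(mech_list, opts, get("smtpd_sasl_mechanism_filter", ""))
        findings = []
        if enabled and not mechs:
            findings.append("no SASL mechanisms left: smtpd will refuse to start")
        if enabled and name == "smtp":
            findings.append("SASL enabled on port 25 (smtp service)")
        if enabled and not tls_only:
            findings.append("SASL offered without requiring TLS")
        report[name] = {"sasl": enabled, "tls_only": tls_only,
                        "mechanisms": mechs, "findings": findings}
    return report


# Constructed sample inputs modelled on the thread.
SMTPD_CONF = "pwcheck_method: auxprop\nauxprop_plugin: ldapdb\nmech_list: PLAIN LOGIN\n"
BROKEN_MAIN_CF = "smtpd_sasl_auth_enable = yes\nsmtpd_sasl_security_options = noanonymous, noplaintext\n"
BROKEN_MASTER_CF = "smtp      inet  n  -  n  -  -  smtpd\n"
FIXED_MAIN_CF = ("smtpd_sasl_auth_enable = no\nsmtpd_tls_auth_only = yes\n"
                 "smtpd_sasl_security_options = noanonymous\nsmtpd_sasl_mechanism_filter = plain, login\n")
FIXED_MASTER_CF = ("smtp      inet  n  -  n  -  -  smtpd\n"
                   "submission inet n  -  n  -  -  smtpd\n"
                   "  -o smtpd_tls_security_level=encrypt\n  -o smtpd_sasl_auth_enable=yes\n"
                   "  -o smtpd_tls_auth_only=yes\n  -o smtpd_recipient_restrictions=\n"
                   "  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject\n")

if __name__ == "__main__":
    for label, main_cf, master_cf in (("broken", BROKEN_MAIN_CF, BROKEN_MASTER_CF),
                                      ("fixed", FIXED_MAIN_CF, FIXED_MASTER_CF)):
        for svc, info in audit(main_cf, master_cf, SMTPD_CONF).items():
            print(label, svc, sorted(info["mechanisms"]), info["findings"])
```

On a live system the same functions can be fed the output of "postconf -nf", "postconf -Mf" and the Cyrus smtpd.conf, which is why the report is keyed by master.cf service name rather than by port.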