On Sun, Apr 26, 2020 at 10:35:58PM +0000, Bandaru, Vamsi wrote:
> After your recommendation this is what I have done :
>
> 1. commented out smtp service for inbound
>
> #smtp inet n - n - 200 smtpd -vv
Not sure why you did that. Is this a submission only MTA? Inbound mail
is handled somewhere else?
> 2. Configured Submission service as suggested , with few limitations (
> I am running mail_version of 2.10.1 , and few of the suggested
> parameters aren't available)
You're mistaken about "unavailable" parameters. Custom parameters
can be used that are not pre-defined in Postfix.
> master.cf:
> submission inet n - n - - smtpd
> -o syslog_name=postfix/submission
> -o smtpd_tls_security_level=encrypt
> -o smtpd_sasl_auth_enable=yes
> -o smtpd_tls_auth_only=yes
> -o smtpd_reject_unlisted_recipient=no
> -o smtpd_client_restrictions=$mua_client_restrictions
> ( mua_client / helo / sender _restrictions , also not available under the
> version I am using )
These default to empty, but you can set them to appropriate values if
you wish, but the idea is to not break submission mail when you
customise the restrictions for port 25 in main.cf.
> -o smtpd_helo_restrictions=$mua_helo_restrictions
> -o smtpd_sender_restrictions=$mua_sender_restrictions
> -o smtpd_recipient_restrictions=
> -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
> -o milter_macro_daemon_name=ORIGINATING
The suggested settings are correct as written.
> Under main.cf , this parameter isn't available : smtpd_sasl_mechanism_filter
Here you're right, I overlooked the fact that we only have a mechanism
filter for the client side. Ignore that one suggestion.
> on port 587 ( responds )
> [no plaintext SASL as expected]
>
> Connect to server on port 587 via openssl_client
>
> < openssl s_client -debug -starttls smtp -crlf -connect x.x.x.x:587 >
>
> 250 DSN
> ehlo localhost
> write to 0xa04550 [0xa1fc13] (45 bytes => 45 (0x2D))
> read from 0xa04550 [0xa1b6c8] (190 bytes => 190 (0xBE))
> 250- < hostname >
> 250-PIPELINING
> 250-SIZE 36700160
> 250-AUTH DIGEST-MD5 CRAM-MD5 NTLM LOGIN PLAIN
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
Great, now the server actually offers a non-empty mechanism list.
You'll probably want to narrow that down in your SASL config.
> AUTH LOGIN
> 334 VXNlcm5hbWU6 ( prompts for username )
> 435 4.7.8 Error: authentication failed: authentication failure
>
> The auth.log under /var/log records this :
>
> postfix/submission/smtpd[94812]: _sasl_plugin_load failed on
> sasl_auxprop_plug_init for plugin: ldapdb
> postfix/submission/smtpd[94812]: _sasl_plugin_load failed on
> sasl_canonuser_init for plugin: ldapdb
> postfix/submission/smtpd[95522]: _sasl_plugin_load failed on
> sasl_auxprop_plug_init for plugin: ldapdb
> postfix/submission/smtpd[95522]: _sasl_plugin_load failed on
> sasl_canonuser_init for plugin: ldapdb
> postfix/submission/smtpd[96590]: _sasl_plugin_load failed on
> sasl_auxprop_plug_init for plugin: ldapdb
> postfix/submission/smtpd[96590]: _sasl_plugin_load failed on
> sasl_canonuser_init for plugin: ldapdb
You'll need to install that plugin.
> *************************************
>
> This is my : /etc/saslauthd.conf file
>
> ldap_servers: ldaps://x.x.x:636
> ldap_version: 3
> ldap_auth_method: bind
> ldap_search_base: ou=xx,ou=xx,o=xx
> ldap_scope: sub
> ldap_bind_dn: uid=xxxx,ou=xx,ou=xx,o=xx
> ldap_bind_pw: xx
> ldap_filter: ShortName=%U
> auxprop_plugin: ldapdb
>
> This is my smtpd.conf file setting : @ /etc/sasl2/smtpd.conf
>
> pwcheck_method: auxprop
> auxprop_plugin: ldapdb
> mech_list: PLAIN LOGIN NTLM CRAM-MD5 DIGEST-MD5
You should probably remove everything other than PLAIN and LOGIN.
> ldapdb_uri: ldaps://x.x.x:636
> ldapdb_id: uid=xxx,ou=xx,ou=xx,o=xx
> ldapdb_pw: xx
> ldapdb_mech: LOGIN
> ldap_version: 3
> ldap_auth_method: bind
Now you just need an LDAP auxprop plugin. Did you install it?
At this point your Postfix issues are largely resolved, you now
need to properly configure Cyrus SASL.
--
Viktor.
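The thread turns on a handful of settings that have to line up for a submission service to be safe: TLS enforced and SASL auth only offered after STARTTLS in the master.cf stanza, relaying limited to authenticated clients, and a Cyrus SASL mech_list narrowed to PLAIN and LOGIN as Viktor recommends. The following script is an added example, not code from the mailing-list post or from the Postfix or Cyrus SASL projects; it parses the master.cf stanza, the /etc/sasl2/smtpd.conf and the EHLO reply quoted above (all embedded here as constructed input) and reports which of those points fail. The ALLOWED_MECHS set and the finding strings are this example's own assumptions.

```python
"""Audit a Postfix submission-service stanza and a Cyrus SASL smtpd.conf
against the hardening points discussed in the thread (added example; the
inputs below are constructed from the configuration quoted in the thread)."""

import re

# Constructed master.cf fragment: the stanza quoted in the thread, indented
# the way a real master.cf indents -o continuation lines.
MASTER_CF = """\
#smtp      inet  n       -       n       -       200     smtpd -vv
submission inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
"""

# Constructed /etc/sasl2/smtpd.conf as quoted in the thread.
SASL_SMTPD_CONF = """\
pwcheck_method: auxprop
auxprop_plugin: ldapdb
mech_list: PLAIN LOGIN NTLM CRAM-MD5 DIGEST-MD5
"""

# Constructed EHLO reply, taken from the openssl s_client session in the thread.
EHLO_REPLY = """\
250-PIPELINING
250-SIZE 36700160
250-AUTH DIGEST-MD5 CRAM-MD5 NTLM LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""

# Assumption: only PLAIN and LOGIN stay, which is acceptable because
# smtpd_tls_auth_only forces TLS before any AUTH command is accepted.
ALLOWED_MECHS = {"PLAIN", "LOGIN"}


def parse_master_cf(text):
    """Return {service: {option: value}} for uncommented master.cf entries.
    Lines beginning with '-o key=value' extend the preceding service."""
    services, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("-o"):
            m = re.match(r"-o\s+([^=]+)=(.*)$", line)
            if m and current is not None:
                services[current][m.group(1).strip()] = m.group(2).strip()
        else:
            fields = line.split()  # name type private unpriv chroot wakeup maxproc command
            current = fields[0]
            services[current] = {"type": fields[1], "command": fields[7]}
    return services


def parse_sasl_conf(text):
    """Parse the 'key: value' lines of a Cyrus SASL application config."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, _, value = line.partition(":")
            conf[key.strip()] = value.strip()
    return conf


def offered_auth_mechs(ehlo_reply):
    """Return the mechanisms advertised on the '250-AUTH ...' EHLO line."""
    for line in ehlo_reply.splitlines():
        m = re.match(r"250[- ]AUTH\s+(.*)$", line.strip())
        if m:
            return m.group(1).split()
    return []


def audit_submission(master_cf, sasl_conf, ehlo_reply=""):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    sub = parse_master_cf(master_cf).get("submission")
    if sub is None:
        return ["master.cf: no submission service defined"]
    for key, want in (("smtpd_tls_security_level", "encrypt"),
                      ("smtpd_tls_auth_only", "yes"),
                      ("smtpd_sasl_auth_enable", "yes")):
        if sub.get(key) != want:
            findings.append(f"submission: {key} should be '{want}'")
    relay = sub.get("smtpd_relay_restrictions", "").replace(" ", "")
    if relay != "permit_sasl_authenticated,reject":
        findings.append("submission: smtpd_relay_restrictions should be "
                        "'permit_sasl_authenticated,reject'")
    configured = set(parse_sasl_conf(sasl_conf).get("mech_list", "").upper().split())
    extra = sorted(configured - ALLOWED_MECHS)
    if extra:
        findings.append("sasl: mech_list offers mechanisms to drop: " + " ".join(extra))
    # Cross-check what the server actually advertised against the config.
    advertised = set(offered_auth_mechs(ehlo_reply))
    if advertised and advertised != configured:
        findings.append("ehlo: advertised AUTH list differs from mech_list")
    return findings


if __name__ == "__main__":
    for finding in audit_submission(MASTER_CF, SASL_SMTPD_CONF, EHLO_REPLY):
        print("FINDING:", finding)
```

Run against the thread's own configuration it reports only the over-broad mech_list; replacing that line with `mech_list: PLAIN LOGIN` makes the audit come back clean. The EHLO cross-check catches the case where smtpd.conf was edited but the server is still reading a different SASL config file.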