Alright... I know it's been a few weeks since I last addressed this issue.
I ended up reloading the server because I had screwed up a lot of stuff...

I'm now using the files from the /var/qmail/boot directory for my supervise scripts, specifically . . .

qmail-pop3d -> /var/qmail/boot/qmail-pop3d
qmail-send -> /var/qmail/boot/qmail
qmail-smtpd -> /var/qmail/boot/qmail-smtpd

It now attempts to query data from the ldap server across the 127.0.0.1 interface when I do SMTP auth. This is one step further than I was before... Thank you Tomas Kuliavas for pointing me in the right direction.

But I'm still getting authentication failures, ONLY with SMTP... I can do pop3 without a problem, so I don't think it's a password problem... unless pop3 expects a different encryption algorithm than smtp...

Here's some output when I put smtpd into loglevel 255 and then try to do smtp auth:

tcpserver: status: 1/50
tcpserver: pid 3870 from 207.179.69.3
tcpserver: ok 3870 mail.mydomain.org:server_ip_address:25 :207.179.69.3::1212 qmail-smtpd 3870: connection from 207.179.69.3 (unknown) to mail.mydomain.org
qmail-smtpd 3870: enabled options: smtp-auth
qmail-smtpd 3870: remote ehlo: laptop
qmail-smtpd 3870: auth login
qmail-smtpd 3870: authentication failed: authentication failure

qmail-smtpd 3870: quit, closing connection
tcpserver: end 3870 status 0
tcpserver: status: 0/50

Does anyone know what would cause SMTP to reject the password even though pop3 succeeds with the same password?

Thanks in advance,

-- Jason

----- Original Message -----
From: "Tomas Kuliavas" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Sunday, July 24, 2005 11:34 AM
Subject: Re: smtp auth


Can you reproduce your problem, if you use unmodified startup scripts
provided by qmail-ldap?

Well, Tomas, that takes us one step closer, I suppose.


After making this change, I no longer get the pbscheck errors, but qmail
still isn't querying from ldap as per our expectations. No ldap message
is being sent across the wire, and the SMTP request isn't being
authenticated for relaying. :(

Arrg... this is so frustrating.


Oh well.   Thanks for your help guys...   If you can think of anything
else, please let me know.

-- Jason



----- Original Message -----
From: "Tomas Kuliavas" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Friday, July 22, 2005 3:28 PM
Subject: Re: smtp auth



:allow,SMTPAUTH="",NOPBS=""


and rebuild tcp.smtp.cdb

Sameer,



You seem to be on to something. Doing the ldaplookups generated
the expected results, i.e. it returned the ldap info...

But when I did this



# cd /var/qmail/boot/qmail
# ./run &
# cd /var/qmail/boot/qmail-smtpd
# env LOGLEVEL=255 ./run



It outputs some pbscheck stuff about the controls:




[EMAIL PROTECTED] qmail-smtpd]# env LOGLEVEL=255 ./run
tcpserver: status: 0/50
tcpserver: status: 1/50
tcpserver: pid 5646 from <client_IP>
tcpserver: ok 5646 mail.mydomain.org:<Server_ip>:25 :<Client_IP>::56930
pbscheck unable to read controls
tcpserver: end 5646 status 256


It's worth noting that when I run the smtp server like this, my SMTP
client (outlook express) is NOT prompted for username and password
info... it sends a 554 error and closes the socket as soon as the
connection attempt is made... so I don't know if this test accurately
simulates the experience.

I went ahead and added the following line to the supervise/run script
to test...  dunno if this works the way that I think it does though:

#added this line
env LOGLEVEL=255

#this line was already there
exec /usr/local/bin/softlimit -m 4000000 ...... \ ..... \ .....

----- Original Message -----
From: "Sameer N Ingole" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Friday, July 22, 2005 2:29 AM
Subject: Re: smtp auth




Jason Folkens wrote:



Thomas,



I'm running RHEL3...  I downloaded and installed djbdns-1.05
before installing qmail, then downloaded qmail-1.03, and patched
it with qmail-ldap-1.03-20050401a.patch...  then I modified 3
lines in the makefile (uncommented the MDIRMAKE, HDIRMAKE, and
SHADOWLIBS lines)
and did a "make setup check"

ucspi-tcp-0.88 and daemontools-0.76 were also installed.

Here is the output from your commands:



# ls -l /var/qmail/control/ldappassword
-rw-r-----    1 root     nofiles        14 Jul 19 12:55 /var/qmail/control/ldappassword



Just to make sure I'm not crazy, I temporarily set it to
-rw-rw-rw-    1 root     nofiles        14 Jul 19 12:55 /var/qmail/control/ldappassword



but in either scenario, it still doesn't pass any ldap requests
across loopback when I do the SMTP auth, and the smtp auth
subsequently fails.

# cat /var/qmail/control/ldaprebind
cat: /var/qmail/control/ldaprebind: No such file or directory



# cat /etc/tcp.smtp
:allow,SMTPAUTH=""



I set it that way so I could test out smtp auth exclusively... I'll
exclude my lan once I know it works. Additionally, every time I
change that file, I do a

# qmailctl cdb



so it's running those rules right now as we speak. qmailctl is
almost a direct cut/paste from the one on the life-with-qmail website,
except I added some extra lines to take care of pop3.

I suggest you stop qmail using qmailctl script and test it like
this...


Run the following commands manually:

# /var/qmail/boot/qmail/run &
# cd /var/qmail/boot/qmail-smtpd
# env LOGLEVEL=255 ./run



Note that there is no "&" after ./run in the above command, so it will
output everything on the terminal, i.e. it will run in the foreground. Now
try sending mail and see what it says on the terminal where your
./run is running...

Also try this command and see if you can get something.



# cd /var/qmail/bin
# ./qmail-ldaplookup -u uid
# ./qmail-ldaplookup -m [EMAIL PROTECTED]



Use both uid and mail address [EMAIL PROTECTED] for the same user
(if they are different, like uid is jason and mail address is
[EMAIL PROTECTED]). If this returns the entire ldap entry for the uid
you supplied, your pop3 or imap should work unless you have some
problem elsewhere. If both return the same result, your ldap bind
is okay.

If things work we can look for something else to solve this prob..



----- Original Message -----
From: "Tomas Kuliavas" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Thursday, July 21, 2005 2:07 PM
Subject: Re: smtp auth



Your qmail-ldap version? If you use a patch older than 20050401
and it is compiled with TLS support and you already configured TLS
support in qmail-ldap, require TLS for SMTP AUTH:
SMTPAUTH="TLSREQUIRED"



ls -l /var/qmail/control/ldappassword

cat /var/qmail/control/ldaprebind

do you allow anonymous ldap lookups?

Have you added the SMTPAUTH variable to tcpserver's environment for smtp?


Qmail LDAP provides daemontools startup scripts and you don't
have to write custom startup scripts in most cases.

--
Tomas



Thanks, both Tomas and HyperAxe, for bringing that to my
attention. I'm still confused though.


I've made the permissions changes that you suggested, Tomas.




When I do an ethereal packet capture between the SMTP and LDAP
servers (actually capturing on loopback) I don't get any
connections to LDAP unless I'm doing pop3 requests... the SMTP
server denies the incoming relay attempt without even checking
the password with the ldap server.

If pop3 can connect (using the same files in the control
directory for credentials as SMTP), then there has got to be
another problem going on.

Is there any way to trace what files are being accessed
within a given timeframe... kinda like the linux equivalent
of winternals filemon? Just to verify that indeed there isn't
a file permissions issue here?

Moreover, whenever I attempt to smtpauth, it logs something
like this in /var/log/qmail/smtpd/current:



@4000000042dfba2a0e9832cc tcpserver: status: 1/20
@4000000042dfba2a0f62d5cc tcpserver: pid 12398 from <my-ip>
@4000000042dfba2a0fa3befc tcpserver: ok 12398 mail.mydomain.com:<servers-ip>:25 :<clients-ip>::48418
@4000000042dfba2f14df19fc tcpserver: end 12398 status 256
@4000000042dfba2f14df5494 tcpserver: status: 0/20




is there a way that I can change my qmail-smtpd/run/log or
qmail-smtpd/run script to log more helpful information?

Thanks again.  You guys have been ever so helpful!




-- Jason

----- Original Message -----
From: "Tomas Kuliavas" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Thursday, July 21, 2005 10:57 AM
Subject: Re: smtp auth





Thanks, HyperAxe. That fixed my immediate problem... Now it
actually tries to authenticate when I roam... which is
exactly what I wanted. :-)

The new problem is with authentication.  It rejects
whatever username/password combo that I put in...   I'm
guessing that relates with my failure to configure my
qmail-smtpd/run script correctly.


The Life with qmail-ldap book is outdated. The current version of
Qmail-LDAP does not need extra arguments in qmail-smtpd. Check
/var/qmail/boot/qmail-smtpd/run




Check mailing list history. I think information about
setting smtp auth in qmail-ldap was posted several times.

-----------------
Since the 20031001 patch QmailLDAP supports the SMTP authentication
protocol (rfc 2554). Use of the 20050401 patch or later is
recommended. Only the PLAIN authentication schema is supported.
CRAM-MD5 and DIGEST-MD5 authentication schemas are not implemented.
CRAM-MD5 requires features that are not enabled in qmail-ldap by
default. DIGEST-MD5 requires a specific user name layout (I think).

SMTP authentication is enabled by adding SMTPAUTH variable
to tcpserver's environment. If you use daemontools
(http://cr.yp.to/daemontools.html)
startup scripts supplied by qmail-ldap 20031101 or later,
you can do that by adding

<pre>
:allow,SMTPAUTH=""
</pre>




to /var/qmail/control/qmail-smtpd.rules and running the command
'make' in the /var/qmail/control directory.




If you set the SMTPAUTH value to TLSREQUIRED (SMTPAUTH="TLSREQUIRED"),
then authentication will work only in TLS encrypted sessions. See the
information about compiling and installing qmail ldap with TLS support.

In order to authenticate users, the smtp server's user (normally
qmaild) must be able to validate the password entered by the user
against the information stored in the LDAP userPassword field. Access
to this field is usually restricted, and the qmaild user does not
have enough privileges to access the ldap connection information.

There are two possible solutions to this problem.




First solution is to give read access rights to qmaild user
or nofiles group on /var/qmail/control/ldappassword
configuration file.

<pre>
# chgrp nofiles /var/qmail/control/ldappassword
# chmod 640 /var/qmail/control/ldappassword
</pre>




or

<pre>
# chmod 400 /var/qmail/control/ldappassword
# chown qmaild /var/qmail/control/ldappassword
</pre>




Second solution is to enable ldaprebind in
/var/qmail/control/ldaprebind.




<pre>
# echo 1 > /var/qmail/control/ldaprebind
</pre>




If ldap rebind is used, the qmaild user must be able to retrieve the
user's dn in an anonymous LDAP connection and authenticate to the LDAP
server with the retrieved user's dn and the password provided by the
user. The password schema used in the userPassword field must be
supported by the LDAP server's authentication system.

--
Tomas


Regards,



--
Sameer N. Ingole
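As an added example (not from any poster in this thread, and not part of qmail-ldap), the following Python checker applies the two conditions Tomas lays out above: SMTPAUTH must be present in the tcpserver rules, and the smtpd user must either be able to read /var/qmail/control/ldappassword (solution 1) or have /var/qmail/control/ldaprebind set to 1 (solution 2). It assumes the smtpd user is qmaild in group nofiles, and its sample inputs are constructed from the `ls -l` and tcp.smtp lines shown in the thread.

```python
import re
from typing import Dict, Optional, Set

# Constructed sample inputs, modelled on the values shown in this thread (not from a real host).
LS_LINE = "-rw-r-----    1 root     nofiles        14 Jul 19 12:55 /var/qmail/control/ldappassword"
RULES_LINE = ':allow,SMTPAUTH=""'

# Leading fields of one `ls -l` line: type, nine permission bits (optional ACL/SELinux
# marker), link count, owner, group, size. Only mode, owner and group are captured.
_LS_RE = re.compile(r"^[-dl]([rwxsStT-]{9})[.+]?\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s")


def parse_ls(line: str):
    """Return (mode, owner, group) from an `ls -l` line; raise on anything else."""
    m = _LS_RE.match(line)
    if not m:
        raise ValueError("not an ls -l line: %r" % line)
    return m.group(1), m.group(2), m.group(3)


def can_read(mode: str, owner: str, group: str, user: str, groups: Set[str]) -> bool:
    """POSIX read check: the owner class decides first, then the group class, then other."""
    if user == owner:
        return mode[0] == "r"
    if group in groups:
        return mode[3] == "r"
    return mode[6] == "r"


def diagnose(ls_line: str, ldaprebind: Optional[str], rules: str,
             user: str = "qmaild", groups: Optional[Set[str]] = None) -> Dict[str, bool]:
    """Evaluate the thread's conditions. `ldaprebind` is the file's content, or None when the
    file is absent (the "No such file or directory" case). qmaild in group nofiles is assumed."""
    groups = groups or {"nofiles"}
    mode, owner, group = parse_ls(ls_line)
    readable = can_read(mode, owner, group, user, groups)
    rebind = ldaprebind is not None and ldaprebind.strip() == "1"
    smtpauth = "SMTPAUTH=" in rules
    return {
        "smtpauth_enabled": smtpauth,
        "tls_required": 'SMTPAUTH="TLSREQUIRED"' in rules,
        "ldappassword_readable": readable,   # solution 1
        "ldaprebind_enabled": rebind,        # solution 2
        "auth_can_bind": smtpauth and (readable or rebind),
    }


if __name__ == "__main__":
    for key, value in diagnose(LS_LINE, None, RULES_LINE).items():
        print("%-22s %s" % (key, value))
```

Feed it the real `ls -l`, ldaprebind and rules lines from a host to see which of the two solutions is in effect before digging into startup scripts, as the thread eventually did.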