Re: A question about Postfix and virus scanning
Stan,

Thank you a lot for all this valuable information. Your reply proved that there exist some circumstances where nothing can help but experience. Thanks again.

Regarding the points mentioned in your mail, I would like to ask a question concerning what Wietse proposed. Does the usage of milter help? I mean, is the milter architecture considered a way to kill spam load _before_ piping inbound connections to AS/AV content filter daemons? Or is achieving that goal just through configuring Postfix itself?

Thanks again Stan.

Warm Regards
Ali Majdzadeh Kohbanani

2009/12/1 Stan Hoeppner s...@hardwarefreak.com

> Ali Majdzadeh put forth on 12/1/2009 12:25 AM:
>
> > Dear friends,
> > Thanks for this nice discussion. Actually, as a project, we are going to deliver an e-mail architecture which supports over 100 users. We use Postfix, courier-imap, amavisd-new, spamassassin and clamav and of course the tools needed to balance the load between multiple instances of the mentioned tools. We use specmail to test our architecture. Recently, we have introduced our intended e-mail filtering platform consisting of amavisd-new, spamassassin and clamav to the architecture and we have observed a significant delivery time decrease regarding Postfix. As a way out, we thought of the ways which made it possible to do offline virus scanning, but actually we have found that amavisd-new together with its filtering tools is a serious performance bottleneck. I really appreciate suggestions regarding this scenario.
>
> Hi Ali,
>
> First off, this is an edge solution, correct? These Postfix servers are MX hosts? If so...
>
> I humbly, but seriously, suggest you hire Victor or another highly qualified Postfix engineer to assist you with architecting your 1 million user solution.
>
> Also, SpecMail 2009 is not a valid test of what your real world mail stream will be once you go live. You absolutely cannot rely on this benchmark to give you realistic feedback on the performance of your architecture. It doesn't, and cannot, simulate real spam streams. And spam attempts will be 50-90% of your real world connection load.
>
>     Summary: SPECmail2009
>
>     The SPECmail2009 benchmark measures the ability of corporate e-mail systems to meet today's demanding e-mail users over fast corporate local area networks (LAN). The SPECmail2009 benchmark simulates corporate mail server workloads that range from 250 to 10,000 or more users, using industry standard SMTP and IMAP4 protocols. This e-mail server benchmark creates client workloads based on a 40,000 user corporation, and uses folder and message MIME structures that include both traditional office documents and a variety of rich media content. The benchmark also adds support for encrypted network connections using industry standard SSL v3.0 and TLS 1.0 technology.
>
>     SPECmail2009 replaces all versions of SPECmail2008, first released in August 2008. The results from the two benchmarks are not comparable. With the availability of SPECmail2009, SPEC has retired the SPECmail2008 benchmark. SPEC will stop accepting new SPECmail2008 results as of the submission deadline on June 12, 2009.
>
> For a 1 million user system, you absolutely need to kill 90%+ of your spam load _before_ piping inbound connections to your AS/AV content filter daemons. You are seeing why already with the results of this synthetic benchmark pumping only _legit_ mail through your system.
>
> Of your inbound spam, you should be able to kill on the order of 50-80% or more, with merely the following, _BEFORE_ piping to SpamAssassin, clamav, or amavisd-new:
>
>     smtpd_client_restrictions =
>         reject_unknown_client_hostname
>         reject_unauth_pipelining
>
>     smtpd_sender_restrictions =
>         reject_non_fqdn_sender
>
>     smtpd_helo_required = yes
>     smtpd_helo_restrictions =
>         reject_non_fqdn_helo_hostname
>         reject_invalid_helo_hostname
>         reject_unknown_helo_hostname
>
>     smtpd_recipient_restrictions =
>         permit_mynetworks
>         reject_unauth_destination
>         reject_unlisted_recipient
>         reject_rbl_client zen.spamhaus.org
>         check_policy_service inet:127.0.0.1:6
>
> For a 1 million user site, you'll need to make arrangements with Spamhaus to get access to the Data Feed Service. The above usage example is for smaller sites with low query rates. You'd need to run rbldnsd on your postfix servers or mirror the Spamhaus zone(s) on a local dns server. That's beyond the scope of this email.
>
> The policy service above is the Postfix greylisting daemon called postgrey. It is very effective against residential broadband infected PCs, or botnets. It will kill a ton of spam without consuming near the resources of content filters.
>
> The bulk of efficient spam blocking is performed based on the following:
>
> 1. Client IP address reputation (think dnsbl, local block lists)
> 2. Client FCrDNS (PTR name), lack thereof or generic (think dsl/cable)
> 3. Improper HELO
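Stan's point, and Thomas Harold's question later in the thread ("how much are you blocking at SMTP time and how much is getting through to amavisd?"), both come down to measuring how much of the inbound stream the smtpd restrictions reject before anything reaches the content filters. The following Python script is an added example, not code from the thread or from the Postfix project: it reads smtpd log lines, buckets each NOQUEUE reject by the restriction that produced it (unknown client hostname, DNSBL, greylisting, HELO, sender, recipient), counts accepted connections, and reports the fraction stopped at SMTP time. The log lines are constructed for the example; the category strings are the reply texts Postfix and postgrey normally emit, and the bucket names are my own.

```python
import re
from collections import Counter

# Constructed sample lines in the format Postfix smtpd writes to the mail log
# (made up for this example, not taken from the thread).
SAMPLE_LOG = """\
Dec  1 10:01:02 mx1 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.7.1 Client host rejected: cannot find your hostname, [192.0.2.10]; from=<a@example.net> to=<u@example.com> proto=ESMTP helo=<localhost>
Dec  1 10:01:03 mx1 postfix/smtpd[1234]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.5]: 554 5.7.1 Service unavailable; Client host [198.51.100.5] blocked using zen.spamhaus.org; from=<x@example.org> to=<u@example.com> proto=ESMTP helo=<mail.example.org>
Dec  1 10:01:04 mx1 postfix/smtpd[1235]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 450 4.2.0 <u@example.com>: Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/example.com.html; from=<b@example.net> to=<u@example.com> proto=SMTP helo=<dsl-203-0-113-7.example>
Dec  1 10:01:05 mx1 postfix/smtpd[1236]: 3F2A1C0F: client=relay.example.com[198.51.100.20]
Dec  1 10:01:06 mx1 postfix/smtpd[1236]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 504 5.5.2 <foo>: Helo command rejected: need fully-qualified hostname; from=<c@example.net> to=<u@example.com> proto=ESMTP helo=<foo>
"""

# A reject at any SMTP stage: "NOQUEUE: reject: <STAGE> from <client>: <code> <reason>; from=<...".
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: \w+ from (?P<client>\S+): "
    r"(?P<code>\d{3}) (?P<reason>.*?); from=<"
)
# A message that was accepted into the queue: "<QUEUEID>: client=<name>[<ip>]".
ACCEPT_RE = re.compile(r"postfix/smtpd\[\d+\]: [0-9A-F]+: client=(?P<client>\S+)")

# Ordered (bucket, substring of the reject reason). Greylisting is checked before
# the generic "Recipient address rejected" text because postgrey's reply contains both.
CATEGORIES = [
    ("greylist", "Greylisted"),
    ("dnsbl", "blocked using"),
    ("client_hostname", "cannot find your hostname"),
    ("helo", "Helo command rejected"),
    ("sender", "Sender address rejected"),
    ("recipient", "Recipient address rejected"),
]


def classify(reason):
    """Map a reject reason text to the restriction bucket that produced it."""
    for name, needle in CATEGORIES:
        if needle in reason:
            return name
    return "other"


def summarize(log_text):
    """Count rejects per bucket ("reject:<bucket>") and accepted messages ("accepted")."""
    counts = Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            counts["reject:" + classify(m.group("reason"))] += 1
            continue
        if ACCEPT_RE.search(line):
            counts["accepted"] += 1
    return counts


def blocked_fraction(counts):
    """Share of SMTP transactions stopped before the content filter ever saw them."""
    rejected = sum(v for k, v in counts.items() if k.startswith("reject:"))
    total = rejected + counts.get("accepted", 0)
    return rejected / total if total else 0.0


if __name__ == "__main__":
    c = summarize(SAMPLE_LOG)
    for key, n in sorted(c.items()):
        print(f"{key:24s} {n}")
    print(f"blocked at SMTP time: {blocked_fraction(c):.0%}")
```

Run it against a real log with `summarize(open("/var/log/mail.log").read())`; the accepted count is what amavisd-new actually has to score, and a low blocked fraction means the restrictions above are not doing their share of the work.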
Re: A question about Postfix and virus scanning
Wietse,

Hi
Thanks for your reply. I recall that I had read about another filtering option available in Postfix which was called smtpd_proxy_filter (if I spell it correctly) and which filtered messages before queuing. So, is there any difference between the so-called method and using Milter?

Thanks again.

Kind Regards
Ali Majdzadeh Kohbanani

2009/12/1 Wietse Venema wie...@porcupine.org

> Ali Majdzadeh:
> > question concerning what Wietse proposed. Does the usage of milter help? I mean, is the milter architecture considered a way to kill spam load _before_ piping inbound connections to AS/AV content filter daemons? Or,
>
> Milter is a way to inspect or update message content without making extra copies of the message. It has some scaling issues: 1) it processes mail before-queue, which some will find a feature, and 2) all requests are handled by one Milter process; the latter may be addressed by using a third-party multiplexer that spreads requests across multiple milter process instances.
>
> As a general rule, the earlier you can block mail, the better. In some countries, the inbound SMTP session is the only place where you can block incoming mail, because mail cannot be discarded. The postscreen program (www.postfix.org/wip.html) takes this a little further by keeping the bots away from the SMTP server.
>
> Unfortunately, I can't be of much further help here. 1M users is a thousand times beyond my first-hand experience, and that was before SPAM became a problem.
>
> Wietse
Re: A question about Postfix and virus scanning
Wietse,

Thanks for all these useful points. I will inform the list about the results of our tests regarding the issue.

Warm Regards
Ali Majdzadeh Kohbanani

2009/12/1 Wietse Venema wie...@porcupine.org

> Ali Majdzadeh:
> > Wietse,
> > Hi
> > Thanks for your reply. I recall that I had read about another filtering option available in Postfix which was called smtpd_proxy_filter (if I spell it correctly) and which filtered messages before queuing. So, is there any difference between the so-called method and using Milter?
> > Thanks again.
>
> Both Milter and smtpd_proxy_filter process mail before it is queued. The smtpd_proxy_filter approach is more general (it uses SMTP instead of the Milter protocol). I haven't done performance comparisons.
>
> If your performance is inadequate, I suggest that you do a detailed system performance analysis to find out if the limit is CPU, memory, file I/O or perhaps some trivial DNS configuration problem.
>
> Wietse
Re: A question about Postfix and virus scanning
Stan,

Hi
Thanks for your detailed response. Actually, the main reason which drove us toward performing virus scanning as an offline process was performance. As we deal with large amounts of e-mail, we found the way amavisd-new or other filtering management tools perform filtering too slow. We intended to somehow decrease the amount of load which amavisd-new or similar tools impose on the architecture.

Kind Regards
Ali Majdzadeh Kohbanani

2009/11/30 Stan Hoeppner s...@hardwarefreak.com

> Ali Majdzadeh put forth on 11/30/2009 12:28 AM:
>
> > Hello all,
> > I do not know whether here is the right place to ask this question or not, but I would like to know if it is a good idea to perform offline e-mail virus scanning. By offline, I mean a scenario in which e-mail filtering management tools (like amavisd-new) do not hand out received e-mails to virus scanners (like clamav); instead, virus scanning is performed on mailboxes as regular files on the file system. Does anyone have any experience regarding this scenario? Is this scenario at all sane or applicable?
>
> Why would you ever want to write a virus to a user mailbox and then scan it later? Unless you have a flawless realtime virus scanner daemon that checks every file as it's written to the file system, you open up the possibility that a user will open that mail file containing the virus before the system quarantines or deletes it. Why would you not want to identify a viral payload as soon as it hits your MTA, and delete it immediately? This is analogous to waiting until the home invaders have entered your children's bedroom to call the police, instead of calling the police when you heard the front door being kicked down.
>
> Back in the day (maybe still) virus scanner plugins for Microsoft Exchange worked in a similar fashion. And on occasion, disaster struck as a result of it, with a user's Outlook client pulling the viral email before the A/V plugin was able to scan it. IIRC, the reason for this was twofold: First, Microsoft had no interface to allow third party scanners to look at queue files directly, because doing so would literally break Exchange. Second, because Exchange stores all mail files in a database instead of as individual files, A/V vendors were required to write SQL-like queries to scan the records within the database. Exchange is anything but a realtime database. Because of this architecture, and the potentially large time delays created by a loaded system, it was impossible to guarantee anything close to realtime scanning of inbound mail. I believe MS has since changed the architecture to allow A/V scanning of mail whilst it's in the inbound queue. It's been a long time since I dealt with Exchange, the above architectural short-sightedness being one of the reasons for that.
>
> In summary, scan the mail as it enters the edge MTA, and deal with viri at that point in time. There may be extreme border cases for very large orgs where a tiered mail delivery approach and downstream A/V scanning is desirable, but I'm guessing your org doesn't fit in such a case.
>
> --
> Stan
Re: A question about Postfix and virus scanning
Dear friends,

Thanks for this nice discussion. Actually, as a project, we are going to deliver an e-mail architecture which supports over 100 users. We use Postfix, courier-imap, amavisd-new, spamassassin and clamav and of course the tools needed to balance the load between multiple instances of the mentioned tools. We use specmail to test our architecture. Recently, we have introduced our intended e-mail filtering platform consisting of amavisd-new, spamassassin and clamav to the architecture and we have observed a significant delivery time decrease regarding Postfix. As a way out, we thought of the ways which made it possible to do offline virus scanning, but actually we have found that amavisd-new together with its filtering tools is a serious performance bottleneck. I really appreciate suggestions regarding this scenario.

Warm Regards
Ali Majdzadeh Kohbanani

2009/12/1 Thomas Harold thomas-li...@nybeta.com

> On 11/30/2009 3:11 AM, Ali Majdzadeh wrote:
> > Stan,
> > Hi
> > Thanks for your detailed response. Actually, the main reason which drove us toward performing virus scanning as an offline process was performance. As we deal with large amounts of e-mail, we found the way amavisd-new or other filtering management tools perform filtering too slow. We intended to somehow decrease the amount of load which amavisd-new or similar tools impose on the architecture.
>
> Did you only try virus filtering within amavisd-new, or did you also try using the clamav-milter at SMTP time? How much are you blocking at SMTP time and how much is getting through to amavisd for scoring?
>
> (On a side note, I'm curious whether the new clamav milter in ClamAV 0.95 is faster and better than letting the messages reach amavisd-new. I use the clamav-milter and have disabled virus scanning on the amavisd-new side.)
A question about Postfix and virus scanning
Hello all,

I do not know whether here is the right place to ask this question or not, but I would like to know if it is a good idea to perform offline e-mail virus scanning. By offline, I mean a scenario in which e-mail filtering management tools (like amavisd-new) do not hand out received e-mails to virus scanners (like clamav); instead, virus scanning is performed on mailboxes as regular files on the file system. Does anyone have any experience regarding this scenario? Is this scenario at all sane or applicable?

Kind Regards
Ali Majdzadeh Kohbanani
Re: A question about Postfix and virus scanning
Egoitz,

Hi
Thanks for your mail. I have used amavisd-new but unfortunately it cannot handle e-mail scanning in offline mode. Anyway, thanks a lot.

Kind Regards
Ali Majdzadeh Kohbanani

2009/11/30 ego...@ramattack.net

> Hi Ali,
>
> The scenario you're describing is not a good idea because you don't know when your users are going to check their mail accounts. If you want a scalable email checking system, and after-queue for avoiding slow responses from your smtpd daemons, try amavisd-new.
>
> Bye!!
>
> > Hello all,
> > I do not know whether here is the right place to ask this question or not, but I would like to know if it is a good idea to perform offline e-mail virus scanning. By offline, I mean a scenario in which e-mail filtering management tools (like amavisd-new) do not hand out received e-mails to virus scanners (like clamav); instead, virus scanning is performed on mailboxes as regular files on the file system. Does anyone have any experience regarding this scenario? Is this scenario at all sane or applicable?
> >
> > Kind Regards
> > Ali Majdzadeh Kohbanani
Re: A question about plain and cram-md5 authentication mechanisms
Patrick,

Hi
Thanks for your mail. I use the following options in smtpd.conf:

    mech_list: gssapi plain
    pwcheck_method: saslauthd
    saslauthd_path: /var/run/saslauthd/mux
    keytab: /etc/krb5.keytab

and I am able to use the GSSAPI and PLAIN (over PAM using pam_krb5.so) mechanisms. How is it possible to add the cram-md5 mechanism? By the way, I do know about sasldb and auxprop, but what I plan to achieve is to have the cram-md5 mechanism while supporting the plain mechanism using saslauthd, PAM and pam_krb5.so. I have got no problems using native GSSAPI support.

Kind Regards
Ali Majdzadeh Kohbanani

2009/11/11 Magnus Bäck mag...@dsek.lth.se

> On Wed, November 11, 2009 8:16 am, Ali Majdzadeh said:
> > Thanks for your mail. I use the following options in smtpd.conf:
>
> Reply to the list, not to me. I'm setting the Reply-To header for a reason.
>
> --
> Magnus Bäck
> mag...@dsek.lth.se
Re: A question about plain and cram-md5 authentication mechanisms
Suomi,

Thanks for your mail. I do not use LDAP; instead I use PAM and I want to have the following authentication mechanisms together:

    PLAIN (over PAM, pam_krb5.so and saslauthd)
    GSSAPI
    CRAM-MD5

Currently, two of these work fine together, plain and gssapi, but I am not able to get cram-md5 working.

Kind Regards
Ali Majdzadeh Kohbanani

2009/11/11 Ali Majdzadeh ali.majdza...@gmail.com

> Suomi,
> Thanks for your mail. I do not use LDAP; instead I use PAM and I want to have the following authentication mechanisms together:
>
>     PLAIN (over PAM, pam_krb5.so and saslauthd)
>     GSSAPI
>     CRAM-MD5
>
> Currently, two of these work fine together, plain and gssapi, but I am not able to get cram-md5 working.
>
> Kind Regards
> Ali Majdzadeh Kohbanani
>
> 2009/11/11 suomi post...@ayni.com
>
> > Hi Ali
> > i had problems using login, plain, cram-md5 and digest-md5 (all together) through saslauthd. At this site, all mail parameters are in LDAP, so i had to tell saslauthd to get the authentication parameters from LDAP. For the tests, i had inserted the passwords in plaintext into LDAP. But as soon as saslauthd saw that it had to go via LDAP, it asked for /etc/sasldb2 and wanted to go via auxprop. i did not test any further then and went back to using auxprop with /etc/sasldb2. See also my submission dated 9/24/2009
> > suomi
> >
> > On 2009-11-11 08:51, Ali Majdzadeh wrote:
> > > Patrick,
> > > Hi
> > > Thanks for your mail. I use the following options in smtpd.conf:
> > >
> > >     mech_list: gssapi plain
> > >     pwcheck_method: saslauthd
> > >     saslauthd_path: /var/run/saslauthd/mux
> > >     keytab: /etc/krb5.keytab
> > >
> > > and I am able to use the GSSAPI and PLAIN (over PAM using pam_krb5.so) mechanisms. How is it possible to add the cram-md5 mechanism? By the way, I do know about sasldb and auxprop, but what I plan to achieve is to have the cram-md5 mechanism while supporting the plain mechanism using saslauthd, PAM and pam_krb5.so. I have got no problems using native GSSAPI support.
> > >
> > > Kind Regards
> > > Ali Majdzadeh Kohbanani
> > >
> > > 2009/11/11 Patrick Ben Koetter p...@state-of-mind.de
> > >
> > > > * Ali Majdzadeh ali.majdza...@gmail.com:
> > > > > Hello All
> > > > > Is it possible to have both PLAIN and CRAM-MD5 authentication mechanisms using SASL?
> > > >
> > > > Yes. The password must be stored as plaintext. Then plaintext and shared-secret mechanisms will work.
> > > >
> > > > p...@rick
> > > >
> > > > --
> > > > All technical questions asked privately will be automatically answered on the list and archived for public access unless privacy is explicitly required and justified.
> > > >
> > > > saslfinger (debugging SMTP AUTH):
> > > > http://postfix.state-of-mind.de/patrick.koetter/saslfinger/
Re: A question about plain and cram-md5 authentication mechanisms
Patrick,

Thanks for your reply. So if I have concluded correctly, the following configuration is the one which should bring together the gssapi, plain and cram-md5 authentication mechanisms:

    pwcheck_method: saslauthd auxprop
    mech_list: gssapi plain cram-md5
    saslauthd_path: /var/run/saslauthd/mux
    keytab: /etc/krb5.keytab
    auxprop_plugin: sasldb

But, you say that currently this does not work. True? What about ldapdb? I mean, is there actually any way to achieve such a setup? Is it possible to use ldapdb in a way that eliminates the need to duplicate the credentials?

Kind Regards
Ali Majdzadeh Kohbanani

2009/11/11 Patrick Ben Koetter p...@state-of-mind.de

> * Ali Majdzadeh ali.majdza...@gmail.com:
> > Patrick,
> > Hi
> > Thanks for your mail. I use the following options in smtpd.conf:
> >
> >     mech_list: gssapi plain
> >     pwcheck_method: saslauthd
> >     saslauthd_path: /var/run/saslauthd/mux
> >     keytab: /etc/krb5.keytab
> >
> > and I am able to use the GSSAPI and PLAIN (over PAM using pam_krb5.so) mechanisms. How is it possible to add the cram-md5 mechanism?
>
> Sorry, but no. saslauthd is unable to handle shared-secret mechanisms.
>
> You could, theoretically, tell libsasl to query different pwcheck_methods like this:
>
>     pwcheck_method: saslauthd auxprop
>     mech_list: gssapi plain cram-md5
>     saslauthd_path: /var/run/saslauthd/mux
>     keytab: /etc/krb5.keytab
>     auxprop_plugin: sasldb
>
> libsasl would first try verification using saslauthd and if that fails it would turn to auxprop sasldb. This backend COULD provide cram-md5, but you would have to provide credentials in your kerberos backend AND in sasldb, which IMHO is a pain to support and somehow renders all the security efforts for GSSAPI and kerberos useless, because you store the same credentials in plaintext in a local database file.
>
> > By the way, I do know about sasldb and auxprop, but what I plan to achieve is to have the cram-md5 mechanism while supporting the plain mechanism using saslauthd, PAM and pam_krb5.so. I have got no problems using native GSSAPI support.
>
> AFAIK this is not possible at the moment.
>
> p...@rick
>
> > Kind Regards
> > Ali Majdzadeh Kohbanani
> >
> > 2009/11/11 Patrick Ben Koetter p...@state-of-mind.de
> >
> > > * Ali Majdzadeh ali.majdza...@gmail.com:
> > > > Hello All
> > > > Is it possible to have both PLAIN and CRAM-MD5 authentication mechanisms using SASL?
> > >
> > > Yes. The password must be stored as plaintext. Then plaintext and shared-secret mechanisms will work.
> > >
> > > p...@rick
>
> --
> All technical questions asked privately will be automatically answered on the list and archived for public access unless privacy is explicitly required and justified.
>
> saslfinger (debugging SMTP AUTH):
> http://postfix.state-of-mind.de/patrick.koetter/saslfinger/
Re: A question about plain and cram-md5 authentication mechanisms
Patrick,

Thanks a lot for your help. I will test the mentioned configuration and will post the results to the list. I hope it works. Unfortunately, I do not have so much knowledge about LDAP, but I do know that it is possible to store Kerberos principals in an LDAP structure. Well, I don't know whether that is useful or not. Thanks again.

Kind Regards
Ali Majdzadeh Kohbanani

2009/11/11, Patrick Ben Koetter p...@state-of-mind.de:

> * Ali Majdzadeh ali.majdza...@gmail.com:
> > Patrick,
> > Thanks for your reply. So if I have concluded correctly, the following configuration is the one which should bring together the gssapi, plain and cram-md5 authentication mechanisms:
>
> It should. I have never done this myself.
>
> >     pwcheck_method: saslauthd auxprop
> >     mech_list: gssapi plain cram-md5
> >     saslauthd_path: /var/run/saslauthd/mux
> >     keytab: /etc/krb5.keytab
> >     auxprop_plugin: sasldb
> >
> > But, you say that currently this does not work. True?
>
> It does not work if you use saslauthd alone. You need an auxprop_plugin to get access to shared-secret mechs.
>
> > What about ldapdb? I mean, is there actually any way to achieve such a setup?
>
> ldapdb gives access to OpenLDAP. If (!) you store the userpassword values in plaintext, then you can use shared-secret mechanisms, such as CRAM-MD5 (and also DIGEST-MD5 and NTLM).
>
> > Is it possible to use ldapdb in a way that eliminates the need to duplicate the credentials?
>
> AFAIK you still need to run ldapdb - OpenLDAP and Kerberos in parallel. Single entry password maintenance should be possible using an OpenLDAP overlay, which IIRC changes passwords in OpenLDAP and kerberos at the same time. I don't remember the overlay's name, though. Maybe it's best to ask the openldap mailing list how you can use kerberos and LDAP at the same time and then see how that goes together with SMTP AUTH.
>
> p...@rick
>
> > Kind Regards
> > Ali Majdzadeh Kohbanani
> >
> > 2009/11/11 Patrick Ben Koetter p...@state-of-mind.de
> >
> > > * Ali Majdzadeh ali.majdza...@gmail.com:
> > > > Patrick,
> > > > Hi
> > > > Thanks for your mail. I use the following options in smtpd.conf:
> > > >
> > > >     mech_list: gssapi plain
> > > >     pwcheck_method: saslauthd
> > > >     saslauthd_path: /var/run/saslauthd/mux
> > > >     keytab: /etc/krb5.keytab
> > > >
> > > > and I am able to use the GSSAPI and PLAIN (over PAM using pam_krb5.so) mechanisms. How is it possible to add the cram-md5 mechanism?
> > >
> > > Sorry, but no. saslauthd is unable to handle shared-secret mechanisms.
> > >
> > > You could, theoretically, tell libsasl to query different pwcheck_methods like this:
> > >
> > >     pwcheck_method: saslauthd auxprop
> > >     mech_list: gssapi plain cram-md5
> > >     saslauthd_path: /var/run/saslauthd/mux
> > >     keytab: /etc/krb5.keytab
> > >     auxprop_plugin: sasldb
> > >
> > > libsasl would first try verification using saslauthd and if that fails it would turn to auxprop sasldb. This backend COULD provide cram-md5, but you would have to provide credentials in your kerberos backend AND in sasldb, which IMHO is a pain to support and somehow renders all the security efforts for GSSAPI and kerberos useless, because you store the same credentials in plaintext in a local database file.
> > >
> > > > By the way, I do know about sasldb and auxprop, but what I plan to achieve is to have the cram-md5 mechanism while supporting the plain mechanism using saslauthd, PAM and pam_krb5.so. I have got no problems using native GSSAPI support.
> > >
> > > AFAIK this is not possible at the moment.
> > >
> > > p...@rick
> > >
> > > > Kind Regards
> > > > Ali Majdzadeh Kohbanani
> > > >
> > > > 2009/11/11 Patrick Ben Koetter p...@state-of-mind.de
> > > >
> > > > > * Ali Majdzadeh ali.majdza...@gmail.com:
> > > > > > Hello All
> > > > > > Is it possible to have both PLAIN and CRAM-MD5 authentication mechanisms using SASL?
> > > > >
> > > > > Yes. The password must be stored as plaintext. Then plaintext and shared-secret mechanisms will work.
> > > > >
> > > > > p...@rick
>
> --
> All technical questions asked privately will be automatically answered on the list and archived for public access unless privacy is explicitly required and justified.
>
> saslfinger (debugging SMTP AUTH):
> http://postfix.state-of-mind.de/patrick.koetter/saslfinger/
Re: A question about plain and cram-md5 authentication mechanisms
Viktor,

Thanks for your attention. You are right, but unfortunately we have got some in-house developed mail clients which are bound to use the cram-md5 authentication mechanism. Well, I think I should investigate integrating LDAP into our architecture and figure out the new opportunities. Thanks again.

Kind Regards
Ali Majdzadeh Kohbanani

2009/11/11, Victor Duchovni victor.ducho...@morganstanley.com:

> On Wed, Nov 11, 2009 at 11:21:33AM +0330, Ali Majdzadeh wrote:
> >     mech_list: gssapi plain
> >     pwcheck_method: saslauthd
> >     saslauthd_path: /var/run/saslauthd/mux
> >     keytab: /etc/krb5.keytab
> >
> > and I am able to use the GSSAPI and PLAIN (over PAM using pam_krb5.so) mechanisms. How is it possible to add the cram-md5 mechanism?
>
> Why bother? Between GSSAPI and PLAIN, you are offering both ends of the spectrum. Cram-md5 just forces you to store plain-text passwords, which is rarely a good idea.
>
> --
> Viktor.
>
> Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the Reply-To header.
>
> To unsubscribe from the postfix-users list, visit http://www.postfix.org/lists.html or click the link below:
> mailto:majord...@postfix.org?body=unsubscribe%20postfix-users
>
> If my response solves your problem, the best way to thank me is to not send an "it worked, thanks" follow-up. If you must respond, please put "It worked, thanks" in the Subject so I can delete these quickly.
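Patrick's point earlier in the thread (shared-secret mechanisms need the password stored in plaintext) and Viktor's remark here (CRAM-MD5 "forces you to store plain-text passwords") follow directly from how the mechanism works: the server must be able to recompute the client's keyed digest, and it can only do that if it holds the same secret the client used. The following Python script is an added example, not code from the thread, from Cyrus SASL or from Postfix. It implements the CRAM-MD5 exchange from RFC 2195 (HMAC-MD5 keyed with the password over a server challenge) and then runs the same verification against two constructed credential stores, one holding the plaintext password and one holding only a SHA-256 hash of it, to show that the second cannot authenticate anyone. The host name in the challenge and the credential stores are placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import time


def make_challenge(hostname="mx.example.com"):
    """Server challenge in the RFC 2195 shape <random.timestamp@host>; hostname is a placeholder."""
    return f"<{secrets.randbits(64)}.{int(time.time())}@{hostname}>"


def client_response(username, password, challenge):
    """Client side: HMAC-MD5 keyed with the password over the challenge, sent as 'user hexdigest' in base64."""
    digest = hmac.new(password.encode("utf-8"), challenge.encode("utf-8"), hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode("utf-8")).decode("ascii")


def server_verify(response_b64, challenge, lookup_secret):
    """Server side: recompute the HMAC with whatever secret the backend holds for the user and compare.

    lookup_secret(username) returns the stored secret string or None for unknown users.
    Verification can only succeed if that stored secret is the same string the client keyed with,
    which is why a hashed password store cannot serve CRAM-MD5.
    """
    try:
        raw = base64.b64decode(response_b64, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    username, sep, digest = raw.rpartition(" ")
    if not sep or not username:
        return False
    secret = lookup_secret(username)
    if secret is None:
        return False
    expected = hmac.new(secret.encode("utf-8"), challenge.encode("utf-8"), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


# Two constructed credential stores for the same user and password (placeholders).
PLAINTEXT_STORE = {"ali": "correct horse"}
HASHED_STORE = {"ali": hashlib.sha256(b"correct horse").hexdigest()}


def verify_with(store, username, password, challenge):
    """Run one full client/server exchange against the given store."""
    return server_verify(client_response(username, password, challenge), challenge, store.get)


if __name__ == "__main__":
    ch = make_challenge()
    print("challenge:", ch)
    print("plaintext store, right password:", verify_with(PLAINTEXT_STORE, "ali", "correct horse", ch))
    print("plaintext store, wrong password:", verify_with(PLAINTEXT_STORE, "ali", "wrong", ch))
    print("hashed store, right password:   ", verify_with(HASHED_STORE, "ali", "correct horse", ch))
```

The hashed store fails even with the correct password because the server keys its HMAC with the hash while the client keyed with the password. That is the trade-off the thread is circling: CRAM-MD5 keeps the password off the wire, at the cost of keeping it in the clear on the server, whereas PLAIN over a TLS-protected session keeps the server side hashed or delegated to Kerberos, as Ali's saslauthd/pam_krb5 setup already does.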
Re: A question about plain and cram-md5 authentication mechanisms
Patrick,

Hi
Thanks for your mail. I use the following options in smtpd.conf:

    mech_list: gssapi plain
    pwcheck_method: saslauthd
    saslauthd_path: /var/run/saslauthd/mux
    keytab: /etc/krb5.keytab

and I am able to use the GSSAPI and PLAIN (over PAM using pam_krb5.so) mechanisms. How is it possible to add the cram-md5 mechanism? By the way, I do know about sasldb and auxprop, but what I plan to achieve is to have the cram-md5 mechanism while supporting the plain mechanism using saslauthd, PAM and pam_krb5.so. I have got no problems using native GSSAPI support.

Kind Regards
Ali Majdzadeh Kohbanani

2009/11/11 Patrick Ben Koetter p...@state-of-mind.de

> * Ali Majdzadeh ali.majdza...@gmail.com:
> > Hello All
> > Is it possible to have both PLAIN and CRAM-MD5 authentication mechanisms using SASL?
>
> Yes. The password must be stored as plaintext. Then plaintext and shared-secret mechanisms will work.
>
> p...@rick
>
> --
> All technical questions asked privately will be automatically answered on the list and archived for public access unless privacy is explicitly required and justified.
>
> saslfinger (debugging SMTP AUTH):
> http://postfix.state-of-mind.de/patrick.koetter/saslfinger/
Re: Problem using Postfix, saslauthd and pam_krb5
Viktor,

Thanks a lot, I managed to solve the problem. I can now authenticate users using SASL, saslauthd, PAM and pam_krb5.so (and of course Kerberos!)

Thanks again.

Kind Regards
Ali Majdzadeh Kohbanani

2009/11/8 Ali Majdzadeh ali.majdza...@gmail.com

> Viktor,
> Thanks a lot. You are very helpful.
>
> Kind Regards
> Ali Majdzadeh Kohbanani
>
> 2009/11/8 Victor Duchovni victor.ducho...@morganstanley.com
>
> > On Sat, Nov 07, 2009 at 11:11:36PM +0330, Ali Majdzadeh wrote:
> > > Viktor,
> > > Hi
> > > I managed to test the configuration using the sample programs provided by Cyrus. But I cannot test the configuration using Postfix. Sample users which are defined as principals are successfully authenticated using the PLAIN authentication mechanism, pam_krb5.so and saslauthd, but the similar configuration for Postfix always fails.
> >
> > Turn up the debug level in saslauthd, and find out what queries it is handling and why it believes the password to be incorrect.
> >
> > --
> > Viktor.
Re: Problem using Postfix, saslauthd and pam_krb5
Viktor,

Sorry about the previous mail. The logs which I sent were incorrect. Actually, there are no log messages, just the following one in /var/log/mail.log:

    Nov 7 11:44:54 client2 postfix/smtpd[13159]: warning: SASL authentication failure: Password verification failed

But, as I told you before, I can successfully test the authentication process using sasltestuser.

Kind Regards
Ali Majdzadeh Kohbanani

2009/11/7 Ali Majdzadeh ali.majdza...@gmail.com

> Viktor,
> Hi
> I hope that you are still following this thread. After a couple of tests, I saw the following error in auth.log:
>
>     Nov 7 11:14:51 client2 saslauthd[2882]: DEBUG: auth_pam: pam_authenticate failed: Permission denied
>     Nov 7 11:14:51 client2 saslauthd[2882]: do_auth : auth failure: [user=rana] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
>
> Do you have any ideas about these?
>
> Kind Regards
> Ali Majdzadeh Kohbanani
>
> 2009/11/2 Ali Majdzadeh ali.majdza...@gmail.com
>
> > Victor,
> > Hello
> > Thanks a lot for your help. I am going to test your solutions. Thanks again.
> >
> > Warm Regards
> > Ali Majdzadeh Kohbanani
> >
> > 2009/11/2 Victor Duchovni victor.ducho...@morganstanley.com
> >
> > > On Sun, Nov 01, 2009 at 04:30:21PM +0330, Ali Majdzadeh wrote:
> > > > I have configured saslauthd to use pam for password verification and I want to use pam_krb5 as the authentication back-end. I have set the following options in /etc/postfix/sasl/smtpd.conf:
> > > >
> > > >     log_level: 3
> > > >     pwcheck_method: saslauthd
> > > >     mech_list: plain login
> > > >
> > > > Also, I have entered the following lines in /etc/pam.d/smtp
> > > >
> > > >     auth     sufficient /lib/security/pam_krb5.so minimum_uid=1000
> > > >     session  required   /lib/security/pam_krb5.so minimum_uid=1000
> > > >     account  required   /lib/security/pam_krb5.so minimum_uid=1000
> > > >     password sufficient /lib/security/pam_krb5.so minimum_uid=1000
> > > >
> > > > When I use testsaslauthd as
> > > >
> > > >     testsaslauthd -u user -p pass -s smtp -f /var/run/saslauthd/mux
> > > >
> > > > it can successfully authenticate the user which has a corresponding principal in my kerberos configuration. But, when I want to use telnet to actually test the smtp server, the authentication fails. By the way, what should be provided to the server when the desired authentication mechanism is plain? (Is that something like: perl -MMIME::Base64 -e 'print encode_base64("user\0pass")'?)
> > >
> > > No. You need a leading \0 for an empty authzid.
> > >
> > >     \0user\0pass
> > >
> > > --
> > > Viktor.
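Viktor's correction (a leading NUL for the empty authzid, so the PLAIN message is `\0user\0pass`, not `user\0pass`) is the detail that makes a hand-typed AUTH PLAIN test succeed or fail. The following Python script is an added example, not code from the thread, from Cyrus SASL or from Postfix: it builds the RFC 4616 PLAIN initial response the way a client should, decodes it the way the server does, and shows that the two-field form from the question is rejected as malformed rather than silently misparsed. The user name and password are placeholders.

```python
import base64


def plain_initial_response(authcid, password, authzid=""):
    """Build the SASL PLAIN message (RFC 4616): [authzid] NUL authcid NUL passwd, base64-encoded.

    The authorization identity is usually empty, and the leading NUL is still required;
    this is exactly the "\\0user\\0pass" form from the thread.
    """
    for field in (authzid, authcid, password):
        if "\0" in field:
            raise ValueError("NUL is not allowed inside a PLAIN field")
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def smtp_auth_plain_line(authcid, password):
    """The one-line form a client sends on an (ideally TLS-protected) SMTP session."""
    return "AUTH PLAIN " + plain_initial_response(authcid, password)


def parse_plain(b64):
    """Decode what the server receives. Returns (authzid, authcid, passwd) or raises ValueError."""
    raw = base64.b64decode(b64, validate=True)
    parts = raw.split(b"\0")
    if len(parts) != 3:
        raise ValueError(f"PLAIN message needs exactly three NUL-separated fields, got {len(parts)}")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    if not authcid or not passwd:
        raise ValueError("authcid and passwd must be non-empty")
    return authzid, authcid, passwd


def is_well_formed(b64):
    """True if a server would accept the message as a PLAIN response at all."""
    try:
        parse_plain(b64)
        return True
    except ValueError:
        return False


# The two-field form from the question (user NUL pass, no leading NUL), constructed here.
TWO_FIELD_FORM = base64.b64encode(b"user\0pass").decode("ascii")

if __name__ == "__main__":
    good = smtp_auth_plain_line("user", "pass")
    print(good, "->", parse_plain(good.split()[-1]))
    print("AUTH PLAIN", TWO_FIELD_FORM, "-> well-formed:", is_well_formed(TWO_FIELD_FORM))
```

With the correct three-field message the server hands `user`/`pass` to saslauthd, which is what Ali's testsaslauthd run already exercised; with the two-field form the decoder sees only two fields and the attempt fails before any password check happens, which is consistent with a "Password verification failed" warning on an otherwise working saslauthd.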
Re: Problem using Postfix, saslauthd and pam_krb5
Viktor,

Hi
I managed to test the configuration using the sample programs provided by Cyrus. But I cannot test the configuration using Postfix. Sample users which are defined as principals are successfully authenticated using the PLAIN authentication mechanism, pam_krb5.so and saslauthd, but the similar configuration for Postfix always fails.

Kind Regards
Ali Majdzadeh Kohbanani

2009/11/7 Ali Majdzadeh ali.majdza...@gmail.com

> Viktor,
> Sorry about the previous mail. The logs which I sent were incorrect. Actually, there are no log messages, just the following one in /var/log/mail.log:
>
>     Nov 7 11:44:54 client2 postfix/smtpd[13159]: warning: SASL authentication failure: Password verification failed
>
> But, as I told you before, I can successfully test the authentication process using sasltestuser.
>
> Kind Regards
> Ali Majdzadeh Kohbanani
>
> 2009/11/7 Ali Majdzadeh ali.majdza...@gmail.com
>
> > Viktor,
> > Hi
> > I hope that you are still following this thread. After a couple of tests, I saw the following error in auth.log:
> >
> >     Nov 7 11:14:51 client2 saslauthd[2882]: DEBUG: auth_pam: pam_authenticate failed: Permission denied
> >     Nov 7 11:14:51 client2 saslauthd[2882]: do_auth : auth failure: [user=rana] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]
> >
> > Do you have any ideas about these?
> >
> > Kind Regards
> > Ali Majdzadeh Kohbanani
> >
> > 2009/11/2 Ali Majdzadeh ali.majdza...@gmail.com
> >
> > > Victor,
> > > Hello
> > > Thanks a lot for your help. I am going to test your solutions. Thanks again.
> > >
> > > Warm Regards
> > > Ali Majdzadeh Kohbanani
> > >
> > > 2009/11/2 Victor Duchovni victor.ducho...@morganstanley.com
> > >
> > > > On Sun, Nov 01, 2009 at 04:30:21PM +0330, Ali Majdzadeh wrote:
> > > > > I have configured saslauthd to use pam for password verification and I want to use pam_krb5 as the authentication back-end. I have set the following options in /etc/postfix/sasl/smtpd.conf:
> > > > >
> > > > >     log_level: 3
> > > > >     pwcheck_method: saslauthd
> > > > >     mech_list: plain login
> > > > >
> > > > > Also, I have entered the following lines in /etc/pam.d/smtp
> > > > >
> > > > >     auth     sufficient /lib/security/pam_krb5.so minimum_uid=1000
> > > > >     session  required   /lib/security/pam_krb5.so minimum_uid=1000
> > > > >     account  required   /lib/security/pam_krb5.so minimum_uid=1000
> > > > >     password sufficient /lib/security/pam_krb5.so minimum_uid=1000
> > > > >
> > > > > When I use testsaslauthd as
> > > > >
> > > > >     testsaslauthd -u user -p pass -s smtp -f /var/run/saslauthd/mux
> > > > >
> > > > > it can successfully authenticate the user which has a corresponding principal in my kerberos configuration. But, when I want to use telnet to actually test the smtp server, the authentication fails. By the way, what should be provided to the server when the desired authentication mechanism is plain? (Is that something like: perl -MMIME::Base64 -e 'print encode_base64("user\0pass")'?)
> > > >
> > > > No. You need a leading \0 for an empty authzid.
> > > >
> > > >     \0user\0pass
> > > >
> > > > --
> > > > Viktor.
Re: Problem using Postfix, saslauthd and pam_krb5
Viktor,
Thanks a lot. You are very helpful.

Kind Regards
Ali Majdzadeh Kohbanani

2009/11/8 Victor Duchovni victor.ducho...@morganstanley.com
> On Sat, Nov 07, 2009 at 11:11:36PM +0330, Ali Majdzadeh wrote:
>
>> Viktor,
>> Hi
>> I managed to test the configuration using the sample programs provided by Cyrus, but I cannot test the configuration using Postfix. Sample users which are defined as principals are successfully authenticated using the PLAIN authentication mechanism, pam_krb5.so and saslauthd, but the similar configuration for Postfix always fails.
>
> Turn up the debug level in saslauthd, and find out what queries it is handling and why it believes the password to be incorrect.
>
> -- 
> Viktor.
Re: Problem using Postfix, saslauthd and pam_krb5
Viktor,
Hi
I hope that you are still following this thread. After a couple of tests, I saw the following errors in auth.log:

    Nov 7 11:14:51 client2 saslauthd[2882]: DEBUG: auth_pam: pam_authenticate failed: Permission denied
    Nov 7 11:14:51 client2 saslauthd[2882]: do_auth : auth failure: [user=rana] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]

Do you have any ideas about these?

Kind Regards
Ali Majdzadeh Kohbanani

2009/11/2 Ali Majdzadeh ali.majdza...@gmail.com
> Victor,
> Hello
> Thanks a lot for your help. I am going to test your solutions. Thanks again.
>
> Warm Regards
> Ali Majdzadeh Kohbanani
>
> 2009/11/2 Victor Duchovni victor.ducho...@morganstanley.com
>> On Sun, Nov 01, 2009 at 04:30:21PM +0330, Ali Majdzadeh wrote:
>>
>>> I have configured saslauthd to use pam for password verification and I want to use pam_krb5 as the authentication back-end. I have set the following options in /etc/postfix/sasl/smtpd.conf:
>>>
>>>     log_level: 3
>>>     pwcheck_method: saslauthd
>>>     mech_list: plain login
>>>
>>> Also, I have entered the following lines in /etc/pam.d/smtp:
>>>
>>>     auth     sufficient /lib/security/pam_krb5.so minimum_uid=1000
>>>     session  required   /lib/security/pam_krb5.so minimum_uid=1000
>>>     account  required   /lib/security/pam_krb5.so minimum_uid=1000
>>>     password sufficient /lib/security/pam_krb5.so minimum_uid=1000
>>>
>>> When I use testsaslauthd as testsaslauthd -u user -p pass -s smtp -f /var/run/saslauthd/mux, it can successfully authenticate the user which has a corresponding principal in my kerberos configuration. But, when I want to use telnet to actually test the smtp server, the authentication fails. By the way, what should be provided to the server when the desired authentication mechanism is plain? (Is that something like: perl -MMIME::Base64 -e 'print encode_base64(user\0pass)')?
>>
>> No. You need a leading \0 for an empty authzid.
>>
>>     \0user\0pass
>>
>> -- 
>> Viktor.
Re: Problem using Postfix, saslauthd and pam_krb5
Victor,
Hello
Thanks a lot for your help. I am going to test your solutions. Thanks again.

Warm Regards
Ali Majdzadeh Kohbanani

2009/11/2 Victor Duchovni victor.ducho...@morganstanley.com
> On Sun, Nov 01, 2009 at 04:30:21PM +0330, Ali Majdzadeh wrote:
>
>> I have configured saslauthd to use pam for password verification and I want to use pam_krb5 as the authentication back-end. I have set the following options in /etc/postfix/sasl/smtpd.conf:
>>
>>     log_level: 3
>>     pwcheck_method: saslauthd
>>     mech_list: plain login
>>
>> Also, I have entered the following lines in /etc/pam.d/smtp:
>>
>>     auth     sufficient /lib/security/pam_krb5.so minimum_uid=1000
>>     session  required   /lib/security/pam_krb5.so minimum_uid=1000
>>     account  required   /lib/security/pam_krb5.so minimum_uid=1000
>>     password sufficient /lib/security/pam_krb5.so minimum_uid=1000
>>
>> When I use testsaslauthd as testsaslauthd -u user -p pass -s smtp -f /var/run/saslauthd/mux, it can successfully authenticate the user which has a corresponding principal in my kerberos configuration. But, when I want to use telnet to actually test the smtp server, the authentication fails. By the way, what should be provided to the server when the desired authentication mechanism is plain? (Is that something like: perl -MMIME::Base64 -e 'print encode_base64(user\0pass)')?
>
> No. You need a leading \0 for an empty authzid.
>
>     \0user\0pass
>
> -- 
> Viktor.
Re: Postfix-SASL-GSSAPI question
Viktor,
Hello
Thanks a lot for your help. I managed to solve the problem. By the way, have you got any experience with using kerberos as a pam module?

Kind Regards
Ali Majdzadeh Kohbanani

2009/10/30 Ali Majdzadeh ali.majdza...@gmail.com
> Viktor,
> Hi
> Thanks for your guidance. Would you please keep an eye on this thread? I am going to test the configuration using a properly configured GSSAPI client. Possibly, there will be many more questions to ask ;) Thank you so much.
>
> Kind Regards
> Ali Majdzadeh Kohbanani
>
> 2009/10/29 Victor Duchovni victor.ducho...@morganstanley.com
>> On Thu, Oct 29, 2009 at 07:11:54PM +0330, Ali Majdzadeh wrote:
>>
>>> Thanks for your mail. Among your experiences with Postfix, GSSAPI and probably SASL, have you ever tested your configuration using telnet? If it is so, would you please describe the procedure? According to your previous mail, I figured out that since I use telnet to test the configuration, I should know about the exact handshake process.
>>
>> The GSSAPI handshake is too complex for hand-tests with telnet. Use a real GSSAPI client, e.g. a suitably configured Postfix client.
>>
>> -- 
>> Viktor.
Problem using Postfix, saslauthd and pam_krb5
Hello all
I have configured saslauthd to use pam for password verification and I want to use pam_krb5 as the authentication back-end. I have set the following options in /etc/postfix/sasl/smtpd.conf:

    log_level: 3
    pwcheck_method: saslauthd
    mech_list: plain login

Also, I have entered the following lines in /etc/pam.d/smtp:

    auth     sufficient /lib/security/pam_krb5.so minimum_uid=1000
    session  required   /lib/security/pam_krb5.so minimum_uid=1000
    account  required   /lib/security/pam_krb5.so minimum_uid=1000
    password sufficient /lib/security/pam_krb5.so minimum_uid=1000

When I use testsaslauthd as testsaslauthd -u user -p pass -s smtp -f /var/run/saslauthd/mux, it can successfully authenticate the user which has a corresponding principal in my kerberos configuration. But, when I want to use telnet to actually test the smtp server, the authentication fails. By the way, what should be provided to the server when the desired authentication mechanism is plain? (Is that something like: perl -MMIME::Base64 -e 'print encode_base64(user\0pass)')?

And the last question: are all those configuration file names (and definitely their contents) correct? I mean, /etc/postfix/smtpd.conf and /etc/pam.d/smtp?

Kind Regards
Ali Majdzadeh Kohbanani
Re: Postfix-SASL-GSSAPI question
Viktor,
Hi
Thanks for your guidance. Would you please keep an eye on this thread? I am going to test the configuration using a properly configured GSSAPI client. Possibly, there will be many more questions to ask ;) Thank you so much.

Kind Regards
Ali Majdzadeh Kohbanani

2009/10/29 Victor Duchovni victor.ducho...@morganstanley.com
> On Thu, Oct 29, 2009 at 07:11:54PM +0330, Ali Majdzadeh wrote:
>
>> Thanks for your mail. Among your experiences with Postfix, GSSAPI and probably SASL, have you ever tested your configuration using telnet? If it is so, would you please describe the procedure? According to your previous mail, I figured out that since I use telnet to test the configuration, I should know about the exact handshake process.
>
> The GSSAPI handshake is too complex for hand-tests with telnet. Use a real GSSAPI client, e.g. a suitably configured Postfix client.
>
> -- 
> Viktor.
Re: Postfix-SASL-GSSAPI question
Viktor,
Hello
Thanks for your mail. Do you test the configuration using mail clients like Thunderbird or something like that? If not, what do you actually use in order to test the configuration?

Kind Regards
Ali Majdzadeh Kohbanani

2009/10/28 Victor Duchovni victor.ducho...@morganstanley.com
> On Wed, Oct 28, 2009 at 05:11:33PM +0330, Ali Majdzadeh wrote:
>
>>     ehlo example.com
>>     auth gssapi base 64 encoded userid
>
> The GSSAPI handshake does not work this way.
>
>> When I monitor the logs, I see the following failure messages:
>>
>>     warning: SASL authentication failure: GSSAPI Error: Invalid token was supplied (No error)
>>
>> What does the above line mean? Where do I go wrong in the process?
>
> A base64 encoded username is not a valid GSSAPI token. Test with an actual GSSAPI client.
>
> FWIW, Postfix works just fine with GSSAPI here. As in your configuration, the server uses a keytab and KRB5_KTNAME is set in the server environment (import_environment=...). The server keytab belongs to the postfix ($mail_owner) user.
>
> In our case the client (sending) system also has a keytab, but it is not used directly; rather a cron job runs periodically and uses kinit -t to refresh the client credential cache. The client main.cf also has import_environment=... with a setting for KRB5_CCNAME.
>
> -- 
> Viktor.
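The server-side prerequisites Viktor describes (a keytab that holds the smtp/ service principal and belongs to the $mail_owner user), as added example code that is not from the thread or from Postfix: it parses klist -k output and reports a keytab that lacks the principal, has the wrong owner, or is readable by others. The klist -k text, the principal name and the function names are constructed for this example.

```python
"""Check the server-side GSSAPI prerequisites Viktor describes above.

Added example, not code from the thread or from Postfix. Two checks:
the keytab named by KRB5_KTNAME holds the smtp/<host> service principal,
and the file is owned by Postfix's $mail_owner and not readable by
others. The klist -k text, principal name and function names below are
constructed for this example.
"""
import os
import pwd
import stat
import subprocess


def principals_in_keytab(klist_k_output: str) -> set[str]:
    """Parse `klist -k <keytab>` output into the set of principals it lists.

    Entry lines look like '   2 smtp/host@REALM'; header lines
    ('Keytab name:', 'KVNO Principal', dashes) do not start with a number.
    """
    principals = set()
    for line in klist_k_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].isdigit():
            principals.add(parts[1])
    return principals


def keytab_findings(mode: int, owner_uid: int, mail_owner_uid: int,
                    klist_k_output: str, service_principal: str) -> list[str]:
    """Return problems found; an empty list means the keytab looks right.

    mode and owner_uid come from os.stat() on the keytab file.
    """
    findings = []
    if service_principal not in principals_in_keytab(klist_k_output):
        findings.append(f"keytab does not contain {service_principal}")
    if owner_uid != mail_owner_uid:
        findings.append(f"keytab owner uid {owner_uid} is not $mail_owner uid {mail_owner_uid}")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"keytab mode {oct(stat.S_IMODE(mode))} is readable by group or other")
    return findings


# Constructed sample of `klist -k /etc/smtp.keytab` output.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/smtp.keytab
KVNO Principal
---- ------------------------------------------------------------
   2 smtp/client2.domain.net@DOMAIN.NET
   2 host/client2.domain.net@DOMAIN.NET
"""

if __name__ == "__main__":
    # Live check on a real host; keytab path and principal are constructed, adjust as needed.
    keytab, principal = "/etc/smtp.keytab", "smtp/client2.domain.net@DOMAIN.NET"
    st = os.stat(keytab)
    out = subprocess.run(["klist", "-k", keytab], capture_output=True, text=True).stdout
    for f in keytab_findings(st.st_mode, st.st_uid, pwd.getpwnam("postfix").pw_uid, out, principal):
        print("FINDING:", f)
```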
Re: Postfix-SASL-GSSAPI question
Viktor,
Hi
Thanks for your mail. Among your experiences with Postfix, GSSAPI and probably SASL, have you ever tested your configuration using telnet? If it is so, would you please describe the procedure? According to your previous mail, I figured out that since I use telnet to test the configuration, I should know about the exact handshake process. Thanks again.

Kind Regards
Ali Majdzadeh Kohbanani

2009/10/29 Victor Duchovni victor.ducho...@morganstanley.com
> On Thu, Oct 29, 2009 at 02:26:54PM +0330, Ali Majdzadeh wrote:
>
>> Thanks for your mail. Do you test the configuration using mail clients like Thunderbird or something like that? If not, what do you actually use in order to test the configuration?
>
> I have successfully performed GSSAPI authenticated SMTP submission to Postfix with Thunderbird, Mail.app (MacOSX native email client), mutt and a GSSAPI-capable Postfix client. All work. Not much testing these days, it all just works.
>
> -- 
> Viktor.
Postfix-SASL-GSSAPI question
Hello All
I have installed cyrus-SASL libraries to do GSSAPI-based authentication when interacting with Postfix. I have also installed and tested Kerberos. I can successfully test GSSAPI authentication using the samples provided by SASL (sample-server and sample-client). I have created a service principal for Postfix as smtp/client2.domain@domain.net and I have put the corresponding keytab file in /etc/krb5.keytab. Also, I have set the KRB5_KTNAME environment variable to point to the keytab file. Using kadmin.local and ktadd -k, I import smtp's keytab and I can verify it by issuing klist -k. Under /etc/postfix/sasl, I have created smtp.conf with the following contents:

    keytab: /etc/smtp.keytab
    mech_list: gssapi

Before testing Postfix, I use kinit to authenticate the user who wants to authenticate to Postfix. Then, I use telnet to test GSSAPI authentication:

    # telnet client2.domain.net 25
    ...
    ehlo example.com
    auth gssapi base 64 encoded userid

When I monitor the logs, I see the following failure messages:

    warning: SASL authentication failure: GSSAPI Error: Invalid token was supplied (No error)

What does the above line mean? Where do I go wrong in the process?

Kind Regards
Ali Majdzadeh Kohbanani