[tech] SMTP Auth Failure
trs80 at ucc.gu.uwa.edu.au
Thu Aug 2 00:04:36 AWST 2018
On Wed, 1 Aug 2018, gozzarda at ucc.asn.au wrote:
> For a while now I have been unable to authenticate when trying to
> connect via SMTP.
> I finally had a chance to dig in a bit today to try figure this out and
> found that my auth attempt is getting as far as saslauthd, which is
> reporting that it is failing to connect to the LDAP server.
> I am somewhat uninformed about the details of our migration to AD, and
> even less so about specifically how it is wired into SASL auth, but this
> error seems particularly indirect to me.
> My best uneducated guess is that it is failing through to some old
> wiring to try hit LDAP, and should not even be getting that far, but I
> am at a loss for what to poke next.
> Suggestions for pokable targets are much appreciated, as is background
> information on how we have wired SMTP auth in general.
saslauthd is set to use PAM (mooneye:/etc/default/saslauthd). There isn't
an /etc/pam.d/saslauthd file so I'm not sure how it works. I came across
https://wiki.debian.org/PostfixAndSASL but I don't know how relevant it is
these days. It does mention the useful "saslfinger -s" command which hangs
at "-- mechanisms on localhost --". Further investigation shows it hangs
because it's grepping for AUTH which is not presented. OK that's because
we have this in main.cf:
# asclepius means we can only use ssl anyway
smtpd_tls_auth_only = yes
and it does show up when I do
$ openssl s_client -connect mooneye.ucc.gu.uwa.edu.au:587 -starttls smtp
and EHLO localhost:
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
Trying to auth plain gives this in mail.log
warning: SASL authentication failure: Password verification failed
stracing the smtpd process while it's authing me shows:
connect(29, {sa_family=AF_UNIX, sun_path="/var/run/saslauthd/mux"}, 110) = 0
it then sends my password and receives
read(29, "\0\21", 2) = 2
read(29, "NO PAM auth error", 17) = 17
auth.log has
Aug 1 23:47:45 mooneye saslauthd[1420]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=trs80
Aug 1 23:47:45 mooneye saslauthd[1420]: pam_ldap(smtp:auth): Authentication failure; user=trs80
Aug 1 23:47:47 mooneye saslauthd[1420]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Aug 1 23:47:47 mooneye saslauthd[1420]: : auth failure: [user=trs80] [service=smtp] [realm=mooneye.ucc.gu.uwa.edu.au] [mech=pam] [reason=PAM auth error]
Further stracing saslauthd shows it's only talking to nslcd.conf, i.e. LDAP
on mussel and mostugo, which of course isn't running, not AD.
But /etc/nsswitch.conf has
passwd: files ldap winbind
(really it should be winbind ldap) so it should be talking to both. But also
$ ls -l /etc/nsswitch.conf
-rw-r--r-- 1 root root 536 Feb 27 08:22 /etc/nsswitch.conf
vs
$ ps xua|grep saslauth
root 1419 0.0 0.1 14212 2184 ? Ss Feb26 0:29 /usr/sbin/saslauthd -a pam -c -m /var/run/saslauthd -n 5
root 1420 0.0 0.1 14212 2180 ? S Feb26 0:29 /usr/sbin/saslauthd -a pam -c -m /var/run/saslauthd -n 5
root 1421 0.0 0.1 14212 2228 ? S Feb26 0:29 /usr/sbin/saslauthd -a pam -c -m /var/run/saslauthd -n 5
root 1422 0.0 0.1 14212 2184 ? S Feb26 0:29 /usr/sbin/saslauthd -a pam -c -m /var/run/saslauthd -n 5
root 1423 0.0 0.1 14212 2196 ? S Feb26 0:29 /usr/sbin/saslauthd -a pam -c -m /var/run/saslauthd -n 5
So it's unlikely that saslauthd read in a version of nsswitch.conf that
included winbind when it started. I invite you to restart saslauthd and
see if it then works.
However as a shortcut you might be interested in line 117 of
mooneye:/etc/postfix/master.cf which I won't quote here but should also
solve your problem.
--
# TRS-80 trs80(a)ucc.gu.uwa.edu.au #/ "Otherwise Bub here will do \
# UCC Wheel Member http://trs80.ucc.asn.au/ #| what squirrels do best |
[ "There's nobody getting rich writing ]| -- Collect and hide your |
[ software that I know of" -- Bill Gates, 1980 ]\ nuts." -- Acid Reflux #231 /
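A small helper, added here and not part of this thread, that speaks the saslauthd mux protocol the way the strace above shows smtpd doing it: four 16-bit length-prefixed fields (user, password, service, realm) go out, one length-prefixed "OK"/"NO ..." reply comes back, which is why the reply read starts with "\0\21" (17) and then 17 bytes. It lets you query saslauthd directly after a restart instead of going through Postfix (the testsaslauthd tool from cyrus-sasl does the same); the socket path and realm are taken from the post, the sample credentials are assumed.

```python
import socket
import struct

# Socket path seen in the strace of smtpd above (saslauthd's "-m" dir).
MUX_PATH = "/var/run/saslauthd/mux"

# Reply captured in the strace above, reconstructed from the post: a 2-byte
# big-endian length (octal \0\21 == 17) followed by 17 bytes of text.
CAPTURED_REPLY = b"\x00\x11" + b"NO PAM auth error"


def encode_field(value: str) -> bytes:
    """saslauthd framing: 16-bit network-order length, then the bytes."""
    raw = value.encode()
    return struct.pack(">H", len(raw)) + raw


def build_request(user: str, password: str, service: str, realm: str) -> bytes:
    """The four fields saslauthd reads, in the order it expects them."""
    return b"".join(encode_field(f) for f in (user, password, service, realm))


def parse_reply(data: bytes):
    """Decode a length-prefixed reply into (ok, reason)."""
    if len(data) < 2:
        raise ValueError("reply shorter than its length prefix")
    (n,) = struct.unpack(">H", data[:2])
    body = data[2:2 + n]
    if len(body) != n:
        raise ValueError("truncated reply: expected %d bytes, got %d" % (n, len(body)))
    status, _, reason = body.partition(b" ")
    return status == b"OK", reason.decode(errors="replace")


def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("saslauthd closed the socket early")
        buf += chunk
    return buf


def check_credentials(user, password, service="smtp", realm="", path=MUX_PATH):
    """Ask the running saslauthd the same question smtpd does; returns (ok, reason)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(path)
        sock.sendall(build_request(user, password, service, realm))
        header = recv_exact(sock, 2)
        (n,) = struct.unpack(">H", header)
        return parse_reply(header + recv_exact(sock, n))


if __name__ == "__main__":
    print(parse_reply(CAPTURED_REPLY))  # (False, 'PAM auth error')
```

Run it on mooneye as root with the realm from auth.log, e.g. check_credentials("trs80", "<password>", "smtp", "mooneye.ucc.gu.uwa.edu.au"); a "NO PAM auth error" before the restart and "OK" after it confirms the stale-nsswitch theory without touching Postfix.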