# postfix + sasl problem

## Emperor

I'm trying to set up virtual mail.

I did all the things described in this excellent document: http://www.gentoo.org/doc/en/virt-mail-howto.xml

But I seem to have run into a snag.

The imap part works great. I can send mails to my virtual account using another mail server, and read it off the imap server.

But I can't send mails using that server.

The logs:

```
Feb  3 01:55:48 [postfix/smtpd] < cc21338-a.ensch1.ov.home.nl[212.120.127.131]: AUTH LOGIN
Feb  3 01:55:48 [postfix/smtpd] smtpd_sasl_authenticate: sasl_method LOGIN
Feb  3 01:55:48 [postfix/smtpd] smtpd_sasl_authenticate: uncoded challenge: Username:
Feb  3 01:55:48 [postfix/smtpd] > cc21338-a.ensch1.ov.home.nl[212.120.127.131]: 334 VXNlcm5hbWU6
Feb  3 01:55:48 [postfix/smtpd] < cc21338-a.ensch1.ov.home.nl[212.120.127.131]: bmllbHNARG9taW5hdGluZ0J5dGVzRGVzaWduLmRl
Feb  3 01:55:48 [postfix/smtpd] smtpd_sasl_authenticate: decoded response: <removed for privacy, account name is correct>
Feb  3 01:55:48 [postfix/smtpd] smtpd_sasl_authenticate: uncoded challenge: Password:
Feb  3 01:55:48 [postfix/smtpd] > cc21338-a.ensch1.ov.home.nl[212.120.127.131]: 334 UGFzc3dvcmQ6
Feb  3 01:55:48 [postfix/smtpd] < cc21338-a.ensch1.ov.home.nl[212.120.127.131]: <removed for privacy>
Feb  3 01:55:48 [postfix/smtpd] smtpd_sasl_authenticate: decoded response: <removed for privacy, password is correct :p>
Feb  3 01:55:48 [postfix/smtpd] warning: SASL authentication problem: unknown password verifier
Feb  3 01:55:48 [postfix/smtpd] warning: cc21338-a.ensch1.ov.home.nl[212.120.127.131]: SASL LOGIN authentication failed
Feb  3 01:55:48 [postfix/smtpd] > cc21338-a.ensch1.ov.home.nl[212.120.127.131]: 535 Error: authentication failed
```

So the problem seems to be with sasl and something about "unknown password verifier".

Can anyone help me?
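
Added example, not part of the original post: in a verbose smtpd log like the one above, the two `334` challenges are only base64 for `Username:` and `Password:`, and the client's replies are base64 as well, so blanking the decoded lines alone does not remove credentials from the log. The filter below redacts both forms before a log is shared; the sample lines, host name and credentials are constructed, and the field positions assume the log layout shown in the post.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the log layout shown in the
# post: "Mon DD HH:MM:SS [postfix/smtpd] <direction> peer[ip]: data".

# Read a verbose smtpd log on stdin and write it to stdout with SASL
# credential material replaced by "<redacted>".
redact_sasl_log() {
    awk '
    # Server sent a 334 challenge: the next line from that peer is a
    # base64-encoded SASL response (username or password).
    $4 == "[postfix/smtpd]" && $5 == ">" && $7 == "334" { pending[$6] = 1 }

    # Client line answering a challenge: drop everything after "peer[ip]: ".
    $4 == "[postfix/smtpd]" && $5 == "<" && ($6 in pending) {
        delete pending[$6]
        sub(/\]: .*$/, "]: <redacted>")
    }

    # "AUTH PLAIN <base64>" or "AUTH LOGIN <base64>": initial response inline.
    $4 == "[postfix/smtpd]" && $5 == "<" && $7 == "AUTH" && NF >= 9 {
        sub(/ [^ ]+$/, " <redacted>")
    }

    # Debug lines that print the decoded value in clear text.
    /decoded response: / { sub(/decoded response: .*$/, "decoded response: <redacted>") }

    { print }
    '
}

# Constructed sample: made-up host, documentation IP, made-up credentials.
sample_log() {
    cat <<'EOF'
Feb  3 01:55:48 [postfix/smtpd] < client.example.net[192.0.2.10]: AUTH LOGIN
Feb  3 01:55:48 [postfix/smtpd] > client.example.net[192.0.2.10]: 334 VXNlcm5hbWU6
Feb  3 01:55:48 [postfix/smtpd] < client.example.net[192.0.2.10]: dXNlckBleGFtcGxlLm9yZw==
Feb  3 01:55:48 [postfix/smtpd] smtpd_sasl_authenticate: decoded response: user@example.org
Feb  3 01:55:48 [postfix/smtpd] > client.example.net[192.0.2.10]: 334 UGFzc3dvcmQ6
Feb  3 01:55:48 [postfix/smtpd] < client.example.net[192.0.2.10]: aHVudGVyMg==
Feb  3 01:55:48 [postfix/smtpd] smtpd_sasl_authenticate: decoded response: hunter2
Feb  3 01:55:48 [postfix/smtpd] > client.example.net[192.0.2.10]: 535 Error: authentication failed
EOF
}

sample_log | redact_sasl_log
```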

----------

## Emperor

OK, after a day's research I fixed my own problem :p

The key seems to be to edit /usr/lib/sasl2/smtpd.conf and change

```
pwcheck_method: pam
```

to

```
pwcheck_method: saslauthd
```

----------

## profit

I just did a big upgrade and it undid this fix....why is a config file in /usr/lib being used by default and unprotected by the sandbox?

----------

## profit

Grrrr. Just did an emerge update. Broke my config again. Gotta keep this thread handy for next time I update my system.

----------

## Genone

Well, the sandbox is not to blame for this, it's the fact that CONFIG_PROTECT doesn't include /usr/lib. Only files/dirs in CONFIG_PROTECT are not overwritten automatically. There are some other programs affected by this, one of my favourite editors (joe) for example. I have to remind myself to file a bug for this. Maybe you should do so for cyrus-sasl.

----------

## profit

Yes.

The problem is either the CONFIG_PROTECT setting, or that the software in question isn't keeping its pref files in /etc/ where they belong. No way the sandbox can protect everything....

p.s. I probably will end up filing a bug on this. It's just going to take me being annoyed by my system breaking a few more times. So far it takes me 5 minutes to figure out how to fix the problem (including swearing time). But I'm intimidated by bugzilla, don't want to mess around with registering a username and recording a password in my safe password storage for another website. And then writing up a standalone description of the problem is another 15 minutes. And it doesn't sound like any fun. Dang! I sure am shallow sometimes.
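
Added example, not from the thread: a check to run after an upgrade that reports when `smtpd.conf` no longer carries the expected `pwcheck_method`, and whether the file sits outside the directories listed in CONFIG_PROTECT. Function names are illustrative, the CONFIG_PROTECT value is passed in as a plain string (on a Gentoo system it can be read with `portageq envvar CONFIG_PROTECT`), and the demo file and values are constructed.

```shell
#!/bin/sh
# Added example (not from the thread); names and demo values are illustrative.

# Succeeds if path $1 is, or lies below, one of the space-separated paths in
# $2 (the shape of a CONFIG_PROTECT value). Matching is on whole path
# components, so "/usr/lib" does not cover "/usr/lib64".
is_config_protected() {
    for dir in $2; do
        dir=${dir%/}
        case "$1" in "$dir"|"$dir"/*) return 0 ;; esac
    done
    return 1
}

# Print the value of every pwcheck_method line in a SASL application config.
pwcheck_method() {
    sed -n 's/^[[:space:]]*pwcheck_method:[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1"
}

# $1 = config file, $2 = CONFIG_PROTECT value, $3 = expected pwcheck_method.
# Prints one line per finding and returns non-zero if there is any.
audit_sasl_conf() {
    rc=0
    method=$(pwcheck_method "$1")
    if [ "$method" != "$3" ]; then
        echo "DRIFT: $1 has pwcheck_method '$method', expected '$3'"
        rc=1
    fi
    if ! is_config_protected "$1" "$2"; then
        echo "UNPROTECTED: $1 is outside CONFIG_PROTECT ($2)"
        rc=1
    fi
    return $rc
}

# Demo on a constructed file that mimics the state after the upgrade.
demo_conf=$(mktemp)
printf 'pwcheck_method: pam\nmech_list: LOGIN PLAIN\n' > "$demo_conf"
audit_sasl_conf "$demo_conf" "/etc /usr/share/config" saslauthd || true
rm -f "$demo_conf"
```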

----------

## MoonWalker

*Emperor wrote:*

> I'm trying to set up virtual mail.
>
> I did all the things described in this excellent document: http://www.gentoo.org/doc/en/virt-mail-howto.xml

I have a question regarding this setup. I'm considering using it as I move my mail handling to another box. Just before the setup of Squirrelmail the doc states

```
Now, if all went well, you should have a functioning mailhost. Users should be able to authenticate against the sql database, using their full email address, for pop3, imap, and smtp. 
```

Does this mean users use the full email address in the mail client 'account' field in the mail settings instead of the username? Also, if this is the case, does anyone know if it's possible to set up just the non-users of the box this way and let users auth with just their username?

Another thing regarding the passwords in mysql: is it possible to put them in MD5-hashed to avoid a global password change on all current users?

----------

## Genone

OK, it seems that for your problem there are already two bug reports, namely 19882 and 15252.

----------

## Woody2143

After recently installing dev-libs/cyrus-sasl I found I could no longer send email... I came across this thread and it helped, as well as double-checking my configs against those in the How-To...

#1 - When you installed a new version of dev-libs/cyrus-sasl what USE_FLAGS did you have set? Don't know if the "-mysql" is required, but since the How-To mentions it I do it anyway... 

#2 - Check your configs

/usr/lib/sasl2/smtp.conf should be:

```
pwcheck_method: saslauthd
mech_list: LOGIN PLAIN
```

I bring this up because I too had pwcheck_method: pam

/etc/conf.d/saslauthd is a funny one. I did the following:

```
# Config file for /etc/init.d/saslauthd

# Authentications mechanism (for list see saslauthd -v)
SASL_AUTHMECH="pam"

# Tack the above options together
# (variable quoted so an empty value makes the test false)
[ -n "${SASL_AUTHMECH}" ] && \
        SASLAUTHD_OPTS="-a ${SASL_AUTHMECH}"
```

I commented out everything but those lines because every time I went to start /etc/init.d/saslauthd it would do the following:

```
/etc/init.d/saslauthd start
 * Starting saslauthd...
/usr/sbin/saslauthd: invalid option -- H
```

Just my $0.02  

-Woody

----------

## mach.82

For /etc/conf.d/saslauthd, I did the following:

```
# Tack the above options together
# (variables quoted so an empty value makes the test false)
[ -n "${SASL_AUTHMECH}" ] && \
   SASLAUTHD_OPTS="-a ${SASL_AUTHMECH}"

[ -n "${SASL_RIMAP_HOSTNAME}" ] && \
   SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -O ${SASL_RIMAP_HOSTNAME}"

[ -n "${SASL_TIME_OF_DAY_LOGIN_RESTRICTIONS}" ] && \
   SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -T"
```

I changed the H to O and so far it seems to work!

Please also take a look at https://forums.gentoo.org/viewtopic.php?t=60112&highlight=saslauthd+invalid+option
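
Added example, not from the thread: a test written as `[ -n ${VAR} ]` without quotes collapses to `[ -n ]` when the variable is empty or unset, which is always true, so the hostname option is appended even with no hostname configured and `-O` ends up directly followed by `-T`. The two functions below build the option string both ways; the function names and the argument convention are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): how the saslauthd option string comes
# out with unquoted versus quoted tests. Arguments: $1 = auth mechanism,
# $2 = rimap hostname, $3 = time-of-day flag; an empty string means "not set".

# Unquoted form: with an empty variable the test collapses to `[ -n ]`,
# a one-argument test that is always true.
build_opts_unquoted() {
    mech=$1 host=$2 tod=$3 opts=""
    [ -n ${mech} ] && opts="-a ${mech}"
    [ -n ${host} ] && opts="${opts} -O ${host}"
    [ -n ${tod} ] && opts="${opts} -T"
    printf '%s\n' "$opts"
}

# Quoted form: an empty variable stays an empty argument, so -n is false
# and the option is left out.
build_opts_quoted() {
    mech=$1 host=$2 tod=$3 opts=""
    [ -n "${mech}" ] && opts="-a ${mech}"
    [ -n "${host}" ] && opts="${opts} -O ${host}"
    [ -n "${tod}" ] && opts="${opts} -T"
    printf '%s\n' "$opts"
}

# Number of words the daemon receives once the shell splits the string.
count_words() {
    set -- $1
    echo $#
}

# Only the mechanism is configured, as in the conf.d file quoted in the thread.
echo "unquoted: $(build_opts_unquoted pam '' '')"
echo "quoted:   $(build_opts_quoted pam '' '')"
```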

----------

