# [SOLVED] Cyrus-SASL + Postfix + Auth plain

## Weejoker

Hi all,

I've been trying for some time now to get my Postfix secured again with SSL via Cyrus-SASL. It has worked before, but for some reason it has stopped working recently...

The main issue is that even the basic authentication methods (AUTH PLAIN) are failing like this:

```
[postfix/smtpd] < a.localnet[192.168.0.2]: auth plain <encoded username/password>
[postfix/smtpd] smtpd_sasl_authenticate: sasl_method plain, init_response <encoded username/password>
[postfix/smtpd] smtpd_sasl_authenticate: decoded initial response <cleartext username>
[postfix/smtpd] warning: SASL authentication failure: Can only find author/en (no password)
[postfix/smtpd] warning: a.localnet[192.168.0.2]: SASL plain authentication failed
```

Now the SASL sublayer I am using is definitely working, as it works with testsaslauthd, so my suspicion moves to the smtpd.conf files I have (within /etc/sasl2/ & /usr/lib/sasl2/) and the postfix setup:

```
# /etc/sasl2/smtpd.conf
pwcheck_method: saslauthd
mech_list: plain login
```

```
# /etc/postfix/main.cf
...
# SASL stuff
smtpd_sasl_auth_enable = yes
smtpd_sasl_application_name = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated, reject
```

And that's it really - I just want the SASL stuff to authenticate me, as I can build on the rest of the encryption stuff. What really confuses me is that the saslauth daemon IS working correctly, so there must be something wrong/stupid/missing in the above config files surely?

If anyone can help me, I'll be very appreciative.

John

Last edited by Weejoker on Sat Nov 06, 2004 5:06 pm; edited 1 time in total

----------

## langthang

Post your /etc/conf.d/saslauthd and /etc/pam.d/saslauthd (mask username, password, etc.)

----------

## Weejoker

Hi langthang,

Here is my /etc/conf.d/saslauthd and /etc/pam.d/saslauthd (untouched). I have tested 'testsaslauthd' successfully, but maybe that's thrown me off a bit. Anyway:

/etc/conf.d/saslauthd

```
SASLAUTH_MECH=shadow
SASLAUTHD_OPTS="-a ${SASLAUTH_MECH} -r -V"
```

/etc/pam.d/saslauthd

```
#%PAM-1.0
auth       required     pam_nologin.so
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
```

Something at the back of my mind is telling me that I have screwed up somewhere.

John

----------

## Weejoker

Fixed it.

When you have two problems working together against you, it makes it near-impossible to solve them:

* Encoding passwords by hand (mimencode) can be troublesome when certain character sequences aren't interpreted the way you'd like/think... Use an email client that can interpret strings/text correctly for you (as opposed to echo & printf on the command-line)!

* Damn "realm" support - switch it off/set to null if at all possible in both saslauthd and postfix:

```
# /etc/postfix/main.cf
...
smtpd_sasl_local_domain = [--blank--]
...
```

```
# /etc/conf.d/saslauthd
# Notice how there is no '-r' in the OPTS...
SASLAUTH_MECH=shadow
SASLAUTHD_OPTS="-a ${SASLAUTH_MECH}"
```

John

----------
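The hand-encoding pitfall from the first bullet of the fix, as an added example that is not part of the original thread: it builds an AUTH PLAIN initial response per RFC 4616 (authzid NUL authcid NUL password) and checks a hand-made one for the two mistakes `echo`/`printf` typically cause. The credentials and the function names `encode_plain` and `diagnose_plain` are constructed for illustration.

```python
import base64
import binascii


def encode_plain(authcid, password, authzid=""):
    """RFC 4616 message: authzid NUL authcid NUL passwd, then base64."""
    raw = b"\0".join(s.encode("utf-8") for s in (authzid, authcid, password))
    return base64.b64encode(raw).decode("ascii")


def diagnose_plain(b64):
    """Return a list of problems found in a base64 AUTH PLAIN response."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return ["not valid base64"]
    fields = raw.split(b"\0")
    if len(fields) != 3:
        # Fewer than two NULs means the server cannot locate a password field.
        return ["expected 3 NUL-separated fields, found %d" % len(fields)]
    _authzid, authcid, passwd = fields
    problems = []
    if not authcid:
        problems.append("empty authentication identity")
    if not passwd:
        problems.append("empty password")
    if passwd.endswith((b"\n", b"\r")):
        problems.append("password ends with a line break")
    return problems


# Constructed sample credentials, not taken from the thread.
GOOD = encode_plain("alice", "s3cret")
# What the encoder receives when the shell does not expand \0 into a NUL byte.
LITERAL_BACKSLASH = base64.b64encode(b"\\0alice\\0s3cret\n").decode("ascii")
# Correct NULs, but echo appended a newline before encoding.
TRAILING_NEWLINE = base64.b64encode(b"\0alice\0s3cret\n").decode("ascii")

if __name__ == "__main__":
    for name, value in [("good", GOOD), ("literal \\0", LITERAL_BACKSLASH),
                        ("trailing newline", TRAILING_NEWLINE)]:
        print(name, value, diagnose_plain(value) or "ok")
```

A response that decodes to fewer than three fields is consistent with the "no password" warning in the log at the top of the thread; a trailing line break instead produces a well-formed response carrying the wrong password.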

