# postfix sasl auth problems [solved]

## Mgiese

hi there,

i followed the guide http://www.gentoo.org/doc/en/virt-mail-howto.xml

and i have put :

```
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_local_domain =
smtpd_recipient_restrictions =
  permit_sasl_authenticated,
  permit_mynetworks,
  reject_unauth_destination
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_use_tls = yes
#smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/newkey.pem
smtpd_tls_cert_file = /etc/postfix/newcert.pem
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
```

in /etc/postfix/main.cf, but when i check for the auth & sasl options via "telnet localhost 25" i just can not see the desired login method :(

```
$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 blabla.de ESMTP Postfix
EHLDO domain.com
502 5.5.2 Error: command not recognized
EHLO domain.com
250-blabla.de
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
```

where it should look like this instead :

```
# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.domain.com ESMTP Postfix
EHLO domain.com
250-mail.domain.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-XVERP
250 8BITMIME
```

anybody here to give me a proper hint ? thanks a lot

edit : the service is running ...

```
$ ps aux | grep sasl
root      2366  0.0  0.0  14772   520 ?        Ss   11:09   0:00 /usr/sbin/saslauthd -a rimap -r -O localhost
root      2367  0.0  0.0  14772   152 ?        S    11:09   0:00 /usr/sbin/saslauthd -a rimap -r -O localhost
root      2368  0.0  0.0  14772   152 ?        S    11:09   0:00 /usr/sbin/saslauthd -a rimap -r -O localhost
root      2369  0.0  0.0  14772   152 ?        S    11:09   0:00 /usr/sbin/saslauthd -a rimap -r -O localhost
root      2370  0.0  0.0  14772   152 ?        S    11:09   0:00 /usr/sbin/saslauthd -a rimap -r -O localhost
```

----------

## overkll

IIRC, that's by design in postfix to prevent plain/login passwords from being sent in the clear.  AUTH is offered AFTER TLS/SSL connection has been established.  There is a howto on the postfix site that walks one thru an SSL/TLS setup which includes the telnet sessions used to test SSL/TLS with auth.  I don't remember which one it is.  I do remember that it is a link to a third party site.  I'll see if I can find it and post it here.

----------

## overkll

Here's the howto page on www.postfix.org

http://www.postfix.org/docs.html

It's the first howto under both the TLS section and the SASL section authored by Patrick Koetter.  It's a little outdated, but still a good guide.

If you want to see the AUTH offering in a telnet session while using TLS, then you need to comment out a line in your /etc/postfix/main.cf and restart postfix:

```
#smtpd_tls_auth_only = yes
```

Have Fun!

----------

## cach0rr0

if you suspect it's related to tls (I don't), you can always try:

```
openssl s_client -connect x.x.x.x:25 -starttls smtp
```

where of course x.x.x.x is your IP

postconf -d shows smtpd_tls_auth_only default is set to 'no', so with it commented out (or omitted entirely, same thing) it should not be required for ESMTP auth

however it would not surprise me if postfix disallowed plaintext auth mechanisms over unencrypted sockets

what've you got for /etc/sasl2/smtpd.conf ? If the suspicion is that default feature of postfix is disallowing plaintext mechs over unencrypted connection, smtpd.conf could be set to use only e.g. CRAM-MD5

NB: as for third party guides, I wrote one. here. It's for cyrus+postfix, but explains how things piece together somewhat.

----------

## Mgiese

i found the error :) the guide mentioned above just tells you to install postfix but it does not tell you to have a look at the useflag "sasl" .... so i just put sasl in package.use and recompiled postfix et voila sasl auth works :D

thanks anyways

----------
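Added example (not part of any post in this thread): a small Python check over EHLO replies that separates the cases discussed above: AUTH advertised on the unencrypted socket, AUTH advertised only after STARTTLS, and no AUTH at all, which in this thread came down to Postfix built without the sasl USE flag. The sample replies are constructed from the two telnet sessions in the first post; the function names and result labels are assumptions made for this example.

```python
import re

# Sample replies, constructed from the two telnet sessions in the first post.
EHLO_NO_AUTH = """250-blabla.de
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""
EHLO_WITH_AUTH = """250-mail.domain.com
250-PIPELINING
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME"""

CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}  # password is only base64-encoded on the wire

def parse_ehlo(reply):
    """Return {KEYWORD: set(params)} for a multi-line 250 EHLO reply."""
    caps = {}
    for line in reply.splitlines()[1:]:  # first line is the server name
        m = re.match(r"250[- ](\S.*)$", line.strip())
        if not m:
            continue
        # "AUTH=..." is the legacy form sent when broken_sasl_auth_clients = yes
        parts = re.split(r"[ =]", m.group(1), maxsplit=1)
        params = parts[1].split() if len(parts) > 1 else []
        caps.setdefault(parts[0].upper(), set()).update(p.upper() for p in params)
    return caps

def diagnose(before_tls, after_tls=None):
    """Classify AUTH advertisement (labels are hypothetical, for this example)."""
    pre = parse_ehlo(before_tls)
    post = parse_ehlo(after_tls) if after_tls else {}
    if "AUTH" in pre:
        # Offered on the unencrypted socket: PLAIN/LOGIN would cross in the clear.
        return "auth-cleartext-exposed" if pre["AUTH"] & CLEARTEXT_MECHS else "auth-offered"
    if "AUTH" in post:
        return "auth-tls-only"          # the smtpd_tls_auth_only = yes behaviour
    if after_tls is None and "STARTTLS" in pre:
        return "retest-after-starttls"  # cannot tell yet; repeat EHLO inside TLS
    return "no-auth-check-sasl-build"   # e.g. Postfix built without SASL support
```

The after-TLS reply can be captured with the `openssl s_client -connect x.x.x.x:25 -starttls smtp` command from the post above, followed by typing EHLO inside the session.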

## cach0rr0

my guide mentions it and explains why you need it ^_^

*Quote:*

> Before we begin, however, we should go ahead and set up the environment not only for postfix, but for all of the custom modifications we'll want for the rest of the packages. Namely, we need to set the correct USE flags so that Postfix is built with all of the goodies we need to make this guide work. Now, obviously some of these can be set in make.conf, and thusly applied to your entire box, however going with the lowest common denominator, we'll set these on a per-package basis via package.use.
> 
> If you're already making use of package.use, then you should already know how to adjust these steps accordingly. If you aren't, then you can go ahead and key this stuff in verbatim. So let's get started; we need the following USE flags enabled:
> ...

----------

## Mgiese

i did not complain about your guide :) i meant the gentoo howto ... i did not have a chance to read your guide, i have been quite busy for some days and when i moved back to the topic i checked the useflags before any other action ...

but thanks a LOT !

----------

## cach0rr0

*Mgiese wrote:*

> i did not complain about your guide  i meant the gentoo howto ... i did not have a chance to read your guide, i have been quite busy for some days and when i moved back to the topic i checked the useflags before any other action ...
> 
> but thanks a LOT !

ha..no, i know, i was partially just gloating a bit, partially putting info in the forum for people to find when they do a search.

----------

