# Postfix+cyrus-sasl authentication failures [SOLVED]

## Souperman

The machine which hosts my virtual server suffered a complete data loss a few days ago.  I keep daily backups of the important stuff, so I restored my /etc/make.conf and /var/cache/edb/world file and did an "emerge `cat /var/cache/edb/world`" before restoring the rest of my backup data.

Everything seems to be working perfectly, except for SMTP authentication.  The following syslog messages are relevant:

```
Feb 14 12:17:15 wizard postfix/smtpd[17983]: connect from myhost[myip]
Feb 14 12:17:18 wizard postfix/smtpd[17983]: warning: myhost[myip]: SASL LOGIN authentication failed
Feb 14 12:17:31 wizard postfix/smtpd[17983]: lost connection after AUTH from myhost[myip]
Feb 14 12:17:31 wizard postfix/smtpd[17983]: disconnect from myhost[myip]
```

My configuration is the same as that used in the Virtual/Mailhosting Guide, except that I've tweaked it to authenticate against /etc/(passwd|shadow) in addition to the mysql database.  This worked perfectly before the data loss.

Relevant /etc/postfix/main.cf bits:

```
smtpd_sasl_auth_enable = yes
smtpd_sasl2_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
```

/etc/sasl2/smtpd.conf:

```
# $Header: /home/cvsroot/gentoo-x86/net-mail/postfix/files/smtpd-2.0.conf,v 1.1 2003/07/18 20:34:39 lanius Exp $
pwcheck_method:saslauthd
mech_list: LOGIN PLAIN
```

/etc/pam.d/smtp:

```
# $Header: /home/cvsroot/gentoo-x86/net-mail/postfix/files/smtp.pam,v 1.2 2002/05/04 03:55:29 woodchip Exp $
auth     sufficient  /lib/security/pam_pwdb.so nullok shadow
account  sufficient  /lib/security/pam_pwdb.so
auth     sufficient  pam_mysql.so server=localhost db=mailsql user=mailsql passwd=password table=users usercolumn=email passwdcolumn=crypt crypt=1
account  sufficient  pam_mysql.so server=localhost db=mailsql user=mailsql passwd=password table=users usercolumn=email passwdcolumn=crypt crypt=1
```

Anyone know where the problem could be?

----------

## Souperman

*bump*

still haven't figured this one out.   :Confused: 

----------

## voidx

*Quote:*

> passwdcolumn=crypt crypt=1

Just to be sure - so you are using crypted passwords in the mysql database?

And what about re-emerging cyrus-sasl? This is a total blind shot  :Very Happy:  but I remember I had a similar problem after one disaster and this solved it for me...

----------

## Souperman

Yes, I'm using crypted passwords in the database, but that's not the problem in this case anyway, as the 2 people who are having a problem are real users, i.e. they have an account on the box.  Re-emerging cyrus-sasl as I type but will only be able to test that when I get home in a few hours.

----------

## voidx

Local users - oh, I overlooked that   :Shocked: 

I'm using the same virtual mysql mail system, also with local users, and it is working - I looked at your configs and mine, and /etc/pam.d/smtp, /etc/sasl2/smtpd.conf and the part from /etc/postfix/main.cf are exactly the same. 

We'll see after re-emerging cyrus-sasl...

----------

## Souperman

OK, a different error message now:

```
Feb 18 19:58:06 wizard postfix/smtpd[1531]: connect from myhost[myip]
Feb 18 19:58:29 wizard postfix/smtpd[1531]: warning: SASL authentication failure: client didn't issue valid NTLM response
Feb 18 19:58:29 wizard postfix/smtpd[1531]: warning: myhost[myip]: SASL NTLM authentication failed
Feb 18 19:58:43 wizard postfix/smtpd[1531]: warning: myhost[myip]: SASL NTLM authentication failed
Feb 18 19:58:44 wizard postfix/smtpd[1531]: lost connection after AUTH from myhost[myip]
Feb 18 19:58:44 wizard postfix/smtpd[1531]: disconnect from myhost[myip]
```

I have no idea where NTLM comes into the equation.  According to /etc/conf.d/saslauthd, I am only using pam and "ps x | grep sasl" only shows up "/usr/sbin/saslauthd -a pam". 

 :Confused: 

----------

## Souperman

I also just noticed this, in response to EHLO:

```
250-AUTH NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-AUTH=NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
```

I'm not 100% sure, but as far as I can recall, that only said "LOGIN PLAIN" before the crash/re-install.

(EDIT: Checked some backups and it definitely only had "LOGIN PLAIN" previously)

Not sure how to get rid of NTLM there ... any ideas?

----------

## voidx

AFAIK the 250-AUTH list is generated from the setting in /etc/sasl2/smtpd.conf

If I remember well, in earlier versions of cyrus-sasl there was another place where smtpd.conf was stored (somewhere under /var I guess)... So the only idea I have is to check whether there isn't another smtpd.conf somewhere in the system where cyrus gets its configuration instead of getting it from /etc/sasl2/. It is logical - if it is true, maybe it is also the source of your authentication problems

```
find / -iname smtpd.conf
```

----------

## Jaxom

This line needs to be commented out for sasl to work.  I ran into the same thing where my clients couldn't auth via sasl....after much searching knowing that it HAD been working at one time, I found this to be the culprit.

```
#smtpd_tls_auth_only = yes
```

After commenting it out, sasl worked perfectly again.

[edit] oops, I lied, I didn't have the exact same problem.  I re-read everything....sorry about that, but I'll leave my post just in case it does help  :Smile: 

----------

## Souperman

*voidx wrote:*   

> AFAIK the 250-AUTH list is generated from the setting in /etc/sasl2/smtpd.conf
> 
> If I remember well, in earlier versions of cyrus-sasl there was another place where smtpd.conf was stored (somewhere under /var I guess)... So the only idea I have is to check whether there isn't another smtpd.conf somewhere in the system where cyrus gets its configuration instead of getting it from /etc/sasl2/. It is logical - if it is true, maybe it is also the source of your authentication problems
> 
> Code:
> 
> ...

The only thing close is /var/lib/sasl2.  There's no smtpd.conf there, but I tried symlinking it to /etc/sasl2/smtpd.conf and restarting postfix & saslauthd but it's still showing me NTLM and still failing when I try to send a message.   :Rolling Eyes: 

 *Jaxom wrote:*   

> This line needs to be commented out for sasl to work. I ran into the same thing where my clients couldn't auth via sasl....after much searching knowing that it HAD been working at one time, I found this to be the culprit.
> 
> Code:
> 
> #smtpd_tls_auth_only = yes
> ...

 

I have no such line in my postfix config.

----------

## voidx

It's strange...

I played with my /etc/sasl2/smtpd.conf, and immediately after changing the login methods in this file and restarting saslauthd & postfix, my postfix reflects these changes and I get a different 250-AUTH response when I connect with telnet...

I have no idea for now   :Sad: 

----------

## ikaro

From what I can see in the postfix docs:

```
Limiting SASL mechanisms

As of Cyrus-SASL-2.x SASL is able to limit the mechanisms it will offer when an application e.g. Postfix uses it. This is done by setting the parameter mech_list in /usr/lib/sasl2/smtpd.conf.

pwcheck_method: saslauthd
mech_list: plain login
```

The mech_list restricts the usage of anything more than `plain` and `login`.

If you comment out the mech_list you get:

```
250-AUTH NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-AUTH=NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
```

The file where the changes take effect is /etc/sasl2/smtpd.conf

NTLM is just another login method.

You might want to check this answer in here:

http://www.irbs.net/internet/cyrus-sasl/0402/0021.html

  :?

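An added check, written for this thread and not code from any of the posters or from the Postfix or Cyrus SASL projects, that turns ikaro's explanation into a test: it compares the mechanisms the server actually advertises after EHLO with the `mech_list` in each `smtpd.conf` that Cyrus SASL might read. If the advertised set is wider than the `mech_list` you edited, SASL is reading a different file (or none at all), which is exactly the symptom in this thread. The candidate paths are the ones named in the thread (the assumption being that SASL reads exactly one of them), and the EHLO reply and config contents below are constructed sample data.

```python
"""Added example, not code from the thread: cross-check the AUTH mechanisms a
Postfix smtpd advertises in its EHLO reply against the mech_list in each
smtpd.conf that Cyrus SASL might read.  LOGIN and PLAIN carry the password
in cleartext, so knowing exactly what is offered (and only offering it
under TLS) is part of keeping the relay from becoming a credential leak."""
import re
from pathlib import Path

# Locations named in the thread; assumption: Cyrus SASL reads exactly one
# of these for the 'smtpd' application.
CANDIDATE_PATHS = (
    "/etc/sasl2/smtpd.conf",
    "/usr/lib/sasl2/smtpd.conf",
    "/var/lib/sasl2/smtpd.conf",
)


def parse_sasl_conf(text):
    """Parse 'key: value' lines of a Cyrus SASL application config.
    Comment and blank lines are skipped; keys are case-insensitive."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            conf[key.strip().lower()] = value.strip()
    return conf


def configured_mechs(text):
    """Mechanisms allowed by mech_list, or None when the file sets no
    mech_list (SASL then offers every installed plugin, NTLM included)."""
    value = parse_sasl_conf(text).get("mech_list")
    if value is None:
        return None
    return {m.upper() for m in value.split()}


def advertised_mechs(ehlo_reply):
    """Collect mechanisms from '250-AUTH ...' and from the '250-AUTH=...'
    form Postfix adds when broken_sasl_auth_clients = yes."""
    mechs = set()
    for line in ehlo_reply.splitlines():
        m = re.match(r"250[- ]AUTH[ =](.*)", line.strip(), re.IGNORECASE)
        if m:
            mechs.update(tok.upper() for tok in m.group(1).split())
    return mechs


def diagnose(ehlo_reply, conf_files):
    """conf_files maps candidate path -> file text, or None if absent.
    Returns which candidate (if any) explains the advertised set, the
    mechanisms offered beyond the first existing mech_list, and the paths
    that are missing (a missing copy in the path SASL really reads is the
    failure mode from the thread)."""
    advertised = advertised_mechs(ehlo_reply)
    result = {
        "advertised": sorted(advertised),
        "effective_config": None,
        "unexpected": [],
        "missing_paths": [p for p, t in conf_files.items() if t is None],
    }
    intended = None
    for path, text in conf_files.items():
        if text is None:
            continue
        wanted = configured_mechs(text)
        if intended is None and wanted is not None:
            intended = wanted
        if wanted is not None and wanted == advertised:
            result["effective_config"] = path
            break
    if intended is not None:
        result["unexpected"] = sorted(advertised - intended)
    return result


def load_candidates(paths=CANDIDATE_PATHS):
    """Read the real files for a live check; None marks a missing path."""
    return {p: (Path(p).read_text() if Path(p).is_file() else None) for p in paths}


# Constructed sample data modelled on the thread: the admin's config allows
# only LOGIN and PLAIN, but the server still advertises everything.
SAMPLE_EHLO = """250-wizard.example.test
250-PIPELINING
250-AUTH NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-AUTH=NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250 8BITMIME"""

SAMPLE_CONFS_BEFORE = {
    "/etc/sasl2/smtpd.conf": "pwcheck_method:saslauthd\nmech_list: LOGIN PLAIN\n",
    "/usr/lib/sasl2/smtpd.conf": None,
}

if __name__ == "__main__":
    print(diagnose(SAMPLE_EHLO, SAMPLE_CONFS_BEFORE))
    # On a real box: paste the EHLO reply captured with telnet and use
    # load_candidates() instead of the constructed sample.
```

For the sample data the result reports no `effective_config`, `NTLM`, `DIGEST-MD5` and `CRAM-MD5` as unexpected, and `/usr/lib/sasl2/smtpd.conf` as missing; once a copy or symlink of the edited file exists at the path SASL reads and the server only advertises `LOGIN PLAIN`, the unexpected list is empty.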
----------

## Souperman

Thanks ikaro!!

```
# ln -s /etc/sasl2/smtpd.conf /usr/lib/sasl2/smtpd.conf
# postfix reload
```

Solved!  :Mr. Green: 

----------

## ikaro

alright :) nice that you got it working :)

----------

## Souperman

Do you think this qualifies as a bug?  I mean, emerging cyrus-sasl *should* put the config file where it belongs or create a symlink or something.

----------

## ikaro

I had the file in both places, but sure, it should only be in one, the right location, to avoid confusion.

you can try and submit a bug :)

----------

## Souperman

Hmm ok, guess I was just unlucky  :Wink: 

----------

## voidx

This is what I was talking about: in earlier versions of saslauthd there was no /etc/sasl2/smtpd.conf - there was only smtpd.conf under /usr/lib/...  

I think this is noted also in gentoo virt mailhosting howto...

Unfortunately my poor in-head-cpu has very bad memory and thought that it was somewhere under /var/....  :Smile:  and I didn't notice that now /etc/sasl/... is symlinked to /usr/... 

I think that you really experienced some strange problem with ebuild, not really a bug because as you can see - my symlink was automatically created during upgrade from older version and I even didn't notice that something changed   :Cool: 

----------

