# postfix + sasl

## meralon

Hello,

I have problems getting postfix (2.0.16-rc1) + sasl (2.1.14) to work. The smtpd_sasl options in /etc/postfix/main.cf are set, but when I connect to the postfix-server via telnet I get no AUTH-line when using the EHLO-command.

/etc/postfix/main.cf:

```
smtpd_sasl_auth_enabled = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
smtpd_client_restrictions = permit_sasl_authenticated, reject
```

/etc/sasl2/smtpd.conf:

```
pwcheck_method:pam
mech_list: PLAIN LOGIN
```

----------

## xming

maybe

```
/etc/init.d/saslauthd start
```

xming

----------

## meralon

I have tested this, but still the same problem.

----------

## xming

Have you checked to see it really runs by

```
ps -ef |grep saslauthd
```

xming

----------

## Immortal Q

Can you post a telnet transcript from port 25?

----------

## meralon

The saslauthd is running:

```
 3044 ?        S      0:00 /usr/sbin/saslauthd -a shadow
 3045 ?        S      0:00 /usr/sbin/saslauthd -a shadow
 3046 ?        S      0:00 /usr/sbin/saslauthd -a shadow
 3047 ?        S      0:00 /usr/sbin/saslauthd -a shadow
 3049 ?        S      0:00 /usr/sbin/saslauthd -a shadow
```

Here is the telnet transcript from port 25:

```
220 meralon.dyndns.org ESMTP Postfix
EHLO smtp.infinitum.de
250-meralon.dyndns.org
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-XVERP
250 8BITMIME
```

----------

## Paulten

ehlo domain should show -250 AUTH = plain . . . . if postfix uses it. 

What errors do you get? 

paste from log!

----------

## PermaNoob

Try this in your /etc/sasl2/smtpd.conf:

```
pwcheck_method:saslauthd
mech_list: LOGIN PLAIN
```

----------

## meralon

I have changed the /etc/sasl2/smtpd.conf. But still no AUTH-lines when using EHLO.

Here is the log which is generated when starting postfix + telnet:

```
Feb 12 16:05:21 meralon postfix/postfix-script: starting the Postfix mail system
Feb 12 16:05:21 meralon postfix/master[22071]: daemon started -- version 2.0.16
Feb 12 16:05:25 meralon postfix/smtpd[22080]: name_mask: subnet
Feb 12 16:05:25 meralon postfix/smtpd[22080]: mynetworks: 127.0.0.0/8 192.168.1.0/24 192.168.0.0/24
Feb 12 16:05:25 meralon postfix/smtpd[22080]: match_string: mynetworks ~? debug_peer_list
Feb 12 16:05:25 meralon postfix/smtpd[22080]: match_string: mynetworks ~? fast_flush_domains
Feb 12 16:05:25 meralon postfix/smtpd[22080]: match_string: mynetworks ~? mynetworks
Feb 12 16:05:25 meralon postfix/smtpd[22080]: match_string: relay_domains ~? debug_peer_list
Feb 12 16:05:25 meralon postfix/smtpd[22080]: match_string: relay_domains ~? fast_flush_domains
Feb 12 16:05:25 meralon postfix/smtpd[22080]: match_string: relay_domains ~? mynetworks
Feb 12 16:05:25 meralon postfix/smtpd[22080]: match_string: relay_domains ~? permit_mx_backup_networks
Feb 12 16:05:25 meralon postfix/smtpd[22080]: match_string: relay_domains ~? qmqpd_authorized_clients
Feb 12 16:05:25 meralon postfix/smtpd[22080]: match_string: relay_domains ~? relay_domains
Feb 12 16:05:25 meralon postfix/smtpd[22080]: match_string: permit_mx_backup_networks ~? debug_peer_list
Feb 12 16:05:25 meralon postfix/smtpd[22080]: match_string: permit_mx_backup_networks ~? fast_flush_domains
Feb 12 16:05:25 meralon postfix/smtpd[22080]: match_string: permit_mx_backup_networks ~? mynetworks
Feb 12 16:05:25 meralon postfix/smtpd[22080]: match_string: permit_mx_backup_networks ~? permit_mx_backup_networks
Feb 12 16:05:25 meralon postfix/smtpd[22080]: maps_append: proxy:unix:passwd.byname
Feb 12 16:05:25 meralon postfix/smtpd[22080]: connect to subsystem private/proxymap
Feb 12 16:05:25 meralon postfix/smtpd[22080]: send attr request = open
Feb 12 16:05:25 meralon postfix/smtpd[22080]: send attr table = unix:passwd.byname
Feb 12 16:05:25 meralon postfix/smtpd[22080]: send attr flags = 64
Feb 12 16:05:25 meralon postfix/smtpd[22080]: private/proxymap socket: wanted attribute: status
Feb 12 16:05:25 meralon postfix/smtpd[22080]: input attribute name: status
Feb 12 16:05:25 meralon postfix/smtpd[22080]: input attribute value: 0
Feb 12 16:05:25 meralon postfix/smtpd[22080]: private/proxymap socket: wanted attribute: flags
Feb 12 16:05:25 meralon postfix/smtpd[22080]: input attribute name: flags
Feb 12 16:05:25 meralon postfix/smtpd[22080]: input attribute value: 80
Feb 12 16:05:25 meralon postfix/smtpd[22080]: private/proxymap socket: wanted attribute: (list terminator)
Feb 12 16:05:25 meralon postfix/smtpd[22080]: input attribute name: (end)
Feb 12 16:05:25 meralon postfix/smtpd[22080]: dict_proxy_open: connect to map=unix:passwd.byname status=0 server_flags=0120
Feb 12 16:05:25 meralon postfix/smtpd[22080]: dict_open: proxy:unix:passwd.byname
Feb 12 16:05:25 meralon postfix/smtpd[22080]: maps_append: hash:/etc/mail/aliases
Feb 12 16:05:25 meralon postfix/smtpd[22080]: dict_open: hash:/etc/mail/aliases
Feb 12 16:05:25 meralon postfix/smtpd[22080]: maps_append: hash:/usr/local/mailman/data/aliases
Feb 12 16:05:25 meralon postfix/smtpd[22080]: dict_open: hash:/usr/local/mailman/data/aliases
Feb 12 16:05:25 meralon postfix/smtpd[22080]: match_string: smtpd_access_maps ~? debug_peer_list
Feb 12 16:05:25 meralon postfix/smtpd[22080]: match_string: smtpd_access_maps ~? fast_flush_domains
Feb 12 16:05:25 meralon postfix/smtpd[22080]: match_string: smtpd_access_maps ~? mynetworks
Feb 12 16:05:25 meralon postfix/smtpd[22080]: match_string: smtpd_access_maps ~? permit_mx_backup_networks
Feb 12 16:05:25 meralon postfix/smtpd[22080]: match_string: smtpd_access_maps ~? qmqpd_authorized_clients
Feb 12 16:05:25 meralon postfix/smtpd[22080]: match_string: smtpd_access_maps ~? relay_domains
Feb 12 16:05:25 meralon postfix/smtpd[22080]: match_string: smtpd_access_maps ~? smtpd_access_maps
Feb 12 16:05:25 meralon postfix/smtpd[22080]: watchdog_create: 0x809d860 18000
Feb 12 16:05:25 meralon postfix/smtpd[22080]: watchdog_stop: 0x809d860
Feb 12 16:05:25 meralon postfix/smtpd[22080]: watchdog_start: 0x809d860
Feb 12 16:05:25 meralon postfix/smtpd[22080]: connection established
Feb 12 16:05:25 meralon postfix/smtpd[22080]: master_notify: status 0
Feb 12 16:05:25 meralon postfix/smtpd[22080]: name_mask: resource
Feb 12 16:05:25 meralon postfix/smtpd[22080]: name_mask: software
Feb 12 16:05:25 meralon postfix/smtpd[22080]: connect from localhost[127.0.0.1]
Feb 12 16:05:25 meralon postfix/smtpd[22080]: > localhost[127.0.0.1]: 220 meralon.dyndns.org ESMTP Postfix
Feb 12 16:05:25 meralon postfix/smtpd[22080]: watchdog_pat: 0x809d860
Feb 12 16:05:29 meralon postfix/smtpd[22080]: < localhost[127.0.0.1]: EHLO smtp.infinitum.de
Feb 12 16:05:29 meralon postfix/smtpd[22080]: > localhost[127.0.0.1]: 250-meralon.dyndns.org
Feb 12 16:05:29 meralon postfix/smtpd[22080]: > localhost[127.0.0.1]: 250-PIPELINING
Feb 12 16:05:29 meralon postfix/smtpd[22080]: > localhost[127.0.0.1]: 250-SIZE 10240000
Feb 12 16:05:29 meralon postfix/smtpd[22080]: > localhost[127.0.0.1]: 250-VRFY
Feb 12 16:05:29 meralon postfix/smtpd[22080]: > localhost[127.0.0.1]: 250-ETRN
Feb 12 16:05:29 meralon postfix/smtpd[22080]: match_hostname: localhost ~? 127.0.0.0/8
Feb 12 16:05:29 meralon postfix/smtpd[22080]: match_hostaddr: 127.0.0.1 ~? 127.0.0.0/8
Feb 12 16:05:29 meralon postfix/smtpd[22080]: > localhost[127.0.0.1]: 250-XVERP
Feb 12 16:05:29 meralon postfix/smtpd[22080]: > localhost[127.0.0.1]: 250 8BITMIME
Feb 12 16:05:29 meralon postfix/smtpd[22080]: watchdog_pat: 0x809d860
Feb 12 16:05:31 meralon postfix/smtpd[22080]: < localhost[127.0.0.1]: quit
Feb 12 16:05:31 meralon postfix/smtpd[22080]: > localhost[127.0.0.1]: 221 Bye
Feb 12 16:05:31 meralon postfix/smtpd[22080]: disconnect from localhost[127.0.0.1]
Feb 12 16:05:31 meralon postfix/smtpd[22080]: master_notify: status 1
Feb 12 16:05:31 meralon postfix/smtpd[22080]: connection closed
Feb 12 16:05:31 meralon postfix/smtpd[22080]: watchdog_stop: 0x809d860
Feb 12 16:05:31 meralon postfix/smtpd[22080]: watchdog_start: 0x809d860
```

----------

## PermaNoob

Do you have this file:  /usr/lib/sasl2/smtpd.conf ???

On my setup, /usr/lib/sasl2/smtpd.conf is a symlink to /etc/sasl2/smtpd.conf.  Your smtpd.conf needs to be in both locations AFAIK and either one can be a symlink to the other.

----------

## meralon

I have created the link in /usr/lib/sasl2 and restarted saslauthd and postfix. But still the same problem, no AUTH-lines.

----------

## Woolong

Hi,

You need this:

vi /etc/conf.d/saslauthd

```
SASL_AUTHMECH=shadow
SASL_RIMAP_HOSTNAME=""
SASL_TIME_OF_DAY_LOGIN_RESTRICTIONS=yes
SASLAUTHD_OPTS="-a ${SASL_AUTHMECH}"
```

----------

## Woolong

Hi,

Does anyone know how to make postfix relay mail from "untrusted" clients?

*Quote:*

> # By default, Postfix relays mail
> # - from "trusted" clients (IP address matches $mynetworks) to any destination,
> ...

I have sasl authentication working, but postfix insists on only accepting clients in "mynetworks" field. It becomes a problem accepting non-local clients as they don't have static IPs.

----------

## UberLord

*Woolong wrote:*

> Hi,
>
> Does anyone know how to make postfix relay mail from "untrusted" clients?
>
> *Quote:*
> ...

```
smtpd_client_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
```

Solves the problem if the clients auth via sasl  :Smile: 

----------

## Woolong

It works! Thank you so much!   :Very Happy: 

----------
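An added check, not part of any post in this thread: it lints the SASL-related names in the main.cf meralon posted against a non-exhaustive subset of the smtpd SASL parameters in postconf(5), and extracts AUTH mechanisms from an EHLO reply. The function names and the AUTH-bearing sample reply are assumptions constructed for this example; the main.cf lines and the first EHLO reply are copied from the posts above.

```python
import difflib
import re

# Subset of postconf(5) names, not exhaustive; smtpd_sasl_type and
# smtpd_sasl_path come from Postfix releases later than the thread's 2.0.16.
KNOWN_SASL_PARAMS = {
    "smtpd_sasl_auth_enable", "smtpd_sasl_security_options",
    "smtpd_sasl_local_domain", "smtpd_sasl_type", "smtpd_sasl_path",
    "broken_sasl_auth_clients",
}
# main.cf lines and EHLO reply as posted in the thread.
THREAD_MAIN_CF = """\
smtpd_sasl_auth_enabled = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
smtpd_client_restrictions = permit_sasl_authenticated, reject
"""
THREAD_EHLO = """\
250-meralon.dyndns.org
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-XVERP
250 8BITMIME
"""
# Constructed reply with both AUTH forms; the "AUTH=" form is the one
# broken_sasl_auth_clients = yes adds for obsolete clients.
CONSTRUCTED_EHLO = "250-AUTH LOGIN PLAIN\n250-AUTH=LOGIN PLAIN\n250 8BITMIME\n"

def lint_sasl_params(main_cf_text):
    """Map each unrecognised SASL-looking parameter to its closest known name."""
    findings = {}
    for line in main_cf_text.splitlines():
        # Skip blanks, comments and continuation lines (leading whitespace).
        if not line.strip() or line[0].isspace() or line.startswith("#"):
            continue
        name = line.split("=", 1)[0].strip()
        if "sasl" in name and name not in KNOWN_SASL_PARAMS:
            close = difflib.get_close_matches(name, sorted(KNOWN_SASL_PARAMS), n=1)
            findings[name] = close[0] if close else None
    return findings

def ehlo_auth_mechanisms(ehlo_reply):
    """Return the de-duplicated mechanisms advertised on 250 AUTH lines."""
    mechs = []
    for line in ehlo_reply.splitlines():
        m = re.match(r"250[- ]AUTH[ =](.*)", line.strip(), re.IGNORECASE)
        for mech in (m.group(1).upper().split() if m else []):
            if mech not in mechs:
                mechs.append(mech)
    return mechs
```

Run on the thread's main.cf, `lint_sasl_params` reports `smtpd_sasl_auth_enabled` with `smtpd_sasl_auth_enable` as the nearest documented name, and `ehlo_auth_mechanisms` finds no mechanisms in the posted EHLO reply.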

