# Postfix/SASL2: cannot connect to saslauthd server [SOLVED]

## dageyra

I have been working on this problem for about 2 weeks now, trying a wide variety of different ideas/suggestions.  I know that there have been many posts about this & similar problems, but none of the suggestions have worked for me so far.  

I want my mail users to be able to authenticate via shadow as to avoid fiddling with other username/passwd storage systems.  Makes sense to me because only the users who have login accounts are able to access email.

I have postfix-2.1.5-r2, built with pam (authenticating via shadow) & sasl (cyrus-sasl-2.1.20, built with ssl, pam, & authdaemond).  We use cyrus authentication with courier and this works great both locally (via squirrelmail) & remotely (via my personal email client).  However, sending mail via postfix only works locally (works remotely when sending to our domain, but that is due to postfix's authentication via permit_mynetworks).

Postfix main.cf <snippet>

```
# sasl stuff
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = 
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
#smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_relay_domains 
smtpd_sasl_security_options = noanonymous
# this section is used when postfix sends email to a remote MX domain
#smtp_sasl_password_maps = hash:/usr/local/postfix/etc/sasl_passwd
# smtp_sasl_password_maps = hash:/etc/passwd
# smtp_sasl_auth_enable = yes
```

Postfix master.cf <snippet> (to show not running chroot'd)

```
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd 
```

Sasl file is in /etc/sasl2/smtpd.conf:

```
# $Header: /var/cvsroot/gentoo-x86/mail-mta/postfix/files/smtp.sasl,v 1.2 2004/07/18 03:26:56 dragonheart Exp $
pwcheck_method: saslauthd
mech_list: plain login
```

saslauthd is configured as follows (I have changed SASLAUTH_MECH to be shadow, there seems to be no effect between having pam/shadow, which makes sense since pam is configured to use shadow):

```
SASLAUTH_MECH=pam
SASL_RIMAP_HOSTNAME=""
SASL_TIME_OF_DAY_LOGIN_RESTRICTIONS=yes 
# Specify the authentications mechanism.
# *NOTE* For list see: saslauthd -v
# From 2.1.19, add "-r" to options for old behavior
# ie. reassemble user and realm to user@realm form.
# SASLAUTHD_OPTS="${SASLAUTH_MECH} -a pam -r"
#SASLAUTHD_OPTS="${SASLAUTH_MECH} -a pam"
SASLAUTHD_OPTS="-a ${SASLAUTH_MECH}"
```

And my pam.d/smtp:

```
# $Header: /var/cvsroot/gentoo-x86/mail-mta/postfix/files/smtp.pam,v 1.2 2004/07/18 03:26:56 dragonheart Exp $
auth    required        /lib/security/pam_stack.so service=system-auth
account required        /lib/security/pam_stack.so service=system-auth
```

I have created symlinks @ /etc/postfix/sasl2, /usr/lib/sasl2/smtpd.conf, /var/lib/sasl2/smtpd.conf, all pointing to /etc/sasl2/smtpd.conf.  The interesting thing is that before I created the symlink in /usr/lib/sasl2, I was just getting sasl failures:

```
Mar  1 10:36:40 neonet postfix/smtpd[18100]: connect from 12-109-93-150.joink.com[12.109.93.150]
Mar  1 10:36:42 neonet postfix/smtpd[18100]: warning: SASL authentication failure: Password verification failed
Mar  1 10:36:42 neonet postfix/smtpd[18100]: warning: 12-109-93-150.joink.com[12.109.93.150]: SASL PLAIN authentication failed
Mar  1 10:36:42 neonet postfix/smtpd[18100]: warning: 12-109-93-150.joink.com[12.109.93.150]: SASL LOGIN authentication failed
Mar  1 10:36:43 neonet postfix/smtpd[18100]: lost connection after AUTH from 12-109-93-150.joink.com[12.109.93.150]
Mar  1 10:36:43 neonet postfix/smtpd[18100]: disconnect from 12-109-93-150.joink.com[12.109.93.150]
```

After creating the symlink in /usr/lib/sasl2, another message has appeared:

```
Mar  1 10:36:42 neonet postfix/smtpd[18100]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
...
Mar  1 10:36:42 neonet postfix/smtpd[18100]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
```

I believe that this symlink is required, but I do not know why there is a connection problem.  saslauthd is running as saslauthd -a pam, and testsaslauthd -u [username] -p [password] returns true/false correctly, and I have also created the sasl group and added the user postfix to this group.  When I telnet into the box via port 25, I get:

```
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME
```

but this does not authenticate correctly.  I think the problem is postfix configuration or permissions or something in that general area, but I am at a loss and the numerous posts I have encountered about this problem have proven futile.  I hope that someone out there is able to shed some light into this growing black hole.  Thanks in advance for any help offered.

Last edited by dageyra on Wed Mar 02, 2005 10:10 pm; edited 1 time in total

----------

## langthang

WFM with the least changes to the default configuration files.

```
# grep -vE '^#|^$' /etc/conf.d/saslauthd
SASLAUTHD_OPTS=""
SASLAUTHD_OPTS="${SASLAUTH_MECH} -a pam"

# grep -vE '^#|^$' /etc/sasl2/smtpd.conf
pwcheck_method: saslauthd
mech_list: plain login

# grep -vE '^#|^$' /etc/postfix/main.cf
<snip postfix default settings>
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_security_options = noanonymous

# grep -vE '^#|^$' /etc/pam.d/smtp
auth    required        /lib/security/pam_stack.so service=system-auth
account required        /lib/security/pam_stack.so service=system-auth

$ printf 'user' | mimencode
dXNlcg==
$ printf 'pass' | mimencode
cGFzcw==

$ telnet 10.1.2.3 25
Trying 10.1.2.3...
Connected to 10.1.2.3.
Escape character is '^]'.
220 my.mail.server ESMTP Postfix
EHLO blah
250-my.mail.server
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-XVERP
250 8BITMIME
auth login
334 VXNlcm5hbWU6
dXNlcg==
334 UGFzc3dvcmQ6
cGFzcw==
235 Authentication successful
```

 *Quote:*   

> I have postfix-2.1.5-r2, built with pam (authenticating via shadow) & sasl (cyrus-sasl-2.1.20, built with ssl, pam, & authdaemond). We use cyrus authentication with courier and this works great both locally (via squirrelmail) & remotely (via my personal email client). However, sending mail via postfix only works locally (works remotely when sending to our domain, but that is due to postfix's authentication via permit_mynetworks).

 

for your setup, all you need is cyrus-sasl emerge with pam and either berkdb or gdbm USE flags. postfix emerge with sasl, pam USE flag.

 *Quote:*   

> I have created symlinks @ /etc/postfix/sasl2, /usr/lib/sasl2/smtpd.conf, /var/lib/sasl2/smtpd.conf, all pointing to /etc/sasl2/smtpd.conf.

 

No need. Gentoo patched cyrus-sasl to read /etc/sasl2/smtpd.conf

Back up all your configurations. Try the simple thing first, make sure it works, then start add stuff in.
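The manual AUTH LOGIN session in the post above, worked through as an added example (not code from the thread or from Postfix/Cyrus SASL). It encodes the same constructed credentials, `user`/`pass`, shows both sides of the exchange, decodes the `334` challenges, and also builds and decodes the one-line AUTH PLAIN form that the server advertises next to LOGIN. The `verify` callback is a stand-in for saslauthd (the part that `testsaslauthd` exercises directly).

```python
import base64

# Constructed sample credentials, the same ones used in the thread's session.
USER = "user"
PASSWORD = "pass"


def b64(text):
    """Base64-encode text the way an SMTP client sends it in AUTH LOGIN / AUTH PLAIN."""
    return base64.b64encode(text.encode()).decode()


def decode_challenge(line):
    """Decode a '334 <base64>' server challenge to its plain text (e.g. 'Username:')."""
    code, _, payload = line.partition(" ")
    if code != "334":
        raise ValueError("not a SASL continuation line: %r" % line)
    return base64.b64decode(payload).decode()


def auth_login_responses(user, password):
    """The two client lines AUTH LOGIN expects after the Username:/Password: challenges."""
    return [b64(user), b64(password)]


def auth_plain_line(user, password, authzid=""):
    """AUTH PLAIN sends everything at once: base64(authzid NUL authcid NUL password)."""
    return "AUTH PLAIN " + b64("%s\0%s\0%s" % (authzid, user, password))


def decode_auth_plain(payload):
    """Recover (authzid, authcid, password) from a captured AUTH PLAIN payload.
    Base64 is an encoding, not encryption, so this is always possible."""
    authzid, authcid, password = base64.b64decode(payload).decode().split("\0")
    return authzid, authcid, password


def simulate_auth_login(user, password, verify):
    """Both sides of an AUTH LOGIN exchange as a list of 'C:'/'S:' lines.
    `verify(user, password)` plays the role of saslauthd (hypothetical stand-in)."""
    transcript = ["C: auth login", "S: 334 " + b64("Username:")]
    transcript.append("C: " + b64(user))
    transcript.append("S: 334 " + b64("Password:"))
    transcript.append("C: " + b64(password))
    if verify(user, password):
        transcript.append("S: 235 Authentication successful")
    else:
        transcript.append("S: 535 Error: authentication failed")
    return transcript


if __name__ == "__main__":
    # Toy verifier: accepts only the constructed sample credentials.
    check = lambda u, p: (u, p) == (USER, PASSWORD)
    for line in simulate_auth_login(USER, PASSWORD, check):
        print(line)
    print(auth_plain_line(USER, PASSWORD))
    print(decode_auth_plain(auth_plain_line(USER, PASSWORD).split()[-1]))
```

Because `decode_auth_plain` works on any captured payload, PLAIN and LOGIN expose the password to anyone who can read the TCP session; on a Postfix server they belong under TLS (the `smtpd_tls_auth_only = yes` parameter makes smtpd offer AUTH only after STARTTLS; it is not part of the configuration in this thread).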

----------

## dageyra

 *langthang wrote:*   

> WFM with the least changes to the default configuration files.
> 
> ```
> ...

 

I don't see that these configurations are any different than mine.

 *Quote:*   

> ```
> # grep -vE '^#|^$' /etc/conf.d/saslauthd
> ...

 

I believe this configuration is designed to simply pass -a pam to saslauthd when starting, which is what my bloated (due to trying numerous ideas) code does.  I have simplified and ensured the -a pam is passed to saslauthd when starting.

 *Quote:*   

> for your setup, all you need is cyrus-sasl emerge with pam and either berkdb or gdbm USE flags. postfix emerge with sasl, pam USE flag. 
> 
> ...

 

I will try to re-emerge postfix/cyrus-sasl using the USE flags you have specified and get back to you.  Thanks for your suggestions.

----------

## dageyra

I've re-emerged postfix & cyrus-sasl with: USE="pam sasl gdbm -berkdb".

I have the following:

```
$ grep -vE '^#|^$' /etc/conf.d/saslauthd 
SASLAUTHD_OPTS=""
SASLAUTHD_OPTS="${SASLAUTH_MECH} -a pam"

$ grep -vE '^#|^$' /etc/sasl2/smtpd.conf 
pwcheck_method: saslauthd
mech_list: plain login

$ grep -vE '^#|^$' /etc/postfix/main.cf  
...
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = 
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_security_options = noanonymous
...

$ grep -vE '^#|^$' /etc/pam.d/smtp      
auth    required        /lib/security/pam_stack.so service=system-auth
account required        /lib/security/pam_stack.so service=system-auth

$ /etc/init.d/postfix reload
 * Reloading postfix...                                    [ ok ]
$ /etc/init.d/saslauthd restart
 * Stopping saslauthd...                                   [ ok ]
 * Starting saslauthd... 

$ ps ax | grep sasl
14962 ?        Ss     0:00 /usr/sbin/saslauthd -a pam
14964 ?        S      0:00 /usr/sbin/saslauthd -a pam
14965 ?        S      0:00 /usr/sbin/saslauthd -a pam
14966 ?        S      0:00 /usr/sbin/saslauthd -a pam
14967 ?        S      0:00 /usr/sbin/saslauthd -a pam
 5540 pts/7    S+     0:00 grep sasl
```

Again, I can send/receive mail locally, I can receive mail remotely, but trying to send mail remotely (or use telnet) gives the following in my log:

```
postfix/smtpd[24469]: connect from 12-109-93-150.joink.com[12.109.93.150]
postfix/smtpd[24469]: warning: SASL authentication failure: Could not open /etc/sasl2/sasldb2: gdbm_errno=3
postfix/smtpd[24469]: warning: SASL authentication failure: Could not open /etc/sasl2/sasldb2: gdbm_errno=3
postfix/smtpd[24469]: warning: SASL authentication failure: no secret in database
postfix/smtpd[24469]: warning: 12-109-93-150.joink.com[12.109.93.150]: SASL CRAM-MD5 authentication failed
postfix/smtpd[24469]: NTLM server step 1
postfix/smtpd[24469]: client flags: 
postfix/smtpd[24469]: NTLM server step 2
postfix/smtpd[24469]: client user: dageyra
postfix/smtpd[24469]: warning: SASL authentication failure: Could not open /etc/sasl2/sasldb2: gdbm_errno=3
postfix/smtpd[24469]: warning: SASL authentication failure: Could not open /etc/sasl2/sasldb2: gdbm_errno=3
postfix/smtpd[24469]: warning: SASL authentication failure: no secret in database
postfix/smtpd[24469]: warning: 12-109-93-150.joink.com[12.109.93.150]: SASL NTLM authentication failed
postfix/smtpd[24469]: warning: SASL authentication failure: Could not open /etc/sasl2/sasldb2: gdbm_errno=3
***[same error repeated]***
postfix/smtpd[24469]: warning: SASL authentication failure: Password verification failed
postfix/smtpd[24469]: warning: 12-109-93-150.joink.com[12.109.93.150]: SASL PLAIN authentication failed
postfix/smtpd[24469]: warning: SASL authentication failure: Could not open /etc/sasl2/sasldb2: gdbm_errno=3
***[same error repeated]***
postfix/smtpd[24469]: warning: 12-109-93-150.joink.com[12.109.93.150]: SASL LOGIN authentication failed
```

This is the error message that I was getting wayyyyyy back in the beginning of this mess.  Instead of pam authentication (or maybe I just don't really understand the pam authentication), it tries to use sasldb2...which I do not want because I want to use Unix built-in logins.  I got rid of the sasldb2 errors initially by not emerging with either database.  The NTLM errors I was able to eliminate by mv the *ntlm* libraries in /usr/lib/sasl2 to a folder /usr/lib/sasl2/deactivated, since I do not need NTLM authentication anyhow.

I reckon this is as simple as I can get--base install.  Please let me know if I've missed something or have something setup incorrectly.
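The three kinds of `SASL authentication failure` warning seen across this thread (`cannot connect to saslauthd server`, the `sasldb2` / `no secret in database` pair that appears when shared-secret mechanisms such as CRAM-MD5 and NTLM are still enabled, and `Password verification failed`) are distinct faults that are easy to confuse in a busy mail log. The following is an added example, not code from the thread, of a small triage script that reads Postfix smtpd log lines, sorts the warnings into those causes, and counts failed AUTH attempts per client so that repeated failures from one address stand out. The sample log is constructed from the lines posted in this thread; the cause descriptions are my own summary of what the thread established.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the log lines posted in this thread.
SAMPLE_LOG = """\
Mar  1 10:36:40 neonet postfix/smtpd[18100]: connect from 12-109-93-150.joink.com[12.109.93.150]
Mar  1 10:36:42 neonet postfix/smtpd[18100]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
Mar  1 10:36:42 neonet postfix/smtpd[18100]: warning: 12-109-93-150.joink.com[12.109.93.150]: SASL PLAIN authentication failed
postfix/smtpd[24469]: warning: SASL authentication failure: Could not open /etc/sasl2/sasldb2: gdbm_errno=3
postfix/smtpd[24469]: warning: SASL authentication failure: no secret in database
postfix/smtpd[24469]: warning: 12-109-93-150.joink.com[12.109.93.150]: SASL CRAM-MD5 authentication failed
postfix/smtpd[17838]: warning: SASL authentication failure: Password verification failed
postfix/smtpd[17838]: warning: 12-109-93-150.joink.com[12.109.93.150]: SASL LOGIN authentication failed
"""

# Lines may or may not carry the syslog timestamp/host prefix, so anchor on the smtpd tag.
SMTPD = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
MECH_FAIL = re.compile(
    r"^warning: (?P<host>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]: SASL (?P<mech>\S+) authentication failed$"
)

# Cause descriptions summarise what this thread established; they are not Postfix/Cyrus text.
CAUSES = {
    "saslauthd_unreachable": "smtpd cannot reach the saslauthd socket (daemon not running, "
                             "wrong socket path, or smtpd running chrooted)",
    "sasldb_lookup": "a shared-secret mechanism (CRAM-MD5, NTLM, ...) is enabled and needs "
                     "sasldb2; with saslauthd/PAM keep mech_list to plain login",
    "bad_credentials": "saslauthd rejected the password; confirm with testsaslauthd -u USER -p PASS",
}


def classify(msg):
    """Map one smtpd warning text to a cause key, or None if it is not a SASL failure."""
    if "cannot connect to saslauthd server" in msg:
        return "saslauthd_unreachable"
    if "sasldb2" in msg or "no secret in database" in msg:
        return "sasldb_lookup"
    if "Password verification failed" in msg:
        return "bad_credentials"
    return None


def triage(log_text):
    """Count failure causes and per-client failed AUTH attempts across a log."""
    causes = Counter()
    failures_by_ip = Counter()
    mechs_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        m = SMTPD.search(line)
        if not m:
            continue
        msg = m.group("msg")
        cause = classify(msg)
        if cause:
            causes[cause] += 1
            continue
        f = MECH_FAIL.match(msg)
        if f:
            failures_by_ip[f.group("ip")] += 1
            mechs_by_ip[f.group("ip")].add(f.group("mech"))
    return {
        "causes": dict(causes),
        "failures_by_ip": dict(failures_by_ip),
        "mechs_by_ip": {ip: sorted(s) for ip, s in mechs_by_ip.items()},
    }


def noisy_clients(report, threshold):
    """Client IPs with at least `threshold` failed AUTH attempts, most failures first."""
    hits = [(n, ip) for ip, n in report["failures_by_ip"].items() if n >= threshold]
    return [ip for n, ip in sorted(hits, reverse=True)]


def explain(report):
    """One human-readable line per cause seen, for the operator."""
    return ["%s x%d: %s" % (c, n, CAUSES[c]) for c, n in sorted(report["causes"].items())]


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for line in explain(report):
        print(line)
    print("repeat failures:", noisy_clients(report, 3))
```

On a live box the same functions can be fed `/var/log/messages` (or wherever syslog sends `mail.warning`); the per-IP counter is the part worth keeping as a detection after the configuration problem is solved, since a working saslauthd/PAM setup turns the SMTP port into a password-guessing target for every shadow account.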

----------

## dageyra

 *dageyra wrote:*   

> ...
> 
> Again, I can send/receive mail locally, I can receive mail remotely, but trying to send mail remotely (or use telnet) gives the following in my log:
> ...

 

I fixed the "Could not open /etc/sasl2/sasldb2" error by adding the postfix user to the mail group.  However, I still get the 'no secret in database' error.  I read a post that this was because there MUST be something in the sasl database...I don't really like adding a fake user/pw to this database, but I cannot even if I did.  When I try to use saslpasswd2, I get the following error:

```
saslpasswd2: symbol lookup error: saslpasswd2: undefined symbol: sasl_auxprop_store
```

This is all oh-so-familiar territory, but I am still at a loss.  I am very confused as to why postfix/sasl is even dealing with a database other than shadow-authentication...

----------

## dageyra

 *dageyra wrote:*   

> I fixed the "Could not open /etc/sasl2/sasldb2" error by adding the postfix user to the mail group.  However, I still get the 'no secret in database' error.  I read a post that this was because there MUST be something in the sasl database...I don't really like adding a fake user/pw to this database, but I cannot even if I did.  When I try to use saslpasswd2, I get the following error:
> 
> ```
> ...

 

By getting rid of unneeded authentication methods [NTLM/crammd5/etc], I was able to have sasl bypass the database lookup.  The error log is now down to this:

```
postfix/smtpd[17838]: connect from 12-109-93-150.joink.com[12.109.93.150]
postfix/smtpd[17838]: warning: SASL authentication failure: Password verification failed
postfix/smtpd[17838]: warning: 12-109-93-150.joink.com[12.109.93.150]: SASL PLAIN authentication failed
postfix/smtpd[17838]: warning: 12-109-93-150.joink.com[12.109.93.150]: SASL LOGIN authentication failed
```

Any suggestions, or should I backtrack from here?

----------

## langthang

try this:

```
$ printf 'user' | mimencode
dXNlcg==
$ printf 'pass' | mimencode
cGFzcw==

$ telnet 10.1.2.3 25
Trying 10.1.2.3...
Connected to 10.1.2.3.
Escape character is '^]'.
220 my.mail.server ESMTP Postfix
EHLO blah
250-my.mail.server
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-XVERP
250 8BITMIME
auth login
334 VXNlcm5hbWU6
dXNlcg==
334 UGFzc3dvcmQ6
cGFzcw==
235 Authentication successful
```

then post your telnet session.

----------

## dageyra

 *langthang wrote:*   

> try this:
> 
> ...
> 
> then post your telnet session.

 

I do not have mimencode on my system, but I do have encode-base64 (I created a user (user/pass) for this demonstration).

```
$ printf 'user' | encode-base64
dXNlcg==
$ printf 'pass' | encode-base64
cGFzcw==

$ testsaslauthd -u user -p pass
0: OK "Success."

220 mail.neoterichovercraft.com ESMTP
ehlo gmail.com
250-mail.neoterichovercraft.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME
auth login
334 VXNlcm5hbWU6
dXNlcg==
334 UGFzc3dvcmQ6
cGFzcw==
535 Error: authentication failed

$ tail /var/log/messages
postfix/smtpd[7249]: warning: 12-109-93-150.joink.com[12.109.93.150]: SASL login authentication failed
```

What'd ya think?

----------

## langthang

would you be able to /join #gentoo-netmail on irc.freenode.net ? It'd be easier.

----------

## dageyra

 *langthang wrote:*   

> would you be able to /join #gentoo-netmail on irc.freenode.net ? It'd be easier.

 

Sure, I don't use IRC (wayyyyy too easy to get side-tracked and divert from my work), but I can jump in.  I'll look you up when I get a client emerg'd.

----------

## dageyra

In case anyone has this problem again, you can try out a few of these steps, or definitely talk to langthang.  He knows what he's doing.

The end result was an improperly-linked library, which became clear after

```
ldd $(which saslpasswd2)
```

The smtpd.conf file should not be in /usr/lib/sasl2/.  Having it here gave me the error that started this thread.  I had to use saslpasswd2 to generate an entry into the sasldb2 database (why, I do not know, but it works).  To generate this entry I had to fix the library libsasl2.so.2 (remove bad library files from previous install and ln -s to correct libraries was the easiest, though in theory a full unmerge/emerge should have fixed this).  I kept the same settings that langthang has used here, but the difference is that with the entry into the database, I can now send email remotely.

Experience comes from two places: mistakes and mentors.  Sometimes we have to call on both.  Thanks langthang.

----------