Red Hat Bugzilla – Bug 103975
Postfix + SASL + smtp auth broken as packaged
Last modified: 2007-04-18 12:57:26 EDT
Description of problem:
If an attempt is made to configure postfix to use sasl based smtp auth, auth
fails every time and no reason is logged.
main.cf is configured as follows:
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_recipient_restrictions = permit_sasl_authenticated,
Some googling has revealed that for some reason postfix is linked against the
sasl1 library, even though the cyrus-sasl-2.1.10-4 package is installed.
The config file /usr/lib/sasl/smtpd.conf contains the following:
No instructions are included on how to authenticate with sasldb in the postfix
docs, nor is there a reason given why a more logical auth scheme is used, like pam.
If saslpasswd is used to add users to the sasldb database, authentication still
Version-Release number of selected component (if applicable):
Steps to Reproduce:
This has been fixed in the current rpm which is 2.0.11 which you may download
from ftp.redhat.com. Please make sure you read the documentation in
BTW, I think you'll also need a current cyrus-sasl rpm.
Let me know how it goes so I can either close this bug or address the issue.
Are the latest cyrus-sasl rpms from redhat 9 updates good enough, or should I be
linking against one from rawhide?
I doubt what is in RHL 9 is current enough, the postfix package is requiring
cyrus-sasl-2.1.10. The easiest thing is try installing the new postfix rpm, rpm
will complain about any unmet dependencies, which you can then download.
Unfortunately this can be a recursive process with successive rpms having their
own unmet dependencies. I'm sorry to say there is not yet an automated way to
determine all the dependencies and get all the rpms at once (rhn will do this,
but the rpm you need is not part of rhn).
Just tried to build a version of postfix v2.1.15 as distributed by
http://postfix.WL0.org, and the same problems with SASL occur - I assume the
sasl libraries as shipped with RH9 are broken out the box.
Busy trying the SASL library from rawhide to see if that works.
It's not so much that the sasl libraries were broken but version mismatches
between sasl 1 and sasl 2. You also need a variety of configuration
parameters and files to be correctly set up. I went through a somewhat painful
process of figuring all this out myself a few months ago. Our rpm attempts to
get it all right; if you work with virgin upstream sources you may miss some of
the configuration that our rpm does. I'm attaching the write-up I did and
referred you to earlier, it is largely a result of what I learned from debugging
this myself. Hopefully you will find it useful.
Created attachment 94312
documentation on configuring postfix + sasl
Reading through the attachment, it seems that the instructions describe
configuring postfix and sasl2, but postfix as shipped with redhat9 is linked to
sasl1, so the instructions don't work. I have been trying to follow similar
instructions linked from the postfix website which also assume sasl2, and these
instructions don't work either.
I am busy downloading the rawhide cyrus-sasl sources to see if I get any joy out
of those, hopefully postfix does not try and link to sasl1 again.
Yes, the change from sasl 1 to sasl 2 was one of the big changes and why you
need the new cyrus-sasl rpm which has sasl 2 support.
Both the old (shipped with redhat9) and the new (shipped with rawhide)
cyrus-sasl have sasl2.
The problem is postfix - it links to sasl1, even when sasl2 is available.
When postfix builds itself, it seems to try sasl1, then sasl2 - so building
postfix against a redhat supplied cyrus-sasl will bind to sasl1, but then all
the instructions on setting it up are incorrect, because those instructions are
So the question is: how do you force postfix to bind to sasl2, and not sasl1?
Ah, now I recall, it was LDAP that forced sasl 1 to be linked against because
LDAP was not yet sasl2 aware and you couldn't mix the two, but now LDAP is also
linked against sasl2. As I alluded to earlier, getting postfix to use sasl
authentication was an exercise in "version hell". Part of the issue was that you
have to use saslauthd and the protocol for saslauthd changed between sasl v1 and
v2, but the sasl package only provided a v2 saslauthd and postfix was linking
against a v1 sasl library and so there was a run time protocol mismatch. That
was only part of the problems :-(
To see how to link against one or the other look at the postfix.spec file in
/usr/src/redhat/SPECS after you install the postfix src rpm.
I got joy at last with the postfix RPM as distributed by http://postfix.WL0.org
- the flag sasl in the spec file was supposed to be "2" (indicating v2) rather
than "1" (indicating "true").
The SASL library was upgraded to cyrus-sasl-2.1.15-4 as distributed by redhat
rawhide, and this worked:
/etc/sysconfig/saslauthd was set to METH=pam (this file did not exist by
default), and a pam config file /etc/pam.d/smtp was created as a simple copy of
To get this to work out the box, it seems that the two files
/etc/sysconfig/saslauthd as above needs to be added to cyrus-sasl, and
/etc/pam.d/smtp as above needs to be added to postfix (and sendmail?).
A commented out section in the postfix main.cf file giving the postfix config
should also help (not sure if it is there already):
#smtpd_sasl_auth_enable = yes
#smtpd_sasl_security_options = noanonymous
##broken_sasl_auth_clients = yes
#smtpd_recipient_restrictions = permit_sasl_authenticated,
Good, I'm glad you had success. For what it's worth, the two config files you had
to create are created by our rpm. I agree adding in the commented out parameters
to main.cf is a good idea.
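
A quick way to check for the linkage problem discussed in this thread, as an added example that is not part of the original bug report: the script classifies `ldd` output for the smtpd binary by the SASL major version it loads. The sample `ldd` lines are constructed, and /usr/lib/sasl2/smtpd.conf is the conventional SASL v2 config location, assumed here rather than taken from the thread.

```shell
#!/bin/sh
# Classify `ldd` output (stdin) by the Cyrus SASL major version it pulls in.
# Prints one of: sasl1, sasl2, both, none.
sasl_linkage() {
    awk '
        /libsasl2\.so/ { v2 = 1 }
        /libsasl\.so/  { v1 = 1 }
        END {
            if (v1 && v2) print "both"
            else if (v2)  print "sasl2"
            else if (v1)  print "sasl1"
            else          print "none"
        }'
}

# Turn the linkage into a verdict for a saslauthd-based smtpd setup.
# Returns 0 only when the binary uses SASL v2 alone.
diagnose() {
    case "$(printf '%s\n' "$1" | sasl_linkage)" in
        sasl2) echo "ok: SASL v2; config expected in /usr/lib/sasl2/smtpd.conf" ;;
        sasl1) echo "mismatch: SASL v1 library cannot talk to a v2 saslauthd;" \
                    "config is read from /usr/lib/sasl/smtpd.conf"; return 1 ;;
        both)  echo "conflict: SASL v1 and v2 loaded together" \
                    "(e.g. via an LDAP library built against v1)"; return 1 ;;
        *)     echo "none: binary has no SASL support"; return 1 ;;
    esac
}

# Constructed ldd excerpts (not taken from the bug report).
SAMPLE_V1='	libsasl.so.7 => /usr/lib/libsasl.so.7 (0x40030000)
	libc.so.6 => /lib/tls/libc.so.6 (0x42000000)'
SAMPLE_V2='	libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x40030000)
	libc.so.6 => /lib/tls/libc.so.6 (0x42000000)'
SAMPLE_MIXED='	libldap.so.2 => /usr/lib/libldap.so.2 (0x40050000)
	libsasl.so.7 => /usr/lib/libsasl.so.7 (0x40030000)
	libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x40090000)'

if [ "$#" -gt 0 ]; then
    # Real use: pass the path of the smtpd binary to inspect.
    diagnose "$(ldd "$1")"
else
    for s in "$SAMPLE_V1" "$SAMPLE_V2" "$SAMPLE_MIXED"; do
        diagnose "$s" || true
    done
fi
```

Run it with the path of the installed smtpd binary as its only argument to inspect a real system; with no argument it walks the constructed samples.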