From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.4) Gecko/20030712

Description of problem:
If an attempt is made to configure postfix to use sasl based smtp auth, auth fails every time and no reason is logged. main.cf is configured as follows:

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_relay_domains

Some googling has revealed that for some reason postfix is linked against the sasl1 library, even though the cyrus-sasl-2.1.10-4 package is installed. The config file /usr/lib/sasl/smtpd.conf contains the following:

pwcheck_method: sasldb

No instructions are included on how to authenticate with sasldb in the postfix docs, nor is there a reason given why a more logical auth scheme is used, like pam. If saslpasswd is used to add users to the sasldb database, authentication still fails.

Version-Release number of selected component (if applicable):
postfix-1.1.12-1

How reproducible:
Always

Steps to Reproduce:
xxx

Additional info:
This has been fixed in the current rpm which is 2.0.11 which you may download from ftp.redhat.com. Please make sure you read the documentation in /usr/share/doc/postfix*/README-Postfix-SASL-RedHat.txt BTW, I think you'll also need a current cyrus-sasl rpm. Let me know how it goes so I can either close this bug or address the issue.
Is the latest cyrus-sasl rpms from redhat 9 updates good enough or should I be linking against one from rawhide?
I doubt what is in RHL 9 is current enough, the postfix package is requiring cyrus-sasl-2.1.10. The easiest thing is try installing the new postfix rpm, rpm will complain about any unmet dependencies, which you can then download. Unfortunately this can be a recursive process with successive rpms having their own unmet dependencies. I'm sorry to say there is not yet an automated way to determine all the dependencies and get all the rpms at once (rhn will do this, but the rpm you need is not part of rhn).
Just tried to build a version of postfix v2.1.15 as distributed by http://postfix.WL0.org, and the same problems with SASL occur - I assume the sasl libraries as shipped with RH9 are broken out the box. Busy trying the SASL library from rawhide to see if that works.
It's not so much that the sasl libraries were broken but version mismatches between sasl 1 and sasl 2. You also need that a variety of configuration parameters and files are correctly set up. I went through a somewhat painful process of figuring all this out myself a few months ago. Our rpm attempts to get it all right; if you work with virgin upstream sources you may miss some of the configuration that our rpm does. I'm attaching the write up I did and referred you to earlier, it is largely a result of what I learned from debugging this myself. Hopefully you will find it useful.
Created attachment 94312: documentation on configuring postfix + sasl
Reading through the attachment, it seems that the instructions describe configuring postfix and sasl2, but postfix as shipped with redhat9 is linked to sasl1, so the instructions don't work. I have been trying to follow similar instructions linked from the postfix website which also assume sasl2, and these instructions don't work either. I am busy downloading the rawhide cyrus-sasl sources to see if I get any joy out of those, hopefully postfix does not try and link to sasl1 again.
Yes, the change from sasl 1 to sasl 2 was one of the big changes and why you need the new cyrus-sasl rpm which has sasl 2 support.
Both the old (shipped with redhat9) and the new (shipped with rawhide) cyrus-sasl have sasl2. The problem is postfix - it links to sasl1, even when sasl2 is available. When postfix builds itself, it seems to try sasl1, then sasl2 - so building postfix against a redhat supplied cyrus-sasl will bind to sasl1, but then all the instructions on setting it up are incorrect, because those instructions are for sasl2. So the question is: how do you force postfix to bind to sasl2, and not sasl1?
Ah, now I recall, it was LDAP that forced sasl 1 to be linked against because LDAP was not yet sasl2 aware and you couldn't mix the two, but now LDAP is also linked against sasl2. As I alluded to earlier, getting postfix to use sasl authentication was an exercise in "version hell". Part of the issue was that you have to use saslauthd and the protocol for saslauthd changed between sasl v1 and v2, but the sasl package only provided a v2 saslauthd and postfix was linking against a v1 sasl library and so there was a run time protocol mismatch. That was only part of the problems :-( To see how to link against one or the other look at the postfix.spec file in /usr/src/redhat/SPECS after you install the postfix src rpm.
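An added example, not part of the thread or of the Postfix or Red Hat packaging: a shell check that reads ldd output, reports which Cyrus SASL major version a binary is linked against, and confirms smtpd.conf sits in the directory that version reads. The sonames (libsasl.so.* for v1, libsasl2.so.* for v2) and the /usr/lib/sasl2 directory are assumptions not stated in the thread, and the sample ldd output is constructed.

```shell
#!/bin/sh
# Assumed sonames: libsasl.so.* = Cyrus SASL v1, libsasl2.so.* = v2.
# Assumed config dirs: v1 reads /usr/lib/sasl, v2 reads /usr/lib/sasl2.

# Read `ldd` output on stdin; print sasl1, sasl2, both or none.
sasl_link_version() {
    awk '
        $1 ~ /^libsasl\.so/  { v1 = 1 }
        $1 ~ /^libsasl2\.so/ { v2 = 1 }
        END {
            if (v1 && v2) print "both"
            else if (v1)  print "sasl1"
            else if (v2)  print "sasl2"
            else          print "none"
        }'
}

# check_sasl_config VERSION [ROOT]: verify smtpd.conf is where the linked
# library will look for it. ROOT is a path prefix used for testing.
check_sasl_config() {
    case "$1" in
        sasl1) dir="${2:-}/usr/lib/sasl" ;;
        sasl2) dir="${2:-}/usr/lib/sasl2" ;;
        both)  echo "MISMATCH: SASL v1 and v2 in the same process"; return 0 ;;
        *)     echo "NOSASL: not linked against Cyrus SASL"; return 0 ;;
    esac
    if [ -f "$dir/smtpd.conf" ]; then
        echo "OK: $1 with $dir/smtpd.conf"
    else
        echo "MISCONFIG: linked against $1 but $dir/smtpd.conf is missing"
    fi
}

# Constructed sample of ldd output for an smtpd built against SASL v1.
SAMPLE_LDD='	libldap.so.2 => /usr/lib/libldap.so.2 (0x40021000)
	libsasl.so.7 => /usr/lib/libsasl.so.7 (0x40060000)
	libc.so.6 => /lib/tls/libc.so.6 (0x42000000)'

ver=$(printf '%s\n' "$SAMPLE_LDD" | sasl_link_version)
echo "linked against: $ver"
# On a real host:
#   ldd "$(postconf -h daemon_directory)/smtpd" | sasl_link_version
```

A result of sasl1 together with instructions written for sasl2 is the situation described in this thread; both indicates the mixed linkage that LDAP used to force.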
I got joy at last with the postfix RPM as distributed by http://postfix.WL0.org - the flag sasl in the spec file was supposed to be "2" (indicating v2) rather than "1" (indicating "true"). The SASL library was upgraded to cyrus-sasl-2.1.15-4 as distributed by redhat rawhide, and this worked: /etc/sysconfig/saslauthd was set to METH=pam (this file did not exist by default), and a pam config file /etc/pam.d/smtp was created as a simple copy of /etc/pam.d/imap. To get this to work out the box, it seems that the two files /etc/sysconfig/saslauthd as above needs to be added to cyrus-sasl, and /etc/pam.d/smtp as above needs to be added to postfix (and sendmail?). A commented out section in the postfix main.cf file giving the postfix config should also help (not sure if it is there already):

#smtpd_sasl_auth_enable = yes
#smtpd_sasl_security_options = noanonymous
##broken_sasl_auth_clients = yes
#smtpd_recipient_restrictions = permit_sasl_authenticated,
#    permit_mynetworks,
#    reject_unauth_destination,
Good, I'm glad you had success. For what it's worth the two config files you had to create are created by our rpm. I agree adding in the commented out parameters to main.cf is a good idea.