Bug 103975 - Postfix + SASL + smtp auth broken as packaged
Summary: Postfix + SASL + smtp auth broken as packaged
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: postfix
Version: 9
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: John Dennis
Reported: 2003-09-08 18:12 UTC by Graham Leggett
Modified: 2007-04-18 16:57 UTC

Last Closed: 2003-09-09 13:53:19 UTC

Attachments
documentation on configuring postfix + sasl (17.75 KB, text/plain)
2003-09-08 20:26 UTC, John Dennis

Description Graham Leggett 2003-09-08 18:12:36 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.4) Gecko/20030712

Description of problem:
If an attempt is made to configure postfix to use sasl based smtp auth, auth
fails every time and no reason is logged.

main.cf is configured as follows:

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname

smtpd_recipient_restrictions = permit_sasl_authenticated,
                               permit_mynetworks,
                               check_relay_domains

Some googling has revealed that for some reason postfix is linked against the
sasl1 library, even though the cyrus-sasl-2.1.10-4 package is installed.

The config file /usr/lib/sasl/smtpd.conf contains the following:

pwcheck_method: sasldb

No instructions are included on how to authenticate with sasldb in the postfix
docs, nor is there a reason given why a more logical auth scheme is used, like pam.

If saslpasswd is used to add users to the sasldb database, authentication still
fails.

Version-Release number of selected component (if applicable):
postfix-1.1.12-1

How reproducible:
Always

Steps to Reproduce:
xxx
    

Additional info:

Comment 1 John Dennis 2003-09-08 18:33:35 UTC
This has been fixed in the current rpm which is 2.0.11 which you may download
from ftp.redhat.com. Please make sure you read the documentation in
/usr/share/doc/postfix*/README-Postfix-SASL-RedHat.txt

BTW, I think you'll also need a current cyrus-sasl rpm.

Let me know how it goes so I can either close this bug or address the issue.

Comment 2 Graham Leggett 2003-09-08 19:24:13 UTC
Are the latest cyrus-sasl rpms from redhat 9 updates good enough, or should I be
linking against one from rawhide?


Comment 3 John Dennis 2003-09-08 20:02:15 UTC
I doubt what is in RHL 9 is current enough, the postfix package is requiring
cyrus-sasl-2.1.10. The easiest thing is try installing the new postfix rpm, rpm
will complain about any unmet dependencies, which you can then download.
Unfortunately this can be a recursive process with successive rpm's having their
own unmet dependencies. I'm sorry to say there is not yet an automated way to
determine all the dependencies and get all the rpms at once (rhn will do this,
but the rpm you need is not part of rhn).

Comment 4 Graham Leggett 2003-09-08 20:15:43 UTC
Just tried to build a version of postfix v2.1.15 as distributed by
http://postfix.WL0.org, and the same problems with SASL occur - I assume the
sasl libraries as shipped with RH9 are broken out the box.

Busy trying the SASL library from rawhide to see if that works.


Comment 5 John Dennis 2003-09-08 20:24:34 UTC
It's not so much that the sasl libraries were broken but version mismatches
between sasl 1 and sasl 2. You also need a variety of configuration
parameters and files to be correctly set up. I went through a somewhat painful
process of figuring all this out myself a few months ago. Our rpm attempts to
get it all right; if you work with virgin upstream sources you may miss some of
the configuration that our rpm does. I'm attaching the write-up I did and
referred you to earlier; it is largely a result of what I learned from debugging
this myself. Hopefully you will find it useful.

Comment 6 John Dennis 2003-09-08 20:26:22 UTC
Created attachment 94312 [details]
documentation on configuring postfix + sasl

Comment 7 Graham Leggett 2003-09-08 20:39:16 UTC
Reading through the attachment, it seems that the instructions describe
configuring postfix and sasl2, but postfix as shipped with redhat9 is linked to
sasl1, so the instructions don't work. I have been trying to follow similar
instructions linked from the postfix website which also assume sasl2, and these
instructions don't work either.

I am busy downloading the rawhide cyrus-sasl sources to see if I get any joy out
of those, hopefully postfix does not try and link to sasl1 again.


Comment 8 John Dennis 2003-09-08 21:26:15 UTC
Yes, the change from sasl 1 to sasl 2 was one of the big changes and why you
need the new cyrus-sasl rpm which has sasl 2 support.

Comment 9 Graham Leggett 2003-09-08 21:38:36 UTC
Both the old (shipped with redhat9) and the new (shipped with rawhide)
cyrus-sasl have sasl2.

The problem is postfix - it links to sasl1, even when sasl2 is available.

When postfix builds itself, it seems to try sasl1, then sasl2 - so building
postfix against a redhat supplied cyrus-sasl will bind to sasl1, but then all
the instructions on setting it up are incorrect, because those instructions are
for sasl2.

So the question is: how do you force postfix to bind to sasl2, and not sasl1?


Comment 10 John Dennis 2003-09-08 22:27:42 UTC
Ah, now I recall, it was LDAP that forced sasl 1 to be linked against because
LDAP was not yet sasl2 aware and you couldn't mix the two, but now LDAP is also
linked against sasl2. As I alluded to earlier, getting postfix to use sasl
authentication was an exercise in "version hell". Part of the issue was that you
have to use saslauthd and the protocol for saslauthd changed between sasl v1 and
v2, but the sasl package only provided a v2 saslauthd and postfix was linking
against a v1 sasl library and so there was a run time protocol mismatch. That
was only part of the problems :-(

To see how to link against one or the other look at the postfix.spec file in
/usr/src/redhat/SPECS after you install the postfix src rpm.

Comment 11 Graham Leggett 2003-09-08 23:01:04 UTC
I got joy at last with the postfix RPM as distributed by http://postfix.WL0.org
- the flag sasl in the spec file was supposed to be "2" (indicating v2) rather
than "1" (indicating "true").

The SASL library was upgraded to cyrus-sasl-2.1.15-4 as distributed by redhat
rawhide, and this worked:

/etc/sysconfig/saslauthd was set to METH=pam (this file did not exist by
default), and a pam config file /etc/pam.d/smtp was created as a simple copy of
/etc/pam.d/imap.

To get this to work out the box, it seems that the two files
/etc/sysconfig/saslauthd as above needs to be added to cyrus-sasl, and
/etc/pam.d/smtp as above needs to be added to postfix (and sendmail?).

A commented out section in the postfix main.cf file giving the postfix config
should also help (not sure if it is there already):

#smtpd_sasl_auth_enable = yes
#smtpd_sasl_security_options = noanonymous
##broken_sasl_auth_clients = yes
#smtpd_recipient_restrictions = permit_sasl_authenticated,
#                               permit_mynetworks,
#                               reject_unauth_destination,


Comment 12 John Dennis 2003-09-09 13:53:19 UTC
Good, I'm glad you had success. For what it's worth the two config files you had
to create are created by our rpm. I agree adding in the commented out parameters
to main.cf is a good idea.
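
The mismatch worked out in comments 9 and 10 (smtpd linked against sasl1 while saslauthd and the setup instructions are for sasl2) can be checked from `ldd` output and the SASL smtpd.conf. This is an added example, not part of the original bug thread or the Red Hat package; the function names are hypothetical and the sample `ldd` lines, sonames and config line are constructed.

```shell
#!/bin/sh
# Classify the SASL linkage of a binary from `ldd` output on stdin.
# Prints sasl1, sasl2, mixed or none.
sasl_abi() {
    awk '/libsasl2\.so/ { v2 = 1 }
         /libsasl\.so/  { v1 = 1 }
         END { if (v1 && v2) print "mixed"
               else if (v2)  print "sasl2"
               else if (v1)  print "sasl1"
               else          print "none" }'
}

# Extract the pwcheck_method value from smtpd.conf content on stdin.
pwcheck_method() {
    sed -n 's/^pwcheck_method:[[:space:]]*\([^[:space:]]*\).*/\1/p' | head -n 1
}

# Combine both facts into a verdict, following comments 9 and 10.
diagnose() {   # $1 = result of sasl_abi, $2 = result of pwcheck_method
    case "$1:$2" in
        mixed:*)         echo "FAIL: sasl1 and sasl2 both loaded" ;;
        sasl1:saslauthd) echo "FAIL: v1-linked smtpd cannot talk to the v2 saslauthd" ;;
        sasl1:*)         echo "WARN: linked to sasl1, sasl2 instructions do not apply" ;;
        sasl2:saslauthd) echo "OK: sasl2 with saslauthd" ;;
        sasl2:*)         echo "WARN: sasl2 linked, pwcheck_method is '$2'" ;;
        *)               echo "FAIL: smtpd is not linked against SASL" ;;
    esac
}

# Constructed sample input (not captured from a real host).
SAMPLE_LDD_V1='    libsasl.so.7 => /usr/lib/libsasl.so.7 (0x400c0000)
    libc.so.6 => /lib/libc.so.6 (0x42000000)'
SAMPLE_LDD_MIXED='    libldap.so.2 => /usr/lib/libldap.so.2 (0x40030000)
    libsasl.so.7 => /usr/lib/libsasl.so.7 (0x400c0000)
    libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x400d0000)'
SAMPLE_CONF='pwcheck_method: saslauthd'

# With arguments (<smtpd binary> <smtpd.conf>): real check. Without: demo run.
if [ -x "${1:-}" ] && [ -r "${2:-}" ]; then
    diagnose "$(ldd "$1" | sasl_abi)" "$(pwcheck_method < "$2")"
else
    diagnose "$(printf '%s\n' "$SAMPLE_LDD_V1" | sasl_abi)" \
             "$(printf '%s\n' "$SAMPLE_CONF" | pwcheck_method)"
fi
```

On a real host, pass the smtpd binary and the smtpd.conf that the linked SASL generation reads; both paths depend on the package.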

