My MTA (Postfix) is set up to do secure SMTP-AUTH and TLS via the Cyrus SASL library (a.k.a. saslauthd, from the sasl2-bin package) on an Ubuntu box.
Postfix SASL support (RFC 4954, formerly RFC 2554) is used to authenticate remote SMTP clients to the MTA and the Postfix SMTP client to a remote SMTP server.
I originally set things up via the Postfix-SMTP-AUTH-TLS-Howto and everything was working fine until earlier today, when I started seeing the following log entries when trying to send mail via the MTA:
May 30 03:03:36 pyxidis postfix/smtpd: connect from unknown[x.x.x.x]
May 30 03:03:37 pyxidis postfix/smtpd: setting up TLS connection from unknown[x.x.x.x]
May 30 03:03:40 pyxidis postfix/smtpd: Anonymous TLS connection established from unknown[x.x.x.x]: TLSv1 with cipher AES128-SHA (128/128 bits)
May 30 03:03:40 pyxidis postfix/smtpd: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
May 30 03:03:40 pyxidis postfix/smtpd: warning: SASL authentication failure: Password verification failed
May 30 03:03:40 pyxidis postfix/smtpd: warning: unknown[x.x.x.x]: SASL PLAIN authentication failed: generic failure
May 30 03:03:46 pyxidis postfix/smtpd: lost connection after AUTH from unknown[x.x.x.x]
May 30 03:03:46 pyxidis postfix/smtpd: disconnect from unknown[x.x.x.x]
I checked and the saslauthd process was happily running. Next up I had a peek in /var/spool/postfix/var/run/saslauthd/ (which I had previously created as per the HOWTO above) but there were no *mux* files to be seen as there should have been.
It then dawned on me that postfix runs in a chrooted jail and that saslauthd for some reason had stopped writing the required info to the chrooted jail where postfix was running. A quick look at the saslauthd rc script and its default file showed that it no longer had the required config to do this properly.
Why? Dunno. I'll have to go do some snooping a little later.
For now though, the fix was as simple as modifying the OPTIONS variable in the /etc/defaults/saslauthd config file to be something like this:
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
Restart saslauthd and things start appearing where they should and mail is back in business.
Good hints. It was enough to tip me in to check /var/spool/postfix/ to see what was going on. For some odd reason, I had ./run, not ./var/run, and the ownership of the former had passed to root.
Brill. It works again. Thanks for the pointer!
Thanks, that fixed it for me... until it broke again.
The problem was that my Postfix was listening on several different ports, and some were set to chroot in master.cf, while others were not. After I set them all to be chroot-ed, and edited /etc/defaults/saslauthd, it started working consistently.
R, thanks for the heads up. Changing the /etc/postfix/master.cf worked as well for me - converting the smtps(smtp) processes to be chrooted.
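A consistency check for the failure described in the post and the comments, as an added example that is not part of the original post or its comments: it reads master.cf and the saslauthd defaults file and lists the smtpd services that would look for the saslauthd socket somewhere other than saslauthd's -m directory. The sample inputs are constructed and the function names are hypothetical; it assumes smtpd's SASL code looks in /var/run/saslauthd and that a "-" in the chroot column means "n" (the Postfix 3.0+ default), and it compares paths only, without following symlinks or bind mounts.

```python
import posixpath
import shlex

QUEUE_DIR = "/var/spool/postfix"   # Postfix chroot root, as in the post
CLIENT_DIR = "/var/run/saslauthd"  # assumption: directory smtpd's SASL code opens

# Constructed sample input, not taken from a real host.
MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       y       -       -       smtpd
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
pickup    unix  n       -       y       60      1       pickup
"""
BEFORE = 'OPTIONS="-c"\n'
AFTER = 'OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"\n'

def smtpd_chroot(master_cf, default="n"):
    """Map each smtpd service to True if its chroot column resolves to 'y'."""
    services = {}
    for line in master_cf.splitlines():
        # Skip blank lines, comments and continuation lines (leading whitespace).
        if not line.strip() or line[0] in "# \t":
            continue
        f = line.split()
        if len(f) >= 8 and f[7] == "smtpd":
            flag = default if f[4] == "-" else f[4]  # "-" means built-in default
            services[f"{f[0]}/{f[1]}"] = flag == "y"
    return services

def mux_dir(defaults):
    """Return the -m directory from the OPTIONS line, else CLIENT_DIR."""
    for line in defaults.splitlines():
        if line.strip().startswith("OPTIONS="):
            args = " ".join(shlex.split(line.split("=", 1)[1])).split()
            if "-m" in args[:-1]:
                return posixpath.normpath(args[args.index("-m") + 1])
    return CLIENT_DIR

def unreachable(master_cf, defaults, default="n"):
    """List smtpd services that would look for the socket in the wrong place."""
    target = mux_dir(defaults)
    seen = {True: QUEUE_DIR + CLIENT_DIR, False: CLIENT_DIR}
    return [name for name, chrooted in smtpd_chroot(master_cf, default).items()
            if seen[chrooted] != target]

if __name__ == "__main__":
    print("before:", unreachable(MASTER_CF, BEFORE))
    print("after: ", unreachable(MASTER_CF, AFTER))
```

With the sample input, the chrooted smtp service is flagged before the OPTIONS change and the non-chrooted smtps service is flagged after it, which is the mixed-chroot situation the comments describe.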