SASL PLAIN authentication failed

#1 Tue, 08/14/2007 - 16:39
webinger

SASL PLAIN authentication failed

Hi all,

I have trouble getting SMTP to work using SASL authentication. I read all kinds of threads related to this problem but still can not solve it, it seems.

The Problem:

mail.log

[code:1]
postfix/smtpd[24131]: connect from localhost[127.0.0.1]
postfix/smtpd[24131]: warning: SASL authentication failure: Password verification failed
postfix/smtpd[24131]: warning: localhost[127.0.0.1]: SASL PLAIN authentication failed
lost connection after AUTH from localhost[127.0.0.1]
disconnect from localhost[127.0.0.1]
[/code:1]

telnet

[code:1]
telnet localhost 25
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 xxxxxxxxxxxx.net ESMTP Postfix
EHLO localhost
250-xxxxxxxxxxxx.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME
[/code:1]

My Configs:

smtpd.conf

[code:1]mech_list: PLAIN LOGIN[/code:1]

postconf -n

[code:1]
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME
mailbox_size_limit = 0
mailbox_transport = cyrus
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
mydestination = localhost.$mydomain, localhost, $mydomain, $myhostname
mydomain = XXXXXXXXXXX.net
mydomain_fallback = localhost
myhostname = XXXXXXXXXXX.net
mynetworks_style = host
newaliases_path = /usr/bin/newaliases
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtpd_pw_server_security_options = plain
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
[/code:1]

I am trying to get this to work now for the last 48 hours or so and don't know anymore what to try and where to look.

Tony

EDIT: I should mention that I did read and follow the instructions here: http://www.virtualmin.com/faq/cat/virtualmin/68/#faq89

Post edited by: tony.p, at: 2007/08/14 16:43
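
To take the telnet test in the post above one step further, the AUTH PLAIN response can be built and decoded by hand. This is an added example, not part of the original post; it follows RFC 4616, and the function names and the test/testpass credentials are constructed for illustration.

```python
import base64

def encode_plain(authcid, password, authzid=""):
    """Return the base64 initial response for SASL PLAIN (RFC 4616):
    authzid NUL authcid NUL passwd. authzid is normally left empty."""
    for field in (authzid, authcid, password):
        if "\x00" in field:
            raise ValueError("NUL separates the fields and may not occur inside one")
    if not authcid or not password:
        raise ValueError("authcid and password must be non-empty")
    raw = "\x00".join((authzid, authcid, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def decode_plain(token):
    """Split an AUTH PLAIN response (e.g. from a debug log) into its fields.
    Base64 is an encoding, not encryption: whoever sees the token has the password."""
    raw = base64.b64decode(token, validate=True)
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("expected exactly three NUL-separated fields")
    authzid, authcid, password = (p.decode("utf-8") for p in parts)
    return {"authzid": authzid, "authcid": authcid, "password": password}

def auth_line(authcid, password):
    """The single line to type after EHLO once the server lists '250-AUTH PLAIN'."""
    return "AUTH PLAIN " + encode_plain(authcid, password)

if __name__ == "__main__":
    # Constructed credentials, not taken from the thread.
    print(auth_line("test", "testpass"))
    print(decode_plain("AHRlc3QAdGVzdHBhc3M="))
```

A 235 reply to that line means the credentials were accepted; 535 is the failure code that appears in the logs later in this thread.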

Fri, 08/10/2007 - 18:14
Joe

Man says to his doctor, "Doctor, it hurts when I do this."

The kind old doctor replies, "Don't do that!"

But, if you really do want to do that (the developer of Postfix recommends against it), you have to make the SASL socket file available within the chroot. It depends on your OS, as to where that file normally is...but you have to change the configuration in a few places to make it available within the chroot.

On Debian it'd be something like "/var/spool/postfix/var/run/saslauthd" (actually I think this is the default on Virtualmin systems, since Debian's default Postfix runs in a chroot, and we try to stick to OS package policies as closely as possible, even if we think they're maybe misguided). And this would be configured in /etc/default/saslauthd in the PARAMS variable.

Note that the location and directives used to configure this are different on [em]every[/em] distribution, and sometimes even different between versions of the same distro. saslauthd is a very poorly standardized piece of kit, and everybody sets it up a little bit differently (and many of its locations are compiled in and don't exist in a default installation, so it's not very discoverable either).

--

Check out the forum guidelines!

Tue, 08/14/2007 - 18:18
Joe

Hey Tony,

Looks like you're on Ubuntu or Debian? We actually need to know specifically, even between those two systems, because SASL is different on every single platform [em]and[/em] version! It might be the postfix chroot problem, in either case. You have to jump through a couple of extra hoops to make SASL available within the chroot, which isn't covered in that FAQ (I stopped updating the FAQ because the installer is supposed to set this up automatically on all supported platforms).

BTW-Was this system set up with the Pro install.sh? I seem to recall seeing several bits and pieces from you here that indicate maybe the virtualmin-base package failed to install or its postinstall script failed to run to completion, as it sounds like lots of stuff wasn't configured out-of-the-box for you.


Tue, 08/14/2007 - 18:29 (Reply to #3)
tony.p

Hey Joe,

nope still running on OS X Server! Thought you would know..
sorry for that. And of course I did not use the auto install script or anything. ;)

Cyrus-SASL was in my case already preinstalled by Apple, even though I am missing the saslauthd binary and service, which does not show up in my running process tree!? This is probably bad, right? The only SASL directory I found was in /usr/lib/sasl2

Seems to include pretty much only all the libraries needed to run SASL2.

Tony

Tue, 08/14/2007 - 18:34 (Reply to #4)
Joe

Hey Tony,

Ah! Right. I remember now. We have 600-ish paying customers and 4500 or so registered users here at Virtualmin.com (woohoo!), which means I'm having a hard time keeping up with who's who. But now I recall that we have two Tonys using oddball operating systems (a fellow named Anthony is our resident FreeBSD master, and I believe he also has run it on OS X, but I might be confusing him with you!). It's hard to keep up with what everyone is doing. ;-)

saslauthd is definitely required. They might call it something else...but if no sasl binaries are running, things aren't going to work. That's probably the source of trouble, and where you ought to go next--figure out where it is, or how to get it installed.


Tue, 08/14/2007 - 20:42 (Reply to #5)
tony.p

Well I just installed cyrus-imapd & cyrus-sasl from darwinports/macports but could not find a way to put everything together. So that Webmin and Postfix wouldn't use Cyrus and SASL that comes with the OSX installation.

Is there any way to let Webmin know what CYRUS & SASL install it should use?

Tony

Sat, 03/07/2009 - 14:51 (Reply to #6)
placebo

I am having the same problem on a CentOS 5.2 (just installed).
I have changed the authentication to be: username@domain, I can retrieve emails but no delivery.

Upon delivery the messages as below:

[code:1]
Mar 8 01:45:55 I057 postfix/smtpd[20964]: connect from **************
Mar 8 01:45:57 I057 postfix/smtpd[20964]: warning: **************: SASL LOGIN authentication failed: authentication failure
Mar 8 01:45:57 I057 postfix/smtpd[20964]: lost connection after AUTH from **************
Mar 8 01:45:57 I057 postfix/smtpd[20964]: disconnect from **************
[/code:1]

sasl looks to be configured fine.
[code:1]
telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 h05.host.al ESMTP Postfix
ehlo localhost
250-h05.host.al
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.
[/code:1]

/usr/lib/sasl2/smtpd.conf
[code:1]
pwcheck_method: saslauthd
mech_list: LOGIN PLAIN
[/code:1]

Any idea?

Sat, 03/07/2009 - 14:54 (Reply to #7)
Joe

<div class='quote'>I am having the same problem on a CentOS 5.2 (just installed).
I have changed the authentication to be: username@domain , I can retrieve emails but no delivery.</div>

Not the same problem. But, a very easy solution to be found in the FAQ:

http://www.virtualmin.com/component/option,com_openwiki/Itemid,48/id,fre...


Sat, 03/07/2009 - 15:04 (Reply to #8)
placebo

Perfect,
Thank you Joe!
It worked just fine!

Thu, 06/04/2009 - 00:42 (Reply to #9)
John

SASL LOGIN authentication failed
Hello...the last 3 days I have been trying to figure out why the clients cannot authenticate successfully, with no results. I have attached a log file with all the relevant details.
I am using Postfix 2.5.6-1....
and Cyrus:2.1.22-19....

Please help................
Thanks in advance! [file name=SASL_LOGIN_authentication_failed.txt size=4966]http://www.virtualmin.com/components/com_fireboard/uploaded/files/SASL_L...

Thu, 06/04/2009 - 01:08 (Reply to #10)
Joe

[code:1]
[root@xxxx ~]# more /usr/lib/sasl2/smtpd.conf
pwcheck_method:auxprop
auxprop_plugin:sasldb
mech_list:PLAIN LOGIN
[/code:1]

This is wrong. smtpd.conf should contain:

[code:1]
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
[/code:1]


Thu, 06/04/2009 - 20:52 (Reply to #11)
John

I am still trying to find what I am doing wrong. I have tried everything and still no result. What is the correct command?
1) saslpasswd2 -c -u mydomain.com.xx -a smtpauth test
2) saslpasswd2 -c -u mydomain.com.xx -a smtpd test2

Anyhow, I tested both and I get the same error from both. In addition, I added FLAG=r. See attached log file3 to see the steps that I performed.

Please help!!

Thanks in advance,
John [file name=LOG_FILE3.txt size=27817]http://www.virtualmin.com/components/com_fireboard/uploaded/files/LOG_FI...

Fri, 06/05/2009 - 05:11 (Reply to #12)
andreychek

Hmm, what's listed in your attachment is "FLAGS=r", whereas, I think you'll need:

FLAGS=-r

If you type:

ps auxw | grep saslauthd

What output do you get?
-Eric

Thu, 06/04/2009 - 01:40
John

Many thanks for your quick reply. I have performed the change as you advised but unfortunately with no result. However, I get a new error in the log file, which is: Error: authentication failed: generic failure

I have attached the new log file.

Again thanks a lot for your help.
John [file name=authentication_failed_generic_failure.txt size=5140]http://www.virtualmin.com/components/com_fireboard/uploaded/files/authen...

Thu, 06/04/2009 - 01:42 (Reply to #14)
Joe

You have to have saslauthd running.


Thu, 06/04/2009 - 03:05
John

:) My mistake...I have started it but again I get an error. See attached log file. [file name=log_file.txt size=19276]http://www.virtualmin.com/components/com_fireboard/uploaded/files/log_fi...

Thu, 06/04/2009 - 05:45 (Reply to #16)
andreychek

One of the possible causes of this could be the parameters saslauthd is running with.

If the username has an @ in it, for example, you have to be running saslauthd with -r.

There's some info on that here:

http://www.virtualmin.com/documentation/id,frequently_asked_questions/#w...

Fri, 06/05/2009 - 06:13
John

Hi...I added -r (FLAG =-r) and I restarted saslauthd but unfortunately I am still getting the following error:

SASL PLAIN authentication failed: authentication failure
xxxx postfix/smtpd[29338]: > unknown[A.B.C.D]: 535 5.7.8 Error: authentication failed: authentication failure

I ran the command "ps auxw | grep saslauthd" and the results are in the attached log file. Also you can find the last portion of the maillog.

I cannot understand what I am doing wrong!!!
Thanks for your help.
John [file name=log_file4.txt size=6308]http://www.virtualmin.com/components/com_fireboard/uploaded/files/log_fi...

Fri, 06/05/2009 - 17:59 (Reply to #18)
andreychek

Interesting :-)

I do just want to verify -- is this user able to log in via other means -- say, using IMAP/POP, or perhaps using the Usermin Webmail?

I'm just looking to check that the authentication info for this user is working as expected.
-Eric

Tue, 06/09/2009 - 02:19 (Reply to #19)
John

Hello,

I believe that the user cannot log in via other means. I didn't configure POP yet because I first want SMTP authentication to work successfully. Could you please tell me an alternative method that I can use to test that?

However, I believe that the users that I added with the command 'saslpasswd2' cannot authenticate. Do you have any recommendations or any advice on how to solve this problem?

Thanks a lot for your help! John

Tue, 06/09/2009 - 10:10
John

Hi,

I just tried the above user/password in Squirrelmail and I get the error "ERROR:Unknown user or password incorrect.". So, you are correct, the authentication info for this user is NOT working as expected.

Thanks, John

Tue, 06/09/2009 - 10:33
andreychek

I'm not sure I have a really clear picture of your setup there.

However, a typical Virtualmin setup would have saslauthd, dovecot, and friends authenticate against users found in the /etc/passwd file.

So when adding a user, Virtualmin just adds them to /etc/passwd.

Or you could add a new user from the command line using useradd.

It's certainly possible to use an alternate file to authenticate against, and it sounds like that may be what you're trying to do with saslpasswd2, but you'd have to make sure all the components involved are configured to use that new file.

If you don't care one way or the other, the more straightforward way might be to use system users -- and for those that should only have email access, just set them up with a shell such as /dev/null so that they can't log in via SSH or FTP. -Eric
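
Eric's point that every component must agree on where passwords live can be checked mechanically against the two smtpd.conf variants quoted in this thread. The sketch below is an added example, not code from the thread or from Virtualmin; `check_backend` and its store labels are hypothetical, and it assumes saslauthd is backed by system accounts as in the typical setup described above.

```python
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}  # saslauthd can only verify plaintext passwords

def parse_sasl_conf(text):
    """Parse Cyrus SASL 'key: value' lines; also accepts 'key:value' without a space."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            opts[key.strip().lower()] = value.strip()
    return opts

def check_backend(conf_text, provisioned_with):
    """provisioned_with is 'saslpasswd2' (sasldb file) or 'system' (useradd, Virtualmin).
    Returns (store_consulted, findings)."""
    opts = parse_sasl_conf(conf_text)
    method = opts.get("pwcheck_method", "auxprop")  # auxprop is the Cyrus SASL default
    mechs = set(opts.get("mech_list", "").upper().split())
    findings = []
    if method == "saslauthd":
        # Assumption: saslauthd runs with a system-account backend, as in the thread.
        store = "system"
        extra = sorted(mechs - PLAINTEXT_MECHS)
        if extra:
            findings.append("saslauthd cannot verify: " + " ".join(extra))
    # Simplification: an unset auxprop_plugin is treated as sasldb here.
    elif method == "auxprop" and opts.get("auxprop_plugin", "sasldb") == "sasldb":
        store = "saslpasswd2"
    else:
        store = "other"
    if store != provisioned_with:
        findings.append(f"users were created via {provisioned_with} but smtpd checks {store}")
    return store, findings

# The two smtpd.conf variants quoted in the thread.
AUXPROP_CONF = "pwcheck_method:auxprop\nauxprop_plugin:sasldb\nmech_list:PLAIN LOGIN\n"
SASLAUTHD_CONF = "pwcheck_method: saslauthd\nmech_list: PLAIN LOGIN\n"

if __name__ == "__main__":
    for name, conf in (("auxprop", AUXPROP_CONF), ("saslauthd", SASLAUTHD_CONF)):
        for how in ("saslpasswd2", "system"):
            print(name, how, check_backend(conf, how))
```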