
Getting SMTP AUTH to work with SASL2


Alexander Skwar

Apr 5, 2003, 6:10:18 AM
Hello.

I'm trying to set up postfix 2.0.3 on a Debian Woody server with
pam_mysql and SASL2, following the Postfix-Cyrus-Web-cyradm-HOWTO
(http://tinyurl.com/8vji).

I assume that the pam_mysql and SASL2 parts are working, because I'm
able to log in with Cyrus IMAP.

However, when I try to log in with SMTP AUTH, I get the following error
message in /var/log/mail.warn:

Apr 5 13:05:32 debian postfix/smtpd[31679]: connect from port-212-202-188-167.reverse.qdsl-home.de[212.202.188.167]
Apr 5 13:05:32 debian postfix/smtpd[31679]: warning: SASL authentication failure: cannot connect to saslauthd server: Permission denied
Apr 5 13:05:32 debian postfix/smtpd[31679]: warning: SASL authentication failure: Password verification failed
Apr 5 13:05:32 debian postfix/smtpd[31679]: warning: port-212-202-188-167.reverse.qdsl-home.de[212.202.188.167]: SASL PLAIN authentication failed

The part that is causing me headaches is:

SASL authentication failure: cannot connect to saslauthd server: Permission denied

Which file does postfix try to access?

Versions:

postfix 2.0.3 linked against SASL2
cyrus-sasl 2.1.10
pam_mysql 0.4.7
MySQL 3.23.54a
Debian Woody 3.0r1 plus some updates from testing

-------------------------------------------------- /etc/pam.d/smtp:

auth sufficient pam_mysql.so user=mail passwd=XXX host=localhost db=mail table=accountuser usercolumn=username passwdcolumn=password crypt=1

account required pam_mysql.so user=mail passwd=XXX host=localhost db=mail table=accountuser usercolumn=username passwdcolumn=password crypt=1

-------------------------------------------------- /etc/smtpd.conf:

pwcheck_method: saslauthd

-------------------------------------------------- postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
debug_peer_level = 9
debug_peer_list = 212.202.190.206
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
mailbox_transport = cyrus
mydestination = email-server.info, localhost.localdomain, localhost,
message-center.info, info.gotdns.com, info.dyndns.tv
mydomain = email-server.info
myhostname = email-server.info
mynetworks = 127.0.0.0/8
myorigin = /etc/mailname
program_directory = /usr/lib/postfix
recipient_delimiter = +
sender_canonical_maps = mysql:/etc/postfix/mysql-canonical.cf
setgid_group = postdrop
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_recipient_restrictions = permit_sasl_authenticated,
permit_mynetworks, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous

-------------------------------- Files in /var/spool/postfix/:

root@email-server:/etc/pam.d# cd /var/spool/postfix/
root@email-server:/var/spool/postfix# find . -type f -exec ls -lar {} \;
-rw-rw---- 1 mysql mysql 5 ./var/run/mysqld/mysqld.pid
-rw------- 1 root root 6 ./var/run/saslauthd/mux.pid
-rw------- 1 root root 0 ./var/run/saslauthd/mux.accept
-rw-r--r-- 1 root root 837 ./etc/localtime
-rw-r--r-- 1 root root 16651 ./etc/services
-rw-r--r-- 1 root root 98 ./etc/resolv.conf
-rw-r--r-- 1 root root 309 ./etc/hosts
-rw-r--r-- 1 root root 456 ./etc/nsswitch.conf
-rw-rw-rw- 1 cyrus root 12288 ./etc/sasldb2
-rw-r--r-- 1 root root 646 ./etc/pam.d/other
-rw-r--r-- 1 root root 1014 ./etc/pam.d/smtp
-rw-r--r-- 1 root root 38892 ./lib/libnss_compat-2.3.1.so
-rw-r--r-- 1 root root 12828 ./lib/libnss_dns-2.3.1.so
-rw-r--r-- 1 root root 32204 ./lib/libnss_files-2.3.1.so
-rw-r--r-- 1 root root 13340 ./lib/libnss_hesiod-2.3.1.so
-rw-r--r-- 1 root root 4568 ./lib/libnss_lwres.so.2.0.0
-rw-r--r-- 1 root root 30888 ./lib/libnss_nis-2.3.1.so
-rw-r--r-- 1 root root 36912 ./lib/libnss_nisplus-2.3.1.so
-rw-r--r-- 1 root root 7940 ./lib/security/pam_access.so
-rw-r--r-- 1 root root 12388 ./lib/security/pam_cracklib.so
-rw-r--r-- 1 root root 5608 ./lib/security/pam_debug.so
-rw-r--r-- 1 root root 3364 ./lib/security/pam_deny.so
-rw-r--r-- 1 root root 9976 ./lib/security/pam_env.so
-rw-r--r-- 1 root root 10636 ./lib/security/pam_filter.so
-rw-r--r-- 1 root root 5820 ./lib/security/pam_ftp.so
-rw-r--r-- 1 root root 10240 ./lib/security/pam_group.so
-rw-r--r-- 1 root root 7344 ./lib/security/pam_issue.so
-rw-r--r-- 1 root root 7436 ./lib/security/pam_lastlog.so
-rw-r--r-- 1 root root 11884 ./lib/security/pam_limits.so
-rw-r--r-- 1 root root 8608 ./lib/security/pam_listfile.so
-rw-r--r-- 1 root root 8292 ./lib/security/pam_mail.so
-rw-r--r-- 1 root root 15676 ./lib/security/pam_mkhomedir.so
-rw-r--r-- 1 root root 4184 ./lib/security/pam_motd.so
-rw-r--r-- 1 root root 9772 ./lib/security/pam_mysql.so
-rw-r--r-- 1 root root 5048 ./lib/security/pam_nologin.so
-rw-r--r-- 1 root root 3632 ./lib/security/pam_permit.so
-rw-r--r-- 1 root root 10320 ./lib/security/pam_rhosts_auth.so
-rw-r--r-- 1 root root 3828 ./lib/security/pam_rootok.so
-rw-r--r-- 1 root root 5416 ./lib/security/pam_securetty.so
-rw-r--r-- 1 root root 4516 ./lib/security/pam_shells.so
-rw-r--r-- 1 root root 10252 ./lib/security/pam_stress.so
-rw-r--r-- 1 root root 8752 ./lib/security/pam_tally.so
-rw-r--r-- 1 root root 8936 ./lib/security/pam_time.so
-rw-r--r-- 1 root root 5416 ./lib/security/pam_tmpdir.so
-rw-r--r-- 1 root root 41412 ./lib/security/pam_unix.so
-rw-r--r-- 1 root root 7224 ./lib/security/pam_userdb.so
-rw-r--r-- 1 root root 4448 ./lib/security/pam_warn.so
-rw-r--r-- 1 root root 5424 ./lib/security/pam_wheel.so
-rw-r--r-- 1 root root 752 ./usr/lib/sasl2/libanonymous.la
-rw-r--r-- 1 root root 10668 ./usr/lib/sasl2/libanonymous.so.2.0.10
-rw-r--r-- 1 root root 738 ./usr/lib/sasl2/libcrammd5.la
-rw-r--r-- 1 root root 13240 ./usr/lib/sasl2/libcrammd5.so.2.0.10
-rw-r--r-- 1 root root 761 ./usr/lib/sasl2/libdigestmd5.la
-rw-r--r-- 1 root root 38920 ./usr/lib/sasl2/libdigestmd5.so.2.0.10
-rw-r--r-- 1 root root 732 ./usr/lib/sasl2/liblogin.la
-rw-r--r-- 1 root root 11384 ./usr/lib/sasl2/liblogin.so.2.0.10
-rw-r--r-- 1 root root 784 ./usr/lib/sasl2/libmysql.la
-rw-r--r-- 1 root root 12580 ./usr/lib/sasl2/libmysql.so.2.0.10
-rw-r--r-- 1 root root 726 ./usr/lib/sasl2/libntlm.la
-rw-r--r-- 1 root root 16044 ./usr/lib/sasl2/libntlm.so.2.0.10
-rw-r--r-- 1 root root 726 ./usr/lib/sasl2/libotp.la
-rw-r--r-- 1 root root 38976 ./usr/lib/sasl2/libotp.so.2.0.10
-rw-r--r-- 1 root root 732 ./usr/lib/sasl2/libplain.la
-rw-r--r-- 1 root root 11196 ./usr/lib/sasl2/libplain.so.2.0.10
-rw-r--r-- 1 root root 738 ./usr/lib/sasl2/libsasldb.la
-rw-r--r-- 1 root root 13812 ./usr/lib/sasl2/libsasldb.so.2.0.10
-rw------- 1 root root 17 ./pid/master.pid
-rw------- 1 root root 0 ./pid/unix.cleanup
-rw------- 1 root root 0 ./pid/unix.local
-rw------- 1 root root 0 ./pid/inet.smtp
-rw------- 1 root root 0 ./pid/unix.showq
-rw------- 1 root root 0 ./pid/unix.smtp
-rw------- 1 root root 0 ./pid/unix.cyrus
-rw------- 1 root root 0 ./pid/unix.bounce
-rw------- 1 root root 0 ./pid/unix.relay
-rw------- 1 root root 0 ./pid/inet.smtps

-----------------------------------------------------------------------------

What additional information is needed, so that someone might be able
to help me?

Thanks a lot,

Alexander Skwar
--
/* So there I am, in the middle of my `netfilter-is-wonderful'
talk in Sydney, and someone asks `What happens if you try
to enlarge a 64k packet here?'. I think I said something
eloquent like `fuck'. */
2.4.3 linux/net/ipv4/netfilter/ip_nat_ftp.c

Markus Schabel

Apr 5, 2003, 6:38:13 AM
Alexander Skwar wrote:
> Hello.
>
> I'm trying to setup postfix 2.0.3 on a Debian Woody server with
> pam_mysql and SASL2, following the Postfix-Cyrus-Web-cyradm-HOWTO
> (http://tinyurl.com/8vji).
>
> I assume that the pam_mysql and SASL2 parts are working, because I'm
> able to login with Cyrus IMAP.
>
> However, when I try to login with SMTP AUTH, I get the following error
> message in /var/log/mail.warn:
>
> Apr 5 13:05:32 debian postfix/smtpd[31679]: connect from
> port-212-202-188-167.reverse.qdsl-home.de[212.202.188.167]
> Apr 5 13:05:32 debian postfix/smtpd[31679]: warning: SASL
> authentication failure: cannot connect to saslauthd server: Permission
> denied
> Apr 5 13:05:32 debian postfix/smtpd[31679]: warning: SASL
> authentication failure: Password verification failed
> Apr 5 13:05:32 debian postfix/smtpd[31679]: warning:
> port-212-202-188-167.reverse.qdsl-home.de[212.202.188.167]: SASL PLAIN
> authentication failed
>
> The part that is causing me headaches, is:
>
> SASL authentication failure: cannot connect to saslauthd server:
> Permission denied
>
> Which file does postfix try to access?

There are some possibilities: If you run smtpd in chroot
(debian-default) you should first try to get SASL-AUTH working without
chroot. I think postfix tries to access the file "mux" which is
generated by saslauthd at start time. I cannot say where the file is
located, but it should be determinable by a look at the saslauthd-init
script. If you run postfix in chroot you have to link (AFAICT it only
works with *hard*-links) the file into your chroot - which obviously
doesn't work if your postfix-chroot is on another partition. Telling
saslauthd to generate the file directly in the chroot will break cyrus
IMHO.

<snip/>

regards
--
\\\ ||| /// _\=/_
( @ @ ) (o o)
+--------oOOo-(_)-oOOo--------------------------oOOo-(_)-oOOo------+
| Markus Schabel TGM - Die Schule der Technik www.tgm.ac.at |
| IT-Service A-1200 Wien, Wexstrasse 19-23 net.tgm.ac.at |
| markus....@tgm.ac.at Tel.: +43(1)33126/316 |
| markus....@members.fsf.org Fax.: +43(1)33126/154 |
| FSF Associate Member #597, Linux User #259595 (counter.li.org) |
| oOOo Yet Another Spam Trap: oOOo |
| ( ) oOOo ya...@tgm.ac.at ( ) oOOo |
+--------\ (----( )--------------------------\ ( -----( )-----+
\_) ) / \_) ) /
(_/ (_/

Computers are like airconditioners:
They stop working properly if you open windows.

Alexander Skwar

Apr 5, 2003, 8:26:56 AM
Markus Schabel wrote:

> There are some possibilities: If you run smtpd in chroot
> (debian-default) you should first try to get SASL-AUTH working without
> chroot. I think postfix tries to access the file "mux" which is

Yep, that's correct. The mux file is located in /var/run/saslauthd/.
I've moved this directory to /var/spool/postfix/var/run, so that it is
in the chroot. Next I modified the startup script to put the file in
this directory and replaced the directory /var/run/saslauthd/ with a
link to /var/spool/postfix/var/run/saslauthd/, so that cyrus still
works. And as far as I can tell, cyrus does indeed still work, because
I'm able to login to Cyrus IMAPd which uses SASL.

root@email-server:/etc/postfix# ls -la /var/run/saslauthd /var/spool/postfix/var/run/saslauthd/
lrwxrwxrwx 1 root sasl 36 2003-04-04 18:49 /var/run/saslauthd -> /var/spool/postfix/var/run/saslauthd

/var/spool/postfix/var/run/saslauthd/:
insgesamt 12
drwx--x--- 2 cyrus mail 4096 2003-04-04 18:50 .
drwxr-xr-x 4 root root 4096 2003-04-04 18:49 ..
srwxrwxrwx 1 root root 0 2003-04-04 18:50 mux
-rw------- 1 root root 0 2003-04-02 23:27 mux.accept
-rw------- 1 root root 6 2003-04-04 18:50 mux.pid

Alexander Skwar
--
#ifdef STUPIDLY_TRUST_BROKEN_PCMD_ENA_BIT
2.4.0-test2 /usr/src/linux/drivers/ide/cmd640.c

Waldemar Brodkorb

Apr 5, 2003, 9:11:28 AM
Hi Alexander,
Alexander Skwar wrote,

> Hello.
>
> I'm trying to setup postfix 2.0.3 on a Debian Woody server with
> pam_mysql and SASL2, following the Postfix-Cyrus-Web-cyradm-HOWTO
> (http://tinyurl.com/8vji).
>
> I assume that the pam_mysql and SASL2 parts are working, because I'm
> able to login with Cyrus IMAP.
>
> However, when I try to login with SMTP AUTH, I get the following error
> message in /var/log/mail.warn:
>
> Apr 5 13:05:32 debian postfix/smtpd[31679]: connect from
> port-212-202-188-167.reverse.qdsl-home.de[212.202.188.167]
> Apr 5 13:05:32 debian postfix/smtpd[31679]: warning: SASL
> authentication failure: cannot connect to saslauthd server: Permission
> denied
> Apr 5 13:05:32 debian postfix/smtpd[31679]: warning: SASL
> authentication failure: Password verification failed
> Apr 5 13:05:32 debian postfix/smtpd[31679]: warning:
> port-212-202-188-167.reverse.qdsl-home.de[212.202.188.167]: SASL PLAIN
> authentication failed
>
> The part that is causing me headaches, is:
>
> SASL authentication failure: cannot connect to saslauthd server:
> Permission denied
>
> Which file does postfix try to access?

If smtpd is chrooted it will search in /var/spool/postfix.
It depends on your SASL version and how you have compiled it.
In my configuration (woody, with backports) this is working:
# ls -la /var/spool/postfix/var/run/saslauthd/
insgesamt 12
drwxr-xr-x 2 root root 4096 26. Mär 21:26 .
drwxr-xr-x 3 root root 4096 11. Okt 14:12 ..
srwxrwxrwx 1 root root 0 26. Mär 21:26 mux
-rw------- 1 root root 6 26. Mär 21:26 mux.pid

Are you sure there is only one SASL version installed?
Debian Woody normally has libsasl1 installed, too.

> -------------------------------- Dateien in /var/spool/postfix/:
>
> root@email-server:/etc/pam.d# cd /var/spool/postfix/
> root@email-server:/var/spool/postfix# find . -type f -exec ls -lar {} \;

I don't need all the pam and sasl2 stuff in my chroot.
saslauthd uses pam, pam uses mysql as backend for authentication
data. And postfix communicates via a socket with saslauthd.

> Which additional information are needed, so that someone might be able
> to help me?

strace log of smtpd pid would help a little bit.
And ls -la /usr/lib/sasl*
dpkg -l|grep sasl

I read your second mail, but it's not clear, if you solved
it by now, so I decided to write this mail.

bye
Waldemar

--
8485 D0CE 2743 656E 867C 5C93 0317 AFD8 BE21 BD90

Alexander Skwar

Apr 5, 2003, 9:44:56 AM
Waldemar Brodkorb wrote:
> Hi Alexander,

Hallo Waldemar!

> If smtpd is chrooted it will search in /var/spool/postfix.
> It depends on your SASL version and how you have compiled it.
> In my configuration (woody, with backports) this is working:

Same here - woody with backports plus postfix manually compiled and
linked against SASL2.

> # ls -la /var/spool/postfix/var/run/saslauthd/
> insgesamt 12
> drwxr-xr-x 2 root root 4096 26. Mär 21:26 .

Yep, and that's why it's working! Your directory was set to allow
read/exec permission for me.

For some reason, my directory has:

drwx--x--- 2 cyrus mail 4096 2003-04-05 15:59 /var/spool/postfix/var/run/saslauthd/

Because of this, I had to make the postfix mail_owner a member of the
mail group. After having done so, it worked!

> I don't need all the pam and sasl2 stuff in my chroot.

As I figured out, neither do I ;)

> I read your second mail, but it's not clear, if you solved
> it by now, so I decided to write this mail.

Yep, problem solved. I'll post a summary about how I got it to work
shortly.


Alexander Skwar
--
/*
* Hash table gook..
*/
2.4.0-test2 /usr/src/linux/fs/buffer.c
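
The permission check that resolved this thread, as an added example that is not part of any post: it walks the path to the saslauthd socket the way a chrooted smtpd would and reports the first directory or socket whose mode bits refuse a given account. The function names and the command-line form are assumptions made for this illustration.

```python
import os, posixpath, pwd, stat, sys

def allowed(mode, owner_uid, owner_gid, uid, gids, want):
    """Unix permission check: select owner, group or other bits, then require `want`."""
    if uid == 0:                      # root bypasses directory and socket checks
        return True
    if uid == owner_uid:
        bits = (mode >> 6) & 7
    elif owner_gid in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bits & want == want

def first_denial(path, uid, gids, chroot="/"):
    """Walk `path` as a process chrooted to `chroot` would: search (x) on every
    directory, read+write on the final socket. Returns (component, mode string)
    for the first refusal, or None. Symlinks are followed by the host, not
    re-rooted, so pass the real path when the chroot contains absolute links."""
    names = [n for n in path.split("/") if n]
    seen = "/"
    for i in range(len(names) + 1):
        st = os.stat(os.path.join(chroot, seen.lstrip("/")))
        last = i == len(names)
        want = 0o6 if last else 0o1   # connect() needs rw on the socket itself
        if not allowed(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, uid, gids, want):
            return seen, stat.filemode(st.st_mode)
        if not last:
            seen = posixpath.join(seen, names[i])
    return None

if __name__ == "__main__" and len(sys.argv) >= 3:
    # Hypothetical usage: script SOCKET_PATH USER [CHROOT]
    pw = pwd.getpwnam(sys.argv[2])
    gids = set(os.getgrouplist(pw.pw_name, pw.pw_gid))
    chroot = sys.argv[3] if len(sys.argv) > 3 else "/"
    hit = first_denial(sys.argv[1], pw.pw_uid, gids, chroot)
    print("ok" if hit is None else "denied at %s (%s)" % hit)
```

In both listings in the thread the `mux` socket is `srwxrwxrwx`, so the mode of the `saslauthd` directory is the only thing limiting which local accounts can reach saslauthd.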
