Postfix + SASL authentication

fbronko

New Member
Good morning,

I have what I think is a small problem on a server here. I set it up following a tutorial and have now discovered, by pure chance, that I can also send mail via SMTP (SASL authentication via pam against local users) even though I entered a wrong password ... With an empty password, however, it refuses.

My configuration:
- Debian
- Postfix for SMTP (chroot)
- Courier for POP3/IMAP

Which files are checked during an authentication?
When I test with

Code:
testsaslauthd -f /var/run/saslauthd/mux -u USER -p PASSWORT
testsaslauthd -f /var/spool/postfix/var/run/saslauthd/mux -u USER -p PASSWORT

everything looks OK (i.e. if I enter a wrong password I get an error message, and only with the correct password do I get an OK)

saslfinger log
Code:
The saslfinger log:

saslfinger - postfix Cyrus sasl configuration Tue Dec 31 11:46:36 CET 2013
version: 1.0.4
mode: server-side SMTP AUTH

-- basics --
Postfix: 2.7.1
System: Debian GNU/Linux 6.0 \n \l

-- smtpd is linked to --
	libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x00007f1d5d5b7000)

-- active SMTP AUTH and TLS parameters for smtpd --
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = 
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes


-- listing of /usr/lib64/sasl2 --
total 808
drwxr-xr-x  2 root root  4096 Mar 24  2012 .
drwxr-xr-x 59 root root 20480 Jul  3 15:20 ..
-rw-r--r--  1 root root 18956 Dec 18  2010 libanonymous.a
-rw-r--r--  1 root root  1003 Dec 18  2010 libanonymous.la
-rw-r--r--  1 root root 16200 Dec 18  2010 libanonymous.so
-rw-r--r--  1 root root 16200 Dec 18  2010 libanonymous.so.2
-rw-r--r--  1 root root 16200 Dec 18  2010 libanonymous.so.2.0.23
-rw-r--r--  1 root root 22082 Dec 18  2010 libcrammd5.a
-rw-r--r--  1 root root   989 Dec 18  2010 libcrammd5.la
-rw-r--r--  1 root root 19336 Dec 18  2010 libcrammd5.so
-rw-r--r--  1 root root 19336 Dec 18  2010 libcrammd5.so.2
-rw-r--r--  1 root root 19336 Dec 18  2010 libcrammd5.so.2.0.23
-rw-r--r--  1 root root 60432 Dec 18  2010 libdigestmd5.a
-rw-r--r--  1 root root  1012 Dec 18  2010 libdigestmd5.la
-rw-r--r--  1 root root 48656 Dec 18  2010 libdigestmd5.so
-rw-r--r--  1 root root 48656 Dec 18  2010 libdigestmd5.so.2
-rw-r--r--  1 root root 48656 Dec 18  2010 libdigestmd5.so.2.0.23
-rw-r--r--  1 root root 19318 Dec 18  2010 liblogin.a
-rw-r--r--  1 root root   983 Dec 18  2010 liblogin.la
-rw-r--r--  1 root root 16896 Dec 18  2010 liblogin.so
-rw-r--r--  1 root root 16896 Dec 18  2010 liblogin.so.2
-rw-r--r--  1 root root 16896 Dec 18  2010 liblogin.so.2.0.23
-rw-r--r--  1 root root 38676 Dec 18  2010 libntlm.a
-rw-r--r--  1 root root   977 Dec 18  2010 libntlm.la
-rw-r--r--  1 root root 32672 Dec 18  2010 libntlm.so
-rw-r--r--  1 root root 32672 Dec 18  2010 libntlm.so.2
-rw-r--r--  1 root root 32672 Dec 18  2010 libntlm.so.2.0.23
-rw-r--r--  1 root root 19318 Dec 18  2010 libplain.a
-rw-r--r--  1 root root   983 Dec 18  2010 libplain.la
-rw-r--r--  1 root root 16800 Dec 18  2010 libplain.so
-rw-r--r--  1 root root 16800 Dec 18  2010 libplain.so.2
-rw-r--r--  1 root root 16800 Dec 18  2010 libplain.so.2.0.23
-rw-r--r--  1 root root 29212 Dec 18  2010 libsasldb.a
-rw-r--r--  1 root root  1014 Dec 18  2010 libsasldb.la
-rw-r--r--  1 root root 22056 Dec 18  2010 libsasldb.so
-rw-r--r--  1 root root 22056 Dec 18  2010 libsasldb.so.2
-rw-r--r--  1 root root 22056 Dec 18  2010 libsasldb.so.2.0.23

-- listing of /usr/lib/sasl2 --
total 808
drwxr-xr-x  2 root root  4096 Mar 24  2012 .
drwxr-xr-x 59 root root 20480 Jul  3 15:20 ..
-rw-r--r--  1 root root 18956 Dec 18  2010 libanonymous.a
-rw-r--r--  1 root root  1003 Dec 18  2010 libanonymous.la
-rw-r--r--  1 root root 16200 Dec 18  2010 libanonymous.so
-rw-r--r--  1 root root 16200 Dec 18  2010 libanonymous.so.2
-rw-r--r--  1 root root 16200 Dec 18  2010 libanonymous.so.2.0.23
-rw-r--r--  1 root root 22082 Dec 18  2010 libcrammd5.a
-rw-r--r--  1 root root   989 Dec 18  2010 libcrammd5.la
-rw-r--r--  1 root root 19336 Dec 18  2010 libcrammd5.so
-rw-r--r--  1 root root 19336 Dec 18  2010 libcrammd5.so.2
-rw-r--r--  1 root root 19336 Dec 18  2010 libcrammd5.so.2.0.23
-rw-r--r--  1 root root 60432 Dec 18  2010 libdigestmd5.a
-rw-r--r--  1 root root  1012 Dec 18  2010 libdigestmd5.la
-rw-r--r--  1 root root 48656 Dec 18  2010 libdigestmd5.so
-rw-r--r--  1 root root 48656 Dec 18  2010 libdigestmd5.so.2
-rw-r--r--  1 root root 48656 Dec 18  2010 libdigestmd5.so.2.0.23
-rw-r--r--  1 root root 19318 Dec 18  2010 liblogin.a
-rw-r--r--  1 root root   983 Dec 18  2010 liblogin.la
-rw-r--r--  1 root root 16896 Dec 18  2010 liblogin.so
-rw-r--r--  1 root root 16896 Dec 18  2010 liblogin.so.2
-rw-r--r--  1 root root 16896 Dec 18  2010 liblogin.so.2.0.23
-rw-r--r--  1 root root 38676 Dec 18  2010 libntlm.a
-rw-r--r--  1 root root   977 Dec 18  2010 libntlm.la
-rw-r--r--  1 root root 32672 Dec 18  2010 libntlm.so
-rw-r--r--  1 root root 32672 Dec 18  2010 libntlm.so.2
-rw-r--r--  1 root root 32672 Dec 18  2010 libntlm.so.2.0.23
-rw-r--r--  1 root root 19318 Dec 18  2010 libplain.a
-rw-r--r--  1 root root   983 Dec 18  2010 libplain.la
-rw-r--r--  1 root root 16800 Dec 18  2010 libplain.so
-rw-r--r--  1 root root 16800 Dec 18  2010 libplain.so.2
-rw-r--r--  1 root root 16800 Dec 18  2010 libplain.so.2.0.23
-rw-r--r--  1 root root 29212 Dec 18  2010 libsasldb.a
-rw-r--r--  1 root root  1014 Dec 18  2010 libsasldb.la
-rw-r--r--  1 root root 22056 Dec 18  2010 libsasldb.so
-rw-r--r--  1 root root 22056 Dec 18  2010 libsasldb.so.2
-rw-r--r--  1 root root 22056 Dec 18  2010 libsasldb.so.2.0.23

-- listing of /etc/postfix/sasl --
total 12
drwxr-xr-x 2 root root 4096 Nov  9  2012 .
drwxr-xr-x 4 root root 4096 Nov 19 10:04 ..
-rw-r--r-- 1 root root  110 Mar 25  2012 smtpd.conf


-- content of /etc/postfix/sasl/smtpd.conf --
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
saslauthd_path: /var/run/saslauthd/mux
autotransition: true


-- content of /etc/postfix/sasl/smtpd.conf --
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
saslauthd_path: /var/run/saslauthd/mux
autotransition: true



-- active services in /etc/postfix/master.cf --
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
smtp      inet  n       -       -       -       -       smtpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
	-o smtp_fallback_relay=
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix	-	n	n	-	2	pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

-- mechanisms on localhost --
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN


-- end of saslfinger output --

It would be nice if someone could give me a few tips so that I can fix this. I certainly don't want other people slipping mails through under my name ;)

Thanks in advance!

Frank
 
Log excerpts (from when a mail was sent with a wrong password) and your Postfix config would be helpful.
 
Postfix Config
Code:
smtpd_banner = $myhostname ESMTP
biff = no

append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

myhostname = mail.meinedomain.de
mydomain = meinedomain.de
mydestination = $myhostname, $mydomain, localhost, localhost.$mydomain

mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

mail_owner = postfix
mailbox_size_limit = 102400000
message_size_limit = 102400000

alias_maps = hash:/etc/aliases

virtual_alias_domains = hash:/etc/postfix/virtual_alias_domains
virtual_alias_maps = hash:/etc/postfix/virtual_alias_maps
sender_canonical_maps = hash:/etc/postfix/sender_canonical
recipient_canonical_maps = hash:/etc/postfix/recipient_canonical
sender_bcc_maps = hash:/etc/postfix/sender_bcc_maps

virtual_uid_maps = static:5000
virtual_gid_maps = static:5000

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_local_domain =
smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        reject_invalid_hostname,
        reject_non_fqdn_hostname,
       # reject_rbl_client list.dsbl.org,
        reject_rbl_client sbl-xbl.spamhaus.org,
        reject_rbl_client dnsbl.njabl.org
        reject_rbl_client ix.dnsbl.manitu.net
        reject_unlisted_recipient
        check_policy_service inet:127.0.0.1:10023

home_mailbox = Maildir/

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

smtpd_tls_auth_only = no
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

anvil_rate_time_unit = 3600s
smtpd_client_message_rate_limit = 300
smtpd_client_recipient_rate_limit = 300

Log file when a user sends mail with a definitely wrong password
Code:
Dec 30 16:22:19 pluto postfix/smtpd[25867]: connect from p5B14D124.dip0.t-ipconnect.de[91.20.209.xx]
Dec 30 16:22:20 pluto postfix/smtpd[25867]: 14258360A649: client=p5B14D124.dip0.t-ipconnect.de[91.20.209.xx], sasl_method=LOGIN, sasl_username=web1m1
Dec 30 16:22:20 pluto postfix/cleanup[25923]: 14258360A649: message-id=<PM-HC.20131230162215.C8FB2.2.D@mail.meinedomain.de>
Dec 30 16:22:20 pluto postfix/qmgr[30641]: 14258360A649: from=<test@meinedomain.de>, size=526, nrcpt=1 (queue active)
Dec 30 16:22:20 pluto postfix/smtpd[25867]: disconnect from p5B14D124.dip0.t-ipconnect.de[91.20.209.xx]
Dec 30 16:22:29 pluto postfix/qmgr[30641]: 14258360A649: removed

Log file when the password is empty
Code:
Dec 30 16:21:18 pluto postfix/smtpd[25867]: connect from p5B14D124.dip0.t-ipconnect.de[91.20.209.xx]
Dec 30 16:21:18 pluto postfix/smtpd[25867]: warning: p5B14D124.dip0.t-ipconnect.de[91.20.209.xx]: SASL LOGIN authentication failed: authentication failure
Dec 30 16:21:18 pluto postfix/smtpd[25867]: disconnect from p5B14D124.dip0.t-ipconnect.de[91.20.209.xx]

Thanks for your help!

Frank

PS: I wish you a happy and healthy new year ;-)
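As an added example (not code from this thread), the smtpd log lines above can be parsed to compare accepted SASL logins against authentication failures per client: after a deliberate wrong-password test like the one in this post, the accepted list for that client should stay empty, so any `sasl_username=` entry there is the evidence that smtpd treated a bad credential as valid. The sample lines are constructed from the two excerpts in this post (hostname, masked IP and queue id copied from them).

```python
import re
from collections import defaultdict

# Constructed sample: the six smtpd lines from the two log excerpts in this post,
# empty-password attempt first, wrong-password attempt second.
SAMPLE_LOG = """\
Dec 30 16:21:18 pluto postfix/smtpd[25867]: connect from p5B14D124.dip0.t-ipconnect.de[91.20.209.xx]
Dec 30 16:21:18 pluto postfix/smtpd[25867]: warning: p5B14D124.dip0.t-ipconnect.de[91.20.209.xx]: SASL LOGIN authentication failed: authentication failure
Dec 30 16:21:18 pluto postfix/smtpd[25867]: disconnect from p5B14D124.dip0.t-ipconnect.de[91.20.209.xx]
Dec 30 16:22:19 pluto postfix/smtpd[25867]: connect from p5B14D124.dip0.t-ipconnect.de[91.20.209.xx]
Dec 30 16:22:20 pluto postfix/smtpd[25867]: 14258360A649: client=p5B14D124.dip0.t-ipconnect.de[91.20.209.xx], sasl_method=LOGIN, sasl_username=web1m1
Dec 30 16:22:20 pluto postfix/smtpd[25867]: disconnect from p5B14D124.dip0.t-ipconnect.de[91.20.209.xx]
"""

# smtpd logs an accepted SASL login on the "client=" line that opens a new queue id ...
ACCEPTED = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): client=(?P<host>\S+)\[(?P<ip>[^\]]+)\], "
    r"sasl_method=(?P<method>\S+), sasl_username=(?P<user>\S+)")
# ... and a rejected one as a warning naming the mechanism and the reason.
FAILED = re.compile(
    r"postfix/smtpd\[\d+\]: warning: (?P<host>\S+)\[(?P<ip>[^\]]+)\]: "
    r"SASL (?P<method>\S+) authentication failed: (?P<reason>.*)")


def summarize_sasl(log_text):
    """Group SASL outcomes per client IP: accepted (user, method, queue id), failed (method, reason)."""
    stats = defaultdict(lambda: {"accepted": [], "failed": []})
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if m:
            stats[m["ip"]]["accepted"].append((m["user"], m["method"], m["qid"]))
            continue
        m = FAILED.search(line)
        if m:
            stats[m["ip"]]["failed"].append((m["method"], m["reason"]))
    return dict(stats)


def accepted_logins(log_text, ip):
    """Accepted SASL logins for one client; must be empty after a deliberate wrong-password test."""
    return summarize_sasl(log_text).get(ip, {}).get("accepted", [])


if __name__ == "__main__":
    for ip, outcome in summarize_sasl(SAMPLE_LOG).items():
        print(ip, "accepted:", outcome["accepted"], "failed:", outcome["failed"])
```

Run against the real mail.log instead of SAMPLE_LOG, the same summary also shows whether the saslauthd reachable from the chroot is the one actually answering, because a misrouted check surfaces as accepted logins that testsaslauthd would have refused.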
 
Can anyone tell me whether this is a SASL problem or rather something to do with PAM?

If I wanted to switch from PAM to sasldb, the only problem I would have is that sasldb stores the data together with the domain (if I have interpreted that correctly), i.e. name@meinedomain.de instead of web1m1 as before. Are there workarounds for that?

Thanks!


Frank
 