SASL: no secret in database

schnitter44

New Member
Hi there.

I'm currently setting up a mail server. I already had it roughly the way I wanted once, but not quite. So I made a backup of all the (in my opinion) important files, reinstalled the server, copied my old config files back over - and lo and behold, nothing works :)

At the moment I'm working with Postfix, Dovecot (only out of desperation; until now I've actually always used Courier), SASL, Procmail.

First of all: is this even ideal for me? I see a lot of people using MySQL instead of SASL. Later I'd also like to use a webmailer and have already read up superficially on the configuration of Roundcube, which also uses MySQL. Wouldn't it be better to use MySQL as well then?


And now to the actual problem: fetching mail via IMAP (STARTTLS + CRAM-MD5) works, and receiving mail works too.
Sending mail via SMTP, however, doesn't work at all.
First, here are the relevant configuration files:

/etc/postfix/master.cf:
Code:
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd -v
#submission inet n       -       -       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       -       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       -       -       -       qmqpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       -       300     1       oqmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       -       -       -       smtp
	-o smtp_fallback_relay=
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix	-	n	n	-	2	pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
(So I'm currently not running smtpd in a chroot)

/etc/postfix/main.cf:
Code:
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
append_dot_mydomain = no
readme_directory = /usr/share/doc/postfix

mydomain = domain.de


# Enable TLS
smtpd_use_tls=yes

smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
myhostname = domain.de
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = domain.de, localhost, 127.0.0.1
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
html_directory = /usr/share/doc/postfix/html
inet_protocols = ipv4

# Auth via SASL
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
# Only let users who are in the SASL DB send mail, only allow MD5 passwords
smtp_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_secutiry_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd


smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_sasl_local_domain = domain.de
smtpd_sasl_security_options = noanonymous


smtp_tls_auth_only = yes

# Enable TLS
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes


smtpd_tls_key_file = /etc/postfix/cert/smtpd.key
smtpd_tls_cert_file = /etc/postfix/cert/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/cert/cacert.pem


smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

# Deliver mail to Maildirs
home_mailbox = Maildir/

# File name of the virtual alias map mapping e-mail addresses to local mailboxes
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_alias_domains = /etc/postfix/virtual_domains


mailbox_command = procmail -a "$EXTENSION"

/etc/postfix/smtpd.conf:
Code:
pwcheck_method: saslauthd
mech_list: cram-md5 plain login
saslauthd_path: /var/spool/postfix/var/run/saslauthd/mux
log_level: 3

/etc/default/saslauthd: (pretty much the default file)
Code:
#
# Settings for saslauthd daemon
# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
#

# Should saslauthd run automatically on startup? (default: no)
START=yes

# Description of this saslauthd instance. Recommended.
# (suggestion: SASL Authentication Daemon)
DESC="SASL Authentication Daemon"

# Short name of this saslauthd instance. Strongly recommended.
# (suggestion: saslauthd)
NAME="saslauthd"

# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent  -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam       -- use PAM
# rimap     -- use a remote IMAP server
# shadow    -- use the local shadow password file
# sasldb    -- use the local sasldb database file
# ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="pam"

# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""

# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5

# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!
#
# WARNING: DO NOT SPECIFY THE -d OPTION.
# The -d option will cause saslauthd to run in the foreground instead of as
# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
# to run saslauthd in debug mode, please run it by hand to be safe.
#
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
# See the saslauthd man page and the output of 'saslauthd -h' for general
# information about these options.
#
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"

I'd also have the Courier files, but I guess those aren't important at the moment.

So, now to the error message:
tail -20 /var/log/mail.log:
Code:
Feb 14 10:18:01 delorean postfix/smtpd[26071]: > dslb-088-067-094-022.pools.arcor-ip.net[88.67.94.22]: 250-AUTH=PLAIN LOGIN CRAM-MD5
Feb 14 10:18:01 delorean postfix/smtpd[26071]: > dslb-088-067-094-022.pools.arcor-ip.net[88.67.94.22]: 250-ENHANCEDSTATUSCODES
Feb 14 10:18:01 delorean postfix/smtpd[26071]: > dslb-088-067-094-022.pools.arcor-ip.net[88.67.94.22]: 250-8BITMIME
Feb 14 10:18:01 delorean postfix/smtpd[26071]: > dslb-088-067-094-022.pools.arcor-ip.net[88.67.94.22]: 250 DSN
Feb 14 10:18:03 delorean postfix/smtpd[26071]: < dslb-088-067-094-022.pools.arcor-ip.net[88.67.94.22]: AUTH CRAM-MD5
Feb 14 10:18:03 delorean postfix/smtpd[26071]: xsasl_cyrus_server_first: sasl_method CRAM-MD5
Feb 14 10:18:03 delorean postfix/smtpd[26071]: xsasl_cyrus_server_auth_response: uncoded server challenge: <4028066207.3814698@domain.de>
Feb 14 10:18:03 delorean postfix/smtpd[26071]: > dslb-088-067-094-022.pools.arcor-ip.net[88.67.94.22]: 334 PDQwMjgwNjYyMDcuMzgxNDY5OEBiYWVkZXJzb25saW5lLmRlPg==
Feb 14 10:18:04 delorean postfix/smtpd[26071]: < dslb-088-067-094-022.pools.arcor-ip.net[88.67.94.22]: YWJjIDU5NjI5MjIxOTAxZWVjMTNjYjQ4MGVmOWQ3NWRmZDc2
Feb 14 10:18:04 delorean postfix/smtpd[26071]: xsasl_cyrus_server_next: decoded response: abc 59629221901eec13cb480ef9d75dfd76
Feb 14 10:18:04 delorean postfix/smtpd[26071]: warning: SASL authentication failure: no secret in database
Feb 14 10:18:04 delorean postfix/smtpd[26071]: warning: dslb-088-067-094-022.pools.arcor-ip.net[88.67.94.22]: SASL CRAM-MD5 authentication failed: authentication failure
Feb 14 10:18:04 delorean postfix/smtpd[26071]: > dslb-088-067-094-022.pools.arcor-ip.net[88.67.94.22]: 535 5.7.8 Error: authentication failed: authentication failure
Feb 14 10:18:05 delorean postfix/smtpd[26071]: < dslb-088-067-094-022.pools.arcor-ip.net[88.67.94.22]: QUIT
Feb 14 10:18:05 delorean postfix/smtpd[26071]: > dslb-088-067-094-022.pools.arcor-ip.net[88.67.94.22]: 221 2.0.0 Bye
Feb 14 10:18:05 delorean postfix/smtpd[26071]: match_hostname: dslb-088-067-094-022.pools.arcor-ip.net ~? 127.0.0.0/8
Feb 14 10:18:05 delorean postfix/smtpd[26071]: match_hostaddr: 88.67.94.22 ~? 127.0.0.0/8
Feb 14 10:18:05 delorean postfix/smtpd[26071]: match_hostname: dslb-088-067-094-022.pools.arcor-ip.net ~? [::ffff:127.0.0.0]/104
Feb 14 10:18:05 delorean postfix/smtpd[26071]: match_hostaddr: 88.67.94.22 ~? [::ffff:127.0.0.0]/104
Feb 14 10:18:05 delorean postfix/smtpd[26071]: match_hostname: dslb-088-067-094-022.pools.arcor-ip.net ~? [::1]/128
Feb 14 10:18:05 delorean postfix/smtpd[26071]: match_hostaddr: 88.67.94.22 ~? [::1]/128
Feb 14 10:18:05 delorean postfix/smtpd[26071]: match_list_match: dslb-088-067-094-022.pools.arcor-ip.net: no match
Feb 14 10:18:05 delorean postfix/smtpd[26071]: match_list_match: 88.67.94.22: no match
Feb 14 10:18:05 delorean postfix/smtpd[26071]: send attr request = disconnect
Feb 14 10:18:05 delorean postfix/smtpd[26071]: send attr ident = smtp:88.67.94.22
Feb 14 10:18:05 delorean postfix/smtpd[26071]: private/anvil: wanted attribute: status
Feb 14 10:18:05 delorean postfix/smtpd[26071]: input attribute name: status
Feb 14 10:18:05 delorean postfix/smtpd[26071]: input attribute value: 0
Feb 14 10:18:05 delorean postfix/smtpd[26071]: private/anvil: wanted attribute: (list terminator)
Feb 14 10:18:05 delorean postfix/smtpd[26071]: input attribute name: (end)
The only really important thing here is probably the "no secret found in database".
That can't really be, though: my user is currently "abc" with the password "abc", so I definitely didn't mistype anything ;)
I've also tried several times simply running saslpasswd2 abc again, but that changes nothing.

"saslfinger -c" and "saslfinger -s" don't output anything unusual either.

I've also dug through the whole internet with these keywords and found nothing useful. I hope some pro can do something with the info here, because I'm at my wits' end and slowly getting pretty annoyed by it.


Thanks in advance ;)
 
Wouldn't have thought that would make a difference, but now it works :)
With Dovecot you really have to pay close attention that you've set a log_path, otherwise you don't notice the errors at all.

So, a very happy thank-you from me as well.
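
Added example (not part of the original posts): a decoder for the CRAM-MD5 exchange as it appears in an `smtpd -v` log like the one in the first post. It shows that the server can only check the reply by recomputing HMAC-MD5 with the stored secret itself, the lookup that Cyrus SASL reports as "no secret in database" when it finds nothing. The sample log is constructed and uses the RFC 2195 test vector; `parse_exchange` and `verify` are hypothetical helper names.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample in the same "smtpd -v" log format as the post. Challenge,
# user and secret are the RFC 2195 test vector, not values from the post.
SAMPLE_LOG = """\
Feb 14 10:18:03 mx postfix/smtpd[1]: < client[192.0.2.10]: AUTH CRAM-MD5
Feb 14 10:18:03 mx postfix/smtpd[1]: > client[192.0.2.10]: 334 PDE4OTYuNjk3MTcwOTUyQHBvc3RvZmZpY2UucmVzdG9uLm1jaS5uZXQ+
Feb 14 10:18:04 mx postfix/smtpd[1]: < client[192.0.2.10]: dGltIGI5MTNhNjAyYzdlZGE3YTQ5NWI0ZTZlNzMzNGQzODkw
"""

# direction marker ("<" from client, ">" to client), peer name, then the payload
LINE = re.compile(r"smtpd\[\d+\]: ([<>]) \S+: (.*)$")


def parse_exchange(log):
    """Return (challenge, user, digest) for the first CRAM-MD5 exchange, else None."""
    challenge = None
    for line in log.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        direction, payload = m.groups()
        if direction == ">" and payload.startswith("334 "):
            # Server challenge: base64 of "<random.timestamp@realm>"
            challenge = base64.b64decode(payload[4:])
        elif direction == "<" and challenge is not None:
            try:
                reply = base64.b64decode(payload, validate=True).decode()
            except ValueError:  # e.g. "*" when the client aborts the exchange
                return None
            # Client reply: "<user> <hex HMAC-MD5 of the challenge>"
            user, _, digest = reply.rpartition(" ")
            return challenge, user, digest
    return None


def verify(challenge, digest, secret):
    """Server-side check: recompute HMAC-MD5 keyed with the stored secret."""
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest.lower())


if __name__ == "__main__":
    chal, user, digest = parse_exchange(SAMPLE_LOG)
    print(user, verify(chal, digest, "tanstaaftanstaaf"))
```

The password itself never crosses the wire in this mechanism, so a checker that only validates a submitted password, such as saslauthd, has nothing to validate.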