Subject: Re: digest-md5 cram -> postfix -> saslauthd - pam -> mysql - msg#00001

List: security.cyrus.sasl


Note to "postfix-users": the same problem was sent with a different
Subject to "postfix-users"...

On Sat, Nov 01, 2003 at 04:05:13AM +0100, Denny Schierz wrote:
> my postfix (2.x) servers want to authenticate to my relay server (same
> postfix version) with digest-md5 or cram-md5. It fails with:
>
> example output:
>
> username="test.test.de",realm="s15144503.rootmaster.info",nonce="fBBfmTWk9G1wsrkPuQsQeY0gaROxop1PCBotcNOG9Yg=",cnonce="aKOLNAMd1Xg2DQN5WQzcx9zvXZFQ+fc2t3pJi8eCFyI=",nc=00000001,qop=auth,digest-uri="smtp/cstroot.dyndns.org",response=0fdb6fd2f8cb8a1ecf003fc261d83b4c
> Nov 1 03:02:35 s15144503 postfix/smtpd[23598]: warning: SASL
> authentication failure: no secret in database

Did you notice this information: no secret in database...

> The server supports Digest:
>
> s15144503 root # telnet localhost 25
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> 220 huhu, where you are?
> EHLO test
> 250-s15144503.rootmaster.info
> 250-PIPELINING
> 250-SIZE 10240000
> 250-ETRN
> 250-AUTH NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
> 250-AUTH=NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
> 250-XVERP
> 250 8BITMIME

Actually, the server announces that it supports DIGEST-MD5. Whether this is
true or not depends on your setup. If you are using a trapdoor
mechanism (like /etc/passwd), only cleartext passwords as LOGIN or
PLAIN can actually be used. SASL will however offer all mechanisms
compiled in unless you adapt the list of supported mechanisms to the
working ones by adding a

    mech_list: login plain

directive to smtpd.conf.

I am not familiar with pam->mysql, so I don't know whether it technically
could be used with digest type authentication. In any case the manual
page of saslauthd is clear:

    saslauthd is a daemon process that handles plaintext authentication
    requests on behalf of the SASL library.

So when using saslauthd you must restrict the list of options to
plaintext (LOGIN, PLAIN) anyway!

> something is not working :-/ Both servers have the same version of
> cyrus-sasl and postfix with same options (runs not in chroot). On the
> relay server runs saslauthd (pam -> mysql).

Aha, so the saslauthd information does answer the question!

> i disabled cram and digest, but now postfix authenticate with ntlm :-/.
> Only login/plain is working, but i don't know, how to tell postfix to
> authenticate via login/plain.

Postfix client will use the list of options offered by the server...

Best regards,
Lutz
--
Lutz Jaenicke Lutz.Jaenicke@xxxxxxxxxxxxxxxxx
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
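
The check described in this reply, as an added example that is not part of the original thread: it compares the mechanisms a server advertises in EHLO against what a saslauthd-only setup can verify. The function names and the sample smtpd.conf are constructed for illustration, and it assumes saslauthd is the only credential source (no auxprop secret store).

```python
import re

# Per the saslauthd man page quoted above, it only handles plaintext requests.
PLAINTEXT_MECHS = {"LOGIN", "PLAIN"}

# Constructed sample: a Cyrus SASL smtpd.conf without a mech_list restriction.
SAMPLE_CONF = "pwcheck_method: saslauthd\n"

# EHLO reply as shown in the quoted message.
SAMPLE_EHLO = """250-s15144503.rootmaster.info
250-PIPELINING
250-AUTH NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-AUTH=NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250 8BITMIME"""

def parse_sasl_conf(text):
    """Parse 'key: value' lines of a Cyrus SASL config into a dict."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            conf[key.strip().lower()] = value.strip()
    return conf

def advertised_mechs(ehlo_reply):
    """Collect mechanisms from '250-AUTH ...' and '250-AUTH=...' lines."""
    mechs = set()
    for line in ehlo_reply.splitlines():
        m = re.match(r"250[- ]AUTH[ =](.*)", line.strip(), re.IGNORECASE)
        if m:
            mechs.update(tok.upper() for tok in m.group(1).split())
    return mechs

def audit(conf_text, ehlo_reply):
    """Flag advertised mechanisms that a saslauthd-only backend cannot verify."""
    conf = parse_sasl_conf(conf_text)
    offered = advertised_mechs(ehlo_reply)
    if conf.get("pwcheck_method", "").lower() != "saslauthd":
        return {"unusable": [], "suggested_mech_list": None}
    usable = sorted(offered & PLAINTEXT_MECHS)
    return {
        "unusable": sorted(offered - PLAINTEXT_MECHS),
        "suggested_mech_list": "mech_list: " + " ".join(m.lower() for m in usable),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_CONF, SAMPLE_EHLO))
```

Run against the EHLO reply from the thread, it reports NTLM, DIGEST-MD5 and CRAM-MD5 as advertised but unverifiable, and suggests the same `mech_list` line given in the reply.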



Thread at a glance:

Previous Message by Date:

digest-md5 cram -> postfix -> saslauthd - pam -> mysql

hi, my postfix (2.x) servers want to authenticate to my relay server (same postfix version) with digest-md5 or cram-md5. It fails with: example output: Nov 1 03:02:35 s15144503 postfix/smtpd[16218]: > p50890BE2.dip0.t-ipconnect.de[80.137.11.226]: 535 Error: authentication failed Nov 1 03:02:35 s15144503 postfix/smtpd[23598]: < p50890BE2.dip0.t-ipconnect.de[80.137.11.226]: dXNlcm5hbWU9ImRlbm55LmRlbm55LXNjaGllcnouZGUiLHJlYWxtPSJzMTUxNDQ1MDMucm9vdG1hc3Rlci5pbmZvIixub25jZT0iZkJCZm1UV2s5RzF3c3JrUHVRc1FlWTBnYVJPeG9wMVBDQm90Y05PRzlZZz0iLGNub25jZT0iYUtPTE5BTWQxWGcyRFFONVdRemN4OXp2WFpGUStmYzJ0M3BKaThlQ0Z5ST0iLG5jPTAwMDAwMDAxLHFvcD1hdXRoLGRpZ2VzdC11cmk9InNtdHAvY3N0cm9vdC5keW5kbnMub3JnIixyZXNwb25zZT0wZmRiNmZkMmY4Y2I4YTFlY2YwMDNmYzI2MWQ4M2I0Yw== Nov 1 03:02:35 s15144503 postfix/smtpd[23598]: smtpd_sasl_authenticate: decoded response: username="test.test.de",realm="s15144503.rootmaster.info",nonce="fBBfmTWk9G1wsrkPuQsQeY0gaROxop1PCBotcNOG9Yg=",cnonce="aKOLNAMd1Xg2DQN5WQzcx9zvXZFQ+fc2t3pJi8eCFyI=",nc=00000001,qop=auth,digest-uri="smtp/cstroot.dyndns.org",response=0fdb6fd2f8cb8a1ecf003fc261d83b4c Nov 1 03:02:35 s15144503 postfix/smtpd[23598]: warning: SASL authentication failure: no secret in database Nov 1 03:02:35 s15144503 postfix/smtpd[23598]: warning: p50890BE2.dip0.t-ipconnect.de[80.137.11.226]: SASL DIGEST-MD5 authentication failed Nov 1 03:02:35 s15144503 postfix/smtpd[23598]: > p50890BE2.dip0.t-ipconnect.de[80.137.11.226]: 535 Error: authentication failed Nov 1 03:02:35 s15144503 postfix/smtpd[20642]: < p50890BE2.dip0.t-ipconnect.de[80.137.11.226]: dXNlcm5hbWU9ImRlbm55LmRlbm55LXNjaGllcnouZGUiLHJlYWxtPSJzMTUxNDQ1MDMucm9vdG1hc3Rlci5pbmZvIixub25jZT0iL1UxSkFGb1Rxbms4UmhjUTdwR25Mbmh5UEJ3QlNXK2t0emtKTUwwdnRXQT0iLGNub25jZT0iNmxRSHBvSEVvRnVyTHI2ZTV0Y1oyelNnWmt1L3RGcSswM2QxVk11ZU9jVT0iLG5jPTAwMDAwMDAxLHFvcD1hdXRoLGRpZ2VzdC11cmk9InNtdHAvY3N0cm9vdC5keW5kbnMub3JnIixyZXNwb25zZT1hZDg5ZWUyN2U5Y2IzZmJkZjc5Y2RjMjVlMjc0MWFjYg== Nov 1 03:02:35 s15144503 postfix/smtpd[20642]: 
smtpd_sasl_authenticate: decoded response: username=test.test.de",realm="s15144503.rootmaster.info",nonce="/U1JAFoTqnk8RhcQ7pGnLnhyPBwBSW+ktzkJML0vtWA=",cnonce="6lQHpoHEoFurLr6e5tcZ2zSgZku/tFq+03d1VMueOcU=",nc=00000001,qop=auth,digest-uri="smtp/cstroot.dyndns.org",response=ad89ee27e9cb3fbdf79cdc25e2741acb Nov 1 03:02:35 s15144503 postfix/smtpd[20642]: warning: SASL authentication failure: no secret in database Nov 1 03:02:35 s15144503 postfix/smtpd[20642]: warning: p50890BE2.dip0.t-ipconnect.de[80.137.11.226]: SASL DIGEST-MD5 authentication failed The server supports Digest: s15144503 root # telnet localhost 25 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. 220 huhu, where you are? EHLO test 250-s15144503.rootmaster.info 250-PIPELINING 250-SIZE 10240000 250-ETRN 250-AUTH NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5 250-AUTH=NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5 250-XVERP 250 8BITMIME something is not working :-/ Both servers have the same version of cyrus-sasl and postfix with same options (runs not in chroot). On the relay server runs saslauthd (pam -> mysql). With the relayserver from 1und1.com or auth.smtp.kundenserver.de i had no problems. i disabled cram and digest, but now postfix authenticate with ntlm :-/. Only login/plain ist working, but i don't know, how to tell postfix to authenticate via login/plain. any suggestion? -- cu denny Gnupg key can be found under pgp.mit.edu, key ID 0x73137598 signature.asc Description: This is a digitally signed message part

Next Message by Date:

Re: digest-md5 cram -> postfix -> saslauthd - pam -> mysql

Denny Schierz wrote:
> hi, my postfix (2.x) servers want to authenticate to my relay server (same
> postfix version) with digest-md5 or cram-md5. It fails with:

Any of the shared secret mechanisms *require* that you use an auxprop
plugin. You can only use saslauthd for plaintext mechanisms. If you
want to use the md5 mechs with MySQL, then use the [my]sql auxprop plugin.

--
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp
