3

We're having difficulties authenticating over SMTP, running Postfix + Cyrus on CentOS 7.

When I try to telnet to port 25 (or 587) locally and auth plain, I get the following errors in the mail log:

Sep 25 10:25:00 blabla postfix/smtpd[3858]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: Permission denied

Sep 25 10:25:00 blabla postfix/smtpd[31106]: warning: SASL authentication failure: Password verification failed

Sep 25 10:25:00 blabla postfix/smtpd[31106]: warning: unknown[::1]: SASL plain authentication failed: authentication failure

Not sure what sasldb2 has to do with anything and if that warning has any real bearing on the problem. testsaslauthd with the same credentials returns OK.

Postfix is not running in chroot mode:

    smtp       inet  n  -  n  -  -  smtpd
    smtps      inet  n  -  n  -  -  smtpd
    submission inet  n  -  n  -  -  smtpd
      -o smtpd_sasl_auth_enable=yes

I'm using /etc/shadow for authentication, so ps aux | grep sasl says:

/usr/sbin/saslauthd -m /var/run/saslauthd -a shadow 

Socket dir is /var/run/saslauthd so in main.cf, I have:

    smtpd_sasl_path = /var/run/saslauthd/
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_local_domain = $myhostname
    tls_random_source = dev:/dev/urandom
    smtpd_sasl_local_domain =
    broken_sasl_auth_clients = yes
    smtpd_sasl_exceptions_networks = <someip>
    smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:/var/spool/postfix/postgrey/socket

Finally, /etc/sasl2/smtpd.conf has:

    pwcheck_method: saslauthd
    mech_list: PLAIN LOGIN
    saslauthd_path: /var/run/saslauthd/
    allow_plaintext: true

Any pointers? I am stumped...

Most of the docs I find online seem to point to chrooted postfix configs or more complicated auth methods.

3
  • Could you add the IP address of the SMTP client to the debug_peer_list directive in main.cf? It will turn on debug logging for the IP from which you tested SMTP auth. Commented Sep 25, 2014 at 14:42
  • Done but it's not telling me anything else. One update: I'm also getting warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: Permission denied (updated original description) Commented Sep 25, 2014 at 14:57
  • If the verbose log doesn't tell you anything, then add it to the question above. Perhaps some folks here can get additional info from the verbose log. Commented Sep 26, 2014 at 2:51

1 Answer

2

The error message

unable to open Berkeley db /etc/sasldb2: Permission denied

is a generic message that Postfix can't open that directory because of a permission issue. Use chmod and/or chown to grant access on /etc/sasldb2 to Postfix:

    chown postfix:postfix /etc/sasldb2
    chmod 660 /etc/sasldb2

or

    chmod 644 /etc/sasldb2

For security reasons, I would suggest the first option.

Reference: blog.penumbra.be | www.murat.ws | this thread

1
  • 2
    Eventually I did that and got rid of that message. Unfortunately, this didn't get rid of the general auth problem. (which kinda makes sense since I'm not using sasldb2 to authenticate) Commented Sep 26, 2014 at 2:42
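
An added example, not part of the answer or the thread: a shell function that audits the file the answer's chown/chmod commands act on, showing why mode 644 fails (the credential database becomes readable by every local account) while a postfix-owned 660 passes. The function name, return codes and default owner argument are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: audit owner and mode of a SASL credential database.
# Return codes (chosen for this example): 0 ok, 1 accessible to "other",
# 2 unexpected owner, 3 owner lacks read/write, 4 file missing.
audit_sasldb() {
    db=$1
    want_owner=${2:-postfix}   # assumption: account the smtpd process runs as

    [ -f "$db" ] || { echo "MISSING $db"; return 4; }

    # "ls -ld" prints e.g. "-rw-rw---- 1 postfix postfix ..."; field 1 is the
    # mode string and field 3 the owner name.
    mode=$(ls -ld "$db" | awk '{print $1}')
    owner=$(ls -ld "$db" | awk '{print $3}')
    user_bits=$(printf '%s' "$mode" | cut -c2-3)
    other_bits=$(printf '%s' "$mode" | cut -c8-10)

    if [ "$other_bits" != "---" ]; then
        echo "FAIL $db: mode $mode gives '$other_bits' to every local account"
        return 1
    fi
    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL $db: owned by $owner, expected $want_owner"
        return 2
    fi
    if [ "$user_bits" != "rw" ]; then
        echo "FAIL $db: owner $owner cannot read and write (mode $mode)"
        return 3
    fi
    echo "OK $db: $mode owner=$owner"
}

# Run against a path given on the command line, e.g. /etc/sasldb2.
if [ "$#" -gt 0 ]; then
    audit_sasldb "$@"
fi
```
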
