From: David B. O'Donnell (david at destinynewmedia dot net)
Date: Thu May 27 2004 - 17:41:32 EDT
Because I disagree with the way Apple modified (and IMO limited) Postfix
2.0.10 in Mac OS X Server, I decided I would roll my own, using the Postfix
2.1.1 source and integrating PCRE support and SASL Authentication.
Unfortunately, while Apple does supply their own SASL library, they don't
supply sasl.h or saslutil.h, both of which Postfix appears to need in order
to build SASL support. I say "appears to need" because (a) smtpd.h
references both files and (b) attempts to build Postfix and let it find SASL
on its own result in no SASL support at all.
I grabbed Cyrus SASL 2.1.18 from the FTP site and it configures, makes, and
installs just fine. However, moving Apple's /usr/lib/sasl2 (or removing it)
and symlinking /usr/local/lib/sasl2 to /usr/lib/sasl2 is a Very Bad
Thing--as in no users being able to log in at console, Server Apps refusing
to connect, etc.
Leaving Cyrus SASL 2.1.18 in /usr/local/lib/sasl2 and telling Postfix (via
CCARGS='-DUSE_SASL_AUTH -I/usr/local/include/sasl' and
AUXLIBS='-L/usr/lib -lsasl2') builds /usr/libexec/postfix/smtpd with the same
SASL support as the out of the box Postfix 2.0.10:
% otool -L /usr/libexec/postfix/smtpd | grep sasl
        /usr/lib/libsasl2.2.0.1.dylib (compatibility version 3.0.0, current version 1.0.0)
setting /usr/lib/sasl2/smtpd.conf up as:
auxprop_plugin: sasldb
pwcheck_method: auxprop
mech_list: plain login cram-md5
and chgrp postfix /etc/sasldb.db; chmod 640 /etc/sasldb.db seems to set
things up for authentication.
Apple includes a bunch of entries in /etc/sasldb.db already, like:
0x40aef2aa023ef6740000000300000003 at mrsgale dot fates dot org: cmusaslsecretOTP
After reading documentation (Postfix's, what I could find on this list, and
various other Web sites reached by Google), I tried adding an entry for
myself with:
/usr/local/sbin/saslpasswd2 -c -u mrsgale.fates.org -a smtpd atropos
The result is the following line ONLY being added to /etc/sasldb2.db:
atropos at mrsgale dot fates dot org: cmusaslsecretOTP
From the various sources of documentation, I was led to expect to see
atropos at mrsgale dot fates dot org: userPassword
as well, but Cyrus SASL 2.1.18 saslpasswd2 does not write that line and I
couldn't find any way of forcing it to do so.
I then switched to Cyrus SASL 2.1.15. That build installs, if you disable
krb4. Its saslpasswd2 also adds the userPassword line to /etc/sasldb.db.
Everything *seemed* to be kosher... but apparently not.
Following the directions in the Postfix SASL HOWTO, I built the client and
server sample applications and ran them in separate terminals:
(Server)
root at mrsgale [/Volumes/Consulate/UNIX/cyrus-sasl-2.1.15/sample]: ./server
trying 30, 1, 6
trying 2, 1, 6
accepted new connection
send: {160}
TWOWAYRANDOM SMB-NT SMB-LAN-MANAGER MS-CHAPv2 LOGIN PLAIN PLAIN OTP OTP
LOGIN DIGEST-MD5 DIGEST-MD5 CRAM-MD5 CRAM-MD5 ANONYMOUS ANONYMOUS
WEBDAV-DIGEST DHX APOP
recv: {10}
DIGEST-MD5
recv: {1}
N
send: {122}
nonce="+UsMiyMQE69UQSh4nCErEt7jBx2of0ywVBIFhmjYU4Y=",realm="mrsgale.fates.org",qop="auth",charset=utf-8,algorithm=md5-sess
recv: {250}
username="atropos",realm="mrsgale.fates.org",nonce="+UsMiyMQE69UQSh4nCErEt7jBx2of0ywVBIFhmjYU4Y=",cnonce="6K/lU3XvynvInsEAvXIV2re5Tjvv01yfeUPLkrplimA=",nc=00000001,qop=auth,digest-uri="rcmd/mrsgale.fates.org",response=400d96e93b88e2d51ac2103e0e440f17
send: {40}
rspauth=d11a59a3c7d300023b93ff57f2f8456e
recv: {0}
successful authentication 'atropos'
closing connection
(Client)
root at mrsgale [/Volumes/Consulate/UNIX/cyrus-sasl-2.1.15/sample]: ./client mrsgale.fates.org
receiving capability list... recv: {160}
TWOWAYRANDOM SMB-NT SMB-LAN-MANAGER MS-CHAPv2 LOGIN PLAIN PLAIN OTP OTP
LOGIN DIGEST-MD5 DIGEST-MD5 CRAM-MD5 CRAM-MD5 ANONYMOUS ANONYMOUS
WEBDAV-DIGEST DHX APOP
TWOWAYRANDOM SMB-NT SMB-LAN-MANAGER MS-CHAPv2 LOGIN PLAIN PLAIN OTP OTP
LOGIN DIGEST-MD5 DIGEST-MD5 CRAM-MD5 CRAM-MD5 ANONYMOUS ANONYMOUS
WEBDAV-DIGEST DHX APOP
send: {10}
DIGEST-MD5
send: {1}
N
recv: {122}
nonce="+UsMiyMQE69UQSh4nCErEt7jBx2of0ywVBIFhmjYU4Y=",realm="mrsgale.fates.org",qop="auth",charset=utf-8,algorithm=md5-sess
please enter an authentication id: atropos
please enter an authorization id: atropos
Password:
send: {250}
username="atropos",realm="mrsgale.fates.org",nonce="+UsMiyMQE69UQSh4nCErEt7jBx2of0ywVBIFhmjYU4Y=",cnonce="6K/lU3XvynvInsEAvXIV2re5Tjvv01yfeUPLkrplimA=",nc=00000001,qop=auth,digest-uri="rcmd/mrsgale.fates.org",response=400d96e93b88e2d51ac2103e0e440f17
recv: {40}
rspauth=d11a59a3c7d300023b93ff57f2f8456e
send: {0}
successful authentication
closing connection
*** malloc[3571]: Deallocation of a pointer not malloced: 0x357b; This could be a double free(), or free() called with the middle of an allocated block; Try setting environment variable MallocHelp to see tools to help debug
*** malloc[3571]: Deallocation of a pointer not malloced: 0x300970; This could be a double free(), or free() called with the middle of an allocated block; Try setting environment variable MallocHelp to see tools to help debug
*** malloc[3571]: error for object 0x300970: Incorrect checksum for freed object - object was probably modified after being freed; break at szone_error
I tried authenticating using -m PLAIN and -m CRAM-MD5, and in all cases
authentication was successful (with the three lines of complaints afterward).
Next, I tried the SMTP method:
220 mrsgale.fates.org ESMTP Postfix (2.1.1) [NO UCE, NO UBE, C=US, L=VA]
ehlo mrsgale.fates.org
250-mrsgale.fates.org
250-PIPELINING
250-SIZE 20971520
250-ETRN
250-AUTH PLAIN LOGIN CRAM-MD5
250 8BITMIME
auth plain YXRyb3BvcwBhdHJvcG9zAGlsbHlyaWE=
235 Authentication successful
That also seems fine... EXCEPT for the following in /var/log/mail.log:
May 27 17:31:15 localhost postfix/smtpd[9281]: connect from localhost[127.0.0.1]
May 27 17:31:25 localhost postfix/smtpd[9281]: warning: SASL authentication failure: no user in db
May 27 17:31:25 localhost postfix/smtpd[9281]: warning: SASL authentication failure: no user in db
/usr/local/sbin/sasldblistusers2 says:
atropos at mrsgale dot fates dot org: userPassword
atropos at mrsgale dot fates dot org: cmusaslsecretOTP
(among other lines).
At this point, I thought that since smtpd was saying I am authenticated,
I should just be able to go ahead and enable SASL support in Postfix
and authenticate away... except that I can't. Postfix refuses to let me
relay (it always fails by triggering a built-in reject_unauth_destination
check, and returns 554 cannot relay errors). Before I risk being flamed for
daring to ask a question on the Postfix-users list, I thought I would see if
anyone here could offer any insight as to why I'm getting the "no user in
db" errors in /var/log/mail.log, yet getting 235 Authentication successful
in the transaction.
Any assistance, pointers, guidance, or guesses would be most welcome.
-- 
David B. O'Donnell - david at destinynewmedia dot net
E-mail, List, and Web Hosting Services - http://www.destinynewmedia.net
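The two mechanisms behind the "250-AUTH PLAIN LOGIN CRAM-MD5" line and the "auth plain ..." exchange in the transcript above, as an added example in Python; this is not code from the original post, from Postfix or from Cyrus SASL. It builds and parses an AUTH PLAIN initial response (RFC 4616) and runs both sides of an AUTH CRAM-MD5 exchange (RFC 2195). The hostname, the "alice" credentials and the in-memory password dictionary are constructed for the example; the CRAM-MD5 challenge/response pair in the test is the vector printed in RFC 2195. Two points a practitioner should take from it: AUTH PLAIN carries the password protected by nothing but base64, so it needs TLS underneath; and a CRAM-MD5 server can only check the response if it can retrieve the user's plaintext secret, which is why a sasldb needs the userPassword entry and why a user missing from the database can never authenticate with it.

```python
"""SASL PLAIN (RFC 4616) and CRAM-MD5 (RFC 2195) as spoken over SMTP AUTH.

Added example; not code from the original post, Postfix or Cyrus SASL.
Credentials, hostname and the password store below are constructed.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
import time
from typing import Callable, List, Optional, Tuple


def encode_plain(authcid: str, passwd: str, authzid: str = "") -> str:
    """Client side: base64 of  [authzid] NUL authcid NUL passwd.

    Base64 is an encoding, not encryption: anyone watching the TCP
    stream recovers the password, so AUTH PLAIN belongs inside TLS.
    """
    if any("\0" in field for field in (authzid, authcid, passwd)):
        raise ValueError("NUL is the field separator and may not appear in a field")
    raw = f"{authzid}\0{authcid}\0{passwd}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_plain(token: str) -> Tuple[str, str, str]:
    """Server side: parse an AUTH PLAIN token into (authzid, authcid, passwd)."""
    parts = base64.b64decode(token, validate=True).split(b"\0")
    if len(parts) != 3:
        raise ValueError("PLAIN message must contain exactly two NUL separators")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    if not authcid or not passwd:
        raise ValueError("authcid and passwd must be non-empty")
    return authzid, authcid, passwd


def cram_md5_challenge(hostname: str) -> str:
    """Server side: a fresh, unpredictable msg-id style challenge."""
    return f"<{secrets.randbits(32)}.{int(time.time())}@{hostname}>"


def cram_md5_response(username: str, passwd: str, challenge: str) -> str:
    """Client side: 'username HEX(HMAC-MD5(key=passwd, msg=challenge))'."""
    mac = hmac.new(passwd.encode("utf-8"), challenge.encode("utf-8"), hashlib.md5)
    return f"{username} {mac.hexdigest()}"


def cram_md5_verify(response: str, challenge: str,
                    lookup: Callable[[str], Optional[str]]) -> bool:
    """Server side: recompute the HMAC from the stored *plaintext* password.

    `lookup` stands in for the sasldb userPassword record.  A one-way hash
    cannot be used here, and a user absent from the store ("no user in db")
    can never pass.
    """
    try:
        username, hexdigest = response.split(" ", 1)
    except ValueError:
        return False
    passwd = lookup(username)
    if passwd is None:
        return False
    expected = hmac.new(passwd.encode("utf-8"), challenge.encode("utf-8"),
                        hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, hexdigest)


def smtp_auth_cram_md5(username: str, passwd: str,
                       lookup: Callable[[str], Optional[str]],
                       hostname: str = "mail.example.test") -> Tuple[bool, List[str]]:
    """Both sides of AUTH CRAM-MD5 as the lines would appear on the wire."""
    challenge = cram_md5_challenge(hostname)
    lines = ["C: AUTH CRAM-MD5",
             "S: 334 " + base64.b64encode(challenge.encode("utf-8")).decode("ascii")]
    response = cram_md5_response(username, passwd, challenge)
    lines.append("C: " + base64.b64encode(response.encode("utf-8")).decode("ascii"))
    ok = cram_md5_verify(response, challenge, lookup)
    lines.append("S: 235 2.7.0 Authentication successful" if ok
                 else "S: 535 5.7.8 Error: authentication failed")
    return ok, lines


if __name__ == "__main__":
    store = {"alice": "s3cret"}          # constructed stand-in for sasldb
    print(decode_plain(encode_plain("alice", "s3cret", "alice")))
    for line in smtp_auth_cram_md5("alice", "s3cret", store.get)[1]:
        print(line)
```

Decoding the "auth plain" token from the transcript above with decode_plain() gives "atropos" for both the authorization and authentication identity and the password as the third field, which is the whole point about needing TLS around PLAIN and LOGIN. The CRAM-MD5 side never sends the password, but the server must already hold it in retrievable form, so an entry that carries only a one-way or OTP secret does not let a CRAM-MD5 login succeed.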