Postfix SMTP SASL authentication with pam_mysql does not accept an email address as the username
I am currently working on a project to update an existing Postfix deployment. I am running into problems authenticating users against smtp.
The main issue I am running into is that our Postfix user database is fully qualified (email@domain.com). However, when trying to authenticate with AUTH PLAIN, the @ symbol as well as the . are being truncated. If I test a user account with testsaslauthd, I get a successful result.
The second issue I am having is actually understanding where saslauthd and the pam service use their respective mysql configurations. I have read many articles on how to set this up, but it is not clear to me whether I need one, the other, or both of these configurations.
Below is all the relevant configuration/logging I can post right away (note: systems, domains and usernames have been sanitized):
OS version:
mose@postfix ~ $ cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core)
Postfix version:
mose@postfix ~ $ postconf -v | grep 'mail_version = '
postconf: $smtpd_tls_security_level in main.cf validates smtpd_tls_security_level=value in master.cf:submission.inet
mail_version = 2.10.1
Successful credential test from the cli:
mose@postfix ~ $ testsaslauthd -u mose@example.com -p password -s smtp
0: OK "Success."
Failed authentication via telnet:
mose@postfix ~ $ openssl s_client -starttls smtp -crlf -connect postfix.example.com:587
<SSL Output truncated for brevity>
EHLO example.com
250-postfix.example.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5
250-AUTH=PLAIN LOGIN CRAM-MD5 DIGEST-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN bW9zZS5jb20AbW9zZS5jb20AcGFzc3dvcmQ=
535 5.7.8 Error: authentication failed: authentication failure
Logs; note that I am passing the username as mose@example.com, but the mysql lookup shows it as "mose.com@example.com":
mose@postfix ~ $ sudo tail /var/log/secure
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - option verbose is set to "1"
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - option users.host is set to "localhost"
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - option users.database is set to "postfix"
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - option users.db_user is set to "mysql"
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - option users.db_passwd is set to "password"
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - option users.password_crypt is set to "1"
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - option users.table is set to "mailboxes"
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - option users.where_clause is set to "status = 1"
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - option users.user_column is set to "login"
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - option users.password_column is set to "password"
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - pam_sm_authenticate() called.
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - pam_mysql_open_db() called.
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - pam_mysql_open_db() returning 0.
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - pam_mysql_check_passwd() called.
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - pam_mysql_format_string() called
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - pam_mysql_quick_escape() called.
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - SELECT password FROM mailboxes WHERE login = 'mose.com@example.com' AND (status = 1)
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - SELECT returned no result.
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - pam_mysql_check_passwd() returning 1.
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - pam_mysql_sql_log() called.
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - pam_mysql_sql_log() returning 0.
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - pam_mysql_converse() called.
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - pam_mysql_open_db() called.
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - pam_mysql_check_passwd() called.
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - pam_mysql_format_string() called
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - pam_mysql_quick_escape() called.
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - SELECT password FROM mailboxes WHERE login = 'mose.com@example.com' AND (status = 1)
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - SELECT returned no result.
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - pam_mysql_check_passwd() returning 1.
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - pam_mysql_sql_log() called.
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - pam_mysql_sql_log() returning 0.
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - pam_sm_authenticate() returning 10.
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - pam_mysql_release_ctx() called.
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - pam_mysql_destroy_ctx() called.
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - pam_mysql_close_db() called.
SASLAuthD configured to use PAM:
mose@postfix ~ $ sudo grep -v \# /etc/sysconfig/saslauthd
SOCKETDIR=/run/saslauthd
MECH=pam
FLAGS="-r"
SMTPD configured to use the MySQL plugin:
mose@postfix ~ $ ll /etc/postfix/sasl/smtpd.conf
lrwxrwxrwx 1 root root 21 Jan 11 17:24 /etc/postfix/sasl/smtpd.conf -> /etc/sasl2/smtpd.conf
mose@postfix ~ $ sudo cat /etc/sasl2/smtpd.conf
pwcheck_method: saslauthd
mech_list: plain login cram-md5 digest-md5
allow_plaintext: true
auxprop_plugin: sql
sql_engine: mysql
sql_hostnames: localhost
sql_user: mysql
sql_passwd: password
sql_database: postfix
sql_verbose: yes
sql_select: select password from mailboxes where login = '%u@%r' and status='1'
sql_usessl: no
log_level: 3
PAM configured to use MySQL:
mose@postfix ~ $ sudo cat /etc/pam.d/smtp
#%PAM-1.0
auth required pam_nologin.so
auth sufficient pam_mysql.so config_file=/etc/postfix/mysql/pam.conf
account sufficient pam_mysql.so config_file=/etc/postfix/mysql/pam.conf
password required pam_deny.so
mose@postfix ~ $ sudo cat /etc/postfix/mysql/pam.conf
verbose = 1;
users.host = localhost;
users.database = postfix;
users.db_user = mysql;
users.db_passwd = password;
users.password_crypt = 1;
users.table = postfix_mailboxes;
users.where_clause = status = 1;
users.user_column = login;
users.password_column = password;
Full Postfix configuration dump:
mose@postfix ~ $ sudo postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
html_directory = no
inet_interfaces = $myhostname, localhost, 10.100.0.11
inet_protocols = ipv4
local_recipient_maps =
mail_owner = postfix
mailbox_command = procmail -a "$EXTENSION"
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination =
mydomain = example.com
myhostname = postfix.example.com
mynetworks = 127.0.0.0/8, 10.100.0.0/24
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen/access.cidr
postscreen_bare_newline_action = enforce
postscreen_bare_newline_enable = no
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map = pcre:$config_directory/postscreen_dnsbl_reply_map.pcre
postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2 bl.spameatingmonkey.net*2 bl.spamcop.net dnsbl.sorbs.net psbl.surriel.com bl.mailspike.net
postscreen_dnsbl_threshold = 3
postscreen_greet_action = enforce
postscreen_greet_banner = $myhostname [POSTSCREEN] ESMTP $mail_name
postscreen_non_smtp_command_enable = no
postscreen_pipelining_enable = no
postscreen_whitelist_interfaces = static:all
proxy_read_maps = $virtual_mailbox_maps $virtual_alias_maps $virtual_mailbox_domains #$transport_maps
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
relay_domains =
relayhost =
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_helo_timeout = 5
smtp_host_lookup = native
smtp_sasl_auth_enable = yes
smtpd_banner = $myhostname [SMTPD] ESMTP $mail_name
smtpd_delay_reject = no
smtpd_error_sleep_time = 30
smtpd_hard_error_limit = 20
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = cyrus
smtpd_sender_restrictions = reject_unknown_sender_domain
smtpd_soft_error_limit = 10
smtpd_tls_CAfile = /etc/postfix/gd_bundle-g2-g1.crt
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 10800s
strict_rfc821_envelopes = yes
tls_random_exchange_name = /var/lib/postfix/prng_exch
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql/autoreply.cf, proxy:mysql:/etc/postfix/mysql/aliases.cf, proxy:mysql:/etc/postfix/mysql/groups.cf
virtual_gid_maps = static:101
virtual_mailbox_base = /
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql/domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql/mailboxes.cf
virtual_minimum_uid = 110532
virtual_uid_maps = static:110532
I can see where I can define the user format in the SASLAuth mysql settings (%u@%r), but I have not seen any documentation for the same being supported in pam_mysql.
Any help is appreciated.
EDIT: I stumbled across someone with a similar problem, but after making the changes he recommended, the username is still not being entered correctly...
I also checked my setup against this post, and the only difference I can see is that the pam_mysql I have comes from the following repository: http://repo.iotti.biz/CentOS/$releasever
mose@postfix ~ $ sudo yum info pam_mysql --enablerepo=lux
Loaded plugins: fastestmirror, langpacks, product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
Loading mirror speeds from cached hostfile
 * base: mirrors.lga7.us.voxel.net
 * extras: mirror.cs.pitt.edu
 * updates: mirror.cogentco.com
Installed Packages
Name        : pam_mysql
Arch        : x86_64
Epoch       : 1
Version     : 0.8.1
Release     : 0.22.el7.lux
Size        : 96 k
Repo        : installed
From repo   : lux
Summary     : PAM module for auth UNIX users using MySQL data base
URL         : http://sf.net/projects/pam-mysql/
License     : GPLv2+
Description : Pam_mysql aims to provide a backend neutral means of authenticating
            : users against an MySQL database.
I added "-r -c" to the flags. Also found that the @ symbol was not being escaped properly when testing. Everything works as expected.
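As an added example (not part of the original post), the Python script below decodes the AUTH PLAIN argument from the failing session above and models what saslauthd's -r flag does to the login before pam_mysql queries it, so the "mose.com@example.com" in the log can be reproduced from the wire bytes. SAMPLE_LOGINS, the function names and the pass-through of a login that already contains "@" are my assumptions, not saslauthd's code.

```python
import base64

# Constructed stand-in for the page's mailboxes `login` column (real rows not shown).
SAMPLE_LOGINS = {"mose@example.com", "alice@example.com"}

def encode_auth_plain(authcid: str, passwd: str, authzid: str = "") -> str:
    """Build the base64 argument of an SMTP AUTH PLAIN command (RFC 4616)."""
    # Wire format: [authzid] NUL authcid NUL passwd; authzid may be empty.
    for part in (authzid, authcid, passwd):
        if "\0" in part:
            raise ValueError("NUL is not allowed inside a PLAIN field")
    raw = f"{authzid}\0{authcid}\0{passwd}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def decode_auth_plain(b64: str) -> tuple[str, str, str]:
    """Split an AUTH PLAIN argument back into (authzid, authcid, passwd)."""
    parts = base64.b64decode(b64, validate=True).decode("utf-8").split("\0")
    if len(parts) != 3:
        raise ValueError("PLAIN message must contain exactly two NUL separators")
    return parts[0], parts[1], parts[2]

def saslauthd_pam_login(authcid: str, realm: str, combine_realm: bool) -> str:
    """Login name saslauthd hands to PAM (simplified model, not saslauthd's code).
    With -r, saslauthd joins login and realm as login@realm; Postfix supplies the
    realm from smtpd_sasl_local_domain (example.com on this page). A login that
    already carries '@' is passed through unchanged: an assumption about how the
    SASL library splits user and realm, so verify it on your own host.
    """
    if combine_realm and realm and "@" not in authcid:
        return f"{authcid}@{realm}"
    return authcid

def diagnose(b64: str, realm: str, combine_realm: bool = True) -> dict:
    """Trace one AUTH PLAIN argument through to the pam_mysql lookup key."""
    authzid, authcid, _passwd = decode_auth_plain(b64)
    login = saslauthd_pam_login(authcid, realm, combine_realm)
    return {
        "authzid": authzid,
        "authcid": authcid,
        "pam_login": login,
        # Equivalent of: SELECT password FROM mailboxes WHERE login = '<login>'
        "select_would_match": login in SAMPLE_LOGINS,
    }

if __name__ == "__main__":
    # The exact argument from the failing session on this page.
    print(diagnose("bW9zZS5jb20AbW9zZS5jb20AcGFzc3dvcmQ=", realm="example.com"))
    # What the client should have sent for mose@example.com (constructed).
    print(diagnose(encode_auth_plain("mose@example.com", "password"), "example.com"))
```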