SASL PLAIN authentication works for the primary domain but not for the virtual domain
Postfix + Dovecot with SASL. So far this has worked for one domain.
I added a virtual domain. Incoming mail for it works, but outgoing SASL authentication fails.
Why it fails I don't know.
/etc/sasl2/smtpd.conf looks like:

    pwcheck_method: auxprop
    auxprop_plugin: sasldb
    mech_list: PLAIN LOGIN
postconf -n output:

    alias_database = hash:/etc/aliases
    alias_maps = hash:/etc/aliases
    broken_sasl_auth_clients = yes
    command_directory = /usr/sbin
    config_directory = /etc/postfix
    daemon_directory = /usr/libexec/postfix
    data_directory = /var/lib/postfix
    debug_peer_level = 2
    html_directory = no
    inet_interfaces = all
    inet_protocols = all
    mail_owner = postfix
    mailbox_size_limit = 0
    mailq_path = /usr/bin/mailq.postfix
    manpage_directory = /usr/share/man
    message_size_limit = 40960000
    mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, mail.$mydomain
    mydomain = primary.net
    myhostname = mail.primary.net
    myorigin = $myhostname
    newaliases_path = /usr/bin/newaliases.postfix
    queue_directory = /var/spool/postfix
    readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
    relay_domains = $mydestination, primary.net, seconddomain.org
    sample_directory = /usr/share/doc/postfix-2.6.6/samples
    sendmail_path = /usr/sbin/sendmail.postfix
    setgid_group = postdrop
    smtpd_client_restrictions = permit_sasl_authenticated
    smtpd_data_restrictions = reject_unauth_pipelining
    smtpd_helo_required = yes
    smtpd_helo_restrictions = reject_non_fqdn_hostname
    smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_invalid_hostname, reject_unauth_pipelining, reject_unauth_destination, reject_rbl_client sbl-xbl.spamhaus.org, permit
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_path = private/auth
    smtpd_sasl_type = dovecot
    smtpd_sender_restrictions = reject_unknown_sender_domain
    soft_bounce = no
    unknown_local_recipient_reject_code = 550
    virtual_alias_domains = mail.seconddomain.org
    virtual_alias_maps = hash:/etc/postfix/virtual
The virtual alias domain works. But when I try to authenticate with a user of the virtual domain, the mail log throws an error:

    SASL PLAIN authentication failed

Any ideas where I should look?
Update #1:

Following the instructions below I still couldn't authenticate, so I installed saslfinger. This is the output:

    saslfinger - postfix Cyrus sasl configuration Tue Mar 24 07:23:10 GMT 2015
    version: 1.0.2
    mode: server-side SMTP AUTH

    -- basics --
    Postfix: 2.6.6
    System: CentOS release 6.5 (Final)

    -- smtpd is linked to --
    libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00007ff8b9655000)

    -- active SMTP AUTH and TLS parameters for smtpd --
    broken_sasl_auth_clients = yes
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_authenticated_header = no
    smtpd_sasl_path = private/auth
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_type = dovecot

    -- listing of /usr/lib64/sasl2 --
    total 504
    drwxr-xr-x.  2 root root  4096 Sep 15  2013 .
    dr-xr-xr-x. 43 root root 20480 Jun 20  2014 ..
    -rwxr-xr-x.  1 root root 18776 Nov 27  2012 libanonymous.so
    -rwxr-xr-x.  1 root root 18776 Nov 27  2012 libanonymous.so.2
    -rwxr-xr-x.  1 root root 18776 Nov 27  2012 libanonymous.so.2.0.23
    -rwxr-xr-x   1 root root 22936 Nov 27  2012 libcrammd5.so
    -rwxr-xr-x   1 root root 22936 Nov 27  2012 libcrammd5.so.2
    -rwxr-xr-x   1 root root 22936 Nov 27  2012 libcrammd5.so.2.0.23
    -rwxr-xr-x   1 root root 52088 Nov 27  2012 libdigestmd5.so
    -rwxr-xr-x   1 root root 52088 Nov 27  2012 libdigestmd5.so.2
    -rwxr-xr-x   1 root root 52088 Nov 27  2012 libdigestmd5.so.2.0.23
    -rwxr-xr-x.  1 root root 18808 Nov 27  2012 liblogin.so
    -rwxr-xr-x.  1 root root 18808 Nov 27  2012 liblogin.so.2
    -rwxr-xr-x.  1 root root 18808 Nov 27  2012 liblogin.so.2.0.23
    -rwxr-xr-x.  1 root root 18808 Nov 27  2012 libplain.so
    -rwxr-xr-x.  1 root root 18808 Nov 27  2012 libplain.so.2
    -rwxr-xr-x.  1 root root 18808 Nov 27  2012 libplain.so.2.0.23
    -rwxr-xr-x.  1 root root 22784 Nov 27  2012 libsasldb.so
    -rwxr-xr-x.  1 root root 22784 Nov 27  2012 libsasldb.so.2
    -rwxr-xr-x.  1 root root 22784 Nov 27  2012 libsasldb.so.2.0.23

    -- listing of /etc/sasl2 --
    total 12
    drwxr-xr-x.  2 root root 4096 Sep 20  2013 .
    drwxr-xr-x. 93 root root 4096 Mar 22 03:43 ..
    -rw-r--r--.  1 root root   70 Mar 24 07:22 smtpd.conf

    -- content of /etc/sasl2/smtpd.conf --
    pwcheck_method: auxprop
    auxprop_plugin: sasldb
    mech_list: PLAIN LOGIN

    -- active services in /etc/postfix/master.cf --
    # service type  private unpriv  chroot  wakeup  maxproc command + args
    #               (yes)   (yes)   (yes)   (never) (100)
    smtp       inet  n       -       n       -       -       smtpd
    submission inet  n       -       -       -       -       smtpd
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_sasl_type=dovecot
      -o smtpd_sasl_path=private/auth
      -o smtpd_sasl_security_options=noanonymous
      -o smtpd_sasl_local_domain=$myhostname
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      -o smtpd_sender_login_maps=hash:/etc/postfix/virtual
    smtps      inet  n       -       n       -       -       smtpd
    pickup     fifo  n       -       n       60      1       pickup
    cleanup    unix  n       -       n       -       0       cleanup
    qmgr       fifo  n       -       n       300     1       qmgr
    tlsmgr     unix  -       -       n       1000?   1       tlsmgr
    rewrite    unix  -       -       n       -       -       trivial-rewrite
    bounce     unix  -       -       n       -       0       bounce
    defer      unix  -       -       n       -       0       bounce
    trace      unix  -       -       n       -       0       bounce
    verify     unix  -       -       n       -       1       verify
    flush      unix  n       -       n       1000?   0       flush
    proxymap   unix  -       -       n       -       -       proxymap
    proxywrite unix  -       -       n       -       1       proxymap
    smtp       unix  -       -       n       -       -       smtp
    relay      unix  -       -       n       -       -       smtp
      -o smtp_fallback_relay=
    showq      unix  n       -       n       -       -       showq
    error      unix  -       -       n       -       -       error
    retry      unix  -       -       n       -       -       error
    discard    unix  -       -       n       -       -       discard
    local      unix  -       n       n       -       -       local
    virtual    unix  -       n       n       -       -       virtual
    lmtp       unix  -       -       n       -       -       lmtp
    anvil      unix  -       -       n       -       1       anvil
    scache     unix  -       -       n       -       1       scache

    -- mechanisms on localhost --
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN

    -- end of saslfinger output --
Update #2:

I enabled verbose mode; this is the output after trying to send an email. Note: I stripped the timestamp and the `srv postfix/smtpd[29481]:` prefix from every line to make it smaller:

    dict_eval: const mail
    dict_eval: const all
    dict_eval: const
    dict_eval: const
    dict_eval: const
    name_mask: all
    dict_eval: const mail.mydomain.net
    dict_eval: const mydomain.net
    dict_eval: const Postfix
    dict_eval: expand ${multi_instance_name:postfix}${multi_instance_name?$multi_instance_name} -> postfix
    dict_eval: const postfix
    dict_eval: const postdrop
    dict_eval: expand $myhostname, localhost.$mydomain, localhost, $mydomain, mail.$mydomain -> mail.mydomain.net, localhost.mydomain.net, localhost, mydomain.net, mail.mydomain.net
    dict_eval: expand $myhostname -> mail.mydomain.net
    dict_eval: const
    dict_eval: const /usr/libexec/postfix
    dict_eval: const /var/lib/postfix
    dict_eval: const /usr/sbin
    dict_eval: const /var/spool/postfix
    dict_eval: const pid
    dict_eval: const all
    dict_eval: const
    dict_eval: const double-bounce
    dict_eval: const nobody
    dict_eval: const hash:/etc/aliases
    dict_eval: const 20100319
    dict_eval: const 2.6.6
    dict_eval: const hash
    dict_eval: const deferred, defer
    dict_eval: const
    dict_eval: expand $mydestination, mydomain.net, anotherdomain.org -> mail.mydomain.net, localhost.mydomain.net, localhost, mydomain.net, mail.mydomain.net, mydomain.net, anotherdomain.org
    dict_eval: expand $relay_domains -> mail.mydomain.net, localhost.mydomain.net, localhost, mydomain.net, mail.mydomain.net, mydomain.net, anotherdomain.org
    dict_eval: const TZ MAIL_CONFIG LANG
    dict_eval: const MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C
    dict_eval: const subnet
    dict_eval: const 127.0.0.1
    dict_eval: const +=
    dict_eval: const -=+
    dict_eval: const debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps
    dict_eval: const
    dict_eval: const bounce
    dict_eval: const cleanup
    dict_eval: const defer
    dict_eval: const pickup
    dict_eval: const qmgr
    dict_eval: const rewrite
    dict_eval: const showq
    dict_eval: const error
    dict_eval: const flush
    dict_eval: const verify
    dict_eval: const trace
    dict_eval: const proxymap
    dict_eval: const proxywrite
    dict_eval: const
    dict_eval: const
    dict_eval: const 40960000
    dict_eval: const 2
    dict_eval: const no
    dict_eval: const 100s
    dict_eval: const 100s
    dict_eval: const 100s
    dict_eval: const 100s
    dict_eval: const 3600s
    dict_eval: const 3600s
    dict_eval: const 5s
    dict_eval: const 5s
    dict_eval: const 1000s
    dict_eval: const 1000s
    dict_eval: const 10s
    dict_eval: const 10s
    dict_eval: const 1s
    dict_eval: const 1s
    dict_eval: const 1s
    dict_eval: const 1s
    dict_eval: const 500s
    dict_eval: const 500s
    dict_eval: const 18000s
    dict_eval: const 18000s
    dict_eval: const 1s
    dict_eval: const 1s
    name_mask: subnet
    inet_addr_local: configured 2 IPv4 addresses
    inet_addr_local: configured 2 IPv6 addresses
    been_here: 127.0.0.0/8: 0
    been_here: 77.0.0.0/8: 0
    been_here: [::1]/128: 0
    been_here: [fe80::%eth0]/64: 0
    mynetworks: 127.0.0.0/8 77.0.0.0/8 [::1]/128 [fe80::%eth0]/64
    dict_eval: const 127.0.0.0/8 77.0.0.0/8 [::1]/128 [fe80::%eth0]/64
    dict_eval: const 10
    dict_eval: expand ${stress?1}${stress:20} -> 20
    dict_eval: expand ${stress?1}${stress:100} -> 100
    dict_eval: expand ${stress?1}${stress:3} -> 3
    dict_eval: const 550
    dict_eval: expand $myhostname ESMTP $mail_name -> mail.mydomain.net ESMTP Postfix
    dict_eval: const resource, software
    dict_eval: const permit_sasl_authenticated
    dict_eval: const reject_non_fqdn_hostname
    dict_eval: const reject_unknown_sender_domain
    dict_eval: const permit_sasl_authenticated, permit_mynetworks, reject_invalid_hostname, reject_unauth_pipelining, reject_unauth_destination, reject_rbl_client sbl-xbl.spamhaus.org, permit
    dict_eval: const
    dict_eval: const reject_unauth_pipelining
    dict_eval: const
    dict_eval: const
    dict_eval: const
    dict_eval: const postmaster
    dict_eval: const
    dict_eval: const
    dict_eval: const
    dict_eval: const hash:/etc/postfix/virtual
    dict_eval: const
    dict_eval: const hash:/etc/aliases
    dict_eval: expand proxy:unix:passwd.byname $alias_maps -> proxy:unix:passwd.byname hash:/etc/aliases
    dict_eval: const noanonymous
    dict_eval: const private/auth
    dict_eval: const
    dict_eval: const
    dict_eval: const
    dict_eval: const
    dict_eval: const
    dict_eval: const
    dict_eval: const
    dict_eval: const CONNECT GET POST
    dict_eval: const <>
    dict_eval: const
    dict_eval: expand $double_bounce_sender -> double-bounce
    dict_eval: expand $authorized_verp_clients ->
    dict_eval: const
    dict_eval: expand $myhostname -> mail.mydomain.net
    dict_eval: const
    dict_eval: const
    dict_eval: const
    dict_eval: expand ${smtpd_client_connection_limit_exceptions:$mynetworks} -> 127.0.0.0/8 77.0.0.0/8 [::1]/128 [fe80::%eth0]/64
    dict_eval: const permit_inet_interfaces
    dict_eval: const
    dict_eval: const
    dict_eval: const
    dict_eval: expand $smtpd_sasl_security_options -> noanonymous
    dict_eval: const
    dict_eval: expand $smtpd_tls_cert_file ->
    dict_eval: const
    dict_eval: expand $smtpd_tls_dcert_file ->
    dict_eval: const
    dict_eval: expand $smtpd_tls_eccert_file ->
    dict_eval: const
    dict_eval: const
    dict_eval: const export
    dict_eval: const medium
    dict_eval: const
    dict_eval: const
    dict_eval: const
    dict_eval: const
    dict_eval: const SSLv3, TLSv1
    dict_eval: const
    dict_eval: const
    dict_eval: const
    dict_eval: const none
    dict_eval: const md5
    dict_eval: const
    dict_eval: const dovecot
    dict_eval: const
    dict_eval: const j {daemon_name} v
    dict_eval: const {tls_version} {cipher} {cipher_bits} {cert_subject} {cert_issuer}
    dict_eval: const i {auth_type} {auth_authen} {auth_author} {mail_addr} {mail_host} {mail_mailer}
    dict_eval: const i {rcpt_addr} {rcpt_host} {rcpt_mailer}
    dict_eval: const i
    dict_eval: const i
    dict_eval: const i
    dict_eval: const
    dict_eval: const 6
    dict_eval: const tempfail
    dict_eval: expand $myhostname -> mail.mydomain.net
    dict_eval: expand $mail_name $mail_version -> Postfix 2.6.6
    dict_eval: const
    dict_eval: const
    dict_eval: const
    dict_eval: const defer_if_permit
    dict_eval: expand $reject_tempfail_action -> defer_if_permit
    dict_eval: expand $reject_tempfail_action -> defer_if_permit
    dict_eval: expand $reject_tempfail_action -> defer_if_permit
    dict_eval: expand $reject_tempfail_action -> defer_if_permit
    dict_eval: const yes
    dict_eval: const yes
    dict_eval: const no
    dict_eval: const yes
    dict_eval: expand ${stress?10}${stress:300}s -> 300s
    dict_eval: expand ${stress?10}${stress:300}s -> 300s
    dict_eval: const 1s
    dict_eval: const 1s
    dict_eval: const 100s
    dict_eval: const 100s
    dict_eval: const 3s
    dict_eval: const 3s
    dict_eval: const 100s
    dict_eval: const 100s
    dict_eval: const 300s
    dict_eval: const 300s
    dict_eval: const 1000s
    dict_eval: const 1000s
    dict_eval: const 300s
    dict_eval: const 300s
    dict_eval: const 3600s
Sorry for the misleading comment above. When you use sasldb you don't need saslauthd running, so you can safely remove it from your startup scripts. You should run saslauthd when you do password checking through system users, LDAP or a remote IMAP server.

The first step is to create the sasldb database with the saslpasswd2 binary:

    # saslpasswd2 -c username@example.com
    Password:
    Again (for verification):

Verify it by running sasldblistusers2:

    # sasldblistusers2
    username@example.com: userPassword

This stores the database in the sasldb2 file, which on my system is /etc/sasldb2. Because we need Postfix (through the SASL library) to read it, change the group of this file so that Postfix can read it:

    # ls -l /etc/sasldb2
    -rw-r----- 1 root root 12288 Feb 27 06:09 /etc/sasldb2
    # chgrp postfix /etc/sasldb2
    # ls -l /etc/sasldb2
    -rw-r----- 1 root postfix 12288 Feb 27 06:09 /etc/sasldb2

Your /etc/sasl2/smtpd.conf above is fine:

    pwcheck_method: auxprop
    auxprop_plugin: sasldb
    mech_list: PLAIN LOGIN

Then test it:

- Generate the Base64 string in the PLAIN credential format:

    # echo -ne '\000username@example.com\000thepassword' | openssl base64
    SomERandOMCharActER

- Test the credentials:

    telnet localhost 25
    Trying ::1...
    Connected to localhost.
    Escape character is '^]'.
    220 mail.example.com ESMTP Postfix
    EHLO localhost
    250-mail.example.com
    250-PIPELINING
    250-SIZE 10240000
    250-VRFY
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    AUTH PLAIN SomERandOMCharActER
    235 2.7.0 Authentication successful

Tested on CentOS 6.5 with Postfix 2.3.3 and Cyrus SASL version 2.1.

Reference:

PS: If you still run into problems, please post the output of the saslfinger binary: saslfinger -s. You can download it from the Postfix book author's website.
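The Base64 argument handed to AUTH PLAIN above is the RFC 4616 message `[authzid] NUL authcid NUL password`. The script below is an added example, not part of this answer and not code from Postfix or Cyrus SASL: it builds and parses that message in Python and checks it against a small dictionary that stands in for the sasldb2 file, whose entries are realm-qualified (`user@realm`, exactly as sasldblistusers2 prints them). The store contents, the realm names and the assumption that a bare username is looked up under the server's local SASL realm (mail.primary.net here, following the question's `smtpd_sasl_local_domain=$myhostname`) are constructed for the demonstration.

```python
from __future__ import annotations

import base64
import binascii
import hmac

# Constructed stand-in for /etc/sasldb2. Cyrus keys entries by user@realm, which is
# what "sasldblistusers2" prints (e.g. username@example.com: userPassword).
SASLDB = {
    "alice@primary.net": "alice-pass",
    "bob@seconddomain.org": "bob-pass",
}

# Assumed default realm: when the client sends a bare username, the sasldb lookup
# is qualified with the server's SASL realm. The question's submission service
# sets smtpd_sasl_local_domain=$myhostname, so mail.primary.net is used here.
DEFAULT_REALM = "mail.primary.net"


def plain_initial_response(authcid: str, password: str, authzid: str = "") -> str:
    """Encode the RFC 4616 message [authzid] NUL authcid NUL password as the AUTH PLAIN argument."""
    for field in (authzid, authcid, password):
        if "\0" in field:
            raise ValueError("NUL is the field separator and may not appear inside a field")
    message = b"\0".join(f.encode("utf-8") for f in (authzid, authcid, password))
    return base64.b64encode(message).decode("ascii")


def parse_plain_initial_response(b64: str) -> tuple[str, str, str]:
    """Decode an AUTH PLAIN argument into (authzid, authcid, password), rejecting malformed input."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("AUTH PLAIN argument is not valid base64") from exc
    parts = raw.split(b"\0")
    if len(parts) != 3:
        raise ValueError("SASL PLAIN message must contain exactly two NUL separators")
    authzid, authcid, password = (p.decode("utf-8") for p in parts)
    if not authcid or not password:
        raise ValueError("authcid and password must be non-empty")
    return authzid, authcid, password


def sasldb_key(authcid: str, default_realm: str = DEFAULT_REALM) -> str:
    """Realm-qualify the name the way the sasldb lookup does: bare names get the default realm."""
    return authcid if "@" in authcid else f"{authcid}@{default_realm}"


def authenticate(b64: str, db: dict[str, str] = SASLDB,
                 default_realm: str = DEFAULT_REALM) -> tuple[bool, str]:
    """Check an AUTH PLAIN argument against the store; returns (ok, key that was looked up)."""
    try:
        _authzid, authcid, password = parse_plain_initial_response(b64)
    except ValueError:
        return False, ""
    key = sasldb_key(authcid, default_realm)
    stored = db.get(key)
    if stored is None:
        return False, key
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8")), key


if __name__ == "__main__":
    # Virtual-domain user sending the full address that was stored with saslpasswd2.
    print(authenticate(plain_initial_response("bob@seconddomain.org", "bob-pass")))
    # Same user sending a bare name is looked up under the default realm and is not found.
    print(authenticate(plain_initial_response("bob", "bob-pass")))
    # Right key, wrong password.
    print(authenticate(plain_initial_response("alice@primary.net", "nope")))
```

The second return value is the lookup key, which is what a log line saying only `SASL PLAIN authentication failed` hides: a client that sends `bob` is checked as `bob@mail.primary.net` under these assumptions, while the entry created with `saslpasswd2 -c bob@seconddomain.org` only matches when the client sends the full address. Comparing that key against `sasldblistusers2` output is the quickest check when a virtual-domain user cannot authenticate.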
If your Postfix runs in a chroot configuration, Postfix cannot access /etc/sasldb2 to look up the authenticated username. To get around this we have two options:

- In master.cf, turn off chroot for the submission, smtpd or smtps service, or for any other service that uses the smtpd binary.
- Move sasldb2 to /var/spool/postfix/etc/, like this post. You can also symlink /var/spool/postfix/etc/sasldb2 to /etc/sasldb2:

    ln -sf /var/spool/postfix/etc/sasldb2 /etc/
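Whether a given smtpd instance is chrooted is decided by the fifth column of its master.cf line, and a `-` there means the version default: chrooted for Postfix before 3.0, not chrooted from 3.0 on (master(5)). The script below is an added example, not from this answer and not Postfix code: it parses a constructed master.cf excerpt modelled on the service lines in the question's saslfinger output, lists the smtpd services that end up chrooted for a given Postfix major version, and reports the path under the queue directory where such a service would actually have to find /etc/sasldb2. The service names and option lines are taken from the question; the version-dependent default is the documented one.

```python
from __future__ import annotations

import os

# Constructed master.cf excerpt, modelled on the service lines in the question's
# saslfinger output (only the first two -o options of submission are kept).
MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       -       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
smtps      inet  n       -       n       -       -       smtpd
pickup     fifo  n       -       n       60      1       pickup
local      unix  -       n       n       -       -       local
"""

FIELDS = ("name", "type", "private", "unpriv", "chroot", "wakeup", "maxproc", "command")


def parse_master_cf(text: str) -> list[dict]:
    """Split master.cf into service records; indented '-o key=value' lines attach to the preceding service."""
    services = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            if not services:
                raise ValueError(f"continuation line before any service: {line!r}")
            services[-1]["options"].append(line.strip())
            continue
        cols = line.split()
        if len(cols) < len(FIELDS):
            raise ValueError(f"malformed master.cf line: {line!r}")
        record = dict(zip(FIELDS, cols))
        record["args"] = cols[len(FIELDS):]
        record["options"] = []
        services.append(record)
    return services


def is_chrooted(chroot_col: str, postfix_major: int) -> bool:
    """Resolve the chroot column: '-' is the version default (y before Postfix 3.0, n from 3.0 on)."""
    if chroot_col == "-":
        return postfix_major < 3
    return chroot_col.lower() == "y"


def chrooted_smtpd_services(text: str, postfix_major: int) -> list[str]:
    """Names of services running the smtpd binary inside the chroot for this Postfix major version."""
    return [
        s["name"]
        for s in parse_master_cf(text)
        if s["command"] == "smtpd" and is_chrooted(s["chroot"], postfix_major)
    ]


def sasldb_path_seen_by(chrooted: bool, queue_directory: str = "/var/spool/postfix",
                        sasldb: str = "/etc/sasldb2") -> str:
    """Where a smtpd process has to find sasldb2 on the real filesystem: inside queue_directory when chrooted."""
    return os.path.join(queue_directory, sasldb.lstrip("/")) if chrooted else sasldb


if __name__ == "__main__":
    for major in (2, 3):
        names = chrooted_smtpd_services(MASTER_CF, major)
        print(f"Postfix {major}.x: chrooted smtpd services = {names or 'none'}")
    print("a chrooted smtpd opens sasldb2 at", sasldb_path_seen_by(True))
```

With the question's Postfix 2.6.6 the `submission` line, which has `-` in the chroot column, resolves to chrooted while `smtp` and `smtps` carry an explicit `n`; that is exactly the case in which `/etc/sasldb2` has to be reachable as `/var/spool/postfix/etc/sasldb2`, or the service's chroot column changed to `n`, for the sasldb lookup to work on the submission port.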