服务器 Gind.cn
  1. 服务器 Gind.cn
  3. 升级到Debian 7:Postfix身份validation失败
Intereting Posts
Linux的foxboardnetworking监视器 stream浪撒哈拉插件 – 多个快照 在ESX4i中重命名vmdk文件 Fedora的firewall-cmd显示比configuration更多的可用服务 成长一个z(1/2) iptables v1.4.21:无法加载匹配`-d':没有这样的文件或目录 Mac os上的dynamic子域名x 将日志文件格式标题添加到Ubuntu的Apace日志中 在个人机器上安全地存储AWS证书 在没有HP Intelligent Provisioning的情况下部署服务器 我如何提高规格? 在Apacheredirect规则上丢弃端口号 远程创build数据库模式的转储 与开发部门的接口 – 任何最佳实践? 强制所有Exchange到Exchange(2010)电子邮件通过外部SMTP网关 Slackware:厨师还是傀儡?

升级到Debian 7:Postfix身份validation失败

我正在升级各种Debian 6服务器到Debian 7.有一些小问题,但这是一个展示塞尔。

在Debian上,Postfix运行在chroot环境中。 该环境设置正确(它在Debian6上工作正常)。

我只使用debian版本库的稳定版本中的软件

相关的(部分)configuration(匿名):

在/ etc / default / saslauthd中: 

START=yes DESC="SASL Authentication Daemon" NAME="saslauthd" MECHANISMS="ldap" MECH_OPTIONS="" THREADS=5 PARAMS=" -m /var/spool/postfix/run/saslauthd -O /etc/saslauthd.conf" OPTIONS=" -m /var/spool/postfix/run/saslauthd -O /etc/saslauthd.conf" PIDFILE="/var/spool/postfix/run/saslauthd/saslauthd.pid"

在/etc/saslauthd.conf中: 

 # With multiple servers, separate URIs with a space ldap_servers: ldaps://my.ldap.server # Don't use SASL to connect to LDAP!! (Use SSL) #ldap_version: 3 ldap_use_sasl: no ldap_bind_dn: uid=courier,ou=roles,dc=mydomain,dc=tld #watch out for trailing whitespace after the pasword! ldap_bind_pw: ####### ldap_timeout: 10 ldap_time_limit: 10 ldap_scope: sub ldap_search_base: ou=people,dc=mydomain,dc=tld ldap_auth_method: bind ldap_filter: (mail=%u) #ldap_filter: (mail=%u@%r) ldap_debug: 1 ldap_verbose: off ldap_referrals: yes # Settings below are needed for ldaps URIs ldap_ssl: yes ldap_start_tls: no ldap_tls_cacert_file: /etc/ssl/certs/allcacerts.pem ldap_tls_cert: /etc/ssl/certs/myserver.mydomain.tld.crt ldap_tls_key: /etc/ssl/private/myserver.mydomain.tld.key

在/etc/postfix/sasl/smtpd.conf中: 

 #global parameters log_level: 5 # WARNING !!! POSTFIX runs in a chrooted jail!! # Need to adjust paths to get the socket available! # adjust this in /etc/defaults/saslauthd # eg: PARAMS=/var/spool/postfix/run/saslauthd/ # real saslauthd_path: /var/spool/postfix/run/saslauthd/mux pwcheck_method: saslauthd saslauthd_path: /run/saslauthd/mux mech_list: PLAIN LOGIN auxprop_plugin: ldapdb #allow_plaintext: true #the database used is /var/spool/postfix/etc/sasldb2

在/etc/postfix/main.cf中 

 #sasl configuration smtpd_sasl_auth_enable = yes smtpd_sasl_path= smtpd smtpd_sasl_security_options = noanonymous smtpd_sasl_local_domain = #broken_sasl_auth_clients = yes # TLS configuration smtpd_use_tls = yes smtpd_tls_loglevel = 1 smtpd_tls_received_header = yes smtpd_tls_key_file = /etc/ssl/private/myserver.mydomain.tld.key #smtpd_tls_cert_file = /etc/ssl/certs/myserver.mydomain.tld.crt smtpd_tls_cert_file = /etc/ssl/certs/myserver.mydomain.tld.pem tls_random_source = dev:/dev/urandom # CAfile is read BEFORE entering chroot jail smtpd_tls_CAfile = /etc/ssl/certs/allcacerts.pem # CApath is used withIN chroot jail #smtpd_tls_CApath = /usr/share/ssl/certs/

赛勒斯SASL在/var/spool/postfix/run/saslauthd/mux有套接字

我testing:

testsaslauthd -s smtpd -f /var/spool/postfix/run/saslauthd/mux -u [email protected] -p PASSWD

给出: 0: OK "Success."

仅供参考:凭证不正确确实失败:)

有了这些结果,我的结论是sasl工作正常。

当我使用'swaks'来testingESMTP身份validation:

swaks -s myserver.mydomain.tld -p 25 -ehlo myclient.mydomain.tld -au [email protected] -ap PASSWD -t [email protected] -f [email protected] 

 === Trying myserver.mydomain.tld:25... === Connected to myserver.mydomain.tld. <- 220 *********************** -> EHLO myclient.mydomain.tld <- 250-myserver.mydomain.tld <- 250-PIPELINING <- 250-SIZE 15360000 <- 250-VRFY <- 250-ETRN <- 250-XXXXXXXA <- 250-AUTH PLAIN LOGIN <- 250-ENHANCEDSTATUSCODES <- 250-8BITMIME <- 250 DSN -> AUTH LOGIN <- 334 VXNlcmgfhgWU6 -> bWFyY2hgh28ubmw= <- 334 UGFzfghdfmQ6 -> bWFyUzYdfghgfhg== <** 535 5.7.8 Error: authentication failed: no mechanism available -> AUTH PLAIN AG1hcmdfhgdfgd1hclM2NW9ndCo= <** 535 5.7.8 Error: authentication failed: no mechanism available *** No authentication type succeeded -> QUIT <- 221 2.0.0 Bye === Connection closed with remote host.

而在日志中: 

 postfix/smtpd[5646]:auxpropfunc error invalid parameter supplied postfix/smtpd[5646]:_sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb postfix/smtpd[5646]:anonuserfunc error -7 postfix/smtpd[5646]:_sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb postfix/smtpd[5646]:warning: unknown[192.168.114.69 : SASL LOGIN authentication failed: no mechanism available postfix/smtpd[5646]:warning: unknown[192.168.114.69 : SASL PLAIN authentication failed: no mechanism available

(IP是客户机)

后缀用户是sasl组的成员。

我知道Debian通过插入一个三元组来改变库的目录结构,使其具有多重能力。

以前是/usr/lib/sasl2/usr/lib/x86_64-linux-gnu/sasl2 (用于x86 64位系统)

我没有将sasl2目录复制到各个地方,以使这些库可用,但它并没有改变。

任何人?

马塞尔

我解决了!

它花了很多的debugging,但一切工作与以下设置:

在/etc/postfix/smtpd.conf中: 

 pwcheck_method: saslauthd saslauthd_path: /run/saslauthd/mux mech_list: PLAIN LOGIN # DO NOT SPECIFY THE AUX_PROP PLUGIN!! #auxprop_plugin: ldapdb

在/etc/saslauthd.conf中: 

 ... ldap_auth_method: bind #ldap_filter: (mail=%u) ldap_filter: (mail=%u@%r) ...

最初我有这个filter,但因为我看到在LDAP日志loginattempts [email protected]@ ,我已经改变了filter(看我原来的post)。

! 我只需要注释掉auxprop_plugin设置!

但请注意,在我的系统设置中,我使用ldap后端。

马塞尔

警告:localhost [127.0.0.1]:SASL PLAIN身份validation失败:没有可用的机制

我有同样的问题,但我使用MySQL。 注释掉这行后: #auxprop_plugin ,一切正常! 

 pwcheck_method: saslauthd mech_list: plain login cram-md5 digest-md5 allow_plaintext: true #auxprop_plugin: sql sql_engine: mysql sql_hostnames: 127.0.0.1 sql_user: postfix sql_passwd: pass sql_database: postfix loglevel: 0 sql_select: select password from mailbox where username = '%u@%r'