Postfix: SASL authentication failure: cannot connect to saslauthd server: Permission denied

I had a Postfix / Dovecot server up and running for about a week, until I had to reboot it. When I did, things stopped working. I have been searching for hours to no avail.

IMAP authenticates successfully (even though Dovecot is configured to piggyback on Postfix's authentication). Postfix does not, and instead fails with the following error: `SASL authentication failure: cannot connect to saslauthd server: Permission denied`

I have tried adding the postfix user to the saslauth group (not sasl, according to several Google results). That did not change anything. Postfix does not seem to have a /var/spool/postfix/var/ directory at all (it has no /var/, /etc/ or anything else), so there are no /var/run/saslauthd permissions that could be modified. However, it worked before the reboot, so I don't think that is the issue.

I have started saslauthd in debugging mode and it outputs nothing at all. I have searched everywhere and tried every solution I could find, but nothing seems to help.

Postfix is configured for the PLAIN and LOGIN authorization mechanisms. saslauthd is configured to use PAM auth (changing it to shadow did not work).

I apologize if this is poorly worded; it is now 12 midnight and I have been working on this since 9:45 PM.

doveconf -n:

    # 2.2.13: /etc/dovecot/dovecot.conf
    # OS: Linux 3.14.5-200.fc20.x86_64 x86_64 Fedora release 20 (Heisenbug)
    auth_mechanisms = plain login
    mail_location = maildir:~/Maildir
    mbox_write_locks = fcntl
    namespace inbox {
      inbox = yes
      location =
      mailbox Drafts {
        auto = create
        special_use = \Drafts
      }
      mailbox Junk {
        auto = create
        special_use = \Junk
      }
      mailbox Sent {
        special_use = \Sent
      }
      mailbox "Sent Messages" {
        special_use = \Sent
      }
      mailbox Trash {
        auto = create
        special_use = \Trash
      }
      prefix =
    }
    passdb {
      driver = pam
    }
    protocols = imap pop3
    ssl = required
    ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
    ssl_cipher_list = EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4
    ssl_key = </etc/pki/dovecot/private/dovecot.pem
    ssl_prefer_server_ciphers = yes
    ssl_protocols = !SSLv2 !SSLv3
    userdb {
      driver = passwd
    }

postconf -n:

    alias_database = hash:/etc/aliases
    alias_maps = hash:/etc/aliases
    broken_sasl_auth_clients = yes
    command_directory = /usr/sbin
    config_directory = /etc/postfix
    daemon_directory = /usr/libexec/postfix
    data_directory = /var/lib/postfix
    debug_peer_level = 2
    debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
    home_mailbox = Maildir/
    html_directory = no
    inet_interfaces = all
    inet_protocols = all
    mail_owner = postfix
    mailq_path = /usr/bin/mailq.postfix
    manpage_directory = /usr/share/man
    mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
    mydomain = (example.com)
    myhostname = mail.(example.com)
    mynetworks = 127.0.0.0/8
    myorigin = $mydomain
    newaliases_path = /usr/bin/newaliases.postfix
    queue_directory = /var/spool/postfix
    readme_directory = /usr/share/doc/postfix/README_FILES
    sample_directory = /usr/share/doc/postfix/samples
    sendmail_path = /usr/sbin/sendmail.postfix
    setgid_group = postdrop
    smtp_header_checks = regexp:/etc/postfix/smtp_header_checks
    smtp_tls_note_starttls_offer = yes
    smtp_use_tls = yes
    smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_type = cyrus
    smtpd_tls_auth_only = no
    smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
    smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    smtpd_use_tls = yes
    tls_random_source = dev:/dev/urandom
    unknown_local_recipient_reject_code = 550

master.cf:

    # Postfix master process configuration file.  For details on the format
    # of the file, see the master(5) manual page (command: "man 5 master").
    #
    # Do not forget to execute "postfix reload" after editing this file.
    #
    # ==========================================================================
    # service type  private unpriv  chroot  wakeup  maxproc command + args
    #               (yes)   (yes)   (yes)   (never) (100)
    # ==========================================================================
    smtp      inet  n       -       n       -       -       smtpd
    smtps     inet  n       -       n       -       -       smtpd
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_reject_unlisted_sender=yes
      -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
      -o broken_sasl_auth_clients=yes
    #smtp      inet  n       -       n       -       1       postscreen
    #smtpd     pass  -       -       n       -       -       smtpd
    #dnsblog   unix  -       -       n       -       0       dnsblog
    #tlsproxy  unix  -       -       n       -       0       tlsproxy
    #submission inet n       -       n       -       -       smtpd
    #  -o syslog_name=postfix/submission
    #  -o smtpd_tls_security_level=encrypt
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_reject_unlisted_recipient=no
    #  -o smtpd_client_restrictions=$mua_client_restrictions
    #  -o smtpd_helo_restrictions=$mua_helo_restrictions
    #  -o smtpd_sender_restrictions=$mua_sender_restrictions
    #  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING
    #smtps     inet  n       -       n       -       -       smtpd
    #  -o syslog_name=postfix/smtps
    #  -o smtpd_tls_wrappermode=yes
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_reject_unlisted_recipient=no
    #  -o smtpd_client_restrictions=$mua_client_restrictions
    #  -o smtpd_helo_restrictions=$mua_helo_restrictions
    #  -o smtpd_sender_restrictions=$mua_sender_restrictions
    #  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING
    #628       inet  n       -       n       -       -       qmqpd
    pickup    unix  n       -       n       60      1       pickup
    cleanup   unix  n       -       n       -       0       cleanup
    qmgr      unix  n       -       n       300     1       qmgr
    #qmgr     unix  n       -       n       300     1       oqmgr
    tlsmgr    unix  -       -       n       1000?   1       tlsmgr
    rewrite   unix  -       -       n       -       -       trivial-rewrite
    bounce    unix  -       -       n       -       0       bounce
    defer     unix  -       -       n       -       0       bounce
    trace     unix  -       -       n       -       0       bounce
    verify    unix  -       -       n       -       1       verify
    flush     unix  n       -       n       1000?   0       flush
    proxymap  unix  -       -       n       -       -       proxymap
    proxywrite unix -       -       n       -       1       proxymap
    smtp      unix  -       -       n       -       -       smtp
    relay     unix  -       -       n       -       -       smtp
    #       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
    showq     unix  n       -       n       -       -       showq
    error     unix  -       -       n       -       -       error
    retry     unix  -       -       n       -       -       error
    discard   unix  -       -       n       -       -       discard
    local     unix  -       n       n       -       -       local
    virtual   unix  -       n       n       -       -       virtual
    lmtp      unix  -       -       n       -       -       lmtp
    anvil     unix  -       -       n       -       1       anvil
    scache    unix  -       -       n       -       1       scache
    #
    # ====================================================================
    # Interfaces to non-Postfix software. Be sure to examine the manual
    # pages of the non-Postfix software to find out what options it wants.
    #
    # Many of the following services use the Postfix pipe(8) delivery
    # agent.  See the pipe(8) man page for information about ${recipient}
    # and other message envelope options.
    # ====================================================================
    #
    # maildrop. See the Postfix MAILDROP_README file for details.
    # Also specify in main.cf: maildrop_destination_recipient_limit=1
    #
    #maildrop  unix  -       n       n       -       -       pipe
    #  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
    #
    # ====================================================================
    #
    # Recent Cyrus versions can use the existing "lmtp" master.cf entry.
    #
    # Specify in cyrus.conf:
    #   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
    #
    # Specify in main.cf one or more of the following:
    #  mailbox_transport = lmtp:inet:localhost
    #  virtual_transport = lmtp:inet:localhost
    #
    # ====================================================================
    #
    # Cyrus 2.1.5 (Amos Gouaux)
    # Also specify in main.cf: cyrus_destination_recipient_limit=1
    #
    #cyrus     unix  -       n       n       -       -       pipe
    #  user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
    #
    # ====================================================================
    #
    # Old example of delivery via Cyrus.
    #
    #old-cyrus unix  -       n       n       -       -       pipe
    #  flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
    #
    # ====================================================================
    #
    # See the Postfix UUCP_README file for configuration details.
    #
    #uucp      unix  -       n       n       -       -       pipe
    #  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
    #
    # ====================================================================
    #
    # Other external delivery methods.
    #
    #ifmail    unix  -       n       n       -       -       pipe
    #  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
    #
    #bsmtp     unix  -       n       n       -       -       pipe
    #  flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
    #
    #scalemail-backend unix -       n       n       -       2       pipe
    #  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
    #  ${nexthop} ${user} ${extension}
    #
    #mailman   unix  -       n       n       -       -       pipe
    #  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
    #  ${nexthop} ${user}

The saslauthd run_path is /run/saslauthd

Tell saslauthd to create its socket inside Postfix's chroot jail via the -m option, e.g. -m /var/spool/postfix/var/run/saslauthd. On my Ubuntu I added this line to /etc/default/saslauthd:

  OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd" 

Then I did

    service saslauthd stop
    mkdir -p /var/spool/postfix/var/run
    mv /var/run/saslauthd /var/spool/postfix/var/run/
    service saslauthd start

If other services (such as the IMAP service) expect to find /var/run/saslauthd, you may need to leave a symlink in the old place:

  ln -s /var/spool/postfix/var/run/saslauthd/ /var/run/ 

If /var/run/ is a tmpfs, you may have to create this link after every boot, e.g. somewhere inside /etc/init.d/saslauthd.

I just ran into a similar problem and ended up using a bind mount from the Postfix chroot jail to the SASL auth daemon's preferred path:

    mkdir -p /var/spool/postfix/var/run/saslauthd
    chgrp sasl /var/spool/postfix/var/run/saslauthd
    mount --bind /var/spool/postfix/var/run/saslauthd /var/run/saslauthd

I also had to change permissions slightly to allow Postfix to traverse (-x) into that directory. (I did not change the permissions on the Postfix directory /var/spool/postfix.) That is why I used a bind mount: changing Postfix's permissions seemed more troublesome than changing the "other execute" permission on the saslauthd directory that contains the Unix domain socket and PID file.

I would still welcome pointers to a better HOWTO on enabling Postfix with saslauthd.

By the way, although I came up with this workaround myself, the next link in Google after this Serverfault entry (for me, at this time) was this:

https://github.com/webmin/webmin/issues/58

It is a more detailed description of the problem and the solution. Basically the same as what I came up with myself.
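Both of the answers above (relocating the socket with -m, and the bind mount) come down to the same requirement: once smtpd is chrooted into /var/spool/postfix, the saslauthd socket must exist inside that tree, every directory on the way must carry a traverse (x) bit for the postfix user, and the socket itself must be writable to it. The following diagnostic is an added example, not code from the original thread; `check_saslauthd_socket`, `build_demo_chroot`, the constructed temp tree and uid 99999 are assumptions, while `mux` is saslauthd's default socket file name.

```python
import os
import socket
import stat
import tempfile

def _allowed(st, uid, gids, ubit, gbit, obit):
    """Owner/group/other DAC check of one permission bit for a non-root uid."""
    if st.st_uid == uid:
        return bool(st.st_mode & ubit)
    if st.st_gid in gids:
        return bool(st.st_mode & gbit)
    return bool(st.st_mode & obit)

def check_saslauthd_socket(chroot, sock_in_chroot, uid, gids):
    """Problems stopping `uid`, chrooted into `chroot`, from connecting to the
    saslauthd socket at `sock_in_chroot` (path as seen inside the jail)."""
    problems, path = [], chroot
    for part in sock_in_chroot.strip("/").split("/"):
        if not os.path.lexists(path):
            return problems + [f"missing: {path}"]
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):  # a chrooted smtpd resolves links inside the jail
            return problems + [f"symlink (not followed inside the chroot): {path}"]
        if not stat.S_ISDIR(st.st_mode):
            return problems + [f"not a directory: {path}"]
        if not _allowed(st, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            problems.append(f"no traverse (x) bit for uid {uid} on {path} (mode {stat.S_IMODE(st.st_mode):04o})")
        path = os.path.join(path, part)
    if not os.path.lexists(path):
        return problems + [f"socket missing inside chroot: {path}"]
    st = os.lstat(path)
    if not stat.S_ISSOCK(st.st_mode):
        problems.append(f"not a unix socket: {path}")
    elif not _allowed(st, uid, gids, stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH):
        problems.append(f"socket not writable by uid {uid} (connect needs w): {path}")
    return problems

def build_demo_chroot(sockdir_mode=0o755):
    """Constructed sample: a fake /var/spool/postfix tree with a real socket inode `mux`."""
    root = tempfile.mkdtemp()
    sockdir = os.path.join(root, "var", "run", "saslauthd")
    os.makedirs(sockdir)
    with socket.socket(socket.AF_UNIX) as srv:
        srv.bind(os.path.join(sockdir, "mux"))  # the socket inode survives close()
    for p in (root, os.path.join(root, "var"), os.path.join(root, "var", "run")):
        os.chmod(p, 0o755)
    os.chmod(sockdir, sockdir_mode)  # 0o750 mimics a saslauthd dir lacking "other execute"
    os.chmod(os.path.join(sockdir, "mux"), 0o666)
    return root
```

Running `check_saslauthd_socket(build_demo_chroot(0o750), "/var/run/saslauthd/mux", 99999, {99999})` reports exactly the missing traverse bit that the bind-mount answer had to fix by hand; an empty list means the chrooted daemon can reach the socket.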

You could also try adding the postfix user to the sasl group.