SASL PLAIN authenticates with the primary domain but not with the virtual domain

Postfix + dovecot SASL. Works so far with 1 domain.

Added a virtual domain. Incoming mail works for it. But outgoing SASL authentication fails.

Why it fails, I don't know.

/etc/sasl2/smtpd.conf looks like:

    pwcheck_method: auxprop
    auxprop_plugin: sasldb
    mech_list: PLAIN LOGIN

postconf -n output:

    alias_database = hash:/etc/aliases
    alias_maps = hash:/etc/aliases
    broken_sasl_auth_clients = yes
    command_directory = /usr/sbin
    config_directory = /etc/postfix
    daemon_directory = /usr/libexec/postfix
    data_directory = /var/lib/postfix
    debug_peer_level = 2
    html_directory = no
    inet_interfaces = all
    inet_protocols = all
    mail_owner = postfix
    mailbox_size_limit = 0
    mailq_path = /usr/bin/mailq.postfix
    manpage_directory = /usr/share/man
    message_size_limit = 40960000
    mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, mail.$mydomain
    mydomain = primary.net
    myhostname = mail.primary.net
    myorigin = $myhostname
    newaliases_path = /usr/bin/newaliases.postfix
    queue_directory = /var/spool/postfix
    readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
    relay_domains = $mydestination, primary.net, seconddomain.org
    sample_directory = /usr/share/doc/postfix-2.6.6/samples
    sendmail_path = /usr/sbin/sendmail.postfix
    setgid_group = postdrop
    smtpd_client_restrictions = permit_sasl_authenticated
    smtpd_data_restrictions = reject_unauth_pipelining
    smtpd_helo_required = yes
    smtpd_helo_restrictions = reject_non_fqdn_hostname
    smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_invalid_hostname, reject_unauth_pipelining, reject_unauth_destination, reject_rbl_client sbl-xbl.spamhaus.org, permit
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_path = private/auth
    smtpd_sasl_type = dovecot
    smtpd_sender_restrictions = reject_unknown_sender_domain
    soft_bounce = no
    unknown_local_recipient_reject_code = 550
    virtual_alias_domains = mail.seconddomain.org
    virtual_alias_maps = hash:/etc/postfix/virtual

The virtual alias domain works. But when I try to authenticate with the virtual domain, maillog throws the error:

  SASL PLAIN authentication failed 

Any ideas where I should look?

Update #1:

Following the instructions below, I still can't authenticate, so I installed saslfinger; here is the output:

    saslfinger - postfix Cyrus sasl configuration Tue Mar 24 07:23:10 GMT 2015
    version: 1.0.2
    mode: server-side SMTP AUTH

    -- basics --
    Postfix: 2.6.6
    System: CentOS release 6.5 (Final)

    -- smtpd is linked to --
        libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00007ff8b9655000)

    -- active SMTP AUTH and TLS parameters for smtpd --
    broken_sasl_auth_clients = yes
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_authenticated_header = no
    smtpd_sasl_path = private/auth
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_type = dovecot

    -- listing of /usr/lib64/sasl2 --
    total 504
    drwxr-xr-x.  2 root root  4096 Sep 15  2013 .
    dr-xr-xr-x. 43 root root 20480 Jun 20  2014 ..
    -rwxr-xr-x.  1 root root 18776 Nov 27  2012 libanonymous.so
    -rwxr-xr-x.  1 root root 18776 Nov 27  2012 libanonymous.so.2
    -rwxr-xr-x.  1 root root 18776 Nov 27  2012 libanonymous.so.2.0.23
    -rwxr-xr-x   1 root root 22936 Nov 27  2012 libcrammd5.so
    -rwxr-xr-x   1 root root 22936 Nov 27  2012 libcrammd5.so.2
    -rwxr-xr-x   1 root root 22936 Nov 27  2012 libcrammd5.so.2.0.23
    -rwxr-xr-x   1 root root 52088 Nov 27  2012 libdigestmd5.so
    -rwxr-xr-x   1 root root 52088 Nov 27  2012 libdigestmd5.so.2
    -rwxr-xr-x   1 root root 52088 Nov 27  2012 libdigestmd5.so.2.0.23
    -rwxr-xr-x.  1 root root 18808 Nov 27  2012 liblogin.so
    -rwxr-xr-x.  1 root root 18808 Nov 27  2012 liblogin.so.2
    -rwxr-xr-x.  1 root root 18808 Nov 27  2012 liblogin.so.2.0.23
    -rwxr-xr-x.  1 root root 18808 Nov 27  2012 libplain.so
    -rwxr-xr-x.  1 root root 18808 Nov 27  2012 libplain.so.2
    -rwxr-xr-x.  1 root root 18808 Nov 27  2012 libplain.so.2.0.23
    -rwxr-xr-x.  1 root root 22784 Nov 27  2012 libsasldb.so
    -rwxr-xr-x.  1 root root 22784 Nov 27  2012 libsasldb.so.2
    -rwxr-xr-x.  1 root root 22784 Nov 27  2012 libsasldb.so.2.0.23

    -- listing of /etc/sasl2 --
    total 12
    drwxr-xr-x.  2 root root 4096 Sep 20  2013 .
    drwxr-xr-x. 93 root root 4096 Mar 22 03:43 ..
    -rw-r--r--.  1 root root   70 Mar 24 07:22 smtpd.conf

    -- content of /etc/sasl2/smtpd.conf --
    pwcheck_method: auxprop
    auxprop_plugin: sasldb
    mech_list: PLAIN LOGIN

    -- active services in /etc/postfix/master.cf --
    # service type  private unpriv  chroot  wakeup  maxproc command + args
    #               (yes)   (yes)   (yes)   (never) (100)
    smtp       inet  n       -       n       -       -       smtpd
    submission inet  n       -       -       -       -       smtpd
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_sasl_type=dovecot
      -o smtpd_sasl_path=private/auth
      -o smtpd_sasl_security_options=noanonymous
      -o smtpd_sasl_local_domain=$myhostname
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      -o smtpd_sender_login_maps=hash:/etc/postfix/virtual
    smtps      inet  n       -       n       -       -       smtpd
    pickup     fifo  n       -       n       60      1       pickup
    cleanup    unix  n       -       n       -       0       cleanup
    qmgr       fifo  n       -       n       300     1       qmgr
    tlsmgr     unix  -       -       n       1000?   1       tlsmgr
    rewrite    unix  -       -       n       -       -       trivial-rewrite
    bounce     unix  -       -       n       -       0       bounce
    defer      unix  -       -       n       -       0       bounce
    trace      unix  -       -       n       -       0       bounce
    verify     unix  -       -       n       -       1       verify
    flush      unix  n       -       n       1000?   0       flush
    proxymap   unix  -       -       n       -       -       proxymap
    proxywrite unix  -       -       n       -       1       proxymap
    smtp       unix  -       -       n       -       -       smtp
    relay      unix  -       -       n       -       -       smtp
      -o smtp_fallback_relay=
    showq      unix  n       -       n       -       -       showq
    error      unix  -       -       n       -       -       error
    retry      unix  -       -       n       -       -       error
    discard    unix  -       -       n       -       -       discard
    local      unix  -       n       n       -       -       local
    virtual    unix  -       n       n       -       -       virtual
    lmtp       unix  -       -       n       -       -       lmtp
    anvil      unix  -       -       n       -       1       anvil
    scache     unix  -       -       n       -       1       scache

    -- mechanisms on localhost --
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN

    -- end of saslfinger output --

Update #2:

I enabled verbose mode; here is the output after trying to send an email. Note: I removed the timestamp and `srv postfix/smtpd[29481]:` from each line to make it look a bit smaller:


Sorry for the misleading comment above. When you use sasldb, you don't need saslauthd running, so you can safely remove it from the startup scripts. You should run saslauthd when you do the password check through system users, LDAP or a remote IMAP server.

The first step is to create the sasldb database using the saslpasswd2 binary:

    # saslpasswd2 -c [email protected]
    Password:
    Again (for verification):

Please verify it by running sasldblistusers2:

    # sasldblistusers2
    [email protected]: userPassword

This stores the database in the sasldb2 file; on my system the file is /etc/sasldb2. Because we need postfix (through the SASL library) to read it, change the group of this file so that postfix can read it.

    # ls -l /etc/sasldb2
    -rw-r----- 1 root root 12288 Feb 27 06:09 /etc/sasldb2
    # chgrp postfix /etc/sasldb2
    # ls -l /etc/sasldb2
    -rw-r----- 1 root postfix 12288 Feb 27 06:09 /etc/sasldb2

The /etc/sasl2/smtpd.conf file above is fine.

    pwcheck_method: auxprop
    auxprop_plugin: sasldb
    mech_list: PLAIN LOGIN

Then test it:

  • Generate the Base64 string in the PLAIN credential format

     # echo -ne '\000[email protected]\000thepassword' | openssl base64
     SomERandOMCharActER
  • Test the credentials

     telnet localhost 25
     Trying ::1...
     Connected to localhost.
     Escape character is '^]'.
     220 mail.example.com ESMTP Postfix
     EHLO localhost
     250-mail.example.com
     250-PIPELINING
     250-SIZE 10240000
     250-VRFY
     250-ETRN
     250-AUTH PLAIN LOGIN
     250-ENHANCEDSTATUSCODES
     250-8BITMIME
     250 DSN
     AUTH PLAIN SomERandOMCharActER
     235 2.7.0 Authentication successful

Tested on CentOS 6.5 with postfix 2.3.3 and cyrus sasl 2.1

References:

  • Postfix SASL README
  • A useful tutorial from Tom: Authenticated SMTP with Postfix on CentOS, the easy way

PS: If you still have problems, please post the output of the saslfinger binary:

 saslfinger -s 

You can download it from the website of the author of The Book of Postfix.
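The PLAIN token built by the `echo -ne ... | openssl base64` step and the `user@realm` entries listed by `sasldblistusers2` can both be checked offline. The following is an added example, not code from the answer above; the user names and the listing are constructed, and the lookup rule in `sasldb_lookup` is a simplified model of Cyrus sasldb realm handling (the realm Postfix hands to Cyrus is `smtpd_sasl_local_domain`, set to `$myhostname` in the master.cf on this page), stated as an assumption rather than read from the Cyrus source.

```python
import base64
from typing import Optional

# Constructed sample of `sasldblistusers2` output; not the listing from this page.
SASLDB_LISTING = """\
alice@mail.primary.net: userPassword
bob@seconddomain.org: userPassword
"""


def encode_plain(authcid: str, password: str, authzid: str = "") -> str:
    """Build the base64 SASL PLAIN token (RFC 4616): authzid NUL authcid NUL passwd.
    This is what the openssl one-liner on this page produces, with an empty authzid."""
    for field in (authzid, authcid, password):
        if "\0" in field:
            raise ValueError("NUL is the field separator and cannot appear inside a field")
    if not authcid or not password:
        raise ValueError("authcid and password must be non-empty")
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_plain(token: str) -> tuple:
    """Split a base64 PLAIN token back into (authzid, authcid, password), so an
    `AUTH PLAIN <token>` line from a test session can be checked for a bad NUL layout."""
    raw = base64.b64decode(token, validate=True)
    parts = raw.split(b"\0")
    if len(parts) != 3:
        raise ValueError(f"expected 3 NUL-separated fields, got {len(parts)}")
    return tuple(p.decode("utf-8") for p in parts)


def parse_sasldb_listing(listing: str) -> set:
    """Parse `user@realm: userPassword` lines into the set of stored identities."""
    users = set()
    for line in listing.splitlines():
        ident, sep, _ = line.strip().partition(":")
        if sep and ident:
            users.add(ident.strip())
    return users


def sasldb_lookup(authcid: str, local_domain: str, listing: str) -> Optional[str]:
    """Simplified model (an assumption, not the Cyrus source) of which sasldb entry a
    login selects: a bare user name is qualified with the realm (smtpd_sasl_local_domain),
    a user@domain name is used as given. Returns the entry, or None when PLAIN fails."""
    key = authcid if "@" in authcid else f"{authcid}@{local_domain}"
    return key if key in parse_sasldb_listing(listing) else None
```

A login for a user under the virtual domain only succeeds if an entry with exactly that `user@realm` exists in the database.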


If your postfix runs under a chroot configuration, then postfix cannot access /etc/sasldb2 to verify the user name. To overcome this, we have two options:

  1. In master.cf, turn off chroot for the submission / smtpd / smtps services, or any other service that uses the smtpd binary
  2. Move sasldb2 to /var/spool/postfix/etc/ like this post. You can also symlink /var/spool/postfix/etc/sasldb2 to /etc/sasldb2:

     ln -sf /var/spool/postfix/etc/sasldb2 /etc/
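To see which smtpd services the chroot case above applies to, the chroot column of master.cf can be read the same way saslfinger prints it. This is an added example, not code from the answer; the master.cf excerpt is constructed, and `QUEUE_DIRECTORY` and `SASLDB` are taken from the postconf output and the answer on this page.

```python
import posixpath

# Constructed master.cf excerpt in the layout saslfinger prints; not the file from this page.
MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       -       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_security_options=noanonymous
smtps      inet  n       -       y       -       -       smtpd
pickup     fifo  n       -       n       60      1       pickup
"""

QUEUE_DIRECTORY = "/var/spool/postfix"   # queue_directory from the postconf -n output
SASLDB = "/etc/sasldb2"                  # the database file the answer refers to


def chrooted_smtpd_services(master_cf: str) -> list:
    """Names of master.cf services that run the smtpd daemon inside the chroot.
    Column 5 is the chroot flag: 'y', 'n' or '-' for the default, which is 'y'
    in Postfix 2.x (the 2.6.6 on this page); Postfix 3.0 changed the default to 'n'."""
    found = []
    for line in master_cf.splitlines():
        if not line.strip() or line.startswith("#") or line[0].isspace():
            continue   # blank lines, comments and indented "-o" continuation lines
        cols = line.split()
        if len(cols) < 8:
            continue
        name, chroot, command = cols[0], cols[4], cols[7]
        if command == "smtpd" and chroot in ("-", "y"):
            found.append(name)
    return found


def sasldb_path_seen_by(service_chrooted: bool, sasldb: str = SASLDB,
                        queue_directory: str = QUEUE_DIRECTORY) -> str:
    """Host path that the SASL library actually opens for `sasldb` from a service
    with the given chroot flag: unchanged when not chrooted, rooted at queue_directory
    when chrooted, which is why option 2 moves the file under /var/spool/postfix/etc."""
    if not service_chrooted:
        return sasldb
    return posixpath.join(queue_directory, sasldb.lstrip("/"))
```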