Postfix + SASLv2 + MySQL + PAM Auth

[Bummibaer]

Hallo Forum,

Postfix 2 mit SASL2 ist auf dem Server installiert. Es werden nur virtuelle User Accounts (über MySQL) verwendet.

cyrus-sasl2, cyrus-sasl2-saslauthd, courier-imap und postfix mit SASL2, TLS (SSL & TLS), MySQL und OpenLDAP wurden aus den Ports verwendet. Symbolic link von /usr/local/lib/sasl2 auf /usr/lib/sasl2 wurde gesetzt.

/var/state/saslauthd ist vorhanden:

Code:

0 srwxrwxrwx  1 root  mail  0 Aug  8 17:27 mux
0 -rw-------  1 root  mail  0 Aug  8 17:27 mux.accept
2 -rw-------  1 root  mail  6 Aug  8 17:27 saslauthd.pid

Edit: /usr/local/lib/sasl2/smtpd.conf:

Code:

pwcheck_method: saslauthd
auto_transition: yes
mech_list: pam

postconf -m:

Code:

static
sdbm
cidr
pcre
regexp
environ
mysql
proxy
ldap
btree
unix
hash

In /usr/local/sbin/: ./saslauthd -v

Code:

saslauthd 2.1.19
authentication mechanisms: sasldb getpwent pam rimap

./saslauthd -a pam -d -V

Code:

saslauthd[37716] :main            : num_procs  : 5
saslauthd[37716] :main            : mech_option: NULL
saslauthd[37716] :main            : run_path   : /var/state/saslauthd
saslauthd[37716] :main            : auth_mech  : pam
saslauthd[37716] :ipc_init        : using accept lock file: /var/state/saslauthd/mux.accept
saslauthd[37716] :detach_tty      : master pid is: 0
saslauthd[37716] :ipc_init        : listening on socket: /var/state/saslauthd/mux
saslauthd[37716] :main            : using process model
saslauthd[37716] :have_baby       : forked child: 37717
saslauthd[37717] :get_accept_lock : acquired accept lock
saslauthd[37716] :have_baby       : forked child: 37718
saslauthd[37716] :have_baby       : forked child: 37719
saslauthd[37716] :have_baby       : forked child: 37720

Fazit: saslauthd scheint vorhanden und läuft schon mal.

Beim Zugriff mittels SMTP zum Mailversand tritt folgender Fehler auf:

Code:

05:33:31 km1601 postfix/postfix-script: starting the Postfix mail system
05:33:31 km1601 postfix/master[44811]: daemon started -- version 2.1.4
05:33:58 km1601 postfix/smtpd[44817]: starting TLS engine
05:33:58 km1601 postfix/master[44811]: warning: process /usr/local/libexec/postfix/smtpd pid 44817 killed by signal 10
05:33:58 km1601 postfix/master[44811]: warning: /usr/local/libexec/postfix/smtpd: bad command startup -- throttling

Die Ausgabe von ldd /usr/local/libexec/postfix/smtpd:

Code:

libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x280ae000)
        libpam.so.1 => /usr/lib/libpam.so.1 (0x280c2000)
        libcrypt.so.2 => /usr/lib/libcrypt.so.2 (0x280cc000)
        libssl.so.3 => /usr/lib/libssl.so.3 (0x280e5000)
        libcrypto.so.3 => /usr/lib/libcrypto.so.3 (0x28114000)
        libm.so.2 => /usr/lib/libm.so.2 (0x2820b000)
        libz.so.2 => /usr/lib/libz.so.2 (0x28226000)
        libldap-2.2.so.7 => /usr/local/lib/libldap-2.2.so.7 (0x28233000)
        liblber-2.2.so.7 => /usr/local/lib/liblber-2.2.so.7 (0x2825e000)
        libpcre.so.0 => /usr/local/lib/libpcre.so.0 (0x28269000)
        libc.so.4 => /usr/lib/libc.so.4 (0x28274000)
        libssl.so.3 => /usr/local/lib/libssl.so.3 (0x2830d000)
        libcrypto.so.3 => /usr/local/lib/libcrypto.so.3 (0x2833b000)

ldd /usr/local/sbin/saslauthd:

Code:

libcrypt.so.2 => /usr/lib/libcrypt.so.2 (0x2806f000)
        libpam.so.1 => /usr/lib/libpam.so.1 (0x28088000)
        libc.so.4 => /usr/lib/libc.so.4 (0x28092000)

Ausschnitte aus der /usr/local/etc/postfix/main.cf:

Code:

disable_vrfy_command = yes
smtpd_helo_required = yes
smtpd_banner = $myhostname ESMTP
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 10
smtpd_hard_error_limit = 20
....
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /usr/local/etc/postfix/imapd.pem
smtpd_tls_cert_file = /usr/local/etc/postfix/imapd.pem
smtpd_tls_CAfile = /usr/local/etc/postfix/imapd.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
...
smtpd_client_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_rbl_client dul.dnsbl.sorbs.net,
    reject_rbl_client relays.ordb.org,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client sbl-xbl.spamhaus.org,
    permit

...
smtpd_helo_restrictions =
    permit_mynetworks,   
    permit_sasl_authenticated,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    permit
....
smtpd_sender_restrictions =
     reject_unknown_sender_domain,
     reject_non_fqdn_sender,

    default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what]
    blocked using $rbl_domain${rbl_reason?; $rbl_reason}

smtpd_expansion_filter = t40!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~

smtpd_recipient_restrictions =
     permit_mynetworks,
     permit_sasl_authenticated,
     reject_non_fqdn_hostname,
     reject_non_fqdn_sender,
     reject_non_fqdn_recipient,
     reject_unauth_destination,   
     reject_unauth_pipelining,
     reject_invalid_hostname,
     reject_rbl_client opm.blitzed.org,
     reject_rbl_client list.dsbl.org,
     reject_rbl_client proxies.relays.monkeys.com,
     reject_rbl_client relays.ordb.org,
     reject_rbl_client relays.osirusoft.com,
     reject_rbl_client bl.spamcop.net,
     reject_rbl_client sbl.spamhaus.org
     smtpd_sasl_auth_enable = yes
     smtpd_sasl_local_domain =
     smtpd_sasl_security_options = noanonymous
... usw...

Der saslauthd ist gestartet und läuft mit -a pam.

Die /etc/pam.conf wurde angepasst. Hier ein Ausschnitt:

Code:

# postfix, courier-imap
smtp	auth	required	pam_mysql.so			host=localhost user=postfixuser passwd=postfixpassword db=postfix table=mailbox usercolumn=username passwdcolumn=password sqllog=0			
smtp	auth 	sufficient	pam_mysql.so			host=localhost user=postfixuser passwd=postfixpassword db=postfix table=mailbox usercolumn=username passwdcolumn=password sqllog=0
imap    auth    required	pam_mysql.so			host=localhost user=postfixuser passwd=postfixpassword db=postfix table=mailbox usercolumn=username passwdcolumn=password crypt=1
imap    account required	pam_unix.so			try_first_pass
imap    session required	pam_permit.so
pop3	auth	required	pam_unix.so			host=localhost user=postfixuser passwd=postfixpassword db=postfix table=mailbox usercolumn=username passwdcolumn=password crypt=1

Ausschnitt aus der /etc/rc.conf:

Code:

# Sendmail ausnoggern durch Postfix
sendmail_enable="YES"
sendmail_flags="-bd"
sendmail_pidfile="/var/spool/postfix/pid/master.pid"
sendmail_outbound_enable="NO"
sendmail_submit_enable="NO"
sendmail_msp_queue_enable="NO"

# SASLAUTHD
sasl_saslauthd_enable="YES"
sasl_saslauthd_flags="-a pam"

Beim Test mit Telnet kommt Connection refused. Danach folgt der Eintrag (vgl. oben) im maillog. Mit einem Mail Client tritt der selbe Effekt auf.

Code:

telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.*******.de.
Escape character is '^]'.
Connection closed by foreign host.

pam_mysql-0.5_1 A pam module for authenticating with MySQL ist installiert.

Was könnte falsch sein ?

Gruß Bummibaer