Postfix SMTP Auth

Steve Cowles steve at stevecowles.com
Wed Jan 14 15:41:48 UTC 2004


----- Original Message ----- 
From: "Jason Wellman" <nimh at netmagi.net>
>
> Hey all,
>
> I have searched the mail archives and Google trying to solve my Postfix
> SMTP AUTH issue.
>
> I have read the document:
>
> /usr/share/doc/postfix-2.0.11/README-Postfix-SASL-RedHat.txt
>
> And performed all the tasks it outlines but I am getting the errors
> (hostnames edited of course):
>
> Jan 13 17:36:37 XXX postfix/smtpd[13820]: connect from XXX.net[1.1.1.1]
> Jan 13 17:36:37 XXX postfix/smtpd[13820]: warning: SASL authentication
> problem: unable to open Berkeley db /etc/sasldb2: No such file or
> directory
> Jan 13 17:36:37 XXX postfix/smtpd[13820]: warning: SASL authentication
> problem: unable to open Berkeley db /etc/sasldb2: No such file or
> directory
> Jan 13 17:36:37 XXX postfix/smtpd[13820]: warning: SASL authentication
> failure: no secret in database
> Jan 13 17:36:37 XXX postfix/smtpd[13820]: warning: XXX.net[1.1.1.1]:
> SASL CRAM-MD5 authentication failed
> Jan 13 17:37:31 XXX postfix/smtpd[13820]: lost connection after AUTH
> from XXX.net[1.1.1.1]
> Jan 13 17:37:31 XXX postfix/smtpd[13820]: disconnect from XXX.net[1.1.1.1]
>

It looks like you may have already performed some of the following tasks,
but I'm going to mention them anyway. The following works at my end.

1) Recompile postfix to support sasl version 2? i.e.
[scowles@voyager scowles]$ rpm -q postfix
postfix-2.0.16-8.pcre.sasl2.tls.rh9

2) After adding users to /etc/sasldb2 using the saslpasswd2 command, did you
copy /etc/sasldb2 to the postfix chrooted etc directory? i.e.
/var/spool/postfix/etc

3) Define the auth method to be used in /usr/lib/sasl2/smtpd.conf. NOTE: I
do NOT run saslauthd
[scowles@voyager sasl2]$ pwd
/usr/lib/sasl2
[scowles@voyager sasl2]$ cat smtpd.conf
pwcheck_method: auxprop
realm: mail.mydomain.tld

4) Add the sasl related entries to /etc/postfix/main.cf
[scowles@voyager postfix]$ pwd
/etc/postfix
[scowles@voyager postfix]$ grep sasl main.cf
smtpd_sasl_auth_enable = yes
smtpd_sasl2_auth_enable = yes
smtpd_sasl_local_domain = mail.mydomain.tld
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes

...and the following:
smtpd_recipient_restrictions =
[snip...]
  permit_mynetworks
  permit_sasl_authenticated
  reject

Note the order of the permits. I allow users that match "mynetworks" to send
e-mail without authenticating.

Steve Cowles
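
Added example, not part of the original message or of Postfix: a shell function that audits the files named in steps 2 to 4 above, including two things the steps imply but do not check (a chroot copy of sasldb2 that has gone stale, and a world-readable database). The function name and its optional ROOT prefix argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post.
# The optional ROOT argument is an assumption added for testing against a
# copy of the tree; with no argument the live paths are checked.
check_postfix_sasl() {
    root="${1:-}"
    src="$root/etc/sasldb2"
    jail="$root/var/spool/postfix/etc/sasldb2"
    sasl_conf="$root/usr/lib/sasl2/smtpd.conf"
    main_cf="$root/etc/postfix/main.cf"
    problems=0
    note() { echo "PROBLEM: $1"; problems=$((problems + 1)); }

    # Step 2: the database must exist both outside and inside the chroot.
    [ -f "$src" ] || note "$src missing (add users with saslpasswd2)"
    if [ ! -f "$jail" ]; then
        note "$jail missing (chrooted smtpd cannot open the database)"
    elif [ -f "$src" ] && ! cmp -s "$src" "$jail"; then
        # The copy goes stale whenever saslpasswd2 changes the original.
        note "$jail differs from $src (copy it again)"
    fi
    # With auxprop the database holds the users' secrets, so neither copy
    # should be readable by every local account.
    for f in "$src" "$jail"; do
        if [ -f "$f" ] && [ -n "$(find "$f" -perm -004)" ]; then
            note "$f is world-readable"
        fi
    done
    # Step 3: auxprop lookup instead of saslauthd.
    grep -Eq '^[[:space:]]*pwcheck_method:[[:space:]]*auxprop' "$sasl_conf" 2>/dev/null ||
        note "$sasl_conf does not set pwcheck_method: auxprop"
    # Step 4: SASL enabled and authenticated senders permitted.
    grep -Eq '^smtpd_sasl_auth_enable[[:space:]]*=[[:space:]]*yes' "$main_cf" 2>/dev/null ||
        note "$main_cf does not set smtpd_sasl_auth_enable = yes"
    grep -v '^[[:space:]]*#' "$main_cf" 2>/dev/null | grep -q 'permit_sasl_authenticated' ||
        note "$main_cf never lists permit_sasl_authenticated"

    [ "$problems" -eq 0 ]
}
# Usage on the mail server: check_postfix_sasl
```

The function prints one PROBLEM line per finding and returns non-zero if there is at least one.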




