Getting SASL to work

mattch
Posts: 50
Joined: 28 Mar 2018 22:26

Getting SASL to work

Post by mattch »

I followed this post from 2017, but I think some things have changed since then. EFA-4.0.4
https://forum.efa-project.org/viewtopi ... 85#p11085

Make sure you've already run the LetsEncrypt setup (option 15)...
-enable HTTPS, redirect is fine, open port 80.

1) /etc/postfix/main.cf

smtpd_sasl_path = smtpd
smtpd_sasl_auth_enable = yes

2) Create a sasl user in the db.

saslpasswd2 -c -u adomain.com username
# i.e. username@adomain.com

sasldblistusers2
# to verify the user is in the db.

(you can skip this)

testsaslauthd -u username@adomain.com -p secret
or
testsaslauthd -u username@adomain.com -p secret -s smtp

# testing it with testsaslauthd, it always says "NO authentication failed". idk how to fix that
# However, testing AUTH LOGIN through an smtp session, it is authenticating ok.
 
3) Last step took me about a day and a half to figure out :clap: :lol: :idea:

systemctl start saslauthd
systemctl enable saslauthd
systemctl restart postfix
# enable sasl lol

4) Test with your favorite smtp tester, using AUTH LOGIN

----------------------------------------------------------

It seems like most of the steps from the 2017 post were added in recent versions, such as:
-uncomment in master.cf
-and /etc/sasl2/smtpd.conf

----------------------------------------------------------

My intention for enabling sasl is to allow an external service to relay through using auth login, for alerts and stuff. The regular relay based on ip address (menu 7/menu 1) works fine but I'm moving my external service to azure which totally blocks outbound port 25, must use tls/587.
Next step is configure my external service (postfix) to relay through efa using login.
Last edited by mattch on 01 Apr 2024 18:56, edited 1 time in total.
mattch
Posts: 50
Joined: 28 Mar 2018 22:26

Re: Getting SASL to work

Post by mattch »

Well.... I am halfway there :lol:

I did my 'auth login' test using port 25 :doh:
Port 25 authenticates ok but not on 587

Testing on port 587 I get:

535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6

I tested with openssl:

> openssl s_client -starttls smtp -connect server:587 -crlf -ign_eof
 ---
250 SMTPUTF8
ehlo dude
250-server
250-PIPELINING
250-SIZE 133169152
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8

auth login

334 VXNlcm5hbWU6
xxxxx

334 UGFzc3dvcmQ6
xxxxx

535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6

 
Anyone have a suggestion on where to look to get authentication working on port 587? :pray:
It seems like it is not looking towards the sasl database but idk.

Thank you!!
deajan
Posts: 5
Joined: 23 Dec 2020 14:11

Re: Getting SASL to work

Post by deajan »

So I'll answer this for anyone who may actually need this.

So first: saslauthd is compiled without sasldb support on RHEL9 (yes, sounds crazy, was already that way on RHEL7).
Because of this, all testsaslauthd tests will fail, regardless of what you configure.

Step 1: Install cyrus sasl auth mechanisms

dnf install cyrus-sasl*

Step 2: Configure /etc/sasl2/smtpd.conf like this:

pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: plain login CRAM-MD5 DIGEST-MD5

This file is used by postfix when using cyrus sasl (default), and will tell postfix what auth mechanisms are allowed, and what kind of backend we use (here, we use a standard BerkeleyDB file for user/passwords).

Step 3: Create a user

saslpasswd2 -c -u domain.tld username

You can search your users with

sasldblistusers2

Step 4: Make sure postfix can read the sasldb2 file

chown postfix /etc/sasl2/sasldb2

Step 5: Configure postfix
Open /etc/postfix/main.cf and add the following lines

# NPF-MOD for SASL auth
# With smtpd_sasl_type = cyrus this value is the Cyrus application name:
# Cyrus appends ".conf" and looks it up in its config dir (/etc/sasl2 on RHEL),
# so the file /etc/sasl2/smtpd.conf from step 2 is found with the value "smtpd".
smtpd_sasl_path = smtpd
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_forbid_unauth_pipelining = yes
smtpd_discard_ehlo_keywords = chunking, silent-discard
smtpd_sasl_type = cyrus

Step 6: Verify if someone overrides the smtpd_sasl settings
This one drove me nuts. I had to enable debugging in postfix to realize that postfix still used dovecot sasl (tries to auth against the IMAP server) instead of cyrus (sasldb).

Open /etc/postfix/master.cf and search for

-o smtpd_sasl_type=dovecot
under the submission line.
If you have that setting enabled, comment it out.

Step 7: Restart postfix

Step 8: Test postfix
Prepare your login string as a base64 string with the following (the \0s are mandatory)

echo -ne "\0username@domain.tld\0password"|base64

Now open telnet like this and test your auth

telnet localhost 587

Escape character is '^]'.
220 smtp.myserverdomain.tld ESMTP Postfix
EHLO me
250-smtp.myserverdomain.tld
250-PIPELINING
250-SIZE 133169152
250-ETRN
250-STARTTLS
250-AUTH GSS-SPNEGO GSSAPI SCRAM-SHA-256 SCRAM-SHA-1 GS2-KRB5 GS2-IAKERB DIGEST-MD5 CRAM-MD5 NTLM LOGIN PLAIN
250-AUTH=GSS-SPNEGO GSSAPI SCRAM-SHA-256 SCRAM-SHA-1 GS2-KRB5 GS2-IAKERB DIGEST-MD5 CRAM-MD5 NTLM LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8
AUTH PLAIN
334
<THE BASE64 STRING>
235 2.7.0 Authentication successful
QUIT
221 2.0.0 Bye

Keep in mind that users created via the web interface of e-F-a are not available in sasldb, nor in dovecot, so any user you want to authenticate must actually be created in shell.
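The strings exchanged in the two manual tests above (the AUTH LOGIN 334 prompts in the openssl session and the AUTH PLAIN string from step 8) and the STARTTLS-then-AUTH sequence on 587 can be checked with the small script below. It is an added example, not code from the thread or from the EFA project; the host name and credentials passed to smtp_auth_test are placeholders you supply.

```python
import base64
import smtplib
import ssl


def auth_plain_token(username, password, authzid=""):
    """RFC 4616 AUTH PLAIN initial response: authzid NUL authcid NUL passwd,
    base64-encoded (the same value the echo -ne ... | base64 step produces)."""
    raw = f"{authzid}\0{username}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_challenge(b64):
    """Decode a '334 <b64>' AUTH LOGIN prompt (or any base64 SASL blob)."""
    return base64.b64decode(b64).decode("utf-8")


def mechs_from_ehlo(ehlo_text):
    """Return the mechanisms from the first 'AUTH ...' line of a raw EHLO reply.
    An empty list means no AUTH was offered (on 587 that usually means the
    session is not yet inside TLS)."""
    for line in ehlo_text.splitlines():
        body = line[4:] if line.startswith("250") else line  # drop '250-' / '250 '
        if body.upper().startswith("AUTH "):
            return body.split()[1:]
    return []


def smtp_auth_test(host, user, password, port=587):
    """Mirror the manual test: EHLO, STARTTLS, EHLO again, then AUTH PLAIN.
    Returns (ok, detail) so a 535 is reported instead of raised."""
    ctx = ssl.create_default_context()  # verifies the server's certificate
    with smtplib.SMTP(host, port, timeout=15) as s:
        s.ehlo()
        if not s.has_extn("starttls"):
            return False, "server did not offer STARTTLS on port %d" % port
        s.starttls(context=ctx)
        s.ehlo()  # capabilities change after TLS; AUTH normally appears only now
        mechs = s.esmtp_features.get("auth", "").split()
        if "PLAIN" not in mechs:
            return False, "PLAIN not offered, server advertises: %s" % mechs
        code, msg = s.docmd("AUTH", "PLAIN " + auth_plain_token(user, password))
        return code == 235, "%d %s" % (code, msg.decode("utf-8", "replace"))
```

Call smtp_auth_test("smtp.myserverdomain.tld", "username@domain.tld", "password") against your own server; a (False, "535 ...") result with PLAIN advertised points at the sasldb/master.cf issues discussed above rather than at TLS.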