warning: SASL authentication failure: cannot connect to Courier authdaemond: Connection refused
postfix/smtpd[3585]: warning: unknown[111.200.216.141]: SASL LOGIN authentication failed: generic failure
comment out #auxprop_plugin: sql
and it works, no more "no mechanism available"
Saslauthd
Since we want to allow users to log in to our mail server so they can send email, we need to configure some kind of protection. First we need to make sure users can log in with the same username and password they will use for checking email.
For this, we are going to use Saslauthd. Saslauthd will also use the same database we already created to verify user credentials.
apt-get install libsasl2-2 libsasl2-modules libsasl2-modules-sql sasl2-bin libpam-mysql
Open /etc/default/saslauthd with nano and change START=no to START=yes. At the end of the file we need to change OPTIONS="-c -m /var/run/saslauthd" to
OPTIONS="-c -r -m /var/spool/postfix/var/run/saslauthd"
This change is needed because Postfix on Debian runs in a chroot, so it needs access to the saslauthd socket from inside it. The -r parameter is needed because otherwise the username is not passed correctly from Postfix to saslauthd.
We also need to create this directory
mkdir -p /var/spool/postfix/var/run/saslauthd
and one symbolic link, because Postfix on Debian runs in a chrooted environment and other applications you may be using on your server (including testsaslauthd, which tests whether saslauthd is working correctly) are not aware that we changed the saslauthd directory:
rm -rf /var/run/saslauthd
ln -s /var/spool/postfix/var/run/saslauthd /var/run/saslauthd
Warning
If you do not delete /var/run/saslauthd before creating the symbolic link, the link will be created as /var/run/saslauthd/saslauthd and testing SASL with testsaslauthd will result in an error: "connect() : No such file or directory 0".
We also need to create two more files:
nano /etc/pam.d/smtp
auth required pam_mysql.so user=mailadmin passwd=newpassword host=127.0.0.1 db=mail table=mailbox usercolumn=username passwdcolumn=password crypt=1
account sufficient pam_mysql.so user=mailadmin passwd=newpassword host=127.0.0.1 db=mail table=mailbox usercolumn=username passwdcolumn=password crypt=1
nano /etc/postfix/sasl/smtpd.conf
pwcheck_method: saslauthd
mech_list: plain login
allow_plaintext: true
We need to add Postfix to the sasl group so it can access the saslauthd process we just created:
adduser postfix sasl
Restart Postfix and sasl
/etc/init.d/postfix restart
/etc/init.d/saslauthd restart
Now we can check whether saslauthd is working correctly.
testsaslauthd -s smtp -u root@example.com -p newpassword
Of course, use your own credentials here. Authentication should work.
atlantis:~# testsaslauthd -s smtp -u root@example.com -p newpassword
0: OK "Success."
If you do not get "Success." as a response, check that you have a symbolic link in /var/run/ named saslauthd and that it points to /var/spool/postfix/var/run/saslauthd.
We have to change the permissions of these two files as well:
chgrp sasl /etc/pam.d/smtp
chmod 640 /etc/pam.d/smtp
chgrp postfix /etc/postfix/sasl/smtpd.conf
chmod 640 /etc/postfix/sasl/smtpd.conf
We also need to tell Postfix to allow authenticated users to send mail. Edit /etc/postfix/main.cf and add
smtpd_sender_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    permit_tls_clientcerts
Restart Postfix and sasl.
/etc/init.d/postfix restart
/etc/init.d/saslauthd restart
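A check for the layout built in the steps above, as an added example that is not part of the original guide: it verifies the symlink (including the nested-link mistake from the Warning), the OPTIONS line, and the 640 file modes. The function name check_sasl_layout and its optional root-prefix argument are hypothetical, and GNU stat (as on Debian) is assumed.

```shell
#!/bin/sh
# Added example: audits the layout this guide builds. GNU stat (Debian) assumed.
# check_sasl_layout and its optional root-prefix argument are hypothetical names.
CHROOT_SOCK_DIR=/var/spool/postfix/var/run/saslauthd

check_sasl_layout() {
    root=${1:-}   # empty = live system; a prefix audits a mounted image or test tree
    rc=0
    fail() { echo "FAIL: $*" >&2; rc=1; }

    link="$root/var/run/saslauthd"
    if [ -L "$link" ]; then
        [ "$(readlink "$link")" = "$CHROOT_SOCK_DIR" ] ||
            fail "$link points to $(readlink "$link"), expected $CHROOT_SOCK_DIR"
    elif [ -L "$link/saslauthd" ]; then
        # The case from the Warning: the old directory was not removed before ln -s
        fail "nested link $link/saslauthd; remove $link and recreate the symlink"
    else
        fail "$link is not a symlink"
    fi
    [ -d "$root$CHROOT_SOCK_DIR" ] || fail "missing directory $root$CHROOT_SOCK_DIR"

    defaults="$root/etc/default/saslauthd"
    grep -q '^START=yes' "$defaults" 2>/dev/null || fail "START=yes not set in $defaults"
    opts=$(grep '^OPTIONS=' "$defaults" 2>/dev/null | tail -n 1)
    printf '%s\n' "$opts" | grep -q -- "-m $CHROOT_SOCK_DIR" ||
        fail "OPTIONS does not place the socket in $CHROOT_SOCK_DIR"
    printf '%s\n' "$opts" | grep -Eq '[" ]-r([" ]|$)' || fail "OPTIONS is missing -r"

    # /etc/pam.d/smtp holds the database password in clear text, so mode matters
    for f in /etc/pam.d/smtp /etc/postfix/sasl/smtpd.conf; do
        mode=$(stat -c %a "$root$f" 2>/dev/null) || { fail "missing $root$f"; continue; }
        [ "$mode" = 640 ] || fail "$root$f has mode $mode, expected 640"
    done
    return $rc
}
```

Call check_sasl_layout with no argument to audit the live system; each failed check is printed to stderr and the function returns non-zero.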