SASL PLAIN은 기본 도메인으로 인증하지만 가상 도메인으로는 인증하지 않습니다.

SASL PLAIN은 기본 도메인으로 인증하지만 가상 도메인으로는 인증하지 않습니다.

접미사 + 비둘기장 및 sasl. 지금까지 1개의 도메인으로 작동합니다.

가상 도메인을 추가했습니다. 이에 대한 수신 메일이 작동합니다. 그러나 발신에서는 SASL 인증이 실패했습니다.

왜 실패하는지 모르겠습니다.

/etc/sasl2/smtpd.conf는 다음과 같습니다:

pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN

postconf -n 출력:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 40960000
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, mail.$mydomain
mydomain = primary.net
myhostname = mail.primary.net
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
relay_domains = $mydestination, primary.net, seconddomain.org
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_client_restrictions = permit_sasl_authenticated
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_non_fqdn_hostname
smtpd_recipient_restrictions = permit_sasl_authenticated,   
                               permit_mynetworks,        
                               reject_invalid_hostname,        
                               reject_unauth_pipelining,    
                               reject_unauth_destination,   
                               reject_rbl_client sbl-xbl.spamhaus.org,              
                               permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_unknown_sender_domain
soft_bounce = no
unknown_local_recipient_reject_code = 550
virtual_alias_domains = mail.seconddomain.org
virtual_alias_maps = hash:/etc/postfix/virtual

가상 별칭 도메인이 작동합니다. 하지만 가상 도메인 메일로그로 인증하려고 하면 오류가 발생합니다.

 SASL PLAIN authentication failed

내가 무엇을 봐야할지 아이디어가 있습니까?

업데이트 #1:

아래 지침에 따라 여전히 인증할 수 없어서 saslfinger를 설치했는데 결과는 다음과 같습니다.

saslfinger - postfix Cyrus sasl configuration Tue Mar 24 07:23:10 GMT 2015
version: 1.0.2
mode: server-side SMTP AUTH

-- basics --
Postfix: 2.6.6
System: CentOS release 6.5 (Final)

-- smtpd is linked to --
    libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00007ff8b9655000)

-- active SMTP AUTH and TLS parameters for smtpd --
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot


-- listing of /usr/lib64/sasl2 --
total 504
drwxr-xr-x.  2 root root  4096 Sep 15  2013 .
dr-xr-xr-x. 43 root root 20480 Jun 20  2014 ..
-rwxr-xr-x.  1 root root 18776 Nov 27  2012 libanonymous.so
-rwxr-xr-x.  1 root root 18776 Nov 27  2012 libanonymous.so.2
-rwxr-xr-x.  1 root root 18776 Nov 27  2012 libanonymous.so.2.0.23
-rwxr-xr-x   1 root root 22936 Nov 27  2012 libcrammd5.so
-rwxr-xr-x   1 root root 22936 Nov 27  2012 libcrammd5.so.2
-rwxr-xr-x   1 root root 22936 Nov 27  2012 libcrammd5.so.2.0.23
-rwxr-xr-x   1 root root 52088 Nov 27  2012 libdigestmd5.so
-rwxr-xr-x   1 root root 52088 Nov 27  2012 libdigestmd5.so.2
-rwxr-xr-x   1 root root 52088 Nov 27  2012 libdigestmd5.so.2.0.23
-rwxr-xr-x.  1 root root 18808 Nov 27  2012 liblogin.so
-rwxr-xr-x.  1 root root 18808 Nov 27  2012 liblogin.so.2
-rwxr-xr-x.  1 root root 18808 Nov 27  2012 liblogin.so.2.0.23
-rwxr-xr-x.  1 root root 18808 Nov 27  2012 libplain.so
-rwxr-xr-x.  1 root root 18808 Nov 27  2012 libplain.so.2
-rwxr-xr-x.  1 root root 18808 Nov 27  2012 libplain.so.2.0.23
-rwxr-xr-x.  1 root root 22784 Nov 27  2012 libsasldb.so
-rwxr-xr-x.  1 root root 22784 Nov 27  2012 libsasldb.so.2
-rwxr-xr-x.  1 root root 22784 Nov 27  2012 libsasldb.so.2.0.23

-- listing of /etc/sasl2 --
total 12
drwxr-xr-x.  2 root root 4096 Sep 20  2013 .
drwxr-xr-x. 93 root root 4096 Mar 22 03:43 ..
-rw-r--r--.  1 root root   70 Mar 24 07:22 smtpd.conf




-- content of /etc/sasl2/smtpd.conf --
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN


-- active services in /etc/postfix/master.cf --
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       -       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=$myhostname
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_login_maps=hash:/etc/postfix/virtual

smtps     inet  n       -       n       -       -       smtpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
    -o smtp_fallback_relay=
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache

-- mechanisms on localhost --
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN

-- end of saslfinger output --

업데이트 #2:

자세한 정보 표시 모드를 활성화했으며 이메일 전송을 시도한 후의 출력은 다음과 같습니다. 참고: srv postfix/smtpd[29481]:보기에 조금 더 작게 만들기 위해 모든 줄에서 타임스탬프와 모든 줄을 제거했습니다.

 dict_eval: const  mail
 dict_eval: const  all
 dict_eval: const  
 dict_eval: const  
 dict_eval: const  
 name_mask: all
 dict_eval: const  mail.mydomain.net
 dict_eval: const  mydomain.net
 dict_eval: const  Postfix
 dict_eval: expand ${multi_instance_name:postfix}${multi_instance_name?$multi_instance_name} -> postfix
 dict_eval: const  postfix
 dict_eval: const  postdrop
 dict_eval: expand $myhostname, localhost.$mydomain, localhost, $mydomain,?mail.$mydomain -> mail.mydomain.net, localhost.mydomain.net, localhost, mydomain.net,?mail.mydomain.net
 dict_eval: expand $myhostname -> mail.mydomain.net
 dict_eval: const  
 dict_eval: const  /usr/libexec/postfix
 dict_eval: const  /var/lib/postfix
 dict_eval: const  /usr/sbin
 dict_eval: const  /var/spool/postfix
 dict_eval: const  pid
 dict_eval: const  all
 dict_eval: const  
 dict_eval: const  double-bounce
 dict_eval: const  nobody
 dict_eval: const  hash:/etc/aliases
 dict_eval: const  20100319
 dict_eval: const  2.6.6
 dict_eval: const  hash
 dict_eval: const  deferred, defer
 dict_eval: const  
 dict_eval: expand $mydestination, mydomain.net, anotherdomain.org -> mail.mydomain.net, localhost.mydomain.net, localhost, mydomain.net,?mail.mydomain.net, mydomain.net, anotherdomain.org
 dict_eval: expand $relay_domains -> mail.mydomain.net, localhost.mydomain.net, localhost, mydomain.net,?mail.mydomain.net, mydomain.net, anotherdomain.org
 dict_eval: const  TZ MAIL_CONFIG LANG
 dict_eval: const  MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C
 dict_eval: const  subnet
 dict_eval: const  127.0.0.1
 dict_eval: const  +=
 dict_eval: const  -=+
 dict_eval: const  debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps
 dict_eval: const  
 dict_eval: const  bounce
 dict_eval: const  cleanup
 dict_eval: const  defer
 dict_eval: const  pickup
 dict_eval: const  qmgr
 dict_eval: const  rewrite
 dict_eval: const  showq
 dict_eval: const  error
 dict_eval: const  flush
 dict_eval: const  verify
 dict_eval: const  trace
 dict_eval: const  proxymap
 dict_eval: const  proxywrite
 dict_eval: const  
 dict_eval: const  
 dict_eval: const  40960000
 dict_eval: const  2
 dict_eval: const  no
 dict_eval: const  100s
 dict_eval: const  100s
 dict_eval: const  100s
 dict_eval: const  100s
 dict_eval: const  3600s
 dict_eval: const  3600s
 dict_eval: const  5s
 dict_eval: const  5s
 dict_eval: const  1000s
 dict_eval: const  1000s
 dict_eval: const  10s
 dict_eval: const  10s
 dict_eval: const  1s
 dict_eval: const  1s
 dict_eval: const  1s
 dict_eval: const  1s
 dict_eval: const  500s
 dict_eval: const  500s
 dict_eval: const  18000s
 dict_eval: const  18000s
 dict_eval: const  1s
 dict_eval: const  1s
 name_mask: subnet
 inet_addr_local: configured 2 IPv4 addresses
 inet_addr_local: configured 2 IPv6 addresses
 been_here: 127.0.0.0/8: 0
 been_here: 77.0.0.0/8: 0
 been_here: [::1]/128: 0
 been_here: [fe80::%eth0]/64: 0
 mynetworks: 127.0.0.0/8 77.0.0.0/8 [::1]/128 [fe80::%eth0]/64 
 dict_eval: const  127.0.0.0/8 77.0.0.0/8 [::1]/128 [fe80::%eth0]/64 
 dict_eval: const  10
 dict_eval: expand ${stress?1}${stress:20} -> 20
 dict_eval: expand ${stress?1}${stress:100} -> 100
 dict_eval: expand ${stress?1}${stress:3} -> 3
 dict_eval: const  550
 dict_eval: expand $myhostname ESMTP $mail_name -> mail.mydomain.net ESMTP Postfix
 dict_eval: const  resource, software
 dict_eval: const  permit_sasl_authenticated
 dict_eval: const  reject_non_fqdn_hostname
 dict_eval: const  reject_unknown_sender_domain
 dict_eval: const  permit_sasl_authenticated,?permit_mynetworks,        reject_invalid_hostname,        reject_unauth_pipelining,?reject_unauth_destination,?reject_rbl_client sbl-xbl.spamhaus.org,           ?permit
 dict_eval: const  
 dict_eval: const  reject_unauth_pipelining
 dict_eval: const  
 dict_eval: const  
 dict_eval: const  
 dict_eval: const  postmaster
 dict_eval: const  
 dict_eval: const  
 dict_eval: const  
 dict_eval: const  hash:/etc/postfix/virtual
 dict_eval: const  
 dict_eval: const  hash:/etc/aliases
 dict_eval: expand proxy:unix:passwd.byname $alias_maps -> proxy:unix:passwd.byname hash:/etc/aliases
 dict_eval: const  noanonymous
 dict_eval: const  private/auth
 dict_eval: const  
 dict_eval: const  
 dict_eval: const  
 dict_eval: const  
 dict_eval: const  
 dict_eval: const  
 dict_eval: const  
 dict_eval: const  CONNECT GET POST
 dict_eval: const  <>
 dict_eval: const  
 dict_eval: expand $double_bounce_sender -> double-bounce
 dict_eval: expand $authorized_verp_clients -> 
 dict_eval: const  
 dict_eval: expand $myhostname -> mail.mydomain.net
 dict_eval: const  
 dict_eval: const  
 dict_eval: const  
 dict_eval: expand ${smtpd_client_connection_limit_exceptions:$mynetworks} -> 127.0.0.0/8 77.0.0.0/8 [::1]/128 [fe80::%eth0]/64 
 dict_eval: const  permit_inet_interfaces
 dict_eval: const  
 dict_eval: const  
 dict_eval: const  
 dict_eval: expand $smtpd_sasl_security_options -> noanonymous
 dict_eval: const  
 dict_eval: expand $smtpd_tls_cert_file -> 
 dict_eval: const  
 dict_eval: expand $smtpd_tls_dcert_file -> 
 dict_eval: const  
 dict_eval: expand $smtpd_tls_eccert_file -> 
 dict_eval: const  
 dict_eval: const  
 dict_eval: const  export
 dict_eval: const  medium
 dict_eval: const  
 dict_eval: const  
 dict_eval: const  
 dict_eval: const  SSLv3, TLSv1
 dict_eval: const  
 dict_eval: const  
 dict_eval: const  none
 dict_eval: const  md5
 dict_eval: const  
 dict_eval: const  dovecot
 dict_eval: const  
 dict_eval: const  j {daemon_name} v
 dict_eval: const  {tls_version} {cipher} {cipher_bits} {cert_subject} {cert_issuer}
 dict_eval: const  i {auth_type} {auth_authen} {auth_author} {mail_addr} {mail_host} {mail_mailer}
 dict_eval: const  i {rcpt_addr} {rcpt_host} {rcpt_mailer}
 dict_eval: const  i
 dict_eval: const  i
 dict_eval: const  i
 dict_eval: const  
 dict_eval: const  6
 dict_eval: const  tempfail
 dict_eval: expand $myhostname -> mail.mydomain.net
 dict_eval: expand $mail_name $mail_version -> Postfix 2.6.6
 dict_eval: const  
 dict_eval: const  
 dict_eval: const  
 dict_eval: const  defer_if_permit
 dict_eval: expand $reject_tempfail_action -> defer_if_permit
 dict_eval: expand $reject_tempfail_action -> defer_if_permit
 dict_eval: expand $reject_tempfail_action -> defer_if_permit
 dict_eval: expand $reject_tempfail_action -> defer_if_permit
 dict_eval: const  yes
 dict_eval: const  yes
 dict_eval: const  no
 dict_eval: const  yes
 dict_eval: expand ${stress?10}${stress:300}s -> 300s
 dict_eval: expand ${stress?10}${stress:300}s -> 300s
 dict_eval: const  1s
 dict_eval: const  1s
 dict_eval: const  100s
 dict_eval: const  100s
 dict_eval: const  3s
 dict_eval: const  3s
 dict_eval: const  100s
 dict_eval: const  100s
 dict_eval: const  300s
 dict_eval: const  300s
 dict_eval: const  1000s
 dict_eval: const  1000s
 dict_eval: const  300s
 dict_eval: const  300s
 dict_eval: const  3600s

답변1

미안합니다위에 오해의 소지가 있는 댓글. sasldb를 사용하면 실행할 필요가 없습니다 saslauthd . 따라서 시작 스크립트에서 안전하게 제거할 수 있습니다. 다음과 같은 경우 saslauthd를 실행해야 합니다.시스템 사용자, LDAP 또는 원격 IMAP을 통해 비밀번호 확인을 수행합니다..

saslpasswd2첫 번째 단계는 바이너리를 사용하여 sasldb용 데이터베이스를 생성하는 것입니다.

# saslpasswd2 -c  [email protected]
Password:
Again (for verification):

sasldblistusers2를 실행하여 확인하십시오.

# sasldblistusers2
[email protected]: userPassword

이렇게 하면 데이터베이스가 sasldb2 파일에 저장됩니다. 내 시스템의 파일은 /etc/sasldb2. 그것을 읽으려면 (SASL 라이브러리를 통해) postfix가 필요하기 때문에 postfix가 그것을 읽을 수 있도록 이 파일의 그룹 변경을 추가하십시오.

# ls -l /etc/sasldb2
-rw-r----- 1 root root 12288 Feb 27 06:09 /etc/sasldb2
# chgrp postfix /etc/sasldb2
# ls -l /etc/sasldb2
-rw-r----- 1 root postfix 12288 Feb 27 06:09 /etc/sasldb2

위 파일 은 /etc/sasl2/smtpd.conf괜찮았습니다.

pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN

그런 다음 테스트해 보세요.

  • PLAIN 자격 증명 형식의 Base64 문자열 생성

    # echo -ne '\[email protected]\000thepassword' | openssl base64
    SomERandOMCharActER
    
  • 자격 증명 테스트

    telnet localhost 25
    Trying ::1...
    Connected to localhost.
    Escape character is '^]'.
    220 mail.example.com ESMTP Postfix
    EHLO localhost
    250-mail.example.com
    250-PIPELINING
    250-SIZE 10240000
    250-VRFY
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    AUTH PLAIN SomERandOMCharActER
    235 2.7.0 Authentication successful
    

Postfix 2.3.3 및 Cyrus sasl 버전 2.1을 사용하는 CentOS 6.5에서 테스트되었습니다.

참고자료:

추신: 문제가 계속 발생하면 saslfinger바이너리 출력을 게시해 주세요.

saslfinger -s

다음에서 다운로드할 수 있습니다.Postfix 책 저자의 웹사이트


chroot 구성에 있는 postfix의 경우 postfix는 /etc/sasldb2인증된 사용자 이름에 액세스할 수 없습니다. 이 문제를 극복하기 위해 두 가지 대안이 있습니다.

  1. submissionmaster.cf에서 // 서비스 또는 바이너리를 사용하는 다른 서비스 에서 chroot를 끄십시오 smtpd.smtpssmtpd
  2. /var/spool/postfix/etc/sasldb2를 좋아요 로 이동이 게시물. /var/spool/postfix/etc/sasldb2/에 심볼릭링크할 수도 있습니다 /etc/sasldb2.

    ln -sf /var/spool/postfix/etc/sasldb2 /etc/
    

관련 정보