Postfix, No SMTP AUTH when TLS is enabled

Raman Gupta rocketraman at fastmail.fm
Sat Jan 2 08:31:07 UTC 2010 

On 01/02/2010 02:58 AM, froinds J wrote:
>
>
> On Sat, Jan 2, 2010 at 2:42 AM, Raman Gupta <rocketraman at fastmail.fm
> <mailto:rocketraman at fastmail.fm>> wrote:
>
>     On 01/01/2010 11:41 PM, froinds J wrote:
>
>         Hello,
>         I'm having a problem with postfix in F12.
>         I used to have my email server setup with F10. My setup had TLS
>         enabled (self signed certs) with SASL using
>         pwcheck_method=auxprop and
>         CRAM-MD5 DIGEST-MD5. I had virtual accounts.
>         Everything worked great until I installed F12. It was a clean
>         install.
>         My issue now is the following:
>         If I disable TLS, postfix works as expected. If I enable it, I
>         cannot
>         authenticate. Without TLS I can telnet to my server and I get
>         250-AUTH
>         CRAM-MD5 DIGEST-MD5
>
>
>     What auxprop plugin are you using?
>
>     Cheers,
>     Raman
>
>
> None. What should I use?
> Froinds

I guess that depends on how your virtual users are configured.

I don't use auxprop myself -- I configure saslauthd to authenticate 
via pam (pwcheck_method: saslauthd). Then configure the 
/etc/pam.d/smtp file as desired (mine uses pam_mysql.so to 
authenticate virtual users against a mysql table).

However, based on the docs at http://www.postfix.org/SASL_README.html 
it appears that if you use auxprop, it should be configured with a 
plugin, like "auxprop_plugin: sql" or "auxprop_plugin: sasldb".

If you do switch to saslauthd (pam) note the following warning from 
the same docs:

IMPORTANT: The Cyrus SASL password verification services pwcheck and 
saslauthd can only support the plaintext mechanisms PLAIN or LOGIN. 
However, the Cyrus SASL library doesn't know this, and will happily 
advertise other authentication mechanisms that the SASL library 
implements, such as DIGEST-MD5. As a result, if a remote SMTP client 
chooses any mechanism other than PLAIN or LOGIN while pwcheck or 
saslauthd are used, authentication will fail. Thus you may need to 
limit the list of mechanisms advertised by the Postfix SMTP server.

Cheers,
Raman

More information about the users mailing list