在给实验室的mail服务器增加smtp认证的时候,遇到的一些问题,记录一些解决的过程,方便后来人;-)
错误一:
查看/var/log/mail.log:
Feb 26 23:39:57 vd postfix/smtpd[2323]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
postfix没有找到saslauthd的工作目录,由于postfix的工作目录默认在/var/spool/postfix/var/run/saslauthd中;而saslauthd默认的工作目录为/var/run/saslauthd中,从而导致postfix无法连接saslauthd服务。
解决方法:
1. 设置saslauthd的工作目录为/var/spool/postfix/var/run/saslauthd
2. 创建符号链接,将/var/run/saslauthd链接到/var/spool/postfix/var/run/saslauthd
由于testsaslauthd也是采用saslauthd的默认目录,所以如果saslauthd的工作目录不在/var/run/saslauthd的话,就会无法连接saslauthd服务,需要通过-f选项来指定工作目录;或者是创建一个符号连接。
pact518:/var/log# testsaslauthd -f /var/spool/postfix/var/run/saslauthd/mux -u test -r pact518.hit.edu.cn -p xxxxxx
0: OK "Success."
错误二:
查看/var/log/mail.log:
Feb 26 23:47:23 vd postfix/smtpd[2405]: warning: SASL authentication failure: cannot connect to saslauthd server: Permission denied
文件/var/spool/postfix/var/run/saslauthd目录或者是/var/run/saslauthd目录的权限问题。
解决方法:
1、修改目录的权限
2、将postfix添加到sasl组中
错误三:
查看/var/log/mail.log:
92739 Feb 26 00:17:17 pact518 postfix/smtpd[30644]: warning: unknown[118.203.19.156]: SASL PLAIN authentication failed: authentication failure
考虑就是对LDAP的输入有误:
查看/var/log/auth.log:
Feb 27 10:30:57 pact518 saslauthd[11030]: Entry not found (mail=wangyao).
Feb 27 10:30:57 pact518 saslauthd[11030]: Authentication failed for wangyao: User not found (-6)
Feb 27 10:30:57 pact518 saslauthd[11030]: do_auth : auth failure: [user=wangyao] [service=imap] [realm=] [mech=ldap] [reason=Unknown]
发现是mail=wangyao这个entry在ldap中不存在,实际上我们的entry应该是 mail=wangyao@pact518.hit.edu.cn
这也就是说我们的ldap_filter有问题,需要修改ldap_filter。
Q.: Why do you run saslauthd with the -r flag?
A.: Because my users authenticate as "user@domain", not "user". If you are in trouble check /var/log/auth.log .
> >If you append the domainname as REALM, which you do by setting
> >smtpd_sasl_local_domain this way, you need to run at least saslauthd
> >2.1.19 with the "-r" switch.
可见saslauthd中的-r选项与postfix/main.cf中的smtp_sasl_local_domain字段相互结合,控制着ldap的输入。
dn: uid=test,dc=pact518,dc=hit,dc=edu,dc=cn
如果设置了saslauthd的-r选项和smtp_sasl_local_domain的话,postfix会自动的在smtp认证用户名的后面加上@domain,这样ldap的输入就变成了
user@domain,根据%u表示输入,现在%u=user@domain,也就是mail的形式:
ldap_filter: mail=%u
如果没有设置smtp_sasl_local_domain的话,ldap的输入只是user,%u=user,ldap中uid=user,也就是uid的形式:
ldap_filter: uid=%u
关于ldap_filter中的%u的含义,可以man ldap_table进行查看:
query_filter (default: mailacceptinggeneralid=%s)
The RFC2254 filter used to search the directory,
where %s is a substitute for the address Postfix is
trying to resolve, e.g.
query_filter = (&(mail=%s)(paid_up=true))
This parameter supports the following '%' expan-
sions:
%% This is replaced by a literal '%' character.
(Postfix 2.2 and later).
%s This is replaced by the input key. RFC 2254
quoting is used to make sure that the input
key does not add unexpected metacharacters.
%u When the input key is an address of the form
user@domain, %u is replaced by the (RFC
2254) quoted local part of the address.
Otherwise, %u is replaced by the entire
search string. If the localpart is empty,
the search is suppressed and returns no
results.
%d When the input key is an address of the form
user@domain, %d is replaced by the (RFC
2254) quoted domain part of the address.
Otherwise, the search is suppressed and
returns no results.
%[SUD] The upper-case equivalents of the above
expansions behave in the query_filter param-
eter identically to their lower-case
counter-parts. With the result_format param-
eter (previously called result_filter see
the COMPATIBILITY section and below), they
expand to the corresponding components of
input key rather than the result value.
The above %S, %U and %D expansions are
available with Postfix 2.2 and later.
%[1-9] The patterns %1, %2, ... %9 are replaced by
the corresponding most significant component
of the input key's domain. If the input key
is user@mail.example.com, then %1 is com, %2
is example and %3 is mail. If the input key
is unqualified or does not have enough
domain components to satisfy all the speci-
fied patterns, the search is suppressed and
returns no results.
The above %1, ..., %9 expansions are avail-
able with Postfix 2.2 and later.
The "domain" parameter described below limits the
input keys to addresses in matching domains. When
the "domain" parameter is non-empty, LDAP queries
for unqualified addresses or addresses in non-
matching domains are suppressed and return no
results.
NOTE: DO NOT put quotes around the query_filter
parameter.
===================================================
登录测试
1. base64编码
perl -MMIME::Base64 -e 'print encode_base64("wangyao")'
BTW:这里使用echo "wangyao" | base64不行(echo默认会带上'\n',需要使用-n选项).
debian-wangyao:~$ perl -MMIME::Base64 -e 'print encode_base64("wangyao")'
d2FuZ3lhbw==
debian-wangyao:~$ echo -n wangyao | base64
d2FuZ3lhbw==
debian-wangyao:~$ echo wangyao | base64
d2FuZ3lhbwo=
2. telnet smtp登录
wangyao@wangyao-laptop:~$ telnet 202.118.236.130 25
Trying 202.118.236.130...
Connected to 202.118.236.130.
Escape character is '^]'.
220 pact518.hit.edu.cn ESMTP Postfix (Debian/GNU)
ehlo pact518.hit.edu.cn
250-pact518.hit.edu.cn
250-PIPELINING
250-SIZE 30000000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
auth login
334 VXNlcm5hbWU6
xxxxxxxxxxxx
334 UGFzc3dvcmQ6
yyyyyyyyyyyy
235 2.7.0 Authentication successful
quit
221 2.0.0 Bye
Connection closed by foreign host.
参考:
阅读(8167) | 评论(0) | 转发(0) |
