|
在給實驗室的mail服務器增加smtp認證的時候,遇到的一些問題,記錄一些解決的過程,方便後來人;-)
錯誤一:
查看/var/log/mail.log:
Feb 26 23:39:57 vd postfix/smtpd[2323]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
postfix沒有找到saslauthd的工作目錄,由於postfix的工作目錄默認在/var/spool/postfix/var/run/saslauthd中;而saslauthd默認的工作目錄為/var/run/saslauthd中,從而導致postfix無法連接saslauthd服務。
解決方法:
1. 設置saslauthd的工作目錄為/var/spool/postfix/var/run/saslauthd
2. 創建符號鏈接,將/var/run/saslauthd鏈接到/var/spool/postfix/var/run/saslauthd
由於testsaslauthd也是採用saslauthd的默認目錄,所以如果saslauthd的工作目錄不在/var/run/saslauthd的話,就會無法連接saslauthd服務,需要通過-f選項來指定工作目錄;或者是創建一個符號連接。
pact518:/var/log# testsaslauthd -f /var/spool/postfix/var/run/saslauthd/mux -u test -r pact518.hit.edu.cn -p xxxxxx
0: OK "Success."
錯誤二:
查看/var/log/mail.log:
Feb 26 23:47:23 vd postfix/smtpd[2405]: warning: SASL authentication failure: cannot connect to saslauthd server: Permission denied
文件/var/spool/postfix/var/run/saslauthd目錄或者是/var/run/saslauthd目錄的權限問題。
解決方法:
1、修改目錄的權限
2、將postfix添加到sasl組中
錯誤三:
查看/var/log/mail.log:
- 92739 Feb 26 00:17:17 pact518 postfix/smtpd[30644]: warning: unknown[118.203.19.156]: SASL PLAIN authentication failed: authentication failure
複製代碼
考慮就是對LDAP的輸入有誤:
查看/var/log/auth.log:
Feb 27 10:30:57 pact518 saslauthd[11030]: Entry not found (mail=wangyao).
Feb 27 10:30:57 pact518 saslauthd[11030]: Authentication failed for wangyao: User not found (-6)
Feb 27 10:30:57 pact518 saslauthd[11030]: do_auth : auth failure: [user=wangyao] [service=imap] [realm=] [mech=ldap] [reason=Unknown]
發現是mail=wangyao這個entry在ldap中不存在,實際上我們的entry應該是 mail=wangyao@pact518.hit.edu.cn
這也就是說我們的ldap_filter有問題,需要修改ldap_filter。
Q.: Why do you run saslauthd with the -r flag?
A.: Because my users authenticate as "user@domain", not "user". If you are in trouble check /var/log/auth.log .
> >If you append the domainname as REALM, which you do by setting
> >smtpd_sasl_local_domain this way, you need to run at least saslauthd
> >2.1.19 with the "-r" switch.
可見saslauthd中的-r選項與postfix/main.cf中的smtp_sasl_local_domain字段相互結合,控制著ldap的輸入。
dn: uid=test,dc=pact518,dc=hit,dc=edu,dc=cn
如果設置了saslauthd的-r選項和smtp_sasl_local_domain的話,postfix會自動的在smtp認證用戶名的後面加上@domain,這樣ldap的輸入就變成了
user@domain,根據%u表示輸入,現在%u=user@domain,也就是mail的形式:
ldap_filter: mail=%u
如果沒有設置smtp_sasl_local_domain的話,ldap的輸入只是user,%u=user,ldap中uid=user,也就是uid的形式:
ldap_filter: uid=%u
關於ldap_filter中的%u的含義,可以man ldap_table進行查看:
query_filter (default: mailacceptinggeneralid=%s)
The RFC2254 filter used to search the directory,
where %s is a substitute for the address Postfix is
trying to resolve, e.g.
query_filter = (&(mail=%s)(paid_up=true))
This parameter supports the following '%' expan-
sions:
%% This is replaced by a literal '%' character.
(Postfix 2.2 and later).
%s This is replaced by the input key. RFC 2254
quoting is used to make sure that the input
key does not add unexpected metacharacters.
%u When the input key is an address of the form
user@domain, %u is replaced by the (RFC
2254) quoted local part of the address.
Otherwise, %u is replaced by the entire
search string. If the localpart is empty,
the search is suppressed and returns no
results.
%d When the input key is an address of the form
user@domain, %d is replaced by the (RFC
2254) quoted domain part of the address.
Otherwise, the search is suppressed and
returns no results.
%[SUD] The upper-case equivalents of the above
expansions behave in the query_filter param-
eter identically to their lower-case
counter-parts. With the result_format param-
eter (previously called result_filter see
the COMPATIBILITY section and below), they
expand to the corresponding components of
input key rather than the result value.
The above %S, %U and %D expansions are
available with Postfix 2.2 and later.
%[1-9] The patterns %1, %2, ... %9 are replaced by
the corresponding most significant component
of the input key's domain. If the input key
is user@mail.example.com, then %1 is com, %2
is example and %3 is mail. If the input key
is unqualified or does not have enough
domain components to satisfy all the speci-
fied patterns, the search is suppressed and
returns no results.
The above %1, ..., %9 expansions are avail-
able with Postfix 2.2 and later.
The "domain" parameter described below limits the
input keys to addresses in matching domains. When
the "domain" parameter is non-empty, LDAP queries
for unqualified addresses or addresses in non-
matching domains are suppressed and return no
results.
NOTE: DO NOT put quotes around the query_filter
parameter.
===================================================
登錄測試
1. base64編碼
perl -MMIME::Base64 -e 'print encode_base64("wangyao")'
BTW:這裡使用echo "wangyao" | base64不行(echo默認會帶上'\n',需要使用-n選項).
debian-wangyao:~$ perl -MMIME::Base64 -e 'print encode_base64("wangyao")'
d2FuZ3lhbw==
debian-wangyao:~$ echo -n wangyao | base64
d2FuZ3lhbw==
debian-wangyao:~$ echo wangyao | base64
d2FuZ3lhbwo=
2. telnet localhost 25
- wangyao@wangyao-laptop:~$ telnet 202.118.236.130 25
- Trying 202.118.236.130...
- Connected to 202.118.236.130.
- Escape character is '^]'.
- 220 pact518.hit.edu.cn ESMTP Postfix (Debian/GNU)
- ehlo pact518.hit.edu.cn
- 250-pact518.hit.edu.cn
- 250-PIPELINING
- 250-SIZE 30000000
- 250-VRFY
- 250-ETRN
- 250-STARTTLS
- 250-AUTH LOGIN PLAIN
- 250-AUTH=LOGIN PLAIN
- 250-ENHANCEDSTATUSCODES
- 250-8BITMIME
- 250 DSN
- auth login
- 334 VXNlcm5hbWU6
- xxxxxxxxxxxx
- 334 UGFzc3dvcmQ6
- yyyyyyyyyyyy
- 235 2.7.0 Authentication successful
- quit
- 221 2.0.0 Bye
- Connection closed by foreign host.
複製代碼
參考:
http://doc.linuxpk.com/54681.html
http://wlx.westgis.ac.cn/322/
http://www.freeworld.net.cn/Article/Catalog117/34151.html
http://www.postfix.org/ldap_table.5.html
|
|