开源与专有关系 db mgt 系统的优缺点是什么？

Question

Michael Moser

Asked: 2018-01-17 14:05:56 +0800 CST2018-01-17 14:05:56 +0800 CST 2018-01-17 14:05:56 +0800 CST

使用 pam_mysql 的 Postfix SMTP SASL 身份验证不能接受电子邮件地址作为用户名

772

我目前正在尝试一个项目来更新现有的后缀部署。我在针对 smtp 对用户进行身份验证时遇到问题。

我遇到的主要问题是我们的后缀用户数据库是完全合格的（[email protected]）。但是，当尝试使用 AUTH PLAIN 进行身份验证时，@ 符号以及 . 被截断。如果我用 testaslauth 测试一个用户帐户，我会得到一个成功的结果。

我遇到的第二个问题实际上是了解 saslauth 和 pam 服务在哪里使用它们各自的 mysql 配置。我已经阅读了许多关于如何设置的文章，但我不清楚我是否需要这些配置中的一种、另一种或两种配置。

以下是我可以立即发布的所有相关配置/日志记录（注意：系统、域和用户名已被清理）：

操作系统版本：

mose@postfix ~ $ cat /etc/redhat-release 
CentOS Linux release 7.4.1708 (Core)

后缀版本：

mose@postfix ~ $ postconf -v | grep 'mail_version = '
postconf: $smtpd_tls_security_level in main.cf validates smtpd_tls_security_level=value in master.cf:submission.inet
mail_version = 2.10.1

成功测试来自 cli 的凭据：

mose@postfix ~ $ testsaslauthd -u [email protected] -p password -s smtp
0: OK "Success."

通过 telnet 验证失败：

mose@postfix ~ $ openssl s_client -starttls smtp -crlf -connect postfix.example.com:587
<SSL Output truncated for brevity>
EHLO example.com
250-postfix.example.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5
250-AUTH=PLAIN LOGIN CRAM-MD5 DIGEST-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN bW9zZS5jb20AbW9zZS5jb20AcGFzc3dvcmQ=
535 5.7.8 Error: authentication failed: authentication failure

记录，请注意我将用户名传递为 [email protected]，但是 mysql 查找将其显示为“[email protected]”：

mose@postfix ~ $ sudo tail /var/log/secure
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - option verbose is set to "1"
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - option users.host is set to "localhost"
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - option users.database is set to "postfix"
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - option users.db_user is set to "mysql"
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - option users.db_passwd is set to "password"
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - option users.password_crypt is set to "1"
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - option users.table is set to "mailboxes"
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - option users.where_clause is set to "status = 1"
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - option users.user_column is set to "login"
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - option users.password_column is set to "password"
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - pam_sm_authenticate() called.
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - pam_mysql_open_db() called.
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - pam_mysql_open_db() returning 0.
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - pam_mysql_check_passwd() called.
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - pam_mysql_format_string() called
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - pam_mysql_quick_escape() called.
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - SELECT password FROM mailboxes WHERE login = '[email protected]' AND (status = 1)
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - SELECT returned no result.
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - pam_mysql_check_passwd() returning 1.
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - pam_mysql_sql_log() called.
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - pam_mysql_sql_log() returning 0.
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - pam_mysql_converse() called.
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - pam_mysql_open_db() called.
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - pam_mysql_check_passwd() called.
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - pam_mysql_format_string() called
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - pam_mysql_quick_escape() called.
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - SELECT password FROM mailboxes WHERE login = '[email protected]' AND (status = 1)
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - SELECT returned no result.
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - pam_mysql_check_passwd() returning 1.
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - pam_mysql_sql_log() called.
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - pam_mysql_sql_log() returning 0.
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - pam_sm_authenticate() returning 10.
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - pam_mysql_release_ctx() called.
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - pam_mysql_destroy_ctx() called.
Jan 16 17:53:42 postfix saslauthd[7437]: pam_mysql - pam_mysql_close_db() called.

SASLAuthD 配置为使用 PAM：

mose@postfix ~ $ sudo grep -v \# /etc/sysconfig/saslauthd
SOCKETDIR=/run/saslauthd
MECH=pam
FLAGS="-r"

SMTPD 配置为使用 MySQL 插件：

mose@postfix ~ $ ll /etc/postfix/sasl/smtpd.conf
lrwxrwxrwx 1 root root 21 Jan 11 17:24 /etc/postfix/sasl/smtpd.conf -> /etc/sasl2/smtpd.conf

mose@postfix ~ $ sudo cat /etc/sasl2/smtpd.conf
pwcheck_method: saslauthd
mech_list: plain login cram-md5 digest-md5
allow_plaintext: true
auxprop_plugin: sql
sql_engine: mysql
sql_hostnames: localhost
sql_user: mysql 
sql_passwd: password 
sql_database: postfix
sql_verbose: yes
sql_select: select password from mailboxes where login = '%u@%r' and status='1'
sql_usessl: no
log_level: 3

PAM 配置为使用 MySQL：

mose@postfix ~ $ sudo cat /etc/pam.d/smtp
#%PAM-1.0
auth       required     pam_nologin.so
auth       sufficient   pam_mysql.so config_file=/etc/postfix/mysql/pam.conf
account    sufficient   pam_mysql.so config_file=/etc/postfix/mysql/pam.conf
password   required     pam_deny.so

mose@postfix ~ $ sudo cat /etc/postfix/mysql/pam.conf
verbose = 1;
users.host = localhost;
users.database = postfix;
users.db_user = mysql;
users.db_passwd = password;
users.password_crypt = 1;
users.table = postfix_mailboxes;
users.where_clause = status = 1;
users.user_column = login;
users.password_column = password;

完整的后缀配置转储：

mose@postfix ~ $ sudo postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
html_directory = no
inet_interfaces = $myhostname, localhost, 10.100.0.11
inet_protocols = ipv4
local_recipient_maps =
mail_owner = postfix
mailbox_command = procmail -a "$EXTENSION"
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination =
mydomain = example.com
myhostname = postfix.example.com
mynetworks = 127.0.0.0/8, 10.100.0.0/24
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen/access.cidr
postscreen_bare_newline_action = enforce
postscreen_bare_newline_enable = no
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map = pcre:$config_directory/postscreen_dnsbl_reply_map.pcre
postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2 bl.spameatingmonkey.net*2 bl.spamcop.net dnsbl.sorbs.net psbl.surriel.com bl.mailspike.net
postscreen_dnsbl_threshold = 3
postscreen_greet_action = enforce
postscreen_greet_banner = $myhostname [POSTSCREEN] ESMTP $mail_name
postscreen_non_smtp_command_enable = no
postscreen_pipelining_enable = no
postscreen_whitelist_interfaces = static:all
proxy_read_maps = $virtual_mailbox_maps $virtual_alias_maps $virtual_mailbox_domains #$transport_maps
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
relay_domains =
relayhost =
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_helo_timeout = 5
smtp_host_lookup = native
smtp_sasl_auth_enable = yes
smtpd_banner = $myhostname [SMTPD] ESMTP $mail_name
smtpd_delay_reject = no
smtpd_error_sleep_time = 30
smtpd_hard_error_limit = 20
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = cyrus
smtpd_sender_restrictions = reject_unknown_sender_domain
smtpd_soft_error_limit = 10
smtpd_tls_CAfile = /etc/postfix/gd_bundle-g2-g1.crt
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 10800s
strict_rfc821_envelopes = yes
tls_random_exchange_name = /var/lib/postfix/prng_exch
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql/autoreply.cf, proxy:mysql:/etc/postfix/mysql/aliases.cf, proxy:mysql:/etc/postfix/mysql/groups.cf
virtual_gid_maps = static:101
virtual_mailbox_base = /
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql/domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql/mailboxes.cf
virtual_minimum_uid = 110532
virtual_uid_maps = static:110532

我可以看到我可以在 SASLAuth mysql 设置（%u@%r）中定义用户格式的位置，但我还没有看到 pam_mysql 上支持相同的任何文档。

任何帮助表示赞赏。

编辑：在做出他推荐的更改后，我偶然发现了一个有类似问题的人，但是用户名仍然没有正确输入......

pam_mysql 文档

我还对照这篇文章检查了我的设置，我能看到的唯一区别是我拥有的 pam_mysql 来自以下存储库：http: //repo.iotti.biz/CentOS/$releasever

mose@postfix ~ $ sudo yum info pam_mysql --enablerepo=lux
Loaded plugins: fastestmirror, langpacks, product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
Loading mirror speeds from cached hostfile
 * base: mirrors.lga7.us.voxel.net
 * extras: mirror.cs.pitt.edu
 * updates: mirror.cogentco.com
Installed Packages
Name        : pam_mysql
Arch        : x86_64
Epoch       : 1
Version     : 0.8.1
Release     : 0.22.el7.lux
Size        : 96 k
Repo        : installed
From repo   : lux
Summary     : PAM module for auth UNIX users using MySQL data base
URL         : http://sf.net/projects/pam-mysql/
License     : GPLv2+
Description : Pam_mysql aims to provide a backend neutral means of authenticating
            : users against an MySQL database.

1 个回答

Voted

Michael Moser · Answer 1 · 2018-01-23T18:57:30+08:00

Best Answer

Michael Moser

2018-01-23T18:57:30+08:002018-01-23T18:57:30+08:00

我在标志中添加了“-r -c”。还发现 @ 符号在测试时没有被正确转义。一切都按预期工作。

0

使用 pam_mysql 的 Postfix SMTP SASL 身份验证不能接受电子邮件地址作为用户名

新安装后 postgres 的默认超级用户用户名/密码是什么？

SFTP 使用什么端口？

命令行列出 Windows Active Directory 组中的用户？

什么是 Pem 文件，它与其他 OpenSSL 生成的密钥文件格式有何不同？

如何确定bash变量是否为空？

使用 pam_mysql 的 Postfix SMTP SASL 身份验证不能接受电子邮件地址作为用户名

1 个回答

相关问题