Questions tagged [sasl] (server)

Marty Cagas
Asked: 2022-04-08 14:16:29 +0800 CST

Can PAM be used with Postfix and Dovecot SASL?

  • 0

I have set up Postfix to use Dovecot SASL for PAM and Unix users, and Dovecot LDA (LMTP) for local mailbox storage. After some testing, it turned out that incoming mail was being rejected with the reason:

Error: passdb lookup failed for [user]: Configured passdbs don't support credentials lookups

This is a real hassle. I chose PAM-based authentication because every source I found suggested it was the simplest and most reliable way. I am now having a hard time figuring out what is wrong; I am not sure whether this is really a PAM problem or whether something is wrong with my configuration.

Logs

doveadm lookup test:

$ doveadm auth lookup [user]
Error: passdb lookup failed for [user]: Configured passdbs don't support credentials lookups

Dovecot debug log after the lookup test:

$ cat /var/log/dovecot/dovecot-debug.log | tail -5
[date][time] auth: Debug: master in: PASS    1       [user]  service=doveadm debug
[date][time] auth: Debug: pam([user]): Performing passdb lookup
[date][time] auth: Debug: pam([user]): passdb doesn't support credential lookups
[date][time] auth: Debug: pam([user]): Finished passdb lookup
[date][time] auth: Debug: passdb out: FAIL   1       reason=Configured passdbs don't support credentials lookups

Relevant configuration

The /etc/dovecot/conf.d/10-auth.conf file:

auth_username_format = %Ln
auth_mechanisms = plain login
!include auth-system.conf.ext

The /etc/dovecot/conf.d/auth-system.conf.ext file:

passdb {
    driver = pam 
    args = session=yes failure_show_msg=yes dovecot
}
userdb {
    driver = static
    args = uid=vmail gid=vmail home=/var/vmail/%n
}

The /etc/pam.d/dovecot file is the default one shipped with the Dovecot package on Rocky Linux (same as RHEL, same as Fedora):

#%PAM-1.0
auth       required     pam_nologin.so
auth       include      password-auth
account    include      password-auth
session    include      password-auth

However, I also tried the configuration suggested by the official Dovecot PAM documentation, and it did not produce any different result. I am confident in the rest of my configuration, since I spent a lot of time studying those options, but I still barely understand PAM configuration...

All the logs point to the problem being in Dovecot SASL itself rather than in the Postfix or Dovecot configuration. Any advice would be greatly appreciated.

postfix dovecot pam sasl
  • 1 answer
  • 194 Views
Dom
Asked: 2022-03-11 11:25:35 +0800 CST

How does SASL know to read its configuration from /etc/postfix/sasl?

  • 1

I have set up Postfix to authenticate with SASL on an Ubuntu-based system. I did this by following a few recipes, but mostly by working through a lot of documentation.

Something works, but I do not understand how it works; it is based on a recipe on the Postfix website. I created the file /etc/postfix/sasl/smtpd.conf, which I understand is a SASL configuration file, not a Postfix one. When used with Postfix, how does SASL know to check this location for its configuration? I did not have to configure SASL to point at this directory, so is it hard-coded? Does SASL search other directories for configuration?

postfix sasl
  • 1 answer
  • 32 Views
tsc_chazz
Asked: 2021-12-18 18:00:39 +0800 CST

How does Sendmail determine where SASL is listening?

  • 0

I am trying to get SMTP-AUTH working on a Mint Linux 20.2 machine, but cannot authenticate. I have installed Cyrus sasl2 and it is apparently configured correctly: testsaslauthd -u <user> -p <password> -s smtp returns 0: OK "Success." But when I try to send mail from my client with the same credentials, sendmail fails to authenticate. What puzzles me is that when I use testsaslauthd, entries are generated in the auth log, but when Sendmail tries, nothing. Trying testsaslauthd from a non-root context also results in no auth entries, which leads me to believe that either sendmail does not have enough privileges to connect to the sasl daemon, or it does not know where that pipe is and guesses wrong. So I guess the question is, how does sendmail find that pipe, and who is it running as when it does?

linux sendmail sasl
  • 2 answers
  • 300 Views
Old Geezer
Asked: 2021-02-20 00:56:10 +0800 CST

Getting SENDMAIL (as a client) to use AUTH LOGIN

  • 2

I am trying to use SENDMAIL (v8.15) on a Pi in my network to relay mail to my SendGrid account. This is needed because the old webcams on my network cannot use the very long password SendGrid requires.

Basic SENDMAIL works fine, but AUTH LOGIN is not used when connecting to SendGrid. I have installed the sasl2-bin package. How do I "link" SENDMAIL to use the SASL installed on the machine? Is SASL even needed in this case, when SENDMAIL is running as a client?

My authinfo file contains:

 AuthInfo:smtp.sendgrid.net "U:api.key" "P=cGFzc3dvcmQ=" "M:LOGIN PLAIN"

Apart from the following in my sendmail.mc file, almost everything else is out of the box:

FEATURE(`authinfo')
define(`RELAY_MAILER_ARGS',`TCP $h 25')dnl
define(`SMART_HOST',`smtp.sendgrid.net')dnl
define(`confAUTH_MECHANISMS',`EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_OPTIONS',`A')dnl

After rebuilding and restarting, I still get:

AUTH=client, available mechanisms do not fulfill requirements
AUTH=client, relay=smtp.sendgrid.net., temporary failure, connection abort
stat=Deferred: Temporary AUTH failure

I traced the traffic with TCPDUMP and after SendGrid's EHLO response I see:

250-smtp.sendgrid.net
250-8BITMIME
250-PIPELINING
250-SIZE 31457280
250-STARTTLS
250-AUTH PLAIN LOGIN
250 AUTH=PLAIN LOGIN

The Pi sends a QUIT command. It does not attempt AUTH LOGIN.

What is needed to make SENDMAIL use AUTH LOGIN as a client?

sendmail saslauthd sasl
  • 1 answer
  • 1455 Views
ram khanal
Asked: 2021-02-13 02:28:37 +0800 CST

Dovecot does not authenticate clients on a mail server using postfix with cyrus (for sasl authentication) and dovecot on centos 7

  • 1

Since I have been building a mail server, I have another problem in progress that I could not find on Google, so I am hoping I will get an answer here

So the update is that I created a mail server with postfix, using cyrus for sasl authentication, and now I have attached an imap server to it, for which I am using dovecot.

So far I find that my smtp setup is fine and works as I want, but dovecot has some errors

My configuration is as follows

postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
html_directory = no
inet_interfaces = localhost, <interface ip>
inet_protocols = ipv4
local_recipient_maps = mysql:/etc/postfix/mysql-local.cf
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = ossnepal.com
myhostname = fqdn.mydomain.com
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/fqdn.mydomain.com/cert.pem
smtpd_tls_key_file = /etc/letsencrypt/live/fqdn.mydomain.com/privkey.pem
smtpd_tls_security_level = encrypt
smtpd_use_tls = yes
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mysql-alias.cf, mysql:/etc/postfix/mysql-check_email.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-users.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp

yum install dovecot*

dovecot -n

# 2.2.36 (1f10bfa63): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.4.24 (124e06aa)
# OS: Linux 3.10.0-1160.15.2.el7.x86_64 x86_64 CentOS Linux release 7.9.2009 (Core) xfs
# Hostname: fqdn.mydomain.com
auth_mechanisms = plain login
first_valid_uid = 1000
mail_gid = vmail
mail_location = maildir:/var/vmail/%d/%n
mail_privileged_group = vmail
mail_uid = vmail
managesieve_notify_capability = mailto
managesieve_sieve_capability = fileinto reject envelope encoded-character vacation subaddress comparator-i;ascii-numeric relational regex imap4flags copy include variables body enotify environment mailbox date index ihave duplicate mime foreverypart extracttext
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix = 
}
passdb {
  driver = pam
}
passdb {
  args = /etc/dovecot/dovecot-sql.conf.ext
  driver = sql
}
plugin {
  sieve = file:~/sieve;active=~/.dovecot.sieve
}
service auth-worker {
  user = vmail
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0600
    user = postfix
  }
  unix_listener auth-userdb {
    mode = 0600
    user = vmail
  }
  user = dovecot
}
service imap-login {
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service lmtp {
  unix_listener /var/spool/postfix/private/dovecot-lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
service pop3-login {
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}
ssl = required
ssl_cert = </etc/letsencrypt/live/fqdn.mydomain.com/fullchain.pem
ssl_key =  # hidden, use -P to show it
userdb {
  driver = passwd
}
userdb {
  args = uid=vmail gid=vmail home=/var/vmail/%d/%n allow_all_users=yes
  driver = static
}

cat /etc/dovecot/dovecot-sql.conf.ext

driver = mysql
connect = host=127.0.0.1 dbname=mailserver user=user password=secret
default_pass_scheme = SHA512-CRYPT
password_query = SELECT email as user, password FROM users WHERE email='%u';

tail -f /var/log/maillog

Feb 12 16:02:42 fqdn postfix/smtpd[9116]: connect from unknown[212.70.149.71]
Feb 12 16:02:43 fqdn postfix/smtpd[9116]: disconnect from unknown[212.70.149.71]
Feb 12 16:03:14 fqdn postfix/smtpd[9135]: connect from unknown[192.168.1.1]
Feb 12 16:03:14 fqdn postfix/smtpd[9131]: connect from unknown[192.168.1.1]
Feb 12 16:03:14 fqdn postfix/smtpd[9147]: connect from unknown[192.168.1.1]
Feb 12 16:03:14 fqdn postfix/smtpd[9137]: connect from unknown[192.168.1.1]
Feb 12 16:03:15 fqdn postfix/smtpd[9116]: connect from unknown[192.168.1.1]
Feb 12 16:03:15 fqdn postfix/smtpd[9136]: connect from unknown[192.168.1.1]
Feb 12 16:03:15 fqdn dovecot: imap-login: Aborted login (no auth attempts in 1 secs): user=<>, rip=192.168.1.1, lip=111.11.11.22, session=</BNE9CC7qOl0WuTK>
Feb 12 16:03:15 fqdn postfix/smtpd[9135]: improper command pipelining after EHLO from unknown[192.168.1.1]: QUIT\r\n
Feb 12 16:03:15 fqdn postfix/smtpd[9131]: improper command pipelining after EHLO from unknown[192.168.1.1]: QUIT\r\n
Feb 12 16:03:15 fqdn postfix/smtpd[9131]: disconnect from unknown[192.168.1.1]
Feb 12 16:03:15 fqdn postfix/smtpd[9135]: disconnect from unknown[192.168.1.1]
Feb 12 16:03:15 fqdn dovecot: imap-login: Aborted login (no auth attempts in 1 secs): user=<>, rip=192.168.1.1, lip=111.11.11.22, session=<LBZE9CC7qul0WuTK>
Feb 12 16:03:15 fqdn postfix/smtpd[9137]: improper command pipelining after EHLO from unknown[192.168.1.1]: QUIT\r\n
Feb 12 16:03:15 fqdn postfix/smtpd[9147]: improper command pipelining after EHLO from unknown[192.168.1.1]: QUIT\r\n
Feb 12 16:03:15 fqdn postfix/smtpd[9136]: improper command pipelining after EHLO from unknown[192.168.1.1]: QUIT\r\n
Feb 12 16:03:15 fqdn postfix/smtpd[9116]: improper command pipelining after EHLO from unknown[192.168.1.1]: QUIT\r\n
Feb 12 16:03:15 fqdn postfix/smtpd[9147]: disconnect from unknown[192.168.1.1]
Feb 12 16:03:15 fqdn postfix/smtpd[9136]: disconnect from unknown[192.168.1.1]
Feb 12 16:03:15 fqdn postfix/smtpd[9137]: disconnect from unknown[192.168.1.1]
Feb 12 16:03:15 fqdn postfix/smtpd[9116]: disconnect from unknown[192.168.1.1]
Feb 12 16:03:15 fqdn postfix/smtpd[9135]: connect from unknown[192.168.1.1]
Feb 12 16:03:15 fqdn postfix/smtpd[9148]: connect from unknown[192.168.1.1]
Feb 12 16:03:15 fqdn dovecot: pop3-login: Aborted login (no auth attempts in 1 secs): user=<>, rip=192.168.1.1, lip=111.11.11.22, session=<xxxE9CC7qel0WuTK>
Feb 12 16:03:15 fqdn postfix/smtpd[9135]: lost connection after CONNECT from unknown[192.168.1.1]
Feb 12 16:03:15 fqdn postfix/smtpd[9148]: lost connection after CONNECT from unknown[192.168.1.1]
Feb 12 16:03:15 fqdn postfix/smtpd[9135]: disconnect from unknown[192.168.1.1]
Feb 12 16:03:15 fqdn postfix/smtpd[9148]: disconnect from unknown[192.168.1.1]
Feb 12 16:03:15 fqdn dovecot: pop3-login: Aborted login (no auth attempts in 0 secs): user=<>, rip=192.168.1.1, lip=111.11.11.22, session=<ME1E9CC7q+l0WuTK>
Feb 12 16:03:56 fqdn dovecot: imap-login: Disconnected (auth failed, 3 attempts in 20 secs): user=<user>, method=PLAIN, rip=192.168.1.1, lip=111.11.11.22, TLS, session=<KPmR9SC7tOl0WuTK>
Feb 12 16:04:16 fqdn dovecot: imap-login: Disconnected (auth failed, 3 attempts in 20 secs): user=<[email protected]>, method=PLAIN, rip=192.168.1.1, lip=111.11.11.22, TLS, session=<BRG99iC7tel0WuTK>

I have allowed every required port in the database: 993, 995, 143, 80, 443, 25, 587, 465, 110.....

My table structure is the same as on this site

http://blog.vettore.org/centos-7-or-rhel-very-simple-configuration-of-a-mailserver-with-postfix-dovecot-mysql-part-1/

I followed this article for the setup

https://www.linode.com/docs/guides/email-with-postfix-dovecot-and-mariadb-on-centos-7/

linux email postfix dovecot sasl
  • 2 answers
  • 510 Views
ram khanal
Asked: 2021-02-08 10:08:57 +0800 CST

mysql not authenticating with cyrus for postfix authentication

  • 0

So I have been building a mail server. I have set up postfix and a database, and now what I want is for cyrus to authenticate my mail server users against the database I have already set up; now I am running into some problems

yum -y install cyrus-sasl*

My postconf -n looks like this

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
cyrus_sasl_config_path = /etc/sasl2/
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
html_directory = no
inet_interfaces = localhost, 192.168.1.1
inet_protocols = ipv4
local_recipient_maps = mysql:/etc/postfix/mysql-local.cf
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = domain.com
myhostname = my.domain.com
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_security_level = may
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = cyrus
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/server.crt
smtpd_tls_key_file = /etc/postfix/ssl/server.key
smtpd_tls_security_level = may
smtpd_use_tls = yes
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-aliases.cf
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-users.cf

My postconf -M looks like this

smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_auth_enable=yes
  -o broken_sasl_auth_clients=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps      inet  n       -       n       -       -       smtpd
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_auth_enable=yes
  -o broken_sasl_auth_clients=yes
  -o syslog_name=postfix/smtps
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
pickup     unix  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       unix  n       -       n       300     1       qmgr
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
proxywrite unix  -       -       n       -       1       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
retry      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache


cat /etc/sasl2/smtpd.conf

pwcheck_method: saslauthd
auxprop_plugin: mysql
mech_list: PLAIN LOGIN
sql_engine: mysql
sql_hostnames: 127.0.0.1, localhost
sql_user: postfix
sql_passwd: password
sql_database: server
sql_select: SELECT password FROM users WHERE email = '%u'


Now the problem is that when I try from mysql, I cannot authenticate the users in the database

cat /etc/imapd.conf

configdirectory: /var/lib/imap
partition-default: /var/spool/imap
admins: cyrus
sievedir: /var/lib/imap/sieve
sendmail: /usr/sbin/sendmail
hashimapspool: true
sasl_pwcheck_method: saslauthd
sasl_mech_list: PLAIN LOGIN
allowplaintext: no
defaultdomain: mail
tls_cert_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_key_file: /etc/pki/cyrus-imapd/cyrus-imapd.pem
tls_ca_file: /etc/pki/tls/certs/ca-bundle.crt
# uncomment this if you're operating in a DSCP environment (RFC-4594)
# qosmarking: af13

cat /etc/cyrus.conf

# standard standalone server implementation

START {
  # do not delete this entry!
  recover       cmd="ctl_cyrusdb -r"

  # this is only necessary if using idled for IMAP IDLE
  idled         cmd="idled"
}

# UNIX sockets start with a slash and are put into /var/lib/imap/sockets
SERVICES {
  # add or remove based on preferences
  imap          cmd="imapd" listen="imap" prefork=5
  imaps         cmd="imapd -s" listen="imaps" prefork=1
  pop3          cmd="pop3d" listen="pop3" prefork=3
  pop3s         cmd="pop3d -s" listen="pop3s" prefork=1
  sieve         cmd="timsieved" listen="sieve" prefork=0

  # these are only necessary if receiving/exporting usenet via NNTP
#  nntp         cmd="nntpd" listen="nntp" prefork=3
#  nntps                cmd="nntpd -s" listen="nntps" prefork=1

  # at least one LMTP is required for delivery
#  lmtp         cmd="lmtpd" listen="lmtp" prefork=0
  lmtpunix      cmd="lmtpd" listen="/var/lib/imap/socket/lmtp" prefork=1

  # this is only necessary if using notifications
#  notify       cmd="notifyd" listen="/var/lib/imap/socket/notify" proto="udp" prefork=1
}

EVENTS {
  # this is required
  checkpoint    cmd="ctl_cyrusdb -c" period=30

  # this is only necessary if using duplicate delivery suppression,
  # Sieve or NNTP
  delprune      cmd="cyr_expire -E 3" at=0400

  # this is only necessary if caching TLS sessions
  tlsprune      cmd="tls_prune" at=0400
}

So can anyone get me out of this problem, thanks....

linux email postfix sasl cyrus
  • 1 answer
  • 153 Views
John Siu
Asked: 2021-01-20 08:12:21 +0800 CST

Postfix + sasldb problem (resolved as of March 2021)

  • 1

PS (RESOLVED: as of March 2021, the Alpine Linux solution is the fix in cyrus-sasl 2.1.27-r12, which is in the edge branch. 3.13 only has cyrus-sasl 2.1.27-r10.)

PS: I know there are similar posts, but they are very dated, like 2015. My problem is from 2021; it was still working last year.

I am using postfix with sasldb2 in an alpine:edge docker container. But recently (January 2021) I found that it stopped working. The situation is odd because the same /etc/sasl2/sasldb2 file works with saslauthd, but not if I use the auxprop setup.

Using sasldb2 (not working)

/etc/sasl2/smtpd.conf

pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN

Postfix log:

Jan 17 07:46:07 johnsiu postfix/smtpd[108]: connect from mail-ej1-x635.google.com[2a00:1450:4864:20::635]
Jan 17 07:46:08 johnsiu postfix/smtpd[108]: warning: SASL authentication failure: Couldn't fetch entry from /etc/sasl2/sasldb2
Jan 17 07:46:08 johnsiu postfix/smtpd[108]: warning: SASL authentication failure: Password verification failed
Jan 17 07:46:08 johnsiu postfix/smtpd[108]: warning: mail-ej1-x635.google.com[2a00:1450:4864:20::635]: SASL PLAIN authentication failed: generic failure
Jan 17 07:46:08 johnsiu postfix/smtpd[108]: lost connection after AUTH from mail-ej1-x635.google.com[2a00:1450:4864:20::635]
Jan 17 07:46:08 johnsiu postfix/smtpd[108]: disconnect from mail-ej1-x635.google.com[2a00:1450:4864:20::635] ehlo=2 starttls=1 auth=0/1 commands=3/4

Using saslauthd (working)

/etc/sasl2/smtpd.conf

pwcheck_method: saslauthd
mech_list: PLAIN

Running saslauthd manually:

saslauthd -a sasldb -d

Output:

saslauthd[125] :num_procs : 5
saslauthd[125] :mech_option: NULL
saslauthd[125] :run_path : /run/saslauthd
saslauthd[125] :auth_mech : sasldb
saslauthd[125] :using accept lock file: /run/saslauthd/mux.accept
saslauthd[125] :master pid is: 0
saslauthd[125] :listening on socket: /run/saslauthd/mux
saslauthd[125] :using process model
saslauthd[125] :forked child: 126
saslauthd[125] :forked child: 127
saslauthd[125] :forked child: 128
saslauthd[125] :forked child: 129
saslauthd[125] :acquired accept lock

saslauthd[125] :released accept lock
saslauthd[129] :acquired accept lock
saslauthd[125] :auth success: [user=test] [service=smtp] [realm=example.org] [mech=sasldb]
saslauthd[125] :response: OK

Postfix log:

Jan 17 07:48:41 johnsiu postfix/smtpd[120]: connect from mail-ej1-x631.google.com[2a00:1450:4864:20::631]
Jan 17 07:48:42 johnsiu postfix/smtpd[120]: disconnect from mail-ej1-x631.google.com[2a00:1450:4864:20::631] ehlo=2 starttls=1 auth=1 quit=1 commands=5

OS version

# cat /etc/os-release

NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.13.0_alpha20201218
PRETTY_NAME="Alpine Linux edge"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://bugs.alpinelinux.org/"

Installed packages

apk list -I|sort

WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/edge/main: No such file or directory
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/edge/community: No such file or directory
alpine-baselayout-3.2.0-r8 x86_64 {alpine-baselayout} (GPL-2.0-only) [installed]
alpine-keys-2.2-r0 x86_64 {alpine-keys} (MIT) [installed]
apk-tools-2.12.0-r3 x86_64 {apk-tools} (GPL-2.0-only) [installed]
busybox-1.32.0-r8 x86_64 {busybox} (GPL-2.0-only) [installed]
ca-certificates-20191127-r5 x86_64 {ca-certificates} (MPL-2.0 AND MIT) [installed]
ca-certificates-bundle-20191127-r5 x86_64 {ca-certificates} (MPL-2.0 AND MIT) [installed]
cyrus-sasl-2.1.27-r10 x86_64 {cyrus-sasl} (custom) [installed]
cyrus-sasl-crammd5-2.1.27-r10 x86_64 {cyrus-sasl} (custom) [installed]
cyrus-sasl-digestmd5-2.1.27-r10 x86_64 {cyrus-sasl} (custom) [installed]
cyrus-sasl-gs2-2.1.27-r10 x86_64 {cyrus-sasl} (custom) [installed]
cyrus-sasl-gssapiv2-2.1.27-r10 x86_64 {cyrus-sasl} (custom) [installed]
cyrus-sasl-login-2.1.27-r10 x86_64 {cyrus-sasl} (custom) [installed]
cyrus-sasl-ntlm-2.1.27-r10 x86_64 {cyrus-sasl} (custom) [installed]
cyrus-sasl-scram-2.1.27-r10 x86_64 {cyrus-sasl} (custom) [installed]
gdbm-1.19-r0 x86_64 {gdbm} (GPL-3.0-or-later) [installed]
heimdal-libs-7.7.0-r4 x86_64 {heimdal} (BSD-3-Clause) [installed]
icu-libs-67.1-r2 x86_64 {icu} (MIT ICU Unicode-TOU) [installed]
krb5-conf-1.0-r2 x86_64 {krb5-conf} (MIT) [installed]
libc-utils-0.7.2-r3 x86_64 {libc-dev} (BSD-2-Clause AND BSD-3-Clause) [installed]
libcom_err-1.45.6-r1 x86_64 {e2fsprogs} (GPL-2.0-or-later AND LGPL-2.0-or-later AND BSD-3-Clause AND MIT) [installed]
libcrypto1.1-1.1.1i-r0 x86_64 {openssl} (OpenSSL) [installed]
libgcc-10.2.1_pre1-r3 x86_64 {gcc} (GPL-2.0-or-later LGPL-2.1-or-later) [installed]
libsasl-2.1.27-r10 x86_64 {cyrus-sasl} (custom) [installed]
libssl1.1-1.1.1i-r0 x86_64 {openssl} (OpenSSL) [installed]
libstdc++-10.2.1_pre1-r3 x86_64 {gcc} (GPL-2.0-or-later LGPL-2.1-or-later) [installed]
libtls-standalone-2.9.1-r1 x86_64 {libtls-standalone} (ISC) [installed]
lmdb-0.9.27-r0 x86_64 {lmdb} (OLDAP-2.8) [installed]
musl-1.2.2_pre6-r0 x86_64 {musl} (MIT) [installed]
musl-utils-1.2.2_pre6-r0 x86_64 {musl} (MIT BSD GPL2+) [installed]
ncurses-libs-6.2_p20210109-r0 x86_64 {ncurses} (MIT) [installed]
ncurses-terminfo-base-6.2_p20210109-r0 x86_64 {ncurses} (MIT) [installed]
postfix-3.5.8-r0 x86_64 {postfix} (IPL-1.0 EPL-2.0) [installed]
readline-8.1.0-r0 x86_64 {readline} (GPL-2.0-or-later) [installed]
scanelf-1.2.6-r1 x86_64 {pax-utils} (GPL-2.0-only) [installed]
sqlite-libs-3.34.0-r1 x86_64 {sqlite} (Public-Domain) [installed]
ssl_client-1.32.0-r8 x86_64 {busybox} (GPL-2.0-only) [installed]
tzdata-2020f-r0 x86_64 {tzdata} (Public-Domain) [installed]
zlib-1.2.11-r3 x86_64 {zlib} (Zlib) [installed]

I am not sure whether this is an alpine distribution problem, a postfix problem, or a cyrus-sasl problem.

My docker container: https://hub.docker.com/repository/docker/jsiu/postfix

The problem persists after updating to postfix 3.5.9-r0.

Test results:

/ # ls -lh /run/saslauthd/
total 4K
srwxrwxrwx    1 root     root           0 Feb 18 02:36 mux
-rw-------    1 root     root           0 Feb 18 02:36 mux.accept
-rw-------    1 root     root           4 Feb 18 02:36 saslauthd.pid

The following syntax works:

/ # testsaslauthd -f /run/saslauthd/mux -r **** -u **** -p ****

But the following does not work:

/ # testsaslauthd -f /run/saslauthd/mux -s"smtpd" -u"****@****" -p"****"
0: NO "authentication failed"

Tried single quotes, double quotes, no quotes, spaces, passwords, same result.

Output of 'saslauthd -a sasldb -d' for the failed attempt:

/etc/postfix # saslauthd -a sasldb -d
saslauthd[195] :num_procs  : 5
saslauthd[195] :mech_option: NULL
saslauthd[195] :run_path   : /run/saslauthd
saslauthd[195] :auth_mech  : sasldb
saslauthd[195] :using accept lock file: /run/saslauthd/mux.accept
saslauthd[195] :master pid is: 0
saslauthd[195] :listening on socket: /run/saslauthd/mux
saslauthd[195] :using process model
saslauthd[195] :forked child: 196
saslauthd[196] :acquired accept lock
saslauthd[195] :forked child: 197
saslauthd[195] :forked child: 198
saslauthd[195] :forked child: 199
saslauthd[198] :acquired accept lock
saslauthd[196] :released accept lock
saslauthd[196] :auth failure: [user=****@****] [service=smtpd] [realm=] [mech=sasldb] [reason=Unknown]
saslauthd[196] :response: NO

postfix alpine sasl
  • 3 answers
  • 1566 Views
TommyPeanuts
Asked: 2021-01-05 05:04:25 +0800 CST

Postfix: how to malware- and spam-scan outgoing mail from SMTP SASL-authenticated users?

  • 0

Although I have found two answers, I cannot work out how to actually implement them, and at least one of them does not really answer the question. So if anyone has any experience to share, I would be very grateful.

I have a server running Postfix (Ubuntu 18.04). I already use postfwd to rate-limit SASL senders, and Amavis and other things to scan outgoing mail from the local machine/network (e.g. from the web server). That works fine and looks like this in main.cf:

smtpd_sender_restrictions =
    check_client_access cidr:/etc/postfix/internal_clients_filter,
    permit_mynetworks, 
    reject_unknown_sender_domain

In master.cf

senderCheck  unix  -       n       n       -       15       spawn
  user=nobody argv=/opt/policyd/src/policyd.pl  max_idle=30 max_use=50 daemon_timeout=50

127.0.0.1:10025 inet    n    -    n    -    -    smtpd
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o mynetworks=127.0.0.0/8
    -o smtpd_data_restrictions=
    -o smtpd_end_of_data_restrictions=
    -o local_header_rewrite_clients=
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o smtpd_milters=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings

How can I put SASL senders (who by definition are not on my network) through spam and malware scanning in the same way as local senders?

spam postfix spamassassin sasl amavis
  • 1 answer
  • 307 Views
Michael
Asked: 2021-01-04 02:43:26 +0800 CST

Postfix SASL authentication via Dovecot - can I use the SASL login name in my postfix sql query?

  • 0

I have a mail server with postfix, dovecot and mysql running on Debian buster.

So far everything works fine, but I want to set up a scenario in which the login name used for SASL authentication differs from the user part of the recipient domain.

Example:

Login name used for SASL auth: myusername
Sender email address: [email protected]

Authentication with dovecot works fine, since I use the login name as a variable in dovecot.

But before postfix actually submits the email, I want to verify that the sender address is really owned by the logged-in user. So I added the smtpd_sender_login_maps option to the submission service in master.cf, pointing at a mysql table.

  -o smtpd_sender_login_maps=proxy:mysql:/etc/postfix/mysql/sender-login-maps.cf

According to postfix's mysql-table manual (http://www.postfix.org/mysql_table.5.html), the only available variables are %s, %u and %d, and all of them relate to the sender address, i.e.:

%s = [email protected]
%u = sender
%d = domain.com

Is there a way to use the original SASL login name ('myusername') in my SQL query?

postfix sasl
  • 1 answer
  • 122 Views
71GA
Asked: 2020-12-15 12:46:36 +0800 CST

Using the "postfix" user for "dovecot"

  • 0

I set up Postfix so that the mailboxes of my virtual users (maildir format) are laid out as follows:

┌───┐
│ # │ root > myserver > ~
└─┬─┘
  └─> ls -l /var/mail/
total 4
drwxr-sr-x 5 postfix postfix 4096 Dec  2 12:27 pistam.eu

┌───┐
│ # │ root > myserver > ~
└─┬─┘
  └─> ls -l /var/mail/domain.eu/
total 12
drwx--S--- 5 postfix postfix 4096 Dec  2 12:10 user_1
drwx--S--- 5 postfix postfix 4096 Dec  1 22:35 user_2

┌───┐
│ # │ root > myserver > ~
└─┬─┘
  └─> ls -l /var/mail/domain.eu/user_1/
total 12
drwx--S--- 2 postfix postfix 4096 Dec  2 12:27 cur
drwx--S--- 2 postfix postfix 4096 Dec 13 15:17 new
drwx--S--- 2 postfix postfix 4096 Dec 13 15:17 tmp

Now I am setting up a Dovecot server (IMAPS/SASL) and I want to use a single system user to manage all the mailboxes of all Postfix virtual users. I have seen many articles where admins create a vmail user, e.g.:

# useradd -r -m -d /home/vmail vmail

They then set these two lines in /etc/dovecot/conf.d/10-master.conf:

mail_access_groups = vmail
default_login_user = vmail

But in my case the postfix group has the "setuid" bit, which means those folders will always be operated on by the postfix user.

So what is the point of creating the vmail user? Why not just use the postfix user for Dovecot instead? Are there risks in doing so? The Dovecot installation also created these two users:

┌───┐
│ # │ root > myserver > ~
└─┬─┘
  └─> cat /etc/passwd | grep dove
dovecot:x:112:118:Dovecot mail server,,,:/usr/lib/dovecot:/usr/sbin/nologin
dovenull:x:113:119:Dovecot login user,,,:/nonexistent:/usr/sbin/nologin

Why not use one of those? There are also these two hints in the /etc/dovecot/conf.d/10-master.conf configuration file:

# Login user is internally used by login processes. This is the most untrusted
# user in Dovecot system. It shouldn't have access to anything at all.
#default_login_user = dovenull

# Internal user is used by unprivileged processes. It should be separate from
# login user, so that login processes can't disturb other processes.
#default_internal_user = dovecot

postfix dovecot sasl
  • 1 answer
  • 53 Views