AskOverflow.Dev

John Siu's questions

John Siu
Asked: 2023-10-14 02:00:12 +0800 CST

Windows Event ID 4735 but no information?

  • 6

We are receiving a lot of Event ID 4735 events, like the following:

Subject:
    Security ID:        SYSTEM
    Account Name:       xxx$
    Account Domain:     xxx
    Logon ID:       0x3E7

Group:
    Security ID:        BUILTIN\Administrators
    Group Name:     Administrators
    Group Domain:       Builtin

Changed Attributes:
    SAM Account Name:   -
    SID History:        -

Additional Information:
    Privileges:     -
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{xxx}" />
    <EventID>4735</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13826</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2023-10-13T16:56:50.930730000Z" />
    <EventRecordID>113144987</EventRecordID>
    <Correlation ActivityID="{xxx}" />
    <Execution ProcessID="840" ThreadID="10404" />
    <Channel>Security</Channel>
    <Computer>xxx</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">Administrators</Data>
    <Data Name="TargetDomainName">Builtin</Data>
    <Data Name="TargetSid">S-xxx</Data>
    <Data Name="SubjectUserSid">S-xxx</Data>
    <Data Name="SubjectUserName">xxx$</Data>
    <Data Name="SubjectDomainName">xxx</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="PrivilegeList">-</Data>
    <Data Name="SamAccountName">-</Data>
    <Data Name="SidHistory">-</Data>
  </EventData>
</Event>

According to the documentation, "This event is logged on domain controllers for Active Directory domain local groups, for changes to the security-enabled local group identified in the Group field." However, it does not seem to contain any information about what was changed. "PrivilegeList", "SamAccountName" and "SidHistory" are all "-".

We see this on both DCs and member servers.

Does anyone have a clue?

windows
  • 2 answers
  • 67 Views
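For triaging a stream of such events, the useful defender's check is whether a 4735 actually carries a tracked attribute change at all: the event only reports the SAM account name, SID history and privilege fields, and a "-" in every one of them means nothing was recorded for those fields (membership changes are logged by separate events, 4732 for a member added and 4733 for a member removed from a security-enabled local group). The script below is an added example, not part of the question or any answer to it; it parses the Event XML, labels each event as "attribute-change" or "no-tracked-change", and notes whether the subject is the local SYSTEM account (logon ID 0x3e7), so the no-change events can be suppressed or correlated in bulk instead of alerted on one by one. The sample event is constructed to mirror the one in the question; the SIDs, GUID and hostname in it are placeholders.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# The fields 4735 reports under "Changed Attributes" and "Additional Information";
# a value of "-" means nothing was recorded for that field.
TRACKED = ("SamAccountName", "SidHistory", "PrivilegeList")
SYSTEM_LOGON_ID = "0x3e7"  # well-known logon ID of the local SYSTEM account

# Constructed sample modelled on the event in the question.  The GUID, SIDs and
# hostname are placeholders (S-1-5-32-544 is BUILTIN\Administrators, S-1-5-18 is SYSTEM).
SAMPLE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{00000000-0000-0000-0000-000000000000}" />
    <EventID>4735</EventID>
    <TimeCreated SystemTime="2023-10-13T16:56:50.930730000Z" />
    <EventRecordID>1</EventRecordID>
    <Channel>Security</Channel>
    <Computer>dc01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">Administrators</Data>
    <Data Name="TargetDomainName">Builtin</Data>
    <Data Name="TargetSid">S-1-5-32-544</Data>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">DC01$</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="PrivilegeList">-</Data>
    <Data Name="SamAccountName">-</Data>
    <Data Name="SidHistory">-</Data>
  </EventData>
</Event>"""


def parse_event(xml_text):
    """Return (event_id, computer, {Data Name: value}) from a Security event's XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    computer = root.find("e:System/e:Computer", NS).text
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, computer, data


def triage_4735(xml_text):
    """Classify one 4735 event by whether any tracked field holds a real value."""
    event_id, computer, data = parse_event(xml_text)
    if event_id != 4735:
        return {"event_id": event_id, "verdict": "not-4735"}
    changed = {k: data[k] for k in TRACKED if data.get(k, "-") != "-"}
    return {
        "event_id": event_id,
        "computer": computer,
        "group": data.get("TargetDomainName", "") + "\\" + data.get("TargetUserName", ""),
        "subject": data.get("SubjectDomainName", "") + "\\" + data.get("SubjectUserName", ""),
        "subject_is_system": data.get("SubjectLogonId", "").lower() == SYSTEM_LOGON_ID,
        "changed": changed,
        "verdict": "attribute-change" if changed else "no-tracked-change",
    }


def tally(events):
    """Count verdicts over a batch of event XML strings."""
    return Counter(triage_4735(e)["verdict"] for e in events)


if __name__ == "__main__":
    # Second constructed event: same group, but with a renamed SAM account name.
    renamed = SAMPLE.replace('<Data Name="SamAccountName">-</Data>',
                             '<Data Name="SamAccountName">LocalAdmins</Data>')
    for ev in (SAMPLE, renamed):
        print(triage_4735(ev))
    print(tally([SAMPLE, renamed]))
```

Run against exported events (for example the XML from `wevtutil qe Security /q:"*[System[EventID=4735]]" /f:xml`), the verdict split tells you how much of the 4735 volume is the all-dash variety before you decide on a suppression or correlation rule.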
John Siu
Asked: 2021-01-20 08:12:21 +0800 CST

Postfix + sasldb problem (resolved as of March 2021)

  • 1

PS (resolved: as of March 2021 the Alpine Linux fix, in cyrus-sasl 2.1.27-r12, is in the edge branch. 3.13 only has cyrus-sasl 2.1.27-r10.)

PS: I know there are similar posts, but they are very outdated, from around 2015. My problem is in 2021, and it was still working last year.

I am using Postfix with sasldb2 in an alpine:edge docker container. But recently (January 2021) I found it stopped working. The situation is strange, because the same /etc/sasl2/sasldb2 file works with saslauthd, but not if I use the auxprop setup.

Using sasldb2 (not working)

/etc/sasl2/smtpd.conf

pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN

Postfix log:

Jan 17 07:46:07 johnsiu postfix/smtpd[108]: connect from mail-ej1-x635.google.com[2a00:1450:4864:20::635]
Jan 17 07:46:08 johnsiu postfix/smtpd[108]: warning: SASL authentication failure: Couldn't fetch entry from /etc/sasl2/sasldb2
Jan 17 07:46:08 johnsiu postfix/smtpd[108]: warning: SASL authentication failure: Password verification failed
Jan 17 07:46:08 johnsiu postfix/smtpd[108]: warning: mail-ej1-x635.google.com[2a00:1450:4864:20::635]: SASL PLAIN authentication failed: generic failure
Jan 17 07:46:08 johnsiu postfix/smtpd[108]: lost connection after AUTH from mail-ej1-x635.google.com[2a00:1450:4864:20::635]
Jan 17 07:46:08 johnsiu postfix/smtpd[108]: disconnect from mail-ej1-x635.google.com[2a00:1450:4864:20::635] ehlo=2 starttls=1 auth=0/1 commands=3/4

Using saslauthd (working)

/etc/sasl2/smtpd.conf

pwcheck_method: saslauthd
mech_list: PLAIN

Running saslauthd manually:

saslauthd -a sasldb -d

Output:

saslauthd[125] :num_procs : 5
saslauthd[125] :mech_option: NULL
saslauthd[125] :run_path : /run/saslauthd
saslauthd[125] :auth_mech : sasldb
saslauthd[125] :using accept lock file: /run/saslauthd/mux.accept
saslauthd[125] :master pid is: 0
saslauthd[125] :listening on socket: /run/saslauthd/mux
saslauthd[125] :using process model
saslauthd[125] :forked child: 126
saslauthd[125] :forked child: 127
saslauthd[125] :forked child: 128
saslauthd[125] :forked child: 129
saslauthd[125] :acquired accept lock

saslauthd[125] :released accept lock
saslauthd[129] :acquired accept lock
saslauthd[125] :auth success: [user=test] [service=smtp] [realm=example.org] [mech=sasldb]
saslauthd[125] :response: OK

Postfix log:

Jan 17 07:48:41 johnsiu postfix/smtpd[120]: connect from mail-ej1-x631.google.com[2a00:1450:4864:20::631]
Jan 17 07:48:42 johnsiu postfix/smtpd[120]: disconnect from mail-ej1-x631.google.com[2a00:1450:4864:20::631] ehlo=2 starttls=1 auth=1 quit=1 commands=5

OS version

# cat /etc/os-release

NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.13.0_alpha20201218
PRETTY_NAME="Alpine Linux edge"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://bugs.alpinelinux.org/"

Installed packages

apk list -I|sort

WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/edge/main: No such file or directory
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/edge/community: No such file or directory
alpine-baselayout-3.2.0-r8 x86_64 {alpine-baselayout} (GPL-2.0-only) [installed]
alpine-keys-2.2-r0 x86_64 {alpine-keys} (MIT) [installed]
apk-tools-2.12.0-r3 x86_64 {apk-tools} (GPL-2.0-only) [installed]
busybox-1.32.0-r8 x86_64 {busybox} (GPL-2.0-only) [installed]
ca-certificates-20191127-r5 x86_64 {ca-certificates} (MPL-2.0 AND MIT) [installed]
ca-certificates-bundle-20191127-r5 x86_64 {ca-certificates} (MPL-2.0 AND MIT) [installed]
cyrus-sasl-2.1.27-r10 x86_64 {cyrus-sasl} (custom) [installed]
cyrus-sasl-crammd5-2.1.27-r10 x86_64 {cyrus-sasl} (custom) [installed]
cyrus-sasl-digestmd5-2.1.27-r10 x86_64 {cyrus-sasl} (custom) [installed]
cyrus-sasl-gs2-2.1.27-r10 x86_64 {cyrus-sasl} (custom) [installed]
cyrus-sasl-gssapiv2-2.1.27-r10 x86_64 {cyrus-sasl} (custom) [installed]
cyrus-sasl-login-2.1.27-r10 x86_64 {cyrus-sasl} (custom) [installed]
cyrus-sasl-ntlm-2.1.27-r10 x86_64 {cyrus-sasl} (custom) [installed]
cyrus-sasl-scram-2.1.27-r10 x86_64 {cyrus-sasl} (custom) [installed]
gdbm-1.19-r0 x86_64 {gdbm} (GPL-3.0-or-later) [installed]
heimdal-libs-7.7.0-r4 x86_64 {heimdal} (BSD-3-Clause) [installed]
icu-libs-67.1-r2 x86_64 {icu} (MIT ICU Unicode-TOU) [installed]
krb5-conf-1.0-r2 x86_64 {krb5-conf} (MIT) [installed]
libc-utils-0.7.2-r3 x86_64 {libc-dev} (BSD-2-Clause AND BSD-3-Clause) [installed]
libcom_err-1.45.6-r1 x86_64 {e2fsprogs} (GPL-2.0-or-later AND LGPL-2.0-or-later AND BSD-3-Clause AND MIT) [installed]
libcrypto1.1-1.1.1i-r0 x86_64 {openssl} (OpenSSL) [installed]
libgcc-10.2.1_pre1-r3 x86_64 {gcc} (GPL-2.0-or-later LGPL-2.1-or-later) [installed]
libsasl-2.1.27-r10 x86_64 {cyrus-sasl} (custom) [installed]
libssl1.1-1.1.1i-r0 x86_64 {openssl} (OpenSSL) [installed]
libstdc++-10.2.1_pre1-r3 x86_64 {gcc} (GPL-2.0-or-later LGPL-2.1-or-later) [installed]
libtls-standalone-2.9.1-r1 x86_64 {libtls-standalone} (ISC) [installed]
lmdb-0.9.27-r0 x86_64 {lmdb} (OLDAP-2.8) [installed]
musl-1.2.2_pre6-r0 x86_64 {musl} (MIT) [installed]
musl-utils-1.2.2_pre6-r0 x86_64 {musl} (MIT BSD GPL2+) [installed]
ncurses-libs-6.2_p20210109-r0 x86_64 {ncurses} (MIT) [installed]
ncurses-terminfo-base-6.2_p20210109-r0 x86_64 {ncurses} (MIT) [installed]
postfix-3.5.8-r0 x86_64 {postfix} (IPL-1.0 EPL-2.0) [installed]
readline-8.1.0-r0 x86_64 {readline} (GPL-2.0-or-later) [installed]
scanelf-1.2.6-r1 x86_64 {pax-utils} (GPL-2.0-only) [installed]
sqlite-libs-3.34.0-r1 x86_64 {sqlite} (Public-Domain) [installed]
ssl_client-1.32.0-r8 x86_64 {busybox} (GPL-2.0-only) [installed]
tzdata-2020f-r0 x86_64 {tzdata} (Public-Domain) [installed]
zlib-1.2.11-r3 x86_64 {zlib} (Zlib) [installed]

I am not sure whether this is an Alpine distro problem, a Postfix problem, or a cyrus-sasl problem.

My docker container: https://hub.docker.com/repository/docker/jsiu/postfix

The problem persists after updating to postfix 3.5.9-r0.


Test results:

/ # ls -lh /run/saslauthd/
total 4K
srwxrwxrwx    1 root     root           0 Feb 18 02:36 mux
-rw-------    1 root     root           0 Feb 18 02:36 mux.accept
-rw-------    1 root     root           4 Feb 18 02:36 saslauthd.pid

The following syntax works:

/ # testsaslauthd -f /run/saslauthd/mux -r **** -u **** -p ****

But the following does not work:

/ # testsaslauthd -f /run/saslauthd/mux -s"smtpd" -u"****@****" -p"****"
0: NO "authentication failed"

Tried single quotes, double quotes, no quotes, spaces, and the password, but got the same result.

Output of 'saslauthd -a sasldb -d' for a failed attempt:

/etc/postfix # saslauthd -a sasldb -d
saslauthd[195] :num_procs  : 5
saslauthd[195] :mech_option: NULL
saslauthd[195] :run_path   : /run/saslauthd
saslauthd[195] :auth_mech  : sasldb
saslauthd[195] :using accept lock file: /run/saslauthd/mux.accept
saslauthd[195] :master pid is: 0
saslauthd[195] :listening on socket: /run/saslauthd/mux
saslauthd[195] :using process model
saslauthd[195] :forked child: 196
saslauthd[196] :acquired accept lock
saslauthd[195] :forked child: 197
saslauthd[195] :forked child: 198
saslauthd[195] :forked child: 199


saslauthd[198] :acquired accept lock
saslauthd[196] :released accept lock
saslauthd[196] :auth failure: [user=****@****] [service=smtpd] [realm=] [mech=sasldb] [reason=Unknown]
saslauthd[196] :response: NO
postfix alpine sasl
  • 3 answers
  • 1566 Views
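The smtpd lines in the question are also the lines a mail operator watches to tell a server-side SASL backend fault from ordinary failed logins: a `Couldn't fetch entry from /etc/sasl2/sasldb2` warning before the `SASL PLAIN authentication failed` line points at the lookup backend (the database being unreadable or the entry not being found), whereas failed logins without it are credential mismatches that should feed rate-based alerting per client. The script below is an added example, not part of the question or any of its answers; it summarises per-client outcomes from smtpd log lines, using the `auth=ok/tried` field of the `disconnect` line for successes and tying lookup-error warnings to the failure that follows them via the smtpd process ID. The log excerpt is constructed to mirror the question's lines, with placeholder hostnames and TEST-NET addresses.

```python
import re
from collections import defaultdict

# Constructed log excerpt modelled on the smtpd lines in the question above;
# hostnames and addresses are placeholders, not the real clients.
SAMPLE_LOG = """\
Jan 17 07:46:07 mx postfix/smtpd[108]: connect from client-a.example.net[192.0.2.10]
Jan 17 07:46:08 mx postfix/smtpd[108]: warning: SASL authentication failure: Couldn't fetch entry from /etc/sasl2/sasldb2
Jan 17 07:46:08 mx postfix/smtpd[108]: warning: SASL authentication failure: Password verification failed
Jan 17 07:46:08 mx postfix/smtpd[108]: warning: client-a.example.net[192.0.2.10]: SASL PLAIN authentication failed: generic failure
Jan 17 07:46:08 mx postfix/smtpd[108]: lost connection after AUTH from client-a.example.net[192.0.2.10]
Jan 17 07:46:08 mx postfix/smtpd[108]: disconnect from client-a.example.net[192.0.2.10] ehlo=2 starttls=1 auth=0/1 commands=3/4
Jan 17 07:48:41 mx postfix/smtpd[120]: connect from client-b.example.net[192.0.2.20]
Jan 17 07:48:42 mx postfix/smtpd[120]: disconnect from client-b.example.net[192.0.2.20] ehlo=2 starttls=1 auth=1 quit=1 commands=5
"""

# syslog prefix + smtpd pid; the pid is the key that links warnings to the client they belong to
SMTPD = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CLIENT = re.compile(r"[\w.-]+\[(?P<addr>[0-9a-fA-F:.]+)\]")      # hostname[address]
AUTH = re.compile(r"\bauth=(?P<ok>\d+)(?:/(?P<tried>\d+))?")    # disconnect summary field
LOOKUP_ERROR = "Couldn't fetch entry from"


def summarise(log_text):
    """Per-client counts of failed logins, successful logins and backend lookup errors."""
    per_client = defaultdict(lambda: {"failed": 0, "succeeded": 0, "lookup_errors": 0})
    pending_lookup_errors = defaultdict(int)  # lookup warnings not yet attributed, by pid
    for line in log_text.splitlines():
        m = SMTPD.match(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        # The backend warning names no client; hold it until the per-client failure line.
        if msg.startswith("warning: SASL authentication failure:") and LOOKUP_ERROR in msg:
            pending_lookup_errors[pid] += 1
            continue
        c = CLIENT.search(msg)
        if not c:
            continue
        addr = c.group("addr")
        if "SASL" in msg and "authentication failed" in msg:
            per_client[addr]["failed"] += 1
            per_client[addr]["lookup_errors"] += pending_lookup_errors.pop(pid, 0)
        elif msg.startswith("disconnect from"):
            a = AUTH.search(msg)
            if a:
                per_client[addr]["succeeded"] += int(a.group("ok"))
    return dict(per_client)


def flag_clients(summary, threshold):
    """Clients whose failed-login count reaches the threshold (rate-based alerting)."""
    return sorted(addr for addr, s in summary.items() if s["failed"] >= threshold)


def backend_trouble(summary):
    """Clients whose every failure was preceded by a lookup error: suspect the server, not the password."""
    return sorted(addr for addr, s in summary.items()
                  if s["failed"] and s["lookup_errors"] >= s["failed"])


if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG)
    for addr, counts in summary.items():
        print(addr, counts)
    print("failed-login alerts:", flag_clients(summary, 1))
    print("backend lookup trouble:", backend_trouble(summary))
```

On a real mail log the threshold for `flag_clients` would be set per time window; the `backend_trouble` list is the signal that distinguishes a broken auxprop/sasldb setup like the one in the question from a client sending the wrong password.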
John Siu
Asked: 2016-02-19 14:12:59 +0800 CST

How do I configure systemd journal-remote?

  • 26

How do I configure systemd journal-remote to listen on a specific port?

All I can find are command-line examples. According to the man page, there do not seem to be any options for this in journal-remote.conf.

journald
  • 1 answer
  • 23627 Views