Hello
Seems the current deployed configuration is not compatible when enabling chroot on Postfix, resulting such these errors:
postfix/smtpd[8673]: connect from [127.0.0.1]
postfix/smtpd[8673]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
postfix/smtpd[8673]: warning: [127.0.0.1]: SASL LOGIN authentication failed: generic failure
postfix/smtpd[8673]: disconnect from [127.0.0.1]
The problem arises because postfix insists on looking up saslauthd lock files in /var/run/saslauthd, yet these have moved to /var/spool/postfix/var/run/saslauthd.
Even after adding:
saslauthd_path: /var/spool/postfix/var/run/saslauthd/mux
or
saslauthd_path: /var/run/saslauthd/mux
to /etc/postfix/sasl/smtpd.conf the problem persists (tried remote SMTP mail clients and roundcube).
You may say, this can be fixed with a symlink or mount bind - this is partially true and will work until the next reboot. Then the system clears /var/run and new directory has to be created with respective symlink or mount bind. Permanent entry in /etc/fstab still won't solve it and you'l end up with a boot hang (press ctrl+d).
Instead of chrooting saslauthd, the fix seems to be leave it at default path, and then changing the /etc/default/saslauthd options accordingly. This hovewer leaves saslauthd out of the chroot, so a mount bind will be required.
SEE LAST POSTS FOR FINAL FIXES
Note that Symlinks do not work on chroot. The following method is inefective - you'l have to use a mount bind.
Create directory for new mount point:
mkdir -p /var/spool/postfix/var/run
Set ownership and permissions:
chown -R root:sasl /var/spool/postfix/var/
dpkg-statoverride --add root sasl 710 /var/spool/postfix/var
adduser postfix sasl
Create symlink for chrooted saslauthd:
ln -s /var/run/saslauthd /var/spool/postfix/var/run/saslauthd
chown -h root:sasl /var/spool/postfix/var/run/saslauthd
These also won't work because the symlinks are reversed:
http://blog.wains.be/2006/11/18/postfix-chroot-sasl-authentication-saslauthd/
http://www.jimmy.co.at/weblog/?p=52
Update,
Found a fix for chrooted saslauthd.
Seems that in /etc/postfix/sasl/smtpd.conf the option saslauthd_path is relative to the postfix chroot. It won't accept full paths -- http://www.lxtreme.nl/index.pl/docs/linux/dovecot_postfix_pam
I'm figuring the mount bind probably should still be needed for one thing or another.
ie, testsaslauthd complains about not finding the path unless you specify it:
testsaslauthd -u username -p password -f /var/run/saslauthd/mux -s smtp
btw, tested the symlink method and it didn't worked as i thought -- the chroot does not let postfix go up in the path.
However, since one may use saslauthd for other services other than Postfix, such as Memcached (login yay!), LDAP, IRC and XMPP implementations:
http://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer
I think it should be left non-chrooted, just as it is suggested in Debian Wiki:
https://wiki.debian.org/PostfixAndSASL
That way it can be accessed by other services without requiring major reconfiguration.
Final configuration for a non-chrooted saslauthd and (optional) chrooted Postfix follows in this comment.
The setup will work wether postfix is chrooted or not -- when chrooted, just apply the additional optional config, which should make postfix safer to use.
_from here on, mandatory for both chrooted and non-chrooted postfix_
Reminder: saslauthd should be non-chrooted for the setup to be simple and work.
Set parameters for saslauthd in /etc/default/saslauthd:
Before (Incorrect):
OPTIONS="-c -m /var/run/saslauthd"
(or)
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"
After (Correct):
OPTIONS="-c -m /var/run/saslauthd -r"
Create a pam file for smtp/postfix, equal to dovecot. The missing file will result in login failure of postfix in pam if other's file is hardened (/etc/pam.d/smtp):
#
# /etc/pam.d/smtp - PAM behavior for postfix
#
#%PAM-1.0
@include common-auth
@include common-account
@include common-session
This probably should be a separate issue but i'll include here as it's related.
Add postfix user to the sasl group:
adduser postfix sasl
_from here on, optional...(chrooted postfix)_
Add a permanent mount point to /etc/fstab:
/var/run/saslauthd /var/spool/postfix/var/run/saslauthd bind defaults,nodev,noauto,bind 0 0
Note: noauto = no attempt to mount what can't be mounted on early boot = no error/hang
Create directory for new mount point:
mkdir -p /var/spool/postfix/var/run/saslauthd
Set ownership and permissions:
chown -R root:sasl /var/spool/postfix/var/
dpkg-statoverride --add root sasl 710 /var/spool/postfix/var
Then mount it:
mount /var/spool/postfix/var/run/saslauthd
Add mount command /etc/rc.local to be run at boot (after all daemons):
# Mount saslauthd bind point at postfix chroot
mount /var/spool/postfix/var/run/saslauthd
https://wiki.debian.org/PostfixAndSASL
http://blog.brachium-system.net/archives/16-Postfix-with-SASL-Authentication-in-Debian.html
Configure sasl binding for postfix (/etc/postfix/sasl/smtpd.conf):
Incorrect:
saslauthd_path: /var/spool/postfix/var/run/saslauthd/mux
or nothing
Correct:
saslauthd_path: /var/run/saslauthd/mux
Configure postfix to work in chrooted environment (/etc/postfix/master.cf):
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
Debian stock configuration (unsecure):
smtp inet n - - - - smtpd
Virtualmin configuration (sasl only):
smtp inet n - - - - smtpd -o smtpd_sasl_auth_enable=yes
submission inet n - - - - smtpd -o smtpd_sasl_auth_enable=yes
New configuration (also added TLS):
#
# Custom configuration
# See /etc/services
#
# SMTP (25/TCP)
smtp inet n - y - - smtpd -o smtpd_sasl_auth_enable=yes
# Submission (587/TCP+UDP)
submission inet n - y - - smtpd -o smtpd_sasl_auth_enable=yes
# SMTPS/SSMTP (465/TCP) (deprecated, disabled)
#smtps inet n - y - - smtpd -o smtpd_sasl_auth_enable=yes -o smtpd_tls_wrappermode=yes
Notes:
EDIT: fixed some settings
END
solving the mount problem at boot...
Thanks man... this helped.
Finally..... Thank you
Thanks alot for this, even 5 years later this guide still works, and so detailed, i just had this exact issue, and this worked flawless
FWIW, on a fresh install of Ubuntu 18.04 and Webmin/Virtualmin (latest), Postfix is not running in chroot and this simplified subset sufficed:
/var/spool/postfix/var/run/saslauthd with /var/run/saslauthd in /etc/default/saslauthdsystemctl restart saslauthd
Most helpful comment
Final configuration for a non-chrooted saslauthd and (optional) chrooted Postfix follows in this comment.
The setup will work wether postfix is chrooted or not -- when chrooted, just apply the additional optional config, which should make postfix safer to use.
_from here on, mandatory for both chrooted and non-chrooted postfix_
saslauthd non-chrooted:
Reminder: saslauthd should be non-chrooted for the setup to be simple and work.
Set parameters for saslauthd in /etc/default/saslauthd:
Before (Incorrect):
After (Correct):
Standard Postfix configuration:
Create a pam file for smtp/postfix, equal to dovecot. The missing file will result in login failure of postfix in pam if other's file is hardened (/etc/pam.d/smtp):
This probably should be a separate issue but i'll include here as it's related.
Add postfix user to the sasl group:
adduser postfix sasl_from here on, optional...(chrooted postfix)_
Add binding for saslauthd in Postfix chroot:
Add a permanent mount point to /etc/fstab:
/var/run/saslauthd /var/spool/postfix/var/run/saslauthd bind defaults,nodev,noauto,bind 0 0Note: noauto = no attempt to mount what can't be mounted on early boot = no error/hang
Create directory for new mount point:
mkdir -p /var/spool/postfix/var/run/saslauthdSet ownership and permissions:
Then mount it:
mount /var/spool/postfix/var/run/saslauthdAdd mount command /etc/rc.local to be run at boot (after all daemons):
https://wiki.debian.org/PostfixAndSASL
http://blog.brachium-system.net/archives/16-Postfix-with-SASL-Authentication-in-Debian.html
Finish Postfix chrooted configuration:
Configure sasl binding for postfix (/etc/postfix/sasl/smtpd.conf):
Incorrect:
saslauthd_path: /var/spool/postfix/var/run/saslauthd/muxor nothing
Correct:
saslauthd_path: /var/run/saslauthd/muxConfigure postfix to work in chrooted environment (/etc/postfix/master.cf):
Debian stock configuration (unsecure):
Virtualmin configuration (sasl only):
New configuration (also added TLS):
Notes:
EDIT: fixed some settings
END