Webmin: chrooted postfix and saslauthd run into problems in Debian 7

Created on 21 Aug 2013  路  7Comments  路  Source: webmin/webmin

Hello

Seems the current deployed configuration is not compatible when enabling chroot on Postfix, resulting such these errors:

postfix/smtpd[8673]: connect from [127.0.0.1]
postfix/smtpd[8673]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
postfix/smtpd[8673]: warning: [127.0.0.1]: SASL LOGIN authentication failed: generic failure
postfix/smtpd[8673]: disconnect from [127.0.0.1]

The problem arises because postfix insists on looking up saslauthd lock files in /var/run/saslauthd, yet these have moved to /var/spool/postfix/var/run/saslauthd.

Even after adding:
saslauthd_path: /var/spool/postfix/var/run/saslauthd/mux
or
saslauthd_path: /var/run/saslauthd/mux
to /etc/postfix/sasl/smtpd.conf the problem persists (tried remote SMTP mail clients and roundcube).

You may say, this can be fixed with a symlink or mount bind - this is partially true and will work until the next reboot. Then the system clears /var/run and new directory has to be created with respective symlink or mount bind. Permanent entry in /etc/fstab still won't solve it and you'l end up with a boot hang (press ctrl+d).

Instead of chrooting saslauthd, the fix seems to be leave it at default path, and then changing the /etc/default/saslauthd options accordingly. This hovewer leaves saslauthd out of the chroot, so a mount bind will be required.

SEE LAST POSTS FOR FINAL FIXES

Note that Symlinks do not work on chroot. The following method is inefective - you'l have to use a mount bind.

Create directory for new mount point:
mkdir -p /var/spool/postfix/var/run
Set ownership and permissions:

chown -R root:sasl /var/spool/postfix/var/
dpkg-statoverride --add root sasl 710 /var/spool/postfix/var
adduser postfix sasl

Create symlink for chrooted saslauthd:

ln -s  /var/run/saslauthd /var/spool/postfix/var/run/saslauthd
chown -h root:sasl /var/spool/postfix/var/run/saslauthd

These also won't work because the symlinks are reversed:
http://blog.wains.be/2006/11/18/postfix-chroot-sasl-authentication-saslauthd/
http://www.jimmy.co.at/weblog/?p=52

Most helpful comment

Final configuration for a non-chrooted saslauthd and (optional) chrooted Postfix follows in this comment.
The setup will work wether postfix is chrooted or not -- when chrooted, just apply the additional optional config, which should make postfix safer to use.

_from here on, mandatory for both chrooted and non-chrooted postfix_

saslauthd non-chrooted:

Reminder: saslauthd should be non-chrooted for the setup to be simple and work.

Set parameters for saslauthd in /etc/default/saslauthd:
Before (Incorrect):

OPTIONS="-c -m /var/run/saslauthd"
(or)
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"

After (Correct):

OPTIONS="-c -m /var/run/saslauthd -r"

Standard Postfix configuration:

Create a pam file for smtp/postfix, equal to dovecot. The missing file will result in login failure of postfix in pam if other's file is hardened (/etc/pam.d/smtp):

#
# /etc/pam.d/smtp - PAM behavior for postfix
#
#%PAM-1.0

@include common-auth
@include common-account
@include common-session

This probably should be a separate issue but i'll include here as it's related.

Add postfix user to the sasl group:
adduser postfix sasl

_from here on, optional...(chrooted postfix)_

Add binding for saslauthd in Postfix chroot:

Add a permanent mount point to /etc/fstab:
/var/run/saslauthd /var/spool/postfix/var/run/saslauthd bind defaults,nodev,noauto,bind 0 0
Note: noauto = no attempt to mount what can't be mounted on early boot = no error/hang

Create directory for new mount point:
mkdir -p /var/spool/postfix/var/run/saslauthd

Set ownership and permissions:

chown -R root:sasl /var/spool/postfix/var/
dpkg-statoverride --add root sasl 710 /var/spool/postfix/var

Then mount it:
mount /var/spool/postfix/var/run/saslauthd

Add mount command /etc/rc.local to be run at boot (after all daemons):

# Mount saslauthd bind point at postfix chroot
mount /var/spool/postfix/var/run/saslauthd

https://wiki.debian.org/PostfixAndSASL
http://blog.brachium-system.net/archives/16-Postfix-with-SASL-Authentication-in-Debian.html

Finish Postfix chrooted configuration:

Configure sasl binding for postfix (/etc/postfix/sasl/smtpd.conf):
Incorrect:
saslauthd_path: /var/spool/postfix/var/run/saslauthd/mux
or nothing
Correct:
saslauthd_path: /var/run/saslauthd/mux

Configure postfix to work in chrooted environment (/etc/postfix/master.cf):

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================

Debian stock configuration (unsecure):

smtp      inet  n       -       -       -       -       smtpd

Virtualmin configuration (sasl only):

smtp    inet    n   -   -   -   -   smtpd -o smtpd_sasl_auth_enable=yes
submission  inet    n   -   -   -   -   smtpd -o smtpd_sasl_auth_enable=yes

New configuration (also added TLS):

#
# Custom configuration
# See /etc/services
#

# SMTP (25/TCP)
smtp       inet n       -       y       -       -       smtpd -o smtpd_sasl_auth_enable=yes
# Submission (587/TCP+UDP)
submission inet n       -       y       -       -       smtpd -o smtpd_sasl_auth_enable=yes
# SMTPS/SSMTP (465/TCP) (deprecated, disabled)
#smtps      inet n       -       y       -       -       smtpd -o smtpd_sasl_auth_enable=yes -o smtpd_tls_wrappermode=yes

Notes:

  • The y flag on 5th column denotes chroot=yes.
  • Services were taken from /etc/services.
  • TLS forced on SMTPS/465, as expected.

EDIT: fixed some settings

END

All 7 comments

Update,

Found a fix for chrooted saslauthd.

Seems that in /etc/postfix/sasl/smtpd.conf the option saslauthd_path is relative to the postfix chroot. It won't accept full paths -- http://www.lxtreme.nl/index.pl/docs/linux/dovecot_postfix_pam

I'm figuring the mount bind probably should still be needed for one thing or another.
ie, testsaslauthd complains about not finding the path unless you specify it:
testsaslauthd -u username -p password -f /var/run/saslauthd/mux -s smtp

btw, tested the symlink method and it didn't worked as i thought -- the chroot does not let postfix go up in the path.

However, since one may use saslauthd for other services other than Postfix, such as Memcached (login yay!), LDAP, IRC and XMPP implementations:
http://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer

I think it should be left non-chrooted, just as it is suggested in Debian Wiki:
https://wiki.debian.org/PostfixAndSASL

That way it can be accessed by other services without requiring major reconfiguration.

Final configuration for a non-chrooted saslauthd and (optional) chrooted Postfix follows in this comment.
The setup will work wether postfix is chrooted or not -- when chrooted, just apply the additional optional config, which should make postfix safer to use.

_from here on, mandatory for both chrooted and non-chrooted postfix_

saslauthd non-chrooted:

Reminder: saslauthd should be non-chrooted for the setup to be simple and work.

Set parameters for saslauthd in /etc/default/saslauthd:
Before (Incorrect):

OPTIONS="-c -m /var/run/saslauthd"
(or)
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"

After (Correct):

OPTIONS="-c -m /var/run/saslauthd -r"

Standard Postfix configuration:

Create a pam file for smtp/postfix, equal to dovecot. The missing file will result in login failure of postfix in pam if other's file is hardened (/etc/pam.d/smtp):

#
# /etc/pam.d/smtp - PAM behavior for postfix
#
#%PAM-1.0

@include common-auth
@include common-account
@include common-session

This probably should be a separate issue but i'll include here as it's related.

Add postfix user to the sasl group:
adduser postfix sasl

_from here on, optional...(chrooted postfix)_

Add binding for saslauthd in Postfix chroot:

Add a permanent mount point to /etc/fstab:
/var/run/saslauthd /var/spool/postfix/var/run/saslauthd bind defaults,nodev,noauto,bind 0 0
Note: noauto = no attempt to mount what can't be mounted on early boot = no error/hang

Create directory for new mount point:
mkdir -p /var/spool/postfix/var/run/saslauthd

Set ownership and permissions:

chown -R root:sasl /var/spool/postfix/var/
dpkg-statoverride --add root sasl 710 /var/spool/postfix/var

Then mount it:
mount /var/spool/postfix/var/run/saslauthd

Add mount command /etc/rc.local to be run at boot (after all daemons):

# Mount saslauthd bind point at postfix chroot
mount /var/spool/postfix/var/run/saslauthd

https://wiki.debian.org/PostfixAndSASL
http://blog.brachium-system.net/archives/16-Postfix-with-SASL-Authentication-in-Debian.html

Finish Postfix chrooted configuration:

Configure sasl binding for postfix (/etc/postfix/sasl/smtpd.conf):
Incorrect:
saslauthd_path: /var/spool/postfix/var/run/saslauthd/mux
or nothing
Correct:
saslauthd_path: /var/run/saslauthd/mux

Configure postfix to work in chrooted environment (/etc/postfix/master.cf):

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================

Debian stock configuration (unsecure):

smtp      inet  n       -       -       -       -       smtpd

Virtualmin configuration (sasl only):

smtp    inet    n   -   -   -   -   smtpd -o smtpd_sasl_auth_enable=yes
submission  inet    n   -   -   -   -   smtpd -o smtpd_sasl_auth_enable=yes

New configuration (also added TLS):

#
# Custom configuration
# See /etc/services
#

# SMTP (25/TCP)
smtp       inet n       -       y       -       -       smtpd -o smtpd_sasl_auth_enable=yes
# Submission (587/TCP+UDP)
submission inet n       -       y       -       -       smtpd -o smtpd_sasl_auth_enable=yes
# SMTPS/SSMTP (465/TCP) (deprecated, disabled)
#smtps      inet n       -       y       -       -       smtpd -o smtpd_sasl_auth_enable=yes -o smtpd_tls_wrappermode=yes

Notes:

  • The y flag on 5th column denotes chroot=yes.
  • Services were taken from /etc/services.
  • TLS forced on SMTPS/465, as expected.

EDIT: fixed some settings

END

solving the mount problem at boot...

Thanks man... this helped.

Finally..... Thank you

Thanks alot for this, even 5 years later this guide still works, and so detailed, i just had this exact issue, and this worked flawless

FWIW, on a fresh install of Ubuntu 18.04 and Webmin/Virtualmin (latest), Postfix is not running in chroot and this simplified subset sufficed:

  1. Replace any references to /var/spool/postfix/var/run/saslauthd with /var/run/saslauthd in /etc/default/saslauthd
  2. systemctl restart saslauthd
Was this page helpful?
0 / 5 - 0 ratings