I need help with Kopano and Postfix/SASL using LDAP
-
Hey Community,
right now I’m pretty close to going insane. I am desperately trying to get the following to work:
OS:Debian 10
Kopano: Kopano Core 11.0.2.51
Mail Client: Thunderbird (port 25, STARTTLS)
In Thunderbird and on mobile, Postfix (SASL) authentication against our LDAP won’t work. Right now Kopano Webapp and Thunderbird work like a charm. But as soon as I enable “#smtpd_sasl_auth_enable = yes” in my “main.cf” I can no longer send mails through Thunderbird. /var/log/mail.log says:
warning: SASL authentication failure: Password verification failed
SASL PLAIN authentication failed: authentication failure
SASL LOGIN authentication failed: authentication failure
This is my first Kopano server together with an LDAP server.
saslauthd seems to be working against the LDAP.
“testsaslauthd -u user -p pass” prints out “OK "Success"”. Same for -s smtp and -s smtpd.
The system itself can see all LDAP users; “id ldapuser” prints all the information.
saslauthd is up and running:
saslauthd.service - LSB: saslauthd startup script
   Loaded: loaded (/etc/init.d/saslauthd; generated)
   Active: active (running) since Wed 2022-05-25 16:16:28 CEST; 3s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 3383 ExecStart=/etc/init.d/saslauthd start (code=exited, status=0/SUCCESS)
    Tasks: 5 (limit: 4915)
   Memory: 4.0M
   CGroup: /system.slice/saslauthd.service
           ├─3404 /usr/sbin/saslauthd -a ldap -c -m /var/run/saslauthd -r -n 5
           ├─3405 /usr/sbin/saslauthd -a ldap -c -m /var/run/saslauthd -r -n 5
           ├─3406 /usr/sbin/saslauthd -a ldap -c -m /var/run/saslauthd -r -n 5
           ├─3407 /usr/sbin/saslauthd -a ldap -c -m /var/run/saslauthd -r -n 5
           └─3408 /usr/sbin/saslauthd -a ldap -c -m /var/run/saslauthd -r -n 5

Mai 25 16:16:28 kopano systemd[1]: Starting LSB: saslauthd startup script...
Mai 25 16:16:28 kopano saslauthd[3404]: : master pid is: 3404
Mai 25 16:16:28 kopano saslauthd[3404]: : listening on socket: /var/run/saslauthd/mux
Mai 25 16:16:28 kopano saslauthd[3383]: Starting SASL Authentication Daemon: saslauthd.
Mai 25 16:16:28 kopano systemd[1]: Started LSB: saslauthd startup script.
I can’t get this to work at all. My guess is that postfix is asking the wrong service, because I saw it looking for /etc/sasldb2 (which is not maintained) when I was watching with strace.
My configs are the following.
main.cf - it looks terrible after several people tried to fix it. I removed sensitive data.
# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = [removed] ESMTP
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

# TLS parameters
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtpd_use_tls = no
smtpd_tls_auth_only = no
smtpd_starttls_timeout = 300s
smtpd_timeout = 300s
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_mandatory_ciphers = high
smtpd_tls_protocols =
smtpd_tls_exclude_ciphers = RC4, aNULL
smtpd_tls_cert_file= /etc/letsencrypt/live/mail.domain.de/fullchain.pem
smtpd_tls_key_file= /etc/letsencrypt/live/mail.domain.de/privkey.pem
smtpd_tls_received_header = no
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

# SASL authentication
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_type = cyrus
smtpd_sasl_path = /var/run/saslauthd/mux
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unlisted_recipient
smtpd_sender_restrictions = reject_unknown_sender_domain reject_unlisted_sender permit_sasl_authenticated

# smtp client
smtp_helo_name = removed
smtp_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
virtual_alias_domains =
virtual_alias_maps = unionmap:{hash:/etc/postfix/virtual, ldap:/etc/postfix/ldap.groups, ldap:/etc/postfix/ldap.distlist,
    ldap:/etc/postfix/ldap.virtual, ldap:/etc/postfix/ldap.external_aliases, ldap:/etc/postfix/ldap.sharedfolderremote,
    ldap:/etc/postfix/ldap.sharedfolderlocal_aliases, ldap:/etc/postfix/ldap.virtual_mailbox, ldap:/etc/postfix/ldap.sharedfolderlocal}
virtual_mailbox_domains = ldap:/etc/postfix/ldap.virtualdomains,
virtual_mailbox_maps = ldap:/etc/postfix/ldap.virtual_mailbox, ldap:/etc/postfix/ldap.sharedfolderlocal
virtual_transport = lmtp:[localhost]:2003
#canonical_maps = hash:/etc/postfix/canonical
#relocated_maps = hash:/etc/postfix/relocated
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myhostname = [HOSTNAME]
myorigin = /etc/mailname
mydestination = $myhostname, kopano.[domain].de, localhost.[domain].de, localhost, kopano
mynetworks = [internal network]/16 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [external ip]/32
mailbox_size_limit = 0
message_size_limit = 50000000
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
virtual_mailbox_base = /home/kopano/
master.cf
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd
#smtp      inet  n       -       y       -       1       postscreen
#smtpd     pass  -       -       y       -       -       smtpd
#dnsblog   unix  -       -       y       -       0       dnsblog
#tlsproxy  unix  -       -       y       -       0       tlsproxy
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
#  -o smtpd_etrn_restrictions=reject
#  -o smtpd_enforce_tls=yes
#  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_sasl_authenticated_header=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o content_filter=smtp-amavis:[127.0.0.1]:10026
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
/etc/saslauth.conf
ldap_servers: ldap://IPOFSERVER:7389
ldap_mech: PLAIN LOGIN
ldap_search_base: DC=[DOMAIN],DC=de
ldap_timeout: 10
ldap_filter: uid=%u
ldap_bind_dn: [removed]
ldap_password: [removed]
ldap_deref: never
ldap_restart: yes
ldap_scope: sub
ldap_use_sasl: no
ldap_start_tls: no
ldap_version: 3
ldap_auth_method: bind
/etc/default/saslauthd
#
# Settings for saslauthd daemon
# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
#

# Should saslauthd run automatically on startup? (default: no)
START=yes

# Description of this saslauthd instance. Recommended.
# (suggestion: SASL Authentication Daemon)
DESC="SASL Authentication Daemon"

# Short name of this saslauthd instance. Strongly recommended.
# (suggestion: saslauthd)
NAME="saslauthd"

# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent  -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam       -- use PAM
# rimap     -- use a remote IMAP server
# shadow    -- use the local shadow password file
# sasldb    -- use the local sasldb database file
# ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="ldap"

# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
#MECH_OPTIONS="-O /etc/saslauthd.conf"
MECH_OPTIONS=""

# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5

# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!
#
# WARNING: DO NOT SPECIFY THE -d OPTION.
# The -d option will cause saslauthd to run in the foreground instead of as
# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
# to run saslauthd in debug mode, please run it by hand to be safe.
#
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
# See the saslauthd man page and the output of 'saslauthd -h' for general
# information about these options.
#
# Example for chroot Postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
# Example for non-chroot Postfix users: "-c -m /var/run/saslauthd"
#
# To know if your Postfix is running chroot, check /etc/postfix/master.cf.
# If it has the line "smtp inet n - y - - smtpd" or "smtp inet n - - - - smtpd"
# then your Postfix is running in a chroot.
# If it has the line "smtp inet n - n - - smtpd" then your Postfix is NOT
# running in a chroot.
OPTIONS="-c -m /var/run/saslauthd -r"
/etc/postfix/sasl/smtpd.conf
pwcheck_method: saslauthd
mech_list: login plain
saslauthd_path: /var/run/saslauthd/mux
allow_plaintext: true
log_level: 7
I’m not able to get any specific type of error out of any log file. Strace won’t help either.
Maybe someone can find the failure in those configs. Thanks to everyone who tries to help.
Kind regards
Markus
-
Hi @bee-support ,
I think this is a postfix issue, not kopano.
Perhaps the solution is with the chroot of postfix in Debian 10: you should use /var/spool/postfix/var/run/saslauthd
cheers
scheini72
P.S.: If you want I can share my working configuration via personal message
-
@bee-support
Hi Markus
As @scheini72 highlighted, I would also point in this direction. It also took me a long time to get it all working correctly.
Regards
Stefan
-
Similar issue here a few days ago, the following fixed it:
ucr commit /etc/default/saslauthd
service saslauthd restart
Regards,
Karsten
-
@scheini72 that would be great :) Still mind-boggling, as it won’t work even though “testsaslauthd” works without a flaw.
-
@bee-support
Just found out there are no private messages possible.
Here are my cleansed files.
Did you put postfix into the sasl group as well?
saslauthd.conf:
# my config for sasl
# Servers
ldap_servers: ldap://localhost:389/
# Identity
ldap_bind_dn: <bind-user>
ldap_password: <password>x
ldap_auth_method: bind
# Search
ldap_search_base: <search-base>
saslauthd-postfix:
#
# Settings for saslauthd daemon
# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
#

# Should saslauthd run automatically on startup? (default: no)
START=yes

# Description of this saslauthd instance. Recommended.
# (suggestion: SASL Authentication Daemon)
DESC="SASL Authentication Daemon for Postfix"

# Short name of this saslauthd instance. Strongly recommended.
# (suggestion: saslauthd)
NAME="saslauthd"

# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent  -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam       -- use PAM
# rimap     -- use a remote IMAP server
# shadow    -- use the local shadow password file
# sasldb    -- use the local sasldb database file
# ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="ldap"

# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""

# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=10

# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!
#
# WARNING: DO NOT SPECIFY THE -d OPTION.
# The -d option will cause saslauthd to run in the foreground instead of as
# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
# to run saslauthd in debug mode, please run it by hand to be safe.
#
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
# See the saslauthd man page and the output of 'saslauthd -h' for general
# information about these options.
#
# Example for chroot Postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
# Example for non-chroot Postfix users: "-c -m /var/run/saslauthd"
#
# To know if your Postfix is running chroot, check /etc/postfix/master.cf.
# If it has the line "smtp inet n - y - - smtpd" or "smtp inet n - - - - smtpd"
# then your Postfix is running in a chroot.
# If it has the line "smtp inet n - n - - smtpd" then your Postfix is NOT
# running in a chroot.
#OPTIONS="-c -m /var/run/saslauthd"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
main.cf:
# with this Postfix is open on the network (switch
inet_interfaces = all
#inet_interfaces = loopback-only
inet_protocols = all
#switch on local bind only (to avoid sending)
#smtp_bind_address = localhost
[...]
# Here come all the settings so that my user gets verified
# with this we start to let only certain people (us) use the server
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noplaintext, noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_path = smtpd
# security level encrypt does not work because of z-push and webapp
smtpd_tls_security_level = may
smtp_tls_note_starttls_offer = yes
[...]
smtpd_tls_auth_only = yes
#smtp_tls_security_level = encrypt
smtp_tls_security_level = may
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
#smtp_tls_mandatory_protocols = >=TLSv1.2
smtp_tls_mandatory_ciphers = high
[...]
smtpd_relay_restrictions = permit_sasl_authenticated permit_mynetworks defer_unauth_destination
[...]
# We deliver everything to Kopano via lmtp over a file socket
#virtual_transport = lmtp:127.0.0.1:2003
#mailbox_transport = lmtp:127.0.0.1:2003
virtual_transport = lmtp:[::1]:2003
mailbox_transport = lmtp:[::1]:2003
#helo restriction,
smtpd_helo_restrictions = permit_mynetworks permit_sasl_authenticated reject_invalid_hostname reject_non_fqdn_hostname
    reject_unauth_destination reject_non_fqdn_sender reject_non_fqdn_recipient reject_unknown_recipient_domain
    reject_invalid_hostname reject_rbl_client zen.spamhaus.org reject_unauth_pipelining permit
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
# SPF has to be AFTER "reject_unauth_destination
    check_sender_access hash:/etc/postfix/sender_check
    check_policy_service unix:private/policyd-spf
    check_policy_service inet:localhost:10023
#   check_policy_service inet:localhost:12346
# reject spammers
disable_vrfy_command = yes
smtpd_helo_required = yes
smtpd_delay_reject = yes
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
[...]
master.cf:
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp      inet  n       -       y       -       -       smtpd
#smtp      inet  n       -       y       -       1       postscreen
#smtpd     pass  -       -       y       -       -       smtpd
#dnsblog   unix  -       -       y       -       0       dnsblog
#tlsproxy  unix  -       -       y       -       0       tlsproxy
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_security_options=noplaintext
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       y       -       -       qmqpd
pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       y       1000?   1       tlsmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
trace     unix  -       -       y       -       0       bounce
verify    unix  -       -       y       -       1       verify
flush     unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       y       -       -       smtp
        -o syslog_name=postfix/$service_name
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
retry     unix  -       -       y       -       -       error
discard   unix  -       -       y       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
anvil     unix  -       -       y       -       1       anvil
scache    unix  -       -       y       -       1       scache
postlog   unix-dgram n  -       n       -       1       postlogd
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
policyd-spf  unix  -       n       n       -       0       spawn
  user=policyd-spf argv=/usr/bin/policyd-spf
smtp.conf:
pwcheck_method: saslauthd
mech_list: plain login
ldap_servers: ldap://localhost:389/
ldap_search_base: <search-base>
ldap_timeout: 10
ldap_filter: sAMAccountName=%U
ldap_bind_dn: <bind-user>
ldap_password: <bind-password>
ldap_deref: never
ldap_restart: yes
ldap_scope: sub
ldap_use_sasl: no
ldap_start_tls: no
ldap_version: 3
ldap_auth_method: bind
cheers