Hi all, I am new here on this forum and hoping for some help. I have a mail server that had been running for the last decade or so without many problems other than the yearly SSL certificate refresh. Until I decided to do a Debian apt full-upgrade like I have done before with success, but not this time. Due to a broken SSH connection while running the upgrade it left the server in a terrible state. That was two and a half months ago and I have been working on it to get it up and running again to no avail. All the information on the net I can find is either outdated or incomplete. I will start with saslauthd, also the TLS certificates are a problem with courier-imap-ssl and postfix.

saslauthd will not run :

Apr 09 16:29:37 mail.qrp.nl systemd[1]: Starting saslauthd.service - SASL Authentication Daemon...
Apr 09 16:29:37 mail.qrp.nl saslauthd[20409]: : master pid is: 20409
Apr 09 16:29:37 mail.qrp.nl saslauthd[20409]: : listening on socket: /var/spool/postfix/var/run/saslauthd//mux
Apr 09 16:29:37 mail.qrp.nl systemd[1]: saslauthd.service: Can't open PID file '/run/saslauthd/saslauthd.pid' (yet?) after start: No such file or directory
Apr 09 16:31:07 mail.qrp.nl systemd[1]: saslauthd.service: start operation timed out. Terminating.
Apr 09 16:31:07 mail.qrp.nl saslauthd[20409]: : master exited: 20409
Apr 09 16:31:07 mail.qrp.nl systemd[1]: saslauthd.service: Failed with result 'timeout'.
Apr 09 16:31:07 mail.qrp.nl systemd[1]: Failed to start saslauthd.service - SASL Authentication Daemon.

It can not create the pid file.
root@mail:/etc/postfix# cat /etc/default/saslauthd
START=YES
DESC="SASL Authentication Daemon"
NAME="saslauthd"
MECHANISMS="pam"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd/"

But running it from the command line :

root@mail:/etc/postfix# saslauthd -c -m /var/spool/postfix/var/run/saslauthd/ -r -V -n 5 -a pam
saslauthd[20511] :num_procs : 5
saslauthd[20511] :mech_option: NULL
saslauthd[20511] :run_path : /var/spool/postfix/var/run/saslauthd/
saslauthd[20511] :auth_mech : pam
saslauthd[20511] :mmaped shared memory segment on file: /var/spool/postfix/var/run/saslauthd//cache.mmap
saslauthd[20511] :bucket size: 92 bytes
saslauthd[20511] :stats size : 36 bytes
saslauthd[20511] :timeout : 28800 seconds
saslauthd[20511] :cache table: 944764 total bytes
saslauthd[20511] :cache table: 1711 slots
saslauthd[20511] :cache table: 10266 buckets
saslauthd[20511] :flock file opened at /var/spool/postfix/var/run/saslauthd//cache.flock
saslauthd[20511] :using accept lock file: /var/spool/postfix/var/run/saslauthd//mux.accept

root@mail:/etc/postfix# ll /var/spool/postfix/var/run/saslauthd/
total 928
-rw------- 1 root root      0 Apr  9 16:50 cache.flock
-rw------- 1 root root 945152 Apr  9 16:50 cache.mmap
srwxrwxrwx 1 root root      0 Apr  9 16:50 mux
-rw------- 1 root root      0 Apr  9 16:50 mux.accept
-rw------- 1 root root      6 Apr  9 16:50 saslauthd.pid

root@mail:/etc/postfix# ll /var/spool/postfix/var/run/
total 4
drwxr-xr-x 2 root sasl 4096 Apr  9 16:50 saslauthd

I just do not see where the problem is.

Roelof
Ok, got the sasl daemon running but can not authenticate a user, I know the user is in the mysql database which is up and running :

testsaslauthd -f /var/spool/postfix/var/run/saslauthd/mux -u x AT x.x -p password

Apr 09 18:17:12 mail.qrp.nl saslauthd[20969]: pam_unix(imap:auth): check pass; user unknown
Apr 09 18:17:12 mail.qrp.nl saslauthd[20969]: pam_unix(imap:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Apr 09 18:17:14 mail.qrp.nl saslauthd[20969]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Apr 09 18:17:14 mail.qrp.nl saslauthd[20969]: auth failure: [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
If I use a local user, the same I use with SSH to login, I do get an OK success when testing with testsaslauthd. But when I use a user in the mysql database I get a NO authentication failed. So the mysql backend/plugin is not working ?

root@mail:/etc/postfix# cat sasl/smtpd.conf
pwcheck_method: saslauthd
mech_list: plain login
allow_plaintext: true
auxprop_plugin: sql
sql_engine: mysql
sql_hostnames: 127.0.0.1
sql_user: xx
sql_passwd: xx
sql_database: mail
sql_select: select password from users where email = '%uAT%r'

The mysql database is active and shows all the domains and users when I check with mysql -u xx -p xx

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mail               |
| mysql              |
| performance_schema |
+--------------------+
4 rows in set (0.01 sec)

mysql> use mail;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed

mysql> show tables;
+----------------+
| Tables_in_mail |
+----------------+
| domains        |
| forwardings    |
| transport      |
| users          |
+----------------+
4 rows in set (0.00 sec)

mysql> select * from users;
+-------------------------+---------------+----------+
| email                   | password      | quota    |
+-------------------------+---------------+----------+
| xxATxx.xx               | xxxxxxxxx     | 10485760 |
+-------------------------+---------------+----------+

How can I solve this ?

Roelof
From journalctl -f when I run testsaslauthd -f /var/spool/postfix/var/run/saslauthd/mux -u xxATxx.xx -p xx :

Apr 11 11:40:49 mail.qrp.nl saslauthd[20969]: pam_unix(imap:auth): check pass; user unknown
Apr 11 11:40:49 mail.qrp.nl saslauthd[20969]: pam_unix(imap:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Apr 11 11:40:51 mail.qrp.nl saslauthd[20969]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Apr 11 11:40:51 mail.qrp.nl saslauthd[20969]: auth failure: [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
I don't think this is correct. The method should be auxprop which you define further down in the config to use sql. When using saslauthd the system tries PAM Authentication which you can see in the logs:
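Added example, not part of the thread: a small Python check that reads the saslauthd journal lines posted above and reports which PAM service and module actually handled the request. The function name `analyse` and its `expected_service` / `expected_module` parameters are hypothetical; the `[service=imap]` field is what the log records, and `testsaslauthd` accepts `-s` to name a different service.

```python
import re

# Journal lines copied from the thread above.
SAMPLE = """\
Apr 11 11:40:49 mail.qrp.nl saslauthd[20969]: pam_unix(imap:auth): check pass; user unknown
Apr 11 11:40:49 mail.qrp.nl saslauthd[20969]: pam_unix(imap:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Apr 11 11:40:51 mail.qrp.nl saslauthd[20969]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Apr 11 11:40:51 mail.qrp.nl saslauthd[20969]: auth failure: [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
"""

PAM_RE = re.compile(r"saslauthd\[\d+\]: (pam_\w+)\(([\w-]+):(\w+)\)")  # module(service:type)
FAIL_RE = re.compile(r"auth failure: (.*)$")
FIELD_RE = re.compile(r"\[(\w+)=([^\]]*)\]")  # [key=value], value may be empty

def analyse(journal, expected_service="smtp", expected_module="pam_mysql"):
    """Summarise which backend saslauthd used and where it differs from the plan."""
    modules, failure = [], {}
    for line in journal.splitlines():
        m = PAM_RE.search(line)
        if m and m.group(1) not in modules:
            modules.append(m.group(1))
        m = FAIL_RE.search(line)
        if m:
            failure = dict(FIELD_RE.findall(m.group(1)))
    findings = []
    if failure.get("mech") == "pam":
        findings.append("password was checked by saslauthd through PAM")
    service = failure.get("service")
    if service and service != expected_service:
        findings.append(f"PAM service '{service}' was used, expected '{expected_service}'")
    if modules and expected_module not in modules:
        findings.append(f"{expected_module} never logged; modules seen: {modules}")
    return {"service": service, "mech": failure.get("mech"),
            "modules": modules, "findings": findings}

if __name__ == "__main__":
    for finding in analyse(SAMPLE)["findings"]:
        print("-", finding)
```
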
I started on a new server (ironically the one that has been running "empty" in parallel with the old email server) with an install of courier-ssl-imap/postfix/saslauthd/mysql. Hoping I can get that working soon. Roelof
Hi All, An update on my progress on installing the new email server. I have got the postfix part running and it is accepting/denying smtp connections from the internet. Had an issue with one domain that was not propagating to other DNS servers, that turned out to be a DNSSEC setting. At the moment a test with testsaslauthd will try to validate the password with pam_mysql against the Linux user (/etc/passwd) but not against the email user in the mysql database. I have not figured this one out yet. All settings seem to be ok. I have got the correct settings in /etc/pam.d/smtp :

auth required pam_mysql.so

and /etc/postfix/sasl/smtpd.conf

Roelof
Why don't you just use ISPConfig for your setup? It would take care of the whole setup. If you only want a mailserver system then mailcow might be a good choice. Otherwise I would advise you to use a solid stack based on postfix, dovecot, rspamd, redis, mysql for everything.
ISPConfig does not support courier(-imap) according to some posts about a move to dovecot. What do you mean by "solid stack based" ?
Why do you need courier? Dovecot is more modern, flexible and robust than courier anyways. A solid stack of software components that your mail system runs on. A modern mail server stack uses these components: Postfix, Dovecot, rspamd, mysql, redis. I would argue that this is the go-to setup for hosting mail services on an open stack nowadays. And ISPConfig is providing you with this stack out of the box plus some other quality of life stuff and easily manageable through the ISPConfig Webpanel.
I have been running courier on the old server for years and have spent way too much time on this project. I do not want to start with a new software package of which I do not know a thing about on how to do the setup/config. Second all my emails are written to and stored in courier-imap directories which makes copying from the old to the new server "easy". I can not do an imap-copy/backup/restore from the old server obviously, no imap access. But still I need to get the saslauthd to pam_mysql combo working. Roelof
Hi, So imap access has been working for a few weeks now. Setting up the TLS certificates was what was needed to get it working. Just the saslauthd to pam thing is not working and I still do not understand why not. Roelof
Hi, Finally I got the setup working : After a lot of searching/reading I found an option 'debug' which I added to /etc/pam.d/smtp. And it turned out that the pam_mysql was trying to authenticate to the mysql database, the error was an authentication failure. I then tried to authenticate with a known wrong user name which produced a user not known error. I found that the crypt option in /etc/pam.d/smtp was set to 3, I changed this to 1. And then I got a TLS error from Evolution, this turned out to be a setting when sending email that needs to be 'starttls after connecting' for my setup. Roelof
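Added example, not part of the thread: a Python audit that guesses how each stored password is encoded and compares that with the `crypt=` value given to pam_mysql, the kind of mismatch the last post resolved by changing 3 to 1. The thread does not show the real stored format, so the rows are constructed, the names `classify` and `audit` are hypothetical, and the 0 to 4 mapping follows the pam_mysql README (newer builds define more values).

```python
import hashlib
import re

# pam_mysql "crypt=" values 0-4 as listed in the pam_mysql README; confirm
# against the README shipped with the installed package.
CRYPT_SETTING = {"plain": 0, "crypt3": 1, "mysql_password": 2,
                 "md5_hex": 3, "sha1_hex": 4}
UNSALTED = {"plain", "mysql_password", "md5_hex", "sha1_hex"}

PATTERNS = [  # order matters: most specific shape first
    ("crypt3", r"\$[0-9a-z]+\$.+"),            # modular crypt(3): $1$, $5$, $6$, ...
    ("mysql_password", r"\*[0-9A-Fa-f]{40}"),  # MySQL PASSWORD() since 4.1
    ("md5_hex", r"[0-9A-Fa-f]{32}"),
    ("sha1_hex", r"[0-9A-Fa-f]{40}"),
    ("crypt3", r"[./0-9A-Za-z]{13}"),          # traditional DES crypt(3)
]

def classify(stored):
    """Guess the storage format from its shape (a heuristic, not proof)."""
    for name, pattern in PATTERNS:
        if re.fullmatch(pattern, stored):
            return name
    return "plain"

def audit(rows, configured_crypt):
    """Return one finding per row whose format disagrees with crypt=N."""
    findings = []
    for email, stored in rows:
        fmt = classify(stored)
        if CRYPT_SETTING[fmt] != configured_crypt:
            findings.append({"email": email, "format": fmt,
                             "needs_crypt": CRYPT_SETTING[fmt],
                             "unsalted": fmt in UNSALTED})
    return findings

# Constructed rows; addresses and passwords are made up for this example.
ROWS = [
    ("a@example.org", "$1$constrct$" + "A" * 22),            # crypt(3) MD5 shape
    ("b@example.org", hashlib.md5(b"example").hexdigest()),  # plain hex MD5
    ("c@example.org", "*" + hashlib.sha1(b"example").hexdigest().upper()),
]

if __name__ == "__main__":
    for finding in audit(ROWS, configured_crypt=3):
        print(finding)
```

A row flagged `unsalted` is stored in a form that is cheap to crack if the table leaks, so it is worth re-hashing with a salted crypt(3) scheme once logins work again.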