New Installation Postifix Problem

[ranpel]

Hi,

I've banged this around for a bit now and really can not find any clean answers or new things to try. I've tried just about everything I've found in the forums ("that I've found" being key I hope)

Issue: SMTP AUTH: I can not auth for smtp in any of 25:TLS or 465:SSL (auth for client protocols are fine (POP/IMAP) thus my suspicion of postfix and things immediately postfix connected.

Issue One Log snip of auth attempts:
May 6 16:05:34 mail postfix/smtpd[2888]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
May 6 16:05:34 mail postfix/smtpd[2888]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
May 6 16:05:34 mail postfix/smtpd[2888]: warning: SASL authentication failure: no secret in database
May 6 16:05:34 mail postfix/smtpd[2888]: warning: mail.tradecaptureotc.com[172.16.249.163]: SASL NTLM authentication failed
May 6 16:05:34 mail postfix/smtpd[2888]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
May 6 16:05:34 mail last message repeated 4 times
May 6 16:05:34 mail postfix/smtpd[2888]: warning: SASL authentication failure: Password verification failed
May 6 16:05:34 mail postfix/smtpd[2888]: warning: mail.tradecaptureotc.com[172.16.249.163]: SASL PLAIN authentication failed
May 6 16:05:34 mail postfix/smtpd[2888]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasldb2: No such file or directory
May 6 16:05:34 mail last message repeated 5 times
May 6 16:05:34 mail postfix/smtpd[2888]: warning: mail.tradecaptureotc.com[172.16.249.163]: SASL LOGIN authentication failed
May 6 16:05:45 mail postfix/smtpd[2888]: lost connection after AUTH from mail.tradecaptureotc.com[172.16.249.163]

There is no other postfix running. The sasl libs should be zimbras (how to verify with certainty?) Postfix appears to be auth enabled (it wouldn't be trying otherwise would it?)

The fact that it seems to be looking for a sleepycat in /etc and not ldap (your sasl is complied to ldap yes?) makes me think the wrong sasl libs are linked in or the sys lib has a jump on it.

Any body have anything to try that might shake this cat free?

Thanks,

Randy

[ranpel]

Sorry about the dupe post.

Anyway.. I answered my own question; ldd on smtpd shows system sasl lib.

# ldd smtpd
linux-gate.so.1 => (0xffffe000)
libpcre.so.3 => /usr/lib/libpcre.so.3 (0xb7ef8000)
libldap-2.3.so.0 => /opt/zimbra/lib/libldap-2.3.so.0 (0xb7ebc000)
liblber-2.3.so.0 => /opt/zimbra/lib/liblber-2.3.so.0 (0xb7eaf000)
libmysqlclient.so.15 => /usr/lib/libmysqlclient.so.15 (0xb7cce000)
libz.so.1 => /usr/lib/libz.so.1 (0xb7cba000)
libm.so.6 => /lib/tls/i686/cmov/libm.so.6 (0xb7c93000)
libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7c7c000)
libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0xb7c65000)
libssl.so.0.9.8 => /usr/lib/i686/cmov/libssl.so.0.9.8 (0xb7c24000)
libcrypto.so.0.9.8 => /usr/lib/i686/cmov/libcrypto.so.0.9.8 (0xb7ae2000)
libnsl.so.1 => /lib/tls/i686/cmov/libnsl.so.1 (0xb7acb000)
libresolv.so.2 => /lib/tls/i686/cmov/libresolv.so.2 (0xb7ab8000)
libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7977000)
libcrypt.so.1 => /lib/tls/i686/cmov/libcrypt.so.1 (0xb7948000)
/lib/ld-linux.so.2 (0xb7f1a000)
libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7944000)

[ranpel]

That ldd was run as root. How can I verify the runtime lib is correct?

I have to be somewhat careful as there is another runtime requirement for this library. The system lib is one rev up too.

Is this the right track? If I move out the system lib is the probability high that this will fix smtpd auth?

[ranpel]

Hi,

Confirmed wrong sasl lib. Now I really do have a problem. I cannot move out the system sasl library. How can I effectively set LD_LIBRARY_PATH rules on the postfix installation binaries.. ??

So How to direct postfix to the appropriate libraries?

Anybody? Anyone? Beuller?

[lzmarine]

I get the following errors trying to send mail from my PDA:

Dec 19 11:41:05 mail postfix/smtpd[22877]: connect from 109.sub-75-197-165.myvzw.com[75.197.165.109]
Dec 19 11:41:05 mail postfix/smtpd[22877]: setting up TLS connection from 109.sub-75-197-165.myvzw.com[75.197.165.109]
Dec 19 11:41:05 mail postfix/smtpd[22877]: TLS connection established from 109.sub-75-197-165.myvzw.com[75.197.165.109]: SSLv3 with cipher RC4-MD5 (128/128 bits)
Dec 19 11:41:07 mail postfix/smtpd[22877]: warning: 109.sub-75-197-165.myvzw.com[75.197.165.109]: SASL NTLM authentication failed
Dec 19 11:41:07 mail postfix/smtpd[22877]: disconnect from 109.sub-75-197-165.myvzw.com[75.197.165.109]

A test of server capabilities shows NTLM is supported by Zimbra:

SMTP server: X.X.X.X
[S] 220 host.domain ESMTP Postfix
[C] EHLO localhost
[S] 250-host.domain
[S] 250-PIPELINING
[S] 250-SIZE 1048576000
[S] 250-VRFY
[S] 250-ETRN
[S] 250-STARTTLS
[S] 250-AUTH NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
[S] 250-AUTH=NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
[S] 250 8BITMIME
[C] STARTTLS
[S] 220 Ready to start TLS
Cipher: DHE-RSA-AES256-SHA
Certificate information:
Subject: /C=US/ST=N/A/O=Zimbra Collaboration Suite/CN=host.domain
Issuer: /C=US/ST=N/A/L=N/A/O=Zimbra Collaboration Suite
[C] EHLO localhost
[S] 250-host.domain
[S] 250-PIPELINING
[S] 250-SIZE 1048576000
[S] 250-VRFY
[S] 250-ETRN
[S] 250-AUTH NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
[S] 250-AUTH=NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
[S] 250 8BITMIME
[C] QUIT
[S] 221 Bye

I have no use nor need for NTLM, but my PDA prefers NTLM during negotiation and I cannot configure WinMobile6 not to use it if it thinks NTLM is available. I saw bug/rfe 8945, but I just want Zimbra not to list NTLM for authentication. I only see the "Enable authentication" and "TLS authentication only" check boxes on the MTA tab of the Zimbra admin page for global settings. Any configuration pointers would be great.

Thanks!

Blaine

[fultonj]

This just echo's izmarine's point about not seeing any way to not list NTLM for authentication but from the CLI. The following command shows more options than "Enable authentication" and "TLS authentication only" but do not have anything related to NTLM:

zmprov gs $server | grep -i auth

[todd_dsm]

This thread kinda trailed off. I'm seeing some of these entries (every 10m) in my logs as well. Here are some relevant settings:
GLOBAL/SERVER TAB:
TLS authentication only: checked
Enable clear text login: unchecked

Code:

# cat /var/log/maillog:
Dec 21 22:33:34 zerver postfix/smtpd[7561]: connect from unknown[10.0.0.104]
Dec 21 22:33:34 zerver postfix/smtpd[7561]: setting up TLS connection from unknown[10.0.0.104]
Dec 21 22:33:34 zerver postfix/smtpd[7561]: TLS connection established from unknown[10.0.0.104]: TLSv1 with cipher AES128-SHA (128/128 bits)
Dec 21 22:33:34 zerver postfix/smtpd[7561]: warning: SASL authentication failure: Password verification failed
Dec 21 22:33:34 zerver postfix/smtpd[7561]: warning: unknown[10.0.0.104]: SASL PLAIN authentication failed: authentication failure
Dec 21 22:33:34 zerver postfix/smtpd[7561]: disconnect from unknown[10.0.0.104]

my ldd looks like this: (bold are system libs)

Code:

zimbra@zerver ~]$ ldd /opt/zimbra/postfix-2.4.7.5z/libexec/smtpd
	libdb-4.2.so => /opt/zimbra/sleepycat-4.2.52.6/lib/libdb-4.2.so (0x00002b0c42275000)
	libpcre.so.0 => /lib64/libpcre.so.0 (0x0000003d5f800000)
	libldap-2.3.so.0 => /opt/zimbra/lib/libldap-2.3.so.0 (0x00002b0c42543000)
	liblber-2.3.so.0 => /opt/zimbra/lib/liblber-2.3.so.0 (0x00002b0c4278d000)
	libmysqlclient.so.15 => /opt/zimbra/lib/libmysqlclient.so.15 (0x00002b0c4299d000)
	libz.so.1 => /usr/lib64/libz.so.1 (0x0000003d60c00000)
	libm.so.6 => /lib64/libm.so.6 (0x0000003d60400000)
	libsasl2.so.2 => /opt/zimbra/cyrus-sasl-2.1.23.3z/lib/libsasl2.so.2 (0x00002b0c42cf8000)
	libpthread.so.0 => /lib64/libpthread.so.0 (0x00002b0c42f10000)
	libssl.so.0.9.8 => /opt/zimbra/openssl-0.9.8k/lib/libssl.so.0.9.8 (0x00002b0c4312c000)
	libcrypto.so.0.9.8 => /opt/zimbra/openssl-0.9.8k/lib/libcrypto.so.0.9.8 (0x00002b0c43378000)
	libnsl.so.1 => /lib64/libnsl.so.1 (0x0000003d61c00000)
	libresolv.so.2 => /lib64/libresolv.so.2 (0x0000003d62000000)
	libc.so.6 => /lib64/libc.so.6 (0x0000003d5f000000)
	libcrypt.so.1 => /lib64/libcrypt.so.1 (0x0000003d61000000)
	libdl.so.2 => /lib64/libdl.so.2 (0x0000003d5f400000)
	/lib64/ld-linux-x86-64.so.2 (0x0000003d5ec00000)

===

Now, if the above settings (TLS authentication only: checked, Enable clear text login: unchecked) are resposible for this behaviour that is understandable. With the possible exception that if these are the settings then the log should not be filled up with these constant reminders.

If not, what's the definitive answer on this scenario?

Thanks in advance,
todd_dsm

Don't forget to Vote for this RFE:
RFE: A place To Display the contents of 'My Documents'
Reasoning: It's new, bold, and cool.