saslauthd: Permission denied (external SMTP AUTH broken)

[Miz]

Version 4.0.5_GA_518.RHEL4 Dec 18, 2006

- All Zimbra services running (minus Perdition, not used)
- All webservices working properly
- HTTPS mode
- Custom port
- SASL URL is correct (zimbra_url)
- zimbraMtaAuthURL is correct

- libexec/zmfixperms has been run successfully
- all services have been recently restarted

/var/log/zimbra.log:

Code:

Jan 10 11:59:39 nobox postfix/smtpd[12391]: warning: SASL authentication failure: cannot connect to saslauthd server: Permission denied
Jan 10 11:59:39 nobox postfix/smtpd[12391]: warning: wherever.tld[ip.ip.ip.ip]: SASL LOGIN authentication failed

Additional info:

Code:

$ ls -ld /opt/zimbra/cyrus-sasl/state
drwxr-x---  2 zimbra zimbra 4096 Jan 10 11:59 /opt/zimbra/cyrus-sasl/state

$ ls -l /opt/zimbra/cyrus-sasl/state
total 4
srwxrwxrwx  1 zimbra zimbra 0 Jan 10 11:59 mux
-rw-------  1 zimbra zimbra 0 Jan 10 11:59 mux.accept
-rw-------  1 zimbra zimbra 6 Jan 10 11:59 saslauthd.pid

Using:
Thunderbird 1.5.0.9, TLS

Help?

[bobby]

add this line to /etc/syslog.conf and then restart (kill -1) syslogd:
auth.* -/var/log/zimbra.log

that will send the saslauthd logging there instead of nowhere. go ahead and post the output of these commands as well:

su - zimbra
zmprov getServer nobox.whatever.com | grep -e Mode -e Auth -e Port
cat ~/cyrus-sasl/etc/saslauthd.conf*

[Miz]

I have successfully upgraded to Version 4.5.0_GA_612.RHEL4 Jan 15, 2007 today, but this problem remains.

Info requested:

Code:

[zimbra@mail ~]$ zmprov getServer mail.whatever.tld | grep -e Mode -e Auth -e Port
zimbraAdminPort: 7071
zimbraImapBindPort: 143
zimbraImapProxyBindPort: 143
zimbraImapSSLBindPort: 993
zimbraImapSSLProxyBindPort: 993
zimbraLmtpBindPort: 7025
zimbraMailMode: https
zimbraMailPort: 73
zimbraMailSSLPort: 74
zimbraMtaAuthEnabled: TRUE
zimbraMtaAuthHost: mail.whatever.tld
zimbraMtaAuthURL: https://mail.whatever.tld:74/service/soap/
zimbraMtaTlsAuthOnly: TRUE
zimbraNotifyBindPort: 7035
zimbraNotifySSLBindPort: 7036
zimbraPop3BindPort: 110
zimbraPop3ProxyBindPort: 110
zimbraPop3SSLBindPort: 995
zimbraPop3SSLProxyBindPort: 995
zimbraRemoteManagementPort: 22
zimbraSmtpPort: 25
[zimbra@mail ~]$ cat ~/cyrus-sasl/etc/saslauthd.conf
zimbra_url: https://mail.whatever.tld:74/service/soap/
zimbra_cert_file: /opt/zimbra/conf/smtpd.crt
zimbra_cert_check: off

Attempted login:

Code:

Jan 18 16:04:59 mail postfix/smtpd[3880]: connect from somewhere.at.comcast.net[9.8.7.6]
Jan 18 16:04:59 mail postfix/smtpd[3880]: setting up TLS connection from somewhere.at.comcast.net[9.8.7.6]
Jan 18 16:04:59 mail postfix/smtpd[3880]: TLS connection established from somewhere.at.comcast.net[9.8.7.6]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jan 18 16:05:28 mail postfix/smtpd[3880]: warning: SASL authentication failure: cannot connect to saslauthd server: Permission denied
Jan 18 16:05:28 mail postfix/smtpd[3880]: warning: SASL authentication failure: Password verification failed
Jan 18 16:05:28 mail postfix/smtpd[3880]: warning: somewhere.at.comcast.net[9.8.7.6]: SASL PLAIN authentication failed
Jan 18 16:05:28 mail postfix/smtpd[3880]: warning: SASL authentication failure: cannot connect to saslauthd server: Permission denied
Jan 18 16:05:28 mail postfix/smtpd[3880]: warning: somewhere.at.comcast.net[9.8.7.6]: SASL LOGIN authentication failed
Jan 18 16:05:31 mail postfix/smtpd[3880]: warning: SASL authentication failure: cannot connect to saslauthd server: Permission denied
Jan 18 16:05:31 mail postfix/smtpd[3880]: warning: SASL authentication failure: Password verification failed
Jan 18 16:05:31 mail postfix/smtpd[3880]: warning: somewhere.at.comcast.net[9.8.7.6]: SASL PLAIN authentication failed
Jan 18 16:05:31 mail postfix/smtpd[3880]: warning: SASL authentication failure: cannot connect to saslauthd server: Permission denied
Jan 18 16:05:31 mail postfix/smtpd[3880]: warning: somewhere.at.comcast.net[9.8.7.6]: SASL LOGIN authentication failed
Jan 18 16:06:01 mail pam_loginuid[4059]: set_loginuid failed opening loginuid

/etc/syslog.conf

Code:

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log
# added by openldap2.3-2.3.27 rpm Fri Nov 17 17:39:36 EST 2006
local0.*                -/var/log/zimbra.log
auth.*                  -/var/log/zimbra.log
mail.*                -/var/log/zimbra.log

I verified that syslogd restarted as a result of the kill command, after editing the syslog.conf, and made the change before attempting to log in via SMTP/TLS again.

[Miz]

/opt/zimbra/conf/smtpd.crt is:

Code:

-rwx------  1 zimbra zimbra 1078 Jan 18 10:24 /opt/zimbra/conf/smtpd.crt

And appears to be a well-formed certificate.

/opt/zimbra/cyrus-sasl/lib/sasl2 is:

Code:

#
# This is ${cyrus-sasl-prefix}/lib/sasl2/smtpd.conf
#
log_level: 3
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
saslauthd_path: /opt/zimbra/cyrus-sasl/state/mux

I uncommented the saslauthd_path and restarted Zimbra's saslauthd using zmsaslauthdctl restart

This resulted in saslauthd finally logging, but these are the only lines it spit out:

Code:

Jan 18 16:20:11 mail saslauthd[9609]: detach_tty      : master pid is: 9609
Jan 18 16:20:11 mail saslauthd[9609]: ipc_init        : listening on socket: /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/state/mux

[anand]

On my system, I see:

Code:

$ ls -al /opt/zimbra/cyrus-sasl/state/
total 12
drwxr-xr-x  2 zimbra zimbra 4096 Jan 16 15:49 .
drwxr-xr-x  8 root   zimbra 4096 Jan 16 15:43 ..
srwxrwxrwx  1 zimbra zimbra    0 Jan 16 15:49 mux
-rw-------  1 zimbra zimbra    0 Jan 16 15:49 mux.accept
-rw-------  1 zimbra zimbra    6 Jan 16 15:49 saslauthd.pid

What do you have?

[Miz]

Code:

# ls -al /opt/zimbra/cyrus-sasl/state
total 12
drwxr-x---  2 zimbra zimbra 4096 Jan 18 16:30 .
drwxr-xr-x  8 root   zimbra 4096 Jan 18 10:23 ..
srwxrwxrwx  1 zimbra zimbra    0 Jan 18 16:30 mux
-rw-------  1 zimbra zimbra    0 Jan 18 16:30 mux.accept
-rw-------  1 zimbra zimbra    6 Jan 18 16:30 saslauthd.pid

[Miz]

Code:

[root@mail SPECS]# cat /opt/zimbra/cyrus-sasl/state/saslauthd.pid 
13905
[root@mail SPECS]# ps 13905
  PID TTY      STAT   TIME COMMAND
13905 ?        Ss     0:00 /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/sbin/saslauthd -r -a zimbra
[root@mail SPECS]# grep 13905 /var/log/zimbra.log 
Jan 18 16:30:49 mail saslauthd[13905]: detach_tty      : master pid is: 13905
Jan 18 16:30:49 mail saslauthd[13905]: ipc_init        : listening on socket: /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/state/mux

[anand]

How about:

Code:

# ldd /opt/zimbra/postfix/libexec/smtpd  | grep sasl
        libsasl2.so.2 => /opt/zimbra/cyrus-sasl/lib/libsasl2.so.2 (0x0000002a95a00000)

Path to the socket is hard coded in SASL client libs (I think), and this will tell us if you are using the lib that came with Zimbra or not.

Infact the sure fire way to check this is to find a live "smtpd" process and pmap it.

Code:

 # pmap 12314 | grep sasl2.so
0000002a95a00000     88K r-x--  /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/lib/libsasl2.so.2.0.21
0000002a95a16000   1024K -----  /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/lib/libsasl2.so.2.0.21
0000002a95b16000      4K rw---  /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/lib/libsasl2.so.2.0.21

[Miz]

Code:

# ldd /opt/zimbra/postfix/libexec/smtpd | grep sasl
        libsasl2.so.2 => /opt/zimbra/cyrus-sasl/lib/libsasl2.so.2 (0xb7d65000)

Now there's an interesting find...

No smptd.

I had one a minute ago.

Code:

postfix   1033  0.0  0.3  7048 2576 ?        S    17:08   0:00 smtpd -n 127.0.0.1:10025 -t inet -u -o content_filter  -o local_recipient_maps  -o virtual_mailbox_maps  -o virtual_alias_maps  -o relay_recipient_maps  -o smtpd_restriction_classes  -o smtpd_delay_reject no -o smtpd_client_restrictions permit_mynetworks,reject -o smtpd_helo_restrictions  -o smtpd_sender_restrictions  -o smtpd_recipient_restrictions permit_mynetworks,reject -o mynetworks_style host -o mynetworks 127.0.0.0/8 -o strict_rfc821_envelopes yes -o smtpd_error_sleep_time 0 -o smtpd_soft_error_limit 1001 -o smtpd_hard_error_limit 1000 -o smtpd_client_connection_count_limit 0 -o smtpd_client_connection_rate_limit 0 -o receive_override_options no_header_body_checks,no_unknown_recipient_checks,no_address_mappings

[root@mail ~]# pmap 1033
[root@mail ~]#

Code:

[root@mail ~]# ps aux | grep smtp
root      2951  0.0  0.0  3732  668 pts/9    R+   17:11   0:00 grep smtp
[root@mail ~]# ps aux | grep postfix
root     13860  0.0  0.2  6556 1700 ?        Ss   16:30   0:00 /opt/zimbra/postfix-2.2.9/libexec/master
postfix  13880  0.0  0.2  6604 1684 ?        S    16:30   0:00 pickup -l -t fifo -u
postfix  13881  0.0  0.2  6636 1768 ?        S    16:30   0:00 qmgr -l -t fifo -u
postfix  14631  0.0  0.2  6600 1752 ?        S    16:33   0:00 tlsmgr -l -t unix -u
postfix   1027  0.0  0.2  6592 1684 ?        S    17:08   0:00 proxymap -t unix -u
postfix   1028  0.0  0.2  6612 1896 ?        S    17:08   0:00 trivial-rewrite -n rewrite -t unix -u
postfix   1303  0.0  0.2  6600 1684 ?        S    17:10   0:00 showq -t unix -u
root      2953  0.0  0.0  3736  672 pts/9    R+   17:11   0:00 grep postfix

Code:

$ zmcontrol status
Host mail.whatever.tld
        antispam                Running
        antivirus               Running
        ldap                    Running
        logger                  Running
        mailbox                 Running
        mta                     Running
        snmp                    Running
        spell                   Running

[Miz]

I hit up 'master' (Postfix).

Close enough?

Code:

b7d56000     76K r-x--  /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/lib/libsasl2.so.2.0.21
b7d69000      4K rw---  /opt/zimbra/cyrus-sasl-2.1.21.ZIMBRA/lib/libsasl2.so.2.0.21