# Postfix SASL



## NeHe (Oct 18, 2013)

Hi guys,

I've been banging my head against a wall for the last few days trying to get Postfix SASL working.  I thought I had a good understanding of what needed to be done, but I apparently have no clue what I'm doing.

I want outside users to be able to authenticate (TLS later).

The problem I'm seeing in the logs is as follows:

```
warning: SASL authentication failure: no user in db
```
I've found 1001 web sites talking about this issue, but I haven't found a fix that works for me.

I am using:
FreeBSD 9.x (64 bit)
Postfix 2.10.1,1 (PCRE, SASL2, TLS)
cyrus-imapd-2.4.17_4
cyrus-sasl-2.1.26_2 (authdaemond, obsolete_cram_attr, {all mechs})

Cyrus is authenticating against SASL just fine (sasldb2.db). When I do the following test I see the results below:

```
$ smtptest -a {username} localhost
S: 220 mail.{company}.com ESMTP Postfix
C: EHLO smtptest
S: 250-mail.{company}.com
S: 250-PIPELINING
S: 250-SIZE 20480000
S: 250-ETRN
S: 250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM
S: 250-AUTH=PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM
S: 250-ENHANCEDSTATUSCODES
S: 250-8BITMIME
S: 250 DSN
Please enter your password:
C: AUTH PLAIN ********************
S: 235 2.7.0 Authentication successful
Authenticated.
Security strength factor: 0
```

It looks like I'm authenticating properly against SASL.

In /usr/local/etc/postfix/main.cf I have:

```
smtpd_sasl_auth_enable          = yes
broken_sasl_auth_clients        = yes
smtpd_sasl_local_domain         = proxy.domain.local
smtpd_sasl_security_options     = noanonymous

smtpd_relay_restrictions        = permit_mynetworks,
                                  permit_sasl_authenticated,
                                  reject_unauth_destination
```

In /usr/local/lib/sasl2/smtpd.conf I have:

```
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM
```
I don't know if I'm missing something (I very well could be), if I'm going about this the wrong way, etc. Any help would be greatly appreciated.

I would prefer not to use saslauthd (I've had issues with it in the past... crashing). Can anyone with experience on this topic help me out / give me some guidance?

Also, if there are other files you need to see, please let me know.


----------
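The `smtptest` transcript above shows the client sending `AUTH PLAIN` with the credentials masked as asterisks and the server answering `235`. The following is an added example, not code from the post, from Postfix or from Cyrus SASL: it models that exchange offline, building the RFC 4616 initial response the way the client does, decoding it the way the server does before the user lookup that produces "no user in db", and reading the advertised mechanism list from the EHLO reply (including the duplicated `AUTH=` form that `broken_sasl_auth_clients = yes` adds). `SAMPLE_SASLDB` and `SAMPLE_EHLO` are constructed test data; the hostname and users are placeholders.

```python
"""Offline model of the SMTP AUTH PLAIN exchange seen in the smtptest output.

Added example, not code from the post, from Postfix or from Cyrus SASL.
SAMPLE_SASLDB and SAMPLE_EHLO are constructed test data that only mimic
the shape of the real things.
"""
import base64
import binascii
import hmac

# Constructed stand-in for sasldb2: authentication id -> password.
SAMPLE_SASLDB = {"alice": "correct horse", "bob": "hunter2"}

# Constructed copy of the EHLO reply from the post (hostname changed).
SAMPLE_EHLO = [
    "250-mail.example.com",
    "250-PIPELINING",
    "250-SIZE 20480000",
    "250-ETRN",
    "250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM",
    "250-AUTH=PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM",
    "250-ENHANCEDSTATUSCODES",
    "250-8BITMIME",
    "250 DSN",
]

# Mechanisms that carry the password itself; base64 is encoding, not encryption.
PLAINTEXT_MECHS = ("PLAIN", "LOGIN")


def auth_plain_initial_response(authcid, passwd, authzid=""):
    """Client side (what smtptest masks with asterisks): the RFC 4616 blob
    base64(authzid NUL authcid NUL passwd) sent on the 'AUTH PLAIN' line."""
    raw = b"\0".join(s.encode("utf-8") for s in (authzid, authcid, passwd))
    return base64.b64encode(raw).decode("ascii")


def decode_auth_plain(response):
    """Server side: split the blob into (authzid, authcid, passwd), or None
    when it is not valid base64 or does not have exactly three fields."""
    try:
        raw = base64.b64decode(response, validate=True)
    except (binascii.Error, ValueError):
        return None
    parts = raw.split(b"\0")
    if len(parts) != 3:
        return None
    return tuple(p.decode("utf-8", "replace") for p in parts)


def authenticate_plain(response, db=SAMPLE_SASLDB):
    """Return an SMTP reply in the style Postfix uses: 235 on success,
    535 on any failure.  The user lookup is the step that, in the real
    server, is answered by the sasldb auxprop plugin."""
    fields = decode_auth_plain(response)
    if fields is None:
        return "535 5.7.8 Error: authentication failed: malformed AUTH PLAIN response"
    authzid, authcid, passwd = fields
    if authzid and authzid != authcid:
        # No proxy-authorization policy here: you may only act as yourself.
        return "535 5.7.8 Error: authentication failed: authorization id not permitted"
    expected = db.get(authcid)
    if expected is None:
        return "535 5.7.8 Error: authentication failed: no such user"
    if not hmac.compare_digest(expected.encode("utf-8"), passwd.encode("utf-8")):
        return "535 5.7.8 Error: authentication failed: bad password"
    return "235 2.7.0 Authentication successful"


def parse_ehlo_auth(lines):
    """Collect the advertised SASL mechanisms from EHLO reply lines.
    Postfix with broken_sasl_auth_clients = yes repeats the list in the
    obsolete 'AUTH=' form for old Outlook/Exchange clients; both forms are read."""
    mechs = []
    for line in lines:
        if not (line.startswith("250-") or line.startswith("250 ")):
            continue
        body = line[4:]
        for prefix in ("AUTH=", "AUTH "):
            if body.startswith(prefix):
                for mech in body[len(prefix):].split():
                    if mech not in mechs:
                        mechs.append(mech)
    return mechs


def cleartext_password_mechs(lines, tls_active):
    """Mechanisms on this session that would send the password in the clear.
    An empty list is the goal once the 'TLS later' step is done."""
    if tls_active:
        return []
    return [m for m in parse_ehlo_auth(lines) if m in PLAINTEXT_MECHS]


if __name__ == "__main__":
    blob = auth_plain_initial_response("alice", "correct horse")
    print("C: AUTH PLAIN", blob)
    print("S:", authenticate_plain(blob))
    print("decoded on the wire:", decode_auth_plain(blob))
    print("cleartext mechs without TLS:", cleartext_password_mechs(SAMPLE_EHLO, tls_active=False))
```

The `Security strength factor: 0` line in the transcript means no TLS and no SASL security layer were negotiated, so anyone on the path can run the equivalent of `decode_auth_plain` on the captured `AUTH PLAIN` line. Until STARTTLS is in place, the usual Postfix arrangement is `smtpd_sasl_security_options = noplaintext` together with `smtpd_sasl_tls_security_options = noanonymous` (and `smtpd_tls_auth_only = yes`), so PLAIN and LOGIN are only advertised after the session is encrypted.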



## quintessence (Oct 21, 2013)

Hi,

Can you authenticate against your local domain from your configuration, i.e.

```
smtpd_sasl_local_domain         = proxy.domain.local
```
instead of localhost?

`smtptest -a {username} proxy.domain.local`

You can check also if your <username> exist in the database with `sasldblistusers2`.

Adding some verbosity to smtpd.conf wouldn't be a bad idea either:

```
log_level: 9
```

in /usr/local/lib/sasl2/smtpd.conf.


----------



## NeHe (Oct 21, 2013)

Hi @quintessence,

Really appreciate the reply. So things have gotten rather weird. I found that I had to add permit_sasl_authenticated to smtpd_recipient_restrictions. I also decided to try authentication using saslauthd while discovering this. I discovered that saslauthd appeared to authenticate without the "no user in db" warning.

I then switched back to auxprop and sasldb in smtpd.conf and found that it was authenticating properly (appears to be), but I am still seeing this "no user in db" in my maillog.

Perhaps I can just ignore it and blissfully be on my way, but it bothers me that I'm seeing this and I want to know a) if I should be seeing it and b) what is causing this message.

Without rambling too much, I can authenticate using `smtptest -a {username} proxy.domain.local` and my main.cf already has

```
smtpd_sasl_local_domain = proxy.domain.local
```

My user name does exist in sasldblistusers2.

I will add the suggested logging.

Again, I really appreciate you taking the time to help out with this, feel free to ask me anything about the setup.


----------



## quintessence (Oct 22, 2013)

Hi,

I just tested enabling sasldb instead of saslauthd (btw, I've also had crashing problems in the past on one old box; since then I haven't met any problems with saslauthd, so I'm using it). However, this warning is harmless; don't worry if you authenticate successfully.
After checking the source I found that this warning is returned by the ndbm interface (work/cyrus-sasl-2.1.26/lib/db_ndbm.c), so if you don't want to see this warning, just recompile the cyrus-sasl port placing an X (tick/mark) on BDB support. That way its libs will be built without ndbm support:

```
.if ${PORT_OPTIONS:MBDB}
USE_BDB=        yes
INVALID_BDB_VER=2
CONFIGURE_ARGS+=--with-dblib=berkeley \
                --with-bdb-libdir=${BDB_LIB_DIR} \
                --with-bdb-incdir=${BDB_INCLUDE_DIR} \
                --with-bdb=${BDB_LIB_NAME}
SASLDB_NAME=    sasldb2
.else
# (here, if you didn't place a mark/tick on BDB support, your port will be
# built with ndbm support, which causes the warning)
CONFIGURE_ARGS+=--with-dblib=ndbm
SASLDB_NAME=    sasldb2.db
.endif
```

But after rebuilding the port you should recreate your SASL database (all users, passwords, chown it to 644 or change the owner and so on); the new file is /usr/local/etc/sasldb2 instead of /usr/local/etc/sasldb2.db.

This is only if you don't want to see this harmless but log-filling warning.

With ndbm support (no tick on BDB support):

```
/usr/local/etc/sasldb2.db: Berkeley DB 1.85 (Hash, version 2, native byte-order)
```

Without ndbm support (tick on BDB support):

```
/usr/local/etc/sasldb2: Berkeley DB (Hash, version 8, native byte-order)
```

I can confirm the warning disappears by placing an X on BDB support:

```
Oct 22 02:17:55 priv postfix/smtpd[54093]: watchdog_pat: 0x80281fe30
Oct 22 02:17:55 priv postfix/smtpd[54093]: vstream_fflush_some: fd 9 flush 205
Oct 22 02:17:57 priv postfix/smtpd[54093]: vstream_buf_get_ready: fd 9 got 57
Oct 22 02:17:57 priv postfix/smtpd[54093]: < [hidden]: auth plain [hidden]
Oct 22 02:17:57 priv postfix/smtpd[54093]: xsasl_cyrus_server_first: sasl_method plain, init_response [hidden]
Oct 22 02:17:57 priv postfix/smtpd[54093]: xsasl_cyrus_server_first: decoded initial response
Oct 22 02:17:57 priv postfix/smtpd[54093]: > [hidden]: 235 2.7.0 Authentication successful
```

With the default options, i.e. without an X on BDB support, the warning appears, but you still authenticate successfully:

```
Oct 22 02:28:28 priv postfix/smtpd[62422]: watchdog_pat: 0x80281fe30
Oct 22 02:28:28 priv postfix/smtpd[62422]: vstream_fflush_some: fd 14 flush 205
Oct 22 02:28:33 priv postfix/smtpd[62422]: vstream_buf_get_ready: fd 14 got 57
Oct 22 02:28:33 priv postfix/smtpd[62422]: < [hidden]: auth plain [hidden]
Oct 22 02:28:33 priv postfix/smtpd[62422]: xsasl_cyrus_server_first: sasl_method plain, init_response [hidden]
Oct 22 02:28:33 priv postfix/smtpd[62422]: xsasl_cyrus_server_first: decoded initial response
Oct 22 02:28:33 priv postfix/smtpd[62422]: warning: SASL authentication failure: no user in db
Oct 22 02:28:33 priv postfix/smtpd[62422]: > [hidden]: 235 2.7.0 Authentication successful
```


----------
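The post above distinguishes the two sasldb formats by their `file(1)` output: the default ndbm build of the port writes a DB 1.85 hash file (`sasldb2.db`), the BDB build writes a newer Berkeley DB file (`sasldb2`). The following is an added example, not code from the post or from the cyrus-sasl port, that reimplements those two checks from the on-disk header so you can tell which build wrote a given file without guessing from the name: the DB 1.85 `HASHHDR` begins with the hash magic `0x061561` at offset 0 followed by the version, while the later `DBMETA` page keeps the magic at offset 12 and the version at offset 16. The headers produced by `sample_header()` are constructed test data, not real databases; the paths in the usage comment are the ones the post names.

```python
"""Tell which Berkeley DB flavour wrote a sasldb file from its header bytes.

Added example, not code from the post or from the cyrus-sasl port.  It
reimplements the two file(1) checks whose output the post shows.  The
headers from sample_header() are constructed test data only.
"""
import struct
import sys

HASH_MAGIC = 0x061561   # DB 1.85 HASHMAGIC, also DB_HASHMAGIC in later releases
BTREE_MAGIC = 0x053162  # DB_BTREEMAGIC (sasldb is a hash db; listed for completeness)
ACCESS_BY_MAGIC = {HASH_MAGIC: "Hash", BTREE_MAGIC: "Btree"}
HEADER_LEN = 20         # enough to reach the version field of either layout


def _u32(data, offset, order):
    return struct.unpack_from(order + "I", data, offset)[0]


def classify_sasldb_header(header):
    """Return {'library', 'access', 'version', 'byte_order'} or None.
    'library' is 'db1.85' for the old format and 'bdb' for the newer one."""
    if len(header) < HEADER_LEN:
        return None
    for order, name in (("<", "little"), (">", "big")):
        # DB 1.85 HASHHDR: int32 magic, int32 version, int32 lorder, int32 bsize, ...
        if _u32(header, 0, order) == HASH_MAGIC:
            return {"library": "db1.85", "access": "Hash",
                    "version": _u32(header, 4, order), "byte_order": name}
        # DB 2.x+ DBMETA: lsn (8 bytes), pgno (4), magic (4), version (4), pagesize (4)
        magic = _u32(header, 12, order)
        if magic in ACCESS_BY_MAGIC:
            return {"library": "bdb", "access": ACCESS_BY_MAGIC[magic],
                    "version": _u32(header, 16, order), "byte_order": name}
    return None


def describe(header):
    """Render the classification in the wording file(1) uses."""
    info = classify_sasldb_header(header)
    if info is None:
        return "not a Berkeley DB hash or btree header"
    endian = ("native byte-order" if info["byte_order"] == sys.byteorder
              else info["byte_order"] + "-endian")
    library = "Berkeley DB 1.85" if info["library"] == "db1.85" else "Berkeley DB"
    return "%s (%s, version %d, %s)" % (library, info["access"], info["version"], endian)


def classify_sasldb_file(path):
    """Read only the header of a database file on disk and classify it."""
    with open(path, "rb") as fh:
        return classify_sasldb_header(fh.read(HEADER_LEN))


def sample_header(library, version, byte_order="little"):
    """Construct a header in the layout the named library writes (test data only)."""
    order = "<" if byte_order == "little" else ">"
    if library == "db1.85":
        lorder = 1234 if byte_order == "little" else 4321
        return struct.pack(order + "IIII", HASH_MAGIC, version, lorder, 4096) + b"\0" * 16
    # lsn.file, lsn.offset, pgno, magic, version, pagesize
    return struct.pack(order + "IIIIII", 0, 1, 0, HASH_MAGIC, version, 4096) + b"\0" * 8


if __name__ == "__main__":
    # Run against both names the port may use, e.g.:
    #   python3 sasldb_format.py /usr/local/etc/sasldb2.db /usr/local/etc/sasldb2
    for path in sys.argv[1:]:
        try:
            with open(path, "rb") as fh:
                print("%s: %s" % (path, describe(fh.read(HEADER_LEN))))
        except OSError as exc:
            print("%s: %s" % (path, exc))
```

Running it against both paths after the rebuild makes the follow-up in the thread easy to understand: the BDB build of the port reads `/usr/local/etc/sasldb2`, which starts out empty, while the old `sasldb2.db` is simply no longer consulted. An empty `sasldblistusers2` listing right after the rebuild therefore means the users have to be added again with `saslpasswd2`, not that the old data was lost.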



## NeHe (Oct 22, 2013)

Hi @quintessence,

Your suggestions have completely resolved the issue! On that note, I REALLY (yes... caps) wanted to thank you for taking the time to respond. I've posted this question to quite a few forums and the BSD questions list, and have even emailed a few online gurus with no response whatsoever. I was beginning to feel as if no one was going to respond to my post here as well.

It's funny too because at one point I had compiled BDB support into both cyrus-sasl2 and postfix, but then noticed saslauthd was no longer showing any users (which of course threw me into a panic thinking I'd have to restore the sasldb2.db from backup). It never occurred to me that I would have to add the users again. As well, I had worries that messing with SASL would break my working IMAP setup (which it did not).

Once again, thank you, thank you, thank you. I wish there was a way to magically add a link to your response on all the sites I've seen this question asked (why am I seeing "no user in DB")!

In regards to saslauthd and the issues I had back in the day (crashing)... to be fair, it was back when I was using *Free*BSD 5.x (the dark ages)... I guess I got a bad taste in my mouth for saslauthd after that and never bothered to try it again. Good to know it's now stable (a fallback to keep in mind).


----------



## NeHe (Oct 22, 2013)

Sorry, I meant sasldblistusers2 was not showing any users, not saslauthd.


----------

