Postfix + Cyrus SASL + Authdaemond

So I'm writing this post because it annoys me to get burned by such a stupid problem and I want it written down somewhere so the next time 10 years from now that I decide to reinstall Gentoo and run my mail server on it, I'll know why I can't successfully do SMTP authentication.

Background:

I've been hosting my own mail for a while now. I've had a pretty decently built tower case server built by Kingstar USA and it has been running non-stop since like 2003. It's gone through some iterations and at some point about 6 or 7 years ago I consolidate a bunch of services onto this server and installed Postfix, Courier, Postgres, and Cyrus-SASL in order for postfix to do SMTP auth. I previously had been using Cyrus for my IMAP/POP3/Auth entirely but I wasn't very happy with it so I decided to migrate to Courier and followed this guide. I remember there being some configuration pains but I didn't document any of them and was just happy that everything's working.

Fast forward to a month or so ago and the power supply on the server died, the first non-harddrive related hardware malfunction in 15 something years. I rush to buy a new one and install it and it turned back on but became increasingly flakey ever since; reboots randomly, turns itself off randomly, sometimes having to powercycle a few times before it finally boots, among some of the more serious afflictions. So that meant it was time for an upgrade. Kingstar only builds rackmounts these days so I had to find another source for a higher end powerful desktop that had the cheapest possible graphics, a certain amount of RAM, several gigabit ethernet interfaces, configurable drives and no OS. After getting some quotes I settled on Thinkmate. There was some issues, they were kind of slow although this was over the holiday season, and the first server they sent me didn't work (not exactly a good start) but I finally got Gentoo installed and started the arduous process of migrating all the files, packages, and configuration settings to the new box. This thing does a dozen other things aside from email so it took a while and I wanted to be thorough. Miraculously, everything worked after the first reboot, except for email.

The Problems:

The first problem was not being able to authenticate to IMAP or POP3. It was related to STARTTLS. I configured an SSL port and was able to log in that way but all of my other users are still using STARTTLS from the 443 port so I had to fix this. The problem?

# ls -l /usr/share/dhparams.pem
ls: cannot access /usr/share/dhparams.pem': No such file or directory

Turns out Courier couldn't initialize a TLS handshake without it. With the dhparams, Courier was able to STARTTLS and everyone was able to log in and check their email.

Then another problem surfaced: I wasn't able to send email through SMTP. I have it setup so that when you try to issue AUTH in postfix, it'll use SASL (Cyrus) and SASL will pass the request through to Authdaemond (Courier-Authlib). This was working fine on the old machine but I was getting these errors in the logs:

Feb 1 13:52:23 benito postfix/smtpd[9905]: sql plugin Parse the username test
Feb 1 13:52:23 benito postfix/smtpd[9905]: sql plugin try and connect to a host
Feb 1 13:52:23 benito postfix/smtpd[9905]: sql plugin trying to open db '' on host ''
Feb 1 13:52:23 benito postfix/smtpd[9905]: sql plugin could not connect to host
Feb 1 13:52:23 benito postfix/smtpd[9905]: sql plugin couldn't connect to any host
Feb 1 13:52:23 benito postfix/smtpd[9905]: sql plugin Parse the username test
Feb 1 13:52:23 benito postfix/smtpd[9905]: sql plugin try and connect to a host
Feb 1 13:52:23 benito postfix/smtpd[9905]: sql plugin trying to open db '' on host ''
Feb 1 13:52:23 benito postfix/smtpd[9905]: sql plugin could not connect to host
Feb 1 13:52:23 benito postfix/smtpd[9905]: sql plugin couldn't connect to any host
Feb 1 13:52:23 benito postfix/smtpd[9905]: warning: unknown[10.2.3.4]: SASL PLAIN authentication failed: generic failure
Feb 1 13:52:23 benito postfix/smtpd[9905]: sql plugin Parse the username test
Feb 1 13:52:23 benito postfix/smtpd[9905]: sql plugin try and connect to a host
Feb 1 13:52:23 benito postfix/smtpd[9905]: sql plugin trying to open db '' on host ''
Feb 1 13:52:23 benito postfix/smtpd[9905]: sql plugin could not connect to host
Feb 1 13:52:23 benito postfix/smtpd[9905]: sql plugin couldn't connect to any host
Feb 1 13:52:23 benito postfix/smtpd[9905]: sql plugin Parse the username test
Feb 1 13:52:23 benito postfix/smtpd[9905]: sql plugin try and connect to a host
Feb 1 13:52:23 benito postfix/smtpd[9905]: sql plugin trying to open db '' on host ''
Feb 1 13:52:23 benito postfix/smtpd[9905]: sql plugin could not connect to host
Feb 1 13:52:23 benito postfix/smtpd[9905]: sql plugin couldn't connect to any host
Feb 1 13:52:23 benito postfix/smtpd[9905]: warning: unknown[10.2.3.4]: SASL LOGIN authentication failed: generic failure

This seemed to indicate that postfix and SASL couldn't talk to Courier. I made sure the socket was accessible to the postfix user. I even tried compiling a newer version of cyrus-sasl that had a postgres sql bug fixed but got a different error message that said essentially the same thing; couldn't connect to any host.

After a little more digging around and reading forums and documentation, I noticed this bit in the same guide that started me on this journey in the section about installing cyrus-sasl and its USE flags:

Whatever database choice was made before, support for it will be built here as well. If for any reason, mostly security, the additional database code is not wanted, it is possible to emerge without any of the database useflags set.
The database USE flags should also be removed if going via courier-authlib rather than directly to the database, as cyrus-sasl will continually log errors when compiled with SQL support without being configured to use it.

And I had all of the sql related USE flags set in cyrus-sasl since that was what the global flags were set to use. I added this to my /etc/portage/package.use:

dev-libs/cyrus-sasl -mysql -postgres

recompiled it and restarted and it's fixed. So to my future self that decided to continue the Gentoo+Postfix+SASL+Courier+Postgres thing: don't compile cyrus-sasl with SQL support. Maybe this annoyance will go away the next time I had to configure this.

Filed under: Computers


HOME, CONTACT, TWITTER