webmin: chrooted postfix and saslauthd run into problems in Debian 7

Hello

Seems the current deployed configuration is not compatible when enabling chroot on Postfix, resulting in errors such as these:

postfix/smtpd[8673]: connect from [127.0.0.1]
postfix/smtpd[8673]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
postfix/smtpd[8673]: warning: [127.0.0.1]: SASL LOGIN authentication failed: generic failure
postfix/smtpd[8673]: disconnect from [127.0.0.1]

The problem arises because postfix insists on looking up saslauthd lock files in /var/run/saslauthd, yet these have moved to /var/spool/postfix/var/run/saslauthd.

Even after adding:

saslauthd_path: /var/spool/postfix/var/run/saslauthd/mux
(or)
saslauthd_path: /var/run/saslauthd/mux

to /etc/postfix/sasl/smtpd.conf the problem persists (tried remote SMTP mail clients and roundcube).

You may say this can be fixed with a symlink or mount bind - this is partially true and will work until the next reboot. Then the system clears /var/run and a new directory has to be created with the respective symlink or mount bind. A permanent entry in /etc/fstab still won't solve it and you'll end up with a boot hang (press ctrl+d).

Instead of chrooting saslauthd, the fix seems to be to leave it at the default path, and then change the /etc/default/saslauthd options accordingly. This however leaves saslauthd out of the chroot, so a mount bind will be required.

SEE LAST POSTS FOR FINAL FIXES

Note that symlinks do not work on chroot. The following method is ineffective - you'll have to use a mount bind.

Create directory for new mount point:

mkdir -p /var/spool/postfix/var/run

Set ownership and permissions:

chown -R root:sasl /var/spool/postfix/var/
dpkg-statoverride --add root sasl 710 /var/spool/postfix/var
adduser postfix sasl

Create symlink for chrooted saslauthd:

ln -s  /var/run/saslauthd /var/spool/postfix/var/run/saslauthd
chown -h root:sasl /var/spool/postfix/var/run/saslauthd

These also won't work because the symlinks are reversed:

http://blog.wains.be/2006/11/18/postfix-chroot-sasl-authentication-saslauthd/
http://www.jimmy.co.at/weblog/?p=52

About this issue

  • State: open
  • Created 11 years ago
  • Comments: 15

Most upvoted comments

Final configuration for a non-chrooted saslauthd and (optional) chrooted Postfix follows in this comment. The setup will work whether postfix is chrooted or not – when chrooted, just apply the additional optional config, which should make postfix safer to use.

from here on, mandatory for both chrooted and non-chrooted postfix

saslauthd non-chrooted:

Reminder: saslauthd should be non-chrooted for the setup to be simple and work.

Set parameters for saslauthd in /etc/default/saslauthd:

Before (Incorrect):

OPTIONS="-c -m /var/run/saslauthd"
(or)
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"

After (Correct):

OPTIONS="-c -m /var/run/saslauthd -r"

Standard Postfix configuration:

Create a pam file for smtp/postfix, equal to dovecot's. A missing file will result in postfix login failures in pam if the other's file is hardened (/etc/pam.d/smtp):

#
# /etc/pam.d/smtp - PAM behavior for postfix
#
#%PAM-1.0

@include common-auth
@include common-account
@include common-session

This probably should be a separate issue but I'll include it here as it's related.

Add postfix user to the sasl group:

adduser postfix sasl

from here on, optional…(chrooted postfix)

Add binding for saslauthd in Postfix chroot:

Add a permanent mount point to /etc/fstab:

/var/run/saslauthd /var/spool/postfix/var/run/saslauthd bind defaults,nodev,noauto,bind 0 0

Note: noauto = no attempt to mount what can't be mounted on early boot = no error/hang

Create directory for new mount point:

mkdir -p /var/spool/postfix/var/run/saslauthd

Set ownership and permissions:

chown -R root:sasl /var/spool/postfix/var/
dpkg-statoverride --add root sasl 710 /var/spool/postfix/var

Then mount it:

mount /var/spool/postfix/var/run/saslauthd

Add the mount command to /etc/rc.local to be run at boot (after all daemons):

# Mount saslauthd bind point at postfix chroot
mount /var/spool/postfix/var/run/saslauthd

https://wiki.debian.org/PostfixAndSASL
http://blog.brachium-system.net/archives/16-Postfix-with-SASL-Authentication-in-Debian.html

Finish Postfix chrooted configuration:

Configure sasl binding for postfix (/etc/postfix/sasl/smtpd.conf):

Incorrect:

saslauthd_path: /var/spool/postfix/var/run/saslauthd/mux
(or nothing)

Correct:

saslauthd_path: /var/run/saslauthd/mux

Configure postfix to work in chrooted environment (/etc/postfix/master.cf):

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================

Debian stock configuration (insecure):

smtp      inet  n       -       -       -       -       smtpd

Virtualmin configuration (sasl only):

smtp    inet    n   -   -   -   -   smtpd -o smtpd_sasl_auth_enable=yes
submission  inet    n   -   -   -   -   smtpd -o smtpd_sasl_auth_enable=yes

New configuration (also added TLS):

#
# Custom configuration
# See /etc/services
#

# SMTP (25/TCP)
smtp       inet n       -       y       -       -       smtpd -o smtpd_sasl_auth_enable=yes
# Submission (587/TCP+UDP)
submission inet n       -       y       -       -       smtpd -o smtpd_sasl_auth_enable=yes
# SMTPS/SSMTP (465/TCP) (deprecated, disabled)
#smtps      inet n       -       y       -       -       smtpd -o smtpd_sasl_auth_enable=yes -o smtpd_tls_wrappermode=yes

Notes:

  • The y flag on 5th column denotes chroot=yes.
  • Services were taken from /etc/services.
  • TLS forced on SMTPS/465, as expected.

EDIT: fixed some settings

END
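As an added aid for the configuration in the comment above (this is example code, not part of the thread or of Webmin/Virtualmin): a read-only shell script that checks the pieces the comment asks for, namely the -m directory in /etc/default/saslauthd, the postfix user's membership in the sasl group, which master.cf inet services carry the chroot "y" flag, and whether the mux socket is actually visible under /var/spool/postfix at the path a chrooted smtpd will open. The file paths are the Debian defaults used in the thread and can be overridden by environment variables; the sample_files function writes constructed copies of the comment's "After (Correct)" OPTIONS line and its master.cf block so the parsers can be exercised without touching a live system.

```shell
#!/bin/sh
# Added example: read-only sanity check for a non-chrooted saslauthd serving a
# chrooted Postfix. Not part of the original thread. Paths are Debian defaults.

SASL_DEFAULTS="${SASL_DEFAULTS:-/etc/default/saslauthd}"
MASTER_CF="${MASTER_CF:-/etc/postfix/master.cf}"
CHROOT="${CHROOT:-/var/spool/postfix}"

# Print the directory given to saslauthd's -m option in the last OPTIONS= line
# of FILE ($1). The thread's correct value is /var/run/saslauthd.
# Returns 1 if no -m option is present.
saslauthd_socket_dir() {
    opts=$(sed -n 's/^OPTIONS="\(.*\)"$/\1/p' "$1" | tail -n 1)
    prev=""
    for w in $opts; do
        if [ "$prev" = "-m" ]; then
            printf '%s\n' "$w"
            return 0
        fi
        prev=$w
    done
    return 1
}

# Print the inet services in master.cf FILE ($1) whose 5th column is "y",
# i.e. the smtpd instances that run chrooted. Comment lines and "-o"
# continuation lines are skipped because their 2nd field is not "inet".
chroot_services() {
    awk '$1 !~ /^#/ && $2 == "inet" && $5 == "y" { print $1 }' "$1"
}

# Succeed if the saslauthd mux socket is visible where a chrooted smtpd opens
# it: CHROOT ($1) + SOCKDIR ($2) + /mux. This is what the bind mount provides.
mux_visible_in_chroot() {
    [ -S "$1$2/mux" ]
}

# Succeed if the chroot copy of the socket directory is a real mount point
# (a symlink, as the thread notes, does not work inside the chroot).
socket_dir_is_mounted() {
    findmnt -n "$1$2" >/dev/null 2>&1
}

# Succeed if the postfix user belongs to group sasl (adduser postfix sasl).
postfix_in_sasl_group() {
    id -nG postfix 2>/dev/null | tr ' ' '\n' | grep -qx sasl
}

# Write constructed sample files (the thread's corrected OPTIONS line and its
# new master.cf block) into a temporary directory and print that directory.
sample_files() {
    d=$(mktemp -d)
    printf 'OPTIONS="-c -m /var/run/saslauthd -r"\n' > "$d/saslauthd"
    cat > "$d/master.cf" <<'EOF'
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp       inet n       -       y       -       -       smtpd -o smtpd_sasl_auth_enable=yes
submission inet n       -       y       -       -       smtpd -o smtpd_sasl_auth_enable=yes
#smtps      inet n       -       y       -       -       smtpd -o smtpd_tls_wrappermode=yes
pickup     unix n       -       -       60      1       pickup
EOF
    printf '%s\n' "$d"
}

# Check the live system; prints ok/FAIL lines and returns 1 on any failure.
run_checks() {
    rc=0
    sockdir=$(saslauthd_socket_dir "$SASL_DEFAULTS") || {
        echo "FAIL: no -m option in $SASL_DEFAULTS"; return 1; }
    if [ "$sockdir" = "/var/run/saslauthd" ]; then
        echo "ok: saslauthd socket dir is $sockdir"
    else
        echo "FAIL: saslauthd -m is $sockdir, expected /var/run/saslauthd"; rc=1
    fi
    if postfix_in_sasl_group; then
        echo "ok: postfix is in group sasl"
    else
        echo "FAIL: postfix is not in group sasl"; rc=1
    fi
    for svc in $(chroot_services "$MASTER_CF"); do
        if mux_visible_in_chroot "$CHROOT" "$sockdir"; then
            echo "ok: $svc is chrooted and $CHROOT$sockdir/mux is a socket"
        else
            echo "FAIL: $svc is chrooted but $CHROOT$sockdir/mux is missing"; rc=1
        fi
        socket_dir_is_mounted "$CHROOT" "$sockdir" ||
            echo "warn: $CHROOT$sockdir is not a mount point (symlink?)"
    done
    return $rc
}

# Usage on the live system (needs root to read group membership reliably):
#   sudo sh check_sasl_chroot.sh --check
if [ "${1:-}" = "--check" ]; then
    run_checks
fi
```

Run it with --check after a reboot as well as right after configuring: the boot-time mount in rc.local (or a systemd unit) is exactly the step that the FAIL line about the missing mux socket will catch.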

FWIW, on a fresh install of Ubuntu 18.04 and Webmin/Virtualmin (latest), Postfix is not running in chroot and this simplified subset sufficed:

  1. Replace any references to /var/spool/postfix/var/run/saslauthd with /var/run/saslauthd in /etc/default/saslauthd
  2. systemctl restart saslauthd

Always weird when you get a notification on a bug from over a decade ago that’s still open.

This post really helped me out. But when using Debian, there is no rc.local anymore, but there are workarounds.

I created a service for this as follows:

nano /etc/systemd/system/saslauthd_mount_bind.service

[Unit]
Description=Bind Mount for SASL Auth Daemon Socket
After=saslauthd.service
[Service]
Type=oneshot
RemainAfterExit=true
ExecStart=/usr/bin/mount -o bind /var/run/saslauthd /var/spool/postfix/var/run/saslauthd
[Install]
WantedBy=multi-user.target

systemctl enable saslauthd_mount_bind.service

systemctl start saslauthd_mount_bind.service