Category: nuxx.net

Getting SMTP authentication working with Postfix via authdaemond on FreeBSD 7.0 without occasional, useless errors in /var/log/messages has just caused me an hour of frustration. Therefore, I wish to document what I had to do to make it work right:

First off, Postfix (mail/postfix) and courier-authlib with MySQL support (security/courier-authlib with AUTH_MYSQL set in the config) must be installed. Setting up courier-authlib to talk to a MySQL db is beyond the scope of this document, but it basically involves setting the following lines:

/usr/local/etc/authlib/authdaemonrc:

authmodulelist="authmysql"

/usr/local/etc/authlib/authmysqlrc:

MYSQL_SERVER localhost
MYSQL_SOCKET /tmp/mysql.sock
MYSQL_PORT 0
MYSQL_OPT 0
MYSQL_USERNAME mail
MYSQL_PASSWORD [OBSCURED]
MYSQL_DATABASE mail
MYSQL_USER_TABLE mailbox
MYSQL_CRYPT_PWFIELD password
MYSQL_UID_FIELD uid
MYSQL_GID_FIELD gid
MYSQL_LOGIN_FIELD pobox
MYSQL_HOME_FIELD homedir
MYSQL_MAILDIR_FIELD CONCAT(homedir,'/',maildir,'/')
MYSQL_QUOTA_FIELD quota
MYSQL_NAME_FIELD name

After that is set, Postfix’s main.cf must have SASL enabled with smtpd_sasl_auth_enable = yes. Next, the following smtpd.conf must be placed in /usr/local/etc/sasl2:

/usr/local/etc/sasl2/smtpd.conf

pwcheck_method: authdaemond
log_level: 3
mech_list: PLAIN LOGIN
authdaemond_path: /var/run/authdaemond/socket

auxprop_plugin: mysql
sql_select: select password from users where email = '%u@%r'

Now, here’s the stupid part. See those last two lines, auxprop_plugin: mysql and sql_select: select...? They don’t do anything, and that SELECT statement won’t even return anything useful on my db. Without them there SMTP AUTH works great. However, if you don’t have those lines there, Postfix will regularly complain loudly with errors such as these:

Sep 4 21:30:02 banstyle postfix/smtpd[47677]: sql_select option missing
Sep 4 21:30:02 banstyle postfix/smtpd[47677]: auxpropfunc error no mechanism available

Please note that with authdaemond, CRAM-MD5 and DIGEST-MD5 authentication mechanisms won’t work. (These would normally be set with mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5.) If enabled they will appear available but won’t work.

One final thing… Want to know how to be sure that the server is notifying clients that it supports authentication? Just simply telnet to port 25 on your mail server and type in EHLO domain.com. The AUTH LOGIN PLAIN and AUTH=LOGIN PLAIN lines show you that plain-text authentication is now available:

c0nsumer@banstyle:~> telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 banstyle.nuxx.net ESMTP Postfix
EHLO nuxx.net
250-banstyle.nuxx.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
QUIT
221 2.0.0 Bye
Connection closed by foreign host.

2 Comments

Tomorrow I will begin the move away from Waveform Technology to Clear Rate Communications. Within the last six months I have been having a number of weird problems (to be detailed at a later time) with Waveform, prompting the move to a new provider. At the same time I’ll be moving to a much faster box, banstyle.nuxx.net. Provided everything goes as planned I’ll be moved over to the new box by the end of next week.

This means that, during the move, all of you who I host stuff for will be down for a little while. If there are any problems, just get a hold of me and we’ll sort it out.

Leave a Comment

I’ve just disabled Postgrey on nuxx.net to see how things go without it. I’d like to work on more aggressively filtering spam, particularly after conversations with some other individuals about how greylisting isn’t a proper / scalable solution.

Worst case I’ll just turn it back on, but ideally I’d like to simply get filtering working even better.

Leave a Comment

You all know those shiny download tools which open loads of connections on a file to try and get it quicker? Those are crappy and put lots of unneeded load on servers. Here’s an example:

I host this simple page for a friend of mine in the UK for when he needs US-based hosting or some place high speed to distribute files from. As part of this he hosts the animations found on this page, which overall aren’t very big. However, someone in Thailand (125.24.191.195) is deciding to get them as quickly as possible using some stupid download tool.

What I see is that the workload on the httpd is at ~277, up from it’s typical of 2 or 3. netstat shows lots and lots and lots of connections (currently 276) from that box, all of them established.

The http log currently shows 9291 these:

125.24.191.195 rowla.dyndns.org - [11/Jun/2008:16:58:34 -0400] "GET /justin/img/piston_std4.mpg HTTP/1.1" 200 32768 "http://www.wis.co.uk/justin/deltic-engine.html" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"

Load on the box itself is .23, which is tolerable, so I’ll probably let this continue. If it’s still going at midnight I’ll take some action, but for now it’s just a bit of irritation. Yes, I know I could limit connections on a per-IP basis, but I prefer not to do this unless it’s actually a problem. If I do need to block that IP, I’ll probably just fail to return anything on that vhost to that netblock. Hopefully they’ll finish getting their file sooner than that.

If you’d like to see it, here’s the current netstat: netstat_11jun2008_1.txt
Here’s a capture of a minute or so of 45 seconds of traffic with that address. Note that each GET results in a whole conversation of only 10k or so: 11jun2008_weird_1.cap.gz

Leave a Comment

Thanks to everyone who wished me a happy birthday today. You all made me smile lots. (Yes, I do share a birthday with Karl Marx, and yes, I am now 30.)

I received the SiI3124-based disk controller mentioned earlier, but it didn’t wish me a happy birthday. In fact, it just didn’t work as I hoped. For some reason its on-board option ROM isn’t starting up when the rest of the computer does, so it’s not initializing the disks and making the main BIOS aware of their existence. This prevents me from booting off of them. FreeBSD can talk to the disks on it just fine, but without the BIOS it’s not useful to me.

When I tried the card in my MAME cabinet and it works fine there, so I think something like the following is occurring: The on-board SATA / RAID controller is a SiI3114, and when I disable this via the BIOS, perhaps this somehow disables the SiI3124? Or, perhaps when the controller is enabled, the option ROM from one is interfering with the other? After all, the SiI3114 BIOS still loads and displays. I did also try changing the PCI enumeration order and tried the cards in other PCI-X slots and the lone PCI slot, and none of that produced positive results. The SiI3114 always enumerates first (or not at all?).

As a test I put a classic Adaptec AHA-2940UW (can you believe this card is more than 10 years old at this point?) card in the box and its option ROM displayed just fine. So, the motherboard seems to handle disk controllers in slots, just not this one.

Instead of the SiI3124-based card I really would like a 3ware 9550SXU-4LP, but its $319.99 price tag is a bit hard to stomach. Maybe I’ll just return the card and stick with the onboard controller and software RAID.

Oh, and if you want to see them, there are more photos of the Koutech PSA421 in banstyle.nuxx.net here on page 3 of my gallery.

4 Comments