saslfinger-1.0.3/

saslfinger-1.0.3/ChangeLog

2008-10-04 09:02  p

    * saslfinger: Added /usr/pkg/lib/sasl2 as SASL config path

2007-01-29 23:29  p

    * install.sh: Fixed sha-bang in file

2005-11-28 22:55  p

    * saslfinger: Added Gentoo paths contributed by Tuan Van

2005-01-10 23:10  p

    * HISTORY, INSTALL, TODO, index.html, install.sh, saslfinger,
      saslfinger.1, saslfinger.1.xml: Added properties to all files,
      changed source paths for install script

2005-01-10 23:04  p

    * man, saslfinger, saslfinger.1, saslfinger.1.xml, script: Moved
      saslfinger.1.xml saslfinger.1 and saslfinger to top dir

2005-01-10 23:02  p

    * html, index.html: Moved index.html to top dir.

2005-01-10 22:13  p

    * CHANGES, HISTORY, script/saslfinger: Moved telnet test to the end
      of the script until I've found a solution to stop the script from
      stopping if the telnet test fails

2005-01-10 21:50  p

    * branches, tags, trunk: Removed stupid SVN default files

2005-01-10 21:49  p

    * script/saslfinger: fighting the telnet test...

2004-11-22 14:35  p

    * script/saslfinger: Added /etc/slackware-version as system
      descriptor to look for

2004-11-03 08:53  p

    * html/index.html: update for 0.9.8 downloads

2004-11-03 08:53  p

    * CHANGES: update of changes

2004-11-03 08:52  p

    * script/saslfinger:
      + Added netcat as alternative for the unstable telnet based SMTP
        test routine
      + Fixed "command not found" message when nc or netcat are not
        present
      + Fixed a typo in the routine that replaces sql_passwd entries
        with blanks; it used to grep for sql_pass, but not sql_passwd.

2004-11-02 19:33  p

    * CHANGES: Update of changes

2004-11-02 19:32  p

    * script/saslfinger: Fixed a misleading message when smtpd.conf is
      missing.

2004-10-29 10:21  p

    * CHANGES, TODO: Update for release 0.9.6

2004-10-29 10:20  p

    * script/saslfinger: Added nc as alternative for the instable telnet
      test

2004-10-28 14:57  p

    * script/saslfinger: Added support for FreeBSD
      Fixed a typo in the client debug section

2004-10-28 14:56  p

    * CHANGES, TODO: Created a Changelog and a todo list

2004-10-07 07:58  p

    * script/saslfinger: Added path for SASL on NetBSD
      Added search parameters for TLS configuration

2004-09-15 00:17  p

    * INSTALL: Another change...

2004-09-15 00:15  p

    * INSTALL: Just to test the mail script...

2004-09-14 23:58  p

    * INSTALL, html, html/index.html, install.sh, man,
      man/saslfinger.1, man/saslfinger.1.xml, script,
      script/saslfinger: Initial import

2004-09-14 20:36  root

    * branches, tags, trunk: Initial repository layout

saslfinger-1.0.3/INSTALL

# $Id: INSTALL 21 2005-01-10 23:10:54Z p $

Run ./install.sh to install saslfinger and its man page.

Read "man 1 saslfinger", choose the mode, and type "saslfinger" to start collecting data.

saslfinger-1.0.3/TODO

# $Id: TODO 21 2005-01-10 23:10:54Z p $

TODO list for saslfinger

+ SASL pwcheck_method debugging
  Add routines to identify the chosen pwcheck_method and run debug tests on them
  e.g. "saslauthd -a foo -d"

saslfinger-1.0.3/index.html

saslfinger - debugging SMTP AUTH in Postfix

saslfinger

saslfinger is a bash utility script that helps you debug your SMTP AUTH setup. It gathers various information about Cyrus SASL and Postfix from your system and sends it to stdout.

Requirements

saslfinger has been tested with bash version 2.04 or greater on the following platforms:

Usage

You must run saslfinger with one of the following options:

-c

If you run saslfinger with the option -c it will collect data required for client-side SMTP AUTH. Client-side SMTP AUTH is when the Postfix smtp daemon uses SMTP AUTH to authenticate itself with a remote mail server that offers SMTP AUTH.

saslfinger will try to telnet to all hosts listed in smtp_sasl_password_maps, provided it can read smtp_sasl_password_maps.

The telnet test verifies that your host is able to reach the remote servers and shows which AUTH mechanisms they offer. In some cases this is required to debug client-side SMTP AUTH.

Important: By default smtp_sasl_password_maps must be readable only by root, since these maps contain the usernames and passwords used to authenticate. If you run saslfinger as root, access will be no problem, but saslfinger will fail if you lack the permissions to access smtp_sasl_password_maps.

If you want to run the telnet test but don't want to run saslfinger as root, change the permissions of smtp_sasl_password_maps so that the user running saslfinger may access it while you debug.

Note: You don't need to worry about saslfinger doing anything with the username or password stored next to the remote hosts in your smtp_sasl_password_maps; saslfinger completely ignores this information!

-h

If you run saslfinger with the option -h it will print a little help message that tells you about the options you can use.

-s

If you run saslfinger with the option -s it will collect data required for server-side SMTP AUTH. Server-side SMTP AUTH is when the Postfix smtpd daemon offers SMTP AUTH to mail clients.
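
The -c notes above depend on two things: the password map is not accessible to group or others, and only its first column (the remote host) is ever used. The following is an added example, not part of saslfinger, that checks both on a constructed map file; the function names and the sample hosts and credentials are assumptions made for illustration.

```bash
#!/bin/bash
# Added example, not part of saslfinger. Function names are hypothetical.

# map_is_private FILE
# Succeeds only if group and others have no permission bits on FILE,
# which is what a file holding SMTP AUTH credentials should look like.
map_is_private () {
    # "ls -ld" prints e.g. "-rw-------"; columns 5-10 are group/other bits.
    [ "$(ls -ld -- "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# map_hosts FILE
# Prints only the lookup keys (first column) of a password map, skipping
# blank lines and comments. The credential column is never emitted.
# Keys written as "[host]", "[host]:port" or "host:port" become "host".
map_hosts () {
    awk 'NF && $1 !~ /^#/ {
        key = $1
        if (sub(/^\[/, "", key)) sub(/\](:[0-9]+)?$/, "", key)
        else sub(/:[0-9]+$/, "", key)
        print key
    }' "$1"
}

# write_sample_map FILE
# Writes a constructed map; hosts, users and passwords are made up.
write_sample_map () {
    cat > "$1" <<'EOF'
# remote relays that require SMTP AUTH
[mail.example.com]:587   alice:s3cret-one
relay.example.net        bob:s3cret-two

smtp.example.org:2525    carol:s3cret-three
EOF
}

sample=$(mktemp)
write_sample_map "$sample"
chmod 600 "$sample"
if map_is_private "$sample"; then
    echo "mode ok: no access for group or others"
else
    echo "WARNING: $sample is accessible to group or others"
fi
map_hosts "$sample"
rm -f "$sample"
```

Running map_is_private again after a debugging session confirms that a temporarily relaxed mode has been put back.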

Patrick Koetter, patrick.koetter@state-of-mind.de
saslfinger-1.0.3/install.sh

#!/bin/bash

scriptname="saslfinger"
man_paths=(/usr/share/man)

# verify_man_page ()
# Check if the man page for this script has been installed and install it
# if it isn't there.
verify_man_page () {
    for man_path in ${man_paths[@]}
    do
        local man_source="${scriptname}.1"
        local man_dest="${man_path}/man1/${scriptname}.1"
        if ! [[ -e ${man_dest} ]]; then
            echo "Installing man page..."
            cp ${man_source} ${man_dest}
        elif [[ ${man_dest} -ot ${man_source} ]]; then
            echo "Updating ${scriptname} man page..."
            cp ${man_source} ${man_dest}
        else
            echo "${scriptname} man page is up to date. Nothing to do."
        fi
    done
}

# verify_script ()
# Install the script into /usr/bin, or update it if the installed copy is older.
verify_script () {
    local source_dir="${scriptname}"
    local install_dir="/usr/bin/${scriptname}"
    if ! [[ -e ${install_dir} ]]; then
        echo "Installing ${scriptname}..."
        cp ${source_dir} ${install_dir}
        chmod 755 ${install_dir}
    elif [[ ${install_dir} -ot ${source_dir} ]]; then
        echo "Updating ${scriptname}..."
        cp -p -f ${source_dir} ${install_dir}
        chmod 755 ${install_dir}
    else
        echo "${scriptname} is up to date. Nothing to do."
    fi
}

verify_script
verify_man_page

exit 0

saslfinger-1.0.3/saslfinger

#!/bin/bash
#
# Name:
# saslfinger
#
# Drafted by Ralf Hildebrandt
# written by Patrick Koetter
# Initial release: August, 13th 2004 - a Friday... ;)

#####################################################################
# VARIABLES                                                         #
#####################################################################
# set -e
scriptname="${0##*/}"
scriptversion=1.0.2
declare -a sasl_dirs valid_sasl_lib_names
sasl_dirs=(/usr/lib/sasl \
    /usr/lib64/sasl2 \
    /var/lib/sasl \
    /opt/lib/sasl \
    /usr/lib/sasl2 \
    /var/lib/sasl2 \
    /opt/lib/sasl2 \
    /usr/local/lib/sasl2 \
    /etc/sasl2 \
    /etc/cyrus-sasl \
    /usr/pkg/lib \
    /usr/pkg/lib/sasl2)
sasl_libs=(libsasl.so libsasl2.so)

#####################################################################
# COMMANDS AND FUNCTIONS                                            #
#####################################################################
export PATH="/bin:/sbin:/usr/bin:/usr/sbin:$PATH"

function start () {
    echo "${scriptname} - postfix Cyrus sasl configuration $(date)"
    echo "version: ${scriptversion}"
    echo "mode: ${mode} SMTP AUTH"
}

function end () {
    echo "-- end of ${scriptname} output --"
}

function postconf_get () { postconf -h ${1}; }

# Strip the map type prefix (e.g. "hash:") to get the path of the map file.
function get_saslpasswd () { postconf -h smtp_sasl_password_maps | sed -e s/^.*://; }

function get_mail_version () {
    declare -a systems
    local systems=("/etc/redhat-release" "/etc/fedora-release" "/etc/slackware-version" "/etc/gentoo-release" "/etc/issue" "/etc/motd")
    echo "-- basics --"
    echo "Postfix: $(postconf_get mail_version)"
    for system in ${systems[@]}; do
        if [[ -e ${system} ]]; then
            echo "System: $(cat ${system})"
            break
        else
            continue
        fi
    done
}

function get_sasl_dirs () {
    local i=0
    local sasldir=""
    for sasldir in ${sasl_dirs[@]}; do
        if [ -d ${sasldir} ]; then
            valid_sasldirs[$i]=${sasldir}
            let "i = $i + 1"
        fi
    done
    if ! [[ ${valid_sasldirs[@]} ]]; then
        echo -e "\aCould not find any valid Cyrus SASL directories."
        echo "Cyrus SASL is required to setup SMTP AUTH!"
        exit 72
    fi
}

function get_sasl_support () {
    local sasllib=""
    echo "-- $1 is linked to --"
    for sasllib in ${sasl_libs[@]}; do
        local ldd_res="$(ldd "$(postconf_get daemon_directory)/${1}" | egrep -e "${sasllib}" 2>/dev/null)"
        if [ -n "${ldd_res}" ]; then
            echo "${ldd_res}"
        fi
    done
}

function get_smtp_dialogue () {
    echo "-- mechanisms on ${1} --"
    # printf is used so that \r\n is sent as a real CRLF; bash's echo
    # without -e would send the backslash sequences literally.
    if printf 'EHLO %s\r\nQUIT\r\n' "$HOSTNAME" | nc -w 1 -v ${1} 25 2>/dev/null | egrep "AUTH" 2>/dev/null; then
        echo
    elif printf 'EHLO %s\r\nQUIT\r\n' "$HOSTNAME" | netcat -w 1 -v ${1} 25 2>/dev/null | egrep "AUTH" 2>/dev/null; then
        echo
    else
        (echo "EHLO $HOSTNAME"; sleep 2) | telnet ${1} 25 2>/dev/null | egrep "(AUTH)"
    fi
}

function get_maincf () {
    if test ${1} = "smtpd"; then
        local authparams="(^smtpd_sasl_*|broken_sasl_auth_clients|^smtpd_use_tls|^smtpd_tls_*)"
    elif test ${1} = "smtp"; then
        local authparams="(^smtp_sasl_*|^relayhost|^smtp_use_tls|^smtp_tls_*)"
    fi
    for daemon in ${1}; do
        echo "-- active SMTP AUTH and TLS parameters for ${1} --"
        # The pattern is quoted so the shell cannot glob-expand it.
        if postconf -n | egrep -i "${authparams}" 2> /dev/null; then
            continue
        else
            echo -e "\aNo active SMTP AUTH and TLS parameters for ${1} in main.cf!"
            echo "SMTP AUTH can't work!"
            exit 72
        fi
    done
}

function get_sasl_apps () {
    active_services[0]=""
    if [[ $(egrep -v "^#.*smtpd_sasl_application_name" $(postconf_get config_directory)/master.cf |\
        egrep "^.*smtpd_sasl_application_name" 2>/dev/null) ]]; then
        active_services=$(egrep -v "^#.*smtpd_sasl_application_name" $(postconf_get config_directory)/master.cf |\
            egrep "^.*smtpd_sasl_application_name" | sed 's/.*-o smtpd_sasl_application_name=//g' | awk '{print $1}')
    else
        active_services[0]="smtpd"
    fi
}

function get_service_config () {
    # Add /etc/postfix/sasl to valid_sasldirs for Debian users.
    sasl_dirs[100]="/etc/postfix/sasl"
    local o=1
    local sasldir=""
    local service=""
    for sasldir in ${sasl_dirs[@]}; do
        local i=1
        for service in ${active_services[@]}; do
            if [ -e ${sasldir}/${service}.conf ]; then
                valid_services[$i$o]=${sasldir}/${service}.conf
                let "i = $i + 1"
            elif ! [ -e ${sasldir}/${service}.conf ]; then
                continue
            fi
        done
        let "o+=1"
    done
    if ! [[ ${valid_services[@]} ]]; then
        echo; echo -e "\aThere is no smtpd.conf that defines what SASL should do for Postfix."
        echo "SMTP AUTH can't work!"; echo
        exit 72
    fi
}

function list_service_configs () {
    local smtpdconf=""
    for smtpdconf in ${valid_services[@]}; do
        echo "-- content of ${smtpdconf} --"
        # Blank out LDAP and SQL credentials before the config is printed.
        cat ${smtpdconf} | sed -e 's/.*ldapdb_id.*/ldapdb_id: --- replaced ---/;s/.*sql_user:.*/sql_user: --- replaced ---/g;'\
            -e 's/.*ldapdb_pw:.*/ldapdb_pw: --- replaced ---/g;s/.*sql_passwd:.*/sql_passwd: --- replaced ---/g'
        echo
    done
}

function list_sasl_dirs () {
    local sasldir=""
    for sasldir in ${valid_sasldirs[@]}; do
        echo "-- listing of ${sasldir} --"; ls -alL ${sasldir}; echo
    done
}

function get_mastercf () {
    echo "-- active services in $(postconf_get config_directory)/master.cf --"
    echo "$(egrep "(^# service type|\(yes\))" $(postconf_get config_directory)/master.cf)"
    echo "$(cat $(postconf_get config_directory)/master.cf | egrep -v "^#")"
}

function check_saslpasswd () {
    saslpasswd=$(postconf_get smtp_sasl_password_maps | sed -e s/^.*://)
    if ! [ $(get_saslpasswd) ]; then
        echo -e "\aCannot find the smtp_sasl_password_maps parameter in main.cf."
        echo "Client-side SMTP AUTH cannot work without this parameter!"
        exit 78
    elif [ -e $(get_saslpasswd) ]; then
        echo "-- permissions for $(get_saslpasswd) --"; echo "`ls -al ${saslpasswd}`"; echo
        if [ -e $(get_saslpasswd).db ]; then
            echo "-- permissions for $(get_saslpasswd).db --"; echo "`ls -al ${saslpasswd}.db`"; echo
            if [ $(get_saslpasswd) -nt $(get_saslpasswd).db ]; then
                echo -e "\a$(get_saslpasswd).db is older than $(get_saslpasswd)!"
                echo "Run the following command as root to sync $(get_saslpasswd).db:"
                echo; echo -e "\tpostmap `postconf -h smtp_sasl_password_maps`"; echo
                exit 65
            else
                echo "$(get_saslpasswd).db is up to date."
            fi
        else
            echo; echo -e "\aThere is no $(get_saslpasswd).db!"
            exit 78
        fi
    elif ! [ -e $(get_saslpasswd) ]; then
        echo; echo -e "\aYou have set smtp_sasl_password_maps = ${saslpasswd}"
        echo "in main.cf, but $(get_saslpasswd) does not seem to be there."
        echo "Please check and run ${scriptname} again."
        exit 78
    fi
}

function get_smtp_dialogue_wrapper () {
    local host=""
    if [ -r $(get_saslpasswd) ]; then
        # Only the first column (the remote host) of the map is read.
        for host in $(awk '!/^#/ {print $1}' ${saslpasswd}); do
            get_smtp_dialogue ${host}; echo
        done
    elif ! [ -r $(get_saslpasswd) ]; then
        echo -e "\aYou don't have the correct permissions to read $(get_saslpasswd)."
        echo "The telnet test, which gets the AUTH mechanisms offered by your remote"
        echo "MTA(s), requires reading this file. Become either root to access"
        echo "$(get_saslpasswd), or allow your current user, ${USER}, to read it."; echo
        exit 0
    fi
}

function server () {
    mode="server-side"
    start; echo
    get_mail_version; echo
    get_sasl_support smtpd; echo
    get_maincf smtpd; echo
    get_sasl_dirs; echo
    list_sasl_dirs; echo
    get_sasl_apps; echo
    get_service_config; echo
    list_service_configs; echo
    get_mastercf; echo
    get_smtp_dialogue localhost; echo
    end; echo
    exit 0
}

function client () {
    mode="client-side"
    start; echo
    get_mail_version; echo
    get_sasl_support smtp; echo
    get_maincf smtp; echo
    get_sasl_dirs; echo
    list_sasl_dirs; echo
    check_saslpasswd; echo
    get_mastercf; echo
    get_smtp_dialogue_wrapper; echo
    end; echo
    exit 0
}

function usage () {
    echo; echo "saslfinger -s"; echo -e "\tCheck server-side SMTP AUTH configuration"
    echo; echo "saslfinger -c"; echo -e "\tCheck client-side SMTP AUTH configuration"
    echo; echo "saslfinger -h"; echo -e "\tPrint this message."
    echo; echo "Read man (1) saslfinger for a detailed discussion on what"; echo "${scriptname} may do for you."
    echo; exit 0
}

no_args=0
if [ ${#} -eq ${no_args} ]; then
    echo; echo -e "\aUsage: `basename ${0}` [-chs]"
    echo "Use \"`basename ${0}` -h\" to find out what the options mean."
    echo; exit 65
fi

while getopts "chs" option; do
    case ${option} in
        c ) client;;
        s ) server;;
        h ) usage;;
    esac
done
shift $(($OPTIND - 1))

exit 0

saslfinger-1.0.3/saslfinger.1

.TH saslfinger 1 User Manuals
.SH NAME
saslfinger \- A utility to collect SMTP AUTH relevant configuration for Postfix
.SH SYNOPSIS
\fBsaslfinger [-chs] \f1
.SH DESCRIPTION
saslfinger is a utility to collect SMTP AUTH relevant configuration for Postfix. Depending on how you run it, it will search for information on server-side or client-side SMTP AUTH configuration settings in Postfix and Cyrus SASL.
.SH OPTIONS
.TP
\fB-c\f1
If you run saslfinger with the option \fB-c\f1 it will collect data required for client-side SMTP AUTH. Client-side SMTP AUTH is when the Postfix smtp daemon uses SMTP AUTH to authenticate itself with a remote mail server that offers SMTP AUTH.

saslfinger will try to telnet to all hosts listed in smtp_sasl_password_maps, provided it can read smtp_sasl_password_maps.

The telnet test verifies that your host is able to reach the remote servers and shows which AUTH mechanisms they offer. In some cases this is required to debug client-side SMTP AUTH.

Important: By default smtp_sasl_password_maps must be readable only by root, since these maps contain the usernames and passwords used to authenticate. If you run saslfinger as root, access will be no problem, but saslfinger will fail if you lack the permissions to access smtp_sasl_password_maps.

If you want to run the telnet test but don't want to run saslfinger as root, change the permissions of smtp_sasl_password_maps so that the user running saslfinger may access it while you debug.

Note: You don't need to worry about saslfinger doing anything with the username or password stored next to the remote hosts in your smtp_sasl_password_maps; saslfinger completely ignores this information!
.TP
\fB-h\f1
If you run saslfinger with the option \fB-h\f1 it will print a little help message that tells you about the options you can use.
.TP
\fB-s\f1
If you run saslfinger with the option \fB-s\f1 it will collect data required for server-side SMTP AUTH. Server-side SMTP AUTH is when the Postfix smtpd daemon offers SMTP AUTH to mail clients.
.SH FILES
\fIsaslfinger\f1 - the script you need to run.

\fIsaslfinger.1\f1 - the man page you are currently reading.
.SH AUTHOR
Patrick Koetter, , \fBhttp://www.state-of-mind.de\f1

You will find the newest version of saslfinger at \fBhttp://postfix.state-of-mind.de/patrick.koetter/saslfinger/\f1.
.SH BUGS
Please report bugs to

saslfinger-1.0.3/saslfinger.1.xml

saslfinger [-chs]

saslfinger is a utility to collect SMTP AUTH relevant configuration for Postfix. Depending on how you run it, it will search for information on server-side or client-side SMTP AUTH configuration settings in Postfix and Cyrus SASL.

saslfinger - the script you need to run.

saslfinger.1 - the man page you are currently reading.

Patrick Koetter, <patrick.koetter@state-of-mind.de>,

You will find the newest version of saslfinger at .

Please report bugs to <patrick.koetter@state-of-mind.de>