1

Topic: logwatch Connections (secure-log)

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.7
- Linux/BSD distribution name and version: Debian 8.9 (3.16.43-2+deb8u5 (2017-09-19) x86_64 GNU/Linux)
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? no, with iRedAdmin
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
Hi.
Recently, in the daily message to the postmaster mailbox from the logwatch service, I see the following problem:
--------------------- Connections (secure-log) Begin ------------------------


**Unmatched Entries**
    postfix/smtp: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb: 244 Time(s)
    postfix/smtp: ldapdb_canonuser_plug_init() failed in sasl_canonuser_add_plugin(): invalid parameter supplied: 244 Time(s)
    slapcat: DIGEST-MD5 common mech free: 1 Time(s)
    slapcat: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb: 1 Time(s)
    slapcat: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb: 1 Time(s)
    slapcat: auxpropfunc error invalid parameter supplied: 1 Time(s)
    slapcat: ldapdb_canonuser_plug_init() failed in sasl_canonuser_add_plugin(): invalid parameter supplied: 1 Time(s)
    slapd: DIGEST-MD5 common mech free: 1 Time(s)
    slapd: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb: 1 Time(s)
    slapd: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb: 1 Time(s)
    slapd: auxpropfunc error invalid parameter supplied: 1 Time(s)
    slapd: ldapdb_canonuser_plug_init() failed in sasl_canonuser_add_plugin(): invalid parameter supplied: 1 Time(s)

---------------------- Connections (secure-log) End -------------------------

What does this mean and how do I get rid of it?


2

Re: logwatch Connections (secure-log)

You have to check log files (/var/log/*) to figure out why OpenLDAP (slapd) throws these errors.

3

Re: logwatch Connections (secure-log)

ZhangHuangbin wrote:

You have to check log files (/var/log/*) to figure out why OpenLDAP (slapd) throws these errors.

These errors occur only in /var/log/auth.log

# tail -f auth.log
Dec 26 10:01:01 server CRON[9484]: pam_unix(cron:session): session closed for user root
Dec 26 10:01:01 server CRON[9485]: pam_unix(cron:session): session closed for user root
Dec 26 10:01:02 server CRON[9487]: pam_unix(cron:session): session closed for user root
Dec 26 10:01:03 server CRON[9486]: pam_unix(cron:session): session closed for user root
Dec 26 10:01:50 server sshd[9591]: Connection closed by 192.168.3.8 [preauth]
Dec 26 10:02:10 server postfix/smtp[9596]: ldapdb_canonuser_plug_init() failed in sasl_canonuser_add_plugin(): invalid parameter supplied
Dec 26 10:02:10 server postfix/smtp[9596]: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
Dec 26 10:02:26 server postfix/smtp[9609]: ldapdb_canonuser_plug_init() failed in sasl_canonuser_add_plugin(): invalid parameter supplied
Dec 26 10:02:26 server postfix/smtp[9609]: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
Dec 26 10:02:50 server sshd[9699]: Connection closed by 192.168.3.8 [preauth]
Dec 26 10:03:50 server sshd[9854]: Connection closed by 192.168.3.8 [preauth]
Dec 26 10:04:33 server postfix/smtp[9870]: ldapdb_canonuser_plug_init() failed in sasl_canonuser_add_plugin(): invalid parameter supplied
Dec 26 10:04:33 server postfix/smtp[9870]: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
Dec 26 10:04:36 server postfix/smtp[9893]: ldapdb_canonuser_plug_init() failed in sasl_canonuser_add_plugin(): invalid parameter supplied
Dec 26 10:04:36 server postfix/smtp[9893]: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
Dec 26 10:04:50 server sshd[9955]: Connection closed by 192.168.3.8 [preauth]
Dec 26 10:05:01 server CRON[9957]: pam_unix(cron:session): session opened for user sogo by (uid=0)
Dec 26 10:05:02 server CRON[9957]: pam_unix(cron:session): session closed for user sogo
Dec 26 10:05:50 server sshd[10059]: Connection closed by 192.168.3.8 [preauth]
Dec 26 10:06:50 server sshd[10156]: Connection closed by 192.168.3.8 [preauth]
Dec 26 10:07:50 server sshd[10263]: Connection closed by 192.168.3.8 [preauth]
Dec 26 10:08:50 server sshd[10429]: Connection closed by 192.168.3.8 [preauth]
Dec 26 10:09:01 server CRON[10431]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 26 10:09:01 server CRON[10431]: pam_unix(cron:session): session closed for user root
Dec 26 10:09:50 server sshd[10566]: Connection closed by 192.168.3.8 [preauth]
Dec 26 10:10:01 server CRON[10568]: pam_unix(cron:session): session opened for user www-data by (uid=0)
Dec 26 10:10:01 server CRON[10569]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 26 10:10:01 server CRON[10570]: pam_unix(cron:session): session opened for user sogo by (uid=0)
Dec 26 10:10:01 server CRON[10569]: pam_unix(cron:session): session closed for user root
Dec 26 10:10:01 server CRON[10570]: pam_unix(cron:session): session closed for user sogo
Dec 26 10:10:03 server CRON[10568]: pam_unix(cron:session): session closed for user www-data
Dec 26 10:10:50 server sshd[10687]: Connection closed by 192.168.3.8 [preauth]
Dec 26 10:11:50 server sshd[10786]: Connection closed by 192.168.3.8 [preauth]
Dec 26 10:12:50 server sshd[10880]: Connection closed by 192.168.3.8 [preauth]
Dec 26 10:13:50 server sshd[11037]: Connection closed by 192.168.3.8 [preauth]
Dec 26 10:14:35 server postfix/smtp[11060]: ldapdb_canonuser_plug_init() failed in sasl_canonuser_add_plugin(): invalid parameter supplied
Dec 26 10:14:35 server postfix/smtp[11060]: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
Dec 26 10:14:50 server sshd[11139]: Connection closed by 192.168.3.8 [preauth]
Dec 26 10:15:01 server CRON[11143]: pam_unix(cron:session): session opened for user sogo by (uid=0)
Dec 26 10:15:02 server CRON[11143]: pam_unix(cron:session): session closed for user sogo
Dec 26 10:15:39 server postfix/smtp[11198]: ldapdb_canonuser_plug_init() failed in sasl_canonuser_add_plugin(): invalid parameter supplied
Dec 26 10:15:39 server postfix/smtp[11198]: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
Dec 26 10:15:50 server sshd[11246]: Connection closed by 192.168.3.8 [preauth]
Dec 26 10:16:29 server postfix/smtp[11258]: ldapdb_canonuser_plug_init() failed in sasl_canonuser_add_plugin(): invalid parameter supplied
Dec 26 10:16:29 server postfix/smtp[11258]: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
Dec 26 10:16:50 server sshd[11343]: Connection closed by 192.168.3.8 [preauth]
Dec 26 10:17:01 server CRON[11345]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 26 10:17:01 server CRON[11345]: pam_unix(cron:session): session closed for user root

How can I determine the cause?
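
An added example, not part of the original thread: a Python script that tallies the SASL plugin-load messages in an auth.log excerpt per emitting program, the way the logwatch "Unmatched Entries" section counts them, so it is clear which daemon produces the bulk of the noise. The function names and marker list are assumptions made for this example; the sample lines follow the format of the excerpt above, and the slapd line is constructed.

```python
import re
from collections import Counter

# Classic syslog line: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?:\s(?P<msg>.*)$"
)
# Substrings marking the Cyrus SASL plugin messages seen in this thread
# (an assumed list, chosen for this example).
SASL_MARKERS = ("_sasl_plugin_load", "sasl_canonuser", "auxpropfunc", "ldapdb")

def summarize_sasl_errors(lines):
    """Count SASL plugin messages per (program, message); PIDs are ignored."""
    counts = Counter()
    for line in lines:
        m = SYSLOG_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not a syslog-format line
        if any(marker in m["msg"] for marker in SASL_MARKERS):
            counts[(m["prog"], m["msg"])] += 1
    return counts

def affected_programs(counts):
    """Total number of matching messages per emitting program."""
    total = Counter()
    for (prog, _msg), n in counts.items():
        total[prog] += n
    return dict(total)

def logwatch_style(counts):
    """Render the counts like logwatch's 'Unmatched Entries' lines."""
    return [f"{p}: {msg}: {n} Time(s)" for (p, msg), n in sorted(counts.items())]

# Sample input in the format of the auth.log excerpt; slapd line is constructed.
SAMPLE = """\
Dec 26 10:00:01 server slapd[1201]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
Dec 26 10:01:01 server CRON[9484]: pam_unix(cron:session): session closed for user root
Dec 26 10:01:50 server sshd[9591]: Connection closed by 192.168.3.8 [preauth]
Dec 26 10:02:10 server postfix/smtp[9596]: ldapdb_canonuser_plug_init() failed in sasl_canonuser_add_plugin(): invalid parameter supplied
Dec 26 10:02:10 server postfix/smtp[9596]: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
Dec 26 10:02:26 server postfix/smtp[9609]: ldapdb_canonuser_plug_init() failed in sasl_canonuser_add_plugin(): invalid parameter supplied
Dec 26 10:02:26 server postfix/smtp[9609]: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
""".splitlines()

if __name__ == "__main__":
    result = summarize_sasl_errors(SAMPLE)
    print("\n".join(logwatch_style(result)))
    print(affected_programs(result))
```

To run it against a real log, pass an open file instead of the sample, for example `summarize_sasl_errors(open("/var/log/auth.log"))`.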

4

Re: logwatch Connections (secure-log)

No idea, seems your Postfix is configured to use 'cyrus' as SASL authentication source. Please show us output of command "postconf -n" for troubleshooting.

5

Re: logwatch Connections (secure-log)

# postconf -n
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_min_user = no
allow_percent_hack = no
append_dot_mydomain = no
biff = no
body_checks = pcre:/etc/postfix/body_checks.pcre
bounce_queue_lifetime = 4h
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
delay_warning_time = 4h
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
enable_original_recipient = no
header_checks = pcre:/etc/postfix/header_checks.prce
inet_interfaces = all
inet_protocols = ipv4
lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3
lmtp_tls_protocols = !SSLv2 !SSLv3
mailbox_size_limit = 0
maximal_backoff_time = 4000s
maximal_queue_lifetime = 4h
message_size_limit = 100000000
minimal_backoff_time = 300s
mydestination = $myhostname, localhost, localhost.localdomain
mydomain = server.corp.domain.com
myhostname = server.corp.domain.com
mynetworks = 192.168.0.0/16,127.0.0.1
mynetworks_style = host
myorigin = server.corp.domain.com
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions $sender_dependent_relayhost_maps
queue_run_delay = 300s
readme_directory = no
recipient_bcc_maps = proxy:ldap:/etc/postfix/ldap/recipient_bcc_maps_user.cf, proxy:ldap:/etc/postfix/ldap/recipient_bcc_maps_domain.cf
recipient_delimiter = +
relay_domains = $mydestination, proxy:ldap:/etc/postfix/ldap/relay_domains.cf
relayhost = [smtp.timeweb.ru]:25
sender_bcc_maps = proxy:ldap:/etc/postfix/ldap/sender_bcc_maps_user.cf, proxy:ldap:/etc/postfix/ldap/sender_bcc_maps_domain.cf
sender_dependent_relayhost_maps = proxy:ldap:/etc/postfix/ldap/sender_dependent_relayhost_maps_domain.cf, proxy:ldap:/etc/postfix/ldap/sender_dependent_relayhost_maps_user.cf
smtp-amavis_destination_recipient_limit = 1
smtp_data_init_timeout = 240s
smtp_data_xfer_timeout = 600s
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_tls_CAfile = $smtpd_tls_CAfile
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_loglevel = 0
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2 !SSLv3
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:7777
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, check_helo_access pcre:/etc/postfix/helo_access.pcre, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname
smtpd_recipient_restrictions = reject_unknown_recipient_domain, reject_non_fqdn_recipient, reject_unlisted_recipient, check_policy_service inet:127.0.0.1:7777, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = domain.com
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:ldap:/etc/postfix/ldap/sender_login_maps.cf
smtpd_sender_restrictions = reject_unknown_sender_domain, reject_non_fqdn_sender, reject_unlisted_sender, permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated, check_sender_access pcre:/etc/postfix/sender_access.pcre
smtpd_tls_CAfile = /etc/letsencrypt/live/server.corp.domain.com/fullchain.pem
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/server.corp.domain.com/fullchain.pem
smtpd_tls_dh1024_param_file = /etc/ssl/dhparams.pem
smtpd_tls_key_file = /etc/letsencrypt/live/server.corp.domain.com/privkey.pem
smtpd_tls_loglevel = 0
smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtpd_tls_protocols = !SSLv2 !SSLv3
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
swap_bangpath = no
tls_random_source = dev:/dev/urandom
transport_maps = proxy:ldap:/etc/postfix/ldap/transport_maps_user.cf, proxy:ldap:/etc/postfix/ldap/transport_maps_domain.cf
virtual_alias_domains =
virtual_alias_maps = proxy:ldap:/etc/postfix/ldap/virtual_alias_maps.cf, proxy:ldap:/etc/postfix/ldap/virtual_group_maps.cf, proxy:ldap:/etc/postfix/ldap/virtual_group_members_maps.cf, proxy:ldap:/etc/postfix/ldap/catchall_maps.cf
virtual_gid_maps = static:2000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:ldap:/etc/postfix/ldap/virtual_mailbox_domains.cf
virtual_mailbox_maps = proxy:ldap:/etc/postfix/ldap/virtual_mailbox_maps.cf
virtual_minimum_uid = 2000
virtual_transport = dovecot
virtual_uid_maps = static:2000

My mail domain is "domain.com" and the FQDN of the server is "server.corp.domain.com".

6

Re: logwatch Connections (secure-log)

Postfix config file seems fine, no idea yet.

Please show us command output:

postconf -a
postconf -m

7

Re: logwatch Connections (secure-log)

# postconf -a
cyrus
dovecot

# postconf -m
btree
cidr
environ
fail
hash
internal
ldap
memcache
nis
pcre
proxy
regexp
sdbm
socketmap
sqlite
static
tcp
texthash
unix

8

Re: logwatch Connections (secure-log)

No idea ...