Weejoker n00b
Joined: 11 Sep 2002 Posts: 69 Location: Scotsman in England
Posted: Fri Nov 05, 2004 9:51 pm Post subject: [SOLVED] Cyrus-SASL + Postfix + Auth plain |
Hi all,
I've been trying for some time now to get my Postfix secured again with SSL via Cyrus-SASL. It has worked before, but for some reason it has stopped working recently...
The main issue is that even the basic authentication methods (AUTH PLAIN) are failing like this:
Code:
```
[postfix/smtpd] < a.localnet[192.168.0.2]: auth plain <encoded username/password>
[postfix/smtpd] smtpd_sasl_authenticate: sasl_method plain, init_response <encoded username/password>
[postfix/smtpd] smtpd_sasl_authenticate: decoded initial response <cleartext username>
[postfix/smtpd] warning: SASL authentication failure: Can only find author/en (no password)
[postfix/smtpd] warning: a.localnet[192.168.0.2]: SASL plain authentication failed
```
Now the SASL sublayer I am using is definitely working, as it works with testsaslauthd, so my suspicion moves to the smtpd.conf files I have (within /etc/sasl2/ & /usr/lib/sasl2/) and the postfix setup:
Code:
```
# /etc/sasl2/smtpd.conf
pwcheck_method: saslauthd
mech_list: plain login
```
Code:
```
# /etc/postfix/main.cf
...
# SASL stuff
smtpd_sasl_auth_enable = yes
smtpd_sasl_application_name = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated, reject
```
And that's it really - I just want the SASL stuff to authenticate me, as I can build on the rest of the encryption stuff. What really confuses me is that the saslauth daemon IS working correctly, so there must be something wrong/stupid/missing in the above config files surely?
If anyone can help me, I'll be very appreciative.
John
Last edited by Weejoker on Sat Nov 06, 2004 5:06 pm; edited 1 time in total |
langthang Retired Dev
Joined: 27 Nov 2003 Posts: 620
Posted: Sat Nov 06, 2004 12:46 am Post subject: |
Post your /etc/conf.d/saslauthd and /etc/pam.d/saslauthd (mask username, password, etc.)
Weejoker n00b
Posted: Sat Nov 06, 2004 12:46 pm Post subject: |
Hi langthang,
Here is my /etc/conf.d/saslauthd and /etc/pam.d/saslauthd (untouched). I have tested 'testsaslauthd' successfully, but maybe that's thrown me off a bit. Anyway:
/etc/conf.d/saslauthd
Code:
```
SASLAUTH_MECH=shadow
SASLAUTHD_OPTS="-a ${SASLAUTH_MECH} -r -V"
```
/etc/pam.d/saslauthd
Code:
```
#%PAM-1.0
auth required pam_nologin.so
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
```
Something at the back of my mind is telling me that I have screwed up somewhere.
John
Weejoker n00b
Posted: Sat Nov 06, 2004 5:06 pm Post subject: |
Fixed it.
When you have two problems working together against you, it makes it near-impossible to solve them:
* Encoding passwords by hand (mimencode) can be troublesome when certain character sequences aren't interpreted the way you'd like/think... Use an email client that can interpret strings/text correctly for you (as opposed to echo & printf on the command-line)!
* Damn "realm" support - switch it off/set to null if at all possible in both saslauthd and postfix:
Code:
```
# /etc/postfix/main.cf
...
smtpd_sasl_local_domain = [--blank--]
...
```
Code:
```
# /etc/conf.d/saslauthd
# Notice how there is no '-r' in the OPTS...
SASLAUTH_MECH=shadow
SASLAUTHD_OPTS="-a ${SASLAUTH_MECH}"
```
John
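An added example, not part of the original posts: a shell helper that builds the AUTH PLAIN initial response without the hand-encoding pitfalls mentioned above, next to a naive version and a structural check. It assumes the RFC 4616 message layout (authzid NUL authcid NUL passwd) and uses the coreutils `base64` tool in place of mimencode; the user `john` and the passwords are constructed sample values.

```shell
#!/bin/sh
# Added example. "john" and the passwords used here are constructed samples.

# Correct: base64(authzid NUL authcid NUL passwd). Credentials are %s arguments,
# so printf leaves backslashes and % in them alone and appends no newline.
auth_plain() {   # usage: auth_plain USER PASSWORD [AUTHZID]
    printf '%s\0%s\0%s' "${3:-}" "$1" "$2" | base64 | tr -d '\n'
}

# Hand-encoding mistake: credentials pasted into the printf FORMAT string,
# where sequences such as \101 or %d are interpreted instead of sent as typed.
naive_plain() {
    printf "\0$1\0$2" | base64 | tr -d '\n'
}

# Number of NUL separators in a decoded response (a valid one has exactly 2).
plain_nul_count() {
    n=$(printf '%s' "$1" | base64 -d 2>/dev/null | tr -cd '\000' | wc -c)
    echo "$((n))"
}

# Structural check; returns 0 only if the response has three fields and
# does not end in a stray newline.
check_plain() {
    nul=$(plain_nul_count "$1")
    last=$(printf '%s' "$1" | base64 -d 2>/dev/null | tail -c 1 | od -An -tx1 | tr -d ' \n')
    printf 'decoded (NUL shown as |): '
    printf '%s' "$1" | base64 -d 2>/dev/null | tr '\000' '|'
    echo
    if [ "$nul" -ne 2 ]; then
        echo "malformed: expected 2 NUL separators, found $nul"
        return 1
    fi
    if [ "$last" = 0a ]; then
        echo "suspicious: last byte is a newline (encoded with echo?)"
        return 1
    fi
    echo "ok: authzid, authcid and passwd fields are present"
}

# Demo: the same constructed password encoded both ways.
pw='p\101ss'
check_plain "$(auth_plain john "$pw")" || :
check_plain "$(naive_plain john "$pw")" || :
```

Both demo responses pass the structural check, but the decoded output shows the naive one carries a different password, which the server then rejects as an ordinary failed login.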