dziegler n00b
Joined: 24 Oct 2002 Posts: 10
Posted: Mon May 05, 2003 3:58 am Post subject: Postfix with Auth |
I'm trying to get postfix to use auth, but I'm really banging my head against the wall with it not working. I've followed a few guides, but they all seem to not work (for me at least). Here's what I've got...
(relevant) main.cf:
Code:
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    permit_auth_destination, reject
smtpd_sasl_security_options = noanonymous
#smtpd_sasl_local_domain = $myhostname
smtpd_sasl_auth_enable = yes
#smtpd_tls_auth_only = yes
/usr/lib/sasl2/smtpd.conf AND /etc/postfix/sasl/smtpd.conf:
Code:
pwcheck_method: saslauthd
/etc/pam.d/smtp AND /etc/pam.d/smtpd:
Code:
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
When I try to auth, I get this:
Code:
220 ziegler.ws ESMTP Postfix
EHLO foo
250-ziegler.ws
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-XVERP
250 8BITMIME
AUTH PLAIN xxxxxxxxxxxxxxxxxx
535 Error: authentication failed
I can't figure out why it won't authorize successfully. What I'd like to have happen is that Postfix uses SASL to verify the password, which uses PAM to verify the password. I think that the problem is that SASL doesn't know to use PAM to verify the password, but I can't figure out how to change that. Does anyone have any advice? I'm happy to try anything anyone suggests. Thank you so much for your help!
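The transcript in the post above shows AUTH LOGIN PLAIN being offered on a plaintext connection, and an AUTH PLAIN line whose argument is only base64. The following is an added example (not code from the thread or from Postfix) that parses such an EHLO reply, builds and decodes an RFC 4616 AUTH PLAIN initial response, and reports the findings a defender cares about: the sample replies are constructed from the transcript, and the hostnames and credentials are made up.

```python
"""EHLO capability audit and AUTH PLAIN encoding/decoding (added example)."""
import base64
from typing import Dict, List

# Constructed from the transcript in the post: what the server said on a
# plaintext connection, before any STARTTLS.
SAMPLE_EHLO = """250-ziegler.ws
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-XVERP
250 8BITMIME"""

# Constructed: what the same server would say before STARTTLS once
# smtpd_use_tls = yes and smtpd_tls_auth_only = yes are in effect.
SAMPLE_EHLO_TLS_ONLY = """250-ziegler.ws
250-PIPELINING
250-STARTTLS
250 8BITMIME"""


def parse_ehlo(reply: str) -> Dict[str, List[str]]:
    """Turn an EHLO reply into {KEYWORD: [parameters]}.

    The first line carries the server hostname, not a capability. 'AUTH='
    is the pre-RFC 2554 spelling that broken_sasl_auth_clients = yes makes
    Postfix emit for old Outlook-style clients; it is kept as its own key.
    """
    caps: Dict[str, List[str]] = {}
    for line in reply.splitlines()[1:]:
        if not line.startswith("250"):
            raise ValueError(f"unexpected EHLO line: {line!r}")
        body = line[4:]  # strip '250-' or '250 '
        if body.startswith("AUTH="):
            keyword, params = "AUTH=", body[5:]
        else:
            keyword, _, params = body.partition(" ")
        caps[keyword.upper()] = params.split()
    return caps


def auth_plain_initial_response(authzid: str, authcid: str, password: str) -> str:
    """AUTH PLAIN argument per RFC 4616: base64(authzid NUL authcid NUL password)."""
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_auth_plain(blob: str) -> Dict[str, str]:
    """What anyone reading the unencrypted session recovers from the AUTH
    PLAIN line: base64 is an encoding, not encryption."""
    parts = base64.b64decode(blob).decode("utf-8").split("\0")
    if len(parts) != 3:
        raise ValueError("malformed AUTH PLAIN blob")
    return {"authzid": parts[0], "authcid": parts[1], "password": parts[2]}


def audit_plaintext_ehlo(reply: str) -> List[str]:
    """Findings for an EHLO reply received BEFORE STARTTLS.

    With smtpd_tls_auth_only = yes, Postfix advertises AUTH only inside a
    TLS session, so any AUTH keyword here means credentials may be sent
    in the clear.
    """
    caps = parse_ehlo(reply)
    findings: List[str] = []
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not offered: smtpd_use_tls is off or TLS setup failed")
    mechs = set(caps.get("AUTH", [])) | set(caps.get("AUTH=", []))
    if mechs:
        findings.append("AUTH offered before STARTTLS (" + " ".join(sorted(mechs))
                        + "): set smtpd_tls_auth_only = yes")
    if mechs & {"PLAIN", "LOGIN"} and "STARTTLS" not in caps:
        findings.append("PLAIN/LOGIN without TLS: password crosses the wire base64-encoded only")
    return findings


if __name__ == "__main__":
    for finding in audit_plaintext_ehlo(SAMPLE_EHLO):
        print("finding:", finding)
    print("tls-only server findings:", audit_plaintext_ehlo(SAMPLE_EHLO_TLS_ONLY))
```

Running it against the transcript's reply yields three findings (no STARTTLS, AUTH before TLS, PLAIN/LOGIN without TLS); against the TLS-only reply it yields none, which is the state Woody2143's later smtpd_tls_auth_only = yes setting produces.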
scrllock Tux's lil' helper
Joined: 14 Oct 2002 Posts: 102
Posted: Mon May 05, 2003 12:22 pm
From the gentoo virtual mail-hosting guide:
Quote:
Note: Now for some reason, sasl will not play nicely with pam against the shadow file. I banged my head against this problem for, well, a long time. If anyone knows why sasl will not auth against the shadow file in its current gentoo incarnation, please email me as I'd love to hear a solution to this.
mglauche Retired Dev
Joined: 25 Apr 2002 Posts: 564 Location: Germany
Posted: Mon May 05, 2003 12:56 pm
Is saslauthd running? And how did you invoke saslauthd?
dziegler n00b
Joined: 24 Oct 2002 Posts: 10
Posted: Mon May 05, 2003 1:39 pm
Well now I am confused. I gave up last night and went to bed. This morning, I really am not sure what I did, but it magically started working. Thanks for your help. FWIW, yes, I was running saslauthd (using the standard gentoo init script). If anyone's wondering what any of my configuration files look like or anything, feel free to ask, and I'll do my best to help you.
Woody2143 n00b
Joined: 26 Mar 2003 Posts: 19 Location: Atlanta, GA
Posted: Fri May 09, 2003 5:05 am Post subject: Well What do you know... Postfix + SASL + PAM Works...
Well guys, I worked on this most of the day starting with this thread... I can say for a fact that it does work. Though to be honest, like the guy before me, I'm not sure why. Here is my setup, please don't laugh too much....
Like I said, I started with the above post and found more information through google...
/etc/postfix/main.cf
Code:
# To fix problems with Outlook and older mail clients
broken_sasl_auth_clients = yes
# I'm not gonna explain everything, this is simple...
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    permit_auth_destination, reject
# This option will keep you from being an open relay
smtpd_sasl_security_options = noanonymous
# For some reason in posts on a debian mailing list
# they said not to fill this option out, that it messes
# with users sending mail. I'll test this out later
smtpd_sasl_local_domain =
# Again, from a debian mailing list, it didn't break
# anything so I didn't see the harm in putting it in
smtpd_sasl_auth_enable = yes
smtpd_sasl2_auth_enable = yes
# I consider this a very important part of the config
# if you are using PAM with PLAIN or LOGIN. This
# turns on SSL, that way you aren't just sending your
# login and password in plain text. Least that is the
# impression I get from what I read, correct me if
# I'm wrong... I force the use of SSL with the second
# option... The rest is just copied from another mailing
# list...
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/newreq.pem
smtpd_tls_cert_file = /etc/postfix/newcert.pem
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
Yes, I have all these files, but it's just one file with symlinks everywhere else just to make sure I got it... Accuracy by volume as they say... This is just from the Gentoo Docs...
/etc/postfix/sasl/smtpd.conf
/etc/postfix/sasl2/smtpd.conf
/usr/lib/sasl2/smtpd.conf
/var/lib/sasl2/smtpd.conf
Code:
pwcheck_method: saslauthd
mech_list: LOGIN PLAIN
/etc/pam.d/smtpd
... Just followed the above post...
It started to work with sasldb2 having the login and password, but once I worked out a few more options I deleted /etc/sasl2/sasldb2 and it started to work off of my regular login/pass...
That's about it... I restarted saslauthd and postfix plenty of times while playing with the config files...
I apologize for the crappy post, I'm tired. At least the main points of my config files are there. I'll come back and clean this up later...
Oh, and don't use Eudora to test; it gave me too many unrelated errors even after I proved it worked with Outlook...
-- Woody2143
Blasted n00b
Joined: 01 May 2003 Posts: 6 Location: Stavanger, Norway
Posted: Sun May 11, 2003 11:54 am
Quote:
Note: Now for some reason, sasl will not play nicely with pam against the shadow file. I banged my head against this problem for, well, a long time. If anyone knows why sasl will not auth against the shadow file in its current gentoo incarnation, please email me as I'd love to hear a solution to this.
I found this in another HOW-TO:
Quote:
5.1. Methods to provide the authentication service
Cyrus-SASL may use various methods to connect to a source that holds user and password data. By nature Cyrus-SASL is capable of connecting to PAM and sasldb. However there are situations where this approach runs short:
5.1.1. Permissions
To authenticate via PAM from passwd/shadow requires root privileges. Any daemon (here: Postfix) that uses SASL which is not run as root will therefore not be permitted to query passwd/shadow. Some systems solve this by adding the SASL-user to a special group that is permitted to read from passwd/shadow.
Is that good? Well, consider running Postfix chrooted and having to copy your passwd/shadow files to the jail. Huh? Yes, you'd have to do that, and that would make the idea of running a chrooted Postfix to keep malicious users from your valuable password useless. You'd be at the start again... read on as there is a solution to this!
5.1.2. User:pass sources
There are situations where you don't want to use PAM or sasldb, because you want to have all the mail users separated from machine users or have them on a different machine or you run a central AUTH service for single sign on and so on...
For both scenarios you may configure SASL to use a daemon that will run as root and can connect to various backends e.g. a LDAP or SQL database.
Note
Cyrus-SASL daemons don't support LDAP and e.g. MySQL from source. However there are patches available on the net that will give you those functionalities. You will have to patch Cyrus-SASL, recompile and install it, before these functionalities will be available to SASL.
You may use different methods to provide authentication service with Cyrus-SASL.
5.1.3. Daemons
Cyrus-SASL comes with two daemons that may run on your mail server: pwcheck and saslauthd. Basically they are pretty much the same. The newer daemon saslauthd (since Cyrus-SASL 1.5.27) is said to be based on the code of the former pwcheck. Anyway saslauthd goes beyond the functionality of pwcheck and pwcheck will be dropped in the future. So we will have a look at the newer daemon in this HOWTO.
Note
LDAP and SQL authentication
If you want to authenticate your mail users against an LDAP or SQL server you might want to go for the pwcheck daemon. There might be more patches available for this at the moment.
5.1.4. Which method can you use in Postfix?
You can use all of them, but note: If you use PAM, saslauthd or pwcheck you only have the mechanisms PLAIN and LOGIN at your command.
Hope this can shed some light on the issue....
Oh yeah, the link can be found here
http://postfix.state-of-mind.de/
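Two points in this thread are easy to get wrong in the files themselves: the main.cf settings Woody2143 annotated (SASL enabled, noanonymous, a closing reject, and TLS-only AUTH) and the HOWTO's 5.1.4 rule that saslauthd, pwcheck and PAM can only verify PLAIN and LOGIN. The following is an added example, not code from the thread, from Postfix or from Cyrus SASL: a small linter for both files. The sample configurations are constructed from the posts; the dziegler variant reproduces the first post's main.cf, which has no TLS.

```python
"""Lint main.cf and Cyrus SASL smtpd.conf for the auth points in this thread (added example)."""
import re
from typing import Dict, List

# Constructed from Woody2143's post (continuation lines start with whitespace).
SAMPLE_MAIN_CF = """\
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    permit_auth_destination, reject
smtpd_sasl_security_options = noanonymous
smtpd_sasl_auth_enable = yes
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
"""

# Constructed from dziegler's first post: SASL on, but no TLS at all.
SAMPLE_WEAK_MAIN_CF = """\
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    permit_auth_destination, reject
smtpd_sasl_security_options = noanonymous
#smtpd_sasl_local_domain = $myhostname
smtpd_sasl_auth_enable = yes
#smtpd_tls_auth_only = yes
"""

# Constructed from the smtpd.conf shown in the thread.
SAMPLE_SMTPD_CONF = """\
pwcheck_method: saslauthd
mech_list: LOGIN PLAIN
"""

# The only mechanisms a saslauthd/pwcheck/PAM backend can verify (HOWTO 5.1.4).
PLAINTEXT_BACKEND_MECHS = {"PLAIN", "LOGIN"}


def parse_main_cf(text: str) -> Dict[str, str]:
    """Minimal main.cf reader: 'key = value', '#' comments, whitespace-led continuations."""
    params: Dict[str, str] = {}
    key = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and key is not None:
            params[key] += " " + line.strip()  # continuation of the previous value
            continue
        k, sep, v = line.partition("=")
        if not sep:
            raise ValueError(f"main.cf line without '=': {line!r}")
        key = k.strip()
        params[key] = v.strip()
    return params


def parse_sasl_conf(text: str) -> Dict[str, str]:
    """smtpd.conf uses 'key: value' lines; keys are case-insensitive here."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        k, sep, v = line.partition(":")
        if not sep:
            raise ValueError(f"smtpd.conf line without ':': {line!r}")
        conf[k.strip().lower()] = v.strip()
    return conf


def restriction_list(value: str) -> List[str]:
    """Split a Postfix restriction list on commas and/or whitespace."""
    return [r for r in re.split(r"[,\s]+", value) if r]


def lint_main_cf(params: Dict[str, str]) -> List[str]:
    def is_yes(name: str) -> bool:
        return params.get(name, "").strip().lower() == "yes"

    findings: List[str] = []
    if not is_yes("smtpd_sasl_auth_enable"):
        findings.append("smtpd_sasl_auth_enable is not 'yes': AUTH will never be offered")
    if "noanonymous" not in params.get("smtpd_sasl_security_options", "").lower():
        findings.append("smtpd_sasl_security_options lacks noanonymous: anonymous SASL logins would count as authenticated")
    if not is_yes("smtpd_use_tls"):
        findings.append("smtpd_use_tls is not 'yes': no STARTTLS, so PLAIN/LOGIN credentials cross the wire base64-encoded only")
    elif not is_yes("smtpd_tls_auth_only"):
        findings.append("TLS is on but smtpd_tls_auth_only is not 'yes': AUTH is still offered before STARTTLS")
    rr = restriction_list(params.get("smtpd_recipient_restrictions", ""))
    if "permit_sasl_authenticated" not in rr:
        findings.append("smtpd_recipient_restrictions lacks permit_sasl_authenticated: authenticated users cannot relay")
    if "reject" not in rr and "reject_unauth_destination" not in rr:
        findings.append("smtpd_recipient_restrictions has no closing reject/reject_unauth_destination: open-relay risk")
    return findings


def lint_sasl_conf(conf: Dict[str, str]) -> List[str]:
    findings: List[str] = []
    method = conf.get("pwcheck_method", "").lower()
    mechs = set(conf.get("mech_list", "").upper().split())
    if method in ("saslauthd", "pwcheck"):
        if not mechs:
            findings.append("mech_list unset: every installed mechanism is advertised, but "
                            f"{method} can only verify PLAIN and LOGIN")
        extra = mechs - PLAINTEXT_BACKEND_MECHS
        if extra:
            findings.append("mech_list includes " + " ".join(sorted(extra))
                            + f", which {method} cannot verify (it needs the plaintext password)")
    return findings


if __name__ == "__main__":
    print("Woody2143 main.cf:", lint_main_cf(parse_main_cf(SAMPLE_MAIN_CF)))
    print("dziegler main.cf:", lint_main_cf(parse_main_cf(SAMPLE_WEAK_MAIN_CF)))
    print("smtpd.conf:", lint_sasl_conf(parse_sasl_conf(SAMPLE_SMTPD_CONF)))
```

Woody2143's main.cf passes clean, the first post's main.cf gets exactly one finding (no TLS), and the thread's smtpd.conf passes; an smtpd.conf that lists CRAM-MD5 alongside pwcheck_method: saslauthd is flagged, since Postfix would advertise a mechanism the backend can never complete. Note that the parser reads only the keys this thread discusses; a real main.cf has $variable expansion that this example does not implement.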