On Fri Mar 08, 2002 at 12:05:04AM -0800, David Guntner wrote:

> >> $ cat /var/lib/sasl/smtpd.conf
> >> pwcheck_method: pam
> >> $
> >>
> >> (I figured you might want to know what's in the smtpd.conf file. :)
> >
> > This is very bad. What you are doing here is telling SASL to use
> > pam... not good. Two things here:
> >
> > 1) smtpd.conf should contain "pwcheck_method:sasldb"
> > 2) it belongs in /usr/lib/sasl not /var/lib/sasl
> >
> > If this doesn't fix your problem, I will be really surprised...
>
> Prepare to be really surprised, then. :-(
/me hates being a perfectionist

Ok... I'll be damned if this gets past me... I stayed up *really* late
last night (this morning?) trying to figure this out and while I was at
it, I wrote a document on the whole thing for MandrakeSecure. Go
figure... =)

> I took a look in my /usr/lib/sasl directory and found that it already had a
> smtpd.conf file.
>
> $ cat /usr/lib/sasl/smtpd.conf
> #%PAM-1.0
> auth required /lib/security/pam_stack.so service=system-auth
> account required /lib/security/pam_stack.so service=system-auth
> $
>
> I added "pwcheck_method: pam" to the bottom of the file (waiting until I get
> your reply on why it's bad to use this), and when I connected to port 25,
> again I got the error messages I've listed before.

Ok. The problem is how SASL works with this. There are four pwcheck
methods... pam, shadow, sasldb, and pwcheck. The pam auth method
interfaces with pam, apparently. shadow reads /etc/shadow directly.
sasldb uses the /var/lib/sasl/sasl.db file. pwcheck interfaces with the
pwcheck daemon which reads the /etc/shadow file.

Now, why you don't want to use pam. The pam authentication method
should be used if you *don't* use passwd/shadow authentication. For
instance, you would use pam if you used LDAP to authenticate logins
(may even work with NIS). If you want to use pam and still authenticate
against /etc/passwd (really, /etc/shadow), then you must change
/etc/shadow from mode 0600 to mode 0644. For some reason, SASL will
always error out, and I suspect this is because it is trying to read
/etc/shadow as the postfix user. This is the same thing with the shadow
method, which reads /etc/shadow directly. I've verified that chmod'ing
/etc/shadow to 0644 allows both pam and shadow to work (using Evolution
as a test client). Unfortunately, that sucks and is very very insecure.
/etc/shadow must not be anything other than 600 as that defies its
whole purpose. Now *why*, when using pam method, this is required I
don't know.

There must be something wrong in the SASL libs for this to be a
requirement (although searching some archives on the postfix ml,
everyone seems to have this issue). Note, I haven't tried it with pam
using something other than the system passwd file (i.e. didn't test
against LDAP/NIS, etc.).

Now, for your case, you want to use pwcheck method. /usr/sbin/pwcheck
is a daemon, run as root, that acts as a go-between between postfix and
/etc/shadow. There is no initscript for it, and pwcheck launches itself
into the background, so you can just add to the end of
/etc/rc.d/rc.local "/usr/sbin/pwcheck". For testing, change your
smtpd.conf to pwcheck and just run /usr/sbin/pwcheck on the cmdline as
root.

> Heck, I even tried setting "pwcheck_method: sasldb" instead, ran saslpasswd
> to create a user account, and the flipping thing *still* aborted when I
> connected to the SMTP port on my machine with sasl turned on. Argh.

Did you restart postfix after making this change? If so, what kind of
errors are you getting in your logs? If you run sasldblistusers as
root, what does it say?

> Any ideas?

I think pwcheck is your best bet for what you want. Please try that.
Make sure you completely restart postfix after you change your
smtpd.conf... I don't know if it caches the contents of that file or
not, but I did notice in my testing that it seemed to be required.

Also, you can read http://www.mandrakesecure.net/en/docs/postfix-sasl.php
which is "Enabling SASL support in postfix". I'm pretty sure it's at
least 99% accurate. It also has links to two other how-to's I've found.

If, after all of this, it still doesn't work, then I can only assume
you're cursed or something. =) Because I did verify that pam worked
(with 644 /etc/shadow), shadow worked (with 644 /etc/shadow), sasldb
worked (always has over here), and that pwcheck worked (happy 600 perms
on /etc/shadow).
-- 
MandrakeSoft Security; http://www.mandrakesecure.net/
"lynx -source http://www.freezer-burn.org/bios/vdanen.gpg | gpg --import"
1024D/FE6F2AFD 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD
Current Linux kernel 2.4.8-34.1mdk uptime: 44 days 15 hours 57 minutes.
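An added check in shell, not from the mail above or from the SASL/postfix projects, that applies the rule worked out in the thread: flag a smtpd.conf whose pwcheck_method (pam or shadow) would force /etc/shadow from 0600 to 0644, and confirm the shadow file is still 0600 for the sasldb and pwcheck methods. Both file paths are taken as arguments so it can be run against constructed test files; the function name is mine.

```sh
#!/bin/sh
# Added example, not from the original mail: audit the SASL pwcheck_method
# in a smtpd.conf against the mode of the shadow file, using the rule from
# the thread above. Both paths are arguments so it also runs on test files.

# check_smtpd_conf CONF SHADOW -> prints a verdict, returns 0 (safe) or 1.
check_smtpd_conf() {
    conf="$1"
    shadow="$2"
    # Last pwcheck_method line wins; accept "key: value" and "key:value".
    method=$(sed -n 's/^[[:space:]]*pwcheck_method:[[:space:]]*//p' "$conf" | tail -n 1)
    # Octal permission bits (GNU stat first, BSD/macOS stat as fallback).
    mode=$(stat -c '%a' "$shadow" 2>/dev/null || stat -f '%Lp' "$shadow")

    case "$method" in
        sasldb|pwcheck)
            # Neither reads the shadow file as the postfix user, so 0600 stays.
            if [ "$mode" != "600" ]; then
                echo "WARN: $shadow is mode $mode, expected 600"
                return 1
            fi
            echo "OK: pwcheck_method=$method with $shadow mode $mode"
            return 0
            ;;
        pam|shadow)
            # Per the tests in the mail, these only worked once shadow was 0644.
            echo "BAD: pwcheck_method=$method would need $shadow relaxed to 644"
            return 1
            ;;
        "")
            echo "BAD: no pwcheck_method line in $conf"
            return 1
            ;;
        *)
            echo "BAD: unknown pwcheck_method '$method' in $conf"
            return 1
            ;;
    esac
}

# Stand-alone use: check the real files from the thread when they exist.
if [ -f /usr/lib/sasl/smtpd.conf ] && [ -f /etc/shadow ]; then
    check_smtpd_conf /usr/lib/sasl/smtpd.conf /etc/shadow
fi
```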