Vincent Danen grabbed a keyboard and wrote:
>
> Now, why you don't want to use pam. The pam authentication method
> should be used if you *don't* use passwd/shadow authentication. For
> instance, you would use pam if you used LDAP to authenticate logins
> (may even work with NIS). If you want to use pam and still
> authenticate against /etc/passwd (really, /etc/shadow), then you must
> change /etc/shadow from mode 0600 to mode 0644. For some reason, SASL
> will always error out, and I suspect this is because it is trying to
> read /etc/shadow as the postfix user. This is the same thing with the
> shadow method, which reads /etc/shadow directly. I've verified that
> chmod'ing /etc/shadow to 0644 allows both pam and shadow to work
> (using Evolution as a test client).
Interesting. I always thought that pam had its own method of accessing
the password file. Thanks for the information.
> Unfortunately, that sucks and is very very insecure. /etc/shadow must
> not be anything other than 600 as that defies its whole purpose. Now
> *why*, when using pam method, this is required I don't know. There
> must be something wrong in the SASL libs for this to be a requirement
> (although searching some archives on the postfix ml, everyone seems to
> have this issue). Note, I haven't tried it with pam using something
> other than the system passwd file (ie. didn't test against LDAP/NIS,
> etc.).
One of the things mentioned at a web site I found describing using AUTH in
postfix was that if you were going to use the "pwcheck_method: shadow"
style, they recommended that you set /etc/shadow to mode 640 and
then change its group to a group that the postfix user belonged to. That
way, postfix could read the file. I suspect that it would work that way as
well WRT what you describe above (you don't need to go 644, which I agree
is *horrible* from a security standpoint).
> Now, for your case, you want to use pwcheck method. /usr/sbin/pwcheck
> is a daemon, run as root, that acts as a go-between between postfix
> and /etc/shadow. There is no initscript for it, and pwcheck launches
> itself into the background, so you can just add to the end of
> /etc/rc.d/rc.local "/usr/sbin/pwcheck". For testing, change your
> smtpd.conf to pwcheck and just run /usr/sbin/pwcheck on the cmdline as
> root.
I will try that and let you know what happens.
> > Heck, I even tried setting "pwcheck_method: sasldb" instead, ran saslpasswd
> > to create a user account, and the flipping thing *still* aborted when I
> > connected to the SMTP port on my machine with sasl turned on. Argh.
>
> Did you restart postfix after making this change?
Yea, I sure did. "/etc/init.d/postfix restart" after various changes. I
wanted to be sure that nothing was being cached without my knowledge.
> If so, what kind of errors are you getting in your logs?
When I connect to port 25 after doing the restart, I get the exact same
error messages I've listed in this thread before. No variation at all.
> If you run sasldblistusers as root, what does it say?
# sasldblistusers
user: mrobin realm: {myhost} mech: DIGEST-MD5
user: mrobin realm: {myhost} mech: PLAIN
user: mrobin realm: {myhost} mech: CRAM-MD5
#
"mrobin" is a friend of mine who I'm trying to give relay access to. :-)
> > Any ideas?
>
> I think pwcheck is your best bet for what you want. Please try that.
> Make sure you completely restart postfix after you change your
> smtpd.conf... I don't know if it caches the contents of that file or
> not, but I did notice in my testing that it seemed to be required.
Like I said above, I did issue a restart rather than reload command. Heck,
I even restarted saslauthd each time as well, just in case.
> Also, you can read http://www.mandrakesecure.net/en/docs/postfix-sasl.php
> which is "Enabling SASL support in postfix". I'm pretty sure it's at
> least 99% accurate. It also has links to two other how-to's I've
> found.
I will do that for sure.
> If, after all of this, it still doesn't work, then I can only assume
> you're cursed or something. =) Because I did verify that pam worked
> (with 644 /etc/shadow), shadow worked (with 644 /etc/shadow), sasldb
> worked (always has over here), and that pwcheck worked (happy 600
> perms on /etc/shadow).
Oh great, I'll go down in history.
User: "I can't get this $#@!ing thing to work!"
Support: "You must have the Curse Of Dave."
:-)
ARGH!!! Just to try it out before sending this off, I tried setting pam
again (because it was quicker at this point) and changed /etc/shadow to
mode 644. I did a restart of both saslauthd and postfix. I connected to
the SMTP port, and the flipping thing *still* errors. As usual, in the
syslog, I see:
postfix/smtpd[18867]: fatal: SASL per-process initialization failed
postfix/master[18842]: warning: process /usr/lib/postfix/smtpd pid 18867 exit status 1
postfix/master[18842]: warning: /usr/lib/postfix/smtpd: bad command startup -- throttling
Why doesn't this thing like me? :-/
Do your SASL / Postfix people have any other ideas why this is refusing to
work? Why do I keep getting this error? Even when I make the shadow file
readable by the world, I keep getting that error... Do they have any idea
why the "per-process" initialization would fail, no matter what I do with
the configuration?
--Dave
--
David Guntner GEnie: Just say NO!
http://www.akaMail.com/pgpkey/davidg or key server
for PGP Public key
Want to buy your Pack or Services from MandrakeSoft?
Go to http://www.mandrakestore.com
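The thread turns on what mode /etc/shadow ends up in after the various pwcheck_method experiments (0600 normally, 0640 with a dedicated group for the shadow method, 0644 which both posters call insecure). The helper below is an added example written for this page, not code from the thread, from Postfix or from Cyrus SASL; it classifies a file's permission bits the way the discussion does, so an admin can confirm the file was put back after testing. It assumes a Linux box with GNU coreutils stat (the `-c` option); the function and option names are the example's own.

```shell
#!/bin/sh
# Added audit helper (not part of the original mailing-list thread).
# Assumes GNU coreutils 'stat' (stat -c '%a' / '%G'), i.e. a Linux system.

# shadow_mode_class MODE
#   MODE is an octal permission string such as 600, 0640 or 644.
#   Prints one of:
#     world-accessible : any read/write/execute bit for "others" is set
#                        (e.g. 0644) -- the setting the thread calls insecure
#     group-readable   : group can read, others cannot (e.g. 0640) -- only
#                        acceptable when the group holds just the daemon
#                        account that must read the file
#     owner-only       : 0600 or stricter, the normal state of /etc/shadow
shadow_mode_class() {
    # Leading 0 forces octal interpretation in POSIX arithmetic expansion.
    mode=$((0$1))
    if [ $((mode & 07)) -ne 0 ]; then
        echo world-accessible
    elif [ $((mode & 040)) -ne 0 ]; then
        echo group-readable
    else
        echo owner-only
    fi
}

# audit_shadow_file PATH
#   Reads the real mode and group of PATH and prints "<class> group=<name>".
#   Returns 1 if the file does not exist.
audit_shadow_file() {
    f=$1
    [ -e "$f" ] || { echo "missing"; return 1; }
    m=$(stat -c '%a' "$f")
    g=$(stat -c '%G' "$f")
    echo "$(shadow_mode_class "$m") group=$g"
}

# Usage:  sh shadow_audit.sh /etc/shadow
if [ -n "${1:-}" ]; then
    audit_shadow_file "$1"
fi
```

A result of "group-readable group=shadow" (or a group created for the mail daemon) matches the 640-plus-group arrangement mentioned above; anything reporting world-accessible means the 644 experiment was left in place and should be reverted.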