Vincent Danen grabbed a keyboard and wrote:

>
> Now, why you don't want to use pam. The pam authentication method
> should be used if you *don't* use passwd/shadow authentication. For
> instance, you would use pam if you used LDAP to authenticate logins
> (may even work with NIS). If you want to use pam and still
> authenticate against /etc/passwd (really, /etc/shadow), then you must
> change /etc/shadow from mode 0600 to mode 0644. For some reason, SASL
> will always error out, and I suspect this is because it is trying to
> read /etc/shadow as the postfix user. This is the same thing with the
> shadow method, which reads /etc/shadow directly. I've verified that
> chmod'ing /etc/shadow to 0644 allows both pam and shadow to work
> (using Evolution as a test client).

Interesting. I always thought that pam had its own method of accessing
the password file. Thanks for the information.

> Unfortunately, that sucks and is very very insecure. /etc/shadow must
> not be anything other than 600 as that defies its whole purpose. Now
> *why*, when using pam method, this is required I don't know. There
> must be something wrong in the SASL libs for this to be a requirement
> (although searching some archives on the postfix ml, everyone seems to
> have this issue). Note, I haven't tried it with pam using something
> other than the system passwd file (ie. didn't test against LDAP/NIS,
> etc.).

One of the things mentioned at a web site I found describing using AUTH
in postfix was that if you were going to use the "pwcheck_method: shadow"
style, they recommended that you set /etc/shadow as mode 640 and then
change its group to a group that the postfix user belonged to. That way,
postfix could read the file. I suspect that it would work that way as
well WRT what you describe above (you don't need to go 644, which I agree
is *horrible* from a security standpoint).

> Now, for your case, you want to use pwcheck method. /usr/sbin/pwcheck
> is a daemon, run as root, that acts as a go-between between postfix
> and /etc/shadow. There is no initscript for it, and pwcheck launches
> itself into the background, so you can just add to the end of
> /etc/rc.d/rc.local "/usr/sbin/pwcheck". For testing, change your
> smtpd.conf to pwcheck and just run /usr/sbin/pwcheck on the cmdline as
> root.

I will try that and let you know what happens.

> > Heck, I even tried setting "pwcheck_method: sasldb" instead, ran saslpasswd
> > to create a user account, and the flipping thing *still* aborted when I
> > connected to the SMTP port on my machine with sasl turned on. Argh.
>
> Did you restart postfix after making this change?

Yea, I sure did. "/etc/init.d/postfix restart" after various changes.
I wanted to be sure that nothing was being cached without my knowledge.

> If so, what kind of errors are you getting in your logs?

When I connect to port 25 after doing the restart, I get the exact same
error messages I've listed in this thread before. No variation at all.

> If you run sasldblistusers as root, what does it say?

# sasldblistusers
user: mrobin realm: {myhost} mech: DIGEST-MD5
user: mrobin realm: {myhost} mech: PLAIN
user: mrobin realm: {myhost} mech: CRAM-MD5
#

"mrobin" is a friend of mine who I'm trying to give relay access to. :-)

> > Any ideas?
>
> I think pwcheck is your best bet for what you want. Please try that.
> Make sure you completely restart postfix after you change your
> smtpd.conf... I don't know if it caches the contents of that file or
> not, but I did notice in my testing that it seemed to be required.

Like I said above, I did issue a restart rather than reload command.
Heck, I even restarted saslauthd each time as well, just in case.

> Also, you can read http://www.mandrakesecure.net/en/docs/postfix-sasl.php
> which is "Enabling SASL support in postfix". I'm pretty sure it's at
> least 99% accurate. It also has links to two other how-to's I've
> found.

I will do that for sure.

> If, after all of this, it still doesn't work, then I can only assume
> you're cursed or something. =) Because I did verify that pam worked
> (with 644 /etc/shadow), shadow worked (with 644 /etc/shadow), sasldb
> worked (always has over here), and that pwcheck worked (happy 600
> perms on /etc/shadow).

Oh great, I'll go down in history. User: "I can't get this $#@!ing thing
to work!" Support: "You must have the Curse Of Dave." :-)

ARGH!!! Just to try it out before sending this off, I tried setting pam
again (because it was quicker at this point) and changed /etc/shadow to
mode 644. I did a restart of both saslauthd and postfix. I connected to
the SMTP port, and the flipping thing *still* errors.

As usual, in the syslog, I see:

postfix/smtpd[18867]: fatal: SASL per-process initialization failed
postfix/master[18842]: warning: process /usr/lib/postfix/smtpd pid 18867 exit status 1
postfix/master[18842]: warning: /usr/lib/postfix/smtpd: bad command startup -- throttling

Why doesn't this thing like me? :-/ Do your SASL / Postfix people have
any other ideas why this is refusing to work? Why do I keep getting this
error? Even when I make the shadow file readable by the world, I keep
getting that error... Do they have any idea why the "per-process"
initialization would fail, no matter what I do with the configuration?

                --Dave
-- 
David Guntner                        GEnie: Just say NO!
http://www.akaMail.com/pgpkey/davidg or key server for PGP Public key
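The thread keeps circling two settings: the mode of /etc/shadow (600, the 640-plus-group suggestion, or the 644 workaround) and which pwcheck_method smtpd.conf selects. The following shell script is an added audit helper, not code from this thread, from Postfix or from Cyrus SASL. Its function names (file_mode, shadow_mode_class, pwcheck_method_class, audit_sasl_setup) and the sample shadow and smtpd.conf contents are constructed for the example; it takes file paths as parameters so it can be run against scratch files rather than the real /etc/shadow. The pam/shadow grouping reflects only what this thread reports (those two methods worked for Vincent only with a world-readable /etc/shadow), not a general statement about PAM.

```shell
#!/bin/sh
# Added audit helper, not code from this thread or from Postfix/Cyrus SASL.
# It checks the two things the discussion keeps returning to:
#   1. whether a shadow-style password file is readable beyond owner/group
#      (the 644 workaround), and
#   2. which pwcheck_method a Cyrus SASL smtpd.conf selects, grouped by
#      whether this thread reports it needing smtpd itself to read the
#      shadow file (pam, shadow) or a root daemon / separate db instead.
# Both functions take a path so they can be run against constructed files.

# Octal permission bits of a file; GNU stat first, BSD stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Classify a shadow file's mode:
#   ok      -> 600 (owner only) or 640 (owner plus a trusted group)
#   world   -> any "other" bit set, e.g. the 644 workaround from the thread
#   unusual -> anything else (setuid bits, 000, group-writable, ...)
shadow_mode_class() {
    mode=$(file_mode "$1")
    mode=$(printf '%s' "$mode" | sed 's/^0*//')   # "0600" -> "600"
    case "$mode" in
        600|640)  echo ok ;;
        ??[1-7])  echo world ;;
        *)        echo unusual ;;
    esac
}

# Read pwcheck_method from an smtpd.conf and classify it:
#   direct  -> pam or shadow: in this thread these only worked with a
#              world-readable /etc/shadow
#   daemon  -> pwcheck: root-run /usr/sbin/pwcheck reads the shadow file
#   sasldb  -> sasldb: separate SASL database, shadow file not involved
#   missing -> no pwcheck_method line found
pwcheck_method_class() {
    method=$(sed -n 's/^[[:space:]]*pwcheck_method:[[:space:]]*//p' "$1" \
             | sed 's/[[:space:]]*$//' | head -n 1)
    case "$method" in
        pam|shadow) echo direct ;;
        pwcheck)    echo daemon ;;
        sasldb)     echo sasldb ;;
        '')         echo missing ;;
        *)          echo "other:$method" ;;
    esac
}

# Combined verdict: returns 1 only for the combination to avoid, i.e. a
# method that reads the shadow file directly AND a world-readable file.
# Usage: audit_sasl_setup <shadow-file> <smtpd.conf>
audit_sasl_setup() {
    s=$(shadow_mode_class "$1")
    m=$(pwcheck_method_class "$2")
    echo "shadow: $s ($(file_mode "$1"))  pwcheck_method: $m"
    if [ "$m" = direct ] && [ "$s" = world ]; then
        return 1
    fi
    return 0
}

# Demo on constructed files (hypothetical contents), so nothing under /etc
# is touched. Mirrors the 644 + pam combination described in the thread.
demo() {
    tmp=$(mktemp -d)
    printf 'mrobin:*:12345:0:99999:7:::\n' > "$tmp/shadow"
    chmod 644 "$tmp/shadow"
    printf 'pwcheck_method: pam\nmech_list: plain login\n' > "$tmp/smtpd.conf"
    if audit_sasl_setup "$tmp/shadow" "$tmp/smtpd.conf"; then
        echo "verdict: acceptable"
    else
        echo "verdict: shadow file exposed to every local user"
    fi
    rm -rf "$tmp"
}

demo
```

Running it as written prints the demo verdict for the 644 + pam case; pointing audit_sasl_setup at the real /etc/shadow and /usr/lib/sasl/smtpd.conf (or wherever a given install keeps it) gives the same one-line summary for a live box, and the non-zero return makes it usable from a cron job or a post-install check.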