Hi, I figured out, by accident, that although I hoped I was using /etc/postfix/sasl_passwd.db as my authentication store, I wasn't. I'm using regular login stuff, a la PAM. So anyone in my /etc/passwd file can send authenticated email.
What I'd like to do is change that so you can only send authenticated email if you're in /etc/postfix/sasl_passwd.db. My email server is smail. So this:

    [r...@smail ~]# more /etc/postfix/sasl_passwd
    smail.arlut.utexas.edu user1:clearpass

followed by this:

    postmap hash:/etc/postfix/sasl_passwd

should set up user1 to be authenticated by the password clearpass when sending email through the host smail. Right?

The groovy part of /etc/postfix/main.cf:

    #-------------------------------------------------------------------------------
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination
    smtpd_client_restrictions = permit_sasl_authenticated, reject
    smtpd_sasl_authenticated_header = yes
    broken_sasl_auth_clients = yes
    cyrus_sasl_config_path = /usr/lib64/sasl2
    smtp_sasl_type = cyrus
    smtpd_sasl_type = cyrus
    smtpd_sasl_local_domain = $myhostname
    #-------------------------------------------------------------------------------

Now, is the stuff I need to change in the part above? Or is it in saslauthd's smtpd.conf?

    more /usr/lib64/sasl2/smtpd.conf
    pwcheck_method: saslauthd
    log_level: 5
    mech_list: PLAIN LOGIN CRAM-MD5

What I'm really after: I want to control (in a way I understand) which users get to send authenticated email. I know how to disable passwords for users in /etc/passwd, /etc/shadow, but I don't want root sending authenticated email. Yet I also don't want to disable root's password. Is there something I don't know? I thought I couldn't prevent root authentication for email and still let root log in. So, I thought /etc/postfix/sasl_passwd would be the ticket. List the users there and that's that.

Well, I find that I've been testing using a user not in sasl_passwd. The tests have worked. So I'm clearly going against /etc/passwd.
But I thought saslauthd did not support cram-md5 and digest-md5, and I want to use md5 to encrypt the passwords. Or at least allow it. Thus, I had to have PLAIN LOGIN in smtpd.conf. I surmise that mech_list: PLAIN LOGIN is turning on logging in through /etc/passwd.

Clearly, I'm a noob.

j.

--
Jay Scott 512-835-3553 g...@arlut.utexas.edu
Head of Sun Support, Sr. Operating Systems Specialist
Applied Research Labs, Computer Science Div. S224
University of Texas at Austin
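
As an added example (not part of the original post, and not Postfix's or Cyrus SASL's own tooling), this Python script reads the settings quoted above and reports where smtpd actually checks passwords, which explains why accounts from /etc/passwd authenticate. The function names `parse` and `audit` and the embedded inputs are constructed for illustration.

```python
# Added example, not from the post: inputs are constructed from its quoted settings.
MAIN_CF = """\
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtpd_sasl_auth_enable = yes
"""
SMTPD_CONF = """\
pwcheck_method: saslauthd
log_level: 5
mech_list: PLAIN LOGIN CRAM-MD5
"""
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}  # all that saslauthd is able to verify

def parse(text, sep):
    """Parse 'key<sep>value' lines (no main.cf continuation-line support)."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and sep in line:
            key, value = line.split(sep, 1)
            out[key.strip()] = value.strip()
    return out

def audit(main_cf, smtpd_conf):
    """Return findings about where server-side (smtpd) credentials are checked."""
    cf, sasl = parse(main_cf, "="), parse(smtpd_conf, ":")
    if cf.get("smtpd_sasl_auth_enable", "no") != "yes":
        return ["smtpd SASL authentication is disabled"]
    findings = []
    if "smtp_sasl_password_maps" in cf:
        findings.append("smtp_sasl_password_maps (%s) is read only by the outbound "
                        "SMTP client; smtpd never consults it"
                        % cf["smtp_sasl_password_maps"])
    method = sasl.get("pwcheck_method", "auxprop")  # Cyrus SASL default
    mechs = set(sasl.get("mech_list", "").upper().split())
    if method == "saslauthd":
        findings.append("passwords go to saslauthd; its -a backend decides the "
                        "account store (pam or shadow means system accounts)")
        for mech in sorted(mechs - PLAINTEXT_MECHS):
            findings.append(mech + " is a shared-secret mechanism that saslauthd "
                            "cannot verify; it needs an auxprop store")
    elif method == "auxprop":
        findings.append("passwords come from auxprop plugin: "
                        + sasl.get("auxprop_plugin", "(all installed)"))
    return findings

if __name__ == "__main__":
    print("\n".join(audit(MAIN_CF, SMTPD_CONF)))
```

Run against the posted settings it reports three findings; swapping `pwcheck_method` to `auxprop` with `auxprop_plugin: sasldb` in the sample input shows the store moving to a database that is separate from the system accounts.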