Jay, please run "postconf -n" and send that as well as output from the saslfinger script. <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
p...@rick

* Jay G. Scott <g...@arlut.utexas.edu>:
>
> hi,
>
> I figured out, by accident, that although I hoped I was using
> /etc/postfix/sasl_passwd.db
> as my authentication store, I wasn't. I'm using regular login
> stuff, a la PAM. So anyone in my /etc/passwd file can send
> authenticated email.
>
> What I'd like to do is change that so you can only send authenticated
> email if you're in /etc/postfix/sasl_passwd.db.
>
> My email server is smail. So this:
> [r...@smail ~]# more /etc/postfix/sasl_passwd
> smail.arlut.utexas.edu user1:clearpass
>
> followed by this:
> postmap hash:/etc/postfix/sasl_passwd
>
> should set up user1 to be authenticated by the password clearpass
> when sending email through the host smail. Right?
>
> The groovy part of /etc/postfix/main.cf:
> #-------------------------------------------------------------------------------
>
> smtp_sasl_auth_enable = yes
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
>
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_security_options = noanonymous
>
> smtpd_recipient_restrictions =
>     permit_sasl_authenticated, reject_unauth_destination
>
> smtpd_client_restrictions = permit_sasl_authenticated, reject
> smtpd_sasl_authenticated_header = yes
>
> broken_sasl_auth_clients = yes
>
> cyrus_sasl_config_path = /usr/lib64/sasl2
>
> smtp_sasl_type = cyrus
> smtpd_sasl_type = cyrus
>
> smtpd_sasl_local_domain = $myhostname
> #-------------------------------------------------------------------------------
>
> Now, is the stuff I need to change in the part above? Or is it in
> saslauthd's smtpd.conf?
>
> more /usr/lib64/sasl2/smtpd.conf
> pwcheck_method: saslauthd
> log_level: 5
> mech_list: PLAIN LOGIN CRAM-MD5
>
> What I'm really after: I want to control (in a way I understand)
> which users get to send authenticated email.
>
> I know how to disable passwords for users in /etc/passwd, /etc/shadow,
> but I don't want root sending authenticated email. Yet I also don't want
> to disable root's password. Is there something I don't know?
> I thought I couldn't prevent root authentication for email and still
> let root log in.
>
> So, I thought /etc/postfix/sasl_passwd would be the ticket.
> List the users there and that's that. Well, I find that I've
> been testing using a user not in sasl_passwd. The tests have worked.
> So I'm clearly going against /etc/passwd.
>
> But I thought saslauthd did not support cram-md5 and digest-md5, and
> I want to use md5 to encrypt the passwords. Or at least allow it.
> Thus, I had to have PLAIN LOGIN in smtpd.conf. I surmise that
> mech_list: PLAIN LOGIN is turning on logging in through /etc/passwd.
>
> Clearly, I'm a noob.
>
> j.
>
> --
> Jay Scott 512-835-3553 g...@arlut.utexas.edu
> Head of Sun Support, Sr. Operating Systems Specialist
> Applied Research Labs, Computer Science Div. S224
> University of Texas at Austin

--
All technical questions asked privately will be automatically answered on the list and archived for public access unless privacy is explicitly required and justified.
saslfinger (debugging SMTP AUTH): <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
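
An added example, not part of the original thread and not the saslfinger script: a Python check over the two configuration fragments quoted above that reports which password store the Postfix server side (smtpd) consults. It assumes three facts about Postfix and Cyrus SASL: smtp_sasl_password_maps is read only by the Postfix SMTP client when it logs in to other servers, pwcheck_method: saslauthd hands password checks to the saslauthd daemon, and saslauthd can verify only the plaintext mechanisms PLAIN and LOGIN; the names parse and audit are hypothetical.

```python
# Config fragments copied (trimmed) from the message above.
MAIN_CF = """\
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = cyrus
"""
SMTPD_CONF = """\
pwcheck_method: saslauthd
log_level: 5
mech_list: PLAIN LOGIN CRAM-MD5
"""

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}  # all that saslauthd can verify

def parse(text, sep):
    """Parse 'key<sep>value' lines; skips comments and continuation lines."""
    out = {}
    for line in text.splitlines():
        if line[:1].isspace() or line.startswith("#") or sep not in line:
            continue
        key, value = line.split(sep, 1)
        out[key.strip()] = value.strip()
    return out

def audit(main_cf, smtpd_conf):
    """Report which password store the Postfix server side (smtpd) consults."""
    postfix, sasl = parse(main_cf, "="), parse(smtpd_conf, ":")
    findings = []
    method = sasl.get("pwcheck_method", "auxprop")  # Cyrus SASL default
    mechs = set(sasl.get("mech_list", "").upper().split())
    if postfix.get("smtpd_sasl_auth_enable") == "yes":
        findings.append("server-auth-backend: " + method)
        if method == "saslauthd":
            # saslauthd's -a option (e.g. pam) selects the account store.
            unverifiable = sorted(mechs - PLAINTEXT_MECHS)
            if unverifiable:
                findings.append("unverifiable-mechs: " + " ".join(unverifiable))
    if "smtp_sasl_password_maps" in postfix:
        # Credentials Postfix presents to remote servers, not a user list.
        findings.append("client-only: smtp_sasl_password_maps = "
                        + postfix["smtp_sasl_password_maps"])
    return findings

if __name__ == "__main__":
    print("\n".join(audit(MAIN_CF, SMTPD_CONF)))
```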