On 5/28/2022 7:07 PM, Viktor Dukhovni wrote:
> On Sat, May 28, 2022 at 05:11:22PM -0700, Jim Garrison wrote:
>
>> Foreground saslauthd command, including debug output from
>> successful testsaslauthd but no log entries corresponding to the
>> immediately above extract from the Postfix log:
>>
>> $ sudo saslauthd -a pam -d -c -m /var/spool/postfix/var/run/saslauthd
>
> Why are you using the above "-m" option?  The SASL library is going to
> look in "/var/run/saslauthd/mux", which corresponds to the default "-m
> /var/run/saslauthd".  Unless the Postfix smtpd(8) process is chrooted,
> the default value is the only one that'll work.
>
> If you want to make saslauthd chroot-agnostic, make /var/run/saslauthd a
> symlink to /var/spool/postfix/var/run/saslauthd.  But simpler to just
> not bother with chroot.

Well, since I was making no progress with cyrus SASL I decided to
switch to Dovecot following the Postfix SASL howto, and it worked
first time.

Viktor et al, thank you for your assistance.  I've spent way too much
time on this, and should have just switched to dovecot auth at the
start.  I foolishly assumed since I had it working on the ancient
system it would be at least as easy on a modern system.

The documentation tweak I'd recommend is to more strongly steer users
towards using dovecot auth instead of cyrus SASL.  This is based on my
own experience plus reading the many posts from others, in various
forums, who were also having trouble with Cyrus SASL.

While I hate using cookbook solutions (where I cannot abstract the
intuitive understanding of what's going on under the covers), in this
case it'll have to do.  I just don't have the time or inclination to
become an expert in the architecture, design and implementation of
either Cyrus SASL or Dovecot. (sigh! so much to learn, so little time)

One possible suggestion for Postfix: Since it appears Postfix was
never able to even establish contact with Cyrus SASL, it might be nice
to detect that condition and provide a different error message than
just "authentication failed", to help with troubleshooting.  I
also appreciate that that might actually require a change in libsasl
and not Postfix.

Thanks again

--
Jim Garrison
j...@acm.org
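
The socket-path check Viktor describes in the quoted reply, written out as an added example (not part of the original thread and not Postfix or Cyrus SASL code). It assumes the default lookup path /var/run/saslauthd/mux stated in the thread, that a chrooted smtpd(8) resolves paths relative to the Postfix queue directory, and a `readlink` that supports `-f`; the function names and the optional root-prefix argument are hypothetical.

```shell
#!/bin/sh
# Added example. Assumption from the thread: libsasl looks for the socket
# at /var/run/saslauthd/mux. A chrooted smtpd(8) resolves that path
# relative to the Postfix queue directory.
SASL_DEFAULT_DIR=/var/run/saslauthd

# Print the host path that smtpd's lookup lands on.
# $1 = y|n (smtpd chrooted?)  $2 = queue directory
# $3 = optional root prefix so the check can run against a scratch tree
smtpd_lookup_path() {
    if [ "$1" = y ]; then
        printf '%s\n' "${3:-}$2$SASL_DEFAULT_DIR/mux"
    else
        printf '%s\n' "${3:-}$SASL_DEFAULT_DIR/mux"
    fi
}

# $1 = directory passed to "saslauthd -m"; $2..$4 as above.
# Succeeds when both sides resolve (symlinks followed) to one directory.
mux_paths_match() {
    listen_dir=$(readlink -f "${4:-}$1") || return 1
    lookup=$(smtpd_lookup_path "$2" "$3" "${4:-}")
    lookup_dir=$(readlink -f "$(dirname "$lookup")") || return 1
    [ "$listen_dir" = "$lookup_dir" ]
}

report() {
    lookup=$(smtpd_lookup_path "$2" "$3" "${4:-}")
    if ! mux_paths_match "$@"; then
        echo "MISMATCH: saslauthd -m $1, but smtpd opens $lookup"
    elif [ -S "$lookup" ]; then
        echo "OK: socket present at $lookup"
    else
        echo "Paths agree, but no socket at $lookup (is saslauthd running?)"
    fi
}

# Usage: sh check-mux.sh <saslauthd -m dir> <y|n> <queue dir>
if [ "$#" -ge 3 ]; then report "$@"; fi
```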
