Thanks, both Thomas and HyperAxe, for bringing that to my attention. I'm
still confused though.
I've made the permissions changes that you suggested, Thomas.
When I do an ethereal packet capture between the SMTP and LDAP servers
(actually capturing on loopback) I don't get any connections to LDAP unless
I'm doing POP3 requests... the SMTP server denies the incoming relay
attempt without even checking the password with the LDAP server.
If POP3 can connect (using the same files in the control directory for
credentials as SMTP), then there has got to be another problem going on.
Is there any way to trace what files are being accessed within a given
timeframe... kinda like the Linux equivalent of Winternals Filemon? Just
to verify that indeed there isn't a file permissions issue here?
Moreover, whenever I attempt to SMTP AUTH, it logs something like this in
/var/log/qmail/smtpd/current:
@4000000042dfba2a0e9832cc tcpserver: status: 1/20
@4000000042dfba2a0f62d5cc tcpserver: pid 12398 from <my-ip>
@4000000042dfba2a0fa3befc tcpserver: ok 12398 mail.mydomain.com:<servers-ip>:25 :<clients-ip>::48418
@4000000042dfba2f14df19fc tcpserver: end 12398 status 256
@4000000042dfba2f14df5494 tcpserver: status: 0/20
Is there a way that I can change my qmail-smtpd/run/log or qmail-smtpd/run
script to log more helpful information?
Thanks again. You guys have been ever so helpful!
-- Jason
----- Original Message -----
From: "Tomas Kuliavas" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Thursday, July 21, 2005 10:57 AM
Subject: Re: smtp auth
Thanks, HyperAxe. That fixed my immediate problem... Now it actually
tries to authenticate when I roam... which is exactly what I wanted. :-)
The new problem is with authentication. It rejects whatever
username/password combo that I put in... I'm guessing that relates with
my failure to configure my qmail-smtpd/run script correctly.
The Life with qmail-ldap book is outdated. The current version of Qmail-LDAP does
not need extra arguments in qmail-smtpd. Check
/var/qmail/boot/qmail-smtpd/run
Check the mailing list history. I think information about setting up SMTP auth in
qmail-ldap was posted several times.
-----------------
Since the 20031001 patch, QmailLDAP supports the SMTP authentication protocol (RFC
2554). Use of the 20050401 patch or later is recommended. Only the PLAIN
authentication schema is supported. CRAM-MD5 and DIGEST-MD5 authentication
schemas are not implemented. CRAM-MD5 requires features that are not
enabled in qmail-ldap by default. DIGEST-MD5 requires a specific user name
layout (I think).
SMTP authentication is enabled by adding the SMTPAUTH variable to tcpserver's
environment. If you use the daemontools (http://cr.yp.to/daemontools.html)
startup scripts supplied by qmail-ldap 20031101 or later, you can do that
by adding
<pre>
:allow,SMTPAUTH=""
</pre>
to /var/qmail/control/qmail-smtpd.rules and running the command 'make' in the
/var/qmail/control directory.
If you set the SMTPAUTH value to TLSREQUIRED (SMTPAUTH="TLSREQUIRED"), then
authentication will work only in TLS-encrypted sessions. See the information
about compiling and installing qmail-ldap with TLS support.
In order to authenticate users, the SMTP server's user (normally qmaild) must
be able to validate the password entered by the user against the information stored in
the LDAP userPassword field. Access to this field is usually restricted, and the
qmaild user does not have enough privileges to access the LDAP connection
information.
There are two possible solutions to this problem.
The first solution is to give read access rights to the qmaild user or the nofiles
group on the /var/qmail/control/ldappassword configuration file.
<pre>
# chgrp nofiles /var/qmail/control/ldappassword
# chmod 640 /var/qmail/control/ldappassword
</pre>
or
<pre>
# chmod 400 /var/qmail/control/ldappassword
# chown qmaild /var/qmail/control/ldappassword
</pre>
The second solution is to enable ldaprebind in /var/qmail/control/ldaprebind.
<pre>
# echo 1 > /var/qmail/control/ldaprebind
</pre>
If LDAP rebind is used, the qmaild user must be able to retrieve the user's DN in
an anonymous LDAP connection and authenticate to the LDAP server with the retrieved
user's DN and the password provided by the user. The password schema used in the
userPassword field must be supported by the LDAP server's authentication
system.
--
Tomas
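An added example (not from this thread and not qmail-ldap's own code) showing why the SMTPAUTH="TLSREQUIRED" setting described above matters: the only supported schema, PLAIN, sends the credentials as base64 over a NUL-separated triple, so a packet capture of a non-TLS session recovers the password directly. The sample credentials and the small model of the SMTPAUTH setting are constructed assumptions.

```python
import base64

# Constructed sample credentials; not real accounts.
SAMPLE_USER = "[email protected]"
SAMPLE_PASS = "correct horse"


def encode_plain(authcid: str, passwd: str, authzid: str = "") -> str:
    """Build the SASL PLAIN initial response: authzid NUL authcid NUL passwd,
    base64-encoded (RFC 4616), as carried by SMTP AUTH (RFC 2554)."""
    raw = b"\0".join(s.encode("utf-8") for s in (authzid, authcid, passwd))
    return base64.b64encode(raw).decode("ascii")


def decode_plain(response: str) -> tuple:
    """Recover (authzid, authcid, passwd) from a captured AUTH PLAIN response.
    base64 is an encoding, not encryption: whoever sees the TCP payload
    (e.g. in an ethereal capture) gets the password back with this call."""
    raw = base64.b64decode(response, validate=True)
    parts = raw.split(b"\0")
    if len(parts) != 3:
        raise ValueError("PLAIN message must contain exactly two NUL separators")
    return tuple(p.decode("utf-8") for p in parts)


def server_advertises_auth(smtpauth_value, tls_active: bool) -> bool:
    """Assumed model of the documented SMTPAUTH behaviour: unset -> no AUTH;
    "" -> AUTH offered on every session; "TLSREQUIRED" -> AUTH only once
    the session is TLS-encrypted."""
    if smtpauth_value is None:
        return False
    if smtpauth_value == "TLSREQUIRED":
        return tls_active
    return True


def credential_exposed(smtpauth_value, tls_active: bool) -> bool:
    """True when a PLAIN login would cross the wire in cleartext."""
    return server_advertises_auth(smtpauth_value, tls_active) and not tls_active


if __name__ == "__main__":
    blob = encode_plain(SAMPLE_USER, SAMPLE_PASS)
    print("C: AUTH PLAIN", blob)
    print("decoded from capture:", decode_plain(blob))
    for setting in (None, "", "TLSREQUIRED"):
        for tls in (False, True):
            print(f"SMTPAUTH={setting!r} tls={tls} exposed={credential_exposed(setting, tls)}")
```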