Re: postfix with SASL over PAM
Hi Rodi,

Postfix is not in a chroot jail, and (I forgot to mention this) the user postfix is in the shadow group.

Google only has questions on this subject, but not many answers... :(

Thanks

R.M. Evers wrote:
> Hi Jose,
>
> Maybe your smtpd (smtp/smtps) is chrooted? Check your master.cf for this. And for shadow auth you probably also have to add postfix to the shadow group..
>
> Hope this helps :)
>
> Regards,
>
> -Rodi
>
> On Fri, 2003-08-29 at 00:19, Jose Alberto Guzman wrote:
> > I'm trying to get postfix to authenticate (for relaying purposes) users with SASL via PAM on woody. I've installed postfix, postfix-tls, libsasl and its modules.
> >
> > Following the READMEs, I can see that postfix does support SASL auth LOGIN and PLAIN mechanisms:
> >
> >     220 mybox.over.here ESMTP Postfix (Debian/GNU)
> >     EHLO localhost
> >     250-mybox.over.here
> >     250-PIPELINING
> >     250-SIZE 1024
> >     250-VRFY
> >     250-ETRN
> >     250-AUTH GSSAPI CRAM-MD5 DIGEST-MD5 LOGIN PLAIN
> >     250-XVERP
> >     250 8BITMIME
> >
> > But when I try to authenticate with plain (base64 encoded: 'user\0user\0password'), postfix complains with:
> >
> >     postfix/smtpd[2134]: connect from localhost[127.0.0.1]
> >     postfix/smtpd[2134]: PAM _pam_init_handlers: could not open /etc/pam.conf
> >     postfix/smtpd[2134]: PAM pam_start: failed to initialize handlers
> >     postfix/smtpd[2134]: warning: localhost[127.0.0.1]: SASL PLAIN authentication failed
> >
> > I've added the following lines to my working postfix's main.cf:
> >
> >     smtpd_sasl_auth_enable = yes
> >     smtpd_recipient_restrictions = check_relay_domains permit_mynetworks permit_sasl_authenticated
> >
> > And /etc/pam.d/smtp looks like:
> >
> >     #%PAM-1.0
> >     auth     required  pam_nologin.so
> >     auth     required  pam_unix.so
> >     auth     required  pam_env.so
> >     account  required  pam_unix.so
> >     session  required  pam_unix.so
> >     session  required  pam_limits.so
> >
> > To be on the safe side, I also added the following lines to /etc/pam.conf:
> >
> >     smtp  auth     required  pam_nologin.so
> >     smtp  auth     required  pam_unix.so
> >     smtp  auth     required  pam_env.so
> >     smtp  account  required  pam_unix.so
> >     smtp  session  required  pam_unix.so
> >     smtp  session  required  pam_limits.so
> >
> > Both pam files are world readable.
> >
> > Also, the file /etc/postfix/sasl/smtpd.conf contains:
> >
> >     pwcheck_method: pam
> >
> > and its perms are: 0644
> >
> > With sasl over shadow, it just warns: SASL PLAIN authentication failed.
> >
> > Has anyone managed to get woody's postfix to authenticate with sasl over pam?
> >
> > Thanks in advance
> >
> > José

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: postfix with SASL over PAM
Hi Jose,

> Postfix is not in a chroot jail, and (I forgot to mention this) the user postfix is in the shadow group.

I recommend running postfix chrooted and use pwcheck for authentication. Here is a quick guide how I did it:

Make sure the following packages are installed...

    postfix-tls
    sasl-bin
    libsasl-modules-plain
    libsasl2
    libsasl-gssapi-mit
    libsasl-digestmd5-des

I'm using pwcheck so since we're running postfix chrooted we have to link /var/spool/postfix/var/run/pwcheck to /var/run/pwcheck and of course create it.

    mkdir -p /var/spool/postfix/var/run/pwcheck
    chown postfix.root /var/spool/postfix/var/run/pwcheck/
    chmod 700 /var/spool/postfix/var/run/pwcheck/
    ln -s /var/spool/postfix/var/run/pwcheck /var/run/pwcheck

launch /usr/sbin/pwcheck - you may want to write a little start/stop script for /etc/init.d/pwcheck (don't forget to include the symlink in it!)

Use 'pwcheck_method: pwcheck' in /etc/postfix/sasl/smtpd.conf

In main.cf I have:

    smtpd_sasl_auth_enable=yes
    smtpd_sasl_security_options=noanonymous
    broken_sasl_auth_clients=yes
    smtpd_recipient_restrictions = reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        reject_unauth_destination,
        reject_maps_rbl,
        reject_unauth_pipelining,
        check_relay_domains

That should be all...

--
Regards
Thomas Kramer
mailto:[EMAIL PROTECTED]
Re: postfix with SASL over PAM
Hi Jose,

Maybe your smtpd (smtp/smtps) is chrooted? Check your master.cf for this. And for shadow auth you probably also have to add postfix to the shadow group..

Hope this helps :)

Regards,

-Rodi

On Fri, 2003-08-29 at 00:19, Jose Alberto Guzman wrote:
> I'm trying to get postfix to authenticate (for relaying purposes) users with SASL via PAM on woody. I've installed postfix, postfix-tls, libsasl and its modules.
>
> Following the READMEs, I can see that postfix does support SASL auth LOGIN and PLAIN mechanisms:
>
>     220 mybox.over.here ESMTP Postfix (Debian/GNU)
>     EHLO localhost
>     250-mybox.over.here
>     250-PIPELINING
>     250-SIZE 1024
>     250-VRFY
>     250-ETRN
>     250-AUTH GSSAPI CRAM-MD5 DIGEST-MD5 LOGIN PLAIN
>     250-XVERP
>     250 8BITMIME
>
> But when I try to authenticate with plain (base64 encoded: 'user\0user\0password'), postfix complains with:
>
>     postfix/smtpd[2134]: connect from localhost[127.0.0.1]
>     postfix/smtpd[2134]: PAM _pam_init_handlers: could not open /etc/pam.conf
>     postfix/smtpd[2134]: PAM pam_start: failed to initialize handlers
>     postfix/smtpd[2134]: warning: localhost[127.0.0.1]: SASL PLAIN authentication failed
>
> I've added the following lines to my working postfix's main.cf:
>
>     smtpd_sasl_auth_enable = yes
>     smtpd_recipient_restrictions = check_relay_domains permit_mynetworks permit_sasl_authenticated
>
> And /etc/pam.d/smtp looks like:
>
>     #%PAM-1.0
>     auth     required  pam_nologin.so
>     auth     required  pam_unix.so
>     auth     required  pam_env.so
>     account  required  pam_unix.so
>     session  required  pam_unix.so
>     session  required  pam_limits.so
>
> To be on the safe side, I also added the following lines to /etc/pam.conf:
>
>     smtp  auth     required  pam_nologin.so
>     smtp  auth     required  pam_unix.so
>     smtp  auth     required  pam_env.so
>     smtp  account  required  pam_unix.so
>     smtp  session  required  pam_unix.so
>     smtp  session  required  pam_limits.so
>
> Both pam files are world readable.
>
> Also, the file /etc/postfix/sasl/smtpd.conf contains:
>
>     pwcheck_method: pam
>
> and its perms are: 0644
>
> With sasl over shadow, it just warns: SASL PLAIN authentication failed.
>
> Has anyone managed to get woody's postfix to authenticate with sasl over pam?
>
> Thanks in advance
>
> José

--
Kind regards,
Rodi Evers ([EMAIL PROTECTED])
HBH Automatisering B.V.
Koningslaan 30, 1075 AD Amsterdam, The Netherlands.
Phone: +31 20 662 41 45
Fax: +31 20 676 44 78
Re: postfix with SASL over PAM
## Jose Alberto Guzman ([EMAIL PROTECTED]):

> But when I try to authenticate with plain (base64 encoded: 'user\0user\0password'), postfix complains with:
>
>     postfix/smtpd[2134]: connect from localhost[127.0.0.1]
>     postfix/smtpd[2134]: PAM _pam_init_handlers: could not open /etc/pam.conf

Are you running smtpd chrooted? If you want to use SMTP-AUTH, it might be easier to un-chroot smtpd. Elsewhere you will have to copy a lot of files (especially for SASL).

> Has anyone managed to get woody's postfix to authenticate with sasl over pam?

smtpd can't read /etc/shadow and thus PAM can't (PAM is a bunch of libraries). I used pwcheck (from sasl-bin, IIRC). Run pwcheck as root, it becomes a daemon. Then edit /etc/postfix/sasl/smtpd.conf, it should read

    pwcheck_method: pwcheck

pwcheck uses a unix socket (/var/run/pwcheck/pwcheck by default), take care smtpd can access it (think of chroot).

Regards,
cmt

--
Spare Space
postfix with SASL over PAM
I'm trying to get postfix to authenticate (for relaying purposes) users with SASL via PAM on woody. I've installed postfix, postfix-tls, libsasl and its modules.

Following the READMEs, I can see that postfix does support SASL auth LOGIN and PLAIN mechanisms:

    220 mybox.over.here ESMTP Postfix (Debian/GNU)
    EHLO localhost
    250-mybox.over.here
    250-PIPELINING
    250-SIZE 1024
    250-VRFY
    250-ETRN
    250-AUTH GSSAPI CRAM-MD5 DIGEST-MD5 LOGIN PLAIN
    250-XVERP
    250 8BITMIME

But when I try to authenticate with plain (base64 encoded: 'user\0user\0password'), postfix complains with:

    postfix/smtpd[2134]: connect from localhost[127.0.0.1]
    postfix/smtpd[2134]: PAM _pam_init_handlers: could not open /etc/pam.conf
    postfix/smtpd[2134]: PAM pam_start: failed to initialize handlers
    postfix/smtpd[2134]: warning: localhost[127.0.0.1]: SASL PLAIN authentication failed

I've added the following lines to my working postfix's main.cf:

    smtpd_sasl_auth_enable = yes
    smtpd_recipient_restrictions = check_relay_domains permit_mynetworks permit_sasl_authenticated

And /etc/pam.d/smtp looks like:

    #%PAM-1.0
    auth     required  pam_nologin.so
    auth     required  pam_unix.so
    auth     required  pam_env.so
    account  required  pam_unix.so
    session  required  pam_unix.so
    session  required  pam_limits.so

To be on the safe side, I also added the following lines to /etc/pam.conf:

    smtp  auth     required  pam_nologin.so
    smtp  auth     required  pam_unix.so
    smtp  auth     required  pam_env.so
    smtp  account  required  pam_unix.so
    smtp  session  required  pam_unix.so
    smtp  session  required  pam_limits.so

Both pam files are world readable.

Also, the file /etc/postfix/sasl/smtpd.conf contains:

    pwcheck_method: pam

and its perms are: 0644

With sasl over shadow, it just warns: SASL PLAIN authentication failed.

Has anyone managed to get woody's postfix to authenticate with sasl over pam?

Thanks in advance

José
Postfix and SASL
I'm having some trouble getting Postfix SMTP auth working. I'm using unstable postfix and postfix-tls on testing, with unstable libsasl2 and libsasl2-modules. Whenever I try to send a message from my mail client (KMail) on another box, I get this in /var/log/mail.log:

    May 6 23:54:38 rama postfix/smtpd[21897]: connect from h24-70-240-178.ed.shawcable.net[24.70.240.178]
    May 6 23:54:39 rama postfix/smtpd[21897]: TLS connection established from h24-70-240-178.ed.shawcable.net[24.70.240.178]: TLSv1 with cipher RC4-MD5 (128/128 bits)
    May 6 23:54:39 rama postfix/smtpd[21897]: warning: SASL authentication failure: cannot connect to saslauthd server: Connection refused
    May 6 23:54:39 rama postfix/smtpd[21897]: warning: h24-70-240-178.ed.shawcable.net[24.70.240.178]: SASL LOGIN authentication failed
    May 6 23:54:40 rama postfix/smtpd[21897]: disconnect from h24-70-240-178.ed.shawcable.net[24.70.240.178]

My /etc/postfix/sasl/smtpd.conf looks like this:

    # This sets smtpd to authenticate using the saslauthd daemon.
    pwcheck_method: saslauthd
    # This allows only plain and login as the authentication mechanisms.
    mech_list: plain login
    # Path to saslauthd run directory
    saslauthd_path: /var/run/saslauthd/

The relevant portions of main.cf:

    smtpd_sasl_auth_enable = yes
    smtpd_sasl_local_domain =
    smtpd_sasl_security_options = noanonymous
    broken_sasl_auth_clients = yes

I suspect that postfix is trying to use the wrong socket, or something like that. I did a netstat -ap, and found that saslauthd is indeed listening on /var/run/saslauthd/mux. I'd really appreciate any ideas anyone has on this.

Thanks,
Philip Bock
Re: Postfix and SASL
On Wed, May 07, 2003 at 06:09:17AM -, [EMAIL PROTECTED] wrote:
> I suspect that postfix is trying to use the wrong socket, or something like that. I did a netstat -ap, and found that saslauthd is indeed listening on /var/run/saslauthd/mux. I'd really appreciate any ideas anyone has on this.

Use

    strace -Ff -p PIDOFSMTPD >out 2>&1

and analyze out after you tried to connect.

Your problem comes probably with the fact that smtpd is chrooted to /var/spool/postfix by default under debian. So you need probably to link authdaemon dir to somewhere in the chroot (or mount -o bind the dir or ...), examining the strace result will give you the path searched.

I used this debugging method to make it work with pwcheck.

--
Emmanuel Lacour
Easter-eggs
44-46 rue de l'Ouest - 75014 Paris - France - Métro Gaité
Phone: +33 (0) 1 43 35 00 37 - Fax: +33 (0) 1 41 35 00 76
mailto:[EMAIL PROTECTED] - http://www.easter-eggs.com
Re: Postfix and SASL
> I'm having some trouble getting Postfix SMTP auth working. I'm using unstable postfix and postfix-tls on testing, with unstable libsasl2 and libsasl2-modules. Whenever I try to send a message from my mail client (KMail) on another box, I get this in /var/log/mail.log:
>
> <snip/>
>
> I suspect that postfix is trying to use the wrong socket, or something like that. I did a netstat -ap, and found that saslauthd is indeed listening on /var/run/saslauthd/mux. I'd really appreciate any ideas anyone has on this.

The problem is, that smtpd runs in chroot in standard-debian-packages, so it cannot access /var/run/saslauthd/mux. Either you move postfix out of chroot or you link the saslauthd-socket into the chroot (only works with hard-links, so chroot and /var/run/saslauthd must be on the same partition) or you tell saslauthd to put the mux-file directly in the chroot.

regards

--
Markus Schabel
TGM - Die Schule der Technik, IT-Service
A-1200 Wien, Wexstrasse 19-23
www.tgm.ac.at, net.tgm.ac.at
Tel.: +43(1)33126/316, Fax.: +43(1)33126/154
FSF Associate Member #597, Linux User #259595 (counter.li.org)

Computers are like airconditioners: They stop working properly if you open windows.
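The chroot diagnosis given in the replies above can be checked mechanically. The following is an added example, not part of any post in this thread: it lists the smtpd services that master.cf runs chrooted and reports the socket path smtpd will actually try to open. The function names and the sample master.cf are constructed; the last argument says what `-` means in the chroot column (`y` before Postfix 3.0, as in this thread; `n` from Postfix 3.0 on).

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the standard master.cf column
# order: service type private unpriv chroot wakeup maxproc command.

# Print the names of smtpd services that run chrooted.
# $1 = master.cf; $2 = what "-" means in the chroot column:
#      "y" on Postfix < 3.0 (the era of this thread), "n" on Postfix >= 3.0.
chrooted_smtpd_services() {
    awk -v dflt="${2:-y}" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
        /^[ \t]/                 { next }   # "-o ..." continuation lines
        {
            chroot = ($5 == "-") ? dflt : $5
            if ($8 == "smtpd" && chroot == "y") print $1
        }' "$1"
}

# Report the path smtpd will actually open for the auth daemon socket.
# $1 = master.cf, $2 = queue directory (the chroot), $3 = socket path as
# the auth daemon sees it, $4 = default for "-" (see above).
diagnose() {
    services=$(chrooted_smtpd_services "$1" "${4:-y}" | paste -sd, -)
    if [ -n "$services" ]; then target=$2$3; else target=$3; fi
    if   [ -S "$target" ]; then state=ok
    elif [ -e "$target" ]; then state=not-a-socket
    else                        state=missing
    fi
    echo "chrooted=${services:-none} path=$target state=$state"
}

# Constructed sample: one chrooted smtpd, one explicitly un-chrooted.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/master.cf" <<'EOF'
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       -       -       -       smtpd
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
pickup    fifo  n       -       -       60      1       pickup
EOF
    mkdir -p "$dir/spool"
    diagnose "$dir/master.cf" "$dir/spool" /var/run/saslauthd/mux | sed "s|$dir|TMP|"
    rm -rf "$dir"
}
demo
```

On a real host the call would be `diagnose /etc/postfix/master.cf /var/spool/postfix /var/run/saslauthd/mux`; a `missing` state for a chrooted smtpd matches the "cannot connect to saslauthd server" warning quoted in the thread.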
More Postfix and SASL excitement
I've been trying, like many others, it seems, to get postfix, tls, and sasl to play nice. TLS was easy, but sasl is turning out not to be. I've tried lots with pwcheck_method: pam in /etc/postfix/sasl/smtpd.conf, and gotten nowhere, so I thought I'd give saslauthd a try. My smtpd.conf now looks like this:

    pwcheck_method: saslauthd
    mech_list: plain login

I have saslauthd set to start in /etc/default/saslauthd, and a ps -A seems to show it running, but when I attempt to send mail from a client set to use authentication, I get these lines in /var/log/mail.info:

    Mar 27 22:13:18 rama postfix/smtpd[1035]: connect from unknown[24.70.240.178]
    Mar 27 22:13:18 rama postfix/smtpd[1035]: TLS connection established from unknown[24.70.240.178]: TLSv1 with cipher RC4-MD5 (128/128 bits)
    Mar 27 22:13:18 rama postfix/smtpd[1035]: warning: SASL authentication failure: cannot connect to saslauthd server
    Mar 27 22:13:18 rama postfix/smtpd[1035]: warning: unknown[24.70.240.178]: SASL LOGIN authentication failed
    Mar 27 22:13:23 rama postfix/smtpd[1035]: disconnect from unknown[24.70.240.178]

I managed to find something about renaming the saslauthd socket so postfix could find it (http://www.tldp.org/HOWTO/Postfix-Cyrus-Web-cyradm-HOWTO/postfix-config.html, at the bottom), but of course the files aren't laid out like that on Debian.

Anyone have any ideas?

Thanks,
Philip Bock
postfix with SASL on Debian?
Hello,

I'd like to enable postfix+sasl+courier-imap+Maildir support of Postfix on woody. Everything goes well except for postfix+sasl. What packages should I install anyway? Any instructions?

--
Patrick Hsieh [EMAIL PROTECTED]
GPG public key http://pahud.net/pubkeys/pahudatpahud.gpg