also sprach W.Andrew Loe III <andrew@andrewloe.com> [2004.11.05.1034 +0100]:
> I am trying to get PLAIN authentication over TLS to work with postfix.
> I am having a problem with getting saslauthd (checking against system
> users) to run. /etc/init.d/saslauthd exists, but it doesn't do anything

Make sure START=yes is set in /etc/default/saslauthd.
sh -x helps... :)

albatross:/etc/postfix# cat /etc/default/saslauthd
START=yes
MECHANISMS="pam"
PARAMS="-O /etc/saslauthd.conf -m /var/spool/postfix/var/run/saslauthd"

The last one makes sure to put the multiplexer into the postfix
chroot. You have to create the appropriate directories:

albatross:/etc/postfix# ls -la /var/spool/postfix/var/run/saslauthd [314]
total 64
drwxr-xr-x 2 root root 53 2004-10-20 15:52 ./
drwxr-xr-x 3 root root 22 2004-07-10 12:37 ../
srwxrwxrwx 1 root root 0 2004-10-20 15:52 mux=
-rw------- 1 root root 0 2004-10-20 15:52 mux.accept
-rw------- 1 root root 4 2004-10-20 15:52 saslauthd.pid

Then start saslauthd and see if the three files are created.

> properly use sasl2 not sasl, but it seems that it never finds my
> smtpd.conf, so it doesn't know to use saslauthd to check if the user
> authenticates - leaving me out in the cold :(

albatross:/etc/postfix# cat /etc/postfix/sasl/smtpd.conf
pwcheck_method: saslauthd
mech_list: plain login

Finally, here are the relevant parts from postfix:

main.cf:
smtpd_use_tls = yes
smtpd_enforce_tls = no
smtpd_tls_wrappermode = no
smtpd_sasl_auth_enable = no
smtpd_sasl_local_domain = smtprelay.madduck.net
smtpd_sasl_security_options = noanonymous, noplaintext
broken_sasl_auth_clients = no

master.cf:
smtps inet n - - - - smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_security_options=noanonymous

This will make SASL work only if you connect to port 465, which is
the standard SMTP-SSL/TLS port. Thus, use SSL/TLS on connect, not
STARTTLS.
--
Please do not send copies of list mail to me; I read the list!
.''`. martin f. krafft <madduck@debian.org>
: :' : proud Debian developer, admin, user, and author
`. `'`
`- Debian - when you have better things to do than fixing a system
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
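
Added example, not part of the original message: a small Python resolver that overlays the `-o` overrides of each master.cf entry on the main.cf defaults quoted above, showing that AUTH is offered only on the smtps service and that the override drops `noplaintext` there. The plain `smtp` service line and all function names are assumptions made for illustration.

```python
# Added example; MAIN_CF/MASTER_CF are constructed from the settings quoted in
# the mail. The plain "smtp" service line is an assumption (not in the message).
MAIN_CF = """\
smtpd_tls_wrappermode = no
smtpd_sasl_auth_enable = no
smtpd_sasl_security_options = noanonymous, noplaintext
"""
MASTER_CF = """\
smtp  inet n - - - - smtpd
smtps inet n - - - - smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_security_options=noanonymous
"""

def parse_main(text):
    """main.cf 'name = value' lines as a dict; comments and blanks skipped."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def logical_lines(text):
    """Join master.cf continuation lines (leading whitespace) to their entry."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                       # blank line or comment
        if line[0].isspace() and entries:
            entries[-1] += " " + line.strip()
        else:
            entries.append(line.strip())
    return entries

def effective(main_text, master_text):
    """Service name -> main.cf defaults overlaid with that entry's -o overrides."""
    defaults, result = parse_main(main_text), {}
    for entry in logical_lines(master_text):
        fields = entry.split()             # 8 fixed columns, then command args
        overrides = (v.split("=", 1) for f, v in zip(fields[8:], fields[9:])
                     if f == "-o" and "=" in v)
        result[fields[0]] = {**defaults, **dict(overrides)}
    return result

def auth_exposure(s):
    """Where a service offers SASL AUTH relative to TLS."""
    if s.get("smtpd_sasl_auth_enable") != "yes":
        return "no AUTH"
    wrapped = s.get("smtpd_tls_wrappermode") == "yes"
    return "AUTH inside TLS-on-connect" if wrapped else "AUTH outside wrapper-mode TLS"
```

Calling `effective(MAIN_CF, MASTER_CF)` and passing each service's settings to `auth_exposure` shows which listener accepts credentials and whether it does so only inside a TLS session.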