
Re: [postfix-tls] SASL LOGIN authentication failed



On Fri, Jan 09, 2004 at 06:15:45AM -0500, Michael B Allen wrote:
| 
| > I've just installed postfix-tls but it will not authenticate users with SASL. The
| > error is simply "SASL LOGIN authentication failed" but that's it.
| 
| Mmm, if I trace the pwcheck daemon it opens a UNIX domain socket
| /var/state/pwcheck/pwcheck and waits. When I send an email, nothing happens.
| Postfix isn't even trying to authenticate the user. If I run strings
| smtpd | grep pwcheck I get nada. Is it possible that postfix-tls
| isn't even configured to use pwcheck?

postfix dynamically links against the Cyrus SASL library.  Cyrus SASL
dynamically loads the modules to do the actual processing of both
input (PLAIN, LOGIN, CRAM-MD5, etc.) and, separately, the verification
(pwcheck, saslauthd, pam, etc.).

Now, let's see if I remember the details for postfix 1.1 and SASL1.
(I have been using postfix 2 and SASL2 for some time now; from testing
and unstable)  Actually, when I used postfix 1.1 and sasl1 I used the
pam method.  The problem is that it requires smtpd to be privileged and
not chrooted.  Secondly, sasl2 doesn't allow pam to be used directly.
Instead, have smtpd consult the saslauthd daemon and let saslauthd
have the privileged access to pam.  The config below will work with
sasl1, I think, but I have not tested it.

Make sure you have all the necessary packages installed.  Obviously
you need postfix-tls :-).  Install the 'libsasl-modules-plain' package
to get AUTH PLAIN capability.  That package is only a 'Recommends'
from libsasl7, not 'Depends'.  Also install the 'sasl-bin' package to
get the saslauthd daemon.


--- /etc/postfix/main.cf
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options =
# authentication "realm", ONLY FOR SASL v1
smtpd_sasl_local_domain = $mydomain

--- /etc/postfix/sasl/smtpd.cf
pwcheck_method: saslauthd
mech_list: plain

--- /etc/default/saslauthd
START=yes
MECHANISMS="pam"


Then start saslauthd (/etc/init.d/saslauthd start) and reload postfix's
configuration (/etc/init.d/postfix reload).  Then test it.  I usually
do the testing manually with telnet so that I can see precisely what
postfix is doing and compare that to the logs.  Once it works with
manual protocol tests, then I test with other software.



Regarding pwcheck, I saved the following notes:
    # http://www.thecabal.org/~devin/postfix/smtp-auth.txt

    #      pwcheck_method: pwcheck
    #
    #        This is an alternative to giving the Postfix user read access
    #        to the /etc/shadow file.  In theory, the pwcheck helper daemon
    #        runs as root and interfaces with the SASL library.  This is not
    #        yet adequately documented by Cyrus.


Hopefully this points you in the right direction.

-D

-- 
If you want to know what God thinks about money,
just look at the people He gives it to.
    -- Old Irish Saying
 
www: http://dman13.dyndns.org/~dman/            jabber: dman@dman13.dyndns.org
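
A helper for the manual telnet test described in the message above, as an added example that is not part of the original message: it checks a pasted EHLO reply for AUTH PLAIN and builds the line to type. The EHLO text, host name and credentials are constructed samples, and the function names are hypothetical.

```python
import base64

# Constructed sample of an EHLO reply (not captured from a real server).
SAMPLE_EHLO = (
    "250-mail.example.org\r\n"
    "250-PIPELINING\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH PLAIN\r\n"
    "250-AUTH=PLAIN\r\n"
    "250 8BITMIME\r\n"
)

def parse_ehlo(reply):
    """Return (set of advertised AUTH mechanisms, STARTTLS offered?)."""
    mechs, starttls = set(), False
    for line in reply.splitlines():
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            continue  # not a 250 continuation or final line
        upper = line[4:].strip().upper()
        if upper == "STARTTLS":
            starttls = True
        elif upper.startswith(("AUTH ", "AUTH=")):  # "AUTH=" is the legacy form
            mechs.update(upper[5:].split())
    return mechs, starttls

def auth_plain_response(user, password, authzid=""):
    """Initial response for AUTH PLAIN: authzid NUL authcid NUL password."""
    raw = "\0".join((authzid, user, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def decode_plain_response(b64):
    """Base64 is an encoding, not protection: without TLS the password
    is recoverable by anyone who can read the session."""
    return tuple(base64.b64decode(b64).decode("utf-8").split("\0"))

def telnet_line(reply, user, password):
    """Return the AUTH line to type, or None if PLAIN is not advertised
    (the plain module is not installed or mech_list excludes it)."""
    mechs, _ = parse_ehlo(reply)
    if "PLAIN" not in mechs:
        return None
    return "AUTH PLAIN " + auth_plain_response(user, password)

if __name__ == "__main__":
    print(parse_ehlo(SAMPLE_EHLO))
    print(telnet_line(SAMPLE_EHLO, "test", "testpass"))
```

If the function returns None for a real EHLO reply, the problem is on the mechanism side (module or mech_list) rather than in password verification by saslauthd.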
