postfix/imap/cyrus-sasl and Pam backend
Hello List,

I am looking for a site with good information about postfix, cyrus-sasl (and later Kerberos authentication against Active Directory). I have postfix and imap running with cyrus-sasl and sasldb, but I did not manage to get it to authenticate against PAM or Kerberos. I have been googling, but I could not find a solution.

I know that:

- /etc/sysconfig/saslauthd tells saslauthd which mech to use. The entry is:
  SASLAUTHD_AUTHMECH=pam

- /usr/lib/sasl2/smtpd.conf
  pwcheck_method: saslauthd
  mechlist: plain login crammd5 digestmd5

- /etc/postfix/main.cf for testing:
  (...)
  smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject
  smtpd_sasl_auth_enable = yes
  smtpd_sasl_security_options = noanonymous
  broken_sasl_auth_clients = yes
  (...)

Now: postfix grants all users access based on user/password combinations in sasldb - and only those users. Shouldn't saslauth use the local user/password combination?

(BTW: Why does sasl with PAM only work with PLAIN?)

Thanks a lot!

--
Kind regards
Markus Feilner
--
Linux Solutions, Training, Seminars and Workshops - also in-house
Feilner IT Linux & GIS
Erlangerstr. 2
93059 Regensburg
phone: +49 941 70 65 23 - mobile: +49 170 302 709 2
web: http://feilner-it.net
mail: mfeilner@feilner-it.net
On Wednesday, 10 March 2004 12:11, Markus Feilner wrote:
> I am looking for a site with good information about postfix, cyrus-sasl (and later Kerberos authentication against Active Directory). I have postfix and imap running with cyrus-sasl and sasldb, but I did not manage to get it to authenticate against PAM or Kerberos. I have been googling, but I could not find a solution.
>
> I know that:
> - /etc/sysconfig/saslauthd tells saslauthd which mech to use. The entry is:
>   SASLAUTHD_AUTHMECH=pam
>
> - /usr/lib/sasl2/smtpd.conf
>   pwcheck_method: saslauthd
>   mechlist: plain login crammd5 digestmd5

1. "mech_list" with an underscore.
2. cram-md5 and digest-md5 do not work behind saslauthd.

  mech_list: plain login

> - /etc/postfix/main.cf for testing:
>   (...)
>   smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject
>   smtpd_sasl_auth_enable = yes
>   smtpd_sasl_security_options = noanonymous
>   broken_sasl_auth_clients = yes
>   (...)

  # postconf smtpd_sasl_local_domain

This must be empty.

> Now: postfix grants all users access based on user/password combinations in sasldb - and only those users. Shouldn't saslauth use the local user/password combination?

Please define "saslauth". I'm not sure what you mean.

> (BTW: Why does sasl with PAM only work with PLAIN?)

It works with plain and login.

--
Andreas
First of all - Thanks a lot!!!

On Wednesday, 10 March 2004 14:03, Andreas Winkelmann wrote:
>> - /usr/lib/sasl2/smtpd.conf
>>   pwcheck_method: saslauthd
>>   mechlist: plain login crammd5 digestmd5
>
> 1. "mech_list" with an underscore.
> 2. cram-md5 and digest-md5 do not work behind saslauthd.
>
>   mech_list: plain login

OK... typo :-(

>> - /etc/postfix/main.cf for testing:
>>   (...)
>>   smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject
>>   smtpd_sasl_auth_enable = yes
>>   smtpd_sasl_security_options = noanonymous
>>   broken_sasl_auth_clients = yes
>>   (...)
>
>   # postconf smtpd_sasl_local_domain
>
> This must be empty.

It is. Thanks, but I found that one, too.

>> Now: postfix grants all users access based on user/password combinations in sasldb - and only those users. Shouldn't saslauth use the local user/password combination?
>
> Please define "saslauth". I'm not sure what you mean.

O.K. I made postfix use SASL auth - by the parameters above, that means it uses saslauthd for authentication. Right? saslauthd is configured to auth against pam. Right? But: saslauthd uses user/password combinations from sasldb. Why? Where is my mistake?

>> (BTW: Why does sasl with PAM only work with PLAIN?)
>
> It works with plain and login.

Sorry, you are right. But I want to understand why I cannot use either MD5 method for that...

> --
> Andreas

--
Markus Feilner
Markus Feilner wrote:

> First of all - Thanks a lot!!!
>
>>> Now: postfix grants all users access based on user/password combinations in sasldb - and only those users. Shouldn't saslauth use the local user/password combination?
>>
>> Please define "saslauth". I'm not sure what you mean.
>
> O.K. I made postfix use SASL auth - by the parameters above, that means it uses saslauthd for authentication. Right? saslauthd is configured to auth against pam. Right?

Yes

> But: saslauthd uses user/password combinations from sasldb. Why?

IMHO, you should create a system user (as a sample, serg) and add this user to sasldb:

  saslpasswd2 -c -u <fhostname> serg

where <fhostname> is the full hostname.

Regards,
Serguei Krasnov
On Wednesday, 10 March 2004 15:29, Serguei Krasnov wrote:
> Markus Feilner wrote:
>> O.K. I made postfix use SASL auth - by the parameters above, that means it uses saslauthd for authentication. Right? saslauthd is configured to auth against pam. Right?
>
> Yes
>
>> But: saslauthd uses user/password combinations from sasldb. Why?
>
> IMHO, you should create a system user (as a sample, serg) and add this user to sasldb:
>
>   saslpasswd2 -c -u <fhostname> serg
>
> where <fhostname> is the full hostname.
>
> Regards,
> Serguei Krasnov

I did. All those accounts in sasldb can send mail (postfix-sasl-smtp) and fetch mail (cyrus-imap), if I am authenticating against saslauthd and sasldb. But can't I use the (pam) system account with password over tls+sasl?

The funny thing is: If I tell saslauthd to use pam instead of sasldb, the only difference is that I have to use PLAIN or LOGIN, and digest-MD5 is not working any longer. That seems correct, but sasldb is still used: I made some accounts in sasldb for users and gave them different passwords than the system passwords (pam). It does not seem to make any difference whether I tell saslauthd to use pam or sasldb - it always uses the passwords from sasldb. The only difference is that I have to use the insecure PLAIN or LOGIN method.

What did I do wrong?

--
Markus Feilner
On Wednesday, 10 March 2004 15:45, Markus Feilner wrote:
> I did. All those accounts in sasldb can send mail (postfix-sasl-smtp) and fetch mail (cyrus-imap), if I am authenticating against saslauthd and sasldb. But can't I use the (pam) system account with password over tls+sasl?
>
> The funny thing is: If I tell saslauthd to use pam instead of sasldb, the only difference is that I have to use PLAIN or LOGIN, and digest-MD5 is not working any longer. That seems correct, but sasldb is still used: I made some accounts in sasldb for users and gave them different passwords than the system passwords (pam). It does not seem to make any difference whether I tell saslauthd to use pam or sasldb - it always uses the passwords from sasldb. The only difference is that I have to use the insecure PLAIN or LOGIN method.
>
> What did I do wrong?

  # postconf -n
  # cat /usr/lib/sasl2/smtpd.conf
  # rcsaslauthd stop
  # saslauthd -d -a pam
  (To see some debugging output)

And the parts of your log (/var/log/messages and /var/log/mail).

--
Andreas
On Wednesday, 10 March 2004 15:18, Markus Feilner wrote:
>>> Now: postfix grants all users access based on user/password combinations in sasldb - and only those users. Shouldn't saslauth use the local user/password combination?
>>
>> Please define "saslauth". I'm not sure what you mean.
>
> O.K. I made postfix use SASL auth - by the parameters above, that means it uses saslauthd for authentication. Right?

Yes.

> saslauthd is configured to auth against pam. Right?

Yes.

> But: saslauthd uses user/password combinations from sasldb. Why?

No. saslauthd and sasldb are two different things.

> Where is my mistake?
>
>>> (BTW: Why does sasl with PAM only work with PLAIN?)
>>
>> It works with plain and login.
>
> Sorry, you are right. But I want to understand why I cannot use either MD5 method for that...

To use the *-MD5 mechanisms, Cyrus-SASL needs access to the unencrypted plaintext password. This is based on the algorithms by which these hashes are computed.

The other reason is saslauthd itself. It speaks a protocol where the lib only asks saslauthd if the password is correct:

  Lib -> saslauthd : Is "User","Realm","Password" Ok
  saslauthd -> Lib : "Ok" / "Not Ok"

That's all, no way to exchange a password.

--
Andreas
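To make Andreas's point concrete, here is an added example (not code from the thread, from Cyrus-SASL or from Postfix): a constructed PAM-like store with system user xxx / password yyy stands in for saslauthd's backend, and the yes/no oracle is the whole saslauthd protocol quoted above. PLAIN decodes to a password the server can hand to that oracle; a CRAM-MD5 response is an HMAC over the server's challenge, which only a verifier holding the secret (the sasldb/auxprop case) can recompute, so the oracle has nothing it can check.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed stand-in for the backend behind saslauthd (PAM in the thread):
# system user "xxx" with password "yyy". The sasldb copy of the same user
# (password "zzz" in the thread) is deliberately NOT here: saslauthd never
# looks at sasldb.
_PAM_LIKE_STORE = {("xxx", ""): "yyy"}


def saslauthd_check(user: str, realm: str, password: str) -> bool:
    """The entire saslauthd protocol: Is "User","Realm","Password" Ok? -> Ok / Not Ok.

    The caller only ever gets a verdict back, never the stored password."""
    stored = _PAM_LIKE_STORE.get((user, realm), "")
    return bool(stored) and hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8"))


def encode_plain(authzid: str, authcid: str, password: str) -> str:
    """Build a SASL PLAIN initial response: base64(authzid NUL authcid NUL password)."""
    raw = b"\0".join(s.encode("utf-8") for s in (authzid, authcid, password))
    return base64.b64encode(raw).decode("ascii")


def decode_plain(initial_response: str) -> tuple:
    """Split a PLAIN initial response back into (authzid, authcid, password)."""
    parts = base64.b64decode(initial_response, validate=True).split(b"\0")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN initial response")
    authzid, authcid, password = (p.decode("utf-8") for p in parts)
    return authzid, authcid, password


def verify_plain(initial_response: str) -> bool:
    """PLAIN (and LOGIN) work behind saslauthd: the server receives the clear
    password inside the TLS session and can pass it to the yes/no oracle."""
    _authzid, authcid, password = decode_plain(initial_response)
    return saslauthd_check(authcid, "", password)


def cram_md5_challenge(hostname: str) -> bytes:
    """RFC 2195 server challenge in the usual <random.timestamp@host> shape."""
    return f"<{secrets.randbits(64)}.{secrets.randbits(32)}@{hostname}>".encode("ascii")


def cram_md5_response(user: str, password: str, challenge: bytes) -> str:
    """What the client sends: 'user ' + hex(HMAC-MD5(key=password, msg=challenge)).
    The password itself never goes over the wire."""
    digest = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return f"{user} {digest}"


def verify_cram_md5_with_secret(response: str, challenge: bytes, stored_password: str) -> bool:
    """auxprop/sasldb style: the server owns the plaintext secret, so it can
    recompute the HMAC for this challenge and compare the two digests."""
    _user, _, digest = response.partition(" ")
    expected = hmac.new(stored_password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def verify_cram_md5_via_saslauthd(response: str, challenge: bytes) -> bool:
    """Behind saslauthd there is no secret to recompute the HMAC with. The only
    thing the server could forward to the oracle is the digest, and the oracle
    correctly answers "Not Ok" because a digest is not the password."""
    user, _, digest = response.partition(" ")
    return saslauthd_check(user, "", digest)
```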
On Wednesday, 10 March 2004 15:34, Andreas Winkelmann wrote:
>> O.K. I made postfix use SASL auth - by the parameters above, that means it uses saslauthd for authentication. Right?
>
> Yes.
>
>> saslauthd is configured to auth against pam. Right?
>
> Yes.
>
>> But: saslauthd uses user/password combinations from sasldb. Why?
>
> No. saslauthd and sasldb are two different things.

OK. I believe you. But it does not behave as I want it to: I have system user xxx with password yyy (pam) and SASL account xxx with password zzz in sasldb. Why can this user only send (smtp) and receive mail (imap) when he enters his sasldb password zzz, even though the setup of saslauthd is configured for pam? saslauthd is obviously using pam because only PLAIN and LOGIN are allowed; trying other methods creates errors. When I give my mail client the user data from the pam account user=xxx password=yyy, I get "SASL PLAIN authentication failed".

>> Where is my mistake?
>>
>>>> (BTW: Why does sasl with PAM only work with PLAIN?)
>>>
>>> It works with plain and login.
>>
>> Sorry, you are right. But I want to understand why I cannot use either MD5 method for that...
>
> To use the *-MD5 mechanisms, Cyrus-SASL needs access to the unencrypted plaintext password. This is based on the algorithms by which these hashes are computed.
>
> The other reason is saslauthd itself. It speaks a protocol where the lib only asks saslauthd if the password is correct:
>
>   Lib -> saslauthd : Is "User","Realm","Password" Ok
>   saslauthd -> Lib : "Ok" / "Not Ok"
>
> That's all, no way to exchange a password.

OK. I understand. That's why tls must be sufficient here. Thanks a lot!

> --
> Andreas

--
Markus Feilner
On Wednesday, 10 March 2004 16:02, Markus Feilner wrote:
>>> But: saslauthd uses user/password combinations from sasldb. Why?
>>
>> No. saslauthd and sasldb are two different things.
>
> OK. I believe you. But it does not behave as I want it to: I have system user xxx with password yyy (pam) and SASL account xxx with password zzz in sasldb. Why can this user only send (smtp) and receive mail (imap) when he enters his sasldb password zzz, even though the setup of saslauthd is configured for pam? saslauthd is obviously using pam because only PLAIN and LOGIN are allowed; trying other methods creates errors. When I give my mail client the user data from the pam account user=xxx password=yyy, I get "SASL PLAIN authentication failed".

I think what happens there is the "fallback" of Cyrus-SASL. If it does not find the smtpd.conf, the default is to use "auxprop", which uses "sasldb". Another thing can be: if you are offering mechs which cannot be handled by saslauthd, for example "cram-md5" or "digest-md5", then Cyrus-SASL uses sasldb even though saslauthd is configured.

Start saslauthd with "-d -a pam", then it prints some debugging information. Try to authenticate and check the output.

--
Andreas
On Wednesday, 10 March 2004 16:09, Andreas Winkelmann wrote:
> On Wednesday, 10 March 2004 16:02, Markus Feilner wrote:
>>>> But: saslauthd uses user/password combinations from sasldb. Why?
>>>
>>> No. saslauthd and sasldb are two different things.
>>
>> OK. I believe you. But it does not behave as I want it to: I have system user xxx with password yyy (pam) and SASL account xxx with password zzz in sasldb. Why can this user only send (smtp) and receive mail (imap) when he enters his sasldb password zzz, even though the setup of saslauthd is configured for pam? saslauthd is obviously using pam because only PLAIN and LOGIN are allowed; trying other methods creates errors. When I give my mail client the user data from the pam account user=xxx password=yyy, I get "SASL PLAIN authentication failed".
>
> I think what happens there is the "fallback" of Cyrus-SASL. If it does not find the smtpd.conf, the default is to use "auxprop", which uses "sasldb". Another thing can be: if you are offering mechs which cannot be handled by saslauthd, for example "cram-md5" or "digest-md5", then Cyrus-SASL uses sasldb even though saslauthd is configured.
>
> Start saslauthd with "-d -a pam", then it prints some debugging information. Try to authenticate and check the output.

OK, I didn't know about the fallback! I'll try that tomorrow and feed back to you ;-) Thanks again for your great help - I feel like I understand much more now.

> --
> Andreas

--
Markus Feilner
Hello,

Andreas Winkelmann wrote:
> On Wednesday, 10 March 2004 16:02, Markus Feilner wrote:
>>>> But: saslauthd uses user/password combinations from sasldb. Why?
>>>
>>> No. saslauthd and sasldb are two different things.
>>
>> OK. I believe you. But it does not behave as I want it to: I have system user xxx with password yyy (pam) and SASL account xxx with password zzz in sasldb. Why can this user only send (smtp) and receive mail (imap) when he enters his sasldb password zzz, even though the setup of saslauthd is configured for pam? saslauthd is obviously using pam because only PLAIN and LOGIN are allowed; trying other methods creates errors. When I give my mail client the user data from the pam account user=xxx password=yyy, I get "SASL PLAIN authentication failed".
>
> I think what happens there is the "fallback" of Cyrus-SASL. If it does not find the smtpd.conf, the default is to use "auxprop", which uses "sasldb". Another thing can be: if you are offering mechs which cannot be handled by saslauthd, for example "cram-md5" or "digest-md5", then Cyrus-SASL uses sasldb even though saslauthd is configured.
>
> Start saslauthd with "-d -a pam", then it prints some debugging information. Try to authenticate and check the output.

I can confirm all of Markus' observations. Incidentally, I too tried to enable SASL+TLS on my system two days ago. It doesn't work, saslauthd never bothers to use pam. Since I have a - relatively old - SuSE 8.1 system I presumed it uses an old sasl package or something like that. I don't know which version Markus is running but I make the same observations. It just doesn't work.

When I remove the /etc/sasldb file, saslauthd complains about it missing no matter what it's set to use. saslauthd was started by root using "saslauthd -d -a pam" as suggested. No change in behaviour compared to starting it normally via the init script.

Here are the logs, slightly pruned:

  server saslauthd[29341]: START: saslauthd 2.1.7
  server saslauthd[29341]: master PID is: 29341
  server saslauthd[29341]: daemon started, listening on /var/run/sasl2//mux

  ==> /var/log/messages <==
  server postfix/smtpd[29342]: unable to open Berkeley db /etc/sasldb: No such file or directory

  ==> /var/log/mail <==
  server postfix/smtpd[29342]: connect from client.domain.ch[192.168.168.10]

  ==> /var/log/warn <==
  server postfix/smtpd[29342]: unable to open Berkeley db /etc/sasldb: No such file or directory
  server postfix/smtpd[29342]: TLS connection established from client.domain.ch[192.168.168.10]: TLSv1 with cipher RC4-MD5 (128/128 bits)

  ==> /var/log/warn <==
  server last message repeated 2 times

  ==> /var/log/mail <==
  server postfix/smtpd[29342]: warning: client.domain.ch[192.168.168.10]: SASL PLAIN authentication failed
  server postfix/smtpd[29342]: warning: client.domain.ch[192.168.168.10]: SASL PLAIN authentication failed

  ==> /var/log/warn <==
  server postfix/smtpd[29342]: unable to open Berkeley db /etc/sasldb: No such file or directory

  ==> /var/log/mail <==
  server postfix/smtpd[29342]: warning: client.domain.ch[192.168.168.10]: SASL LOGIN authentication failed
  server postfix/smtpd[29342]: warning: client.domain.ch[192.168.168.10]: SASL LOGIN authentication failed

  ==> /var/log/mail <==
  server postfix/smtpd[29342]: lost connection after AUTH from client.domain.ch[192.168.168.10]
  server postfix/smtpd[29342]: disconnect from client.domain.ch[192.168.168.10]

When I put the sasldb file back, it works again, but of course it only uses the users within the sasldb file, not pam. Also there is never any pam check being done. I read that I am supposed to create the pam config file as /etc/pam.d/smtp, but when I do that, nothing changes. When I enter pam_warn.so in all directives, nothing happens. I assume it is never read. Same with the fallback "other". No logs, no nothing.

I really suspect that saslauthd is completely ignoring the "pam" directive - maybe mistakenly compiled without pam support by SuSE.

btw, it is not required that smtpd_sasl_local_domain in postfix's main.cf must be empty. If it is set, the user added to the sasldb just has to have that "domain" given when using saslpasswd -u. Of course the ultimate goal would be to use PAM and not /etc/sasldb anyhow.

--
C U - -- ---- ----- -----/\/ René Gallati \/\---- ----- --- -- -
I myself wrote:
> I can confirm all of Markus' observations. Incidentally, I too tried to enable SASL+TLS on my system two days ago. It doesn't work, saslauthd never bothers to use pam. Since I have a - relatively old - SuSE 8.1 system I presumed it uses an old sasl package or something like that. I don't know which version Markus is running but I make the same observations.
>
> It just doesn't work. When I remove the /etc/sasldb file, saslauthd complains about it missing no matter what it's set to use:
> [..]

I think I found the solution to this problem (which should solve Markus' problem as well); it solved mine, sort of. It creates a lot more problems though, so one should think twice before going that route.

It seems that everything is set correctly; however, pam auth still fails due to insufficient rights of the postfix subsystem that tries to perform the auth. Doing a

  chmod 0644 /etc/shadow

opens the password file to all the world, but it THEN works! There is no hint anywhere in any logfile pointing to this fact. I found the crucial information on this page:

  http://www.mandrakesecure.net/en/docs/postfix-sasl.php

It may be that first the file smtpd.conf must be created in /usr/lib/sasl (*not* ../lib/sasl2 - at least in the case of SuSE 8.1) with the contents:

  pwcheck_method: pam

Many thanks to Andreas Winkelmann who walked me through many possibilities (was off-list) - I would have stopped far earlier.

Hope that helps. But beware, you DON'T WANT TO HAVE /etc/shadow o+r!

Moving postfix/smtpd into the shadow group may solve the problem better but is another security risk by itself. The page above however presents another alternative (pwcheck), so not all is lost. At least one mystery is solved.

HTH.

--
René Gallati
Hello Rene,

At Thu, 11 Mar 2004 00:55:16 +0100 Rene Gallati wrote:
> Many thanks to Andreas Winkelmann who walked me through many possibilities (was off-list) - I would have stopped far earlier.
>
> Hope that helps. But beware, you DON'T WANT TO HAVE /etc/shadow o+r!
>
> Moving postfix/smtpd into the shadow group may solve the problem better but is another security risk by itself. The page above however presents another alternative (pwcheck), so not all is lost. At least one mystery is solved.

Jumping in here, I would like to know how the pwcheck method works... My SuSE 8.1 does not provide such a daemon (or I did not search hard enough :-)).

If anybody on this list did a successful setup with postfix / pwcheck on SuSE 8.1, could you give me a hint?!

Thanks in advance.

cheers
Stephan

--
Stephan Holl
Check headers for GnuPG Key!
http://www.gdf-hannover.de
17:01:55 up 1:06, 1 user, load average: 0.02, 0.01, 0.00
On Thursday, 11 March 2004 17:03, Stephan Holl wrote:
>> Many thanks to Andreas Winkelmann who walked me through many possibilities (was off-list) - I would have stopped far earlier.
>>
>> Hope that helps. But beware, you DON'T WANT TO HAVE /etc/shadow o+r!
>>
>> Moving postfix/smtpd into the shadow group may solve the problem better but is another security risk by itself. The page above however presents another alternative (pwcheck), so not all is lost. At least one mystery is solved.
>
> Jumping in here, I would like to know how the pwcheck method works... My SuSE 8.1 does not provide such a daemon (or I did not search hard enough :-)).
>
> If anybody on this list did a successful setup with postfix / pwcheck on SuSE 8.1, could you give me a hint?!

"pwcheck" is another daemon. But it is not included in SuSE 8.1. If you really want to use it, you have to build sasl yourself. Or, better, install a current version (2.1.18 is out) and use saslauthd if you want to use pam.

--
Andreas
On Thursday, 11 March 2004 18:00, Andreas Winkelmann wrote:
> On Thursday, 11 March 2004 17:03, Stephan Holl wrote:
>>> Many thanks to Andreas Winkelmann who walked me through many possibilities (was off-list) - I would have stopped far earlier.
>>>
>>> Hope that helps. But beware, you DON'T WANT TO HAVE /etc/shadow o+r!
>>>
>>> Moving postfix/smtpd into the shadow group may solve the problem better but is another security risk by itself. The page above however presents another alternative (pwcheck), so not all is lost. At least one mystery is solved.
>>
>> Jumping in here, I would like to know how the pwcheck method works... My SuSE 8.1 does not provide such a daemon (or I did not search hard enough :-)).
>>
>> If anybody on this list did a successful setup with postfix / pwcheck on SuSE 8.1, could you give me a hint?!
>
> "pwcheck" is another daemon. But it is not included in SuSE 8.1. If you really want to use it, you have to build sasl yourself. Or, better, install a current version (2.1.18 is out) and use saslauthd if you want to use pam.
>
> --
> Andreas

Hello again, ;-)

I managed finally! I did not have to change permissions on /etc/shadow, but I had to add /etc/pam.d/imap and /etc/pam.d/pop files. Therefore saslauthd failed and kept falling back to sasldb. Thanks Andreas and others!!!!

Now I have: postfix using the following /usr/lib/sasl2/smtpd.conf

  pwcheck_method: saslauthd
  mech_list: plain login

and /etc/imapd.conf:

  ...
  sasl_pwcheck_method: saslauthd
  ... (some tls definitions)

and /etc/sysconfig/saslauthd:

  SASLAUTHD_AUTHMECH=pam

and /etc/pam.d/smtp:

  auth     required pam_permit.so
  account  required pam_permit.so
  session  required pam_permit.so
  password required pam_permit.so

and the same for /etc/pam.d/imap and /etc/pam.d/pop

Now smtp, imap and pop work - with:

  smtp: tls+plain
  pop:  ssl+plain
  imap: tls+"einfacher text" - Whatever that means...

Can I make that more secure? I know that sasl->PAM won't work with md5, but how can I make my setup safer? Or would you say this is enough? I am a little bit sceptical... (With sasldb2 I can set up tls+md5 for smtp and imap.)

Thanks!!!

--
Markus Feilner
On Friday, 12 March 2004 15:40, Markus Feilner wrote:
> and /etc/pam.d/smtp:
>
>   auth     required pam_permit.so
>   account  required pam_permit.so
>   session  required pam_permit.so
>   password required pam_permit.so
>
> and the same for /etc/pam.d/imap and /etc/pam.d/pop

???? pam_permit ???? You know what it is?

> Now smtp, imap and pop work - with:
>
>   smtp: tls+plain
>   pop:  ssl+plain
>   imap: tls+"einfacher text" - Whatever that means...
>
> Can I make that more secure?

Use a real pam module. And force tls/ssl.

--
Andreas
On Friday, 12 March 2004 15:53, Andreas Winkelmann wrote:
> On Friday, 12 March 2004 15:40, Markus Feilner wrote:
>> and /etc/pam.d/smtp:
>>
>>   auth     required pam_permit.so
>>   account  required pam_permit.so
>>   session  required pam_permit.so
>>   password required pam_permit.so
>>
>> and the same for /etc/pam.d/imap and /etc/pam.d/pop
>
> ???? pam_permit ???? You know what it is?

Oh my god. Sorry for posting this foolish stuff. Thanks again, I hope nobody uses this... I found it in some documentation and tried it... Guess I have to inform the author...

>> Now smtp, imap and pop work - with:
>>
>>   smtp: tls+plain
>>   pop:  ssl+plain
>>   imap: tls+"einfacher text" - Whatever that means...
>>
>> Can I make that more secure?
>
> Use a real pam module.

OK. Any hints for a working pam configuration? The SuSE default /etc/pam.d/smtp does not work here...

> And force tls/ssl.

You mean for pop, right? smtp and imap use it. How can I force that?

> --
> Andreas

Again! THANK YOU THANK YOU!

--
Markus Feilner
On Friday, 12 March 2004 16:25, Markus Feilner wrote:
>>> Now smtp, imap and pop work - with:
>>>
>>>   smtp: tls+plain
>>>   pop:  ssl+plain
>>>   imap: tls+"einfacher text" - Whatever that means...
>>>
>>> Can I make that more secure?
>>
>> Use a real pam module.
>
> OK. Any hints for a working pam configuration? The SuSE default /etc/pam.d/smtp does not work here...

What is "default"? pam_unix2?

Make sure to clear "smtpd_sasl_local_domain" in Postfix.

  # postconf smtpd_sasl_local_domain

should be empty.

>> And force tls/ssl.
>
> You mean for pop, right? smtp and imap use it. How can I force that?

Postfix: Look for "smtpd_tls_auth_only = yes" or "smtpd_enforce_tls = yes".

Hmm, which POP/IMAP daemon do you use? I know only Cyrus-IMAP.

--
Andreas
On Friday, 12 March 2004 16:49, Andreas Winkelmann wrote:
> On Friday, 12 March 2004 16:25, Markus Feilner wrote:
>>>> Now smtp, imap and pop work - with:
>>>>
>>>>   smtp: tls+plain
>>>>   pop:  ssl+plain
>>>>   imap: tls+"einfacher text" - Whatever that means...
>>>>
>>>> Can I make that more secure?
>>>
>>> Use a real pam module.
>>
>> OK. Any hints for a working pam configuration? The SuSE default /etc/pam.d/smtp does not work here...
>
> What is "default"? pam_unix2?

Ok, my (backup of the default) file /etc/pam.d/smtp is:

  auth     required /lib/security/pam_unix_auth.so
  account  required /lib/security/pam_unix_acct.so
  password required /lib/security/pam_unix_passwd.so
  session  required /lib/security/pam_unix_session.so

and the same are pop and imap. The errors I get when I try to send/retrieve mail via the box:

POP:
  Mar 12 17:13:00 linuxbox pop3d[11665]: starttls: SSLv3 with cipher RC4-MD5 (128/128 bits new) no authentication
  Mar 12 17:13:00 linuxbox pop3d[11665]: could not find password
  (...)

IMAP:
  Mar 12 17:13:22 linuxbox saslauthd[11588]: do_auth : auth failure: [user=mfeilner] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
  Mar 12 17:13:22 linuxbox imapd[11564]: badlogin: fqdn[w.x.y.z] plaintext mfeilner SASL(-13): authentication failure: checkpass failed
  (...)

SMTP:
  Mar 12 17:17:38 linuxbox postfix/smtpd[11685]: < unknown[192.168.0.117]: AUTH PLAIN bWZlaWxuZXIAbWZlaWxuZXIAYWdhZGlyMDM=
  Mar 12 17:17:38 linuxbox postfix/smtpd[11685]: smtpd_sasl_authenticate: sasl_method PLAIN, init_response bWZlaWxuZXIAbWZlaWxuZXIAYWdhZGlyMDM=
  Mar 12 17:17:38 linuxbox postfix/smtpd[11685]: smtpd_sasl_authenticate: decoded initial response mfeilner
  Mar 12 17:17:40 linuxbox postfix/smtpd[11685]: warning: SASL authentication failure: Password verification failed
  Mar 12 17:17:40 linuxbox postfix/smtpd[11685]: warning: unknown[192.168.0.117]: SASL PLAIN authentication failed
  Mar 12 17:17:40 linuxbox postfix/smtpd[11685]: > unknown[192.168.0.117]: 535 Error: authentication failed

>   # postconf smtpd_sasl_local_domain
>
> should be empty.

It is.

>>> And force tls/ssl.
>>
>> You mean for pop, right? smtp and imap use it. How can I force that?
>
> Postfix: Look for "smtpd_tls_auth_only = yes" or "smtpd_enforce_tls = yes".

It is. ;-)

> Hmm, which POP/IMAP daemon do you use? I know only Cyrus-IMAP.

Yes. And I have the two lines in cyrus.conf:

  # pop3  cmd="pop3d"    listen="pop3"  prefork=0
  pop3s   cmd="pop3d -s" listen="pop3s" prefork=0

Those are the only ones I found concerning pop from the cyrus-imap package (of course I have the tls lines in imapd.conf).

> --
> Andreas

--
Markus Feilner
On Friday, 12 March 2004 17:36, Markus Feilner wrote:
>>> OK. Any hints for a working pam configuration? The SuSE default /etc/pam.d/smtp does not work here...
>>
>> What is "default"? pam_unix2?
>
> Ok, my (backup of the default) file /etc/pam.d/smtp is:
>
>   auth     required /lib/security/pam_unix_auth.so
>   account  required /lib/security/pam_unix_acct.so
>   password required /lib/security/pam_unix_passwd.so
>   session  required /lib/security/pam_unix_session.so

Hmm, which SuSE version do you use? Is this the same as for example "/etc/pam.d/login"?

> IMAP:
>   Mar 12 17:13:22 linuxbox saslauthd[11588]: do_auth : auth failure: [user=mfeilner] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
>   Mar 12 17:13:22 linuxbox imapd[11564]: badlogin: fqdn[w.x.y.z] plaintext mfeilner SASL(-13): authentication failure: checkpass failed
>   (...)
>
> SMTP:
>   Mar 12 17:17:38 linuxbox postfix/smtpd[11685]: smtpd_sasl_authenticate: decoded initial response mfeilner

Change your password! It's on the Internet now.

--
Andreas
On Friday, 12 March 2004 18:34, Andreas Winkelmann wrote:
> On Friday, 12 March 2004 17:36, Markus Feilner wrote:
>>>> OK. Any hints for a working pam configuration? The SuSE default /etc/pam.d/smtp does not work here...
>>>
>>> What is "default"? pam_unix2?
>>
>> Ok, my (backup of the default) file /etc/pam.d/smtp is:
>>
>>   auth     required /lib/security/pam_unix_auth.so
>>   account  required /lib/security/pam_unix_acct.so
>>   password required /lib/security/pam_unix_passwd.so
>>   session  required /lib/security/pam_unix_session.so
>
> Hmm, which SuSE version do you use? Is this the same as for example "/etc/pam.d/login"?
>
>>   Mar 12 17:17:38 linuxbox postfix/smtpd[11685]: smtpd_sasl_authenticate: decoded initial response mfeilner
>
> Change your password! It's on the Internet now.
>
> --
> Andreas

Nope. Thanks, but keep cool. ;-) That's definitely a test username on my test system. The passphrase is totally different. All I posted is from a TESTSYSTEM, running a SuSE 9.0 system tied to an Active Directory/Kerberos REALM (samba3), plus postfix/amavis/clamav/cyrus-imap+pop and other stuff (not belonging to this thread...)

Or should postfix list the password in the log file? I can't believe that... or?

However, I guess I need a good introduction to PAM. Any hints anybody?

Thanks again for helping!

--
Markus Feilner
On Friday, 12 March 2004 21:20, Markus Feilner wrote:
> totally different. All I posted is from a TESTSYSTEM, running a SuSE 9.0 system tied to an Active Directory/Kerberos REALM (samba3), plus postfix/amavis/clamav/cyrus-imap+pop and other stuff (not belonging to this thread...)

If you use 9.0, "pam_unix2.so" should be the right choice.

> Or should postfix list the password in the log file? I can't believe that... or?

Passwords are only logged if you invoke smtpd with -v(v).

> However, I guess I need a good introduction to PAM. Any hints anybody?

Maybe you find something here: http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/ (Or in /usr/share/doc/packages/pam)

--
Andreas
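The -v logging Andreas mentions is also a log-hygiene problem: a verbose smtpd writes the whole PLAIN initial response, and the blob is just base64 of "authzid NUL authcid NUL password", which is why a pasted log excerpt can give the password away. As an added example (not code from the thread or from Postfix), this scans constructed log lines in the same format as the ones posted above for decodable PLAIN responses and redacts them before a log is shared; the sample base64 encodes a made-up user and password.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Constructed sample log, modelled on the smtpd -v lines posted in the thread.
# SAMPLE_B64 encodes "testuser\0testuser\0s3cret-placeholder" (all made up).
SAMPLE_B64 = base64.b64encode(b"testuser\0testuser\0s3cret-placeholder").decode("ascii")
SAMPLE_LOG = "\n".join([
    f"Mar 12 17:17:38 linuxbox postfix/smtpd[11685]: < unknown[192.168.0.117]: AUTH PLAIN {SAMPLE_B64}",
    f"Mar 12 17:17:38 linuxbox postfix/smtpd[11685]: smtpd_sasl_authenticate: sasl_method PLAIN, init_response {SAMPLE_B64}",
    "Mar 12 17:17:38 linuxbox postfix/smtpd[11685]: smtpd_sasl_authenticate: decoded initial response testuser",
    "Mar 12 17:17:40 linuxbox postfix/smtpd[11685]: warning: unknown[192.168.0.117]: SASL PLAIN authentication failed",
    # A client that sends garbage after AUTH PLAIN; must be left alone, not crash the scanner.
    "Mar 12 17:17:41 linuxbox postfix/smtpd[11685]: < unknown[192.168.0.117]: AUTH PLAIN not-base64!!",
])

# The two places the thread shows the blob: the raw AUTH command as received,
# and smtpd_sasl_authenticate's init_response debug line.
_PLAIN_RE = re.compile(r"(AUTH PLAIN |init_response )([A-Za-z0-9+/=]+)")


def _split_plain(blob: str) -> Optional[Tuple[str, str, str]]:
    """Return (authzid, authcid, password) if blob is a well-formed PLAIN response, else None."""
    try:
        parts = base64.b64decode(blob, validate=True).split(b"\0")
    except (binascii.Error, ValueError):
        return None
    if len(parts) != 3:
        return None
    try:
        authzid, authcid, password = (p.decode("utf-8") for p in parts)
    except UnicodeDecodeError:
        return None
    return authzid, authcid, password


def find_plain_credentials(log_text: str) -> List[Tuple[int, str, str]]:
    """List (line_number, authzid, authcid) for every logged, decodable PLAIN response.

    The password is deliberately dropped: knowing that it is in the log is the finding."""
    found = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for m in _PLAIN_RE.finditer(line):
            decoded = _split_plain(m.group(2))
            if decoded is not None:
                authzid, authcid, _password = decoded
                found.append((lineno, authzid, authcid))
    return found


def redact_plain_credentials(log_text: str) -> str:
    """Replace every decodable PLAIN blob with a marker so the log can be shared safely."""
    def _sub(m: "re.Match") -> str:
        if _split_plain(m.group(2)) is None:
            return m.group(0)          # not a PLAIN response; leave the line as it was
        return m.group(1) + "[REDACTED-PLAIN]"
    return _PLAIN_RE.sub(_sub, log_text)
```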