Mailinglist Archive: opensuse-security (485 mails)

Re: [suse-security] postfix/imap/cyrus-sasl and Pam backend - PARTLY SOLVED!
  • From: Markus Feilner <lists@xxxxxxxxxxxxxx>
  • Date: Fri, 12 Mar 2004 15:40:29 +0100
  • Message-id: <200403121540.29594.lists@xxxxxxxxxxxxxx>
On Thursday, 11 March 2004 18:00, Andreas Winkelmann wrote:
> On Thursday, 11 March 2004 17:03, Stephan Holl wrote:
> > > Many thanks to Andreas Winkelmann who walked me through many
> > > possibilities (was off-list) - I would have stopped far earlier.
> > >
> > > Hope that helps. But beware, you DON'T WANT TO HAVE /etc/shadow
> > > o+r !
> > >
> > > Moving postfix/smtpd into the shadow group may solve the problem
> > > better but is another security risk by itself. The page above
> > > however presents another alternative (pwcheck) so not all is
> > > lost. At least, one mystery is solved.
> >
> > Jumping in here I would like to know how the pwcheck-method
> > works... My suse 8.1 does not provide such a daemon, (or I did not
> > search hard enough :-))
> >
> > If anybody on this list has done a successful setup with postfix /
> > pwcheck on suse8.1, could you give me a hint?!
>
> "pwcheck" is another daemon. But it is not included in Suse-8.1. If
> you really want to use it, you have to build sasl yourself. Or,
> best, install a current version (2.1.18 is out) and use saslauthd if
> you want to use pam.
>
> --
> Andreas
Hello again,
;-)
I managed finally!
I did not have to change permissions on /etc/shadow,
but I had to add /etc/pam.d/imap and /etc/pam.d/pop files.
Therefore saslauthd failed and kept falling back to sasldb. Thanks
Andreas and others!!!!
Now I have: postfix using the following /usr/lib/sasl2/smtpd.conf:
    pwcheck_method: saslauthd
    mech_list: plain login
and /etc/imapd.conf:
    ...
    sasl_pwcheck_method: saslauthd
    ... (some tls definitions)
and /etc/sysconfig/saslauthd:
    SASLAUTHD_AUTHMECH=pam

and /etc/pam.d/smtp:
    auth required pam_permit.so
    account required pam_permit.so
    session required pam_permit.so
    password required pam_permit.so
and the same for /etc/pam.d/imap and /etc/pam.d/pop

Now smtp, imap and pop work - with:
    smtp: tls+plain
    pop: ssl+plain
    imap: tls+"einfacher text" - whatever that means...

Can I make that more secure?
I know that sasl->PAM won't work with md5, but how can I make my setup
safer? Or would you say this is enough? I am a little bit sceptical...

(With sasldb2 I can set up tls+md5 for smtp and imap.)
Thanks !!!
--
Kind regards
Markus Feilner
--
Linux solutions, training, seminars and workshops - also in-house
Feilner IT Linux & GIS Erlangerstr. 2 93059 Regensburg
phone: +49 941 70 65 23 - mobile: +49 170 302 709 2
web: http://feilner-it.net mail: mfeilner@xxxxxxxxxxxxxx
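
Added example, not part of the original message or thread: pam_permit.so returns success without checking anything, so a service file whose auth stack holds only that module accepts any password saslauthd passes to PAM. The Python check below classifies a PAM service file on that basis; both sample files are constructed, and pam_unix.so in the contrast case is an assumption about the distribution's password-checking module.

```python
import re

# Constructed sample: the service file layout shown in the message above.
SAMPLE_SMTP = """\
auth required pam_permit.so
account required pam_permit.so
session required pam_permit.so
password required pam_permit.so
"""

# Constructed contrast case; pam_unix.so is an assumption, substitute the
# password-checking module your distribution ships.
SAMPLE_CHECKED = """\
# checks the password against the system accounts
auth     required  pam_unix.so
account  required  pam_unix.so
"""

# type, control (keyword or [bracketed list]), module path
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def auth_modules(text):
    """Return the module names of the auth stack, in file order."""
    text = text.replace("\\\n", " ")          # join continuation lines
    mods = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        m = LINE.match(line)
        if m and m.group(1).lower() == "auth":
            mods.append(m.group(3).rsplit("/", 1)[-1])
    return mods

def classify(text):
    """'open': only pam_permit decides auth, so any password passes;
    'review': pam_permit is mixed with other modules (or include lines,
    which are not followed here), outcome depends on the control flags;
    'checked': no pam_permit in the auth stack;
    'empty': this file has no auth lines at all."""
    mods = auth_modules(text)
    if not mods:
        return "empty"
    permit = [m for m in mods if m == "pam_permit.so"]
    if len(permit) == len(mods):
        return "open"
    return "review" if permit else "checked"

if __name__ == "__main__":
    for name, text in (("smtp", SAMPLE_SMTP), ("checked", SAMPLE_CHECKED)):
        print(name, classify(text))
```

Run against the real files with classify(open("/etc/pam.d/smtp").read()); a result of "open" for smtp, imap or pop means the TLS layer is the only thing standing between a client and a successful login.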
