Mailinglist Archive: opensuse-security (485 mails)

Re: [suse-security] postfix/imap/cyrus-sasl and Pam backend
  • From: Rene Gallati <security@xxxxxxxxxxxxx>
  • Date: Thu, 11 Mar 2004 00:55:16 +0100
  • Message-id: <404FAAE4.5010503@xxxxxxxxxxxxx>
I myself wrote:

> I can confirm all of Markus' observations. Incidentally, I too tried to
> enable SASL+TLS on my system two days ago. It doesn't work, saslauthd
> never bothers to use pam. Since I have an - relatively old - SuSE 8.1
> system I presumed it uses old sasl package or something like that. I
> don't know which version Markus is running but I make the same observations.
>
> It just doesn't work. When I remove the /etc/sasldb file, saslauthd
> complains about it missing no matter what it's set to use:

I think I found the solution to this problem (which should solve Markus' problem as well); it solved mine, sort of. It creates a lot more problems though, so one should think twice before going that route.

It seems that everything is set correctly, however, pam auth still fails due to insufficient rights of the postfix subsystem that tries to perform the auth.

Doing a chmod 0644 /etc/shadow opens the password file to all the world, but THEN it works!

There is no hint anywhere in any logfile pointing to this fact. I found the crucial information on this page:

It may be that first the file smtpd.conf must be created in /usr/lib/sasl (*not* ../lib/sasl2 - at least in the case of SuSE 8.1) with the contents:
pwcheck_method: pam

Many thanks to Andreas Winkelmann who walked me through many possibilities (was off-list) - I would have stopped far earlier.

Hope that helps. But beware, you DON'T WANT TO HAVE /etc/shadow o+r!

Moving postfix/smtpd into the shadow group may solve the problem better but is another security risk by itself. The page above however presents another alternative (pwcheck) so not all is lost. At least, one mystery is solved.




- -- ---- ----- -----/\/ René Gallati \/\---- ----- --- -- -
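
Added example, not part of the original message: a shell check for the two workarounds discussed above, a world-readable shadow file and the mail account being placed in the `shadow` group. The function names, the account name `postfix` in the usage comment and the file paths passed as arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). File paths are arguments so the
# checks can run against constructed copies rather than the live system files.
# Assumed usage: audit_shadow_access /etc/shadow /etc/group postfix

# Print how widely FILE is readable, judged from its `ls -l` mode string.
shadow_exposure() {
    [ -e "$1" ] || return 2
    perms=$(ls -ld -- "$1" | cut -c1-10)
    case "$perms" in
        ???????r??) echo world-readable ;;  # o+r, the result of chmod 0644
        ????r?????) echo group-readable ;;  # only the owning group can read
        *)          echo owner-only ;;
    esac
}

# Succeed if USER is listed as a supplementary member of GROUP in GROUPFILE.
# Primary-group membership (the gid field in passwd) is not checked here.
group_has_member() {  # GROUPFILE GROUP USER
    awk -F: -v g="$2" -v u="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) hit = 1 }
        END { exit hit ? 0 : 1 }' "$1"
}

# Report both workarounds from the thread; return 1 if either is in effect.
audit_shadow_access() {  # SHADOWFILE GROUPFILE MAILUSER
    rc=0
    exposure=$(shadow_exposure "$1") || return 2
    if [ "$exposure" = world-readable ]; then
        echo "FAIL: $1 is readable by every local account"; rc=1
    fi
    if group_has_member "$2" shadow "$3"; then
        echo "WARN: $3 is in group shadow and can read password hashes"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $1 is $exposure, $3 not in group shadow"
    return "$rc"
}
```
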
