Hello,

Andreas Winkelmann wrote:
> On Wednesday, 10 March 2004 16:02, Markus Feilner wrote:
>>>> But: saslauthd uses User/Password combinations from sasldb. Why?
>>> No. saslauthd and sasldb are two different things.
>> OK. I believe you. But it does not behave as I want it to: I have system user xxx with password yyy (pam) and SASL account xxx with password zzz in sasldb. Why can this user only send (smtp) and receive mail (imap) when he enters his sasldb password zzz, even though the setup of saslauthd is configured for pam? saslauthd is obviously using pam because only PLAIN and LOGIN are allowed; trying other methods creates errors. When I give my mail client the user data from the pam account user=xxx password=yyy, I get "SASL PLAIN authentication failed".
>
> I think the "fallback" from Cyrus-SASL happens there. If it does not find the smtpd.conf, the default is to use "auxprop", which uses "sasldb". Another thing can be: if you are offering mechs which cannot be handled by saslauthd, for example "cram-md5" or "digest-md5", then Cyrus-SASL uses sasldb even though saslauthd is configured.
>
> Start saslauthd with "-d -a pam", then it prints some debugging information. Try to authenticate and check the output.
I can confirm all of Markus' observations. Incidentally, I too tried to enable SASL+TLS on my system two days ago. It doesn't work, saslauthd never bothers to use pam. Since I have a - relatively old - SuSE 8.1 system I presumed it uses an old sasl package or something like that. I don't know which version Markus is running but I make the same observations. It just doesn't work.

When I remove the /etc/sasldb file, saslauthd complains about it missing no matter what it's set to use. saslauthd was started by root using "saslauthd -d -a pam" as suggested. No change in behaviour compared to when it is started normally using the init script. Here are the logs, slightly pruned:

server saslauthd[29341]: START: saslauthd 2.1.7
server saslauthd[29341]: master PID is: 29341
server saslauthd[29341]: daemon started, listening on /var/run/sasl2//mux

==> /var/log/messages <==
server postfix/smtpd[29342]: unable to open Berkeley db /etc/sasldb: No such file or directory

==> /var/log/mail <==
server postfix/smtpd[29342]: connect from client.domain.ch[192.168.168.10]

==> /var/log/warn <==
server postfix/smtpd[29342]: unable to open Berkeley db /etc/sasldb: No such file or directory
server postfix/smtpd[29342]: TLS connection established from client.domain.ch[192.168.168.10]: TLSv1 with cipher RC4-MD5 (128/128 bits)

==> /var/log/warn <==
server last message repeated 2 times

==> /var/log/mail <==
server postfix/smtpd[29342]: warning: client.domain.ch[192.168.168.10]: SASL PLAIN authentication failed
server postfix/smtpd[29342]: warning: client.domain.ch[192.168.168.10]: SASL PLAIN authentication failed

==> /var/log/warn <==
server postfix/smtpd[29342]: unable to open Berkeley db /etc/sasldb: No such file or directory

==> /var/log/mail <==
server postfix/smtpd[29342]: warning: client.domain.ch[192.168.168.10]: SASL LOGIN authentication failed
server postfix/smtpd[29342]: warning: client.domain.ch[192.168.168.10]: SASL LOGIN authentication failed

==> /var/log/mail <==
server postfix/smtpd[29342]: lost connection after AUTH from client.domain.ch[192.168.168.10]
server postfix/smtpd[29342]: disconnect from client.domain.ch[192.168.168.10]

When I put the sasldb file back, it works again, but of course it only uses the users within the sasldb file, not pam. Also there is never any pam check being done. I read that I am supposed to create the pam config file as /etc/pam.d/smtp but when I do that, nothing changes. When I enter pam_warn.so in all directives, nothing happens. I assume it is never read. Same with the fallback "other". No logs, no nothing. I really suspect that saslauthd is completely ignoring the "pam" directive - maybe mistakenly compiled without pam support by SuSE.

Btw, it is not required that smtpd_sasl_local_domain in postfix's main.cf must be empty. If it is set, the user added to the sasldb just has to have that "domain" given when using saslpasswd -u. Of course the ultimate goal would be to use PAM and not /etc/sasldb anyhow.

-- 
C U
- -- ---- ----- -----/\/ René Gallati \/\---- ----- --- -- -
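The two conditions Andreas names (no smtpd.conf or no pwcheck_method, so Cyrus-SASL defaults to auxprop and reads sasldb; or a mech_list that offers shared-secret mechanisms such as cram-md5/digest-md5, which saslauthd cannot verify, so they are answered from sasldb) can be checked before any mail client is involved. The script below is an added example, not code from this thread or from the Cyrus SASL project; it parses a Cyrus-SASL application config in "key: value" form and reports which of those conditions apply. The config path is an assumption, since it differs per distribution (e.g. /usr/lib/sasl2/smtpd.conf or /etc/sasl2/smtpd.conf), and the sample configs written by demo are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or from Cyrus SASL): check a Cyrus-SASL
# application config such as Postfix's smtpd.conf for the two conditions that
# make Cyrus-SASL consult sasldb instead of saslauthd:
#   1. no/other pwcheck_method   -> the default "auxprop" reads sasldb
#   2. mechanisms saslauthd cannot verify (cram-md5, digest-md5, ...) ->
#      they need the password itself, which only auxprop/sasldb can supply
# The config path is an assumption; it depends on the distribution.

# get_key FILE KEY: print the value of "key: value" with comments stripped and
# everything lowercased (Cyrus-SASL treats keys and mech names case-insensitively)
get_key() {
    sed 's/#.*//' "$1" | tr '[:upper:]' '[:lower:]' |
    awk -v k="$2" -F: '{
        key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key)
        if (key == k) { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }
    }'
}

# check_sasl_conf FILE: print findings; return 0 only if every offered
# mechanism will be verified by saslauthd, 1 otherwise
check_sasl_conf() {
    conf="$1"
    rc=0
    if [ ! -r "$conf" ]; then
        echo "MISSING: $conf -> Cyrus-SASL falls back to auxprop, i.e. sasldb"
        return 1
    fi
    method=$(get_key "$conf" pwcheck_method)
    case "$method" in
        saslauthd) ;;
        "") echo "NO pwcheck_method in $conf -> default is auxprop (sasldb)"; rc=1 ;;
        *)  echo "pwcheck_method is '$method', not saslauthd"; rc=1 ;;
    esac
    mechs=$(get_key "$conf" mech_list)
    if [ -z "$mechs" ]; then
        echo "NO mech_list -> every installed plugin is offered, cram-md5/digest-md5 included"
        rc=1
    else
        for m in $mechs; do
            case "$m" in
                plain|login) ;;   # cleartext mechs: saslauthd can verify these
                *) echo "MECH $m cannot be verified by saslauthd -> answered from sasldb"; rc=1 ;;
            esac
        done
    fi
    [ "$rc" -eq 0 ] && echo "OK: $conf routes every offered mechanism through saslauthd"
    return "$rc"
}

# demo: two constructed sample configs plus the missing-file case
demo() {
    dir=$(mktemp -d)
    printf 'pwcheck_method: auxprop\nmech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5\n' > "$dir/default.conf"
    printf 'pwcheck_method: saslauthd\nmech_list: PLAIN LOGIN\n' > "$dir/fixed.conf"
    for f in default fixed absent; do
        echo "== $f.conf"
        check_sasl_conf "$dir/$f.conf" || echo "   (returned $?)"
    done
    rm -rf "$dir"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it as `sh check_sasl_conf.sh --demo` to see the three cases, or call `check_sasl_conf /path/to/smtpd.conf` against the file Postfix actually reads. A config that passes only shows that Cyrus-SASL will hand PLAIN and LOGIN to saslauthd; whether saslauthd in turn reaches PAM is what Andreas's `saslauthd -d -a pam` run shows, and the `testsaslauthd` utility shipped with Cyrus SASL 2.1 exercises that path without Postfix in between.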