Mailinglist Archive: opensuse-security (485 mails)

Re: [suse-security] postfix/imap/cyrus-sasl and Pam backend
  • From: Rene Gallati <security@xxxxxxxxxxxxx>
  • Date: Wed, 10 Mar 2004 20:43:32 +0100
  • Message-id: <404F6FE4.4010908@xxxxxxxxxxxxx>
Hello,

Andreas Winkelmann wrote:

> On Wednesday, 10 March 2004 at 16:02, Markus Feilner wrote:
>
>>>> But: saslauthd uses User/Password combinations from sasldb. Why?
>>>
>>> No. saslauthd and sasldb are two different things.
>>
>> OK. I believe you.
>> But it does not behave as I want it to:
>> I have system user xxx with password yyy (pam) and saslaccount xxx with
>> password zzz in sasldb.
>> Why can this user only send (smtp) and receive mail (imap) when he
>> enters his sasldb password zzz, even though the setup of saslauthd is
>> configured for pam? saslauthd is obviously using pam because only PLAIN
>> and LOGIN are allowed, trying other methods creates errors.
>> When I give my mail client the user data from the pam account user=xxx
>> password=yyy, I get "SASL PLAIN authentication failed".
>
> I think what happens there is the "fallback" of Cyrus-SASL. If it does not find the
> smtpd.conf, the default is to use "auxprop", which uses "sasldb". Another thing
> can be, if you are offering mechs which cannot be handled by saslauthd, for
> example "cram-md5" or "digest-md5", then Cyrus-SASL uses sasldb even though
> saslauthd is configured.
>
> Start saslauthd with "-d -a pam", then it prints some debugging information.
> Try to authenticate and check the output.
>


I can confirm all of Markus' observations. Incidentally, I too tried to
enable SASL+TLS on my system two days ago. It doesn't work; saslauthd
never bothers to use pam. Since I have a relatively old SuSE 8.1
system, I presumed it uses an old sasl package or something like that. I
don't know which version Markus is running, but I make the same observations.

It just doesn't work. When I remove the /etc/sasldb file, saslauthd
complains about it missing no matter what it's set to use:

Saslauthd was started by root using "saslauthd -d -a pam" as suggested.
No change in behaviour compared to starting it normally via the init script.

Here are the logs, slightly pruned:

server saslauthd[29341]: START: saslauthd 2.1.7
server saslauthd[29341]: master PID is: 29341
server saslauthd[29341]: daemon started, listening on /var/run/sasl2//mux
==> /var/log/messages <==
server postfix/smtpd[29342]: unable to open Berkeley db /etc/sasldb: No
such file or directory
==> /var/log/mail <==
server postfix/smtpd[29342]: connect from client.domain.ch[192.168.168.10]
==> /var/log/warn <==
server postfix/smtpd[29342]: unable to open Berkeley db /etc/sasldb: No
such file or directory
server postfix/smtpd[29342]: TLS connection established from
client.domain.ch[192.168.168.10]: TLSv1 with cipher RC4-MD5 (128/128 bits)
==> /var/log/warn <==
server last message repeated 2 times
==> /var/log/mail <==
server postfix/smtpd[29342]: warning: client.domain.ch[192.168.168.10]:
SASL PLAIN authentication failed
server postfix/smtpd[29342]: warning: client.domain.ch[192.168.168.10]:
SASL PLAIN authentication failed
==> /var/log/warn <==
server postfix/smtpd[29342]: unable to open Berkeley db /etc/sasldb: No
such file or directory
==> /var/log/mail <==
server postfix/smtpd[29342]: warning: client.domain.ch[192.168.168.10]:
SASL LOGIN authentication failed
server postfix/smtpd[29342]: warning: client.domain.ch[192.168.168.10]:
SASL LOGIN authentication failed
==> /var/log/mail <==
server postfix/smtpd[29342]: lost connection after AUTH from
client.domain.ch[192.168.168.10]
server postfix/smtpd[29342]: disconnect from
client.domain.ch[192.168.168.10]


When I put the sasldb file back, it works again, but of course only uses
the users within the sasldb file, not pam.

Also there is never any pam check being done. I read that I am supposed
to create the pam-config file as /etc/pam.d/smtp but when I do that,
nothing changes. When I enter pam_warn.so in all directives, nothing
happens. I assume it is never read. Same with the fallback "other". No
logs, no nothing.

I really suspect that saslauthd is completely ignoring the "pam"
directive - maybe mistakenly compiled without pam support by suse.

By the way, it is not required that smtpd_sasl_local_domain in postfix's
main.cf be empty. If it is set, the user added to the sasldb just
has to have that "domain" given when using saslpasswd -u. Of course the
ultimate goal would be to use PAM and not /etc/sasldb anyhow.
--

C U

- -- ---- ----- -----/\/ René Gallati \/\---- ----- --- -- -
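As an added example (not code from this mail or from the Cyrus SASL project), a small POSIX shell check for the two fallback conditions Andreas names: a missing smtpd.conf or a missing/non-saslauthd pwcheck_method (the default is auxprop, i.e. sasldb), and a mech_list that offers mechanisms saslauthd cannot verify, which Cyrus SASL then serves from sasldb. The option names pwcheck_method and mech_list are real Cyrus SASL settings not spelled out in the mail; the sample configs are constructed.

```shell
#!/bin/sh
# Check a Cyrus SASL application config (Postfix reads smtpd.conf) for the two
# conditions from the thread that make Cyrus SASL consult sasldb instead of
# saslauthd (and therefore PAM). Prints findings; returns 0 when every offered
# mech will be verified through saslauthd, 1 otherwise.
check_sasl_conf() {
    conf="$1"
    status=0
    if [ ! -f "$conf" ]; then
        echo "MISSING: $conf not found; Cyrus SASL defaults to auxprop, i.e. sasldb"
        return 1
    fi
    # Pull the last "key: value" line for each option; blank if the key is absent.
    method=$(sed -n 's/^[[:space:]]*pwcheck_method[[:space:]]*:[[:space:]]*//p' "$conf" | tail -n 1)
    mechs=$(sed -n 's/^[[:space:]]*mech_list[[:space:]]*:[[:space:]]*//p' "$conf" | tail -n 1)
    case "$method" in
        saslauthd) ;;
        "") echo "BAD: no pwcheck_method; the default is auxprop (sasldb)"; status=1 ;;
        *)  echo "BAD: pwcheck_method is '$method', not saslauthd"; status=1 ;;
    esac
    if [ -z "$mechs" ]; then
        echo "BAD: no mech_list; every compiled-in mech is offered, including shared-secret ones that need sasldb"
        status=1
    else
        # saslauthd only verifies plaintext credentials, so only PLAIN and LOGIN can reach PAM.
        for m in $mechs; do
            case "$(printf '%s' "$m" | tr '[:lower:]' '[:upper:]')" in
                PLAIN|LOGIN) ;;
                *) echo "BAD: mech $m cannot be checked by saslauthd; sasldb will be used for it"; status=1 ;;
            esac
        done
    fi
    return "$status"
}

# Constructed sample configs (not taken from the mail) to exercise the check;
# prints the directory they were written to.
write_samples() {
    dir=$(mktemp -d)
    printf 'pwcheck_method: saslauthd\nmech_list: PLAIN LOGIN\n' > "$dir/good.conf"
    # Also offers DIGEST-MD5, the case Andreas describes: that mech falls back to sasldb.
    printf 'pwcheck_method: saslauthd\nmech_list: PLAIN LOGIN DIGEST-MD5\n' > "$dir/mixed.conf"
    # No pwcheck_method at all: the auxprop default, so sasldb again.
    printf 'mech_list: PLAIN LOGIN\n' > "$dir/default.conf"
    echo "$dir"
}
```

Point check_sasl_conf at the smtpd.conf Postfix actually loads; the mail does not say where that is on the SuSE 8.1 box, and the search path varies by distribution.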
