On Fri Mar 08, 2002 at 12:52:19PM -0800, David Guntner wrote:
> > Now, why you don't want to use pam. The pam authentication method
> > should be used if you *don't* use passwd/shadow authentication. For
> > instance, you would use pam if you used LDAP to authenticate logins
> > (may even work with NIS). If you want to use pam and still
> > authenticate against /etc/passwd (really, /etc/shadow), then you must
> > change /etc/shadow from mode 0600 to mode 0644. For some reason, SASL
> > will always error out, and I suspect this is because it is trying to
> > read /etc/shadow as the postfix user. This is the same thing with the
> > shadow method, which reads /etc/shadow directly. I've verified that
> > chmod'ing /etc/shadow to 0644 allows both pam and shadow to work
> > (using Evolution as a test client).
>
> Interesting. I always thought that pam had its own method of accessing
> the password file. Thanks for the information.
I would suspect the same. For everything else, it seems to be the
case. So this is most likely a problem in cyrus-sasl itself.
> > Unfortunately, that sucks and is very very insecure. /etc/shadow must
> > not be anything other than 600 as that defies its whole purpose. Now
> > *why*, when using pam method, this is required I don't know. There
> > must be something wrong in the SASL libs for this to be a requirement
> > (although searching some archives on the postfix ml, everyone seems to
> > have this issue). Note, I haven't tried it with pam using something
> > other than the system passwd file (ie. didn't test against LDAP/NIS,
> > etc.).
>
> One of the things mentioned at a web site I found describing using AUTH in
> postfix was that if you were going to use the "pwcheck_method: shadow"
> style was that they recommended that you set /etc/shadow as mode 640 and
> then change its group to a group that the postfix user belonged to. That
> way, postfix could read the file. I suspect that it would work that way as
> well WRT what you describe above (you don't need to go 644, which I agree
> is *horrible* from a security standpoint).
You could do that, but, really, I wouldn't want the shadow file
accessible by postfix either. As far as I'm concerned, shadow should
be readable only by root, no exception. Which is why I'm glad they
have the pwcheck method.
> > Now, for your case, you want to use pwcheck method. /usr/sbin/pwcheck
> > is a daemon, run as root, that acts as a go-between between postfix
> > and /etc/shadow. There is no initscript for it, and pwcheck launches
> > itself into the background, so you can just add to the end of
> > /etc/rc.d/rc.local "/usr/sbin/pwcheck". For testing, change your
> > smtpd.conf to pwcheck and just run /usr/sbin/pwcheck on the cmdline as
> > root.
>
> I will try that and let you know what happens.
Sounds good.
> > > Heck, I even tried setting "pwcheck_method: sasldb" instead, ran saslpasswd
> > > to create a user account, and the flipping thing *still* aborted when I
> > > connected to the SMTP port on my machine with sasl turned on. Argh.
> >
> > Did you restart postfix after making this change?
>
> Yea, I sure did. "/etc/init.d/postfix restart" after various changes. I
> wanted to be sure that nothing was being cached without my knowledge.
Ok, this is good.
> > If so, what kind of errors are you getting in your logs?
>
> When I connect to port 25 after doing the restart, I get the exact same
> error messages I've listed in this thread before. No variation at all.
Very very weird... I'm at my wits' end here...
> > If you run sasldblistusers as root, what does it say?
>
> # sasldblistusers
> user: mrobin realm: {myhost} mech: DIGEST-MD5
> user: mrobin realm: {myhost} mech: PLAIN
> user: mrobin realm: {myhost} mech: CRAM-MD5
> #
>
> "mrobin" is a friend of mine who I'm trying to give relay access to. :-)
Ok, this is good...
> > > Any ideas?
> >
> > I think pwcheck is your best bet for what you want. Please try that.
> > Make sure you completely restart postfix after you change your
> > smtpd.conf... I don't know if it caches the contents of that file or
> > not, but I did notice in my testing that it seemed to be required.
>
> Like I said above, I did issue a restart rather than reload command. Heck,
> I even restarted saslauthd each time as well, just in case.
Good good.
> > Also, you can read http://www.mandrakesecure.net/en/docs/postfix-sasl.php
> > which is "Enabling SASL support in postfix". I'm pretty sure it's at
> > least 99% accurate. It also has links to two other how-to's I've
> > found.
>
> I will do that for sure.
=)
> > If, after all of this, it still doesn't work, then I can only assume
> > you're cursed or something. =) Because I did verify that pam worked
> > (with 644 /etc/shadow), shadow worked (with 644 /etc/shadow), sasldb
> > worked (always has over here), and that pwcheck worked (happy 600
> > perms on /etc/shadow).
>
> Oh great, I'll go down in history.
>
> User: "I can't get this $#@!ing thing to work!"
>
> Support: "You must have the Curse Of Dave."
>
> :-)
hehehe... sounds like this may be a good phrase to adopt.
> ARGH!!! Just to try it out before sending this off, I tried setting pam
> again (because it was quicker at this point) and changed /etc/shadow to
> mode 644. I did a restart of both saslauthd and postfix. I connected to
> the SMTP port, and the flipping thing *still* errors. As usual, in the
> syslog, I see:
>
> postfix/smtpd[18867]: fatal: SASL per-process initialization failed
> postfix/master[18842]: warning: process /usr/lib/postfix/smtpd pid 18867
> exit status 1
> postfix/master[18842]: warning: /usr/lib/postfix/smtpd: bad command startup
>
> Why doesn't this thing like me? :-/
>
> Do your SASL / Postfix people have any other ideas why this is refusing to
> work? Why do I keep getting this error? Even when I make the shadow file
> readable by the world, I keep getting that error... Do they have any idea
> why the "per-process" initialization would fail, no matter what I do with
> the configuration?
Nope... they have no clue. One final thing... what does rpm -q
postfix give you? I.e. exactly what version of postfix are you using?
I can't think of anything else unless you're using an older version of
postfix than that which has the proper SASL support. But if you've
updated to the version of postfix on the updates mirrors right now, it
should work fine.
For 8.0, it is postfix-20010228-6.2mdk and for 8.1 it's
postfix-20010228-15.2mdk. If you have a version other than these, try
updating.
Failing that, maybe try removing postfix and cyrus-sasl completely
from the system, reinstall and reconfigure. I have no idea what else
it could be.
You must have the Curse of Dave... =)
--
MandrakeSoft Security; http://www.mandrakesecure.net/
"lynx -source http://www.freezer-burn.org/bios/vdanen.gpg | gpg --import"
1024D/FE6F2AFD 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD
Current Linux kernel 2.4.8-34.1mdk uptime: 1 day 1 hour 44 minutes.
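The thread turns on two settings: which pwcheck_method smtpd.conf selects, and whether /etc/shadow has been loosened so the postfix user can read it. The following audit script is an added example and is not code from the thread or from the Postfix or cyrus-sasl projects. It takes the shadow file and smtpd.conf as parameters (so it can be pointed at constructed copies), assumes a POSIX ls/sed/cut, and classifies the combination the way the discussion does: pwcheck/sasldb never need postfix to read shadow, while pam and shadow only "work" when shadow is readable by a non-root user. The saslauthd method is a later cyrus-sasl option not mentioned in the thread and is treated like pwcheck.

```shell
#!/bin/sh
# Added example (not from the original thread): audit Postfix SASL
# configuration against the permissions of the shadow file.
# Usage: sh sasl_shadow_audit.sh /etc/shadow /etc/postfix/sasl/smtpd.conf

# Return 0 (true) if group or other has any permission bit set on FILE.
# ls -l prints e.g. "-rw-r--r--"; characters 5-10 are the group/other bits.
shadow_readable_by_nonroot() {
    perms=$(ls -l "$1" | cut -c5-10)
    case "$perms" in
        ------) return 1 ;;   # only the owner (root) can touch it
        *)      return 0 ;;
    esac
}

# Print the value of the first "pwcheck_method:" line in a smtpd.conf.
pwcheck_method() {
    sed -n 's/^[[:space:]]*pwcheck_method:[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" \
        | head -n 1
}

# Print one verdict token for the SHADOW / SMTPD_CONF pair:
#   SAFE        method never reads shadow as postfix, and shadow is root-only
#   LOOSE_PERMS method never reads shadow, but shadow is still exposed
#   EXPOSED     pam/shadow method works only because shadow is readable
#   WILL_FAIL   pam/shadow method with root-only shadow (the failure in the thread)
#   UNKNOWN     no recognised pwcheck_method found
audit_sasl_config() {
    shadow=$1
    conf=$2
    method=$(pwcheck_method "$conf")
    case "$method" in
        pwcheck|saslauthd|sasldb)
            # a root daemon (pwcheck/saslauthd) or a separate db answers the
            # check; the postfix user never opens the shadow file itself
            if shadow_readable_by_nonroot "$shadow"; then
                echo LOOSE_PERMS
            else
                echo SAFE
            fi ;;
        pam|shadow)
            # both read the shadow file in the smtpd process, as the thread observes
            if shadow_readable_by_nonroot "$shadow"; then
                echo EXPOSED
            else
                echo WILL_FAIL
            fi ;;
        *)
            echo UNKNOWN ;;
    esac
}

if [ "$#" -eq 2 ]; then
    audit_sasl_config "$1" "$2"
fi
```

Run against the real files as root to get a single token; anything but SAFE means either the shadow file has been widened (a 640 with a postfix group counts, since the bits are still set for group) or the selected method cannot work without widening it.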
