On Tue, Apr 20, 2010 at 05:18:48PM +0200, Gregory BELLIER wrote:

> I managed to have an authentication but it's really weird. I'm on Debian 
> Lenny.
>
> In /etc/default/saslauthd on both mta1 and mta2, I have:
> START=yes
> DESC="SASL Authentication Daemon"
> NAME="saslauthd"
> MECHANISMS="shadow"
> MECH_OPTIONS=""
> THREADS=5
> OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
>
> mta1:/etc/postfix# more /etc/postfix/sasl/smtpd.conf
> pwcheck_method: saslauthd

Is this where Postfix is configured to look for the "smtpd.conf" file?
I don't recall seeing any configuration settings that make it so...

Debian may have patches that make this location the default, but do check
that you are using the right pathname...

To use ${config_directory} for the SASL "smtpd.conf" I have (non-Debian
system):

    main.cf:
        # Postfix 2.5+, with Cyrus SASL 2.1.22+
        # http://www.postfix.org/postconf.5.html#cyrus_sasl_config_path
        #
        cyrus_sasl_config_path = ${config_directory}

    smtpd.conf:
        pwcheck_method: saslauthd
        mech_list: PLAIN

    I use PAM, the saslauthd daemon is running as

        # ps -o pid,args -p $(pgrep -P 1 saslauthd)
        PID  COMMAND
        3821 saslauthd -m /var/run/saslauthd -a pam

Have you checked the options with which saslauthd is actually running?

    For completeness, since I use PAM, the PAM stack is:
        auth         requisite    pam_krb5.so.1 auth_only
        account      required     pam_localuser.so file=/etc/postfix/saslusers
        password     required     pam_deny.so
        session      required     pam_deny.so

    The saslusers file limits which accounts are allowed to authenticate:

        joeuser:x:NN:NN:submit SASL user:/:

> The authentication I now have, only works if I set a sasldb which is by 
> default in /etc/sasldb2 but because of the chroot, I need to copy it (maybe 
> a link would be enough, I haven't tested yet) in /var/spool/postfix/etc
>
> I don't understand why I need this sasldb while I configured for shadow...

Either Postfix is not configured to use saslauthd, or saslauthd is not
configured as you believe.

-- 
        Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment.  If you are interested, please drop me a note.
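
An added example, not part of the original message and not Postfix or Cyrus SASL code: a shell check of the chain discussed in this thread (is smtpd.conf readable in the directory the SASL library searches, does it select saslauthd, and does the running daemon's socket directory sit inside the Postfix chroot). The function names, temporary paths and sample command lines are assumptions; the check relies on the Cyrus SASL default of pwcheck_method: auxprop (sasldb) when no smtpd.conf is found.

```shell
# Added example; every path and command line used here is constructed.

# Print the value of "key: value" in a Cyrus SASL config file (empty if absent).
sasl_opt() {  # $1=file $2=key
    [ -r "$1" ] || return 0
    awk -F: -v k="$2" '$1 == k { sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+$/, ""); v = $0 }
                       END { if (v != "") print v }' "$1"
}

# Print the word following a flag (-a, -m) in a saslauthd command line.
saslauthd_arg() {  # $1=command line as shown by ps, $2=flag
    printf '%s\n' "$1" |
        awk -v f="$2" '{ for (i = 1; i < NF; i++) if ($i == f) { print $(i + 1); exit } }'
}

# $1 = directory searched for smtpd.conf (cyrus_sasl_config_path)
# $2 = command line saslauthd is actually running with
# $3 = Postfix chroot directory, or "" when smtpd is not chrooted
check_sasl_chain() {
    conf="$1/smtpd.conf"
    if [ ! -r "$conf" ]; then
        echo "FAIL: $conf not readable, library default pwcheck_method is auxprop (sasldb)"
        return 1
    fi
    method=$(sasl_opt "$conf" pwcheck_method)
    if [ "$method" != "saslauthd" ]; then
        echo "FAIL: pwcheck_method is '${method:-unset}', saslauthd is never asked"
        return 1
    fi
    backend=$(saslauthd_arg "$2" -a)
    sockdir=$(saslauthd_arg "$2" -m)
    [ -n "$backend" ] || { echo "FAIL: saslauthd is running without -a"; return 1; }
    if [ -n "$3" ]; then
        case "$sockdir" in
            "$3"/*) ;;  # socket is visible to the chrooted smtpd
            *) echo "FAIL: socket dir '$sockdir' is outside chroot $3"; return 1 ;;
        esac
    fi
    echo "OK: backend=$backend socket=$sockdir"
}

# Demo on constructed input: one consistent setup, one with smtpd.conf missing.
demo=$(mktemp -d)
printf 'pwcheck_method: saslauthd\nmech_list: PLAIN\n' > "$demo/smtpd.conf"
check_sasl_chain "$demo" "saslauthd -a shadow -c -m /var/spool/postfix/var/run/saslauthd -n 5" /var/spool/postfix || true
check_sasl_chain "$demo/missing" "saslauthd -a shadow -m /var/run/saslauthd" /var/spool/postfix || true
rm -rf "$demo"
```

On a live system the first argument would come from `postconf -h cyrus_sasl_config_path` and the second from the `ps` command shown in the message above.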
