ASMTP setup on 4.8

Drew Tomlinson drew at mykitchentable.net
Wed Jul 23 11:08:15 PDT 2003


----- Original Message ----- 
From: "Scot W. Hetzel" <hetzels at westbend.net>
To: "Drew Tomlinson" <drew at mykitchentable.net>; "Hajimu UMEMOTO"
<ume at mahoroba.org>
Cc: <freebsd-security at freebsd.org>
Sent: Monday, July 21, 2003 11:02 AM


> From: "Drew Tomlinson" <drew at mykitchentable.net>
> > I have also tried "pwcheck_method: pam" but then /var/log/maillog shows:
> >
> > Jul 21 09:38:34 blacklamb postfix/smtpd[66269]: warning: SASL
> > authentication problem: unknown password verifier
> > Jul 21 09:38:34 blacklamb postfix/smtpd[66269]: warning:
> > unknown[165.107.42.110]: SASL LOGIN authentication failed
> >
>
> If you want to use PAM, you need to set the pwcheck_method to saslauthd, and
> then add the following to either /etc/rc.conf or /etc/rc.conf.local:
>
> sasl_saslauthd_enable="YES"
> sasl_saslauthd_flags="-a pam"

Thanks for your help but I'm still having trouble.  :(  The contents of
/usr/local/lib/sasl2/smtpd.conf are:
pwcheck_method: saslauthd

And its permissions are:
-rw-r--r--  1 root  wheel     47 Jul 23 10:40 smtpd.conf

I've also verified correct permissions on /var/state/saslauthd:
drwxrwx---  2 cyrus  mail  512 Jul 23 10:46 saslauthd

I've verified that Postfix is a member of the mail group as this line is
in /etc/group:
mail:*:6:postfix

I manually started saslauthd for testing with this command line:
blacklamb# saslauthd -a pam -d

> Then you need to make sure PAM is configured correctly on your system:
>
> FreeBSD <=4.x:
>     1. Check /etc/pam.conf for entries for imap, pop3, and other(?)
>     2. Add an entry for sieve and cyrus, similar to your imap and pop3
> entries
>
> FreeBSD >=5.x
>     1. Check the /etc/pam.d directory for imap, pop3 and other(?) files
>         a. Make sure they are correctly configured
>     2. Copy /etc/pam.d/imap to /etc/pam.d/sieve
>     3. Copy /etc/pam.d/imap to /etc/pam.d/cyrus

I'm using FBSD 4.8.  /etc/pam.conf has the following entries:
#Mail services
imap    auth    required        pam_unix.so  try_first_pass
imap    account required        pam_unix.so
imap    session required        pam_permit.so

pop3    auth    required        pam_unix.so  try_first_pass
pop3    account required        pam_unix.so
pop3    session required        pam_permit.so

smtp    auth    required        pam_unix.so  try_first_pass
smtp    account required        pam_unix.so
smtp    session required        pam_permit.so

sieve   auth    required        pam_unix.so  try_first_pass
sieve   account required        pam_unix.so
sieve   account required        pam_unix.so
sieve   session required        pam_permit.so

cyrus   auth    required        pam_unix.so  try_first_pass
cyrus   account required        pam_unix.so
cyrus   session required        pam_permit.so

# If we don't match anything else, default to using getpwnam().
other   auth    sufficient      pam_skey.so
other   auth    required        pam_unix.so  try_first_pass
other   account required        pam_unix.so  try_first_pass

I included the "other" entries because in one of Hajimu's messages he
stated he didn't have to add anything to /etc/pam.conf as the "other"
entries took care of the request.

Anyway, I started saslauthd in debug mode and this is what it reports
when I attempt to authenticate:

saslauthd[67502] :get_accept_lock : acquired accept lock
saslauthd[67501] :rel_accept_lock : released accept lock
saslauthd[67501] :do_auth         : auth failure:
[user=<username>@blacklamb.mykitchentable.net] [service=smtp]
[realm=blacklamb.mykitchentable.net] [mech=pam] [reason=PAM auth error]

Please know that I replaced my real username with "<username>" in the
output.  I get this message whether I am attempting to authenticate with
MS Outlook, Evolution, and even from a direct telnet session with
Postfix.

I've double-checked my Postfix config with examples I've found on the
Net.  I think it's OK as it's advertising AUTH services:

Connected to blacklamb.mykitchentable.net.
Escape character is '^]'.
220 blacklamb.mykitchentable.net NO UCE ESMTP
ehlo test
250-blacklamb.mykitchentable.net
250-PIPELINING
250-SIZE 5120000
250-ETRN
250-AUTH NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-AUTH=NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-XVERP
250 8BITMIME


I assume I don't have something configured right with PAM?  Do you have
any other ideas as to what I'm doing wrong?  Everything I've read
indicates this shouldn't be this hard but I don't know what else to
check.

Thanks again for your help!

Drew

P.S.  My web server is running great after your help with FP extensions.
:)
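A small log-triage helper, added here as an example and not part of the thread or of any Cyrus SASL or Postfix tooling: it parses the two kinds of failure lines quoted above (the postfix/smtpd "warning:" lines from /var/log/maillog and the saslauthd -d "do_auth : auth failure" line) into fields and maps them to the hints Scot gave, so the same mistake can be spotted quickly on other hosts. The sample log is constructed from the lines in this thread with a made-up login name; the function names are my own.

```python
import re
from typing import Optional

# Constructed sample, modelled on the maillog and saslauthd -d lines quoted in the thread.
SAMPLE_LOG = """\
Jul 21 09:38:34 blacklamb postfix/smtpd[66269]: warning: SASL authentication problem: unknown password verifier
Jul 21 09:38:34 blacklamb postfix/smtpd[66269]: warning: unknown[165.107.42.110]: SASL LOGIN authentication failed
saslauthd[67502] :get_accept_lock : acquired accept lock
saslauthd[67501] :do_auth         : auth failure: [user=alice@blacklamb.mykitchentable.net] [service=smtp] [realm=blacklamb.mykitchentable.net] [mech=pam] [reason=PAM auth error]
"""

# saslauthd debug output: "saslauthd[PID] :do_auth : auth failure: [k=v] [k=v] ..."
SASLAUTHD_FAIL = re.compile(r"saslauthd\[(?P<pid>\d+)\] :do_auth\s*: auth failure: (?P<fields>.*)$")
FIELD = re.compile(r"\[(\w+)=([^\]]*)\]")
# Postfix smtpd warnings as written to maillog.
SMTPD_WARN = re.compile(r"postfix/smtpd\[\d+\]: warning: (?P<msg>.*)$")


def parse_saslauthd_failure(line: str) -> Optional[dict]:
    """Return the [key=value] fields of a saslauthd auth-failure line, or None."""
    m = SASLAUTHD_FAIL.search(line)
    if not m:
        return None
    fields = dict(FIELD.findall(m.group("fields")))
    fields["pid"] = int(m.group("pid"))
    return fields


def classify_smtpd_warning(line: str) -> Optional[tuple]:
    """Map a postfix/smtpd warning to (category, hint), or None if not a warning."""
    m = SMTPD_WARN.search(line)
    if not m:
        return None
    msg = m.group("msg")
    if "unknown password verifier" in msg:
        # libsasl was asked for a verifier it does not have (e.g. pwcheck_method: pam);
        # the thread's fix is pwcheck_method: saslauthd with saslauthd started with -a pam.
        return ("verifier-misconfigured",
                "smtpd.conf pwcheck_method names a verifier this libsasl cannot use; "
                "use 'pwcheck_method: saslauthd' and run saslauthd -a pam")
    if "SASL" in msg and "authentication failed" in msg:
        return ("auth-failed", "client login rejected; see the saslauthd -d output for the reason")
    return ("other-warning", msg)


def analyze(log_text: str) -> list:
    """Walk a log, returning (line_no, category, hint) for each SASL/PAM failure found."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        w = classify_smtpd_warning(line)
        if w:
            findings.append((n, w[0], w[1]))
            continue
        f = parse_saslauthd_failure(line)
        if f:
            user = f.get("user", "")
            hint = (f"PAM rejected user {user!r} for service {f.get('service')!r}: "
                    f"check that pam.conf has auth/account lines for that service")
            if "@" in user:
                # pam_unix looks the login name up in the local account database as given,
                # so a name carrying a realm suffix will not match a local account.
                hint += "; the login name carries a realm suffix, which a local-account lookup will not match"
            findings.append((n, "pam-rejected", hint))
    return findings


if __name__ == "__main__":
    for line_no, category, hint in analyze(SAMPLE_LOG):
        print(f"line {line_no}: {category}: {hint}")
```

Feed it the relevant part of /var/log/maillog together with the saslauthd -d console output; the [service=...] field it extracts is the name of the pam.conf stanza (or /etc/pam.d file on 5.x) that saslauthd actually consulted, which is the first thing to compare against the entries you added.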


