ASMTP setup on 4.8
Drew Tomlinson
drew at mykitchentable.net
Wed Jul 23 11:08:15 PDT 2003
----- Original Message -----
From: "Scot W. Hetzel" <hetzels at westbend.net>
To: "Drew Tomlinson" <drew at mykitchentable.net>; "Hajimu UMEMOTO"
<ume at mahoroba.org>
Cc: <freebsd-security at freebsd.org>
Sent: Monday, July 21, 2003 11:02 AM
> From: "Drew Tomlinson" <drew at mykitchentable.net>
> > I have also tried "pwcheck_method: pam" but then /var/log/maillog
shows:
> >
> > Jul 21 09:38:34 blacklamb postfix/smtpd[66269]: warning: SASL
> > authentication problem: unknown password verifier
> > Jul 21 09:38:34 blacklamb postfix/smtpd[66269]: warning:
> > unknown[165.107.42.110]: SASL LOGIN authentication failed
> >
>
> If you want to use PAM, you need to set the pwcheck_method to
saslauthd, and
> then add the following to either /etc/rc.conf or /etc/rc.conf.local:
>
> sasl_saslauthd_enable="YES"
> sasl_saslauthd_flags="-a pam"
Thanks for your help but I'm still having trouble. :( The contents of
/usr/local/lib/sasl2/smtpd.conf are:
pwcheck_method: saslauthd
And it's permissions are:
-rw-r--r-- 1 root wheel 47 Jul 23 10:40 smtpd.conf
I've also verified correct permissions on /var/state/saslauthd:
drwxrwx--- 2 cyrus mail 512 Jul 23 10:46 saslauthd
I've verified that Postfix is a member of the mail group as this line is
in /etc/group:
mail:*:6:postfix
I manually started saslauthd for testing with this command line:
blacklamb# saslauthd -a pam -d
> Then you need to make sure PAM is configured correctly on your system:
>
> FreeBSD <=4.x:
> 1. Check /etc/pam.conf for entries for imap, pop3, and other(?)
> 2. Add an entry for sieve and cyrus, similar to your imap and pop3
> entries
>
> FreeBSD >=5.x
> 1. Check the /etc/pam.d directroy for imap, pop3 and other(?)
files
> a. Make sure they are correctly configured
> 2. Copy /etc/pam.d/imap to /etc/pam.d/sieve
> 3. Copy /etc/pam.d/imap to /etc/pam.d/cyrus
I'm using FBSD 4.8. /etc/pam.conf has the following entries:
#Mail services
imap auth required pam_unix.so try_first_pass
imap account required pam_unix.so
imap session required pam_permit.so
pop3 auth required pam_unix.so try_first_pass
pop3 account required pam_unix.so
pop3 session required pam_permit.so
smtp auth required pam_unix.so try_first_pass
smtp account required pam_unix.so
smtp session required pam_permit.so
sieve auth required pam_unix.so try_first_pass
sieve account required pam_unix.so
sieve account required pam_unix.so
sieve session required pam_permit.so
cyrus auth required pam_unix.so try_first_pass
cyrus account required pam_unix.so
cyrus session required pam_permit.so
# If we don't match anything else, default to using getpwnam().
other auth sufficient pam_skey.so
other auth required pam_unix.so try_first_pass
other account required pam_unix.so try_first_pass
I included the "other" entries because in one of Hajimu's messages he
stated he didn't have to add anything to /etc/pam.conf as the "other"
entries took care of the request.
Anyway, I started saslauthd in debug mode and this is what it reports
when I attempt to authenticate:
saslauthd[67502] :get_accept_lock : acquired accept lock
saslauthd[67501] :rel_accept_lock : released accept lock
saslauthd[67501] :do_auth : auth failure:
[user=<username>@blacklamb.mykitchentable.net] [service=smtp]
[realm=blacklamb.mykitchentable.net] [mech=pam] [reason=PAM auth error]
Please know that I replaced my real username with "<username>" in the
output. I get this message whether I am attempting to authenticate with
MS Outlook, Evolution, and even from a direct telnet session with
Postfix.
I've double-checked my Postfix config with examples I've found on the
Net. I think it's OK as it's advertising AUTH services:
Connected to blacklamb.mykitchentable.net.
Escape character is '^]'.
220 blacklamb.mykitchentable.net NO UCE ESMTP
ehlo test
250-blacklamb.mykitchentable.net
250-PIPELINING
250-SIZE 5120000
250-ETRN
250-AUTH NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-AUTH=NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-XVERP
250 8BITMIME
I assume I don't have something configured right with PAM? Do you have
any other ideas as to what I'm doing wrong? Everything I've read
indicates this shouldn't be this hard but I don't know what else to
check.
Thanks again for your help!
Drew
P.S. My web server is running great after your help with FP extensions.
:)
More information about the freebsd-security
mailing list