Postfix logging some OTP related permission denied messages

Michael Powell nightrecon at verizon.net
Sun Jun 29 13:46:58 UTC 2008


आशीष शुक्ल Ashish Shukla wrote:

> Hi,
> 
> I'm running 7.0-RELEASE-p2 (amd64). I'm running Postfix 2.5.1_2,1 mail
> server instead of the default Sendmail which ships with base distribution.
> 
> My mail server is working fine with no issues except that I noticed
> some messages in /var/log/messages:
> 
> ---->8---->8----
> Jun 29 03:12:45 chateau postfix/smtpd[1159]: OTP unavailable because can't read/write key database /etc/opiekeys: Permission denied
> Jun 29 03:18:22 chateau postfix/smtpd[1535]: OTP unavailable because can't read/write key database /etc/opiekeys: Permission denied
> Jun 29 03:23:55 chateau postfix/smtpd[1873]: OTP unavailable because can't read/write key database /etc/opiekeys: Permission denied
> Jun 29 04:18:25 chateau postfix/smtpd[78118]: OTP unavailable because can't read/write key database /etc/opiekeys: Permission denied
> Jun 29 16:07:11 chateau postfix/smtpd[1712]: OTP unavailable because can't read/write key database /etc/opiekeys: Permission denied
> Jun 29 16:07:17 chateau postfix/smtpd[1712]: OTP unavailable because can't read/write key database /etc/opiekeys: Permission denied
> Jun 29 16:13:30 chateau postfix/smtpd[2125]: OTP unavailable because can't read/write key database /etc/opiekeys: Permission denied
> ----8<----8<----
> 
> I've not done anything explicitly to turn on support for One-time
> passwords in my system.
> 
> Any ideas, reasons behind these messages?
> 
> TIA

Greetings:

I've seen some suggestions which involve making changes for allowing the
access to the files, but my thoughts are if you are not making use of this
feature this would be tantamount to a small form of security violation.

The shortcut is probably just to give the group 'mail' rw permissions to
opiekeys and don't overly muck with a config that works correctly.

If, when you installed Postfix, it installed cyrus-sasl as a dependency, you
might try going into /usr/ports/security/cyrus-sasl2 and doing make config
and clearing the checkbox option near the bottom "OTP Enable OTP auth",
then make deinstall, and make reinstall.

However, my Postfix is only an extremely basic install and I've never seen
these messages. A snippet from my Postfix main.cf:

# sasl config
broken_sasl_auth_clients = yes
smtpd_sasl_local_domain =

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/usr/local/etc/postfix/sasl_passwd
smtp_sasl_security_options =

#smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks
#smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks

and with regard to sasl in /etc/rc.conf I have:

saslauthd_enable="YES"
saslauthd_flags="-a sasldb"

I've also noticed the following in my /etc/group file, but I believe it has
no bearing on this problem.

mail:*:6:postfix

Since I didn't build Cyrus-SASL without OTP I suspect it is turned on or
somehow being activated in your Postfix config. The docs also say there is
supposed to be an SASL config file somewhere in /usr/local/lib/sasl2, but
I've never seen one.

 

-Mike
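
An audit of the three things this thread turns on, as an added example that is not part of the original post or of any project's own tooling: whether the key database has been opened beyond its owner, whether an OTP plugin is installed in the SASL plugin directory, and how often smtpd logged the denial. The function names are hypothetical, the default paths are the ones quoted in the thread, and the plugin file name pattern libotp* is an assumption.

```shell
#!/bin/sh
# Added example: audit the OTP exposure discussed in this thread.
# Function names are hypothetical; the libotp* plugin name is an assumption.

# Succeeds (0) if FILE grants read or write access to group or other.
opiekeys_loosened() {
    [ -e "$1" ] || return 1
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -020 \
        -o -perm -004 -o -perm -002 \) -print)" ]
}

# Prints OTP mechanism plugins found under the SASL plugin directory.
otp_plugins() {
    [ -d "$1" ] || return 0
    find "$1" -name 'libotp*' -print | sort
}

# Prints how many smtpd OTP key-database denials appear in LOGFILE.
count_otp_denials() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c 'postfix/smtpd\[[0-9]*]: OTP unavailable because' "$1" || true
}

# Summarises all three checks; arguments override the default paths.
otp_report() {
    keys=${1:-/etc/opiekeys}
    plugdir=${2:-/usr/local/lib/sasl2}
    log=${3:-/var/log/messages}
    echo "OTP denials logged in $log: $(count_otp_denials "$log")"
    if opiekeys_loosened "$keys"; then
        echo "WARNING: $keys is accessible beyond its owner"
    else
        echo "OK: $keys is not group/other accessible (or is absent)"
    fi
    plugins=$(otp_plugins "$plugdir")
    if [ -n "$plugins" ]; then
        echo "OTP plugin present; rebuild cyrus-sasl2 without OTP if unused:"
        echo "$plugins"
    else
        echo "No OTP plugin found in $plugdir"
    fi
}

otp_report "$@"
```
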



