ASMTP setup on 4.8 -- SOLVED!!!

Drew Tomlinson drew at mykitchentable.net
Wed Jul 23 12:10:39 PDT 2003


I finally found the answer!!!  I found the following on
http://www.securitysage.com/guides/postfix_sasltls.html:

Note: As per discussions on the Postfix users mailing list, there is a
known issue in Postfix20020917/SASL2 where the smtpd_sasl_local_domain
option must be left to an empty (null) value, otherwise SASL2 will not
authenticate.

In /usr/local/etc/postfix/main.cf I had "smtpd_sasl_local_domain =
$myhostname" as shown in the various examples on the net.  Based on the
above, I changed it to "smtpd_sasl_local_domain =" and now it works.

Thanks to both of you for your help and patience.

Drew

----- Original Message ----- 
From: "Drew Tomlinson" <drew at mykitchentable.net>
To: "Scot W. Hetzel" <hetzels at westbend.net>; "Hajimu UMEMOTO"
<ume at mahoroba.org>
Cc: <freebsd-security at freebsd.org>
Sent: Wednesday, July 23, 2003 11:08 AM
Subject: Re: ASMTP setup on 4.8


> ----- Original Message ----- 
> From: "Scot W. Hetzel" <hetzels at westbend.net>
> To: "Drew Tomlinson" <drew at mykitchentable.net>; "Hajimu UMEMOTO"
> <ume at mahoroba.org>
> Cc: <freebsd-security at freebsd.org>
> Sent: Monday, July 21, 2003 11:02 AM
>
>
> > From: "Drew Tomlinson" <drew at mykitchentable.net>
> > > I have also tried "pwcheck_method: pam" but then /var/log/maillog shows:
> > >
> > > Jul 21 09:38:34 blacklamb postfix/smtpd[66269]: warning: SASL
> > > authentication problem: unknown password verifier
> > > Jul 21 09:38:34 blacklamb postfix/smtpd[66269]: warning:
> > > unknown[165.107.42.110]: SASL LOGIN authentication failed
> > >
> >
> > If you want to use PAM, you need to set the pwcheck_method to saslauthd, and
> > then add the following to either /etc/rc.conf or /etc/rc.conf.local:
> >
> > sasl_saslauthd_enable="YES"
> > sasl_saslauthd_flags="-a pam"
>
> Thanks for your help but I'm still having trouble.  :(  The contents of
> /usr/local/lib/sasl2/smtpd.conf are:
> pwcheck_method: saslauthd
>
> And its permissions are:
> -rw-r--r--  1 root  wheel     47 Jul 23 10:40 smtpd.conf
>
> I've also verified correct permissions on /var/state/saslauthd:
> drwxrwx---  2 cyrus  mail  512 Jul 23 10:46 saslauthd
>
> I've verified that Postfix is a member of the mail group as this line is
> in /etc/group:
> mail:*:6:postfix
>
> I manually started saslauthd for testing with this command line:
> blacklamb# saslauthd -a pam -d
>
> > Then you need to make sure PAM is configured correctly on your system:
> >
> > FreeBSD <=4.x:
> >     1. Check /etc/pam.conf for entries for imap, pop3, and other(?)
> >     2. Add an entry for sieve and cyrus, similar to your imap and pop3
> >        entries
> >
> > FreeBSD >=5.x
> >     1. Check the /etc/pam.d directory for imap, pop3 and other(?) files
> >         a. Make sure they are correctly configured
> >     2. Copy /etc/pam.d/imap to /etc/pam.d/sieve
> >     3. Copy /etc/pam.d/imap to /etc/pam.d/cyrus
>
> I'm using FBSD 4.8.  /etc/pam.conf has the following entries:
> #Mail services
> imap    auth    required        pam_unix.so  try_first_pass
> imap    account required        pam_unix.so
> imap    session required        pam_permit.so
>
> pop3    auth    required        pam_unix.so  try_first_pass
> pop3    account required        pam_unix.so
> pop3    session required        pam_permit.so
>
> smtp    auth    required        pam_unix.so  try_first_pass
> smtp    account required        pam_unix.so
> smtp    session required        pam_permit.so
>
> sieve   auth    required        pam_unix.so  try_first_pass
> sieve   account required        pam_unix.so
> sieve   account required        pam_unix.so
> sieve   session required        pam_permit.so
>
> cyrus   auth    required        pam_unix.so  try_first_pass
> cyrus   account required        pam_unix.so
> cyrus   session required        pam_permit.so
>
> # If we don't match anything else, default to using getpwnam().
> other   auth    sufficient      pam_skey.so
> other   auth    required        pam_unix.so  try_first_pass
> other   account required        pam_unix.so  try_first_pass
>
> I included the "other" entries because in one of Hajimu's messages he
> stated he didn't have to add anything to /etc/pam.conf as the "other"
> entries took care of the request.
>
> Anyway, I started saslauthd in debug mode and this is what it reports
> when I attempt to authenticate:
>
> saslauthd[67502] :get_accept_lock : acquired accept lock
> saslauthd[67501] :rel_accept_lock : released accept lock
> saslauthd[67501] :do_auth         : auth failure:
> [user=<username>@blacklamb.mykitchentable.net] [service=smtp]
> [realm=blacklamb.mykitchentable.net] [mech=pam] [reason=PAM auth error]
>
> Please know that I replaced my real username with "<username>" in the
> output.  I get this message whether I am attempting to authenticate with
> MS Outlook, Evolution, and even from a direct telnet session with
> Postfix.
>
> I've double-checked my Postfix config with examples I've found on the
> Net.  I think it's OK as it's advertising AUTH services:
>
> Connected to blacklamb.mykitchentable.net.
> Escape character is '^]'.
> 220 blacklamb.mykitchentable.net NO UCE ESMTP
> ehlo test
> 250-blacklamb.mykitchentable.net
> 250-PIPELINING
> 250-SIZE 5120000
> 250-ETRN
> 250-AUTH NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
> 250-AUTH=NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
> 250-XVERP
> 250 8BITMIME
>
>
> I assume I don't have something configured right with PAM?  Do you have
> any other ideas as to what I'm doing wrong?  Everything I've read
> indicates this shouldn't be this hard but I don't know what else to
> check.
>
> Thanks again for your help!
>
> Drew
>
> P.S.  My web server is running great after your help with FP extensions.
> :)
>
>
>
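
Added example (not part of the original messages and not Postfix or Cyrus code): a small shell check for the combination this thread ended on, "pwcheck_method: saslauthd" together with a non-empty smtpd_sasl_local_domain. The sample files, the temporary directory and the function names are constructed for illustration; on a real host, point the functions at the two paths named in the thread.

```shell
#!/bin/sh
# Print the effective value of parameter $2 in main.cf file $1.
# Handles comments, indented continuation lines and "last definition wins".
main_cf_value() {
    awk -v want="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # comment or blank line
        /^[ \t]/ {                              # continuation of previous line
            if (cur == want) { sub(/^[ \t]+/, ""); val = val " " $0 }
            next
        }
        {
            eq = index($0, "="); cur = ""
            if (eq == 0) next
            cur = substr($0, 1, eq - 1); gsub(/[ \t]/, "", cur)
            if (cur == want) { val = substr($0, eq + 1); found = 1 }
        }
        END { gsub(/^[ \t]+|[ \t]+$/, "", val); if (found) print val }
    ' "$1"
}

# $1 = main.cf, $2 = SASL smtpd.conf. Returns 1 when saslauthd is the
# password verifier and smtpd_sasl_local_domain is set to anything.
check_sasl_config() {
    method=$(sed -n 's/^pwcheck_method:[[:space:]]*//p' "$2" | tail -n 1)
    domain=$(main_cf_value "$1" smtpd_sasl_local_domain)
    if [ "$method" = "saslauthd" ] && [ -n "$domain" ]; then
        echo "WARN: $1: smtpd_sasl_local_domain = $domain (thread's fix: leave it empty)"
        return 1
    fi
    echo "OK: $1"
}

# Constructed sample files: the setting before and after the fix.
make_samples() {
    printf 'pwcheck_method: saslauthd\n' > "$1/smtpd.conf"
    cat > "$1/main.cf.before" <<'EOF'
# constructed sample, not a complete main.cf
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
EOF
    sed 's/^\(smtpd_sasl_local_domain =\).*/\1/' "$1/main.cf.before" > "$1/main.cf.after"
}

tmp=$(mktemp -d)
make_samples "$tmp"
check_sasl_config "$tmp/main.cf.before" "$tmp/smtpd.conf" || true
check_sasl_config "$tmp/main.cf.after" "$tmp/smtpd.conf"
rm -rf "$tmp"
```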


