Re: SASL, Debian, Chroot, and authentication

From: José Luis Tallón (no email)
Date: Sun Mar 02 2003 - 13:36:09 EST


At 10:54 02/03/2003 -0500, you wrote:
>[snip]
>
>Well, I've tried playing around with it in the meantime, and if I
>change the daemon to have root privileges, and not run chroot, then
>everything works great.

As explained

>But I'm not particularly comfortable doing it like that I don't
>think. If I chroot it, or if I drop privileges for the daemon, it
>stops working,

chroot enabled => Postfix can not access /etc/shadow (obviously)
smtpd unprivileged => Postfix can not auth against /etc/shadow through PAM

>and there's not enough information in the logs to tell
>why exactly it's not working. The logging is quite strange - if I
>give the daemon root privileges but keep it chroot'ed, then I get SASL
>authentication failed messages in my logs.

Cannot access /etc/shadow, as explained

>If it has no root privileges and is not running chroot'ed, no messages
>show up in the logs except the connect from the client. (Not even the disconnect!)

That's simply an authentication failure, which is obviously not logged.
( if the requesting process is not privileged, PAM simply answers "auth
failed" )

>[snip]
>
>Thanks, I will explore this route and see what I can come up with.
>
>Is there any reasonable way to create a sasldb and keep it synced with
>/etc/shadow?

Brute force is not feasible ( you would need to "discover" each password by
brute force, then reconstruct sasldb from that )

You could chroot smtpd and copy /etc/shadow to the "jail" ( shivers ).
IIRC, this is as secure as leaving sshd enabled, Wietse said.

I finally did it by authenticating against a different process ( a good job
for TCP: map? ) via unix socket / loopback.
Try "saslauthd -a pam"

>Thanks for the tips

You're welcome!

         J.L.
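The "saslauthd -a pam" route from the reply above, spelled out as an added example that is not part of the original thread or of Postfix/Cyrus SASL themselves. It assumes the Debian layout (queue directory /var/spool/postfix, /etc/default/saslauthd read by the init script) and writes the three config fragments under a prefix directory so they can be inspected before touching the live system. The point it makes concrete: a chrooted, unprivileged smtpd never reads /etc/shadow; it only talks to saslauthd over a unix socket, and that socket has to live inside the jail and be named by its in-jail path.

```shell
#!/bin/sh
# Added example (not from the original thread): wire a chrooted, unprivileged
# Postfix smtpd to PAM via saslauthd so smtpd itself never touches /etc/shadow.
# Paths assume the Debian layout; everything is written under the prefix given
# as $1 (use "" for the real system) so it can be dry-run in a scratch directory.
set -eu

QUEUE_DIR=/var/spool/postfix          # Postfix queue_directory = root of the chroot
MUX_DIR_IN_JAIL=/var/run/saslauthd    # socket directory as smtpd sees it inside the jail

# Write the three config fragments under root $1.
write_sasl_config() {
    root=${1:-}
    mkdir -p "$root/etc/default" "$root/etc/postfix/sasl"

    # 1. saslauthd: authenticate through PAM, cache results (-c), and create the
    #    mux socket *inside* the Postfix chroot (-m) so the jailed smtpd can reach it.
    cat > "$root/etc/default/saslauthd" <<EOF
START=yes
MECHANISMS="pam"
OPTIONS="-c -m ${QUEUE_DIR}${MUX_DIR_IN_JAIL}"
EOF

    # 2. Cyrus SASL config read by smtpd (smtpd_sasl_path = smtpd in main.cf).
    #    saslauthd_path is resolved after chroot(), hence no queue-dir prefix here.
    cat > "$root/etc/postfix/sasl/smtpd.conf" <<EOF
pwcheck_method: saslauthd
saslauthd_path: ${MUX_DIR_IN_JAIL}/mux
mech_list: PLAIN LOGIN
EOF

    # 3. main.cf lines to append: SASL on, no anonymous mechanisms, and PLAIN/LOGIN
    #    only after STARTTLS so the password never crosses the wire in the clear.
    cat > "$root/etc/postfix/main.cf.sasl" <<EOF
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = yes
EOF
}

# Sanity check: is the mux directory saslauthd was told to use inside the jail?
# Returns 0 and prints "ok" if so; returns 1 (the classic "SASL authentication
# failed" with nothing useful logged) if saslauthd would listen outside it.
check_mux_in_chroot() {
    root=${1:-}
    mux=$(sed -n 's/^OPTIONS=.*-m \([^" ]*\).*/\1/p' "$root/etc/default/saslauthd")
    case "$mux" in
        "$QUEUE_DIR"/*)
            echo "ok: saslauthd mux $mux is inside $QUEUE_DIR"
            return 0 ;;
        *)
            echo "BAD: saslauthd mux '$mux' is outside the smtpd chroot $QUEUE_DIR" >&2
            return 1 ;;
    esac
}

# On the live system (root "") the remaining steps are:
#   adduser postfix sasl                        # let the postfix user open the socket
#   mkdir -p /var/spool/postfix/var/run/saslauthd
#   cat /etc/postfix/main.cf.sasl >> /etc/postfix/main.cf
#   service saslauthd restart && postfix reload
#   testsaslauthd -u alice -p 'secret' -f /var/spool/postfix/var/run/saslauthd/mux
```

Only saslauthd runs with enough privilege (via PAM) to consult /etc/shadow; smtpd stays unprivileged and chrooted, which is the separation the thread was looking for. If the mux is left at Debian's default /var/run/saslauthd, the jailed smtpd simply cannot open the socket, and the symptom is exactly the bare "SASL authentication failed" described above.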
