From: Lutz Jaenicke (no email)
Date: Sat Nov 01 2003 - 02:16:21 EST
Note to "postfix-users": the same problem was sent with a different
Subject to "postfix-users"...
On Sat, Nov 01, 2003 at 04:05:13AM +0100, Denny Schierz wrote:
> my postfix (2.x) servers want to authenticate to my relay server (same
> postfix version) with digest-md5 or cram-md5. It fails with:
>
> example output:
>
> username="test.test.de",realm="s15144503.rootmaster.info",nonce="fBBfmTWk9G1wsrkPuQsQeY0gaROxop1PCBotcNOG9Yg=",cnonce="aKOLNAMd1Xg2DQN5WQzcx9zvXZFQ+fc2t3pJi8eCFyI=",nc=00000001,qop=auth,digest-uri="smtp/cstroot.dyndns.org",response=0fdb6fd2f8cb8a1ecf003fc261d83b4c
> Nov 1 03:02:35 s15144503 postfix/smtpd[23598]: warning: SASL
> authentication failure: no secret in database

Did you notice this information: no secret in database...

> The server supports Digest:
>
> s15144503 root # telnet localhost 25
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> 220 huhu, where you are?
> EHLO test
> 250-s15144503.rootmaster.info
> 250-PIPELINING
> 250-SIZE 10240000
> 250-ETRN
> 250-AUTH NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
> 250-AUTH=NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
> 250-XVERP
> 250 8BITMIME

Actually, the server announces that it supports DIGEST-MD5. Whether this is
true or not depends on your setup. If you are using a trapdoor
mechanism (like /etc/passwd), only cleartext passwords as LOGIN or
PLAIN can actually be used. SASL will however offer all mechanisms
compiled in unless you adapt the list of supported mechanisms to the
working ones by adding a
    mech_list: login plain
directive to smtpd.conf.

I am not familiar with pam->mysql, so I don't know whether it technically
could be used with digest type authentication. In any case the manual
page of saslauthd is clear:
    saslauthd is a daemon process that handles plaintext authentication
    requests on behalf of the SASL library.
So when using saslauthd you must restrict the list of options to
plaintext (LOGIN, PLAIN) anyway!

> something is not working :-/ Both servers have the same version of
> cyrus-sasl and postfix with same options (runs not in chroot). On the
> relay server runs saslauthd (pam -> mysql).

Aha, so the saslauthd information does answer the question!

> I disabled cram and digest, but now postfix authenticate with ntlm :-/.
> Only login/plain is working, but I don't know, how to tell postfix to
> authenticate via login/plain.

Postfix client will use the list of options offered by the server...

Best regards,
Lutz
--
Lutz Jaenicke
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
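
Added example (not part of the original message, and not Postfix or Cyrus SASL code): a Python check that compares the mechanisms a server advertises in its EHLO reply with what a saslauthd-only smtpd.conf can actually verify. The function names and the sample smtpd.conf are constructed for illustration; the AUTH lines are the ones quoted in the message.

```python
import re

# Only mechanisms that hand the server the cleartext password can be checked
# by saslauthd (see the manual page sentence quoted in the message).
PLAINTEXT_MECHS = {"LOGIN", "PLAIN"}

# Constructed sample: an smtpd.conf that uses saslauthd and has no mech_list.
SAMPLE_CONF = "# constructed example\npwcheck_method: saslauthd\n"

# AUTH lines as they appear in the EHLO reply quoted in the message.
SAMPLE_EHLO = """250-s15144503.rootmaster.info
250-AUTH NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-AUTH=NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250 8BITMIME"""


def parse_sasl_conf(text):
    """Parse Cyrus SASL 'key: value' lines (as in smtpd.conf) into a dict."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        conf[key.strip().lower()] = value.strip()
    return conf


def advertised_mechs(ehlo_reply):
    """Collect mechanisms from '250-AUTH ...' and '250-AUTH=...' lines."""
    mechs = set()
    for line in ehlo_reply.splitlines():
        m = re.match(r"250[- ]AUTH[ =](.*)$", line.strip(), re.IGNORECASE)
        if m:
            mechs.update(tok.upper() for tok in m.group(1).split())
    return mechs


def unusable_mechs(conf_text, ehlo_reply):
    """Advertised mechanisms that cannot succeed when saslauthd is the only verifier."""
    conf = parse_sasl_conf(conf_text)
    if conf.get("pwcheck_method", "").lower().split() != ["saslauthd"]:
        return set()  # assumption: other password backends are out of scope here
    return advertised_mechs(ehlo_reply) - PLAINTEXT_MECHS


if __name__ == "__main__":
    bad = unusable_mechs(SAMPLE_CONF, SAMPLE_EHLO)
    print("advertised but unusable with saslauthd:", sorted(bad))
```

An empty result after adding the mech_list line and reloading the server means the advertised list matches what saslauthd can verify.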