Re: cyrus sasl2 and authentication [LONG]

From: Patrick Ben Koetter (p at state-of-mind dot de)
Date: Tue Mar 17 2009 - 15:45:46 EDT

  • Next message: Peter Blair: "Re: Dropping rejected mail from a transport server"

    * LuKreme <>:
    > On 17-Mar-2009, at 11:47, Andreas Winkelmann wrote:
    >>> On 17-Mar-2009, at 03:49, LuKreme wrote:
    >>
    >>>> I've made sure that /var/run/saslauthd/ is owned by root:postfix (it
    >>>> was root:mail) and have removed the authdaemon_path line and am
    >>>> trying again. Hopefully this was it.
    >>>
    >>> That wasn't it, and the ownership by root:mail shouldn't matter as
    >>> the postfix user is part of the mail group. I think I've read
    >>> everything twice, and am stumped.
    >>>
    >>> Should I just start over and install dovecot (cyrus was the only
    >>> option way back in the day)?
    >>
    >> Did you check Patrick's hint about the stored Passwords in your SQL-
    >> Server?
    >> Cyrus-SASL auxprop is bound to cleartext Passwords. If you have
    >> crypted Passwords, you have to patch Cyrus-SASL.
    >
    > Ah... I must have missed that. <looks back>
    >
    > Oh, well, that must be it then. passwords from postfixadmin are stored
    > in md5crypt.
    >
    > (they look like $1$a28cb10c$wzblsb81Kv.F7vnMtqlEf.)
    >
    > So, more on this patching of Cyrus-SASL?

    Don't use the patch. It's old and it braindamages Cyrus SASL. You can use
    crypted passwords with Cyrus SASL, if you set it up this way:

    Postfix -> libsasl -> saslauthd (PAM) -> PAM mysql -> Mysql DB

    That gives you plaintext mechanisms only on client to server communication,
    but that's okay as long as you require clients to establish a TLS session
    before they may authenticate. Set this to allow plaintext mechs during TLS
    only:

    smtpd_sasl_security_options = noplaintext, noanonymous
    smtpd_sasl_tls_security_options = noanonymous

    As for the PAM part in the sasl authentication, start saslauthd like this:

    saslauthd -a pam -m /path/to/the/socket

    In /etc/pam.d/smtp configure the PAM Mysql part (I haven't done so yet, so I
    can't be of any help).

    p at rick

    -- 
    All technical answers asked privately will be automatically answered on
    the list and archived for public access unless privacy is explicitly
    required and justified.
    saslfinger (debugging SMTP AUTH):
    <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
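    An added audit helper for the two points in this reply (not code from the thread or from Postfix): it parses constructed main.cf fragments and reports whether plaintext SASL mechanisms are offered outside TLS, and it flags crypt-style stored hashes such as the md5crypt value quoted above, which auxprop cannot verify because it needs the cleartext password.

```python
"""Audit the Postfix SASL settings discussed in the reply above.

The main.cf fragments below are constructed examples, not taken from the
thread. Postfix defaults assumed here: smtpd_sasl_security_options defaults
to "noanonymous" and smtpd_sasl_tls_security_options defaults to the value
of smtpd_sasl_security_options.
"""
import re

# Constructed: the configuration recommended in the reply.
PLAINTEXT_TLS_ONLY = """
smtpd_sasl_security_options = noplaintext, noanonymous
smtpd_sasl_tls_security_options = noanonymous
"""

# Constructed: PLAIN/LOGIN offered even on cleartext connections.
PLAINTEXT_EVERYWHERE = """
smtpd_sasl_security_options = noanonymous
"""

def parse_main_cf(text):
    """Return {parameter: set(options)} for comma/space separated values."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = {v for v in re.split(r"[,\s]+", value.strip()) if v}
    return params

def audit_sasl_options(text):
    """Return findings; an empty list means plaintext mechs are TLS-only."""
    params = parse_main_cf(text)
    plain = params.get("smtpd_sasl_security_options", {"noanonymous"})
    tls = params.get("smtpd_sasl_tls_security_options", plain)
    findings = []
    if "noplaintext" not in plain:
        findings.append("PLAIN/LOGIN offered on cleartext connections")
    if "noplaintext" in tls:
        findings.append("plaintext mechs blocked under TLS too; saslauthd/PAM needs them")
    for name, opts in (("smtpd_sasl_security_options", plain),
                       ("smtpd_sasl_tls_security_options", tls)):
        if "noanonymous" not in opts:
            findings.append(f"{name} permits ANONYMOUS")
    return findings

def stored_password_needs_saslauthd(value):
    """True for crypt(3)-style hashes ($1$ md5crypt etc.), which the cleartext
    auxprop lookup cannot compare; route those through saslauthd -a pam."""
    return re.match(r"^\$[0-9a-z]+\$", value) is not None
```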
    
