From: Patrick Ben Koetter (p at state-of-mind dot de)
Date: Tue Mar 17 2009 - 15:45:46 EDT
* LuKreme <>:
> On 17-Mar-2009, at 11:47, Andreas Winkelmann wrote:
>>> On 17-Mar-2009, at 03:49, LuKreme wrote:
>>
>>>> I've made sure that /var/run/saslauthd/ is owned by root:postfix (it
>>>> was root:mail) and have removed the authdaemon_path line and am
>>>> trying again. Hopefully this was it.
>>>
>>> That wasn't it, and the ownership by root:mail shouldn't matter as the
>>> postfix user is part of the mail group. I think I've read everything
>>> twice, and am stumped.
>>>
>>> Should I just start over and install dovecot (cyrus was the only
>>> option way back in the day)?
>>
>> Did you check Patrick's hint about the stored Passwords in your SQL-Server.
>> Cyrus-SASL auxprop is bound to cleartext Passwords. If you have crypted
>> Passwords, you have to patch Cyrus-SASL.
>
> Ah... I must have missed that. <looks back>
>
> Oh, well, that must be it then. passwords from postfixadmin are stored
> in md5crypt.
>
> (they look like $1$a28cb10c$wzblsb81Kv.F7vnMtqlEf.)
>
> So, more on this patching of Cyrus-SASL?

Don't use the patch. It's old and it braindamages Cyrus SASL. You can use
crypted passwords with Cyrus SASL, if you set it up this way:

    Postfix -> libsasl -> saslauthd (PAM) -> PAM mysql -> Mysql DB

That gives you plaintext mechanisms only on client to server communication,
but that's okay as long as you require clients to establish a TLS session
before they may authenticate. Set this to allow plaintext mechs during TLS
only:

    smtpd_sasl_security_options = noplaintext, noanonymous
    smtpd_sasl_tls_security_options = noanonymous

As for the PAM part in the sasl authentication, start saslauthd like this:

    saslauthd -a pam -m /path/to/the/socket

In /etc/pam.d/smtp configure the PAM Mysql part (I haven't done so yet, so I
can't be of any help).

p at rick
-- 
All technical answers asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.
saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
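
Added example, not part of the original post or of Postfix: a small audit of
main.cf text that checks the two smtpd_sasl_*security_options settings above
confine plaintext AUTH to TLS sessions. The function names are hypothetical,
and smtpd_tls_auth_only is a Postfix parameter the post does not mention.

```python
import re

# Postfix built-in defaults for the parameters read here.
DEFAULTS = {"smtpd_sasl_security_options": "noanonymous",
            "smtpd_sasl_tls_security_options": "$smtpd_sasl_security_options",
            "smtpd_tls_auth_only": "no"}
# Constructed sample: the two settings from the post as main.cf lines.
POSTED = ("smtpd_sasl_security_options = noplaintext, noanonymous\n"
          "smtpd_sasl_tls_security_options = noanonymous\n")

def parse_main_cf(text):
    """Parse main.cf text: '#' comments, continuation lines, last value wins."""
    params, logical = {}, []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()  # leading whitespace continues a line
        else:
            logical.append(raw.strip())
    for line in logical:
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params

def options(params, name):
    """Option set for name, following one $other_parameter reference."""
    value = params.get(name, DEFAULTS[name])
    ref = re.fullmatch(r"\$\{?(\w+)\}?", value)
    if ref:
        value = params.get(ref.group(1), DEFAULTS.get(ref.group(1), ""))
    return {o.lower() for o in re.split(r"[,\s]+", value) if o}

def audit(text):
    """Return findings; an empty list means none of the three checks fired."""
    p = parse_main_cf(text)
    clear = options(p, "smtpd_sasl_security_options")
    tls = options(p, "smtpd_sasl_tls_security_options")
    tls_only = p.get("smtpd_tls_auth_only", DEFAULTS["smtpd_tls_auth_only"]).lower() == "yes"
    findings = []
    if "noplaintext" not in clear and not tls_only:
        findings.append("plaintext mechanisms offered without TLS")
    if "noanonymous" not in clear or "noanonymous" not in tls:
        findings.append("anonymous mechanism not excluded")
    if "noplaintext" in tls:
        findings.append("plaintext disabled under TLS: saslauthd/PAM logins will fail")
    return findings
```

Setting only the first line is flagged as well: the TLS option list then
inherits noplaintext, and saslauthd can verify plaintext mechanisms only.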