sasl authentication
i start saslauthd -a shadow
but when i try to send mail with authentication i get an error that the login and password don't match.
any ideas ?
thanks
I just started playing with postfix + sasl yesterday and I ran into this problem a few times. But that's really all I know right now. I put that on hold for some other stuff.
> i start saslauthd -a shadow
You are telling saslauthd to look in your /etc/shadow file! You can add people with saslpasswd all day, but it won't get you anywhere. You need to add them to the passwd/shadow files on your box. Yes, that means they will have an account on the host, so if you don't want that, try this:
saslauthd -a sasldb
That will make saslauthd look in /etc/sasldb
– James
The following shows how
To compile it and install it:
./configure --prefix=/usr/local --enable-login --disable-krb4 --disable-gssapi --disable-cram --disable-digest
make
make install
ln -s /usr/local/lib/sasl2 /usr/lib/sasl2
ldconfig
mkdir -p /var/state/saslauthd
chmod 711 /var/state/saslauthd
To configure it:
echo "pwcheck_method: saslauthd" > /usr/local/lib/sasl2/smtpd.conf
To setup a correct PAM entry:
cp /etc/pam.d/other /etc/pam.d/smtp
To run it:
/usr/local/sbin/saslauthd -a pam -n 2
(replace n with however many instances you want)
HTH
Sunny Dubey
PS: When running MTAs like Postfix or whatever … DO NOT PASS A "sasl local domain" OF ANY KIND. What ends up happening is that instead of authenticating "username", the MTA will pass along "username@domain", which obviously will fail. Check your logs to make sure this isn't happening (even with your current setup). If it is, google for pam_realm (which strips the @domain part).
As I understand it, I need to enable some kind of wrapper (either sasl or sslwrap or something else) that will accept incoming SSL connection on behalf of the daemon listening at that port, and then pass the decrypted communication to the correct daemon.
With SMTP, should I then remove all relaying restrictions and allow access only through the SSL wrapper? (A related problem I'm trying to address is that the default configuration of exim blocks me from sending to anyone but myself.) How would I then configure my mail client? Obviously to use SSL in the connection, but what about authentication? Password or Kerberos 4 or 5 or MD5 Challenge-Response?
Does IMAP require this wrapper, or is encryption already supported by the IMAP protocol?
@schof:
> As I understand it, I need to enable some kind of wrapper (either sasl or sslwrap or something else) that will accept incoming SSL connection on behalf of the daemon listening at that port, and then pass the decrypted communication to the correct daemon.
That is one way, but postfix can do this naturally via a TLS patch. Check out the docs on postfix.org and my own (WIP) howto at: http://opencurve.org/~sunny/nix/postfix/
As for IMAP-SSL? Courier-IMAP does that super easy. Their documentation is all one needs. However you may find yourself doing the following so that you don't use Courier-IMAP's broken PAM setup.
cp /etc/pam.d/other /etc/pam.d/pop3
cp /etc/pam.d/other /etc/pam.d/imap
@schof:
> How would I then configure my mail client? Obviously to use SSL in the connection, but what about authentication? Password or Kerberos 4 or 5 or MD5 Challenge-Response?
Careful here,
To make things more confusing, PLAIN and LOGIN cannot be sent over a clear text network. However, CRAM and DIGEST can.
Sunny Dubey
PS: Sorry for screwing up the posting
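As an added illustration of the mechanism point above (this is not code from the thread or from Cyrus SASL), the following Python builds the client and server sides of AUTH PLAIN and CRAM-MD5 with constructed credentials and a constructed challenge, so you can see which one puts the password on the wire. The lookup at the end also shows why a username that arrives as "user@domain" (the earlier PS) never matches.

```python
import base64
import hashlib
import hmac

# Constructed sample credentials and challenge; not from any real system.
USERNAME = "alice"
PASSWORD = "s3cret-pass"
CHALLENGE = b"<1234.5678@mail.example>"


def auth_plain_initial_response(authzid: str, authcid: str, passwd: str) -> str:
    """Client side of AUTH PLAIN (RFC 4616): authzid NUL authcid NUL passwd,
    base64-encoded. Encoding is not encryption: the password is readable by
    anyone who can see the TCP stream, hence 'never over clear text'."""
    raw = f"{authzid}\0{authcid}\0{passwd}".encode()
    return base64.b64encode(raw).decode()


def decode_auth_plain(b64: str) -> tuple:
    """What a passive observer recovers from the AUTH PLAIN line."""
    authzid, authcid, passwd = base64.b64decode(b64).decode().split("\0")
    return authzid, authcid, passwd


def cram_md5_response(challenge: bytes, user: str, passwd: str) -> str:
    """Client side of CRAM-MD5 (RFC 2195): HMAC-MD5 over the server challenge,
    keyed with the password, sent as base64('user hexdigest'). Only the
    digest crosses the wire, so a sniffer sees the challenge/response but
    not the password."""
    digest = hmac.new(passwd.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def cram_md5_verify(challenge: bytes, response_b64: str, lookup_password) -> bool:
    """Server side: recompute the HMAC from the stored password and compare in
    constant time. The server needs the cleartext password (or an equivalent
    secret) on its side, which is why this cannot be checked against a hashed
    /etc/shadow entry. lookup_password returns None for unknown users."""
    user, _, digest = base64.b64decode(response_b64).decode().partition(" ")
    stored = lookup_password(user)
    if stored is None:
        return False
    expected = hmac.new(stored.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    plain = auth_plain_initial_response("", USERNAME, PASSWORD)
    print("AUTH PLAIN sends:", plain, "-> decodes to", decode_auth_plain(plain))
    resp = cram_md5_response(CHALLENGE, USERNAME, PASSWORD)
    users = {USERNAME: PASSWORD}  # constructed stand-in for sasldb
    print("CRAM-MD5 valid:", cram_md5_verify(CHALLENGE, resp, users.get))
    # An MTA that appended a domain would send 'alice@mail.example' instead.
    bad = cram_md5_response(CHALLENGE, "alice@mail.example", PASSWORD)
    print("CRAM-MD5 with @domain:", cram_md5_verify(CHALLENGE, bad, users.get))
```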