From: Liviu Daia (Liviu.Daia@imar.ro)
Date: Mon Nov 26 2001 - 13:29:45 CST

    On 26 November 2001, Craig Skinner <craig_skinner@linuxmail.org> wrote:
    > G'day all,
    >
    > Newbie here again(!)
    >
    > Searched the archives and found similar stuff but
    > still couldn't suss it out.
    >
    > postfix-20010228-pl08
    > cyrus-imapd-2.0.16
    > cyrus-sasl-1.5.24
    > (all from source)

        Unrelated to your question: you probably want to upgrade to
    cyrus-sasl-1.5.27 (in the beta directory on the Cyrus site). Among
    other things, it fixes a format string vulnerability. If you installed
    the old one as shared libraries, you don't need to recompile imapd and
    Postfix.

    > on Linux-Mandrake-8.1 -no X here
    > Dell PowerEdge 1300, Dual p3, scsi
    >
    > I'm setting up postfix for imap only use on a LAN that
    > is also to be accessable from the net.
    >
    >
    > Not running chrooted (yet) -- Is it worth it????

        The standard answer is: every bit of security counts.

    > ls -l /etc/sasldb
    > -rw-r--r-- 1 root root 12288 Nov 22
    > 14:11 /etc/sasldb

        A better idea is:

    $ ls -l /etc/sasldb
    -rw-r----- 1 cyrus postfix 12950 Nov 6 22:05 /etc/sasldb
    $ id postfix
    uid=15(postfix) gid=30(postfix) groups=30(postfix)

    > sasldblistusers
    > user: craig realm: aberdeen.chstech.co.uk mech: PLAIN
    > user: craig realm: aberdeen.chstech.co.uk mech: CRAM-MD5
    > user: craig realm: aberdeen.chstech.co.uk mech: DIGEST-MD5
    >
    > cat /usr/local/lib/sasl/smtpd.conf
    > pwcheck_method: sasldb
    >
    > ls -l /usr/local/lib/sasl/smtpd.conf
    > -rw-r--r-- 1 root root 23 Nov 22
    > 13:40 /usr/local/lib/sasl/smtpd.conf

        Looks ok so far.

    > postconf | grep sasl

        The full output of "postconf -n" might be useful.

    > broken_sasl_auth_clients = yes
    > lmtp_sasl_auth_enable = yes
    > lmtp_sasl_password_maps = hash:/etc/postfix/lmtp_sasl_pass
    > lmtp_sasl_security_options = noplaintext, noanonymous

        This sets up the client side authentication for LMTP.

        In order for that to work, you need to put the right domain name,
    username and password in lmtp_sasl_pass, the file must be readable only
    by root, and your LMTP server (presumably Cyrus) must use the same realm
    as the domain name in lmtp_sasl_pass. This last point is essential.
    Hint: use "sasldblistusers" on the machine with the LMTP server, and use
    the _same_ name in $mailbox_transport (or wherever you tell Postfix to
    use LMTP) and in lmtp_sasl_pass.

        Oh, and you need to run lmtp_sasl_pass through postmap before
    starting Postfix.

    > smtp_sasl_auth_enable = yes
    > smtp_sasl_password_maps =
    > smtp_sasl_security_options =
    > noplaintext,noanonymous,noactive,nodictionary

        This sets up the client side authentication for SMTP. It's
    incomplete (you don't have a password file), and you probably don't need
    it on a mail server.

    > smtpd_sasl_auth_enable = yes
    > smtpd_sasl_local_domain = $myhostname
    > smtpd_sasl_security_options =
    > noanonymous,noplaintext,noactive,nodictionary

        This sets up the server side authentication for SMTP. You only need
    it if you plan to relay mail for mobile users.

    > telnet localhost 25
    > Trying 127.0.0.1...
    > Connected to localhost.localdomain (127.0.0.1).
    > Escape character is '^]'.
    > Connection closed by foreign host.
    >
    > tail /var/log/syslog
    > Nov 22 15:01:00 aberdeen CROND[1198]: (root) CMD
    > (run-parts /etc/cron.hourly)
    > Nov 22 15:08:18 aberdeen postfix/smtpd[1278]: fatal:
    > no SASL authentication mechanisms
    > Nov 22 15:08:19 aberdeen postfix/master[1026]:
    > warning: process /usr/libexec/postfix/smtpd pid 1278
    > exit status 1
    > Nov 22 15:08:19 aberdeen postfix/master[1026]:
    > warning: /usr/libexec/postfix/smtpd: bad command
    > startup -- throttling
    > Nov 22 15:09:19 aberdeen postfix/smtpd[1288]: fatal:
    > no SASL authentication mechanisms
    > Nov 22 15:09:20 aberdeen postfix/master[1026]:
    > warning: process /usr/libexec/postfix/smtpd pid 1288
    > exit status 1
    > Nov 22 15:09:20 aberdeen postfix/master[1026]:
    > warning: /usr/libexec/postfix/smtpd: bad command
    > startup -- throttling
    >
    > ****************************************************
    > Nov 22 15:10:20 aberdeen postfix/smtpd[1300]: fatal:
    > no SASL authentication mechanisms
    > ****************************************************

        This means sasl_listmech() failed. You can thank cyrus-sasl
    authors for providing such a useful logging mechanism. :-) Ok,
    basically it means your cyrus-sasl installation is screwed up. You'll
    have to figure out for yourself why, and how to fix it. Turning off
    $smtpd_sasl_auth_enable above will probably shut it up.

        A second guess would be that "noactive,nodictionary" above is
    incompatible with using sasldb as pwcheck_method.

    > Nov 22 15:10:21 aberdeen postfix/master[1026]:
    > warning: process /usr/libexec/postfix/smtpd pid 1300
    > exit status 1
    > Nov 22 15:10:21 aberdeen postfix/master[1026]:
    > warning: /usr/libexec/postfix/smtpd: bad command
    > startup -- throttling
    >
    >
    > What else should I be looking for??

        Running the tests that came with cyrus-sasl might have illuminating
    results.

        Regards,

        Liviu Daia

    -- 
    Dr. Liviu Daia               e-mail:   Liviu.Daia@imar.ro
    Institute of Mathematics     web page: http://www.imar.ro/~daia
    of the Romanian Academy      PGP key:  http://www.imar.ro/~daia/daia.asc
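The reply above lists three conditions for Postfix's LMTP SASL client: lmtp_sasl_pass readable only by root, the map run through postmap, and the same host name in $mailbox_transport, in lmtp_sasl_pass and as the realm in the LMTP server's sasldb. The script below is an added example, not part of the thread or of Postfix or Cyrus; it turns those three conditions into offline checks. The file names follow the thread, the transport forms it parses (lmtp:host[:port] and lmtp:inet:host[:port]) and the "host user:password" layout of lmtp_sasl_pass are assumptions stated in the comments, and the sample data in demo() is constructed.

```sh
#!/bin/sh
# Added example (not from the thread): pre-flight checks for the Postfix
# LMTP SASL client conditions listed in the reply above.
#   1. lmtp_sasl_pass readable only by root,
#   2. the map run through postmap (and the .db not stale),
#   3. the host in $mailbox_transport present as a key in lmtp_sasl_pass
#      and as the realm in the LMTP server's sasldblistusers output.
# File names follow the thread; the sample data in demo() is constructed.

# check_pass_perms FILE [UID]  -- mode -rw------- and owned by UID (default 0 = root)
check_pass_perms() {
    f=$1; want_uid=${2:-0}
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    set -- $(ls -ldn "$f")          # $1 = mode string, $3 = numeric owner
    case $1 in
        -rw-------*) ;;             # a trailing '.' or '+' (ACL/SELinux flag) is fine
        *) echo "$f: mode $1, want -rw------- (readable only by owner)" >&2; return 1 ;;
    esac
    [ "$3" = "$want_uid" ] || { echo "$f: owned by uid $3, want uid $want_uid" >&2; return 1; }
}

# check_postmap_fresh FILE  -- FILE.db exists and is not older than FILE
check_postmap_fresh() {
    f=$1
    [ -f "$f.db" ] || { echo "$f.db missing: run 'postmap $f'" >&2; return 1; }
    if [ "$f" -nt "$f.db" ]; then
        echo "$f is newer than $f.db: rerun postmap" >&2; return 1
    fi
}

# check_realm TRANSPORT PASSFILE LISTING
#   TRANSPORT: the mailbox_transport value, assumed to look like
#              lmtp:host[:port] or lmtp:inet:host[:port]
#   PASSFILE:  lmtp_sasl_pass, assumed to hold lines "host user:password"
#   LISTING:   saved sasldblistusers output from the LMTP server, lines of
#              the form "user: NAME realm: REALM mech: MECH" (as in the thread)
check_realm() {
    transport=$1; pass=$2; listing=$3
    case $transport in
        *:unix:*) echo "$transport: unix-socket transport, no host to match" >&2; return 1 ;;
    esac
    host=${transport#*:}; host=${host#inet:}; host=${host%%:*}
    entry=$(awk -v h="$host" '$1 == h { print $2; exit }' "$pass")
    [ -n "$entry" ] || { echo "no entry for $host in $pass" >&2; return 1; }
    user=${entry%%:*}
    grep -qF "user: $user realm: $host mech:" "$listing" || {
        echo "sasldb on the LMTP server has no user $user with realm $host" >&2
        return 1
    }
}

# demo  -- constructed sample files exercising all three checks; returns 0 when all pass
demo() {
    d=$(mktemp -d) || return 1
    printf 'imap.example.test craig:s3cret\n' > "$d/lmtp_sasl_pass"
    chmod 600 "$d/lmtp_sasl_pass"
    : > "$d/lmtp_sasl_pass.db"                  # stands in for "postmap lmtp_sasl_pass"
    printf 'user: craig realm: imap.example.test mech: PLAIN\n' > "$d/listusers.out"
    check_pass_perms "$d/lmtp_sasl_pass" "$(id -u)" &&
        check_postmap_fresh "$d/lmtp_sasl_pass" &&
        check_realm lmtp:imap.example.test "$d/lmtp_sasl_pass" "$d/listusers.out"
    rc=$?
    rm -rf "$d"
    return $rc
}

case "${1:-}" in
    --demo) demo && echo "all checks passed" ;;
esac
```

Run it as `sh lmtp_sasl_check.sh --demo` to exercise the constructed data. Against a real installation, call the functions with the real paths: check_pass_perms needs root to read the map, and the listing handed to check_realm has to be captured with sasldblistusers on the LMTP server itself, which is the point of the hint in the reply: the realm that matters is the one the server's sasldb holds, not the one on the Postfix box.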