From: Wietse Venema (wietse@porcupine.org)
Date: Sat Mar 01 2003 - 14:24:37 CST
Don't turn on Postfix chroot unless you must, and certainly don't
turn it on until you have Postfix working. Postfix as distributed
by myself has chroot turned off by default.
Wietse
foil@mothra.dyndns.org:
> Hello,
>
> I'm trying to set up SASL so I can authenticate SMTP users against the
> normal system accounts via PAM. I've read many docs on this, and I
> can't get it to work with Debian (stable)'s package. The goal is to
> let users who can authenticate with their normal username and password
> relay mail through the system regardless of where they are.
>
> All I've been getting is library errors in the logs. By copying libraries into
> the chroot jail, postfix stopped putting SASL authentication failed
> messages in the logs. The daemon currently is working fine for
> sending mail internally, and receiving mail (it's the primary MX for a
> domain) the only problem is with SMTP authentication. My configuration:
>
> # uname -a
> Linux hostname.org 2.4.20 #3 SMP Fri Feb 7 14:00:08 EST 2003 i686 unknown
> (Debian version 3.0 Packages)
> ii libc6 2.2.5-11.2 GNU C Library: Shared libraries and Timezone
> ii postfix 1.1.11-0.woody A high-performance mail transport agent
> ii postfix-doc 1.1.11-0.woody Postfix documentation
> ii postfix-ldap 1.1.11-0.woody LDAP map support for Postfix
> ii postfix-pcre 1.1.11-0.woody PCRE map support for Postfix
> ii postfix-tls 1.1.11+tls0.7. TLS and SASL support for Postfix
> ii libsasl7 1.5.27-3 Authentication abstraction library.
> ii libsasl-digest 1.5.27-3 DIGEST-MD5 module for SASL
> ii libsasl-gssapi 1.5.24-15 Pluggable Authentication Modules for SASL -
> ii libsasl-krb4-m 1.5.24-15 Pluggable Authentication Modules for SASL -
> ii libsasl-module 1.5.27-3 Basic Pluggable Authentication Modules for
>
> $ cat /etc/pam.d/smtp
> auth required /lib/security/pam_unix_auth.so
> account required /lib/security/pam_unix_acct.so
> password required /lib/security/pam_unix_passwd.so
> session required /lib/security/pam_unix_session.so
>
> $ cat /etc/postfix/sasl/smtp.conf
> pwcheck_method: PAM
>
> (These two above files are duplicated in the chroot jail at
> /var/spool/postfix/etc/pam.d/smtp and
> /var/spool/postfix/etc/postfix/sasl/smtp.conf - as is the essentially
> empty /etc/pam.conf)
>
> $ postconf -n
> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> append_dot_mydomain = yes
> biff = no
> broken_sasl_auth_clients = yes
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> daemon_directory = /usr/lib/postfix
> local_recipient_maps =
> luser_relay = my@address.com
> mailbox_command =
> mailbox_size_limit = 0
> mydestination = my1.host.com, my2.host.com, my3.host.com
> myhostname = my.host.com
> mynetworks = 127.0.0.0/8, 10.7.11.2/16
> myorigin = /etc/mailname
> program_directory = /usr/lib/postfix
> recipient_delimiter = +
> relayhost =
> setgid_group = postdrop
> smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
> smtpd_recipient_restrictions = permit_mynetworks,
> permit_sasl_authenticated, reject_unauth_destination,
> check_relay_domains
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain = $mydomain
> smtpd_sasl_security_options = noanonymous
> queue_directory = /var/spool/postfix
>
> Here's part of what I do to set up the libraries in the chroot jail:
> echo "updating chrooted postfix..."
> cp -a /lib/security /var/spool/postfix/lib # PAM libs
> rm -rf /var/spool/postfix/etc/pam.d
> cp -a /etc/pam.d /var/spool/postfix/etc # PAM conf
> rm -rf /var/spool/postfix/usr
> mkdir /var/spool/postfix/usr /var/spool/postfix/usr/lib
> cp -a /usr/lib/libsasl* /var/spool/postfix/usr/lib/
> cp -a /usr/lib/sasl /var/spool/postfix/usr/lib # SASL libs
>
> Oh, and to verify that SASL is supported:
> $ telnet localhost 25
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> 220 mail.hostname.org ESMTP Postfix (Debian/GNU)
> EHLO whatever.com
> 250-oldhat.oldhat.org
> 250-PIPELINING
> 250-SIZE 10240000
> 250-VRFY
> 250-ETRN
> 250-AUTH GSSAPI LOGIN PLAIN CRAM-MD5 DIGEST-MD5
> 250-AUTH=GSSAPI LOGIN PLAIN CRAM-MD5 DIGEST-MD5
> 250-XVERP
> 250 8BITMIME
>
> Here's where it gets really weird. When I try to send using Outlook 6
> against this machine with the right username and password, this is the
> ONLY message that ends up in the log:
> Mar 1 12:24:46 hostname postfix/smtpd[18735]: connect from hostname.com[1.2.3.4]
>
> Prior to when I was copying the libraries into the chroot jail, I was
> getting messages that said SASL authentication failed. (And "couldn't
> initialize PAM libraries" messages) As it is, outlook can't send the
> mail and just keeps prompting me for a password until I quit. Outlook
> is configured with "My outgoing server requires authentication". I
> have also sniffed what outlook is sending and things seem to be in
> order on that front.
>
> Also, I've been getting many library errors in my logs that reference
> "generic errors" in libkerberos:
> Feb 27 17:25:39 hostname postfix/smtpd[29603]: add_plugin(/usr/lib/sasl/libkerberos4.so) failed: generic failure
> These show up in auth.log rather than the mail logs.
>
> Any help that anyone could provide would be extremely appreciated.
> I've been wrestling with this for 3 days now and I can't get it right.
>
> --
> M. David Allen
>
>
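The advice above turns on whether any smtpd is running inside the chroot at all. On a Debian master.cf of that era the chroot column for smtpd is "-", and Postfix before 3.0 reads "-" as "y", so the Debian package is chrooted even though Postfix as shipped upstream is not; from Postfix 3.0 on, "-" means "n". The following is an added example, not code from this thread or from Postfix itself: it parses a constructed master.cf (modelled on the Debian layout, not copied from any real system), reports which services are chrooted for a given Postfix major version, and rewrites the chroot column to "n" so the daemons run outside the jail where the system PAM and SASL libraries are visible. The sample file, the version threshold and the function names are assumptions.

```python
"""Audit and disable the chroot column in a Postfix master.cf.

Added example, not code from the thread or from the Postfix project.
Assumption: Postfix major version < 3 treats '-' in the chroot column as
'y', Postfix 3.0+ treats it as 'n'.
"""
import re

# Constructed sample modelled on a Debian-style master.cf; commands and
# the -o option line are illustrative only.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       -       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       -       300     1       qmgr
local     unix  -       n       n       -       -       local
pipe      unix  -       n       n       -       -       pipe
"""

COLUMNS = ("service", "type", "private", "unpriv", "chroot", "wakeup", "maxproc")

# Matches the first five whitespace-separated fields; group 2 is the chroot flag.
_CHROOT_FIELD = re.compile(r"^(\S+\s+\S+\s+\S+\s+\S+\s+)(\S+)(.*)$")


def _is_service_line(raw):
    """True for a service definition; comments, blanks and -o continuation
    lines (which start with whitespace) are not service lines."""
    return bool(raw.strip()) and not raw.lstrip().startswith("#") and not raw[0].isspace()


def parse_master_cf(text):
    """Return a list of dicts, one per service, with continuation-line
    options appended to that service's 'args'."""
    services = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            # Continuation line: belongs to the most recent service entry.
            if services:
                services[-1]["args"].append(raw.strip())
            continue
        fields = raw.split()
        if len(fields) < 8:
            raise ValueError("malformed master.cf line: %r" % raw)
        entry = dict(zip(COLUMNS, fields[:7]))
        entry["command"] = fields[7]
        entry["args"] = fields[8:]
        services.append(entry)
    return services


def is_chrooted(entry, postfix_major):
    """Resolve the chroot column, applying the version-dependent default for '-'."""
    flag = entry["chroot"].lower()
    if flag == "-":
        return postfix_major < 3
    return flag == "y"


def chrooted_services(text, postfix_major):
    """Names of the services that would run inside the chroot."""
    return [e["service"] for e in parse_master_cf(text) if is_chrooted(e, postfix_major)]


def disable_chroot(text):
    """Rewrite every service line with chroot='n', preserving comments,
    continuation lines and column alignment."""
    out = []
    for raw in text.splitlines():
        if _is_service_line(raw):
            m = _CHROOT_FIELD.match(raw)
            if m:
                raw = m.group(1) + "n" + m.group(3)
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for major in (2, 3):
        print("Postfix %d.x: chrooted services = %s" % (major, chrooted_services(SAMPLE_MASTER_CF, major)))
    print(disable_chroot(SAMPLE_MASTER_CF))
```

Run it against a real file with `chrooted_services(open("/etc/postfix/master.cf").read(), 2)`; on a Postfix 1.x or 2.x host any service it lists is one whose PAM, SASL and NSS libraries must live under the queue directory, which is exactly the library-copying exercise the question describes. Write the output of `disable_chroot` back only after reviewing it, then reload Postfix.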