foilmothra.dyndns.org
Date: Sun Mar 02 2003 - 09:54:12 CST


On Sun, Mar 02, 2003 at 03:17:48PM +0100, José Luis Tallón wrote:
> At 14:48 01/03/2003 -0700, you wrote:
> >Sorry, I was just informing folks that Debian ships with chroot on.
>
> Indeed.
> That's a particular feature which --being quite paranoid myself sometimes--
> I love from Lamont Jones' fine packages.
>
> By following general advice often given in this list, one would first KISS
> ( Keep It Simple and Stupid ), thus:
> - disable chroot in master.cf for, at least, smtpd
> - configure PAM
> - test
>
> then you might reenable chroot for smtpd if you like.

Well, I've tried playing around with it in the meantime, and if I
change the daemon to have root privileges, and not run chroot, then
everything works great.

But I'm not particularly comfortable doing it like that, I don't
think. If I chroot it, or if I drop privileges for the daemon, it
stops working, and there's not enough information in the logs to tell
why exactly it's not working. The logging is quite strange - if I
give the daemon root privileges but keep it chroot'ed, then I get SASL
authentication failed messages in my logs. If it has no root
privileges and is not running chroot'ed, no messages show up in the
logs except the connect from the client. (Not even the disconnect!)

> Keep in mind that, in order to authenticate against /etc/passwd -
> /etc/shadow, PAM must be called by a *privileged* ( i.e. belonging to root
> ) process -- which Postfix's smtpd is not, by any means.
> You will need to configure saslauthd to do that ( i'd love to hear from it,
> since i didn't manage to get it working -- fortunately i didn't need it,
> either ) or else, use SASLDB

Thanks, I will explore this route and see what I can come up with.

Is there any reasonable way to create a sasldb and keep it synced with
/etc/shadow?

Thanks for the tips
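For the saslauthd route described in the quoted reply, this is the configuration an administrator ends up with: smtpd stays unprivileged (and can stay chrooted), while the root-owned saslauthd helper is the only process that talks to PAM. It is an added example, not from the original thread, and assumes Debian's file locations and Cyrus SASL 2.

```conf
# /etc/postfix/master.cf  (Debian layout assumed)
# service type  private unpriv  chroot  wakeup  maxproc command + args
# chroot column "n" while debugging, as the quoted advice suggests;
# switch it back to "y" once saslauthd's socket lives inside the chroot (below).
smtp      inet  n       -       n       -       -       smtpd

# /etc/postfix/main.cf  (relevant lines only)
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
# PLAIN/LOGIN send the password in clear; only offer AUTH inside TLS
smtpd_tls_auth_only = yes
# name of the Cyrus SASL application config: /etc/postfix/sasl/smtpd.conf
smtpd_sasl_path = smtpd

# /etc/postfix/sasl/smtpd.conf  (Cyrus SASL config read by the unprivileged smtpd)
# Delegate password checks to the privileged saslauthd helper instead of
# reading /etc/shadow directly, which smtpd cannot do after dropping root.
pwcheck_method: saslauthd
# saslauthd can only verify plaintext mechanisms
mech_list: PLAIN LOGIN

# /etc/default/saslauthd  (Debian; saslauthd runs as root and calls PAM)
START=yes
MECHANISMS="pam"
# Put the mux socket inside the Postfix chroot so a chrooted smtpd can reach it;
# the default /var/run/saslauthd is invisible from inside /var/spool/postfix.
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
```

The postfix user also needs group access to the socket directory (on Debian, `adduser postfix sasl`), and `testsaslauthd -u USER -p PASSWORD -f /var/spool/postfix/var/run/saslauthd/mux` exercises the PAM path without involving Postfix at all.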