Re: smtpd + sasl
Ali.Naddaf trilogy.com
Date: Fri Jul 16 2004 - 16:42:40 CDT
Patrick,
Thanks for your reply. It seems that postfix is already a member of sasl
group on my machine:
# grep sasl /etc/group
sasl:!:45:postfix
So any other suggestion?
Thanks,
Ali.
Patrick Ben Koetter <p state-of-mind.de>
Sent by: owner-postfix-users postfix.org
07/16/2004 03:41 PM
To: postfix-users postfix.org
cc:
Subject: Re: smtpd + sasl
* Ali.Naddaf trilogy.com <Ali.Naddaf trilogy.com> [040716 20:57]:
> I have tested my sasl and the ldap-backend using the testsaslauthd
> utility and it works fine. To test my smtpd + sasl, I made a telnet
> connection to port 25 of my machine. The 'Ehlo *****' returns what I
> expect:
Don't trust testsaslauthd. It doesn't even use the SASL libraries...
> .....
> 250-PIPELINING
> 250-SIZE 10240000
> 250-VRFY
> 250-ETRN
> 250-AUTH NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
> 250-AUTH=NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
> 250 8BITMIME
>
> As you can guess, when I try to authenticate, it fails:
> AUTH PLAIN ****************
> 535 Error: authentication failed
The way Debian has it, the directory where saslauthd creates its socket
is accessible to sasl and the group sasl only; Postfix cannot access it
to communicate with saslauthd.
Either change the permissions _and_ change the script that will try to
set 'correct' permissions after a reboot or add Postfix to the group
'sasl'. I recommend the first. Anything else seems to break the idea of
least privilege...
p
rick
--
I take the freedom to ignore offlist messages. Open Source software
requires open access to information that tells all of us how to run it.
Don't deprive the community of that!
SMTP AUTH HOWTO: <http://postfix.state-of-mind.de/patrick.koetter/>
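
The permission question discussed in this thread, as an added example that is not part of either post: shell functions that decide which permission class (owner, group, other) applies to an account on saslauthd's socket directory and whether that class may traverse it. The function names, the `root` owner and the `710` mode in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: can a non-root account traverse saslauthd's socket directory?

# dir_search_class MODE OWNER GROUP USER "USER_GROUPS"
# Prints allowed:<class> or denied:<class>, where <class> is the single
# permission class (owner, group or other) that applies to USER.
# Only the first matching class counts: a group member is judged by the
# group bits even when "other" would be more permissive.
dir_search_class() {
    mode=$1 owner=$2 group=$3 user=$4 user_groups=$5
    bits=$((0$mode))                 # parse the octal mode, e.g. 710 or 2750
    if [ "$user" = "$owner" ]; then
        class=owner; x=$(( (bits >> 6) & 1 ))
    else
        class=other; x=$(( bits & 1 ))
        for g in $user_groups; do
            if [ "$g" = "$group" ]; then
                class=group; x=$(( (bits >> 3) & 1 ))
                break
            fi
        done
    fi
    if [ "$x" -eq 1 ]; then echo "allowed:$class"; else echo "denied:$class"; fi
}

# check_socket_dir DIR USER: the same decision against the live system.
# Assumes GNU stat (-c), as shipped on Debian. id reads the group database;
# a process started before a group change keeps its old group list.
check_socket_dir() {
    info=$(stat -c '%a %U %G' "$1") || return 2
    groups=$(id -Gn "$2") || return 2
    set -- "$2" "$groups" $info      # $1=user $2=groups $3=mode $4=owner $5=group
    dir_search_class "$3" "$4" "$5" "$1" "$2"
}

# Constructed values mirroring the thread (group sasl, account postfix):
#   dir_search_class 710 root sasl postfix "postfix"        # account outside sasl
#   dir_search_class 710 root sasl postfix "postfix sasl"   # account added to sasl
```

This covers only the search bit on the directory; the socket inside it has its own permissions.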