From: Andreas Winkelmann (ml awinkelmann.de)
Date: Tue Nov 20 2007 - 00:08:26 CST
On Tuesday, 20 November 2007, Frank Gruellich wrote:
> > > not sure if you need it, but, I'm using it:
> > >
> > > # cat smtp
> > > #%PAM-1.0
> > > auth required pam_mysql.so user=xxxxx passwd=yyyyy host=127.0.0.1 db=zzzzzz table=mailbox usercolumn=username passwdcolumn=password crypt=1 md5=1
> > > account sufficient pam_mysql.so user=xxxxx passwd=yyyyy host=127.0.0.1 db=zzzzzz table=mailbox usercolumn=username passwdcolumn=password crypt=1 md5=1
> >
> > With the 2nd line it allows SMTP relaying even with an incorrect
> > password.
>
> sufficient means that access is granted immediately if that PAM returns
> success, success or not of further modules doesn't matter. In general
> you want to have "account required" there.
If you have only one entry in the Stack then sufficient should be sufficient.
> I don't know why Postfix (or
> saslauthd) asks for auth and account, IMHO auth would be enough, but
> maybe that is needed for other stuff beside smtp.
saslauthd needs two Stacks auth and account. auth checks the Password, account
checks if the User is allowed to login. So to say, you can check if the User
is allowed to send Mail in the given Timeframe or whatever.

The Config-Lines you have quoted are not from the OP. The OP shows us only one
Logline where the auth-Stack fails. No Config, no Information about the
Database.
> Given that I don't think that this line is your problem. Removing the
> account line makes saslauthd fall back to /etc/pam.d/other, so check the
> same line there. It *really* should read
>
> account required pam_deny.so
>
> or you should have a *very* good reason for everything else. And you
> should read your logfiles, probably something like /var/log/secure.
With this line you will never get a successful authentication.
--
Andreas
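
The stack behaviour discussed in this message, as an added example that is not part of the original post: a simplified Python model of how Linux-PAM evaluates the `auth` and `account` stacks that saslauthd uses, including the per-type fallback to `/etc/pam.d/other`. The function names, the trimmed sample files and the module outcomes are constructed for illustration; only the four classic control flags are modelled.

```python
# Added example: simplified model of Linux-PAM stack evaluation.
# Models required/requisite/sufficient/optional only; no [value=action], no include.

# Constructed samples, trimmed from the configuration quoted in the thread.
SMTP = """#%PAM-1.0
auth    required   pam_mysql.so db=zzzzzz table=mailbox crypt=1 md5=1
account sufficient pam_mysql.so db=zzzzzz table=mailbox crypt=1 md5=1
"""
SMTP_NO_ACCOUNT = "\n".join(SMTP.splitlines()[:2])  # account line removed
OTHER = "auth required pam_deny.so\naccount required pam_deny.so\n"

def parse(text):
    """Return {module_type: [(control, module), ...]} from pam.d file text."""
    stacks = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and #%PAM-1.0
        if not line:
            continue
        mtype, control, module = line.split()[:3]
        stacks.setdefault(mtype, []).append((control, module))
    return stacks

def evaluate(stack, outcome):
    """outcome maps module name -> True (PAM_SUCCESS) or False (failure)."""
    failed = positive = False
    for control, module in stack:
        ok = outcome[module]
        if control == "requisite" and not ok:
            return False                      # fail and stop immediately
        if control == "required" and not ok:
            failed = True                     # fail, but keep running the stack
        elif ok and not failed:
            positive = True
            if control == "sufficient":
                return True                   # success ends the stack here
        # a failing sufficient/optional module is ignored
    # a stack in which no module succeeded is denied, even if nothing "failed"
    return positive and not failed

def saslauthd_check(service, other, outcome):
    """Run auth, then account; a stack missing from the service file
    is taken from 'other', per module type."""
    return all(evaluate(service.get(t) or other.get(t, []), outcome)
               for t in ("auth", "account"))
```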