For the benefit of those that try it after me. Here is what I remember from when it finally worked.
This email describes the basics in getting the simplest "plain text" SMTP AUTH against "pam" using the /etc/passwd file, using the postfix-tls package. It isn't written by someone who understands it, just by someone who made it work for himself at least once! It isn't a howto, more a few tips on where not to go wrong.
Hopefully once you've made something work with smtp auth, you can figure out how to encrypt the credentials so they don't travel in plain text!
You configure saslauthd to work till testsaslauthd gives you the okay. In this case use "pam" as the mechanism in /etc/default/saslauthd
Postfix-tls talks to the saslauthd through the mux file, probably located in the postfix jail if you didn't fiddle. You need to make the directory and set permissions for this in the postfix jail.
(add PARAMS="-m /var/spool/postfix/var/run/saslauthd" to end of /etc/default/saslauthd once you've set the other settings so both programs look in the postfix jail to talk to each other)
(I also hacked /etc/init.d/postfix to put /etc/sasldb2 into the jail - not sure if this was needed but it got rid of an error at the time, and I added postfix to the sasl group, all as per: http://www.fatofthelan.com/articles/articles.php?pid=22 )
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_application_name = smtpd
    #broken_sasl_auth_clients = yes    # More outlook hacks.

    smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        check_relay_domains
Postfix main.cf has an option:

    smtpd_sasl_security_options = noanonymous

Don't be misled into thinking this controls other authentication schemes. It stops anonymous relaying.
To stop ntlm, digest-md5 authentication being attempted every time you need to move the relevant libraries in /usr/lib/sasl2 into a different directory. Seems you can disable these auth methods at compile time, but at run time the only method is to hide them, and Debian is built with all of them (guess that saves compiling). I did a "mkdir inactive", "mv *ntlm* inactive", repeat and rinse etc. You can test it is working by "telnet localhost 25", "ehlo fred" and see what methods are offered for AUTH. ** Ugly hack just done - moving package files manually -- yuk yuk yuk **
/etc/postfix/sasl/smtpd.conf:

    pwcheck_method: saslauthd
If saslauthd is talking to "pam" then you'll need to add an "smtp" for pam. "cp /etc/pam.d/passwd /etc/pam.d/smtp"
Nothing in this configuration is difficult apart from side stepping all the blind alleys of previous ways of doing things, and figuring out the file locations on different operating systems used in other HOWTOs.
Having done it once I could do it all again in 10 minutes, so I won't embarrass myself by saying how long it took first time to understand how it all plumbs together.
Particular blind alleys: other "pwcheck_method"s are mentioned; they are probably obsolete (but that could change). Don't be tempted to put other stuff in smtpd.conf.
The smtpd.conf location is mentioned as everywhere else but /etc/postfix/sasl, which is where the packaged postfix-tls expects it.
If you poke the PARAMS option to saslauthd you'll likely break the ability of the "/etc/init.d/saslauthd" script to stop saslauthd ('kill' and "ps -ef" are your friends).
Reading log files helps, but when it is full of ntlm authentication attempts this is not so useful.
Okay I'm off to mail-abuse.org to make sure I haven't made an open relay by mistake....
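The post checks its work by hand with "telnet localhost 25" / "ehlo fred" and reading the AUTH line. The script below, an added example that is not part of the original message, does the same check programmatically: it parses an EHLO reply, lists the SASL mechanisms on offer, flags any that the post wanted hidden (ntlm, digest-md5) as still being advertised, and warns when STARTTLS is absent, since PLAIN/LOGIN credentials then travel unencrypted. The sample EHLO reply, the allowed-mechanism set and the helper names (ALLOWED_MECHS, parse_ehlo, audit, fetch_ehlo) are this example's own constructions, not anything from the post or from Postfix.

```python
"""Audit which SASL mechanisms an SMTP server advertises after EHLO.

Added example, not from the original mailing-list post. It parses the reply
you would see after "telnet localhost 25" / "ehlo fred" and reports:
  - which AUTH mechanisms are offered,
  - any mechanism outside an allowed set (e.g. NTLM or DIGEST-MD5 that the
    post moved out of /usr/lib/sasl2 but which are still being advertised),
  - whether STARTTLS is offered, without which PLAIN/LOGIN go in clear text.
"""
import socket

# Constructed sample reply, modelled on the shape of a Postfix EHLO answer
# (sample data only, not captured from any real host).
SAMPLE_EHLO_REPLY = (
    "250-mail.example.test\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 10240000\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH PLAIN LOGIN NTLM DIGEST-MD5\r\n"
    "250-AUTH=PLAIN LOGIN NTLM DIGEST-MD5\r\n"
    "250 8BITMIME\r\n"
)

# The mechanisms the post wanted to keep; everything else is treated as noise
# (an assumed policy for this example).
ALLOWED_MECHS = {"PLAIN", "LOGIN"}


def parse_ehlo(reply: str) -> dict:
    """Return {'auth': set of mechanism names, 'starttls': bool} for an EHLO reply."""
    mechs = set()
    starttls = False
    for line in reply.splitlines():
        if len(line) < 4 or not line.startswith("250"):
            continue
        keyword = line[4:]  # strip the "250-" / "250 " prefix
        upper = keyword.upper()
        # Postfix prints both "AUTH X Y" and the legacy "AUTH=X Y" form
        if upper.startswith("AUTH ") or upper.startswith("AUTH="):
            mechs.update(m.upper() for m in keyword[5:].split())
        elif upper == "STARTTLS":
            starttls = True
    return {"auth": mechs, "starttls": starttls}


def audit(reply: str, allowed=ALLOWED_MECHS) -> list:
    """Return a list of findings; an empty list means the banner looks as intended."""
    info = parse_ehlo(reply)
    findings = []
    unexpected = info["auth"] - set(allowed)
    if unexpected:
        findings.append("unexpected AUTH mechanisms offered: "
                        + ", ".join(sorted(unexpected)))
    if not info["auth"]:
        findings.append("no AUTH mechanisms offered "
                        "(smtpd_sasl_auth_enable not active?)")
    if not info["starttls"]:
        findings.append("STARTTLS not offered: PLAIN/LOGIN credentials "
                        "would travel unencrypted")
    return findings


def _read_reply(sock) -> str:
    """Collect one SMTP reply: lines until the code is followed by a space."""
    data = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            break
        data += chunk
        lines = data.split(b"\r\n")
        # the reply is complete once the last full line reads "250 ..." not "250-..."
        if len(lines) >= 2 and len(lines[-2]) >= 4 and lines[-2][3:4] == b" ":
            break
    return data.decode("ascii", "replace")


def fetch_ehlo(host="localhost", port=25, helo="fred", timeout=5.0) -> str:
    """Talk to a live server: read the greeting, send EHLO, return the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        _read_reply(s)  # 220 greeting
        s.sendall(f"EHLO {helo}\r\n".encode("ascii"))
        reply = _read_reply(s)
        s.sendall(b"QUIT\r\n")
        return reply


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_ehlo() for a real check.
    for finding in audit(SAMPLE_EHLO_REPLY) or ["OK: only allowed mechanisms, STARTTLS present"]:
        print(finding)
```

Run it as-is to see the sample reply flagged for NTLM and DIGEST-MD5; replace `SAMPLE_EHLO_REPLY` with `fetch_ehlo()` to audit your own postfix-tls host after each round of moving libraries out of /usr/lib/sasl2.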