From: "Drew Tomlinson"
To: "Scot W. Hetzel", "Hajimu UMEMOTO"
Cc: freebsd-security@freebsd.org
Date: Wed, 23 Jul 2003 12:10:35 -0700
Subject: Re: ASMTP setup on 4.8 -- SOLVED!!!
Message-ID: <00d601c3514e$191e9740$6e2a6ba5@lc.ca.gov>
List-Id: Security issues [members-only posting]

I finally found the answer!!!

I found the following on http://www.securitysage.com/guides/postfix_sasltls.html:

Note: As per discussions on the Postfix users mailing list, there is a known issue in Postfix20020917/SASL2 where the smtpd_sasl_local_domain option must be left to an empty (null) value, otherwise SASL2 will not authenticate.

In /usr/local/etc/postfix/main.cf I had "smtpd_sasl_local_domain = $myhostname" as shown in the various examples on the net. Based on the above, I changed it to "smtpd_sasl_local_domain =" and now it works.

Thanks to both of you for your help and patience.

Drew

----- Original Message -----
From: "Drew Tomlinson"
To: "Scot W. Hetzel" ; "Hajimu UMEMOTO"
Cc:
Sent: Wednesday, July 23, 2003 11:08 AM
Subject: Re: ASMTP setup on 4.8

> ----- Original Message -----
> From: "Scot W. Hetzel"
> To: "Drew Tomlinson" ; "Hajimu UMEMOTO"
> Cc:
> Sent: Monday, July 21, 2003 11:02 AM
>
> > > From: "Drew Tomlinson"
> > > I have also tried "pwcheck_method: pam" but then /var/log/maillog shows:
> > >
> > > Jul 21 09:38:34 blacklamb postfix/smtpd[66269]: warning: SASL authentication problem: unknown password verifier
> > > Jul 21 09:38:34 blacklamb postfix/smtpd[66269]: warning: unknown[165.107.42.110]: SASL LOGIN authentication failed
> > >
> >
> > If you want to use PAM, you need to set the pwcheck_method to saslauthd, and then add the following to either /etc/rc.conf or /etc/rc.conf.local:
> >
> > sasl_saslauthd_enable="YES"
> > sasl_saslauthd_flags="-a pam"
>
> Thanks for your help but I'm still having trouble. :( The contents of /usr/local/lib/sasl2/smtpd.conf are:
> pwcheck_method: saslauthd
>
> And its permissions are:
> -rw-r--r-- 1 root wheel 47 Jul 23 10:40 smtpd.conf
>
> I've also verified correct permissions on /var/state/saslauthd:
> drwxrwx--- 2 cyrus mail 512 Jul 23 10:46 saslauthd
>
> I've verified that Postfix is a member of the mail group as this line is in /etc/group:
> mail:*:6:postfix
>
> I manually started saslauthd for testing with this command line:
> blacklamb# saslauthd -a pam -d
>
> > Then you need to make sure PAM is configured correctly on your system:
> >
> > FreeBSD <=4.x:
> > 1. Check /etc/pam.conf for entries for imap, pop3, and other(?)
> > 2. Add an entry for sieve and cyrus, similar to your imap and pop3 entries
> >
> > FreeBSD >=5.x
> > 1. Check the /etc/pam.d directory for imap, pop3 and other(?) files
> >    a. Make sure they are correctly configured
> > 2. Copy /etc/pam.d/imap to /etc/pam.d/sieve
> > 3. Copy /etc/pam.d/imap to /etc/pam.d/cyrus
>
> I'm using FBSD 4.8. /etc/pam.conf has the following entries:
> #Mail services
> imap auth required pam_unix.so try_first_pass
> imap account required pam_unix.so
> imap session required pam_permit.so
>
> pop3 auth required pam_unix.so try_first_pass
> pop3 account required pam_unix.so
> pop3 session required pam_permit.so
>
> smtp auth required pam_unix.so try_first_pass
> smtp account required pam_unix.so
> smtp session required pam_permit.so
>
> sieve auth required pam_unix.so try_first_pass
> sieve account required pam_unix.so
> sieve account required pam_unix.so
> sieve session required pam_permit.so
>
> cyrus auth required pam_unix.so try_first_pass
> cyrus account required pam_unix.so
> cyrus session required pam_permit.so
>
> # If we don't match anything else, default to using getpwnam().
> other auth sufficient pam_skey.so
> other auth required pam_unix.so try_first_pass
> other account required pam_unix.so try_first_pass
>
> I included the "other" entries because in one of Hajimu's messages he stated he didn't have to add anything to /etc/pam.conf as the "other" entries took care of the request.
>
> Anyway, I started saslauthd in debug mode and this is what it reports when I attempt to authenticate:
>
> saslauthd[67502] :get_accept_lock : acquired accept lock
> saslauthd[67501] :rel_accept_lock : released accept lock
> saslauthd[67501] :do_auth : auth failure: [user=@blacklamb.mykitchentable.net] [service=smtp] [realm=blacklamb.mykitchentable.net] [mech=pam] [reason=PAM auth error]
>
> Please know that I replaced my real username with "" in the output. I get this message whether I am attempting to authenticate with MS Outlook, Evolution, and even from a direct telnet session with Postfix.
>
> I've double-checked my Postfix config with examples I've found on the Net. I think it's OK as it's advertising AUTH services:
>
> Connected to blacklamb.mykitchentable.net.
> Escape character is '^]'.
> 220 blacklamb.mykitchentable.net NO UCE ESMTP
> ehlo test
> 250-blacklamb.mykitchentable.net
> 250-PIPELINING
> 250-SIZE 5120000
> 250-ETRN
> 250-AUTH NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
> 250-AUTH=NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
> 250-XVERP
> 250 8BITMIME
>
> I assume I don't have something configured right with PAM? Do you have any other ideas as to what I'm doing wrong? Everything I've read indicates this shouldn't be this hard but I don't know what else to check.
>
> Thanks again for your help!
>
> Drew
>
> P.S. My web server is running great after your help with FP extensions. :)
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
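The thread ends up touching three things: the client side of the AUTH exchange (Drew tested "from a direct telnet session"), the EHLO banner that shows which mechanisms Postfix offers, and the two config lines that turned out to matter (smtpd_sasl_local_domain in main.cf, pwcheck_method in smtpd.conf). The script below is an added example, not code from the thread or from the Postfix or Cyrus SASL projects. It builds the base64 tokens you would paste into a telnet AUTH test, parses the EHLO banner, and lints the two config fragments for the exact misconfigurations quoted above. The EHLO banner is copied from the thread; the config fragments are reconstructed from the values Drew quotes; the credentials "drew" / "secret" and the config file texts are constructed for the example.

```python
"""Helpers for debugging a Postfix + Cyrus SASL (saslauthd/PAM) AUTH setup.

Added example. Works entirely on constructed in-memory input; it never
opens a socket or reads the real config files.
"""
import base64
import re

# --- 1. Client tokens for a manual AUTH test over telnet -------------------

def sasl_plain_token(authcid, password, authzid=""):
    """Initial response for AUTH PLAIN: base64(authzid NUL authcid NUL password)."""
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def sasl_plain_decode(token):
    """Split a PLAIN token back into (authzid, authcid, password)."""
    authzid, authcid, password = base64.b64decode(token).decode("utf-8").split("\0")
    return authzid, authcid, password


def sasl_login_tokens(username, password):
    """The two client lines for AUTH LOGIN, sent in answer to the server's
    base64 'Username:' ('VXNlcm5hbWU6') and 'Password:' ('UGFzc3dvcmQ6') prompts."""
    return (base64.b64encode(username.encode("utf-8")).decode("ascii"),
            base64.b64encode(password.encode("utf-8")).decode("ascii"))

# --- 2. What does the server advertise? ------------------------------------

# Copied from the telnet transcript in the thread.
EHLO_SAMPLE = """\
250-blacklamb.mykitchentable.net
250-PIPELINING
250-SIZE 5120000
250-ETRN
250-AUTH NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-AUTH=NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-XVERP
250 8BITMIME"""


def ehlo_auth_mechanisms(ehlo_response):
    """Mechanisms from the 'AUTH x y' line and the legacy 'AUTH=x y' line
    (Postfix emits the latter for old Outlook clients), de-duplicated, in order."""
    mechs = []
    for line in ehlo_response.splitlines():
        m = re.match(r"250[- ]AUTH[ =](.+)$", line.strip())
        if m:
            for mech in m.group(1).split():
                if mech not in mechs:
                    mechs.append(mech)
    return mechs

# --- 3. Lint the two config files the thread ends up changing --------------

def parse_postfix_main_cf(text):
    """'key = value' lines from main.cf (no continuation lines, $vars kept verbatim)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def parse_sasl_smtpd_conf(text):
    """'option: value' lines from Cyrus SASL's smtpd.conf."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        conf[key.strip()] = value.strip()
    return conf


def lint_sasl_setup(main_cf, smtpd_conf):
    """Findings for the two misconfigurations seen in the thread."""
    findings = []
    pf = parse_postfix_main_cf(main_cf)
    sasl = parse_sasl_smtpd_conf(smtpd_conf)
    local_domain = pf.get("smtpd_sasl_local_domain", "")
    if local_domain:
        # With this set, saslauthd -d logged [user=@<host>] [realm=<host>]
        # and PAM rejected the login; the fix was to leave the value empty.
        findings.append("smtpd_sasl_local_domain = %s: leave empty with this "
                        "Postfix/SASL2 combination" % local_domain)
    method = sasl.get("pwcheck_method")
    if method == "pam":
        findings.append("pwcheck_method: pam -> smtpd logs 'unknown password "
                        "verifier'; use saslauthd and run 'saslauthd -a pam'")
    elif method != "saslauthd":
        findings.append("pwcheck_method is %r; expected saslauthd for PAM auth" % method)
    return findings


# Constructed config fragments: the "before" and "after" of the thread.
BAD_MAIN_CF = "myhostname = blacklamb.mykitchentable.net\nsmtpd_sasl_local_domain = $myhostname\n"
GOOD_MAIN_CF = "myhostname = blacklamb.mykitchentable.net\nsmtpd_sasl_local_domain =\n"
BAD_SMTPD_CONF = "pwcheck_method: pam\n"
GOOD_SMTPD_CONF = "pwcheck_method: saslauthd\n"

if __name__ == "__main__":
    print("AUTH PLAIN", sasl_plain_token("drew", "secret"))
    print("AUTH LOGIN", sasl_login_tokens("drew", "secret"))
    print("offered:", ehlo_auth_mechanisms(EHLO_SAMPLE))
    for f in lint_sasl_setup(BAD_MAIN_CF, BAD_SMTPD_CONF):
        print("finding:", f)
```

For a manual test, paste `AUTH PLAIN <token>` after EHLO, or `AUTH LOGIN` followed by the two LOGIN lines in answer to the prompts. PLAIN and LOGIN only base64-encode the password, they do not protect it, so run such tests over TLS or on the loopback interface, and prefer the DIGEST-MD5 or CRAM-MD5 mechanisms the banner offers when the client is on an untrusted network.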