To: freebsd-questions@freebsd.org
From: Michael Powell
Date: Sun, 29 Jun 2008 09:48:19 -0400
References: <20080629105019.GA2003@chateau.d.lf>
Subject: Re: Postfix logging some OTP related permission denied messages

आशीष शुक्ल Ashish Shukla wrote:

> Hi,
>
> I'm running 7.0-RELEASE-p2 (amd64). I'm running Postfix 2.5.1_2,1 mail
> server instead of the default Sendmail which ships with base distribution.
>
> My mail server is working fine with no issues except that I noticed that
> some messages in /var/log/messages:
>
> ---->8---->8----
> Jun 29 03:12:45 chateau postfix/smtpd[1159]: OTP unavailable because can't read/write key database /etc/opiekeys: Permission denied
> Jun 29 03:18:22 chateau postfix/smtpd[1535]: OTP unavailable because can't read/write key database /etc/opiekeys: Permission denied
> Jun 29 03:23:55 chateau postfix/smtpd[1873]: OTP unavailable because can't read/write key database /etc/opiekeys: Permission denied
> Jun 29 04:18:25 chateau postfix/smtpd[78118]: OTP unavailable because can't read/write key database /etc/opiekeys: Permission denied
> Jun 29 16:07:11 chateau postfix/smtpd[1712]: OTP unavailable because can't read/write key database /etc/opiekeys: Permission denied
> Jun 29 16:07:17 chateau postfix/smtpd[1712]: OTP unavailable because can't read/write key database /etc/opiekeys: Permission denied
> Jun 29 16:13:30 chateau postfix/smtpd[2125]: OTP unavailable because can't read/write key database /etc/opiekeys: Permission denied
> ----8<----8<----
>
> I've not done anything explicitly to turn on support for One-time
> passwords in my system.
>
> Any ideas, reasons behind these messages?
>
> TIA

Greetings:

I've seen some suggestions which involve making changes for allowing the access to the files, but my thoughts are if you are not making use of this feature this would be tantamount to a small form of security violation. The shortcut is probably just to give the group 'mail' rw permissions to opiekeys and don't overly muck with a config that works correctly.

If when you installed Postfix it installed cyrus-sasl as a dependency you might try going into /usr/ports/security/cyrus-sasl2 and doing make config and clearing the checkbox option near the bottom "OTP Enable OTP auth", then make deinstall, and make reinstall. However, my Postfix is only an extremely basic install and I've never seen these messages.
A snippet from my Postfix main.cf:

# sasl config
broken_sasl_auth_clients = yes
smtpd_sasl_local_domain =
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/usr/local/etc/postfix/sasl_passwd
smtp_sasl_security_options =
#smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks
#smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks

and wrt to sasl in /etc/rc.conf I have:

saslauthd_enable="YES"
saslauthd_flags="-a sasldb"

I've also noticed the following in my /etc/group file, but I believe it has no bearing on this problem.

mail:*:6:postfix

Since I didn't build Cyrus-SASL without OTP I suspect it is turned on or somehow being activated in your Postfix config. The docs also say there is supposed to be an SASL config file somewhere in /usr/local/lib/sasl2, but I've never seen one.

-Mike
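
Added example (not part of the original message, and not code from Postfix or Cyrus SASL): a read-only shell check that counts the OTP warnings per smtpd process and reports whether a Cyrus SASL application config file still allows the OTP mechanism. It relies on the standard `mech_list` option of such a config file; the function names, file names and the two sample config files are constructed, and whether restricting `mech_list` silences the warning on a given build is an assumption the thread does not confirm.

```shell
#!/bin/sh
# Added example: read-only triage, changes nothing on the system.

# Print "<warnings> <distinct smtpd pids>" for OTP warnings in a syslog file.
otp_warning_summary() {
    awk '/postfix\/smtpd\[[0-9]+\]: OTP unavailable/ {
             n++; pid = $0
             sub(/.*postfix\/smtpd\[/, "", pid); sub(/\].*/, "", pid)
             seen[pid] = 1
         }
         END { for (p in seen) pids++; printf "%d %d\n", n, pids }' "$1"
}

# Print the mech_list of a Cyrus SASL application config, lower-cased and
# space-normalised. No mech_list means every installed plugin: "ALL".
sasl_mech_list() {
    awk '/^mech_list:/ { sub(/^mech_list:[ \t]*/, ""); gsub(/[ \t]+/, " ")
                         sub(/ $/, ""); list = tolower($0); found = 1 }
         END { print (found ? list : "ALL") }' "$1"
}

# Exit 0 if OTP may still be offered under this config, 1 if it is excluded.
sasl_offers_otp() {
    case " $(sasl_mech_list "$1") " in
        *" ALL "*|*" otp "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo data: three log lines from the post plus one constructed line,
# and two constructed config files.
DEMO=$(mktemp -d)
cat > "$DEMO/messages" <<'EOF'
Jun 29 03:12:45 chateau postfix/smtpd[1159]: OTP unavailable because can't read/write key database /etc/opiekeys: Permission denied
Jun 29 16:07:11 chateau postfix/smtpd[1712]: OTP unavailable because can't read/write key database /etc/opiekeys: Permission denied
Jun 29 16:07:17 chateau postfix/smtpd[1712]: OTP unavailable because can't read/write key database /etc/opiekeys: Permission denied
Jun 29 16:07:18 chateau postfix/smtpd[1712]: disconnect from unknown[192.0.2.10]
EOF
printf 'pwcheck_method: saslauthd\n' > "$DEMO/default.conf"
printf 'pwcheck_method: saslauthd\nmech_list: PLAIN  LOGIN\n' > "$DEMO/restricted.conf"

echo "warnings/pids: $(otp_warning_summary "$DEMO/messages")"
for f in default restricted; do
    if sasl_offers_otp "$DEMO/$f.conf"; then s="may be offered"; else s="excluded"; fi
    echo "$f.conf: mech_list=$(sasl_mech_list "$DEMO/$f.conf") -> OTP $s"
done
```

On a real host the arguments would be /var/log/messages and the SASL config file for smtpd, if one exists under /usr/local/lib/sasl2.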