>> >> PARAMS="-m /var/spool/postfix/var/run/saslauthd -r" >> > > You are planning to run Postfix chrooted, right? > > That's not an issue for me as long as it's not involving any non-trivial security problems. >From http://www.postfix.org/security.html: "Although chroot(2), even when combined with low privilege, is no guarantee against system compromise it does add a considerable hurdle. And we all know that every little bit helps." >From Wietse Venema himself: "Don't turn on Postfix chroot unless you must, and certainly don't turn it on until you have Postfix working. Postfix as distributed by myself has chroot turned off by default." I'd rather follow Wietse's advice :) > >> I also pasted the result of saslfinger below, for not burrying my second >> question. So my first question is: how come the pid file is not in >> /var/spool/postfix/var/run/saslauthd? >> > > I don't know. I didn't know it was possible to tell saslauthd it should put > the socket in a special directory at all. All I know is: The socket directory > (run_path) is where saslauthd puts everything. > > > Found the answer if anyone is interested. See http://wiki.ev-15.com/debian:mail_system >> >> igloo:/etc/postfix# tail /var/log/auth.log >> >> Mar 12 16:43:52 igloo saslauthd[4670]: rel_accept_lock : released accept >> lock >> Mar 12 16:43:52 igloo saslauthd[4666]: get_accept_lock : acquired accept >> lock >> Mar 12 16:43:52 igloo saslauthd[4670]: DEBUG: auth_pam: pam_authenticate >> failed: Authentication failure >> Mar 12 16:43:52 igloo saslauthd[4670]: do_auth : auth failure: >> [user=email@address] [service=smtp] [realm=] [mech=pam] [reason=PAM auth >> error] >> > > PAM has a problem. My guess (!) is, its with the pam_mysql settings you've > given. > > Yes, you helped me hit the bug here. Relevant stuff in the pam_mysql README: verbose (0) If set to 1, produces logs with detailed messages that describes what PAM-MySQL is doing. May be useful for debugging. crypt (plain) The method to encrypt the user's password: 0 (or "plain") = No encryption. Passwords stored in plaintext. HIGHLY DISCOURAGED. 1 (or "Y") = Use crypt(3) function. 2 (or "mysql") = Use MySQL PASSWORD() function. It is possible that the encryption function used by PAM-MySQL is different from that of the MySQL server, as PAM-MySQL uses the function defined in MySQL's C-client API instead of using PASSWORD() SQL function in the query. 3 (or "md5") = Use plain hex MD5 So I modified /etc/pam.d/smtp to use verbose=1 and, finally, crypt=2, since this seemed to be the problem. auth required pam_mysql.so user=<user@address> passwd=<pass> host=127.0.0.1 db=mail table=postfix_users usercolumn=email passwdcolumn=clear crypt=2 verbose=1 account sufficient pam_mysql.so user=<user@address> passwd=<pass> host=127.0.0.1 db=mail table=postfix_users usercolumn=email passwdcolumn=clear crypt=2 verbose=1 > > Get Postfix out of the way to simplify your debug setup. Start saslauthd from > commandline with the settings you want to gave in /etc/default/saslauthd AND > add "-d" to keep saslauthd attached to the screen in debug mode. > > So that would be # /usr/sbin/saslauthd -d -a pam & [1] 3654 saslauthd[3654] :main : num_procs : 5 igloo:/home/nicolas# saslauthd[3654] :main : mech_option: NULL saslauthd[3654] :main : run_path : /var/run/saslauthd saslauthd[3654] :main : auth_mech : pam saslauthd[3654] :ipc_init : using accept lock file: /var/run/saslauthd/mux.accept saslauthd[3654] :detach_tty : master pid is: 0 saslauthd[3654] :ipc_init : listening on socket: /var/run/saslauthd/mux saslauthd[3654] :main : using process model saslauthd[3655] :get_accept_lock : acquired accept lock saslauthd[3654] :have_baby : forked child: 3655 saslauthd[3654] :have_baby : forked child: 3656 saslauthd[3654] :have_baby : forked child: 3657 saslauthd[3654] :have_baby : forked child: 3658 > Then use testsaslauthd with at least the following options: > > $ testsaslauthd -f /var/spool/postfix/var/run/saslauthd -r -s smtp -u <user> -p <pass> > ... and there you go # testsaslauthd -s smtp -u <user@address> -p <pass> saslauthd[3756] :rel_accept_lock : released accept lock saslauthd[3757] :get_accept_lock : acquired accept lock saslauthd[3756] :do_auth : auth success: [user=<user@address>] [service=smtp] [realm=] [mech=pam] saslauthd[3756] :do_request : response: OK 0: OK "Success." Interestingly, when specifying either -f /var/spool/postfix/var/run/saslauthd or -f /var/spool/saslauthd I get this: # testsaslauthd -f /var/spool/postfix/var/run/saslauthd -r -s smtp -u <user@address> -p <pass> connect() : Connection refused # testsaslauthd -f /var/run/saslauthd -r -s smtp -u <user@address> -p <pass> connect() : Connection refused >> -- content of /etc/postfix/sasl/smtpd.conf -- >> pwcheck_method: saslauthd >> mech_list: plain login >> allow_plaintext: true >> auxprop_plugin: sql >> sql_hostnames: 127.0.0.1 >> sql_user: --- replaced --- >> sql_passwd: --- replaced --- >> sql_database: mail >> sql_select: select password from users where email = '%u' >> #saslauthd_path: /var/run/saslauthd >> > > > This /etc/postfix/sasl/smtpd.conf won't work. Either you use saslauthd and > PAM with encrypted passwords or you use the auxprop sql plugin without crypted > passwords. > > If you go for saslauthd do this: > > /etc/postfix/sasl/smtpd.conf > pwcheck_method: saslauthd > mech_list: plain login > Blindly copied the above. Now that you mention it, it couldn't be more obvious. I could indeed also work with the auxprop sql plugin after modifying the /etc/postfix/sasl/smtpd.conf (had to change the sql_select line too, sasl parses the username "email@address" into "user"@"realm", so I needed to define it as '%u@%r' ). Anyway, I think that saslauthd/pam offers more security, so I removed Postfix out of the chroot jail, added user postfix to sasl group and adapted /etc/postfix/sasl/smtpd.conf for saslauthd. I am yet left with one last obstable: when called through Postfix, saslauthd parses the user <email@address> into <email> and <address>, and assigns <address> to "realm" instead of to "user". Mar 14 00:14:49 igloo saslauthd[4308]: pam_mysql - pam_mysql_release_ctx() called. Mar 14 00:14:49 igloo saslauthd[4308]: pam_mysql - pam_mysql_destroy_ctx() called. Mar 14 00:14:49 igloo saslauthd[4308]: pam_mysql - pam_mysql_close_db() called. Mar 14 00:14:49 igloo saslauthd[4308]: do_auth : auth failure: [user=<email>] [service=smtp] [realm=<address>] [mech=pam] [reason=PAM auth error] Mar 14 00:14:49 igloo saslauthd[4309]: pam_mysql - option verbose is set to "1" Mar 14 00:14:49 igloo saslauthd[4309]: pam_mysql - pam_mysql_close_db() called. Mar 14 00:14:49 igloo saslauthd[4309]: pam_mysql - pam_sm_authenticate() called. Mar 14 00:14:49 igloo saslauthd[4309]: pam_mysql - pam_mysql_converse() called. Mar 14 00:14:49 igloo saslauthd[4309]: pam_mysql - pam_mysql_open_db() called. Mar 14 00:14:49 igloo saslauthd[4309]: pam_mysql - pam_mysql_open_db() returning 0. Mar 14 00:14:49 igloo saslauthd[4309]: pam_mysql - pam_mysql_check_passwd() called. Mar 14 00:14:49 igloo saslauthd[4309]: pam_mysql - pam_mysql_format_string() called Mar 14 00:14:49 igloo saslauthd[4309]: pam_mysql - pam_mysql_quick_escape() called. Mar 14 00:14:49 igloo last message repeated 3 times Mar 14 00:14:49 igloo saslauthd[4309]: pam_mysql - SELECT clear FROM postfix_users WHERE email = '<email>' Mar 14 00:14:49 igloo saslauthd[4309]: pam_mysql - SELECT returned no result. Mar 14 00:14:49 igloo saslauthd[4309]: pam_mysql - pam_mysql_check_passwd() returning 1. Mar 14 00:14:49 igloo saslauthd[4309]: pam_mysql - pam_sm_authenticate() returning 10. Mar 14 00:14:49 igloo saslauthd[4309]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module Mar 14 00:14:49 igloo saslauthd[4309]: pam_mysql - pam_mysql_release_ctx() called. Mar 14 00:14:49 igloo saslauthd[4309]: pam_mysql - pam_mysql_destroy_ctx() called. Mar 14 00:14:49 igloo saslauthd[4309]: pam_mysql - pam_mysql_close_db() called. Mar 14 00:14:49 igloo saslauthd[4309]: do_auth : auth failure: [user=<email>] [service=smtp] [realm=<address>] [mech=pam] [reason=PAM auth error] I changed /etc/default/saslauthd to START=yes PARAMS="-r" MECHANISMS="pam" ...and /etc/init.d/saslauthd to PIDFILE="/var/run/${NAME}/saslauthd.pid" ... but these did not help. I had the impression that the deamon does read /etc/default/saslauthd, but disregards the PARAMS= line: root 4350 0.0 1.0 7196 2052 ? Ss 00:37 0:00 /usr/sbin/saslauthd -a pam root 4351 0.0 1.0 7196 2052 ? S 00:37 0:00 /usr/sbin/saslauthd -a pam root 4352 0.0 1.0 7196 2052 ? S 00:37 0:00 /usr/sbin/saslauthd -a pam root 4353 0.0 1.0 7196 2052 ? S 00:37 0:00 /usr/sbin/saslauthd -a pam root 4354 0.0 1.0 7196 2052 ? S 00:37 0:00 /usr/sbin/saslauthd -a pam This seems to be correct, following the clues I found on http://www.nervous.it/txt/Postfix-SMTP-AUTH-4-DUMMIES.html - I concur ^^ - I added the "-r" to the /etc/init.d/saslauthd instead, on my system it looks like this: DAEMON_ARGS="$DAEMON_ARGS -a $MECHANISMS -r $MECH_OPTIONS $OPTIONS $THREAD_OPTIONS" Restart saslauthd and voilà! it works. So now that I acquired boundless knowledge I can go write a tutorial myself! :-) Thanks, Nicolas