Hello,

I am using Postfix version 2.5.2 with dovecot. I am having the below problem for plain text authentication:

    Jun 27 16:11:58 smtp(pam_unix)[3745]: check pass; user unknown
    Jun 27 16:11:58 smtp(pam_unix)[3745]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
    Jun 27 16:12:00 saslauthd[3745]: do_auth : auth failure: [service=smtp] [realm=xxxx.com] [mech=pam] [reason=PAM auth error]

My /etc/pam.d/smtp file is as under:

    #%PAM-1.0
    auth required pam_stack.so service=system-auth
    account required pam_stack.so service=system-auth

Just don't know what is the problem. My POP server is getting properly authenticated.

Thanks for help!
onik
I think it is the realm that is confusing your pam, it is working out the usernames as user@xxx.com. Try turning off the -r flag if you have it set for your saslauthd.
I have a similar problem (running on Fedora Core 11). my /etc/sysconfig/saslauthd:

please note that I removed the -r from the last line but it didn't help. here's my /etc/pam.d/smtp:

and if I look in the database I see what I would expect:

Code:
    # mysql -u mail_admin -p mail whatever
    select * from users;
    +--------------+------------------+----------+
    | email        | password         | quota    |
    +--------------+------------------+----------+
    | tst@arix.com | 5ce37c852c314c20 | 10485760 |
    +--------------+------------------+----------+
    1 row in set (0.00 sec)

I run a test, which fails with the included results:

Code:
    # testsaslauthd -u tst -p testpass -s smtp -r arix.com
    0: NO "authentication failed"

I'm running the daemon by hand like this, which also generates the included output:

Code:
    # saslauthd -d -V -a pam
    [...]
    saslauthd[13741] :do_auth: auth failure: [user=tst] [service=smtp] [realm=arix.com] [mech=pam] [reason=PAM auth error]

and curiously, in /var/log/secure I see:

but there are no messages when I try the test like this (though obviously I still fail the test):

Code:
    # testsaslauthd -u tst@arix.com -p testpass -s smtp
    0: NO "authentication failed"

what else can I look at?

thx - e
a little more info... I discovered I can turn on debugging info for PAM by adding "debug" to my /etc/pam.d/smtp file like this:

this allowed me to learn a little more. when I do:

...the SQL generated in /var/log/secure shows:

which is clearly wrong... therefore the test should be called like this:

well... that also failed, I tried passing the encrypted version of the password:

but it didn't work either. sigh...
ok, a little more progress... as per the HOWTO, /etc/pam.d/smtp contains crypt=1. According to the SASL README this means use of crypt() for password encryption... but the HOWTO has me using the MySQL PASSWORD() function to store the passwords in the database.

so I changed to crypt=mysql, which continued to fail (there's a note in the README that it might). Setting crypt=0 and testing with plain passwords worked. Then I used MySQL's encrypt() to store the password, and set crypt back to 1. everything works. incidentally, md5 doesn't seem to work, in either crypt=Y md5 or crypt=md5 modes.

but this was all when running the daemon by hand with (yes, I figured out how to hand it a config file):

Code:
    # saslauthd -d -a pam -O /etc/postfix/sasl/smtpd.conf

when I start the daemon:

Code:
    # service saslauthd start

...it fails. in looking at the /etc/init.d/saslauthd I see that the mechanism is hard-coded to shadow, but I don't know if I should be modifying this file... I guess I don't know whether courier-imap or postfix will run saslauthd directly (and hand it its configuration file of choice), or it relies on the daemon being started at boot time.

anyone know the answer?
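The mismatch described in the post above (a PASSWORD()-style value in the table while the PAM file says crypt=1) can be spotted before testing logins. This is an added example, not part of the original posts or of pam_mysql; the format patterns are assumptions based on the usual output shapes of these functions, and the second sample value is constructed.

```python
import re

# Stored-value shapes, recognised by form only (assumption: usual output formats).
# Caveat: a plain-text password that happens to have one of these shapes is misread.
FORMATS = [
    ("mysql-password-old", re.compile(r"[0-9a-f]{16}")),    # PASSWORD() before MySQL 4.1
    ("mysql-password-new", re.compile(r"\*[0-9A-F]{40}")),  # PASSWORD() since MySQL 4.1
    ("crypt-des", re.compile(r"[./0-9A-Za-z]{13}")),        # ENCRYPT() / crypt() with 2-char salt
]

# crypt= values discussed in the thread and the stored formats each one expects.
VERIFIES = {
    "0": {"plain"},
    "1": {"crypt-des"},
    "mysql": {"mysql-password-old", "mysql-password-new"},
}

def classify(stored):
    """Name the format of a value from the users.password column."""
    for name, pattern in FORMATS:
        if pattern.fullmatch(stored):
            return name
    return "plain"

def check(crypt_setting, stored):
    """Return (format, verdict) for one crypt= setting and one stored value."""
    fmt = classify(stored)
    if fmt not in VERIFIES[crypt_setting]:
        return fmt, "mismatch"
    if crypt_setting == "mysql":
        # The thread reports crypt=mysql failing even with a PASSWORD() value.
        return fmt, "unreliable"
    return fmt, "match"

if __name__ == "__main__":
    rows = [
        ("1", "5ce37c852c314c20"),      # value shown in the thread's users table
        ("mysql", "5ce37c852c314c20"),
        ("1", "xxEXAMPLEhash"),         # constructed value with the 13-char crypt shape
        ("0", "testpass"),
    ]
    for setting, stored in rows:
        print(f"crypt={setting:<5} {stored:<18} -> {check(setting, stored)}")
```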
yes, SELinux is disabled:

Code:
    # cat /etc/selinux/config
    # This file controls the state of SELinux on the system.
    # SELINUX= can take one of these three values:
    #     enforcing - SELinux security policy is enforced.
    #     permissive - SELinux prints warnings instead of enforcing.
    #     disabled - SELinux is fully disabled.
    SELINUX=disabled
    # SELINUXTYPE= type of policy in use. Possible values are:
    #     targeted - Only targeted network daemons are protected.
    #     strict - Full SELinux protection.
    SELINUXTYPE=targeted

ok, answer to my last question: postfix/courier don't run their own copy of SASL. it was easy enough to test, turn off the daemon and run:

Code:
    # perl -MMIME::Base64 -e 'print encode_base64("\0tst\@arix.com\0testpass");'
    AGVAYXJpeC5jb20AZWtraXM=
    # telnet localhost 25
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    220 mail.arix.com ESMTP Postfix
    AUTH PLAIN AGVAYXJpeC5jb20AZWtraXM=
    535 5.7.8 Error: authentication failed: generic failure

then run the daemon and you get:

Code:
    # perl -MMIME::Base64 -e 'print encode_base64("\0tst\@arix.com\0testpass");'
    AGVAYXJpeC5jb20AZWtraXM=
    # telnet localhost 25
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    220 mail.arix.com ESMTP Postfix
    AUTH PLAIN AGVAYXJpeC5jb20AZWtraXM=
    535 5.7.8 Error: authentication failed: authentication failure

however I also found that Postfix uses the equivalent of [realm=arix.com] instead of [realm=], which means I still got an authentication failure. So, I can tell the daemon to join the two fields like this:

Code:
    saslauthd -d -a pam -O /etc/postfix/sasl/smtpd.conf -r

which satisfies the test:

Code:
    # testsaslauthd -u tst -p ekkis -r arix.com -s smtp
    0: OK "Success."

...and, of course:

Code:
    root@janus:~ # telnet localhost 25
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    220 mail.arix.com ESMTP Postfix
    AUTH PLAIN AGVAYXJpeC5jb20AZWtraXM=
    235 2.7.0 Authentication successful

but for whatever reason the daemon doesn't seem to care about the contents of /etc/sysconfig/saslauthd i.e. adding the -r to the OPTIONS line doesn't seem to make a difference. is this the wrong file to be editing in F11?

so my next question is: if I modify the /etc/init.d/saslauthd to call the daemon as I want it (for smtp) then what else will I mess up? how do I also call the daemon to work for imap?
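The realm handling described in the post above decides which string is finally compared against the email column. This is an added example, not part of the original posts; the split at the last '@' is an assumed model of the [user=tst] [realm=arix.com] fields seen in the saslauthd log, and the token and table contents are constructed.

```python
import base64

def encode_plain(authcid, password, authzid=""):
    """Base64 argument of AUTH PLAIN (RFC 4616): authzid NUL authcid NUL passwd."""
    raw = "\0".join([authzid, authcid, password]).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def decode_plain(token):
    """Split an AUTH PLAIN argument into (authzid, authcid, password)."""
    parts = base64.b64decode(token, validate=True).split(b"\0")
    if len(parts) != 3 or not parts[1]:
        raise ValueError("not a SASL PLAIN message")
    return tuple(p.decode("utf-8") for p in parts)

def split_login(authcid, default_realm=""):
    """Assumed model of the user/realm split seen in the saslauthd log
    ([user=tst] [realm=arix.com]): cut at the last '@'."""
    user, sep, realm = authcid.rpartition("@")
    return (user, realm) if sep else (authcid, default_realm)

def pam_login(user, realm, combine_realm):
    """Login name PAM receives: user@realm with -r, the bare user without it."""
    return f"{user}@{realm}" if combine_realm and realm else user

def lookup_key(token, combine_realm, default_realm=""):
    """Value that ends up compared against users.email."""
    _, authcid, _ = decode_plain(token)
    return pam_login(*split_login(authcid, default_realm), combine_realm)

# Constructed sample data mirroring the thread's test account.
USERS_EMAIL = {"tst@arix.com"}
TOKEN = encode_plain("tst@arix.com", "testpass")

if __name__ == "__main__":
    for flag in (False, True):
        key = lookup_key(TOKEN, combine_realm=flag)
        print(f"-r={flag!s:5} lookup={key!r:16} row found={key in USERS_EMAIL}")
```

Without -r the lookup key is the bare user name, which matches no row in a table keyed by full address; with -r the address is reassembled and the row is found.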
for kicks I tried:

Code:
    # saslauthd -d -a pam -r

as you can see, without the -O /etc/postfix/sasl/smtpd.conf. To my surprise, authentication still worked... so obviously whatever is in that file (information on how to log into MySQL) is either picked up anyway, or not used at all (so the PAM file figures out how to issue the needed SQL)...

so i think that solves my issue above... I've modified the /etc/init.d/saslauthd and everything works now. yea! here's IMAP:

Code:
    # telnet localhost 143
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready. Copyright 1998-2008 Double Precision, Inc. See COPYING for distribution information.
    a1 login e@arix.com ekkis
    a1 OK LOGIN Ok.
    a2 logout
    * BYE Courier-IMAP server shutting down
    a2 OK LOGOUT completed
    Connection closed by foreign host.

and Postfix:

Code:
    # telnet localhost 25
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    220 mail.arix.com ESMTP Postfix
    AUTH PLAIN AGVAYXJpeC5jb20AZWtraXM=
    235 2.7.0 Authentication successful
    quit
    221 2.0.0 Bye
    Connection closed by foreign host.

Case closed (I think)!
hi, got the same problem. how do you fix or modify this /etc/init.d/saslauthd?? please help me, thank you
What's the exact error message? How did you set up the system? Did you use a tutorial? If so, which one (URL)?