postfix + cyrus-sasl + PAM + pam_ruby

David van Geest davidv at spindance.com
Wed Jul 22 14:35:56 EDT 2009


Hi All,

We've abandoned previous efforts to use pam_mysql with postfix and 
cyrus-sasl (see previous post...), and have decided to make use of our 
own Ruby libraries to access the DB.  Therefore, we're now attempting to 
use pam_ruby.  I started out with the example implementation found here: 
http://ruby-pam.sourceforge.net/pam-ruby.html.

I'm not having any luck so far telnet'ing to our SMTP server on port 2525 
and authenticating, so I'm wondering what could be wrong. 

I ran saslfinger -s on the server and got this output:

-bash-3.2# saslfinger -s
saslfinger - postfix Cyrus sasl configuration Wed Jul 22 14:26:23 EDT 2009
version: 1.0.2
mode: server-side SMTP AUTH

-- basics --
Postfix: 2.5.5
System: CentOS release 5.2 (Final)

-- smtpd is linked to --
        libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7f43000)

-- active SMTP AUTH and TLS parameters for smtpd --
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = cyrus
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s


-- listing of /usr/lib/sasl --
total 28
drwxr-xr-x  2 root root  4096 Jul 21 11:55 .
drwxr-xr-x 62 root root 24576 Jul 21 13:49 ..

-- listing of /usr/lib/sasl2 --
total 3392
drwxr-xr-x  2 root root   4096 Jul 22 14:15 .
drwxr-xr-x 62 root root  24576 Jul 21 13:49 ..
-rw-r--r--  1 root root     25 Mar 14  2007 Sendmail.conf
-rwxr-xr-x  1 root root    884 Jan  7  2007 libanonymous.la
-rwxr-xr-x  1 root root  14372 Jan  7  2007 libanonymous.so
-rwxr-xr-x  1 root root  14372 Jan  7  2007 libanonymous.so.2
-rwxr-xr-x  1 root root  14372 Jan  7  2007 libanonymous.so.2.0.22
-rwxr-xr-x  1 root root    870 Jan  7  2007 libcrammd5.la
-rwxr-xr-x  1 root root  16832 Jan  7  2007 libcrammd5.so
-rwxr-xr-x  1 root root  16832 Jan  7  2007 libcrammd5.so.2
-rwxr-xr-x  1 root root  16832 Jan  7  2007 libcrammd5.so.2.0.22
-rwxr-xr-x  1 root root    893 Jan  7  2007 libdigestmd5.la
-rwxr-xr-x  1 root root  47204 Jan  7  2007 libdigestmd5.so
-rwxr-xr-x  1 root root  47204 Jan  7  2007 libdigestmd5.so.2
-rwxr-xr-x  1 root root  47204 Jan  7  2007 libdigestmd5.so.2.0.22
-rwxr-xr-x  1 root root    933 Jan  7  2007 libgssapiv2.la
-rwxr-xr-x  1 root root  26528 Jan  7  2007 libgssapiv2.so
-rwxr-xr-x  1 root root  26528 Jan  7  2007 libgssapiv2.so.2
-rwxr-xr-x  1 root root  26528 Jan  7  2007 libgssapiv2.so.2.0.22
-rwxr-xr-x  1 root root    877 Jan  7  2007 libldapdb.la
-rwxr-xr-x  1 root root  15472 Jan  7  2007 libldapdb.so
-rwxr-xr-x  1 root root  15472 Jan  7  2007 libldapdb.so.2
-rwxr-xr-x  1 root root  15472 Jan  7  2007 libldapdb.so.2.0.22
-rwxr-xr-x  1 root root    856 Jan  7  2007 liblogin.la
-rwxr-xr-x  1 root root  14752 Jan  7  2007 liblogin.so
-rwxr-xr-x  1 root root  14752 Jan  7  2007 liblogin.so.2
-rwxr-xr-x  1 root root  14752 Jan  7  2007 liblogin.so.2.0.22
-rwxr-xr-x  1 root root    858 Jan  7  2007 libntlm.la
-rwxr-xr-x  1 root root  31516 Jan  7  2007 libntlm.so
-rwxr-xr-x  1 root root  31516 Jan  7  2007 libntlm.so.2
-rwxr-xr-x  1 root root  31516 Jan  7  2007 libntlm.so.2.0.22
-rwxr-xr-x  1 root root    856 Jan  7  2007 libplain.la
-rwxr-xr-x  1 root root  14848 Jan  7  2007 libplain.so
-rwxr-xr-x  1 root root  14848 Jan  7  2007 libplain.so.2
-rwxr-xr-x  1 root root  14848 Jan  7  2007 libplain.so.2.0.22
-rwxr-xr-x  1 root root    930 Jan  7  2007 libsasldb.la
-rwxr-xr-x  1 root root 905200 Jan  7  2007 libsasldb.so
-rwxr-xr-x  1 root root 905200 Jan  7  2007 libsasldb.so.2
-rwxr-xr-x  1 root root 905200 Jan  7  2007 libsasldb.so.2.0.22
-rwxr-xr-x  1 root root    878 Jan  7  2007 libsql.la
-rwxr-xr-x  1 root root  23084 Jan  7  2007 libsql.so
-rwxr-xr-x  1 root root  23084 Jan  7  2007 libsql.so.2
-rwxr-xr-x  1 root root  23084 Jan  7  2007 libsql.so.2.0.22
-rw-r--r--  1 root root     57 Jul 21 11:56 sample.conf
-rw-r--r--  1 root root     57 Jul 21 11:56 smtpd.conf

-- listing of /etc/sasl2 --
total 12
drwxr-xr-x  2 root root 4096 Jul 22 13:49 .
drwxr-xr-x 80 root root 4096 Jul 22 13:59 ..
-rw-r--r--  1 root root   57 Jul 22 13:49 smtpd.conf




-- content of /usr/lib/sasl2/smtpd.conf --
    pwcheck_method: saslauthd
    mech_list: PLAIN LOGIN

-- content of /etc/sasl2/smtpd.conf --
    pwcheck_method: saslauthd
    mech_list: PLAIN LOGIN


-- active services in /etc/postfix/master.cf --
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
smtp       inet n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
2525       inet n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
        -o fallback_relay=
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
old-cyrus unix  -       n       n       -       -       pipe
  flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m 
${extension} ${user}
cyrus     unix  -       n       n       -       -       pipe
  user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m 
${extension} ${user}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail 
($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop 
$recipient
retry     unix  -       -       n       -       -       error
proxywrite unix -       -       n       -       1       proxymap

-- mechanisms on localhost --
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN


-- end of saslfinger output --

Also looked a bit at the sasl2-sample-server and -client (with ln -s 
/usr/lib/sasl2/smtpd.conf /usr/lib/sasl2/sample.conf):

sasl2-sample-server -s rcmd -p 8000

then in another terminal

-bash-3.2# sasl2-sample-client -s rcmd -p 8000 -m PLAIN 127.0.0.1
receiving capability list... recv: {11}
LOGIN PLAIN
LOGIN PLAIN
please enter an authentication id: PLAIN
please enter an authorization id: <myunixuser>
Password:
send: {5}
PLAIN
send: {1}
Y
send: {23}
<myunixuser>[0]<myunixuser>[0]<mypass>
authentication failed
closing connection

And if it matters, /etc/sysconfig/saslauthd has "mech=PAM" in it.

Any ideas?  Am I even testing this out correctly?
-David


-- 
David van Geest
Software Engineer
SpinDance, Inc. <http://www.spindance.com>
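An added example, not code from David's post nor from the pam_ruby or cyrus-sasl projects, in Python: it reconstructs the PLAIN message that sasl2-sample-client printed as `<authzid>[0]<authcid>[0]<passwd>`, encodes and decodes the `AUTH PLAIN` command a mail client sends, and reads an EHLO banner shaped like the `250-AUTH LOGIN PLAIN` / `250-AUTH=LOGIN PLAIN` lines in the saslfinger output to report which mechanisms carry the password to anyone who can see the TCP stream when STARTTLS is not offered (relevant because the 2525 service in master.cf enables SASL without `smtpd_tls_security_level=encrypt`, unlike submission and smtps). Host names, user names and passwords are constructed.

```python
"""
Added example (not from the mailing-list post): inspect the SASL PLAIN
exchange that sasl2-sample-client printed, and read an EHLO banner like
the one saslfinger reported (250-AUTH LOGIN PLAIN) to see which mechanisms
carry the password in the clear when STARTTLS is absent.
All host names, user names and passwords here are constructed.
"""
import base64

# Mechanisms whose password is recoverable by anyone who sees the TCP stream.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}


def build_plain(authcid: str, passwd: str, authzid: str = "") -> bytes:
    """RFC 4616 PLAIN message: authzid NUL authcid NUL passwd (authzid may be empty)."""
    for field in (authzid, authcid, passwd):
        if "\0" in field:
            raise ValueError("NUL is not allowed inside a PLAIN field")
    return b"\0".join(s.encode("utf-8") for s in (authzid, authcid, passwd))


def parse_plain(raw: bytes) -> dict:
    """Split a PLAIN message into its three fields; an empty authzid defaults to authcid."""
    parts = raw.split(b"\0")
    if len(parts) != 3:
        raise ValueError("PLAIN message must contain exactly two NUL separators")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    return {"authzid": authzid or authcid, "authcid": authcid, "passwd": passwd}


def from_sample_client_notation(shown: str) -> bytes:
    """sasl2-sample-client prints each NUL byte as '[0]'; turn that back into raw bytes."""
    return shown.replace("[0]", "\0").encode("utf-8")


def encode_auth_plain(authcid: str, passwd: str, authzid: str = "") -> str:
    """The SMTP command a client sends for a single-round-trip PLAIN login."""
    blob = base64.b64encode(build_plain(authcid, passwd, authzid)).decode("ascii")
    return "AUTH PLAIN " + blob


def decode_auth_plain_line(line: str) -> dict:
    """Recover the fields from 'AUTH PLAIN <base64>'; base64 is encoding, not protection."""
    verb, mech, blob = line.strip().split(" ", 2)
    if verb.upper() != "AUTH" or mech.upper() != "PLAIN":
        raise ValueError("not an AUTH PLAIN command")
    return parse_plain(base64.b64decode(blob))


def plaintext_auth_risk(ehlo_lines) -> dict:
    """Summarise an EHLO response: mechanisms offered, and whether STARTTLS is among them."""
    mechs = set()
    starttls = False
    for line in ehlo_lines:
        body = line[4:].strip() if line[:4] in ("250-", "250 ") else line.strip()
        if body.upper() == "STARTTLS":
            starttls = True
        elif body.upper().startswith("AUTH"):
            # Postfix prints "AUTH LOGIN PLAIN" and, with broken_sasl_auth_clients=yes,
            # also "AUTH=LOGIN PLAIN"; both forms list the same mechanisms.
            mechs.update(body[4:].lstrip("= ").split())
    exposed = [] if starttls else sorted(mechs & CLEARTEXT_MECHS)
    return {"starttls_offered": starttls,
            "mechanisms": sorted(mechs),
            "cleartext_password_mechs": exposed}


if __name__ == "__main__":
    # Same shape as the sample-client transcript, with constructed credentials.
    shown = "alice[0]alice[0]s3cret"
    print(parse_plain(from_sample_client_notation(shown)))
    cmd = encode_auth_plain("alice", "s3cret")
    print(cmd, "->", decode_auth_plain_line(cmd))
    # Constructed EHLO banner matching saslfinger's "mechanisms on localhost" section.
    banner = ["250-mail.example.test", "250-PIPELINING",
              "250-AUTH LOGIN PLAIN", "250-AUTH=LOGIN PLAIN", "250 8BITMIME"]
    print(plaintext_auth_risk(banner))
```

Run stand-alone it prints the decoded fields for the constructed exchange and a summary showing both LOGIN and PLAIN offered with no STARTTLS, which is what a client connecting to the 2525 service above would see; the same functions can be fed a real EHLO capture to check a server after the configuration is changed.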


More information about the Cyrus-sasl mailing list