postfix + cyrus-sasl + PAM + pam_ruby
David van Geest
davidv at spindance.com
Wed Jul 22 14:35:56 EDT 2009
Hi All,
We've abandoned previous efforts to use pam_mysql with postfix and
cyrus-sasl (see previous post...), and have decided to make use of our
own Ruby libraries to access the DB. Therefore, we're now attempting to
use pam_ruby. I started out with the example implementation found here:
http://ruby-pam.sourceforge.net/pam-ruby.html.
Not having any luck so far telnet'ing to our SMTP server on port 2525
and authenticating, so I'm wondering what could be wrong.
I ran saslfinger -s on the server and got this output:
-bash-3.2# saslfinger -s
saslfinger - postfix Cyrus sasl configuration Wed Jul 22 14:26:23 EDT 2009
version: 1.0.2
mode: server-side SMTP AUTH
-- basics --
Postfix: 2.5.5
System: CentOS release 5.2 (Final)
-- smtpd is linked to --
libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7f43000)
-- active SMTP AUTH and TLS parameters for smtpd --
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = cyrus
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
-- listing of /usr/lib/sasl --
total 28
drwxr-xr-x 2 root root 4096 Jul 21 11:55 .
drwxr-xr-x 62 root root 24576 Jul 21 13:49 ..
-- listing of /usr/lib/sasl2 --
total 3392
drwxr-xr-x 2 root root 4096 Jul 22 14:15 .
drwxr-xr-x 62 root root 24576 Jul 21 13:49 ..
-rw-r--r-- 1 root root 25 Mar 14 2007 Sendmail.conf
-rwxr-xr-x 1 root root 884 Jan 7 2007 libanonymous.la
-rwxr-xr-x 1 root root 14372 Jan 7 2007 libanonymous.so
-rwxr-xr-x 1 root root 14372 Jan 7 2007 libanonymous.so.2
-rwxr-xr-x 1 root root 14372 Jan 7 2007 libanonymous.so.2.0.22
-rwxr-xr-x 1 root root 870 Jan 7 2007 libcrammd5.la
-rwxr-xr-x 1 root root 16832 Jan 7 2007 libcrammd5.so
-rwxr-xr-x 1 root root 16832 Jan 7 2007 libcrammd5.so.2
-rwxr-xr-x 1 root root 16832 Jan 7 2007 libcrammd5.so.2.0.22
-rwxr-xr-x 1 root root 893 Jan 7 2007 libdigestmd5.la
-rwxr-xr-x 1 root root 47204 Jan 7 2007 libdigestmd5.so
-rwxr-xr-x 1 root root 47204 Jan 7 2007 libdigestmd5.so.2
-rwxr-xr-x 1 root root 47204 Jan 7 2007 libdigestmd5.so.2.0.22
-rwxr-xr-x 1 root root 933 Jan 7 2007 libgssapiv2.la
-rwxr-xr-x 1 root root 26528 Jan 7 2007 libgssapiv2.so
-rwxr-xr-x 1 root root 26528 Jan 7 2007 libgssapiv2.so.2
-rwxr-xr-x 1 root root 26528 Jan 7 2007 libgssapiv2.so.2.0.22
-rwxr-xr-x 1 root root 877 Jan 7 2007 libldapdb.la
-rwxr-xr-x 1 root root 15472 Jan 7 2007 libldapdb.so
-rwxr-xr-x 1 root root 15472 Jan 7 2007 libldapdb.so.2
-rwxr-xr-x 1 root root 15472 Jan 7 2007 libldapdb.so.2.0.22
-rwxr-xr-x 1 root root 856 Jan 7 2007 liblogin.la
-rwxr-xr-x 1 root root 14752 Jan 7 2007 liblogin.so
-rwxr-xr-x 1 root root 14752 Jan 7 2007 liblogin.so.2
-rwxr-xr-x 1 root root 14752 Jan 7 2007 liblogin.so.2.0.22
-rwxr-xr-x 1 root root 858 Jan 7 2007 libntlm.la
-rwxr-xr-x 1 root root 31516 Jan 7 2007 libntlm.so
-rwxr-xr-x 1 root root 31516 Jan 7 2007 libntlm.so.2
-rwxr-xr-x 1 root root 31516 Jan 7 2007 libntlm.so.2.0.22
-rwxr-xr-x 1 root root 856 Jan 7 2007 libplain.la
-rwxr-xr-x 1 root root 14848 Jan 7 2007 libplain.so
-rwxr-xr-x 1 root root 14848 Jan 7 2007 libplain.so.2
-rwxr-xr-x 1 root root 14848 Jan 7 2007 libplain.so.2.0.22
-rwxr-xr-x 1 root root 930 Jan 7 2007 libsasldb.la
-rwxr-xr-x 1 root root 905200 Jan 7 2007 libsasldb.so
-rwxr-xr-x 1 root root 905200 Jan 7 2007 libsasldb.so.2
-rwxr-xr-x 1 root root 905200 Jan 7 2007 libsasldb.so.2.0.22
-rwxr-xr-x 1 root root 878 Jan 7 2007 libsql.la
-rwxr-xr-x 1 root root 23084 Jan 7 2007 libsql.so
-rwxr-xr-x 1 root root 23084 Jan 7 2007 libsql.so.2
-rwxr-xr-x 1 root root 23084 Jan 7 2007 libsql.so.2.0.22
-rw-r--r-- 1 root root 57 Jul 21 11:56 sample.conf
-rw-r--r-- 1 root root 57 Jul 21 11:56 smtpd.conf
-- listing of /etc/sasl2 --
total 12
drwxr-xr-x 2 root root 4096 Jul 22 13:49 .
drwxr-xr-x 80 root root 4096 Jul 22 13:59 ..
-rw-r--r-- 1 root root 57 Jul 22 13:49 smtpd.conf
-- content of /usr/lib/sasl2/smtpd.conf --
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
-- content of /etc/sasl2/smtpd.conf --
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
-- active services in /etc/postfix/master.cf --
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
smtp inet n - n - - smtpd
submission inet n - n - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
2525 inet n - n - - smtpd
-o smtpd_sasl_auth_enable=yes
smtps inet n - n - - smtpd
-o smtpd_tls_wrappermode=yes
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
-o fallback_relay=
showq unix n - n - - showq
error unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
old-cyrus unix - n n - - pipe
flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m
${extension} ${user}
cyrus unix - n n - - pipe
user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m
${extension} ${user}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail
($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop
$recipient
retry unix - - n - - error
proxywrite unix - - n - 1 proxymap
-- mechanisms on localhost --
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
-- end of saslfinger output --
Also looked a bit at the sasl2-sample-server and -client (with ln -s
/usr/lib/sasl2/smtpd.conf /usr/lib/sasl2/sample.conf):
sasl2-sample-server -s rcmd -p 8000
then in another terminal
-bash-3.2# sasl2-sample-client -s rcmd -p 8000 -m PLAIN 127.0.0.1
receiving capability list... recv: {11}
LOGIN PLAIN
LOGIN PLAIN
please enter an authentication id: PLAIN
please enter an authorization id: <myunixuser>
Password:
send: {5}
PLAIN
send: {1}
Y
send: {23}
<myunixuser>[0]<myunixuser>[0]<mypass>
authentication failed
closing connection
And if it matters, /etc/sysconfig/saslauthd has "mech=PAM" in it.
Any ideas? Am I even testing this out correctly?
-David
--
David van Geest
Software Engineer
SpinDance, Inc. <http://www.spindance.com>
More information about the Cyrus-sasl
mailing list