postfix + cyrus-sasl + PAM + pam_ruby
Sean O'Malley
omalleys at msu.edu
Wed Jul 22 15:36:40 EDT 2009
try:

testsaslauthd -u username -p password -r "127.0.0.1;234" -s servicename

(the -r flag probably isn't needed, I believe it specifies the realm
name.)

This should test saslauthd and your pam configuration.

I believe on Red Hat they called it cyrus-testsaslauthd or something along
those lines if it is included.

If that works, you know your backend is configured correctly.

I would probably try it with pam_unix and a local account if that doesn't
work, just to see if the problem is with your pam stack or with the pam
module.

On Wed, 22 Jul 2009, David van Geest wrote:
> Hi All,
>
> We've abandoned previous efforts to use pam_mysql with postfix and
> cyrus-sasl (see previous post...), and have decided to make use of our
> own Ruby libraries to access the DB. Therefore, we're now attempting to
> use pam_ruby. I started out with the example implementation found here:
> http://ruby-pam.sourceforge.net/pam-ruby.html.
>
> Not having any luck so far telnet'ing to our SMTP server on port 2525
> and authenticating, so I'm wondering what could be wrong.
>
> I ran saslfinger -s on the server and got this output:
>
> -bash-3.2# saslfinger -s
> saslfinger - postfix Cyrus sasl configuration Wed Jul 22 14:26:23 EDT 2009
> version: 1.0.2
> mode: server-side SMTP AUTH
>
> -- basics --
> Postfix: 2.5.5
> System: CentOS release 5.2 (Final)
>
> -- smtpd is linked to --
> libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7f43000)
>
> -- active SMTP AUTH and TLS parameters for smtpd --
> broken_sasl_auth_clients = yes
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_authenticated_header = yes
> smtpd_sasl_local_domain =
> smtpd_sasl_path = smtpd
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_type = cyrus
> smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
> smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
> smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = yes
> smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
> smtpd_tls_session_cache_timeout = 3600s
>
>
> -- listing of /usr/lib/sasl --
> total 28
> drwxr-xr-x 2 root root 4096 Jul 21 11:55 .
> drwxr-xr-x 62 root root 24576 Jul 21 13:49 ..
>
> -- listing of /usr/lib/sasl2 --
> total 3392
> drwxr-xr-x 2 root root 4096 Jul 22 14:15 .
> drwxr-xr-x 62 root root 24576 Jul 21 13:49 ..
> -rw-r--r-- 1 root root 25 Mar 14 2007 Sendmail.conf
> -rwxr-xr-x 1 root root 884 Jan 7 2007 libanonymous.la
> -rwxr-xr-x 1 root root 14372 Jan 7 2007 libanonymous.so
> -rwxr-xr-x 1 root root 14372 Jan 7 2007 libanonymous.so.2
> -rwxr-xr-x 1 root root 14372 Jan 7 2007 libanonymous.so.2.0.22
> -rwxr-xr-x 1 root root 870 Jan 7 2007 libcrammd5.la
> -rwxr-xr-x 1 root root 16832 Jan 7 2007 libcrammd5.so
> -rwxr-xr-x 1 root root 16832 Jan 7 2007 libcrammd5.so.2
> -rwxr-xr-x 1 root root 16832 Jan 7 2007 libcrammd5.so.2.0.22
> -rwxr-xr-x 1 root root 893 Jan 7 2007 libdigestmd5.la
> -rwxr-xr-x 1 root root 47204 Jan 7 2007 libdigestmd5.so
> -rwxr-xr-x 1 root root 47204 Jan 7 2007 libdigestmd5.so.2
> -rwxr-xr-x 1 root root 47204 Jan 7 2007 libdigestmd5.so.2.0.22
> -rwxr-xr-x 1 root root 933 Jan 7 2007 libgssapiv2.la
> -rwxr-xr-x 1 root root 26528 Jan 7 2007 libgssapiv2.so
> -rwxr-xr-x 1 root root 26528 Jan 7 2007 libgssapiv2.so.2
> -rwxr-xr-x 1 root root 26528 Jan 7 2007 libgssapiv2.so.2.0.22
> -rwxr-xr-x 1 root root 877 Jan 7 2007 libldapdb.la
> -rwxr-xr-x 1 root root 15472 Jan 7 2007 libldapdb.so
> -rwxr-xr-x 1 root root 15472 Jan 7 2007 libldapdb.so.2
> -rwxr-xr-x 1 root root 15472 Jan 7 2007 libldapdb.so.2.0.22
> -rwxr-xr-x 1 root root 856 Jan 7 2007 liblogin.la
> -rwxr-xr-x 1 root root 14752 Jan 7 2007 liblogin.so
> -rwxr-xr-x 1 root root 14752 Jan 7 2007 liblogin.so.2
> -rwxr-xr-x 1 root root 14752 Jan 7 2007 liblogin.so.2.0.22
> -rwxr-xr-x 1 root root 858 Jan 7 2007 libntlm.la
> -rwxr-xr-x 1 root root 31516 Jan 7 2007 libntlm.so
> -rwxr-xr-x 1 root root 31516 Jan 7 2007 libntlm.so.2
> -rwxr-xr-x 1 root root 31516 Jan 7 2007 libntlm.so.2.0.22
> -rwxr-xr-x 1 root root 856 Jan 7 2007 libplain.la
> -rwxr-xr-x 1 root root 14848 Jan 7 2007 libplain.so
> -rwxr-xr-x 1 root root 14848 Jan 7 2007 libplain.so.2
> -rwxr-xr-x 1 root root 14848 Jan 7 2007 libplain.so.2.0.22
> -rwxr-xr-x 1 root root 930 Jan 7 2007 libsasldb.la
> -rwxr-xr-x 1 root root 905200 Jan 7 2007 libsasldb.so
> -rwxr-xr-x 1 root root 905200 Jan 7 2007 libsasldb.so.2
> -rwxr-xr-x 1 root root 905200 Jan 7 2007 libsasldb.so.2.0.22
> -rwxr-xr-x 1 root root 878 Jan 7 2007 libsql.la
> -rwxr-xr-x 1 root root 23084 Jan 7 2007 libsql.so
> -rwxr-xr-x 1 root root 23084 Jan 7 2007 libsql.so.2
> -rwxr-xr-x 1 root root 23084 Jan 7 2007 libsql.so.2.0.22
> -rw-r--r-- 1 root root 57 Jul 21 11:56 sample.conf
> -rw-r--r-- 1 root root 57 Jul 21 11:56 smtpd.conf
>
> -- listing of /etc/sasl2 --
> total 12
> drwxr-xr-x 2 root root 4096 Jul 22 13:49 .
> drwxr-xr-x 80 root root 4096 Jul 22 13:59 ..
> -rw-r--r-- 1 root root 57 Jul 22 13:49 smtpd.conf
>
>
>
>
> -- content of /usr/lib/sasl2/smtpd.conf --
> pwcheck_method: saslauthd
> mech_list: PLAIN LOGIN
>
> -- content of /etc/sasl2/smtpd.conf --
> pwcheck_method: saslauthd
> mech_list: PLAIN LOGIN
>
>
> -- active services in /etc/postfix/master.cf --
> # service type private unpriv chroot wakeup maxproc command + args
> # (yes) (yes) (yes) (never) (100)
> smtp inet n - n - - smtpd
> submission inet n - n - - smtpd
> -o smtpd_tls_security_level=encrypt
> -o smtpd_sasl_auth_enable=yes
> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> 2525 inet n - n - - smtpd
> -o smtpd_sasl_auth_enable=yes
> smtps inet n - n - - smtpd
> -o smtpd_tls_wrappermode=yes
> -o smtpd_tls_security_level=encrypt
> -o smtpd_sasl_auth_enable=yes
> -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> cleanup unix n - n - 0 cleanup
> qmgr fifo n - n 300 1 qmgr
> tlsmgr unix - - n 1000? 1 tlsmgr
> rewrite unix - - n - - trivial-rewrite
> bounce unix - - n - 0 bounce
> defer unix - - n - 0 bounce
> trace unix - - n - 0 bounce
> verify unix - - n - 1 verify
> flush unix n - n 1000? 0 flush
> proxymap unix - - n - - proxymap
> smtp unix - - n - - smtp
> relay unix - - n - - smtp
> -o fallback_relay=
> showq unix n - n - - showq
> error unix - - n - - error
> discard unix - - n - - discard
> local unix - n n - - local
> virtual unix - n n - - virtual
> lmtp unix - - n - - lmtp
> anvil unix - - n - 1 anvil
> scache unix - - n - 1 scache
> maildrop unix - n n - - pipe
> flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
> old-cyrus unix - n n - - pipe
> flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m
> ${extension} ${user}
> cyrus unix - n n - - pipe
> user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m
> ${extension} ${user}
> uucp unix - n n - - pipe
> flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail
> ($recipient)
> ifmail unix - n n - - pipe
> flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
> bsmtp unix - n n - - pipe
> flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop
> $recipient
> retry unix - - n - - error
> proxywrite unix - - n - 1 proxymap
>
> -- mechanisms on localhost --
> 250-AUTH LOGIN PLAIN
> 250-AUTH=LOGIN PLAIN
>
>
> -- end of saslfinger output --
>
> Also looked a bit at the sasl2-sample-server and -client (with ln -s
> /usr/lib/sasl2/smtpd.conf /usr/lib/sasl2/sample.conf):
>
> sasl2-sample-server -s rcmd -p 8000
>
> then in another terminal
>
> -bash-3.2# sasl2-sample-client -s rcmd -p 8000 -m PLAIN 127.0.0.1
> receiving capability list... recv: {11}
> LOGIN PLAIN
> LOGIN PLAIN
> please enter an authentication id: PLAIN
> please enter an authorization id: <myunixuser>
> Password:
> send: {5}
> PLAIN
> send: {1}
> Y
> send: {23}
> <myunixuser>[0]<myunixuser>[0]<mypass>
> authentication failed
> closing connection
>
> And if it matters, /etc/sysconfig/saslauthd has "mech=PAM" in it.
>
> Any ideas? Am I even testing this out correctly?
> -David
>
>
>
--------------------------------------
Sean O'Malley, Information Technologist
Michigan State University
-------------------------------------
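
Added example (not part of the original messages): a Python helper for the manual telnet test against the PLAIN and LOGIN mechanisms that the quoted smtpd.conf advertises. It builds and decodes the base64 AUTH PLAIN argument and renders it in the byte-count and [0] notation seen in the sasl2-sample-client output. The user "alice", the password "s3cret!" and all function names are constructed for illustration.

```python
import base64

# Challenges a server sends for AUTH LOGIN: base64 of "Username:" / "Password:".
LOGIN_CHALLENGES = ("VXNlcm5hbWU6", "UGFzc3dvcmQ6")

def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")

def plain_response(authcid, password, authzid=""):
    """Base64 argument for AUTH PLAIN: authzid NUL authcid NUL password (RFC 4616)."""
    fields = (authzid, authcid, password)
    if not authcid or any("\0" in f for f in fields):
        raise ValueError("authcid is required and no field may contain NUL")
    return _b64("\0".join(fields).encode("utf-8"))

def decode_plain(b64):
    """Split a captured AUTH PLAIN argument into (authzid, authcid, password)."""
    parts = base64.b64decode(b64, validate=True).split(b"\0")
    if len(parts) != 3 or not parts[1]:
        raise ValueError("not a PLAIN message: expected authzid NUL authcid NUL password")
    return tuple(p.decode("utf-8") for p in parts)

def sample_client_view(b64):
    """One-line rendering in the style of the sample client's output:
    byte count in braces, then the message with NUL shown as [0]."""
    raw = base64.b64decode(b64, validate=True)
    return "{%d} %s" % (len(raw), raw.decode("utf-8").replace("\0", "[0]"))

def login_exchange(user, password):
    """(server challenge, client reply) pairs for AUTH LOGIN, all base64."""
    replies = (_b64(user.encode("utf-8")), _b64(password.encode("utf-8")))
    return list(zip(LOGIN_CHALLENGES, replies))

if __name__ == "__main__":
    # Constructed credentials; authzid equals authcid, as in the session above.
    arg = plain_response("alice", "s3cret!", authzid="alice")
    print("AUTH PLAIN " + arg)
    print(sample_client_view(arg))
    print(decode_plain(arg))
    for challenge, reply in login_exchange("alice", "s3cret!"):
        print("334 " + challenge, "->", reply)
```

The base64 argument is an encoding, not encryption, so anyone who can read the session can recover the password with decode_plain.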