postfix + cyrus-sasl + PAM + pam_ruby

Sean O'Malley omalleys at msu.edu
Wed Jul 22 15:36:40 EDT 2009


try:
testsaslauthd -u username -p password -r "127.0.0.1;234" -s servicename

(the -r flag probably isn't needed, I believe it specifies the realm
name.)

This should test saslauthd and your pam configuration.

I believe on Red Hat they called it cyrus-testsaslauthd or something along
those lines if it is included.

If that works, you know your backend is configured correctly.

I would probably try it with pam_unix and a local account if that doesn't
work, just to see if the problem is with your pam stack or with the pam
module.


On Wed, 22 Jul 2009, David van Geest wrote:

> Hi All,
>
> We've abandoned previous efforts to use pam_mysql with postfix and
> cyrus-sasl (see previous post...), and have decided to make use of our
> own Ruby libraries to access the DB.  Therefore, we're now attempting to
> use pam_ruby.  I started out with the example implementation found here:
> http://ruby-pam.sourceforge.net/pam-ruby.html.
>
> Not having any luck so far telnet'ing to our SMTP server on port 2525
> and authenticating, so I'm wondering what could be wrong.
>
> I ran saslfinger -s on the server and got this output:
>
> -bash-3.2# saslfinger -s
> saslfinger - postfix Cyrus sasl configuration Wed Jul 22 14:26:23 EDT 2009
> version: 1.0.2
> mode: server-side SMTP AUTH
>
> -- basics --
> Postfix: 2.5.5
> System: CentOS release 5.2 (Final)
>
> -- smtpd is linked to --
>         libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7f43000)
>
> -- active SMTP AUTH and TLS parameters for smtpd --
> broken_sasl_auth_clients = yes
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_authenticated_header = yes
> smtpd_sasl_local_domain =
> smtpd_sasl_path = smtpd
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_type = cyrus
> smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
> smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
> smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = yes
> smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
> smtpd_tls_session_cache_timeout = 3600s
>
>
> -- listing of /usr/lib/sasl --
> total 28
> drwxr-xr-x  2 root root  4096 Jul 21 11:55 .
> drwxr-xr-x 62 root root 24576 Jul 21 13:49 ..
>
> -- listing of /usr/lib/sasl2 --
> total 3392
> drwxr-xr-x  2 root root   4096 Jul 22 14:15 .
> drwxr-xr-x 62 root root  24576 Jul 21 13:49 ..
> -rw-r--r--  1 root root     25 Mar 14  2007 Sendmail.conf
> -rwxr-xr-x  1 root root    884 Jan  7  2007 libanonymous.la
> -rwxr-xr-x  1 root root  14372 Jan  7  2007 libanonymous.so
> -rwxr-xr-x  1 root root  14372 Jan  7  2007 libanonymous.so.2
> -rwxr-xr-x  1 root root  14372 Jan  7  2007 libanonymous.so.2.0.22
> -rwxr-xr-x  1 root root    870 Jan  7  2007 libcrammd5.la
> -rwxr-xr-x  1 root root  16832 Jan  7  2007 libcrammd5.so
> -rwxr-xr-x  1 root root  16832 Jan  7  2007 libcrammd5.so.2
> -rwxr-xr-x  1 root root  16832 Jan  7  2007 libcrammd5.so.2.0.22
> -rwxr-xr-x  1 root root    893 Jan  7  2007 libdigestmd5.la
> -rwxr-xr-x  1 root root  47204 Jan  7  2007 libdigestmd5.so
> -rwxr-xr-x  1 root root  47204 Jan  7  2007 libdigestmd5.so.2
> -rwxr-xr-x  1 root root  47204 Jan  7  2007 libdigestmd5.so.2.0.22
> -rwxr-xr-x  1 root root    933 Jan  7  2007 libgssapiv2.la
> -rwxr-xr-x  1 root root  26528 Jan  7  2007 libgssapiv2.so
> -rwxr-xr-x  1 root root  26528 Jan  7  2007 libgssapiv2.so.2
> -rwxr-xr-x  1 root root  26528 Jan  7  2007 libgssapiv2.so.2.0.22
> -rwxr-xr-x  1 root root    877 Jan  7  2007 libldapdb.la
> -rwxr-xr-x  1 root root  15472 Jan  7  2007 libldapdb.so
> -rwxr-xr-x  1 root root  15472 Jan  7  2007 libldapdb.so.2
> -rwxr-xr-x  1 root root  15472 Jan  7  2007 libldapdb.so.2.0.22
> -rwxr-xr-x  1 root root    856 Jan  7  2007 liblogin.la
> -rwxr-xr-x  1 root root  14752 Jan  7  2007 liblogin.so
> -rwxr-xr-x  1 root root  14752 Jan  7  2007 liblogin.so.2
> -rwxr-xr-x  1 root root  14752 Jan  7  2007 liblogin.so.2.0.22
> -rwxr-xr-x  1 root root    858 Jan  7  2007 libntlm.la
> -rwxr-xr-x  1 root root  31516 Jan  7  2007 libntlm.so
> -rwxr-xr-x  1 root root  31516 Jan  7  2007 libntlm.so.2
> -rwxr-xr-x  1 root root  31516 Jan  7  2007 libntlm.so.2.0.22
> -rwxr-xr-x  1 root root    856 Jan  7  2007 libplain.la
> -rwxr-xr-x  1 root root  14848 Jan  7  2007 libplain.so
> -rwxr-xr-x  1 root root  14848 Jan  7  2007 libplain.so.2
> -rwxr-xr-x  1 root root  14848 Jan  7  2007 libplain.so.2.0.22
> -rwxr-xr-x  1 root root    930 Jan  7  2007 libsasldb.la
> -rwxr-xr-x  1 root root 905200 Jan  7  2007 libsasldb.so
> -rwxr-xr-x  1 root root 905200 Jan  7  2007 libsasldb.so.2
> -rwxr-xr-x  1 root root 905200 Jan  7  2007 libsasldb.so.2.0.22
> -rwxr-xr-x  1 root root    878 Jan  7  2007 libsql.la
> -rwxr-xr-x  1 root root  23084 Jan  7  2007 libsql.so
> -rwxr-xr-x  1 root root  23084 Jan  7  2007 libsql.so.2
> -rwxr-xr-x  1 root root  23084 Jan  7  2007 libsql.so.2.0.22
> -rw-r--r--  1 root root     57 Jul 21 11:56 sample.conf
> -rw-r--r--  1 root root     57 Jul 21 11:56 smtpd.conf
>
> -- listing of /etc/sasl2 --
> total 12
> drwxr-xr-x  2 root root 4096 Jul 22 13:49 .
> drwxr-xr-x 80 root root 4096 Jul 22 13:59 ..
> -rw-r--r--  1 root root   57 Jul 22 13:49 smtpd.conf
>
>
>
>
> -- content of /usr/lib/sasl2/smtpd.conf --
>     pwcheck_method: saslauthd
>     mech_list: PLAIN LOGIN
>
> -- content of /etc/sasl2/smtpd.conf --
>     pwcheck_method: saslauthd
>     mech_list: PLAIN LOGIN
>
>
> -- active services in /etc/postfix/master.cf --
> # service type  private unpriv  chroot  wakeup  maxproc command + args
> #               (yes)   (yes)   (yes)   (never) (100)
> smtp       inet n       -       n       -       -       smtpd
> submission inet n       -       n       -       -       smtpd
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> 2525       inet n       -       n       -       -       smtpd
>   -o smtpd_sasl_auth_enable=yes
> smtps     inet  n       -       n       -       -       smtpd
>   -o smtpd_tls_wrappermode=yes
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> cleanup   unix  n       -       n       -       0       cleanup
> qmgr      fifo  n       -       n       300     1       qmgr
> tlsmgr    unix  -       -       n       1000?   1       tlsmgr
> rewrite   unix  -       -       n       -       -       trivial-rewrite
> bounce    unix  -       -       n       -       0       bounce
> defer     unix  -       -       n       -       0       bounce
> trace     unix  -       -       n       -       0       bounce
> verify    unix  -       -       n       -       1       verify
> flush     unix  n       -       n       1000?   0       flush
> proxymap  unix  -       -       n       -       -       proxymap
> smtp      unix  -       -       n       -       -       smtp
> relay     unix  -       -       n       -       -       smtp
>         -o fallback_relay=
> showq     unix  n       -       n       -       -       showq
> error     unix  -       -       n       -       -       error
> discard   unix  -       -       n       -       -       discard
> local     unix  -       n       n       -       -       local
> virtual   unix  -       n       n       -       -       virtual
> lmtp      unix  -       -       n       -       -       lmtp
> anvil     unix  -       -       n       -       1       anvil
> scache    unix  -       -       n       -       1       scache
> maildrop  unix  -       n       n       -       -       pipe
>   flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
> old-cyrus unix  -       n       n       -       -       pipe
>   flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
> cyrus     unix  -       n       n       -       -       pipe
>   user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
> uucp      unix  -       n       n       -       -       pipe
>   flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
> ifmail    unix  -       n       n       -       -       pipe
>   flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
> bsmtp     unix  -       n       n       -       -       pipe
>   flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
> retry     unix  -       -       n       -       -       error
> proxywrite unix -       -       n       -       1       proxymap
>
> -- mechanisms on localhost --
> 250-AUTH LOGIN PLAIN
> 250-AUTH=LOGIN PLAIN
>
>
> -- end of saslfinger output --
>
> Also looked a bit at the sasl2-sample-server and -client (with  ln -s
> /usr/lib/sasl2/smtpd.conf /usr/lib/sasl2/sample.conf):
>
> sasl2-sample-server -s rcmd -p 8000
>
> then in another terminal
>
> -bash-3.2# sasl2-sample-client -s rcmd -p 8000 -m PLAIN 127.0.0.1
> receiving capability list... recv: {11}
> LOGIN PLAIN
> LOGIN PLAIN
> please enter an authentication id: PLAIN
> please enter an authorization id: <myunixuser>
> Password:
> send: {5}
> PLAIN
> send: {1}
> Y
> send: {23}
> <myunixuser>[0]<myunixuser>[0]<mypass>
> authentication failed
> closing connection
>
> And if it matters, /etc/sysconfig/saslauthd has "mech=PAM" in it.
>
> Any ideas?  Am I even testing this out correctly?
> -David
>
>
>

--------------------------------------
  Sean O'Malley, Information Technologist
  Michigan State University
-------------------------------------
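
Added example, not part of the original message or of the Cyrus SASL sources: a minimal Python client for the request that testsaslauthd sends to saslauthd, so the backend check above can be run with the password read from a prompt rather than passed with -p. The socket path is an assumption (it depends on the distribution and on saslauthd's -m option), and the function names are made up for this sketch.

```python
import socket
import struct

# Assumed socket path; adjust to match saslauthd's -m run directory.
MUX_PATH = "/var/run/saslauthd/mux"

def build_request(user, password, service, realm=""):
    """Encode user, password, service, realm: 2-byte big-endian length + bytes each."""
    out = b""
    for field in (user, password, service, realm):
        data = field.encode("utf-8")
        if len(data) > 0xFFFF:
            raise ValueError("field too long for a 16-bit length prefix")
        out += struct.pack("!H", len(data)) + data
    return out

def parse_reply(raw):
    """Decode the length-prefixed reply; return (ok, text), text starting OK or NO."""
    if len(raw) < 2:
        raise ValueError("short reply")
    (n,) = struct.unpack("!H", raw[:2])
    body = raw[2:2 + n]
    if len(body) != n:
        raise ValueError("truncated reply")
    text = body.decode("utf-8", "replace")
    return text.startswith("OK"), text

def _read_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("saslauthd closed the connection early")
        buf += chunk
    return buf

def check(user, password, service, realm="", path=MUX_PATH):
    """Ask saslauthd to verify one credential against the given service name."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(build_request(user, password, service, realm))
        head = _read_exact(s, 2)
        (n,) = struct.unpack("!H", head)
        return parse_reply(head + _read_exact(s, n))

if __name__ == "__main__":
    import getpass, sys
    ok, text = check(sys.argv[1], getpass.getpass(), sys.argv[2])
    print(text)
    sys.exit(0 if ok else 1)
```

With mech=PAM the service argument selects the PAM service file that saslauthd consults; Postfix's smtpd uses the service name smtp by default (smtpd_sasl_service), so that is the stack to test.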


