SASL authentication

I add the user with saslpasswd

I start saslauthd -a shadow

But when I try to send mail with authentication I get an error that the login and password don't match.

Any ideas?

Thanks

7 Replies

Check to make sure whatever userid the daemons are running under has read access to the proper files. I believe the file is /etc/sasldb.

I just started playing with postfix + sasl yesterday and I ran into this problem a few times. But that's really all I know right now. I put that on hold for some other stuff.

> i start saslauthd -a shadow

You are telling saslauthd to look in your /etc/shadow file! You can add people with saslpasswd all day, but it won't get you anywhere. You need to add them to the passwd/shadow files on your box. Yes, that means they will have an account on the host, so if you don't want that, try this:

saslauthd -a sasldb

That will make saslauthd look in /etc/sasldb

– James

Depends on the MTA as well. For example, Postfix on Debian runs chrooted and has no access to /etc, so you need to put it in /var/spool/postfix/etc or somewhere else that the user running the MTA has access to.

Do you just want authentication against /etc/passwd? If you do, you should use Cyrus-SASL2 with PAM (it can be done!!)

The following shows how

To compile it and install it:
./configure --prefix=/usr/local --enable-login --disable-krb4 --disable-gssapi --disable-cram --disable-digest
make
make install
ln -s /usr/local/lib/sasl2 /usr/lib/sasl2
ldconfig
mkdir -p /var/state/saslauthd
chmod 711 /var/state/saslauthd

To configure it:
echo "pwcheck_method: saslauthd" > /usr/local/lib/sasl2/smtpd.conf

To set up a correct PAM entry:
cp /etc/pam.d/other /etc/pam.d/smtp

To run it:
/usr/local/sbin/saslauthd -a pam -n 2
(replace n with however many instances you want)

HTH

Sunny Dubey

PS: When running MTAs like Postfix or whatever … DO NOT PASS A "sasl local domain" OF ANY KIND. What ends up happening is that instead of authenticating "username", the MTA will pass along "username@domain", which obviously will fail. Check your logs to make sure this isn't happening (even with your current setup). If it is, google for pam_realm (which strips the @domain part).

Like ppdorapa, I'm struggling with SMTP authentication. I've googled many different documents (and understood some of them :wink: ) but am having trouble figuring out the big picture – can someone give me an outline of the steps? The end result I'm looking for is secure POP, secure IMAP, and secure SMTP using Debian woody. I've played with exim and postfix, and am open to any solution that can be installed and updated with apt-get.

As I understand it, I need to enable some kind of wrapper (either sasl or sslwrap or something else) that will accept incoming SSL connection on behalf of the daemon listening at that port, and then pass the decrypted communication to the correct daemon.

With SMTP, should I then remove all relaying restrictions and allow access only through the SSL wrapper? (A related problem I'm trying to address is that the default configuration of exim blocks me from sending to anyone but myself.) How would I then configure my mail client? Obviously to use SSL in the connection, but what about authentication? Password or Kerberos 4 or 5 or MD5 Challenge-Response?

Does IMAP require this wrapper, or is encryption already supported by the IMAP protocol?

@schof:

As I understand it, I need to enable some kind of wrapper (either sasl or sslwrap or something else) that will accept incoming SSL connection on behalf of the daemon listening at that port, and then pass the decrypted communication to the correct daemon.

That is one way, but postfix can do this naturally via a TLS patch. Check out the docs on postfix.org and my own (WIP) howto at: http://opencurve.org/~sunny/nix/postfix/. It's far from being done, but it covers SASL and TLS/SSL.

As for IMAP-SSL? Courier-IMAP does that super easy. Their documentation is all one needs. However you may find yourself doing the following so that you don't use Courier-IMAP's broken PAM setup.

cp /etc/pam.d/other /etc/pam.d/pop3

cp /etc/pam.d/other /etc/pam.d/imap

@schof:

How would I then configure my mail client? Obviously to use SSL in the connection, but what about authentication? Password or Kerberos 4 or 5 or MD5 Challenge-Response?

Careful here, not all SASL authentication mechanisms work with all authentication sources. IIRC PAM only works with PLAIN and LOGIN. However saslauthdb works with CRAM-MD5 and DIGEST-MD5. You gotta figure all of this out at compile time. (When you think about one-way encryption hashes, you'll see why this is true.)

To make things more confusing, PLAIN and LOGIN cannot be sent over a clear-text network. However CRAM and DIGEST can.

Sunny Dubey

PS: Sorry for screwing up the posting
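The two points Sunny makes above (the mechanism/backend mismatch, and the "sasl local domain" turning "username" into "username@domain" at lookup time) are easiest to see by running the client and server halves of the exchange side by side. The following is an added example written for this page; it is not code from the thread, from Cyrus SASL or from Postfix. The user name, password, realm and CRAM-MD5 challenge are constructed; the "shadow" store uses a toy salted SHA-256 rather than crypt(3); and strip_realm models what the post says pam_realm does (drops everything after "@"). Everything else is the actual encoding the three mechanisms put on the wire.

```python
"""
SMTP AUTH mechanisms (PLAIN, LOGIN, CRAM-MD5) from the client and the server
side.  Added example, not part of the original thread.  Shows:
  * PLAIN/LOGIN are only base64-encoded, so a sniffer on a cleartext
    session recovers the password with one decode;
  * a hash-only store (/etc/shadow behind PAM/saslauthd) can verify
    PLAIN/LOGIN but not CRAM-MD5, because the HMAC key *is* the password;
  * a "sasl local domain" makes the backend look up "alice@example.org"
    instead of "alice", which fails unless the realm is stripped.
All names, secrets and the challenge below are constructed for the demo.
"""
import base64
import hashlib
import hmac

USER = "alice"                                   # constructed
PASSWORD = "correct horse"                       # constructed
REALM = "example.org"                            # hypothetical "sasl local domain"
CHALLENGE = b"<1896.697170952@mail.example.org>"  # constructed CRAM-MD5 challenge


# ---- client side -----------------------------------------------------------

def plain_initial_response(user, password, authzid=""):
    """AUTH PLAIN: base64(authzid NUL authcid NUL password), RFC 4616."""
    return base64.b64encode(f"{authzid}\0{user}\0{password}".encode()).decode()


def login_exchange(user, password):
    """AUTH LOGIN: base64 answers to the server's 'Username:' / 'Password:'."""
    return [base64.b64encode(user.encode()).decode(),
            base64.b64encode(password.encode()).decode()]


def cram_md5_response(user, password, challenge):
    """CRAM-MD5 reply: 'user hex(HMAC-MD5(key=password, msg=challenge))', RFC 2195."""
    return f"{user} {hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()}"


# ---- what a sniffer on an unencrypted session gets ------------------------

def recover_from_plain(b64):
    """PLAIN is encoded, not encrypted: one decode yields user and password."""
    _authzid, user, password = base64.b64decode(b64).decode().split("\0")
    return user, password


def recover_from_cram(response):
    """CRAM-MD5 exposes the user name and a keyed digest, never the password."""
    user, _, digest = response.partition(" ")
    return user, digest


# ---- server side: two kinds of credential store ---------------------------

def make_shadow_store(creds):
    """Like /etc/shadow: keeps salt + hash only (toy SHA-256 stands in for crypt)."""
    return {u: ("s4lt", hashlib.sha256(b"s4lt" + p.encode()).hexdigest())
            for u, p in creds.items()}


def make_sasldb_store(creds):
    """Like /etc/sasldb: keeps the secret in recoverable form (here: plaintext)."""
    return dict(creds)


def strip_realm(authcid):
    """Models pam_realm as described in the post: 'alice@example.org' -> 'alice'."""
    return authcid.split("@", 1)[0]


def verify_plain(shadow, b64, strip=False):
    """A hash-only store can check PLAIN/LOGIN: hash what the client sent, compare."""
    _authzid, user, password = base64.b64decode(b64).decode().split("\0")
    if strip:
        user = strip_realm(user)
    entry = shadow.get(user)
    if entry is None:
        return False                      # e.g. "alice@example.org" is not a user
    salt, digest = entry
    return hmac.compare_digest(
        digest, hashlib.sha256(salt.encode() + password.encode()).hexdigest())


def verify_cram(sasldb, challenge, response, strip=False):
    """Only a store holding the secret itself can recompute the HMAC; a shadow
    store has nothing to key the HMAC with, which is why PAM cannot do CRAM."""
    user, digest = recover_from_cram(response)
    if strip:
        user = strip_realm(user)
    secret = sasldb.get(user)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def walk_through():
    """Run the exchanges the thread describes and return the outcomes."""
    creds = {USER: PASSWORD}
    shadow, sasldb = make_shadow_store(creds), make_sasldb_store(creds)
    plain = plain_initial_response(USER, PASSWORD)
    cram = cram_md5_response(USER, PASSWORD, CHALLENGE)
    # With a "sasl local domain" set, the MTA hands the backend "alice@example.org".
    plain_realm = plain_initial_response(f"{USER}@{REALM}", PASSWORD)
    return {
        "sniffed_plain": recover_from_plain(plain),      # ('alice', 'correct horse')
        "sniffed_cram": recover_from_cram(cram),         # ('alice', <32 hex chars>)
        "plain_vs_shadow": verify_plain(shadow, plain),
        "cram_vs_sasldb": verify_cram(sasldb, CHALLENGE, cram),
        "realm_unstripped": verify_plain(shadow, plain_realm),
        "realm_stripped": verify_plain(shadow, plain_realm, strip=True),
    }


if __name__ == "__main__":
    for key, value in walk_through().items():
        print(f"{key}: {value}")
```

Running it prints that PLAIN decodes straight back to the password (hence the advice to get TLS working first), that the CRAM-MD5 reply verifies only against the store that still holds the secret, and that the realm-suffixed login fails until the "@domain" part is stripped, which is exactly the symptom to look for in the mail log.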

I've successfully set up Postfix's SMTP AUTH to use PAM on Debian Woody. This document tells how to do it fairly painlessly. I strongly recommend getting TLS working after this, since otherwise you'll be sending passwords in the clear.

http://www.lugod.org/mailinglists/archives/vox-tech/2003-10/msg00207.html
