Re: saslauthd

martin f krafft Fri, 05 Nov 2004 01:43:43 -0800

also sprach W.Andrew Loe III <[EMAIL PROTECTED]> [2004.11.05.1034 +0100]:
> I am trying to get PLAIN authentication over TLS to work with postfix. 
> I am having a problem with getting saslauthd (checking against system 
> users) to run. /etc/init.d/saslauthd exists, but it doesn't do anything


make sure START=yes is set in /etc/default/saslauthd.

sh -x helps... :)

albatross:/etc/postfix# cat /etc/default/saslauthd
START=yes
MECHANISMS="pam"
PARAMS="-O /etc/saslauthd.conf -m /var/spool/postfix/var/run/saslauthd"

The last one makes sure to put the multiplexer into the postfix
chroot. You have to create the appropriate directories:

albatross:/etc/postfix# ls -la /var/spool/postfix/var/run/saslauthd       [314]
total 64
drwxr-xr-x    2 root     root           53 2004-10-20 15:52 ./
drwxr-xr-x    3 root     root           22 2004-07-10 12:37 ../
srwxrwxrwx    1 root     root            0 2004-10-20 15:52 mux=
-rw-------    1 root     root            0 2004-10-20 15:52 mux.accept
-rw-------    1 root     root            4 2004-10-20 15:52 saslauthd.pid

Then start saslauthd and see if the three files are created.

> properly use sasl2 not sasl, but it seems that it never finds my 
> smtpd.conf, so it doesn't know to use saslauthd to check if the user 
> authenticates - leaving me out in the cold :(

albatross:/etc/postfix# cat /etc/postfix/sasl/smtpd.conf
pwcheck_method: saslauthd
mech_list: plain login

Finally, here are the relevant parts from postfix:

main.cf:

  smtpd_use_tls = yes
  smtpd_enforce_tls = no
  smtpd_tls_wrappermode = no

  smtpd_sasl_auth_enable = no
  smtpd_sasl_local_domain = smtprelay.madduck.net
  smtpd_sasl_security_options = noanonymous, noplaintext
  broken_sasl_auth_clients = no

master.cf:

  smtps   inet  n - - - - smtpd
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_security_options=noanonymous

This will make SASL work only if you connect to port 465, which is
the standard SMTP-SSL/TLS port. Thus, use SSL/TLS on connect, not
STARTTLS.

-- 
Please do not send copies of list mail to me; I read the list!
 
 .''`.     martin f. krafft <[EMAIL PROTECTED]>
: :'  :    proud Debian developer, admin, user, and author
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!

signature.asc
Description: Digital signature

Re: saslauthd

Reply via email to