pam auth error
onik
27th June 2008, 11:00
Hello,
I am using Postfix version 2.5.2 with dovecot
I am having below problem for plain text authentication:
Jun 27 16:11:58 smtp(pam_unix)[3745]: check pass; user unknown
Jun 27 16:11:58 smtp(pam_unix)[3745]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jun 27 16:12:00 saslauthd[3745]: do_auth : auth failure: [user=abc] [service=smtp] [realm=xxxx.com] [mech=pam] [reason=PAM auth error]
My /etc/pam.d/smtp file is as under:
#%PAM-1.0
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
Just don't know what the problem is. My POP server is getting properly authenticated.
Thanks for help!
onik
falko
28th June 2008, 00:43
Which distribution are you using?
onik
28th June 2008, 08:21
I am using the CentOS 4.6 Linux distribution.
topdog
28th June 2008, 12:58
I think it is the realm that is confusing your PAM; it is working out the usernames as user@xxx.com.
Try turning off the -r flag if you have it set for your saslauthd.
ekkis
26th July 2009, 10:32
I have a similar problem (running on Fedora Core 11). My /etc/sysconfig/saslauthd:
SOCKETDIR=/var/run/saslauthd
START=yes
DESC="SASL Authentication Daemon"
NAME="saslauthd"
MECHANISMS="pam"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
Please note that I removed the -r from the last line but it didn't help. Here's my /etc/pam.d/smtp:
auth required pam_mysql.so user=mail_admin passwd=whatever host=127.0.0.1 db=mail table=users usercolumn=email passwdcolumn=password crypt=1
account sufficient pam_mysql.so user=mail_admin passwd=whatever host=127.0.0.1 db=mail table=users usercolumn=email passwdcolumn=password crypt=1
and if I look in the database I see what I would expect:
# mysql -u mail_admin -p mail
whatever
select * from users;
+--------------+------------------+----------+
| email | password | quota |
+--------------+------------------+----------+
| tst@arix.com | 5ce37c852c314c20 | 10485760 |
+--------------+------------------+----------+
1 row in set (0.00 sec)
I run a test, which fails with the included results:
# testsaslauthd -u tst -p testpass -s smtp -r arix.com
0: NO "authentication failed"
I'm running the daemon by hand like this, which also generates the included output:
# saslauthd -d -V -a pam
[...]
saslauthd[13741] :do_auth: auth failure: [user=tst] [service=smtp]
[realm=arix.com] [mech=pam] [reason=PAM auth error]
and curiously, in /var/log/secure I see:
Jul 26 00:27:49 janus saslauthd[13741]: pam_mysql - SELECT returned no result.
but there are no messages when I try the test like this (though obviously I still fail the test):
# testsaslauthd -u tst@arix.com -p testpass -s smtp
0: NO "authentication failed"
what else can I look at?
thx - e
ekkis
27th July 2009, 04:27
A little more info... I discovered I can turn on debugging info for PAM by adding "debug" to my /etc/pam.d/smtp file like this:
auth required pam_mysql.so user=mail_admin passwd=*** host=127.0.0.1 db=mail table=users usercolumn=email passwdcolumn=password crypt=1 debug
account sufficient pam_mysql.so user=mail_admin passwd=*** host=127.0.0.1 db=mail table=users usercolumn=email passwdcolumn=password crypt=1 debug
This allowed me to learn a little more. When I do:
# testsaslauthd -u tst -p *** -r arix.com -s smtp
...the SQL generated in /var/log/secure shows:
Jul 26 18:21:58 janus saslauthd[10002]: pam_mysql - SELECT password FROM users WHERE email = 'tst'
which is clearly wrong... Therefore the test should be called like this:
# testsaslauthd -u tst@arix.com -p *** -s smtp
Well... that also failed, so I tried passing the encrypted version of the password:
# testsaslauthd -u tst@arix.com -p 5ce37c852c314c20 -s smtp
But it didn't work either. Sigh...
ekkis
27th July 2009, 06:20
OK, a little more progress... As per the HOWTO, /etc/pam.d/smtp contains crypt=1. According to the SASL README this means use of crypt() for password encryption... but the HOWTO has me using the MySQL PASSWORD() function to store the passwords in the database.
So I changed to crypt=mysql, which continued to fail (there's a note in the README that it might). Setting crypt=0 and testing with plain passwords worked. Then I used MySQL's encrypt() to store the password, and set crypt back to 1. Everything works.
Incidentally, md5 doesn't seem to work, in either crypt=Y md5 or crypt=md5 modes.
But this was all when running the daemon by hand with (yes, I figured out how to hand it a config file):
# saslauthd -d -a pam -O /etc/postfix/sasl/smtpd.conf
When I start the daemon:
# service saslauthd start
...it fails. In looking at /etc/init.d/saslauthd I see that the mechanism is hard-coded to shadow, but I don't know if I should be modifying this file... I guess I don't know whether courier-imap or postfix will run saslauthd directly (and hand it its configuration file of choice), or whether it relies on the daemon being started at boot time.
Anyone know the answer?
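The crypt= confusion in the post above comes down to matching the pam_mysql setting to the format the rows were actually written in. The following is an added example, not code from the thread, from pam_mysql or from the HOWTO: it classifies a stored hash by its shape, recomputes the two MySQL PASSWORD() formats and plain hex MD5 in pure Python, and compares in constant time. The 16-hex-digit value from the thread's users table has the shape of the pre-4.1 PASSWORD() output, which is why crypt=1 (crypt(3)) could never match it. The crypt= option names attached to each scheme ("plain", "crypt", "mysql", "md5") are my reading of the pam_mysql README and are an assumption; the pre-4.1 hash is reconstructed from MySQL's sql/password.c.

```python
"""Which password scheme is in the table, and which pam_mysql crypt= matches it.

Added example, not from the thread, pam_mysql or MySQL. Shape-based
classification is a heuristic: a plaintext password that happens to be 16 or
32 hex digits would be misclassified, so the rows' provenance is authoritative.
"""
import hashlib
import hmac
import re
from typing import Optional, Tuple

def mysql_old_password(password: str) -> str:
    """Pre-4.1 MySQL PASSWORD(): 16 hex digits (reconstructed from sql/password.c)."""
    nr, add, nr2 = 1345345333, 7, 0x12345671
    for ch in password.encode("utf-8"):
        if ch in (0x20, 0x09):          # the original skips spaces and tabs
            continue
        nr = (nr ^ ((((nr & 63) + add) * ch) + (nr << 8))) & 0xFFFFFFFF
        nr2 = (nr2 + ((nr2 << 8) ^ nr)) & 0xFFFFFFFF
        add = (add + ch) & 0xFFFFFFFF
    return "%08x%08x" % (nr & 0x7FFFFFFF, nr2 & 0x7FFFFFFF)

def mysql41_password(password: str) -> str:
    """MySQL 4.1+ PASSWORD(): '*' followed by uppercase hex SHA1(SHA1(password))."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

def md5_hex(password: str) -> str:
    """Plain hex MD5, the format pam_mysql's md5 mode expects (assumption)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# (scheme, shape, pam_mysql crypt= value) -- the crypt= names are an assumption
SCHEMES = [
    ("mysql_old", re.compile(r"^[0-9a-f]{16}$"), "mysql"),
    ("mysql41", re.compile(r"^\*[0-9A-F]{40}$"), "mysql"),
    ("md5_hex", re.compile(r"^[0-9a-f]{32}$"), "md5"),
    ("crypt_des", re.compile(r"^[./0-9A-Za-z]{13}$"), "crypt"),
    ("crypt_modular", re.compile(r"^\$(1|5|6)\$"), "crypt"),
]

def classify(stored: str) -> Tuple[str, str]:
    """Return (scheme, crypt_setting) for a stored value; unknown shapes are 'plain'."""
    for name, pattern, setting in SCHEMES:
        if pattern.match(stored):
            return name, setting
    return "plain", "plain"

def verify(stored: str, password: str) -> Optional[bool]:
    """Check a password against a stored value; None when crypt(3) would be needed."""
    scheme, _ = classify(stored)
    if scheme == "mysql_old":
        candidate = mysql_old_password(password)
    elif scheme == "mysql41":
        candidate = mysql41_password(password)
    elif scheme == "md5_hex":
        candidate = md5_hex(password)
    elif scheme == "plain":
        candidate = password
    else:
        return None                     # crypt(3) formats: use the platform crypt()
    # constant-time comparison so a mismatch does not leak the matching prefix length
    return hmac.compare_digest(candidate.encode(), stored.encode())

if __name__ == "__main__":
    # "5ce37c852c314c20" is the value shown in the thread's table, used as opaque data
    print(classify("5ce37c852c314c20"))
    print(classify(mysql41_password("testpass")))   # constructed password
    print(verify(mysql_old_password("testpass"), "testpass"))
```

Run it against a value copied from your own users table; if classify() returns a crypt setting other than the one in /etc/pam.d/smtp, that mismatch is the "PAM auth error" before any realm question comes into play.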
falko
27th July 2009, 14:36
Is SELinux disabled?
ekkis
27th July 2009, 21:45
yes, SELinux is disabled:
# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
OK, answer to my last question: Postfix/Courier don't run their own copy of SASL. It was easy enough to test: turn off the daemon and run:
# perl -MMIME::Base64 -e 'print encode_base64("\0tst\@arix.com\0testpass");'
AGVAYXJpeC5jb20AZWtraXM=
# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.arix.com ESMTP Postfix
AUTH PLAIN AGVAYXJpeC5jb20AZWtraXM=
535 5.7.8 Error: authentication failed: generic failure
Then run the daemon and you get:
# perl -MMIME::Base64 -e 'print encode_base64("\0tst\@arix.com\0testpass");'
AGVAYXJpeC5jb20AZWtraXM=
# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.arix.com ESMTP Postfix
AUTH PLAIN AGVAYXJpeC5jb20AZWtraXM=
535 5.7.8 Error: authentication failed: authentication failure
However, I also found that Postfix uses the equivalent of [user=tst] [realm=arix.com] instead of [user=tst@arix.com] [realm=], which means I still got an authentication failure. So, I can tell the daemon to join the two fields like this:
saslauthd -d -a pam -O /etc/postfix/sasl/smtpd.conf -r
which satisfies the test:
# testsaslauthd -u tst -p ekkis -r arix.com -s smtp
0: OK "Success."
...and, of course:
root@janus:~ # telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.arix.com ESMTP Postfix
AUTH PLAIN AGVAYXJpeC5jb20AZWtraXM=
235 2.7.0 Authentication successful
But for whatever reason the daemon doesn't seem to care about the contents of /etc/sysconfig/saslauthd, i.e. adding the -r to the OPTIONS line doesn't seem to make a difference. Is this the wrong file to be editing in F11?
So my next question is: if I modify /etc/init.d/saslauthd to call the daemon as I want it (for smtp), then what else will I mess up? How do I also call the daemon to work for IMAP?
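Both the original poster's "check pass; user unknown" and the SELECT returning no result in the post above are the same mechanism: the client sends one string, the SASL layer splits it into user and realm, and saslauthd hands PAM only the user part unless started with -r. The following is an added example, not code from the thread, Postfix, Cyrus SASL or pam_mysql. It builds and decodes the RFC 4616 PLAIN payload that AUTH PLAIN carries, models the split and the -r re-join, and runs the thread's pam_mysql lookup against a constructed in-memory copy of the users table, with a bound parameter rather than string concatenation. The "split on the last @" rule is how I model the SASL layer and is an assumption; the hash value in the constructed table is copied from the thread as opaque data.

```python
"""How the login name reaches PAM: SASL PLAIN, realm splitting and saslauthd -r.

Added example, not from the thread or from any of the projects it discusses.
"""
import base64
import sqlite3
from typing import Optional, Tuple

def plain_encode(authcid: str, password: str, authzid: str = "") -> str:
    """Base64 payload a client sends after AUTH PLAIN: authzid NUL authcid NUL passwd."""
    raw = b"\0".join(s.encode("utf-8") for s in (authzid, authcid, password))
    return base64.b64encode(raw).decode("ascii")

def plain_decode(blob: str) -> Tuple[str, str, str]:
    """Inverse of plain_encode; rejects blobs that do not have exactly two NULs."""
    parts = base64.b64decode(blob, validate=True).split(b"\0")
    if len(parts) != 3:
        raise ValueError("PLAIN payload must contain exactly two NUL separators")
    authzid, authcid, password = (p.decode("utf-8") for p in parts)
    return authzid, authcid, password

def split_realm(authcid: str, default_realm: str = "") -> Tuple[str, str]:
    """user@realm -> (user, realm), modelling what the SASL layer does (assumption:
    split on the last '@'); a bare name gets the default realm."""
    if "@" in authcid:
        user, _, realm = authcid.rpartition("@")
        return user, realm
    return authcid, default_realm

def pam_login_name(user: str, realm: str, append_realm: bool) -> str:
    """Name saslauthd hands to PAM: the bare user, or user@realm when run with -r."""
    return f"{user}@{realm}" if append_realm and realm else user

def make_users_db() -> sqlite3.Connection:
    """Constructed in-memory table mirroring the thread's users(email, password, quota)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT, quota INTEGER)")
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("tst@arix.com", "5ce37c852c314c20", 10485760))
    return db

def lookup_stored_hash(db: sqlite3.Connection, login_name: str) -> Optional[str]:
    """The SELECT pam_mysql logged in the thread, with the name bound as a parameter."""
    row = db.execute("SELECT password FROM users WHERE email = ?", (login_name,)).fetchone()
    return row[0] if row else None

def trace_auth(blob: str, append_realm: bool) -> dict:
    """Follow one AUTH PLAIN blob: decode -> split -> saslauthd -> pam_mysql lookup."""
    _, authcid, _ = plain_decode(blob)
    user, realm = split_realm(authcid)
    login_name = pam_login_name(user, realm, append_realm)
    found = lookup_stored_hash(make_users_db(), login_name) is not None
    return {"user": user, "realm": realm, "pam_user": login_name, "row_found": found}

if __name__ == "__main__":
    blob = plain_encode("tst@arix.com", "testpass")     # constructed credentials
    print("without -r:", trace_auth(blob, append_realm=False))
    print("with -r:   ", trace_auth(blob, append_realm=True))
```

Without -r the lookup key is "tst", which matches no row in a table keyed by full address, and pam_mysql reports that the SELECT returned no result; with -r the key becomes "tst@arix.com" and the row is found. The same trace explains the original poster's pam_unix "user unknown": a realm-split name was being looked up in a database that knows a different form of it.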
ekkis
27th July 2009, 23:34
For kicks I tried:
# saslauthd -d -a pam -r
As you can see, without the -O /etc/postfix/sasl/smtpd.conf. To my surprise, authentication still worked... so obviously whatever is in that file (information on how to log into MySQL) is either picked up anyway, or not used at all (so the PAM file figures out how to issue the needed SQL)... so I think that solves my issue above... I've modified /etc/init.d/saslauthd and everything works now. Yea!
Here's IMAP:
# telnet localhost 143
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready. Copyright 1998-2008 Double Precision, Inc. See COPYING for distribution information.
a1 login e@arix.com ekkis
a1 OK LOGIN Ok.
a2 logout
* BYE Courier-IMAP server shutting down
a2 OK LOGOUT completed
Connection closed by foreign host.
And Postfix:
# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.arix.com ESMTP Postfix
AUTH PLAIN AGVAYXJpeC5jb20AZWtraXM=
235 2.7.0 Authentication successful
quit
221 2.0.0 Bye
Connection closed by foreign host.
Case closed (I think)!