SMTP authentication with saslauthd against PAM
Subject: SMTP authentication with saslauthd against PAM
Group: Postfix-users
From: Gianluca Culot
Date: 13 Apr 2007

Hi all

I'm setting up a mail server which will authenticate users for SMTP and POP3
against Active Directory.
Currently the server runs SMTP (postfix) and POP3 (dovecot) services without
problems, POP3 AUTHenticating users against Active Directory through samba3
services.

What is missing is the SMTP AUTHentication, so that roaming users from my
network can send email when not at office.

I've successfully set up samba3 for AD user authentication and configured
PAM services for system-wide authentication, so users can log in or
authenticate using a local FreeBSD uid and password (if they have any) or
an Active Directory user and password.
Local terminal, SSH and POP3 services are working correctly.
But I cannot make postfix authenticate users via saslauthd. If I turn on

smtpd_sasl_auth_enable = yes

and restart (or reload) the postfix daemon the service aborts with this
message in syslog ( /var/log/maillog )

Apr 12 10:35:33 mail postfix/smtpd[11722]: warning: SASL: Connect to smtpd failed: No such file or directory
Apr 12 10:35:33 mail postfix/smtpd[11722]: fatal: no SASL authentication mechanisms
Apr 12 10:35:33 mail postfix/smtpd[11724]: warning: SASL: Connect to smtpd failed: No such file or directory

I'm positive I'm missing something in / with the configuration file. But I
cannot figure out anything else
I've created

mail# /usr/local/lib/sasl2 > ls -al smtpd.conf
-rw-r--r-- 3 root wheel 98 Apr 12 12:30 smtpd.conf

and created these symbolic links

/usr/lib/sasl -> /usr/local/lib/sasl2/ # this was suggested in cyrus-sasl install
/usr/lib/sasl2 -> /usr/local/lib/sasl2/ # this was suggested in cyrus-sasl install

and these symbolic links to /usr/local/lib/sasl2/smtpd.conf, trying to
figure out where the configuration file should be created

/usr/local/lib/sasl2/dovecot.conf -> /usr/local/lib/sasl2/smtpd.conf
/usr/local/lib/sasl/dovecot.conf -> /usr/local/lib/sasl2/smtpd.conf
/usr/local/lib/sasl/dovecot.conf -> /usr/local/lib/sasl2/smtpd.conf
/etc/postfix/sasl/smtpd.conf -> /usr/local/lib/sasl2/smtpd.conf
/etc/postfix/sasl/dovecot.conf -> /usr/local/lib/sasl2/smtpd.conf
/etc/postfix/sasl2/smtpd.conf -> /usr/local/lib/sasl2/smtpd.conf
/etc/postfix/sasl2/dovecot.conf -> /usr/local/lib/sasl2/smtpd.conf

The problem remains.

In many other posts I've found hints about testing for a correct Cyrus
installation before proceeding (or posting :-) ).
Here is the log I could get from the Cyrus test utilities

mail# /usr/lib > smtptest
WARNING: no hostname supplied, assuming localhost

S: 220 mail.dmsware.com ESMTP Postfix
C: EHLO example.com
S: 250-mail.dmsware.com
S: 250-PIPELINING
S: 250-SIZE 100000768
S: 250-VRFY
S: 250-ETRN
S: 250-ENHANCEDSTATUSCODES
S: 250-8BITMIME
S: 250 DSN
Authenticated.
Security strength factor: 0

SMTPTEST didn't ask for user or password

-----------------------------
mail - ~ > pop3test
WARNING: no hostname supplied, assuming localhost

S: +OK Dovecot ready.
C: CAPA
S: +OK
S: CAPA
S: TOP
S: UIDL
S: RESP-CODES
S: PIPELINING
S: USER
S: SASL PLAIN LOGIN
S: .
Please enter your password:
C: AUTH PLAIN <not_going_to_post_it>
S: +OK Logged in.
Authenticated.
Security strength factor: 0
^CC: QUIT
Connection closed.

POP3TEST succeeded with local user and AD user

here is a summary of my configuration

Postfix 2.3.5 ( compiled from sources)
postfix patches pfixtls-0.8.19-2.2-20040829-0.9.7d
cyrus-sasl-2 ( cyrus-sasl-2.1.21 compiled from ports)
dovecot (dovecot-0.99.14 compiled from ports)
cyrus-imap22 (cyrus-imapd-2.2.12)
samba3 ( samba-3.0.14a compiled from ports)

=======================
mail# /etc/postfix/sasl > postconf -a
dovecot

mail# /usr/lib/sasl2 > less dovecot.conf
pwcheck_method: saslauthd
log_level: 3
mech_list: PLAIN LOGIN
saslauthd_path: /var/run/sasl2/mux

dovecot.conf (END)



=======================
mail# /etc/postfix > less main.cf
#--------------- excerpt ----------------
smtpd_sasl_type = dovecot
#smtpd_sasl_path = private/auth
smtpd_sasl_path = dovecot
#--------------- excerpt ----------------
# Set smtpd_sasl_auth_enable equal to yes to enable the advertisement of
# AUTH in the ESMTP capabilities.
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname

#--------------- excerpt ----------------
broken_sasl_auth_clients = yes
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_rhsbl_sender relays.ordb.org, reject_rhsbl_sender
    sbl-xbl.spamhaus.org, reject_rhsbl_sender bl.spamcop.net
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination

#--------------- excerpt ----------------
home_mailbox = mail/
#--------------- excerpt ----------------
# INSTALL-TIME CONFIGURATION INFORMATION
sendmail_path = /usr/sbin/sendmail
mailq_path = /usr/bin/mailq
setgid_group = postdrop


=======================
mail# /etc > less rc.conf
#--------------- excerpt ----------------
#-- SMTP Authentication
saslauthd_enable="YES"
saslauthd_flags=" -a pam"

#--- Postfix Configuration
sendmail_enable="YES"
sendmail_flags="-bd"
sendmail_pidfile="/var/spool/postfix/pid/master.pid"
sendmail_procname="/usr/local/libexec/postfix/master"
sendmail_outbound_enable="NO"
sendmail_submit_enable="NO"
sendmail_msp_queue_enable="NO"

dovecot_enable="YES"

#--- Samba Configuration
winbindd_enable="YES"

=======================
mail# /etc/pam.d > less dovecot
#
# $FreeBSD: src/etc/pam.d/pop3,v 1.5 2003/03/08 09:50:11 markm Exp $
#
# PAM configuration for the "pop3" service
#

# auth
auth     sufficient  pam_winbind.so  try_first_pass
#auth    required    pam_nologin.so  no_warn
#auth    sufficient  pam_krb5.so     no_warn try_first_pass
#auth    sufficient  pam_ssh.so      no_warn try_first_pass
auth     required    pam_unix.so     no_warn try_first_pass

=======================
mail# /etc/pam.d > less system
#
# $FreeBSD: src/etc/pam.d/system,v 1.1 2003/06/14 12:35:05 des Exp $
#
# System-wide defaults
#

# auth
auth     sufficient  pam_opie.so        no_warn no_fake_prompts
auth     requisite   pam_opieaccess.so  no_warn allow_local
auth     sufficient  pam_winbind.so     try_first_pass
#auth    sufficient  pam_krb5.so        no_warn try_first_pass
#auth    sufficient  pam_ssh.so         no_warn try_first_pass
auth     required    pam_unix.so        no_warn try_first_pass nullok

# account
account required pam_winbind.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so

# session
#session optional pam_ssh.so
session required pam_lastlog.so no_fail

# password
password  sufficient  pam_winbind.so  try_first_pass
#password sufficient  pam_krb5.so     no_warn try_first_pass
password  required    pam_unix.so     no_warn try_first_pass
system (END)

Thanks for any help or hint you can give me
----------------------------------------------
Gianluca Culot
DMS Multimedia
Via delle Arti e dei Mestieri, 6
20050 Sulbiate (Mi) - Italy
Tel: +39 039 5968925
Fax: +39 039 3309813
<mailto:gianlucaculot>
www.dmsware.com <http://www.dmsware.com/>
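
A consistency check for the settings quoted in the post, added here as an example and not part of the original message: `smtpd_sasl_type` selects the Postfix SASL plug-in, and the Cyrus `smtpd.conf` with `pwcheck_method: saslauthd` is only read when that type is `cyrus`. The function name `check_sasl_backend` and its result strings are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. check_sasl_backend is a
# hypothetical helper. On a live host the first three arguments come from
# `postconf -a`, `postconf -h smtpd_sasl_type`, `postconf -h smtpd_sasl_path`.
check_sasl_backend() {
    available=$1                        # SASL plug-in types built into Postfix
    sasl_type=$2                        # smtpd_sasl_type
    sasl_path=$3                        # smtpd_sasl_path
    want=$4                             # intended verifier: saslauthd | dovecot
    queue_dir=${5:-/var/spool/postfix}  # queue directory seen in the post
    status=0

    # The selected plug-in must be compiled into this Postfix build.
    if ! printf '%s\n' "$available" | grep -qxF -- "$sasl_type"; then
        echo "type-not-built: $sasl_type"
        return 1
    fi
    if [ "$sasl_type" = cyrus ] && [ "$want" = dovecot ]; then
        echo "dovecot-unused"           # Cyrus reads <smtpd_sasl_path>.conf
        status=1
    fi
    if [ "$sasl_type" = dovecot ]; then
        # In this mode the Cyrus smtpd.conf and saslauthd are never consulted.
        if [ "$want" = saslauthd ]; then
            echo "saslauthd-unused"
            status=1
            if ! printf '%s\n' "$available" | grep -qxF cyrus; then
                echo "cyrus-not-built"
            fi
        fi
        # smtpd_sasl_path names the Dovecot auth socket; a relative value is
        # resolved against the queue directory.
        case $sasl_path in
            /*) sock=$sasl_path ;;
            *)  sock=$queue_dir/$sasl_path ;;
        esac
        if [ ! -S "$sock" ]; then
            echo "socket-missing: $sock"
            status=1
        fi
    fi
    if [ "$status" -eq 0 ]; then
        echo "ok"
    fi
    return "$status"
}

# Values quoted in the post: postconf -a = dovecot, type = dovecot, path = dovecot.
check_sasl_backend "dovecot" dovecot dovecot saslauthd || true
```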
