courier authlib with smtp auth


courier authlib with smtp auth

James Grant-3
Hi all, I've exhausted myself trying to figure this one out... I'm using
courier-authlib and it's set up and working properly, imap/pop works fine,
authtest from the command line works fine.

For some reason, my smtp auth won't use it, it says it can't even find it..

#cat /etc/postfix/sasl/smtpd.conf
pwcheck_method: authdaemond
authdaemond_path: /var/run/courier/authdaemon/socket
mech_list: plain login

# ls -al /var/run/courier/authdaemon/socket
srwxrwxrwx 1 root root 0 2008-11-14 13:52 /var/run/courier/authdaemon/socket

# ls -al /var/run/courier/authdaemon
total 4
drwxr-xr-x 2 daemon daemon 100 2008-11-14 13:52 .
drwxr-xr-x 4 daemon daemon 240 2008-11-13 01:07 ..
-rw-r--r-- 1 root   root     6 2008-11-14 13:52 pid
-rw------- 1 root   root     0 2008-11-13 01:07 pid.lock
srwxrwxrwx 1 root   root     0 2008-11-14 13:52 socket

But yet, when trying to authenticate, I get this in my mail.log

Nov 14 14:29:19 mx1 postfix/smtpd[17982]: warning: SASL authentication failure:
cannot connect to Courier authdaemond: No such file or directory

I even turned on the crazy debugging but it doesn't give me any extra details
about that (like, where it's looking for authdaemond, or permissions, or
anything) .. I'm thinking an strace of smtpd would be useful but no clue how
I can do that since I can't run smtpd from the command line.

Any help would be appreciated!

PS:
I was originally using auxprop with the sql plugin, but it can only check
clear text passwords stored in the database, and in most cases, I don't have
clear text passwords for my users (since I'm migrating them over from another
system, I only have the crypt'd password, which courier-authlib uses no
problem)

James


--
James Grant

Lightbox Technologies
312-240 Catherine St.
Ottawa, ON. K2P 2G8

http://www.lightbox.org
[hidden email]
613-686-1661 x101


Re: courier authlib with smtp auth

Brian Evans - Postfix List
James Grant wrote:
> Hi all, I've exhausted myself trying to figure this one out... I'm using
> courier-authlib and it's set up and working properly, imap/pop works fine,
> authtest from the command line works fine.
>
> For some reason, my smtp auth won't use it, it says it can't even find it..
>
> #cat /etc/postfix/sasl/smtpd.conf
>  
This is often a path that is incorrect, but different systems can be set
to use it.

> pwcheck_method: authdaemond
> authdaemond_path: /var/run/courier/authdaemon/socket
> mech_list: plain login
>
> # ls -al /var/run/courier/authdaemon/socket
> srwxrwxrwx 1 root root 0 2008-11-14 13:52 /var/run/courier/authdaemon/socket
>
> # ls -al /var/run/courier/authdaemon
> total 4
> drwxr-xr-x 2 daemon daemon 100 2008-11-14 13:52 .
> drwxr-xr-x 4 daemon daemon 240 2008-11-13 01:07 ..
> -rw-r--r-- 1 root   root     6 2008-11-14 13:52 pid
> -rw------- 1 root   root     0 2008-11-13 01:07 pid.lock
> srwxrwxrwx 1 root   root     0 2008-11-14 13:52 socket
>
> But yet, when trying to authenticate, I get this in my mail.log
>
> Nov 14 14:29:19 mx1 postfix/smtpd[17982]: warning: SASL authentication failure:
> cannot connect to Courier authdaemond: No such file or directory
>
>  

Is the smtp service chroot'ed? Doing so is a real exercise in getting it
to work.

Grab saslfinger from
http://postfix.state-of-mind.de/patrick.koetter/saslfinger/ and then run
'saslfinger -s'.
Check result and then report back if you need more assistance.

Brian


Re: courier authlib with smtp auth

James Grant-3
On November 14, 2008 02:45:56 pm Brian Evans - Postfix List wrote:

> James Grant wrote:
> > Hi all, I've exhausted myself trying to figure this one out... I'm
> > using courier-authlib and it's set up and working properly, imap/pop
> > works fine, authtest from the command line works fine.
> >
> > For some reason, my smtp auth won't use it, it says it can't even find
> > it..
> >
> > #cat /etc/postfix/sasl/smtpd.conf
>
> This is often a path that is incorrect, but different systems can be set
> to use it.

It is definitely using this file. I made sure of it... I used to have it set
to use auxprop with sql auth.

> > pwcheck_method: authdaemond
> > authdaemond_path: /var/run/courier/authdaemon/socket
> > mech_list: plain login
> >
> > # ls -al /var/run/courier/authdaemon/socket
> > srwxrwxrwx 1 root root 0 2008-11-14 13:52
> > /var/run/courier/authdaemon/socket
> >
> > # ls -al /var/run/courier/authdaemon
> > total 4
> > drwxr-xr-x 2 daemon daemon 100 2008-11-14 13:52 .
> > drwxr-xr-x 4 daemon daemon 240 2008-11-13 01:07 ..
> > -rw-r--r-- 1 root   root     6 2008-11-14 13:52 pid
> > -rw------- 1 root   root     0 2008-11-13 01:07 pid.lock
> > srwxrwxrwx 1 root   root     0 2008-11-14 13:52 socket
> >
> > But yet, when trying to authenticate, I get this in my mail.log
> >
> > Nov 14 14:29:19 mx1 postfix/smtpd[17982]: warning: SASL authentication
> > failure: cannot connect to Courier authdaemond: No such file or
> > directory
>
> Is the smtp service chroot'ed? Doing so is a real exercise in getting it
> to work.

Gah, that was exactly it! A chroot won't follow symlinks out of the chroot,
will it? I disabled the chroot in master.cf and it works fine. I think for
now I'm just going to run smtpd without the chroot.. man.. what a hassle...

Thank you thank you thank you :)  

 James


> Grab saslfinger from
> http://postfix.state-of-mind.de/patrick.koetter/saslfinger/ and then run
> 'saslfinger -s'.
> Check result and then report back if you need more assistance.
>
> Brian

--
James Grant

Lightbox Technologies
312-240 Catherine St.
Ottawa, ON. K2P 2G8

http://www.lightbox.org
[hidden email]
613-686-1661 x101
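
An added example, not part of any post in this thread: a POSIX shell check for the failure diagnosed above, where a chrooted smtpd resolves authdaemond_path below the Postfix queue directory instead of the host root. The function names, the temporary directory layout and the meaning given to a "-" chroot column are assumptions of this example.

```sh
#!/bin/sh
# Added example: where does a chrooted smtpd really look for authdaemond?

# Print the chroot column (5th field) of the inet service that runs smtpd.
# "y" = chrooted, "n" = not, "-" = built-in default (differs by version).
smtpd_chroot_field() {
    awk '$1 !~ /^#/ && $2 == "inet" && $8 == "smtpd" { print $5; exit }' "$1"
}

# Print authdaemond_path from a Cyrus SASL smtpd.conf.
authdaemond_path() {
    sed -n 's/^authdaemond_path:[[:space:]]*//p' "$1" | head -n 1
}

# check_authdaemond MASTER_CF SMTPD_CONF QUEUE_DIR [DEFAULT]
# Prints the path smtpd effectively opens; returns 0 if it exists, else 1.
# DEFAULT is what "-" means on this installation (assumed "y" if omitted).
check_authdaemond() {
    field=$(smtpd_chroot_field "$1")
    sock=$(authdaemond_path "$2")
    if [ "$field" = "-" ]; then field=${4:-y}; fi
    if [ "$field" = "y" ]; then
        effective="$3$sock"   # resolved below the chroot, not the host root
    else
        effective="$sock"
    fi
    echo "$effective"
    # -e keeps the demo runnable with a plain file; use -S on a live host.
    [ -e "$effective" ]
}

# Constructed demo tree: the "socket" exists on the host side only, as in
# the thread. $1 is the chroot column to write into the sample master.cf.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/spool" "$root/run/authdaemon"
    : > "$root/run/authdaemon/socket"
    printf 'smtp inet n - %s - - smtpd\n' "$1" > "$root/etc/master.cf"
    printf 'authdaemond_path: %s\n' "$root/run/authdaemon/socket" \
        > "$root/etc/smtpd.conf"
    if check_authdaemond "$root/etc/master.cf" "$root/etc/smtpd.conf" \
        "$root/spool"; then rc=0; else rc=1; fi
    rm -rf "$root"
    return "$rc"
}

demo y || echo "chrooted smtpd: nothing at that path"
demo n && echo "unchrooted smtpd: socket path exists"
```

On a live host, call check_authdaemond with the real master.cf, the smtpd.conf shown in the first post and the output of `postconf -h queue_directory`.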


Re: courier authlib with smtp auth

Wietse Venema
James Grant:
> > Is the smtp service chroot'ed? Doing so is a real exercise in getting it
> > to work.
>
> Gah, that was exactly it! A chroot won't follow symlinks out of the chroot,
> will it? I disabled the chroot in master.cf and it works fine. I think for
> now I'm just going to run smtpd without the chroot.. man.. what a hassle...

Postfix as released by me does not chroot anything. Some
Linux distributors insist on setting up things this way,
which only can give Postfix a bad reputation.

Perhaps if enough people complain it will be changed.

        Wietse

Re: courier authlib with smtp auth

Charles Marcus
On 11/14/2008, Wietse Venema ([hidden email]) wrote:
> Postfix as released by me does not chroot anything. Some
> Linux distributors insist on setting up things this way,
> which only can give Postfix a bad reputation.
>
> Perhaps if enough people complain it will be changed.

I'd be very interested in the response that the postfix author (and
other vastly more knowledgeable people than I, like Victor) would give to
the people who claim that if it isn't chrooted, it isn't secure.

The only answer I can give right now is 'well, I've heard the author
(Wietse Venema) on the email support list say that it doesn't really
provide any more security and isn't worth the headache'.

:)

--

Best regards,

Charles

Re: courier authlib with smtp auth

Victor Duchovni
On Fri, Nov 14, 2008 at 04:13:19PM -0500, Charles Marcus wrote:

> On 11/14/2008, Wietse Venema ([hidden email]) wrote:
> > Postfix as released by me does not chroot anything. Some
> > Linux distributors insist on setting up things this way,
> > which only can give Postfix a bad reputation.
> >
> > Perhaps if enough people complain it will be changed.
>
> I'd be very interested in the response that the postfix author (and
> other vastly more knowledgeable people than I, like Victor) would give to
> the people who claim that if it isn't chrooted, it isn't secure.
>
> The only answer I can give right now is 'well, I've heard the author
> (Wietse Venema) on the email support list say that it doesn't really
> provide any more security and isn't worth the headache'.

My $0.02:

Chroot only helps if the rest of the system is nailed down as tight. So
few are, that chroot provides very little real benefit. Postfix is
already the most hardened code on the box, chrooting Postfix does not
fix the other far more vulnerable components of the system.

If you are not running Postfix on a BSD firewall mail gateway, don't chroot.

--
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.

Re: courier authlib with smtp auth

Wietse Venema
In reply to this post by Charles Marcus
Charles Marcus:

> On 11/14/2008, Wietse Venema ([hidden email]) wrote:
> > Postfix as released by me does not chroot anything. Some
> > Linux distributors insist on setting up things this way,
> > which only can give Postfix a bad reputation.
> >
> > Perhaps if enough people complain it will be changed.
>
> I'd be very interested in the response that the postfix author (and
> other vastly more knowledgeable people than I, like Victor) would give to
> the people who claim that if it isn't chrooted, it isn't secure.
>
> The only answer I can give right now is 'well, I've heard the author
> (Wietse Venema) on the email support list say that it doesn't really
> provide any more security and isn't worth the headache'.

That is certainly not what I wrote. I would appreciate it if you
kept your fantasies in check.

        Wietse

Re: courier authlib with smtp auth

Charles Marcus
On 11/14/2008 4:28 PM, Wietse Venema wrote:
>> I'd be very interested in the response that the postfix author (and
>> other vastly more knowledgeable people than I, like Victor) would give to
>> the people who claim that if it isn't chrooted, it isn't secure.
>>
>> The only answer I can give right now is 'well, I've heard the author
>> (Wietse Venema) on the email support list say that it doesn't really
>> provide any more security and isn't worth the headache'.

> That is certainly not what I wrote. I would appreciate it if you
> kept your fantasies in check.

Well, I was certainly paraphrasing, and no offense was intended, but on
what seems like more than a few occasions over the last couple of years
(that I've been on the list), when people show up with problems and it
turns out to be related to some [often a Debian] package that is
configured to run chrooted by default, I have seen comments from you like:

"Postfix as released by me does not chroot anything. Some Linux
distributors insist on setting up things this way, which only can give
Postfix a bad reputation."

Seeing this many times must have given me the wrong impression, and it
certainly isn't the same as '... doesn't really provide any more
security...', so my apologies for remembering it wrong.

--

Best regards,

Charles