# Using PAM to authenticate emails using system users

## pcameron

Hi All,

I have been setting up an email server using postfix, saslauthd, pam and courier-imap. 

Things have been going well over the last few days and I have a small problem I would like some help resolving. 

Firstly, from mutt, I can send and receive emails locally and externally. Which is great!

I got postfix to authenticate against pam using saslauthd which I can see doing its bits and pieces from the debugging. 

So I fired up thunderbird and attempted to create the account and got the following:

```
Oct 19 16:07:18 blah authdaemond: received auth request, service=imap, authtype=login
Oct 19 16:07:18 blah authdaemond: authpam: trying this module
Oct 19 16:07:18 blah authdaemond: authpam: username 'root@blah.com' not found in password file
```

Now I can see in the logs that thunderbird is attempting to auth with the @blah.com appended. I have to assume most email clients would also do the same. I had a look in the software but I couldn't find a setting to only auth with just the first prefix. 

I would like to continue to use local users on the system and stay with the .maildir.

I don't think the password file will take the @blah.com as a valid user. Could be wrong? 

How do people get around this situation while using local users? 

Thanks, 

Lock
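To make the failure in those log lines concrete, here is an added example (my own code, not part of the thread and not Courier or saslauthd code). It parses authdaemond lines of the form quoted above and shows what a domain-stripping step in front of a PAM/passwd lookup would have to do: strip only the server's own configured domain, and reject any other domain or any local part that is not a plain login name. The log lines are copied from the post; the passwd names, the domain `blah.com`, and all function names are constructed for the example.

```python
import re

# Constructed sample: the three authdaemond lines quoted in the post.
SAMPLE_LOG = """\
Oct 19 16:07:18 blah authdaemond: received auth request, service=imap, authtype=login
Oct 19 16:07:18 blah authdaemond: authpam: trying this module
Oct 19 16:07:18 blah authdaemond: authpam: username 'root@blah.com' not found in password file
"""

# Constructed stand-in for the login names in /etc/passwd.
# A real check would call pwd.getpwnam(name) instead of consulting this set.
PASSWD_NAMES = {"root", "pcameron", "mail"}

REQUEST_RE = re.compile(
    r"received auth request, service=(?P<service>\w+), authtype=(?P<authtype>\w+)")
NOTFOUND_RE = re.compile(
    r"authpam: username '(?P<username>[^']*)' not found in password file")
# Conservative POSIX-style login name: no '@', no spaces, no shell metacharacters.
LOCALPART_RE = re.compile(r"^[a-z_][a-z0-9_-]*$")


def parse_authdaemond(line):
    """Return a dict describing one authdaemond log line, or None if unrecognised."""
    m = REQUEST_RE.search(line)
    if m:
        return {"event": "request", **m.groupdict()}
    m = NOTFOUND_RE.search(line)
    if m:
        return {"event": "not_found", **m.groupdict()}
    return None


def resolve_local_user(login, default_domain, passwd_names=PASSWD_NAMES):
    """Map a client-supplied login such as 'root@blah.com' to a local account name.

    Only the configured default domain is stripped. A login carrying any other
    domain, a local part that is not a plain login name, or a name with no
    passwd entry yields None rather than a guess, so 'root@evil.example'
    never turns into 'root'.
    """
    local, sep, domain = login.partition("@")
    if sep and domain.lower() != default_domain.lower():
        return None
    if not LOCALPART_RE.match(local):
        return None
    return local if local in passwd_names else None


def explain_failures(log_text, default_domain):
    """For every 'not found' event in the log, report the login the client sent and
    the local user it would have resolved to had the default domain been stripped."""
    results = []
    for line in log_text.splitlines():
        ev = parse_authdaemond(line)
        if ev and ev["event"] == "not_found":
            results.append((ev["username"], resolve_local_user(ev["username"], default_domain)))
    return results


if __name__ == "__main__":
    for sent, resolved in explain_failures(SAMPLE_LOG, "blah.com"):
        print(f"client sent {sent!r}; local user after stripping default domain: {resolved!r}")
```

Run against the sample it reports that `root@blah.com` would resolve to `root`, which is exactly the lookup authpam never performs because it hands the full string to the password file unchanged.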

----------

## ianw1974

I can only assume one of two things is happening. The username and password stored in Thunderbird has the username@domain.com, so maybe change it so that it just has the username without the @domain.com part.

Alternatively, courier is appending the domain perhaps?

----------

## pcameron

*ianw1974 wrote:*

> Alternatively, courier is appending the domain perhaps?

Thanks for the tip, will look into that. 

I noticed that saslauthd supports MySQL auth, and at http://www.gentoo.org/doc/en/virt-mail-howto.xml I found a MySQL template mapping a system user to user@blah.com. 

I'm not much of a DBA, having a comms background, but I'm going to give it a shot and set up auth for MySQL referencing the full email address to the local system user, then just add the MySQL auth into saslauthd.

FYI: 

There was no @blah.com in the username field. 

Tested on Windows 7 and Thunderbird in portage. 

Tried Microsoft Mail on Windows.

All the same results. 

Move to a bump, but it was a good experience. Will post on the success of the auth via SQL.

Lock

----------

## pcameron

Good news is auth is working now. 

PAM does fail, but with the SQL template and some of the config from the vhosts, I can authenticate.

Bad news is the next error, which indicates the mail client can't create what it needs to. 

At least I'm on the way. 

:)

----------

## pcameron

Following the guide above and using the SQL template

http://www.gentoo.org/doc/en/files/genericmailsql.sql

what does postfix want the quota in? Bits, bytes, etc.? 

Thanks

----------

## ianw1974

Difficult to say; you can try different values. When I configured with Dovecot once and Roundcube webmail, I had to specify in Dovecot exactly the config for the quota to work, and if I remember, by default it was bytes, but I changed it to reflect megabytes later as it was easier to work everything out.

----------

## cach0rr0

If

- you tell postfix to use saslauthd
- you tell courier to use saslauthd

then what it uses to authenticate against is based on what backend you've set saslauthd to use,

which is controlled by /etc/conf.d/saslauthd.

There are also other ways of specifying, e.g. 'defaultdomain' in postfix/courier configuration files, but the "-a pam" in /etc/conf.d/saslauthd should be all that's needed.

```
# grep -v ^\# /etc/conf.d/saslauthd |grep -v ^$
SASLAUTHD_OPTS=""
SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -a pam"
```

and on postfix, main.cf

```
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = whitehathouston.com
smtpd_sasl_authenticated_header = yes
broken_sasl_auth_clients = yes
```

plus 'permit_sasl_authenticated' in smtpd_recipient_restrictions.

The other alternative, instead of using saslauthd, is to set the pwcheck_method to 'pam' in /etc/sasl2/smtpd.conf,

which should tell postfix to check directly against your passwd users. 

All saslauthd does is provide an extra layer of flexibility, support for multiple backends, etc. 

On the courier side, no idea, as I despise courier.

By the by:

http://whitehathouston.com/documentation/gentoo/postfix_cyrus_vhost_howto.htm
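The two configuration paths described in this post (postfix via saslauthd and its `-a` backend, or postfix straight to PAM through `pwcheck_method`) are easy to confuse when troubleshooting. As an added example that is not part of the thread, the following script reads constructed copies of `/etc/conf.d/saslauthd` and `/etc/sasl2/smtpd.conf`, evaluates the `SASLAUTHD_OPTS="${SASLAUTHD_OPTS} ..."` accumulation the way the shell would, and reports which backend actually checks an SMTP AUTH password. The file contents are constructed from the fragments quoted above; the function names are my own.

```python
import re
import shlex

# Constructed copy of /etc/conf.d/saslauthd, mirroring the grep output above.
SASLAUTHD_CONF = """\
# comment lines and blank lines are ignored, as in the real file
SASLAUTHD_OPTS=""

SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -a pam"
"""

# Constructed /etc/sasl2/smtpd.conf for the saslauthd route.
SMTPD_CONF_VIA_DAEMON = """\
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
"""

# Constructed /etc/sasl2/smtpd.conf for the direct-to-PAM route from the post.
SMTPD_CONF_DIRECT = """\
pwcheck_method: pam
"""

ASSIGN_RE = re.compile(r'^SASLAUTHD_OPTS="(.*)"$')


def saslauthd_opts(conf_text):
    """Return the final SASLAUTHD_OPTS as an argument list.

    Each assignment may reference the previous value as ${SASLAUTHD_OPTS} or
    $SASLAUTHD_OPTS, which is how the Gentoo conf.d file builds the option string.
    """
    value = ""
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        value = (m.group(1)
                 .replace("${SASLAUTHD_OPTS}", value)
                 .replace("$SASLAUTHD_OPTS", value)
                 .strip())
    return shlex.split(value)


def saslauthd_backend(opts):
    """Return the mechanism passed to saslauthd's -a option, or None if absent."""
    for i, tok in enumerate(opts):
        if tok == "-a" and i + 1 < len(opts):
            return opts[i + 1]
    return None


def sasl_option(conf_text, key):
    """Look up one 'key: value' line in a Cyrus SASL application config file."""
    for line in conf_text.splitlines():
        k, sep, v = line.partition(":")
        if sep and k.strip() == key:
            return v.strip()
    return None


def effective_auth_path(smtpd_conf, saslauthd_conf):
    """Describe the chain that verifies a Postfix SMTP AUTH password.

    Returns e.g. ['postfix', 'saslauthd', 'pam'] when postfix defers to saslauthd,
    or ['postfix', 'pam'] when pwcheck_method sends it straight to PAM. A missing
    pwcheck_method is reported as None rather than assumed.
    """
    method = sasl_option(smtpd_conf, "pwcheck_method")
    if method == "saslauthd":
        return ["postfix", "saslauthd", saslauthd_backend(saslauthd_opts(saslauthd_conf))]
    return ["postfix", method]


if __name__ == "__main__":
    print(" -> ".join(str(p) for p in effective_auth_path(SMTPD_CONF_VIA_DAEMON, SASLAUTHD_CONF)))
    print(" -> ".join(str(p) for p in effective_auth_path(SMTPD_CONF_DIRECT, SASLAUTHD_CONF)))
```

Pointing the script at the real files shows at a glance whether a failed login should be investigated in saslauthd's logs or in PAM's, and whether a later `SASLAUTHD_OPTS=` line has silently replaced the `-a pam` that an earlier one added.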

----------

