# qmail, smtp-auth and checkpassword-pam problem [SOLVED]

## penetrode

I have an EXTREMELY puzzling problem.

I am running netqmail 1.05, built from source, patched with Bill Shupp's combo smtp-auth/tls patch and checkpassword-pam 0.97, built from an ebuild.

When I try an SMTP session and authenticate, authentication fails with '535 authentication failed (#5.7.1)'

When I try and do it with telnet, same error. 

If I invoke checkpassword-pam from the command line, using the same login and password, it succeeds:

```
echo -e "sfbosch\0flibbets\0\0" | checkpassword-pam -s system-auth --debug --stdout -- /usr/bin/id 3<&0
Reading username and password
Username 'sfbosch'
Password read successfully
Initializing PAM library using service name 'system-auth'
Pam library initialization succeeded
conversation(): msg[0], style PAM_PROMPT_ECHO_OFF, msg = "Password: "
Authentication passed
Account management succeeded
Setting PAM credentials succeeded
PAM session opened
PAM session closed
Terminating PAM library
Executing /usr/bin/id
uid=1005(sfbosch) gid=100(users) groups=10(wheel),18(audio),100(users)
```

I have hacked up qmail-smtpd to make sure it is passing the right information to checkpassword-pam, and it is (I have it write a small output file in /tmp showing what it is passing to checkpassword-pam). If I move the hacked up qmail-smtpd to a known good host, authentication works fine on the known good host. If I move the checkpassword-pam from the known good host to the broken host, authentication doesn't work. It doesn't matter if I use TLS or not - I have the same problem.

The major difference between these two machines is that the one that doesn't work is running kernel 2.6, and the other is running kernel 2.4.

I have found another post from a person with a similar problem they claim they solved, but the solution doesn't make any sense to me -- it's totally unintelligible (I also don't think it applies here).

Does anybody have an idea why this might be happening? I'm at the end of my rope here. I've tried damn near everything; I'm starting to think I can't see the forest for the trees. This has got to be something stupid simple...

Last edited by penetrode on Wed May 18, 2005 6:40 pm; edited 1 time in total

----------

## penetrode

touch

----------

## penetrode

touch

----------

## Pete M

Not sure if this will help, but to get PAM authentication in Sendmail with TLS to work I had to create

/etc/pam.d/smtp

Then add to the file

```
auth     required  /lib/security/pam_stack.so service=system-auth
account  required  /lib/security/pam_stack.so service=system-auth
```

As I say, this may be a long shot, but you never know.

Pete

----------

## penetrode

We tried moving unix_chkpwd from a known good machine and got it to work -- once.

The fact that it successfully authenticated just one time is an indication that something is suspect in the hardware. We are now doing some memory tests and the tests are turning up errors.

I will post again as soon as we have more information.

----------

## penetrode

Okay --

it turns out there was some bad RAM. We've replaced the bad RAM, tested the replacement, and it's clean.

I've rebuilt the whole machine. I removed all the distfiles, did

```
emerge --emptytree -u world
```

and rebuilt checkpassword-pam. I rebuilt netqmail-1.05 from clean sources.

The problem is still there. I still get authentication failures on known good accounts.

Do my mail users have to be a member of any specific group? I know other people have had this problem. I really don't know what other option I have when it comes to qmail and smtp authentication...

----------

## penetrode

Okay --

I blame both the bad RAM and the permissions on checkpassword-pam.

The permissions on the last installation were set correctly. After doing the complete emerge world, checkpassword-pam was rebuilt and this time the permissions were incorrect:

```
228234 -rwxr-xr-x  1 root root 13672 May 18 12:07 checkpassword-pam
```

They should be

```
228234 -rwsr-xr-x  1 root root 13672 May 18 12:07 checkpassword-pam
```

Is there any way to fix this in the ebuild?

----------

## Vieri

fperms 4755 /usr/bin/checkpassword-pam

could be added to the ebuild or at least an einfo saying to chmod the file.

----------
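The permission check discussed in the posts above, as an added example that is not part of the original thread: a POSIX shell function that verifies a helper such as `/usr/bin/checkpassword-pam` is setuid, owned by the expected uid, and not writable by group or others. The function name `audit_setuid_helper` and its optional expected-uid argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. audit_setuid_helper is a hypothetical name.
# Usage: audit_setuid_helper PATH [EXPECTED_UID]   (EXPECTED_UID defaults to 0, root)
# Returns 0 when PATH is setuid, owned by EXPECTED_UID and not group/other-writable.
audit_setuid_helper() {
    helper=$1
    want_uid=${2:-0}
    rc=0

    if [ ! -f "$helper" ]; then
        echo "FAIL: $helper is not a regular file"
        return 1
    fi

    # 'ls -ldn' prints the mode string in column 1 and the numeric owner in column 3.
    mode=$(ls -ldn "$helper" | awk '{print $1}')
    owner=$(ls -ldn "$helper" | awk '{print $3}')

    # Character 4 is the owner-execute slot: 's' means setuid plus execute,
    # 'S' means setuid without execute, 'x' or '-' means no setuid bit.
    case $(printf '%s' "$mode" | cut -c4) in
        s) ;;
        S) echo "FAIL: setuid set but owner cannot execute ($mode)"; rc=1 ;;
        *) echo "FAIL: setuid bit missing ($mode), expected -rwsr-xr-x"; rc=1 ;;
    esac

    if [ "$owner" != "$want_uid" ]; then
        echo "FAIL: owner uid is $owner, expected $want_uid"
        rc=1
    fi

    # Characters 6 and 9 are the group-write and other-write slots. A setuid
    # binary that non-owners can modify must be flagged.
    gw=$(printf '%s' "$mode" | cut -c6)
    ow=$(printf '%s' "$mode" | cut -c9)
    if [ "$gw" = w ] || [ "$ow" = w ]; then
        echo "FAIL: writable by group or others ($mode)"
        rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: $helper $mode uid=$owner"
    fi
    return "$rc"
}

# Run the audit when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_setuid_helper "$@"
fi
```

Running it after each rebuild of the package catches the regression described above, where the reinstalled binary came back as `-rwxr-xr-x`.

----------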

## penetrode

*Vieri wrote:*

> fperms 4755 /usr/bin/checkpassword-pam
>
> could be added to the ebuild or at least an einfo saying to chmod the file.

Did the ebuild ever actually get fixed, or is this problem still there?

----------

## Vieri

I filed a bug report:

https://bugs.gentoo.org/show_bug.cgi?id=142000

Feel free to add comments there.

Eventually a dev will pick it up.

----------

