# saslauthd configuration

## lizardqueen

I've been following the postfix virtual mailhosting guide, but am having problems with sasl authorisation for relaying. From my logs I can see that saslauthd /tls receives and decodes the user / password ok, but then will not authenticate.  For some reason saslauthd always goes to try to decode sasldb2. 

E.g. log extract:

```
Mar 14 20:33:02 mycroft postfix/smtpd[8130]: < unknown[192.168.42.165]: AUTH LOGIN
Mar 14 20:33:02 mycroft postfix/smtpd[8130]: smtpd_sasl_authenticate: sasl_method LOGIN
Mar 14 20:33:02 mycroft postfix/smtpd[8130]: smtpd_sasl_authenticate: uncoded challenge: Username:
Mar 14 20:33:02 mycroft postfix/smtpd[8130]: > unknown[192.168.42.165]: 334 VXNlcm5hbWU6
Mar 14 20:33:02 mycroft postfix/smtpd[8130]: < unknown[192.168.42.165]: YnJhZA==
Mar 14 20:33:02 mycroft postfix/smtpd[8130]: smtpd_sasl_authenticate: decoded response: [username correctly decoded]
Mar 14 20:33:02 mycroft postfix/smtpd[8130]: smtpd_sasl_authenticate: uncoded challenge: Password:
Mar 14 20:33:02 mycroft postfix/smtpd[8130]: > unknown[192.168.42.165]: 334 UGFzc3dvcmQ6
Mar 14 20:33:02 mycroft postfix/smtpd[8130]: < unknown[192.168.42.165]: bTFwY2F0
Mar 14 20:33:02 mycroft postfix/smtpd[8130]: smtpd_sasl_authenticate: decoded response: [password correctly decoded]
Mar 14 20:33:02 mycroft postfix/smtpd[8130]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasl2/sasldb2: Permission denied
Mar 14 20:33:02 mycroft postfix/smtpd[8130]: warning: SASL authentication problem: unable to open Berkeley db /etc/sasl2/sasldb2: Permission denied
Mar 14 20:33:02 mycroft postfix/smtpd[8130]: warning: unknown[192.168.42.165]: SASL LOGIN authentication failed
Mar 14 20:33:02 mycroft postfix/smtpd[8130]: > unknown[192.168.42.165]: 535 Error: authentication failed
```

My /etc/pam.d/smtpd looks like:

```
auth required pam_warn.so
auth required pam_permit.so
auth    sufficient        /lib/security/pam_stack.so service=system-auth
account required  pam_warn.so
account required  pam_permit.so
account sufficient        /lib/security/pam_stack.so service=system-auth
auth sufficient pam_mysql.so host=localhost db=mailsql user=mailsql \
  passwd=[password] table=users usercolumn=email passwdcolumn=clear crypt=0
account sufficient   pam_mysql.so host=localhost db=mailsql user=mailsql \
  passwd=[password] table=users usercolumn=email passwdcolumn=clear crypt=0
```

Why is saslauthd even going to look at sasldb2? It is obviously not using /etc/pam.d/smtpd for configuration. What should I be using?

(nb - this file was originally the same as given in the virtual mailhost guide, but nothing changed here seems to make a difference...)

Thanks

LQ

----------

## Plaz

Did you copy or link your /etc/sasl2/smtpd.conf file to /usr/lib/sasl2?  I don't think the former is actually used by anything.  I had the same problem you did and ran the following:

```
% ln /etc/sasl2/smtpd.conf /usr/lib/sasl2/smtpd.conf
```

At least that's what I think fixed the problem... it was late and I was messing with a lot of stuff, so maybe it was something else.

----------

## lizardqueen

Yes, I sym-linked those files. From what I can tell they are being read - Sasl is restricting itself to offering just LOGIN and PLAIN methods, so the mech_list is being read from one of those files.

However, changing the pwdcheck_method doesn't seem to do anything.

I tried changing it to pam - no change. 

The logging from saslauthd leaves a bit to be desired.

I'll probably just relax to the inevitable and use sasldb2 unless anyone has some bright suggestions. 

LQ

----------

## Plaz

*Quote:*

> However, changing the pwdcheck_method doesn't seem to do anything.

You meant pwcheck_method without the 'd', right?  Here's my smtpd.conf file:

```
pwcheck_method:saslauthd
mech_list: plain login
```

I'm (obviously) running saslauthd, here's my /etc/conf.d/saslauthd file:

```
# Config file for /etc/init.d/saslauthd

# Authentications mechanism (for list see saslauthd -v)
# SASL_AUTHMECH=pam
SASL_AUTHMECH=shadow

# Hostname for remote IMAP server (if rimap auth mech is used)
SASL_RIMAP_HOSTNAME=""

# Honour time-of-day login restrictions (if shadow auth mech is used)
# Make this ="" to turn it off.  Putting =no will turn it on!
SASL_TIME_OF_DAY_LOGIN_RESTRICTIONS=yes

# Tack the above options together
# (variables are quoted so that an empty value really tests as empty)
[ -n "${SASL_AUTHMECH}" ] && \
        SASLAUTHD_OPTS="-a ${SASL_AUTHMECH}"

# [ -n "${SASL_RIMAP_HOSTNAME}" ] && \
#       SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -H ${SASL_RIMAP_HOSTNAME}"

#[ -n "${SASL_TIME_OF_DAY_LOGIN_RESTRICTIONS}" ] && \
#       SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -T"
```

It's working fine for me without using the sasldb2 file.  Let me know if there are any other files you want me to post.

----------

## lizardqueen

My, how embarrassing. I'd only stared at smtpd.conf a good 100 times over the last week trying different options. I had pwdcheck_method, not pwcheck_method.

Thanks for the help!

(hangs head in shame)

LQ

----------
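The failure in this thread came from a misspelled key in smtpd.conf that was ignored without any warning, leaving `pwcheck_method` at the Cyrus SASL default of `auxprop`, hence the sasldb2 lookups in the log. The following is an added example, not part of the original posts: a small linter for such a file. The function name `lint_sasl_conf`, the option subset and the two sample files are assumptions made for illustration.

```python
import difflib

# Subset of Cyrus SASL 2 option names (assumption: not an exhaustive list).
KNOWN_OPTIONS = {
    "pwcheck_method", "mech_list", "auxprop_plugin", "saslauthd_path",
    "sasldb_path", "log_level", "plugin_list", "canon_user_plugin",
}


def lint_sasl_conf(text):
    """Return (findings, effective_pwcheck_method) for an smtpd.conf body."""
    findings, options = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        key = key.strip()
        if not sep:
            findings.append((lineno, key, "no 'key: value' separator"))
            continue
        if key in KNOWN_OPTIONS:
            options[key] = value.strip()
            continue
        # Unknown key: look for a near miss such as pwdcheck_method.
        guess = difflib.get_close_matches(key, KNOWN_OPTIONS, n=1, cutoff=0.8)
        hint = f"did you mean '{guess[0]}'?" if guess else "not in known list"
        findings.append((lineno, key, "unknown option, " + hint))
    # With pwcheck_method unset the library default, auxprop, applies,
    # which is what sends authentication to /etc/sasl2/sasldb2.
    return findings, options.get("pwcheck_method", "auxprop")


# Constructed samples: a file with the thread's typo, and the corrected form.
BROKEN = "pwdcheck_method: saslauthd\nmech_list: plain login\n"
FIXED = "pwcheck_method:saslauthd\nmech_list: plain login\n"

if __name__ == "__main__":
    for name, body in (("broken", BROKEN), ("fixed", FIXED)):
        findings, method = lint_sasl_conf(body)
        print(name, "-> effective pwcheck_method:", method)
        for lineno, key, msg in findings:
            print(f"  line {lineno}: {key}: {msg}")
```
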

