# sasl - pam problems (updated, help still needed please)

## antifa

Hi all,

Yes I know, yet another sasl issue. But I'm completely baffled at this point. I'm using postfix 1.1.11.20020917 and cyrus-sasl 2.1.7.

I configured sasl like so:

```
./configure  --prefix=/usr --host=i586-pc-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --with-saslauthd=/var/lib/sasl2 --with-pwcheck=/var/lib/sasl2 --with-configdir=/etc/sasl2 --with-openssl --with-pam --with-plugindir=/usr/lib/sasl2 --with-dbpath=/etc/sasl2/sasldb2 --with-des --with-rc4 --disable-krb4 --with-gnu-ld --enable-shared --disable-sample --enable-login --without-ldap --with-mysql --with-dblib=berkeley --disable-static --without-staticsasl --disable-gssapi --cache-file=.././config.cache --srcdir=.
```

The first thing that confuses me is the output from saslauthd after installation, saslauthd -v: 

```
saslauthd 2.1.7

authentication mechanisms: getpwent pam rimap shadow
```

So where did my pwcheck go? No idea. I haven't been able to test pwcheck because saslauthd errors out stating pwcheck is an 'unknown password verifier'.

```
From /etc/sasl2/smtpd.conf - pwcheck_method:saslauthd

From /etc/init.d/saslauthd - /usr/sbin/saslauthd -a pam
```

From /etc/pam.d/smtpd (copy of pam.d/login (that should work right?))

```
auth       required     /lib/security/pam_securetty.so

auth       required     /lib/security/pam_stack.so service=system-auth

auth       required     /lib/security/pam_nologin.so

account    required     /lib/security/pam_stack.so service=system-auth

password   required     /lib/security/pam_stack.so service=system-auth

```

I'm trying to set up sasl to use pam, or pwcheck, whichever works at this point. Either way I get the following error when trying to auth against sasl using the standard Base64 mime encoding string sent via telnet to smtpd.

```
[postfix/smtpd] smtpd_sasl_authenticate: decoded initial response ken Nov 10 09:12:20 

[postfix/smtpd] warning: SASL authentication failure: Password verification failed Nov 10 09:12:20 

[postfix/smtpd] warning: sub26-149.member.dsl-only.net[63.105.26.149]: SASL PLAIN authentication failed Nov 10 09:12:20 

[postfix/smtpd] > sub26-149.member.dsl-only.net[63.105.26.149]: 535 Error: authentication failed

```

I've tried just about everything I can think of at this point, searched through the mailing lists and docs, read all available how-tos, checked the gentoo forums, and still have had no luck.

Here's a strace of the smtp pid:

```
connect(10, {sin_family=AF_UNIX, path="/var/lib/sasl2/mux"}, 110) = 0

writev(10, [{"\0\32ken@mail.kickasskungfu.com\0\10b7"..., 68}], 1) = 68

read(10, "\0\21", 2)                    = 2

read(10, "NO PAM auth error", 17)       = 17

close(10)                               = 0

time([1036948552])                      = 1036948552

getpid()                                = 23848

rt_sigaction(SIGPIPE, {0x4034e7e0, [], 0x4000000}, {SIG_IGN}, 8) = 0

send(7, "<20>Nov 10 09:15:52 postfix/smtp"..., 108, 0) = 108

rt_sigaction(SIGPIPE, {SIG_IGN}, NULL, 8) = 0

brk(0x8099000)                          = 0x8099000

time([1036948552])                      = 1036948552

getpid()                                = 23848

rt_sigaction(SIGPIPE, {0x4034e7e0, [], 0x4000000}, {SIG_IGN}, 8) = 0

send(7, "<20>Nov 10 09:15:52 postfix/smtp"..., 129, 0) = 129

rt_sigaction(SIGPIPE, {SIG_IGN}, NULL, 8) = 0

time([1036948552])                      = 1036948552

getpid()                                = 23848

rt_sigaction(SIGPIPE, {0x4034e7e0, [], 0x4000000}, {SIG_IGN}, 8) = 0

send(7, "<22>Nov 10 09:15:52 postfix/smtp"..., 122, 0) = 122

rt_sigaction(SIGPIPE, {SIG_IGN}, NULL, 8) = 0

rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0

rt_sigaction(SIGCHLD, NULL, {SIG_DFL}, 8) = 0

rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0

nanosleep({1, 0}, {1, 0})               = 0

time(NULL)                              = 1036948553

select(10, NULL, [9], [9], {300, 0})    = 1 (out [9], left {300, 0})

write(9, "535 Error: authentication failed"..., 34) = 34

```

Could someone who uses sasl at least post a strace of their successful auth against pam for comparison please? And does anyone know if it's failing due to the user name with @mail.kickasskungfu.com appended?

Thanks in advance for any help.

antifa

----------

## SmegTheLight

Perhaps this might be a part of your problem:

https://bugs.gentoo.org/show_bug.cgi?id=10650

----------

## SmegTheLight

Also try setting 

    smtpd_sasl_local_domain =

in /etc/postfix/main.cf

That will take care of the @mail.kickasskungfu.com problem.

I am using saslauthd -> pam -> ldap.

My strace on the smtp pid is rather bland (since I start it at the client password prompt)

```

read(13, "OK", 2)                       = 2

close(13)                               = 0

time(NULL)                              = 1037143530

time(NULL)                              = 1037143530

select(13, NULL, [12], [12], {300, 0})  = 1 (out [12], left {300, 0})

write(12, "235 Authentication successful\r\n", 31) = 31

time(NULL)                              = 1037143530

select(13, [12], NULL, [12], {300, 0})  = 1 (in [12], left {300, 0})

```

----------

## tgnb

I had the same problem, but (semi)solved it by commenting out a line in /etc/postfix/main.cf

    #smtpd_sasl_local_domain = $myhostname

found this solution on google...

http://groups.google.com/groups?selm=aqm6j3%248l7%241%40FreeBSD.csie.NCTU.edu.tw&output=gplain

I guess I have to read up on realms and such too.

Can anyone explain why this works when that line is commented out?

----------

## cerebroso

I don't know either, but it woooooorks!

----------

## jon123

Thanks tgnb, that fixed my login problems too.

I had my smtpd_sasl_local_domain = mail.domainname.com

Does anyone know why that would cause an authentication problem?

----------
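Added example, not part of any post in this thread: a decoder for the length-prefixed frames visible in the straces above (`\0\32` is octal for 26, the length of `ken@mail.kickasskungfu.com`; `\0\21` is 17, the length of `NO PAM auth error`), which shows exactly what login string is handed to saslauthd. It assumes the request is four fields (login, password, service, realm), each a 2-byte big-endian length followed by the bytes; the password, service and realm values in the sample are constructed placeholders.

```python
import struct

FIELD_NAMES = ("login", "password", "service", "realm")  # assumed request layout

def read_fields(buf):
    """Split a buffer into 2-byte big-endian length-prefixed byte strings."""
    fields, off = [], 0
    while off < len(buf):
        if off + 2 > len(buf):
            raise ValueError(f"truncated length prefix at offset {off}")
        (n,) = struct.unpack_from(">H", buf, off)
        off += 2
        if off + n > len(buf):
            raise ValueError(f"field claims {n} bytes, only {len(buf) - off} left")
        fields.append(buf[off:off + n])
        off += n
    return fields

def pack_fields(*values):
    """Inverse of read_fields, used here only to build the constructed sample."""
    return b"".join(struct.pack(">H", len(v)) + v for v in values)

def describe_request(buf):
    """Decode a request; report whether the login carries an @domain suffix."""
    fields = read_fields(buf)
    if len(fields) != len(FIELD_NAMES):
        raise ValueError(f"expected {len(FIELD_NAMES)} fields, got {len(fields)}")
    req = {k: v.decode("utf-8", "replace") for k, v in zip(FIELD_NAMES, fields)}
    req["password"] = f"<{len(fields[1])} bytes>"  # never echo the credential
    req["login_has_domain"] = "@" in req["login"]
    return req

def describe_reply(buf):
    """Decode a reply frame into (accepted, detail)."""
    (text,) = read_fields(buf)
    status, _, detail = text.decode("utf-8", "replace").partition(" ")
    return status == "OK", detail

# Constructed sample: the login is the one in the strace; the rest are placeholders.
# These values total 68 bytes, the size of the writev in the first strace.
SAMPLE_REQUEST = pack_fields(b"ken@mail.kickasskungfu.com", b"8bytepwd",
                             b"smtp", b"mail.kickasskungfu.com")
SAMPLE_REPLY = b"\x00\x11NO PAM auth error"  # the two reads from the strace, joined

if __name__ == "__main__":
    print(describe_request(SAMPLE_REQUEST))
    print(describe_reply(SAMPLE_REPLY))
```

A login that decodes with `login_has_domain` set is the `@mail.kickasskungfu.com` case the replies address by emptying or commenting out `smtpd_sasl_local_domain`.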

