# Qmail and checkpassword-pam problem [SOLVED]

## wado

Hi

I have a problem with qmail and SMTP AUTH and I don't know how to resolve it. I have been searching these forums, but none of the solutions I have tried have had any effect. In short, I have recently installed a server with LDAP, Samba, IMAP and qmail. To accept incoming connections from mail clients securely, I have tried to use the checkpassword-pam authentication module, configured to send the new requests to the system-auth service. Of course, it doesn't work.

The error:

```
localhost root # telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.example.com ESMTP
ehlo
250-mail.example.com
250-AUTH LOGIN CRAM-MD5 PLAIN
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-STARTTLS
250-SIZE 0
250-PIPELINING
250 8BITMIME
auth login
334 VXNlcm5hbWU6
base64(login)
334 UGFzc3dvcmQ6
base64(passwd)
535 authorization failed (#5.7.0)
```

The involved files are:

/var/qmail/control/conf-smtpd

```
QMAIL_SMTP_AUTHHOST=$(<${QMAIL_CONTROLDIR}/me)
[ -z "${QMAIL_SMTP_POST}" ] && QMAIL_SMTP_POST=/bin/true
QMAIL_SMTP_CHECKPASSWORD="/usr/bin/checkpassword-pam -s system-auth"
QMAIL_SMTP_POST="${QMAIL_SMTP_AUTHHOST} ${QMAIL_SMTP_CHECKPASSWORD} ${QMAIL_SMTP_POST}"
```

```
localhost root # ls -l /usr/bin/checkpassword-pam
-rwsr-s---  1 root nofiles 13352 mar 15 23:47 /usr/bin/checkpassword-pam
```

/etc/tcp.smtp

```
127.0.0.1:allow,RELAYCLIENT=""
```

And

```
localhost root # ps aux | grep tcpserver
qmaild   21385  0.0  0.0  2624  812 pts/1    S    14:26   0:00 /usr/bin/tcpserver -p -v -R -x /etc/tcp.smtp.cdb -c 20 -u 201 -g 200 0.0.0.0 smtp /var/qmail/bin/qmail-smtpd mail.example.com /usr/bin/checkpassword-pam -s system-auth /bin/true
```

(If you need more files or information tell me)

My question is: what else do I have to do, or what am I doing wrong?

Thanks  :Wink:

Last edited by wado on Wed Apr 13, 2005 10:23 pm; edited 1 time in total

----------

## arch4nge1

Hi,

Just guessing here, but try turning off TLS and testing if that works. I believe the extra encryption might complicate things with testing.

Hope it helps.

Cheers

----------

## wado

Hi

Thank you for your post but it still doesn't work. I like your idea because telnet doesn't support TLS for my tests, but the result is the same. Since I'm using pam, syslog shows the following message:

```
Apr 13 13:50:21 localhost checkpassword-pam[31925]: Reading username and password
Apr 13 13:50:21 localhost checkpassword-pam[31925]: Username 'user '
Apr 13 13:50:21 localhost checkpassword-pam[31925]: Password read successfully
Apr 13 13:50:21 localhost checkpassword-pam[31925]: Initializing PAM library using service name 'system-auth'
Apr 13 13:50:21 localhost checkpassword-pam[31925]: Pam library initialization succeeded
Apr 13 13:50:21 localhost checkpassword-pam[31925]: conversation(): msg[0], style PAM_PROMPT_ECHO_OFF, msg = "Password: "
Apr 13 13:50:21 localhost system-auth(pam_unix)[31925]: check pass; user unknown
Apr 13 13:50:21 localhost system-auth(pam_unix)[31925]: authentication failure; logname= uid=201 euid=0 tty= ruser= rhost=
Apr 13 13:50:23 localhost checkpassword-pam[31925]: Authentication failed: Authentication failure
Apr 13 13:50:23 localhost checkpassword-pam[31925]: Exiting with status 1
```

And of course, the user exists in both the machine and ldap.

What do you think could be happening?

Thanks and bye  :Wink: 

----------

## hegga

I tried to find a solution to your problem yesterday, and I came across the fact that checkpasswd-pam uses \0 to separate username and password on login. Is it possible that system-auth doesn't support this?

```
# echo -e "username\0password\0timestamp\0" \
         | checkpassword-pam -s SERVICE \
           --debug --stdout -- /usr/bin/id 3<&0
```

source: http://checkpasswd-pam.sourceforge.net/checkpassword-pam.8.html

----------

## wado

Thanks hegga, but I tested that code yesterday and it works. However, when it is appended to bin/qmail-smtpd, system-auth fails. You are right, though, because analyzing the LDAP logs I have seen the error: the request ends with '\0A', so what do you think? I suppose this is a checkpassword-pam bug, no?

Thanks guys, cheers

----------

## wado

At last!! I managed to send mail via AUTH LOGIN, and I am the one who has a bug (well, me and the base64 command). The whole time the problem was in that command, because I used it to generate the base64 strings, and of course if you start wrong...

So thank you very much for your help  :Wink: 

----------

## penetrode

Just to clarify that last post, which isn't really properly explained (in the interests of assisting other Gentoo users who may be suffering from similar grief):

The problem is that base64 embeds the newline character in the encoded output.

If you want to get proper base64 encoded output that you can use in a telnet SMTP testing session, you have to pass echo the -n switch, like so:

```
echo -n <string> | base64 -e
```

*bows*
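The two things this thread turned on, written out as a small shell test kit (an added example, not code from the thread or from the qmail or checkpassword-pam projects): encoding AUTH LOGIN tokens without the stray newline penetrode describes, and building the NUL-separated input that the checkpassword interface hegga quoted reads on fd 3. The function names are hypothetical; the script assumes a POSIX shell and a coreutils-style `base64` that decodes with `-d`.

```shell
#!/bin/sh
# Added example, not from the thread or from qmail/checkpassword-pam.
# Assumes POSIX sh plus coreutils `base64` (-d to decode), `od`, `tr`.

# Encode exactly the bytes of $1. printf '%s' appends nothing, unlike echo;
# tr strips the line wrapping base64 adds to its own output.
b64_token() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# The mistake from the thread, kept for comparison: the "\n" goes into the
# token, so the server decodes "user\n" and PAM looks up a user that does
# not exist ("check pass; user unknown" in the syslog above).
b64_token_broken() {
    printf '%s\n' "$1" | base64 | tr -d '\n'
}

# Decode a token back to text, e.g. the server's 334 prompts.
b64_decode() {
    printf '%s' "$1" | base64 -d
}

# Inspect the raw last byte behind a token: prints "trailing-newline" when it
# is 0x0a (octal 012), otherwise "clean". Useful before pasting into telnet.
token_check() {
    last=$(printf '%s' "$1" | base64 -d | od -An -to1 | tr -s ' \n' '\n' | grep . | tail -n 1)
    if [ "$last" = "012" ]; then echo trailing-newline; else echo clean; fi
}

# The three client lines of an AUTH LOGIN exchange, CRLF-terminated, ready to
# paste into a telnet session. The output contains the password (only
# base64-obscured), so keep it out of shell history and logs.
auth_login_lines() {
    printf 'AUTH LOGIN\r\n%s\r\n%s\r\n' "$(b64_token "$1")" "$(b64_token "$2")"
}

# checkpassword interface input: username, password and timestamp, each
# terminated by a NUL byte (the "\0" separators hegga pointed out).
# To test the PAM side without SMTP in the way, feed it to fd 3 of the
# real binary, e.g.:
#   checkpassword_input "$u" "$p" 0 | checkpassword-pam -s system-auth \
#       --debug --stdout -- /usr/bin/id 3<&0
# (not run here: it needs the binary and a PAM configuration).
checkpassword_input() {
    printf '%s\0%s\0%s\0' "$1" "$2" "${3:-0}"
}
```

Running `token_check` on a token produced by `echo "$user" | base64` reports `trailing-newline`, which is the whole difference between the failing session at the top of the thread and a working one; `checkpassword_input` gives a way to exercise checkpassword-pam and the system-auth service directly, so a PAM or LDAP problem can be told apart from an SMTP-side encoding problem.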

----------

