[CentOS] saslauthd

Thu Aug 27 09:55:27 UTC 2009
Alexander Dalloz <ad+lists at uni-x.org>

> Alexander Dalloz wrote:
>> First you will have to configure Postfix through main.cf:
> ...
>
>> Next you have to make the link between Postfix and Cyrus-SASL in
>> /usr/lib{64}/sasl2/smtpd.conf:
> ...
>
>> You are done.
>
> Yes I am! :-)
> In fact, I DID all the above (with more or less variants), but I was
> wondering why the command testsaslauthd wouldn't allow me to test
> authentication. Now I don't care anymore - what I need it for is: "postfix
> with SASL AUTH against smtp clients" and for THAT I only need a properly
> filled and protected (postfix will have to be able to read the file)
> /etc/sasldb2 file.
> I was also wondering because on the machine that I'm migrating away from
> the testsaslauthd command worked. Same config and both using the same
> centos release. Ok - nevermind, the authentication works, a nice thing to
> start a thursday with.
>
> Thanks @Alexander, Kai and Nataraj and all others who cared!
> Kind regards
> Michael

Hello Michael,

glad that you managed to migrate to the new server.

If testsaslauthd gives an OK, this just means that saslauthd is running
and could verify the given credentials against the backend. If that
backend (-a) is shadow, then auth is checked against system users within
the shadow file. If the backend is pam, then a more complex setup is
possible. Besides also checking against system users in shadow, PAM could
be configured to test against an SQL database or an LDAP server.

If testsaslauthd is successful, it does not mean that Postfix client auth
must be successful too. That's because Postfix can be configured to use a
different authentication scheme, such as cyrus-sasl's auxprop (as you did)
or even dovecot's sasl.

You can easily imagine a situation where the admin fills a sasldb with
users and their passwords and where all these users can be found as well as
system accounts within the shadow file. It may be intentional on the admin's
part or just a lack of understanding. Postfix using cyrus-sasl may be
configured to auth against the sasldb data, while saslauthd would work as
well. (With the difference that usernames in sasldb are of the format
<user at domain.tld>, whereas with saslauthd -a shadow the usernames can just
be <user>.)

You may counter-check what the smtpd.conf file contained on your old host.
It could be that saslauthd was the primary mechanism, but set as well the
option "auto_transition". You find that explained in
/usr/share/doc/cyrus-sasl*/options.html. Running with that, it will fill the
sasldb by itself. So you may have the impression that sasldb was your
primary authentication pool.

One final note: for cyrus-sasl, using auxprop with the sasldb plugin is the
default and fallback. If nothing is configured or the configured setup
fails, then cyrus-sasl tests with auxprop and sasldb.

Best regards

Alexander
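As an added example, not part of the thread: a small POSIX shell script that reads a Cyrus SASL smtpd.conf and reports which backend Postfix's smtpd will actually use (saslauthd versus auxprop with sasldb, the default), whether auto_transition is set, and whether a sasldb2 file is world-readable. The sample config files are constructed here; pwcheck_method, auxprop_plugin and auto_transition are the real cyrus-sasl option names.

```shell
#!/bin/sh
# Added example, not part of the thread. Inspects a Cyrus SASL smtpd.conf
# (the "key: value" file under /usr/lib{64}/sasl2/) to see which auth path
# Postfix's smtpd really uses, and checks the sasldb2 file mode.

# Value of a "key: value" option; last occurrence wins, empty if unset.
sasl_opt() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | tail -n 1
}

# Prints "saslauthd", "auxprop:<plugin>" (sasldb when no plugin is named,
# which is also cyrus-sasl's default when pwcheck_method is unset),
# or "unknown:<value>".
sasl_backend() {
    method=$(sasl_opt "$1" pwcheck_method)
    case "$method" in
        saslauthd)  echo saslauthd ;;            # backend chosen by saslauthd -a
        auxprop|"") plugin=$(sasl_opt "$1" auxprop_plugin)
                    echo "auxprop:${plugin:-sasldb}" ;;
        *)          echo "unknown:$method" ;;
    esac
}

# "yes" if auto_transition is on (saslauthd logins silently populate sasldb).
auto_transition_enabled() {
    case "$(sasl_opt "$1" auto_transition)" in
        yes|true) echo yes ;;
        *)        echo no ;;
    esac
}

# "world-readable" if the "other" read bit is set (8th char of ls -l), else "ok".
# Postfix should read sasldb2 through group permissions, not world permissions.
sasldb_perms() {
    case "$(ls -ld "$1")" in
        ???????r*) echo world-readable ;;
        *)         echo ok ;;
    esac
}

# Constructed sample files: an old host using saslauthd with auto_transition,
# and a new host using auxprop/sasldb, plus a sasldb2 with mode 0640.
SAMPLE_DIR=$(mktemp -d)
printf 'pwcheck_method: saslauthd\nmech_list: plain login\nauto_transition: yes\n' > "$SAMPLE_DIR/old-smtpd.conf"
printf 'pwcheck_method: auxprop\nauxprop_plugin: sasldb\nmech_list: plain login\n' > "$SAMPLE_DIR/new-smtpd.conf"
: > "$SAMPLE_DIR/sasldb2"; chmod 0640 "$SAMPLE_DIR/sasldb2"

for f in old-smtpd.conf new-smtpd.conf; do
    echo "$f: backend=$(sasl_backend "$SAMPLE_DIR/$f") auto_transition=$(auto_transition_enabled "$SAMPLE_DIR/$f")"
done
echo "sasldb2: $(sasldb_perms "$SAMPLE_DIR/sasldb2")"
```

Point it at the real files (/usr/lib64/sasl2/smtpd.conf and /etc/sasldb2) on the old and new host to compare what each smtpd actually authenticates against.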