[Exim] Exim and PAM on RedHat 7.1

Author: Dan Egli
Date:
To: Exim Users
Subject: [Exim] Exim and PAM on RedHat 7.1

Is anyone using EXIM in PAM authentication mode with RedHat 7.1?

I'm having a heck of a time understanding what's up. Until earlier today,
Exim was responding FINE to the following authenticators:


  fixed_plain:
    driver = plaintext
    public_name = PLAIN
    server_condition = "${if pam{$1:$2}{1}{0}}"
    server_set_id = $2


  login:
    driver = plaintext
    public_name = LOGIN
    server_prompts = "Username:: : Password::"
    server_condition = "${if pam{$1:$2}{1}{0}}"
    server_set_id = $1


However, around noon or one today, that all stopped. The only thing that had
changed in my exim.conf file was adding mail quotas. Nothing changed in my
PAM setup. But when running in d9 mode, I can see the PAM return code
indicating that the login was unsuccessful. However, the $1 and $2
variables presented in the debug are correct!

For this example, I have created a user: joe
joe's password is: 123456

[root@shortcircuit pam.d]# exim -d9 -bd
Exim version 3.22 debug level 9 uid=0 gid=0
Berkeley DB: Sleepycat Software: DB 2.4.14: (6/2/98)
Caller is an admin user
Caller is a trusted user
originator: uid=0 gid=0 login=root name=root
port = 25
listening on all interfaces
pid written to /var/run/exim.pid-bd
LOG: 0 MAIN
exim 3.22 daemon started: pid=3625, no queue runs, listening for SMTP on
port 25
set_process_info: 3625 daemon: no queue runs, port 25
daemon running with uid=8 gid=12 euid=8 egid=12
listening on port 25...
2001-10-24 18:46:09 exim 3.22 daemon started: pid=3625, no queue runs,
listening for SMTP on port 25
Connection request from 166.70.8.43/43524
1 SMTP accept process running
listening on port 25...
interface address = 10.0.0.75
host in rfc1413_hosts? yes (*)
sender_fullhost = [166.70.8.43]
sender_rcvhost = [166.70.8.43]
Process 3626 is handling incoming connection from [166.70.8.43]
checking for IP options
no IP options found
host in host_lookup? yes (*)
looking up host name for 166.70.8.43
IP address lookup yielded slc1059.modem.xmission.com
sender_fullhost = slc1059.modem.xmission.com [166.70.8.43]
sender_rcvhost = slc1059.modem.xmission.com ([166.70.8.43])
set_process_info: 3626 handling incoming connection from
slc1059.modem.xmission.com [166.70.8.43]
host in host_reject? no (option unset)
host in host_reject_recipients? no (option unset)
host in rbl_hosts? yes (0.0.0.0/0)
checking RBL domain blackholes.mail-abuse.org/reject
DNS lookup of 43.8.70.166.blackholes.mail-abuse.org (A) gave HOST_NOT_FOUND
returning DNS_NOMATCH
RBL lookup for 43.8.70.166.blackholes.mail-abuse.org failed
=> that means it's not black listed at blackholes.mail-abuse.org
checking RBL domain dialups.mail-abuse.org/warn
DNS lookup of 43.8.70.166.dialups.mail-abuse.org (A) gave HOST_NOT_FOUND
returning DNS_NOMATCH
RBL lookup for 43.8.70.166.dialups.mail-abuse.org failed
=> that means it's not black listed at dialups.mail-abuse.org
checking RBL domain relays.mail-abuse.org/reject
DNS lookup of 43.8.70.166.relays.mail-abuse.org (A) gave HOST_NOT_FOUND
returning DNS_NOMATCH
RBL lookup for 43.8.70.166.relays.mail-abuse.org failed
=> that means it's not black listed at relays.mail-abuse.org
checking RBL domain relays.ordb.org/reject
DNS lookup of 43.8.70.166.relays.ordb.org (A) gave HOST_NOT_FOUND
returning DNS_NOMATCH
RBL lookup for 43.8.70.166.relays.ordb.org failed
=> that means it's not black listed at relays.ordb.org
host in auth_hosts? yes (166.70.7.0/20)
host in auth_over_tls_hosts? no (option unset)
host in tls_hosts? no (option unset)
host in sender_unqualified_hosts? no (option unset)
host in receiver_unqualified_hosts? no (option unset)
host in helo_verify? no (option unset)
host in helo_accept_junk_hosts? no (option unset)
SMTP>> 220 shortcircuit.dyndns.org ESMTP Exim 3.22 #1 Wed, 24 Oct 2001 18:46:17 -0600
set_process_info: 3626 handling incoming connection from
slc1059.modem.xmission.com [166.70.8.43]
ready for new message
smtp_setup_msg entered
SMTP<< EHLO duron
sender_fullhost = slc1059.modem.xmission.com (duron) [166.70.8.43]
sender_rcvhost = slc1059.modem.xmission.com ([166.70.8.43] helo=duron)
set_process_info: 3626 handling incoming connection from
slc1059.modem.xmission.com (duron) [166.70.8.43]
host in tls_advertise_hosts? no (option unset)
SMTP>> 250-shortcircuit.dyndns.org Hello slc1059.modem.xmission.com [166.70.8.43]
250-SIZE
250-PIPELINING
250-AUTH PLAIN LOGIN
250 HELP
SMTP<< AUTH LOGIN
SMTP>> 334 VXNlcm5hbWU6
SMTP>> 334 UGFzc3dvcmQ6

Running PAM authentication for user "joe"
PAM error: Authentication failure
login authenticator:
$1 = joe
$2 = 123456
expanded string: 0
SMTP>> 535 Incorrect authentication data

LOG: 0 MAIN REJECT
Authentication failed for slc1059.modem.xmission.com (duron)
[166.70.8.43]: 535 Incorrect authentication data
SMTP>> 421 shortcircuit.dyndns.org lost input connection

search_tidyup called
child 3626 ended: status=0x100
0 SMTP accept processes now running
listening on port 25...
2001-10-24 18:46:21 Authentication failed for slc1059.modem.xmission.com
(duron) [166.70.8.43]: 535 Incorrect authentication data


As you can see from this test, Exim is reading a failure from PAM. It
happens regardless of whether I use RedHat's 3.22 version, or the 3.32 that I
compiled myself.

I am at a complete loss to explain it. I'm using the /etc/pam.d/exim file
that came with RedHat's exim RPM. It contains:

#%PAM-1.0
auth        required    pam_stack.so service=system-auth
account     required    pam_stack.so service=system-auth



Anyone else ever encounter this? I can work around it for now by setting up
a lookup file for the few users that access this box, but I'd really like to
get exim working properly again.

Thanks in advance!
Dan Egli
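
Added example, not part of the original post: a small triage helper that pulls the authentication-relevant facts out of Exim debug output like the trace above and masks the expansion variables before the log is shared. The names summarize, redact and SAMPLE are hypothetical, the sample lines are constructed from the shape of the trace, and the /etc/shadow hint assumes the usual Linux setup where only root can read shadow passwords.

```python
import base64
import re

# Constructed sample: a few lines in the shape of the -d9 output quoted above.
SAMPLE = """\
daemon running with uid=8 gid=12 euid=8 egid=12
host in auth_over_tls_hosts? no (option unset)
250-AUTH PLAIN LOGIN
SMTP>> 334 VXNlcm5hbWU6
SMTP>> 334 UGFzc3dvcmQ6
Running PAM authentication for user "joe"
PAM error: Authentication failure
$1 = joe
$2 = 123456
"""

def redact(debug_text):
    """Mask expansion variables ($1, $2, ...) before a log is shared."""
    return re.sub(r"(?m)^([ \t]*\$\d+ = ).*$", r"\1<redacted>", debug_text)

def summarize(debug_text):
    """Pull the authentication-relevant facts out of Exim debug output."""
    s = {"euid": None, "mechs": [], "prompts": [], "pam_user": None,
         "pam_error": None, "tls_for_auth": None, "findings": []}
    for line in debug_text.splitlines():
        line = line.strip()
        if m := re.search(r"daemon running with .*\beuid=(\d+)", line):
            s["euid"] = int(m.group(1))
        elif m := re.match(r"(?:SMTP>> )?250[- ]AUTH (.+)", line):
            s["mechs"] = m.group(1).split()
        elif m := re.match(r"SMTP>> 334 (\S+)", line):
            s["prompts"].append(base64.b64decode(m.group(1)).decode())
        elif m := re.match(r'Running PAM authentication for user "(.*)"', line):
            s["pam_user"] = m.group(1)
        elif m := re.match(r"PAM error: (.+)", line):
            s["pam_error"] = m.group(1)
        elif m := re.match(r"host in auth_over_tls_hosts\? (yes|no)", line):
            s["tls_for_auth"] = m.group(1) == "yes"
    if s["pam_error"] and s["euid"] not in (None, 0):
        s["findings"].append(
            f"PAM failed with euid={s['euid']}: check whether the PAM stack "
            "needs root, e.g. to read /etc/shadow (assumption to verify)")
    if s["mechs"] and s["tls_for_auth"] is False:
        s["findings"].append(
            "AUTH " + "/".join(s["mechs"]) + " offered with no TLS requirement")
    return s

if __name__ == "__main__":
    print(redact(SAMPLE), *summarize(SAMPLE)["findings"], sep="\n")
```

The 334 challenges decode to the Username:/Password: prompts from server_prompts, which shows that AUTH LOGIN only base64-encodes what it exchanges.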