Re: [exim] Current solutions for smtp auth via pam

Author: Sam Michaels
Date:
To: Jochen Gensch
CC: exim-users
Subject: Re: [exim] Current solutions for smtp auth via pam
On 1/15/06, Jochen Gensch <incmc@???> wrote:
> Ok, I have tried that right now, but cannot get it working. Maybe
> someone can direct me to the right direction...


I had a heck of a time getting it to work.

First, the permissions were wrong on the directory...and they go back
to being wrong every time the box is rebooted. Default location of the
socket for me is /var/lib/sasl2/mux (specified in the
Local/Makefile)...probably a misconfiguration on my part, but if the
box gets rebooted I'm there anyway.

Next, the authenticators I use are:

plain:
driver = plaintext
public_name = PLAIN
server_prompts = :
server_set_id = $2
server_condition = ${if saslauthd{{$2}{$3}}{1}{0}}
server_advertise_condition = true

login:
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
server_condition = ${if saslauthd{{$1}{$2}}{1}{0}}
server_set_id = $1
server_advertise_condition = true

I could force some security with $tls_cipher or something, but it
wasn't working properly with MS Outlook clients.

Then PAM wasn't working right for some reason. I had to change
/etc/pam.d/saslauthd to:

#%PAM-1.0
auth       required     pam_nologin.so
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth


And /etc/pam.d/system-auth to:

#%PAM-1.0
auth       required     pam_env.so
auth       sufficient   pam_unix.so likeauth nullok
auth       required     pam_deny.so
account    required     pam_unix.so
password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password   sufficient   pam_unix.so nullok md5 shadow use_authtok
password   required     pam_deny.so
session    required     pam_limits.so
session    required     pam_unix.so


Then it magically started working for valid users on the box.

Sam
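
Why the PLAIN authenticator above reads $2/$3 while LOGIN reads $1/$2, as an added example that is not part of the original post: it decodes a constructed exchange for each mechanism into the strings Exim's plaintext driver numbers $1, $2, $3. The credentials and function names are made up for illustration; since base64 is only an encoding, the same values are readable on the wire whenever these mechanisms are offered without TLS.

```python
import base64

def plain_vars(response_b64):
    """AUTH PLAIN (RFC 4616) sends authzid NUL authcid NUL password in one
    base64 string; Exim's plaintext driver exposes the fields as $1, $2, $3."""
    fields = base64.b64decode(response_b64, validate=True).split(b"\0")
    if len(fields) != 3:
        raise ValueError("PLAIN response must have three NUL-separated fields")
    return {"$%d" % i: f.decode("utf-8") for i, f in enumerate(fields, 1)}

def login_vars(responses_b64):
    """AUTH LOGIN answers each server prompt with its own base64 string,
    so the user name lands in $1 and the password in $2."""
    if len(responses_b64) != 2:
        raise ValueError("LOGIN expects one reply per prompt (two in total)")
    return {"$%d" % i: base64.b64decode(r, validate=True).decode("utf-8")
            for i, r in enumerate(responses_b64, 1)}

def saslauthd_args(mechanism, variables):
    """The (user, password) pair each authenticator above hands to saslauthd."""
    user_var, pass_var = {"PLAIN": ("$2", "$3"), "LOGIN": ("$1", "$2")}[mechanism]
    return variables[user_var], variables[pass_var]

# Constructed sample credentials, not taken from the thread.
USER, PASSWORD = "alice", "correct-horse"
# What a client would send: PLAIN with an empty authzid, LOGIN as two replies.
PLAIN_MSG = base64.b64encode(b"\0" + USER.encode() + b"\0" + PASSWORD.encode())
LOGIN_MSGS = [base64.b64encode(USER.encode()), base64.b64encode(PASSWORD.encode())]

if __name__ == "__main__":
    for mech, variables in (("PLAIN", plain_vars(PLAIN_MSG)),
                            ("LOGIN", login_vars(LOGIN_MSGS))):
        print(mech, variables, "-> saslauthd", saslauthd_args(mech, variables))
```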