This is a discussion on Re: SASL, PAM and realms within the mailing.postfix.users forums, part of the Mail Servers and Related category.
* Vlad Berditchevskiy <vlad@hashbang.de>:
> Hello,
>
> I posted this question on the SASL mailing list, but that list seems to
> be almost dead. :-( I hope that someone on this list knows better.
>
> I want to use SASL to authenticate two groups of SMTP users:
>
> Group 1: Users who have a unix account and should be authenticated by
> the shadow file
>
> Group 2: Virtual mail users, whose passwords are stored in a postgresql
> database.

Try this in smtpd.conf:

  pwcheck_method: saslauthd auxprop
  mech_list: PLAIN LOGIN
  auxprop_plugin: sql
  .... auxprop sql settings for postgresql...

Take a look at options.html from the SASL documentation to find out what
you need to add for "auxprop sql settings for postgresql". Then start
saslauthd to access shadow files. SASL should check for matches in shadow
first and try auxprop if it fails in shadow.

Don't use Postfix to test this, but use sample-server and sample-client
from the SASL utilities (sample/ in the SASL sources) to test
authentication. If they do the job, you know SASL works and you can take
care of how Postfix and SASL should interact.

> This seems to be a simple requirement, however while configuring SASL I
> faced the following problem: I can authenticate either of those groups
> but not both at the same time. :-(
>
> I used PAM as the authentication mechanism. However, PAM ignores the
> realm, which is required for the second group. If I start saslauthd with
> '-r', this works for virtual mail users (the user name looks like
> 'user@domain'), but doesn't work for the first group (there are no
> domains in the shadow file). So, there is a dilemma:
>
> w/o '-r' -- works for local users only
> with '-r' -- works for virtual users only
>
> I tried something like 'saslauthd -a shadow -a pam -r' in a hope that
> saslauthd would use shadow mechanism for local users and PAM for virtual
> users, but it didn't work. It seems that sasl can only use one mechanism
> at the same time.
>
> Is there a way to allow the authentication for both groups at the same
> time?
>
> P.S. The only workaround that works so far is to use -r and create a
> virtual mailbox account for every local user for SMTP only, but it's an
> ugly workaround. I hope, there is a better solution.

That's not true. SASL is unaware of Postfix' virtual user configuration.
It only looks for a username, password and maybe a realm. You could add
local users to postgresql tables without the virtual stuff. However if
you put it all in one table Postfix might complain that your local users
miss the config for virtual users.

p@rick

--
SMTP AUTH howto: <http://postfix.state-of-mind.de/patrick.koetter/smtpauth/>
SMTP AUTH debug utility: <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
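A fuller smtpd.conf for the two-verifier setup described in the reply above, added here as an example and not taken from the thread or from the Cyrus SASL project: the sql_* option names follow the Cyrus SASL options.html, while the file path, host, database, role, password, table and column names are assumed placeholders.

```conf
# /etc/postfix/sasl/smtpd.conf  (path assumed; it varies by distribution)
#
# Two password verifiers side by side:
#   saslauthd  -> shadow file, group 1 (start it as "saslauthd -a shadow",
#                 without -r, since shadow entries carry no realm)
#   auxprop    -> PostgreSQL table, group 2 (virtual users)
pwcheck_method: saslauthd auxprop
mech_list: PLAIN LOGIN

# auxprop sql settings for PostgreSQL
auxprop_plugin: sql
sql_engine: pgsql
sql_hostnames: localhost
# assumed database name and a read-only role for lookups
sql_database: mail
sql_user: sasl_ro
# placeholder; this file holds a DB credential, so keep it mode 0640,
# owned by root and readable only by the group smtpd runs as
sql_passwd: CHANGEME
# %u expands to the user part and %r to the realm (the domain in
# 'user@domain'), so the realm is matched here without saslauthd -r
sql_select: SELECT password FROM mailbox WHERE username = '%u' AND domain = '%r'

# Check the shadow side on its own before involving Postfix:
#   testsaslauthd -u <localuser> -p <password>
# In Postfix main.cf, set "smtpd_tls_auth_only = yes" so PLAIN and
# LOGIN credentials are only ever offered inside a TLS session.
```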