Bug#330309: exim4-config: smtp auth using plain_saslauthd_server and login_saslauthd_server fail if pam mechanism selected
Nick Woolley
nick at noodlefactory.co.uk
Tue Sep 27 13:36:02 UTC 2005
Package: exim4-config
Version: 4.50-8
Severity: normal
Tags: patch
-- Package-specific info:
Exim version 4.50 #1 built 27-May-2005 08:08:19
Copyright (c) University of Cambridge 2004
Berkeley DB: Sleepycat Software: Berkeley DB 4.2.52: (December 3, 2003)
Support for: iconv() IPv6 GnuTLS
Lookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz dsearch nis nis0 passwd
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Configuration file is /etc/exim4/exim4.conf
# /etc/exim4/update-exim4.conf.conf
#
# Edit this file and /etc/mailname by hand and execute update-exim4.conf
# yourself or use 'dpkg-reconfigure exim4-config'
#
# Please note that this is _not_ a dpkg-conffile and that automatic changes
# to this file might happen. The code handling this will honor your local
# changes, so this is usually fine, but will break local schemes that mess
# around with multiple versions of the file.
#
# update-exim4.conf uses this file to determine variable values to replace
# the DEBCONFsomethingDEBCONF strings in the configuration template files.
#
# Most settings found in here do have corresponding questions in the
# Debconf configuration, but not all of them.
#
# This is a Debian specific file
dc_eximconfig_configtype='smarthost'
dc_other_hostnames='noodlefactory.co.uk:*.noodlefactory.co.uk:udon.vm.bytemark.co.uk:scifri.org.uk:*.scifri.org.uk:udon.noodlefactory.co.uk'
dc_local_interfaces=''
dc_readhost=''
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost='smtp.bytemark.co.uk'
CFILEMODE='644'
dc_use_split_config='false'
dc_hide_mailname='false'
dc_mailname_in_oh='true'
mailname:noodlefactory.co.uk
-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.4.26-bytemark-uml-20040706-1
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages exim4-config depends on:
ii adduser 3.63 Add and remove users and groups
ii debconf [debconf-2.0] 1.4.30.13 Debian configuration management sy
ii passwd 1:4.0.3-31sarge5 change and administer password and
-- debconf information:
* exim4/dc_smarthost: smtp.bytemark.co.uk
exim4/dc_relay_domains:
* exim4/exim3_upgrade: true
* exim4/dc_eximconfig_configtype: mail sent by smarthost; received via SMTP or fetchmail
exim4/dc_readhost:
exim4/exim4-config-title:
exim4/dc_noalias_regenerate: false
* exim4/dc_relay_nets:
* exim4/mailname: noodlefactory.co.uk
* exim4/dc_local_interfaces:
* exim4/dc_minimaldns: false
* exim4/dc_other_hostnames: noodlefactory.co.uk:*.noodlefactory.co.uk:udon.vm.bytemark.co.uk:scifri.org.uk:*.scifri.org.uk:udon.noodlefactory.co.uk
exim4/no_config: true
* exim4/hide_mailname: false
exim4/dc_postmaster:
* exim4/use_split_config: false
exim4/internal/exim4-config.reconfigure: false
If the examples in the config are used to authenticate smtp
connections using saslauthd, it fails if saslauthd is configured in
/etc/default/saslauthd to use the pam mechanism.
Typically this manifests itself in the /var/log/auth.log with a
failing pam authentication with 'service=[]' like this:
Sep 27 12:39:23 udon su[1363]: (pam_unix) session opened for user root by nick(uid=1000)
Sep 27 12:42:57 udon PAM-warn[17351]: function=[pam_sm_authenticate] service=[] terminal=[<unknown>] user=[nick] ruser=[<unknown>] rhost=[<unknown>]
Sep 27 12:42:59 udon saslauthd[17351]: DEBUG: auth_pam: pam_authenticate failed: Error in service module
Sep 27 12:42:59 udon saslauthd[17351]: do_auth : auth failure: [user=nick] [service=] [realm=] [mech=pam] [reason=PAM auth error]
When this happens, running exim with 'exim4 -bd -d -v -q5m' shows an error 'NO PAM auth error' during authentication.
The reason for this problem seems to be that:
a) no service is specified when exim4 invokes saslauthd
b) anyway, there is no pam.d/exim4 file
The examples supplied in /etc/exim4/ in question are:
# Authenticate against local passwords using sasl2-bin
# Requires exim_uid to be a member of sasl group, see README.SMTP-AUTH
# plain_saslauthd_server:
#   driver = plaintext
#   public_name = PLAIN
#   server_condition = ${if saslauthd{{$2}{$3}}{1}{0}}
#   server_set_id = $2
#   server_prompts = :
#   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
#   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
#   .endif
#
# login_saslauthd_server:
#   driver = plaintext
#   public_name = LOGIN
#   server_prompts = "Username:: : Password::"
#   # don't send system passwords over unencrypted connections
#   server_advertise_condition = ${if eq{$tls_cipher}{}{0}{1}}
#   server_condition = ${if saslauthd{{$1}{$2}}{1}{0}}
#   server_set_id = $1
#   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
#   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
#   .endif
A corrected version which works, providing a file /etc/pam.d/exim4 exists, is:
# Authenticate against local passwords using sasl2-bin
# Requires exim_uid to be a member of sasl group, see README.SMTP-AUTH
# plain_saslauthd_server:
#   driver = plaintext
#   public_name = PLAIN
#   server_condition = ${if saslauthd{{$2}{$3}{exim4}}{1}{0}}
#   server_set_id = $2
#   server_prompts = :
#   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
#   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
#   .endif
#
# login_saslauthd_server:
#   driver = plaintext
#   public_name = LOGIN
#   server_prompts = "Username:: : Password::"
#   # don't send system passwords over unencrypted connections
#   # server_advertise_condition = ${if eq{$tls_cipher}{}{0}{1}} this causes a configuration error
#   server_condition = ${if saslauthd{{$1}{$2}{exim4}}{1}{0}}
#   server_set_id = $1
#   .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
#   server_advertise_condition = ${if eq{$tls_cipher}{}{}{*}}
#   .endif
A pam configuration file /etc/pam.d/exim4 containing something like
the following is required:
auth required pam_unix.so
account required pam_unix.so
password required pam_unix.so
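As an added illustration (not part of the bug report), the following checker spots both sides of the problem described above: saslauthd do_auth failure lines in auth.log that carry an empty service name under the pam mechanism, and exim `saslauthd{{user}{password}{service}}` expansions that omit the third, service, item. The sample log lines and condition strings are constructed, modelled on those quoted in the report.

```python
import re

# Constructed sample lines, modelled on the auth.log excerpt in the report
SAMPLE_AUTH_LOG = """\
Sep 27 12:42:59 udon saslauthd[17351]: do_auth : auth failure: [user=nick] [service=] [realm=] [mech=pam] [reason=PAM auth error]
Sep 27 12:50:01 udon saslauthd[17351]: do_auth : auth failure: [user=bob] [service=exim4] [realm=] [mech=pam] [reason=PAM auth error]
"""
# Constructed server_condition lines: the broken original and the corrected form
BROKEN_COND = "server_condition = ${if saslauthd{{$2}{$3}}{1}{0}}"
FIXED_COND = "server_condition = ${if saslauthd{{$2}{$3}{exim4}}{1}{0}}"

# saslauthd's do_auth failure record as shown in the report
FAILURE_RE = re.compile(
    r"saslauthd\[\d+\]: do_auth : auth failure: \[user=(?P<user>[^\]]*)\] "
    r"\[service=(?P<service>[^\]]*)\] \[realm=[^\]]*\] \[mech=(?P<mech>[^\]]*)\]"
)
# exim's ${if saslauthd{{user}{password}{service}}...} expansion; service is optional
SASLAUTHD_RE = re.compile(
    r"saslauthd\{\{[^{}]*\}\{[^{}]*\}(?:\{(?P<service>[^{}]*)\})?\}"
)


def classify_failures(log_text):
    """Map each saslauthd failure line to a (user, verdict) pair."""
    out = []
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if not m:
            continue
        if m.group("mech") == "pam" and m.group("service") == "":
            # PAM cannot pick an /etc/pam.d/<service> file without a service name
            verdict = "misconfig: empty service name passed to saslauthd (pam)"
        else:
            verdict = "auth failure for service '%s'" % m.group("service")
        out.append((m.group("user"), verdict))
    return out


def saslauthd_service(condition_line):
    """Return the service name an exim saslauthd expansion passes, or None if omitted."""
    m = SASLAUTHD_RE.search(condition_line)
    if not m:
        raise ValueError("no saslauthd expansion found")
    return m.group("service")
```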