493: Undecipherable

-Blog-

-Projects-

-Urlaub-

-About me-

-RSS-

Exim4 and Saslauthd [service=]

Dennis Guse

Hello! Since I upgraded g00se.org from Debian Sarge to Etch the authentification mechanism of my exim mail server doesn't run properly. I used as I descriped early the saslauthd to authentificate against the pam. Everything went fine. I believed, but a few weeks later (I used all the time my webinterface to send mails.) the exim couldn't use the same credentials as the imap server. The saslauthd always claimed that my credentials are false and so exim awnsered with a SMTP Error 535: Authentification failure. Tonight I managed to look into the problem and it's source. I checked the saslauthd using testsaslauthd. If I used: testsaslauthd -s smtp -u XXX - p XXX everything went fine and the saslauthd replied with credentials ok. But if I issued testsaslauthd -s "" -u XXX - p XXX I got a pam authentification error. I tried the same using exim and same behavior appeared, exim doesn't set the name of the service and so all authentification will fail. The problem is that the saslauthd will try to authenticate against a pam configuration which is not available. Note: I have in /etc/pam.d/ a file called smtp which defines the pam behavior for my smtp service ;).

The messages (/var/log/auth.log):

Dec 3 00:55:50 h1206589 saslauthd[22244]: doauth : auth failure: [user=XXX] [service=] [realm=] [mech=pam] [reason=PAM auth error] Dec 3 01:18:45 h1206589 saslauthd[22247]: doauth : auth success: [user=XXX] [service=imap] [realm=] [mech=pam]

As you can see the name of the service is in the first log empty. I found a solution: you can tell the exim how to call the saslauthd. (Snip of the authentification part of my exim service):

 1  plain_saslauthd_server: 
 2    driver = plaintext
 3    public_name = PLAIN
 4    server_condition = $\{if saslauthd\{\{$auth2}\{$auth3}}\{1}\{0}}
 5    server_set_id = $auth2
 6    server_prompts = : .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
 7    server_advertise_condition = $\{if eq\{$tls_cipher}\{}\{}\{\*}}
 8  .endif
 9 
10  login_saslauthd_server:
11    driver = plaintext
12    public_name = LOGIN
13    server_prompts = "Username:: : Password::" # don't send system passwords over unencrypted connections
14    server_condition = ${if saslauthd\{\{$auth1}\{$auth2}}\{1}\{0}}
15    server_set_id = $auth1 
16    .ifndef AUTH_SERVER_ALLOW_NOTLS_PASSWORDS
17      server_advertise_condition = $\{if eq{$tls_cipher}\{}\{}\{\*}}
18    .endif

Now tell exim that he has to use a service attribute for saslauthd change:

1 server_condition = $\{if saslauthd\{\{$auth2}\{$auth3}}\{1}\{0}} into server_condition = $\{if saslauthd\{\{$auth2}\{$auth3}*\{smtp}*}\{1}{0}}.

smtp have to be the name of the pam configuration file.

That's all. Everythings work as expected.