Postgresql – Debugging a Postfix Saslauthd PAM-PGsql authentication failure

pampostfixpostgresqlsaslauthd

I've set up pam-pgsql to lookup passwords in my database for Postfix via Saslauthd.

I can test credentials using the command line:

$ sudo testsaslauthd -u user@email.com -p password

0: NO "authentication failed"

Authentication will fail, and I don't know why.

$ sudo tail /var/log/auth.log

Feb  5 15:33:12 saslauthd[7460]: pam_unix(imap:auth): check pass; user unknown
Feb  5 15:33:12 saslauthd[7460]: pam_unix(imap:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Feb  5 15:33:14 saslauthd[7460]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Feb  5 15:33:14 saslauthd[7460]: do_auth         : auth failure: [user=user@email.com] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]

How can I know what pam-pgsql is doing? How can I get more helpful messages?

Best Answer

Jon from the past! I have the answer to all your problems.

There's a clue right in your log:

saslauthd[8044]: pam_unix(imap:auth): check pass; user unknown

Remember how you put the PAM config in /etc/pam.d/smtp and not imap? And your log says imap? Yup, you're trying to auth on the wrong service.

I actually found the solution in the Postfix SASL manual, just under where you found that Sasl test command:

Testing saslauthd authentication

Specify an additional "-s smtp" if saslauthd was configured to contact the PAM authentication framework

Yup, you will soon find that the right invocation is rather:

$ sudo testsaslauthd -u user@email.com -p password -s smtp
0: OK "Success."

Related Solutions

Debian – saslauthd and PAM: “Too many open files” error – saslauthd restart fixes this – what is wrong

This seems to be a reported bug in samba's winbind, although it was saslauthd which complained. Here is the bug report:

https://bugzilla.samba.org/show_bug.cgi?id=7265

A workaround, until this is released, is to restart winbind and saslauthd every few days (in a cron).

SMTP authentication failure + PAM-MySQL cannot authenticate

I have exactly the same config as you (Postfix + Cyrus SASL using saslauthd + PAM), and I also spent hours to configure it. But know it works perfectly.

In my case, I have the same settings as you in /etc/pam.d/smtp but not in /etc/postfix/sasl/smtp.conf.

It seems you are mixing use of SQL Cyrus plugin (auxprop_plugin: sql) with saslauthd and PAM mysql.

Postfix documentation says that if you want to store encrypted passwords (which seem to be the case since you set up "crypt=2" in PAM configuration), then you CANNOT use Cyrus SASL sql plugin.

You can try using PAM only. For this, you only need following in /etc/postfix/sasl/smtp.conf

pwcheck_method: saslauthd
mech_list: login plain
log_level: 4

You don't need any database / password configuration in this file, since PAM already knows everything!

Also check /etc/default/saslautd, I have following:

START=yes
DESC="SASL Authentication Daemon"
NAME="saslauthd"
MECHANISMS="pam"
MECH_OPTIONS=""
THREADS=1
OPTIONS="-c -r -m /var/spool/postfix/var/run/saslauthd"

Check you chose pam in MECHANISMS variable, and check the flags in the OPTIONS variable. Normally, you should have more than 1 in the THREADS variable. You can let it like this. You don't need to set "1" like me.

EDIT: it seems I answered to a very old question! It doesn't matter, this will be referenced by Google and may be useful to anyone setting up SASL with PAM.

Best Answer

Testing saslauthd authentication

Related Solutions

Debian – saslauthd and PAM: “Too many open files” error – saslauthd restart fixes this – what is wrong

SMTP authentication failure + PAM-MySQL cannot authenticate

Related Topic