Bug 62505 - postfix compiled without SASL support
Product: Red Hat Linux
Classification: Retired
Component: postfix
Hardware: i386 Linux
Priority: medium, Severity: high
Assigned To: Phil Knirsch
Depends On: 68741
Reported: 2002-04-01 17:10 EST by Chris Ricker
Modified: 2015-03-04 20:10 EST

Doc Type: Bug Fix
Last Closed: 2003-01-10 01:34:09 EST

Attachments
patch for postfix spec to include SASL (3.03 KB, patch)
2002-04-05 15:23 EST, Chris Ricker
smtpd.conf file needed in SOURCES for postfix (23 bytes, text/plain)
2002-04-05 15:24 EST, Chris Ricker
documentation file to be placed in SOURCES (7.70 KB, text/plain)
2002-04-05 15:24 EST, Chris Ricker

Description Chris Ricker 2002-04-01 17:10:20 EST
The postfix RPMs are compiled without SASL support, making SMTP AUTH using
postfix impossible.  This doesn't seem to be an inherent Red Hat policy, since
the sendmail RPMs are compiled with SASL support.

Changing %define SASL 0 to %define SASL 1 in the spec should fix it
Comment 1 Chris Ricker 2002-04-02 17:09:26 EST
For the record, here's exactly what has to be done to get SASL working with the
RH postfix RPMs.

0.  Change define SASL 0 to define SASL 1 and recompile.
1.  echo "pwcheck_method:sasldb" > /usr/lib/sasl/smtpd.conf
2.  use saslpasswd to create /etc/sasldb and add accounts
3.  chgrp postfix /etc/sasldb
4.  chmod 0640 /etc/sasldb

Out of that, the only two that I think the postfix RPM should do are steps 0 and
1.  RH ships sendmail compiled to do SASL, and already provides
/usr/lib/sasl/Sendmail.conf (the analogous SASL config file for sendmail)

Beyond that, the facts that

* SASL cannot do PAM with postfix, since postfix does not run as root, so sasldb
is the only real option
* sasldb has to be readable by the user Postfix smtpd runs as

should be mentioned in a README under /usr/share/doc/postfix-###.  I don't think
that the postfix rpm should make /etc/sasldb permission changes automatically,
though, since those changes are only needed if you're using postfix....

I'll write up a patch that changes the spec and adds a README that mentions that
and also the necessary main.cf / master.cf changes if you're willing to include it
Comment 2 Bernhard Rosenkraenzer 2002-04-04 05:56:42 EST
I am... Please attach a patch (if I don't have one by Monday, I'll create one myself).
Comment 3 Chris Ricker 2002-04-05 15:23:24 EST
Created attachment 52445
patch for postfix spec to include SASL
Comment 4 Chris Ricker 2002-04-05 15:24:07 EST
Created attachment 52446
smtpd.conf file needed in SOURCES for postfix
Comment 5 Chris Ricker 2002-04-05 15:24:49 EST
Created attachment 52447
documentation file to be placed in SOURCES
Comment 6 Chris Ricker 2002-04-05 15:28:27 EST
I just attached three files.  SASL-Red_Hat.txt is documentation on getting SASL
going on RH.  I'll try to write something similar for TLS in a few days. 
smtpd.conf is the configuration file needed by the SASL libraries for Postfix to
do SASL.  postfix-spec.patch is a patch against the Postfix spec for 1.1.5-3
which enables SASL and includes the two additional source files
(SASL-Red_Hat.txt and smtpd.conf) iff SASL support is enabled.

Other than ripping my name out of the spec if you want, it should be ready to
go.  Oh, it does also expect that it's for Postfix 1.1.7 and tls-0.8.7, but
those are bugfix only releases and are what should be used anyway....
Comment 7 Chris Ricker 2002-06-09 18:49:26 EDT
This is partially fixed for beta1 of the next release.  beta1 is compiled with
SASL support, but really also needs the attached README documenting how to use
SASL, and needs /usr/lib/sasl/smtpd.conf created.
Comment 8 Chris Ricker 2002-07-09 22:50:49 EDT
/usr/lib/sasl/smtpd.conf still needs to be created.  sendmail creates the
analogous /usr/lib/sasl/Sendmail.conf file which is needed with sendmail SASL
Comment 9 Phil Knirsch 2002-07-15 12:11:26 EDT
Fixed in latest rawhide build (postfix-1.1.11-2).

Read ya, Phil
Comment 10 Chris Ricker 2002-08-30 18:01:19 EDT
This is still broken.  The comments I made above were all appropriate for
pre-7.3 beta (when I made them), which used SASL1.  By the time these changes
were integrated, RH had switched to SASL2, which of course does everything
differently because SASL sucks ;-)

Here's what needs to be done *now* for SASL to work with sasldb.

1.  echo "pwcheck_method:auxprop" > /usr/lib/sasl2/smtpd.conf
2.  use saslpasswd2 to create /etc/sasldb2 and add accounts
3.  cp /etc/sasldb2 /var/spool/postfix/etc/sasldb2
4.  chgrp postfix /var/spool/postfix/etc/sasldb2
5.  chmod 0640 /var/spool/postfix/etc/sasldb2

Currently, the only step of this the postfix RPM does is #1, but it does it
completely wrong.  It does the equivalent of

echo "pwcheck_method:sasldb" > /usr/lib/sasl/smtpd.conf

which only worked with the old SASL1 libs that are no longer included.

Also, when I wrote this prior to 7.3 I asked for sasldb support in smtpd.conf,
just because with the version of SASL1 shipped with RH, only sasldb was possible
with postfix (SASL1 authentication against system user databases using PAM,
which is what sendmail in 7.3 shipped configured to do, isn't possible, since
postfix isn't root at that point).  With the switch to SASL2 and its auxiliary
authentication daemon (saslauthd), Postfix actually can authenticate against
user accounts (ie, the same way RH configures sendmail SASL2 by default). 
Depending on what the official RH policy is regarding SASL databases, it might
make sense to do

echo "pwcheck_method:saslauthd" > /usr/lib/sasl2/smtpd.conf

instead, configuring postfix by default to use system accounts.  I personally
prefer SASL authentications to be separate and different from user accounts (in
case of compromise), but most people don't do that and RH doesn't default to
that on sendmail.

*shrug*  Not sure which of the two above should be done, but either one is
acceptable for fixing the current brokenness....
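
A check for the setup steps listed in the comment above, added here as an example (it is not code from the bug report or from the postfix package). The function name audit_sasl and its four arguments are assumptions, it covers only the pwcheck_method values named in this thread, and it relies on GNU stat.

```shell
#!/bin/sh
# Added example: audit a Postfix SASL setup against the steps in this thread.
# Usage: audit_sasl <SASL generation: 1|2> <smtpd.conf> <sasldb file> <group>
# e.g.   audit_sasl 2 /usr/lib/sasl2/smtpd.conf \
#            /var/spool/postfix/etc/sasldb2 postfix
# Prints one FAIL line per finding; returns 0 if clean, 1 otherwise.
audit_sasl() {
    gen=$1 conf=$2 db=$3 group=$4 rc=0

    # The thread pairs SASL1 with "sasldb" and SASL2 with "auxprop"
    # (or "saslauthd" for system accounts). Anything else is a mismatch,
    # such as the SASL1-style value being written for SASL2 libraries.
    method=$(sed -n 's/^pwcheck_method:[[:space:]]*//p' "$conf" 2>/dev/null | head -n 1)
    case "$gen:$method" in
        1:sasldb|2:auxprop|2:saslauthd) ;;
        *) echo "FAIL pwcheck_method '$method' does not match SASL$gen"; rc=1 ;;
    esac

    # saslauthd authenticates against system accounts: no sasldb file to check.
    if [ "$method" = saslauthd ]; then
        return $rc
    fi

    if [ ! -f "$db" ]; then
        echo "FAIL $db missing"
        return 1
    fi

    # The database holds the SASL secrets: readable by the smtpd group,
    # not by everyone (chgrp postfix + chmod 0640 in the steps above).
    mode=$(stat -c %a "$db")
    owner_group=$(stat -c %G "$db")
    [ "$mode" = 640 ] || { echo "FAIL $db mode is $mode, expected 640"; rc=1; }
    [ "$owner_group" = "$group" ] || { echo "FAIL $db group is $owner_group, expected $group"; rc=1; }
    return $rc
}

# Run as a script when given the four arguments.
if [ $# -eq 4 ]; then
    audit_sasl "$@"
fi
```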
Comment 11 Chris Ricker 2002-09-04 10:19:45 EDT
Ignore my above comments.  I spent some time with a debugger, and figured out
why my attempts to get SASL working with postfix weren't working.

AFAICT, Postfix is still compiled to use only SASL1, not SASL2.

I'm not sure if that's a bug or not, since I don't know what the RH policy
regarding SASL1 vs SASL2 is....  If it is a bug, the problem is probably related
to the patch in Bug 68800 (and I assume it's just a matter of the Makefile
needing adjustment to link the right libs?).  If it's not a bug, feel free to
close this.
Comment 12 Chris Ricker 2002-09-04 12:20:50 EDT
The problem was with Bug 68800.  Along with the patch I posted there, the spec
file also needed to be changed.  This change to the current spec file from
1.1.11-5 (latest postfix in rawhide):

--- postfix.spec.orig   2002-09-04 10:01:52.000000000 -0600
+++ postfix.spec        2002-09-04 10:02:53.000000000 -0600
@@ -165,7 +165,7 @@
 %if %{SASL}
-  AUXLIBS="${AUXLIBS} -lsasl"
+  AUXLIBS="${AUXLIBS} -lsasl2"
 %if %{TLS}
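
Review bot: Changing only the AUXLIBS line to "-lsasl2" leaves the packaged SASL configuration on the SASL1 layout: comment 10 reports that the RPM still writes "pwcheck_method:sasldb" to /usr/lib/sasl/smtpd.conf, which the SASL2 library does not use, so the smtpd.conf path and value should move to the SASL2 form in the same patch. The hunk header "@@ -165,7 +165,7 @@" also declares seven lines per side while only four are shown, so the hunk needs its full context before it will apply.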

will correct the mistake, compiling against SASL2 instead of SASL1.

Now, the question is, should SASL2 or SASL1 be used?  Bug 68741 covers that, but
hasn't been answered yet....
Comment 13 Chris Ricker 2002-09-04 13:48:32 EDT
And if you want both SASL1 and SASL2 in postfix (which is what the null sendmail
does), this change to the spec:

--- postfix.spec.orig   2002-09-04 10:01:52.000000000 -0600
+++ postfix.spec        2002-09-04 10:27:29.000000000 -0600
@@ -165,7 +165,7 @@
 %if %{SASL}
-  AUXLIBS="${AUXLIBS} -lsasl"
+  AUXLIBS="${AUXLIBS} -lsasl2 -lsasl"
 %if %{TLS}
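
Review bot: The "+" line puts both "-lsasl2" and "-lsasl" on AUXLIBS, but the two Cyrus SASL generations export the same sasl_* function names with different signatures, so a call resolves to whichever library is found first and the other API is never reached correctly. Link exactly one of them, chosen by a spec conditional, rather than listing both on this line.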

will work 

(running that currently here, so it has been (very lightly) tested)
Comment 14 Chris Ricker 2002-09-04 17:19:05 EDT
That last change (linking both libsasl and libsasl2) blows up very badly if you
actually try to use SASL, so it's obviously not an option.....
Comment 15 Chris Ricker 2002-09-07 11:11:53 EDT
Hmm, using sasl2 at all with Postfix dies eventually under SASL load.  I'm not
sure where the problem is -- I'm using Postfix and SASL2 on Solaris 8 and RH 7.3
boxes where I compiled SASL2 myself w/o any problems, so all I can guess is that
maybe the SASL2 stuff is broken in some fashion in null....

At any rate, since things are starting to look like null will go gold Any Day
Now, switching postfix from sasl1 to sasl2 will probably have to be deferred.
Comment 16 Chris Ricker 2003-01-10 01:34:09 EST
Closing this -- the original request (for compilation w/ SASL support) was
resolved in the next release, and the rest is too messy for one bug report
