The postfix RPMs are compiled without SASL support, making SMTP AUTH using postfix impossible. This doesn't seem to be an inherent Red Hat policy, since the sendmail RPMs are compiled with SASL support. Changing %define SASL 0 to %define SASL 1 in the spec should fix it
For the record, here's exactly what has to be done to get SASL working with the RH postfix RPMs.

0. Change define SASL 0 to define SASL 1 and recompile.
1. echo "pwcheck_method:sasldb" > /usr/lib/sasl/smtpd.conf
2. use saslpasswd to create /etc/sasldb and add accounts
3. chgrp postfix /etc/sasldb
4. chmod 0640 /etc/sasldb

Out of that, the only two that I think the postfix RPM should do are steps 0 and 1. RH ships sendmail compiled to do SASL, and already provides /usr/lib/sasl/Sendmail.conf (the analogous SASL config file for sendmail).

Beyond that, the facts that
* SASL cannot do PAM with postfix, since postfix does not run as root, so sasldb is the only real option
* sasldb has to be readable by the user Postfix smtpd runs as
should be mentioned in a README under /usr/share/doc/postfix-###.

I don't think that the postfix rpm should make /etc/sasldb permission changes automatically, though, since those changes are only needed if you're using postfix.... I'll write up a patch that changes the spec and adds a README that mentions that and also the necessary main.cf / master.cf changes if you're willing to include it.
I am... Please attach a patch (if I don't have one by Monday, I'll create one myself).
Created attachment 52445: patch for postfix spec to include SASL
Created attachment 52446: smtpd.conf file needed in SOURCES for postfix
Created attachment 52447: documentation file to be placed in SOURCES
I just attached three files. SASL-Red_Hat.txt is documentation on getting SASL going on RH. I'll try to write something similar for TLS in a few days. smtpd.conf is the configuration file needed by the SASL libraries for Postfix to do SASL. postfix-spec.patch is a patch against the Postfix spec for 1.1.5-3 which enables SASL and includes the two additional source files (SASL-Red_Hat.txt and smtpd.conf) iff SASL support is enabled. Other than ripping my name out of the spec if you want, it should be ready to go. Oh, it does also expect that it's for Postfix 1.1.7 and tls-0.8.7, but those are bugfix only releases and are what should be used anyway....
This is partially fixed for beta1 of the next release. beta1 is compiled with SASL support, but really also needs the attached README documenting how to use SASL, and needs /usr/lib/sasl/smtpd.conf created.
/usr/lib/sasl/smtpd.conf still needs to be created. sendmail creates the analogous /usr/lib/sasl/Sendmail.conf file which is needed with sendmail SASL
Fixed in latest rawhide build (postfix-1.1.11-2). Read ya, Phil
This is still broken. The comments I made above were all appropriate for pre-7.3 beta (when I made them), which used SASL1. By the time these changes were integrated, RH had switched to SASL2, which of course does everything differently because SASL sucks ;-)

Here's what needs to be done *now* for SASL to work with sasldb.

1. echo "pwcheck_method:auxprop" > /usr/lib/sasl2/smtpd.conf
2. use saslpasswd2 to create /etc/sasldb2 and add accounts
3. cp /etc/sasldb2 /var/spool/postfix/etc/sasldb2
3. chgrp postfix /var/spool/postfix/etc/sasldb2
4. chmod 0640 /var/spool/postfix/etc/sasldb2

Currently, the only step of this the postfix RPM does is #1, but it does it completely wrong. It does the equivalent of

echo "pwcheck_method:sasldb" > /usr/lib/sasl/smtpd.conf

which only worked with the old SASL1 libs that are no longer included.

Also, when I wrote this prior to 7.3 I asked for sasldb support in smtpd.conf, just because with the version of SASL1 shipped with RH, only sasldb was possible with postfix (SASL1 authentication against system user databases using PAM, which is what sendmail in 7.3 shipped configured to do, isn't possible, since postfix isn't root at that point). With the switch to SASL2 and its auxiliary authentication daemon (saslauthd), Postfix actually can authenticate against user accounts (i.e., the same way RH configures sendmail SASL2 by default). Depending on what the official RH policy is regarding SASL databases, it might make sense to do

echo "pwcheck_method:saslauthd" > /usr/lib/sasl2/smtpd.conf

instead, configuring postfix by default to use system accounts. I personally prefer SASL authentications to be separate and different from user accounts (in case of compromise), but most people don't do that and RH doesn't default to that on sendmail. *shrug* Not sure which of the two above should be done, but either one is acceptable for fixing the current brokenness....
Ignore my above comments. I spent some time with a debugger, and figured out why my attempts to get SASL working with postfix weren't working. AFAICT, Postfix is still compiled to use only SASL1, not SASL2. I'm not sure if that's a bug or not, since I don't know what the RH policy regarding SASL1 vs SASL2 is.... If it is a bug, the problem is probably related to the patch in Bug 68800 (and I assume it's just a matter of the Makefile needing adjustment to link the right libs?). If it's not a bug, feel free to close this.
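The mismatch worked out in the comments above (smtpd.conf and sasldb prepared for one SASL major version while smtpd links the other) can be checked mechanically. This is an added example, not part of the bug thread or the postfix package: the file locations, the postfix group and mode 0640 are taken from the steps quoted in the thread (sasldb-backed authentication only), and the ldd sample is constructed.

```shell
# Added example: audit that the SASL files match the library smtpd links.
# Live use (path to the smtpd binary is yours to supply):
#   check_sasl "" "$(sasl_major "$(ldd "$SMTPD")")" postfix

# Constructed sample of `ldd` output for an smtpd linked against SASL1.
SAMPLE_LDD='	libsasl.so.7 => /usr/lib/libsasl.so.7 (0x40025000)
	libc.so.6 => /lib/libc.so.6 (0x40100000)'

# sasl_major LDD_TEXT: print 1, 2, both or none.
sasl_major() {
    v1=0; v2=0
    case "$1" in *libsasl.so*)  v1=1 ;; esac
    case "$1" in *libsasl2.so*) v2=1 ;; esac
    case "$v1$v2" in
        10) echo 1 ;;
        01) echo 2 ;;
        11) echo both ;;
        *)  echo none ;;
    esac
}

# check_sasl ROOT MAJOR [GROUP]: compare the files under ROOT with the steps
# the thread gives for SASL MAJOR. Prints findings; returns 0 if consistent.
check_sasl() {
    root=$1; rc=0
    case "$2" in
        1) conf=$root/usr/lib/sasl/smtpd.conf
           db=$root/etc/sasldb; want=sasldb ;;
        2) conf=$root/usr/lib/sasl2/smtpd.conf
           db=$root/var/spool/postfix/etc/sasldb2; want=auxprop ;;
        *) echo "FAIL smtpd SASL linkage is '$2', expected 1 or 2"; return 1 ;;
    esac
    method=$(sed -n 's/^pwcheck_method:[ ]*//p' "$conf" 2>/dev/null) || method=
    if [ "$method" != "$want" ]; then
        echo "FAIL $conf: pwcheck_method='$method', expected '$want'"; rc=1
    fi
    if [ ! -f "$db" ]; then
        echo "FAIL $db: missing"; rc=1
    else
        mode=$(stat -c %a "$db")
        if [ "$mode" != 640 ]; then
            echo "FAIL $db: mode $mode, expected 640"; rc=1
        fi
        if [ -n "${3:-}" ] && [ "$(stat -c %G "$db")" != "$3" ]; then
            echo "FAIL $db: group is not $3"; rc=1
        fi
    fi
    return "$rc"
}
```

A result of both or none from sasl_major is reported as a failure on its own, since neither set of steps in the thread applies to such a binary.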
The problem was with Bug 68800. Along with the patch I posted there, the spec file also needed to be changed. This change to the current spec file from 1.1.11-5 (latest postfix in rawhide): --- postfix.spec.orig 2002-09-04 10:01:52.000000000 -0600 +++ postfix.spec 2002-09-04 10:02:53.000000000 -0600 @@ -165,7 +165,7 @@ %endif %if %{SASL} CCARGS="${CCARGS} -DUSE_SASL_AUTH" - AUXLIBS="${AUXLIBS} -lsasl" + AUXLIBS="${AUXLIBS} -lsasl2" %endif %if %{TLS} LIBS= will correct the mistake, compiling against SASL2 instead of SASL1. Now, the question is, should SASL2 or SASL1 be used? Bug 68741 covers that, but hasn't been answered yet....
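Review bot: the hunk at line 165 hard-codes the library name on the AUXLIBS line while the CCARGS line above it stays as it was, with no include path, so nothing in this block ties the headers used at compile time to the library chosen at link time. Consider selecting the SASL major version through a spec macro alongside %{SASL} and deriving both the header path and the -lsasl2 argument from it, so the package cannot be compiled against one API and linked against the other.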
And if you want both SASL1 and SASL2 in postfix (which is what the null sendmail does), this change to the spec: --- postfix.spec.orig 2002-09-04 10:01:52.000000000 -0600 +++ postfix.spec 2002-09-04 10:27:29.000000000 -0600 @@ -165,7 +165,7 @@ %endif %if %{SASL} CCARGS="${CCARGS} -DUSE_SASL_AUTH" - AUXLIBS="${AUXLIBS} -lsasl" + AUXLIBS="${AUXLIBS} -lsasl2 -lsasl" %endif %if %{TLS} LIBS= will work (running that currently here, so it has been (very lightly) tested)
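Review bot: on the AUXLIBS line, -lsasl2 -lsasl links two major versions of the same library into a binary that is compiled once with -DUSE_SASL_AUTH. The code is built against a single API, and both libraries provide functions under the same sasl_ names, so which implementation a call reaches depends on link order rather than on what the code was compiled for. Link exactly one of the two per build; if both versions need to be supported, make it a build-time choice in the spec instead.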
That last change (linking both libsasl and libsasl2) blows up very badly if you actually try to use SASL, so it's obviously not an option.....
Hmm, using sasl2 at all with Postfix dies eventually under SASL load. I'm not sure where the problem is -- I'm using Postfix and SASL2 on Solaris 8 and RH 7.3 boxes where I compiled SASL2 myself w/o any problems, so all I can guess is that maybe the SASL2 stuff is broken in some fashion in null.... At any rate, since things are starting to look like null will go gold Any Day Now, switching postfix from sasl1 to sasl2 will probably have to be deferred.
Closing this -- the original request (for compilation w/ SASL support) was resolved in the next release, and the rest is too messy for one bug report