Thread: pam_pgsql, Postfix, imap and PostgreSQL

pam_pgsql, Postfix, imap and PostgreSQL

From
Devrim GÜNDÜZ
Date:
Hi,

I'm not really sure whether or not this is the right list, but I feel that
there may be some people who have some experience with my problem below:

Case: A mail server, which will serve 30K people. I want to use
PostgreSQL at the backend for the authentication mechanism. Postfix is used
as the MTA. Wu-imapd is the imap/pop3 server. All these are on Red Hat
8.0.

Since authentication must be done using PostgreSQL, I compiled
pam_pgsql.so and moved it to /lib/security. Then I created a file
/etc/pam_pgsql.conf, as suggested, and wrote the following lines:
---
database = mailing
user = postfix
password = password
table = accounts
user_column = username
pwd_column = passwd
expired_column = acc_expired
newtok_column = acc_newpwdreq
pwtype = clear
debug
----

Then, modified /etc/pam.d/pop and /etc/pam.d/imap as follows:

----
#%PAM-1.0
#auth       required    /lib/security/pam_stack.so service=system-auth
#account    required    /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_pgsql.so
account    required     /lib/security/pam_pgsql.so
----

Created a database called mailing; here is the schema of the two tables:
mailing=# \d accounts
                   Table "accounts"
    Column     |          Type          |  Modifiers
---------------+------------------------+-------------
 username      | character varying(255) | not null
 passwd        | character varying(255) | not null
 acc_expired   | boolean                | default '0'
 acc_newpwdreq | boolean                | default '0'

mailing=# \d vmailbox
                Table "vmailbox"
 Column  |          Type          |  Modifiers
---------+------------------------+-------------
 address | character varying(255) | not null
 mbox    | character varying(255) |
 active  | boolean                | default 'T'
Unique keys: vmailbox_address_key


And sample data from the accounts table:

        username             |  passwd  | acc_expired |acc_newpwdreq
-----------------------------+----------+-------------+---------------
 devrim@my.hostname          | test     | f           | f


Everything seems to be OK. But it is not.

Problem:
-------
This is the first problem.

The following program tests the connection through pam_pgsql.


 ./test devrim@my.hostname
PID:16472
PAM started.
Password:
Authentication succeeded, checking access.
Access permitted.
Changing authentication token...
Failed: Authentication token manipulation error


It permits access, but fails while changing the auth token. I think it
probably fails in the acc_newpwdreq column, but I'm not sure.

And the second and main problem: pop3 does not authenticate ...
Here it comes:

#telnet  0 110
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
+OK POP3 localhost.localdomain v2001.78rh server ready
USER devrim@my.hostname
+OK User name accepted, password please
PASS test
-ERR Bad login

As I trace the logs, I see that pop3d does not send a request to
PostgreSQL...

The same is valid for imap.

However, if I insert a user into the table without an @ sign (devrim,
for example), pop3d sends an authentication request to pam_pgsql and I
succeed. However, I think I need to define users with the @ sign, since
there will be more than one domain on the system...

Does anyone know how to solve this problem? I do not want to use Courier
imap/Postfix/MySQL :(

BTW, I'm subscribed to the list but have not been receiving e-mails
for about a day. So, please CC my address in your post.

Best regards,


--

Devrim GUNDUZ
TR.NET System Support Specialist

devrim@tr.net

Tel : +90 (312) 295 93 18
Fax : +90 (312) 295 94 94
Tel : +90 (216) 542 90 00

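As an added example (not part of the post, and not pam_pgsql's own code), a short Python check that parses the pam_pgsql.conf and the psql "\d accounts" output quoted above, verifies that each *_column setting names an existing column of the expected type, and flags pwtype = clear. The two input strings are constructed copies of the post's text.

```python
import re  # the two strings below are constructed copies of the post's pam_pgsql.conf and "\d accounts" output
PAM_PGSQL_CONF = """\
database = mailing
user = postfix
password = password
table = accounts
user_column = username
pwd_column = passwd
expired_column = acc_expired
newtok_column = acc_newpwdreq
pwtype = clear
debug
"""
ACCOUNTS_SCHEMA = """\
                   Table "accounts"
    Column     |          Type          |  Modifiers
---------------+------------------------+-------------
 username      | character varying(255) | not null
 passwd        | character varying(255) | not null
 acc_expired   | boolean                | default '0'
 acc_newpwdreq | boolean                | default '0'
"""
def parse_conf(text):
    # "key = value" lines; a bare word such as "debug" becomes a flag set to True
    conf = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if key.strip() and not key.lstrip().startswith("#"):
            conf[key.strip()] = value.strip() if sep else True
    return conf
def parse_schema(text):
    # {column: type} from psql "\d" output; the title, header and rule lines do not match
    cols = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s*\|\s*([^|]+?)\s*\|", line)
        if m and m.group(1) != "Column":
            cols[m.group(1)] = m.group(2)
    return cols
def check(conf, cols):
    # Config/schema mismatches and weak settings; an empty list means the mapping is consistent
    problems = []
    for key in ("user_column", "pwd_column", "expired_column", "newtok_column"):
        col = conf.get(key)
        if col not in cols:
            problems.append(f"{key}={col!r} is not a column of table {conf.get('table')!r}")
        elif key in ("expired_column", "newtok_column") and cols[col] != "boolean":
            problems.append(f"{key}={col!r} should be boolean, is {cols[col]}")
    if conf.get("pwtype") == "clear":
        problems.append("pwtype=clear compares unhashed passwords; prefer a hashed pwtype")
    return problems
```

Run against the posted config and schema it reports only the clear-text pwtype, which confirms the column mapping itself is consistent.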

Re: pam_pgsql, Postfix, imap and PostgreSQL

From
Tommi Maekitalo
Date:
Hi,

You need nss_pgsql too. But old versions of it were really ugly; I wouldn't
trust them. But I have heard that someone has got it working. Search the
archives of pgsql-general.

Tommi

On Friday, 1 November 2002 10:35, Devrim GÜNDÜZ wrote:
> Hi,
>
> I'm not really sure whether or not this is the right list, but I feel that
> there may be some people who have some experience with my problem below:
>
> Case: A mail server, which will serve 30K people. I want to use
> PostgreSQL at the backend for the authentication mechanism. Postfix is used
> as the MTA. Wu-imapd is the imap/pop3 server. All these are on Red Hat
> 8.0.
>
> Since authentication must be done using PostgreSQL, I compiled
> pam_pgsql.so and moved it to /lib/security. Then I created a file
> /etc/pam_pgsql.conf, as suggested, and wrote the following lines:
> ---
> database = mailing
> user = postfix
> password = password
> table = accounts
> user_column = username
> pwd_column = passwd
> expired_column = acc_expired
> newtok_column = acc_newpwdreq
> pwtype = clear
> debug
> ----
>
> Then, modified /etc/pam.d/pop and /etc/pam.d/imap as follows:
>
> ----
> #%PAM-1.0
> #auth       required    /lib/security/pam_stack.so service=system-auth
> #account    required    /lib/security/pam_stack.so service=system-auth
> auth       required     /lib/security/pam_pgsql.so
> account    required     /lib/security/pam_pgsql.so
> ----
>
> Created a database called mailing; here is the schema of the two tables:
> mailing=# \d accounts
>                    Table "accounts"
>     Column     |          Type          |  Modifiers
> ---------------+------------------------+-------------
>  username      | character varying(255) | not null
>  passwd        | character varying(255) | not null
>  acc_expired   | boolean                | default '0'
>  acc_newpwdreq | boolean                | default '0'
>
> mailing=# \d vmailbox
>                 Table "vmailbox"
>  Column  |          Type          |  Modifiers
> ---------+------------------------+-------------
>  address | character varying(255) | not null
>  mbox    | character varying(255) |
>  active  | boolean                | default 'T'
> Unique keys: vmailbox_address_key
>
>
> And sample data from the accounts table:
>
>         username             |  passwd  | acc_expired |acc_newpwdreq
> -----------------------------+----------+-------------+---------------
>  devrim@my.hostname          | test     | f           | f
>
>
> Everything seems to be OK. But it is not.
>
> Problem:
> -------
> This is the first problem.
>
> The following program tests the connection through pam_pgsql.
>
>
>  ./test devrim@my.hostname
> PID:16472
> PAM started.
> Password:
> Authentication succeeded, checking access.
> Access permitted.
> Changing authentication token...
> Failed: Authentication token manipulation error
>
>
> It permits access, but fails while changing the auth token. I think it
> probably fails in the acc_newpwdreq column, but I'm not sure.
>
> And the second and main problem: pop3 does not authenticate ...
> Here it comes:
>
> #telnet  0 110
> Trying 0.0.0.0...
> Connected to 0.
> Escape character is '^]'.
> +OK POP3 localhost.localdomain v2001.78rh server ready
> USER devrim@my.hostname
> +OK User name accepted, password please
> PASS test
> -ERR Bad login
>
> As I trace the logs, I see that pop3d does not send a request to
> PostgreSQL...
>
> The same is valid for imap.
>
> However, if I insert a user into the table without an @ sign (devrim,
> for example), pop3d sends an authentication request to pam_pgsql and I
> succeed. However, I think I need to define users with the @ sign, since
> there will be more than one domain on the system...
>
> Does anyone know how to solve this problem? I do not want to use Courier
> imap/Postfix/MySQL :(
>
> BTW, I'm subscribed to the list but have not been receiving e-mails
> for about a day. So, please CC my address in your post.
>
> Best regards,

--
Dr. Eckhardt + Partner GmbH
http://www.epgmbh.de