FS#61696 - [opensmtpd] Need to add /etc/pam.d/smtpd

Attached to Project: Community Packages
Opened by [] (genkisky) - Sunday, 10 February 2019, 00:21 GMT
Last edited by Buggy McBugFace (bugbot) - Saturday, 25 November 2023, 20:00 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Lukas Fleischer (lfleischer)
Bruno Pagani (ArchangeGabriel)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 4
Private No

Details

Description: OpenSMTPD uses PAM, for example to do AUTH PLAIN. However due to  FS#48650 , the default /etc/pam.d/other is now to deny. So, since OpenSMTPD does not install a specific /etc/pam.d/smtpd entry, logins now fail with "535 Authentication failed".

This is potentially confusing to the user. Probably, a /etc/pam.d/smtpd should be provided with the opensmtpd package, like:

auth required pam_unix.so
account required pam_unix.so
password required pam_unix.so
session required pam_unix.so

Though, I am not a PAM expert.

Additional info:
* pambase=20190105.1-1, opensmtpd=*

Steps to reproduce:
$ useradd test
$ passwd test # use "test"
$ openssl s_client -starttls smtp host:587
[ ... ]
ehlo localhost
[ ... ]
auth plain AHRlc3QAdGVzdA== # This is: printf '\x00%s\x00%s' test test | base64
535 Authentication failed
^C
$ # Either downgrade to pambase-20171006-1, or add the above example /etc/pam.d/smtpd
$ openssl s_client -starttls smtp host:587
[ ... ]
ehlo localhost
[ ... ]
auth plain AHRlc3QAdGVzdA== # Exact same as earlier
235 2.0.0: Authentication succeeded
This task depends upon

Closed by  Buggy McBugFace (bugbot)
Saturday, 25 November 2023, 20:00 GMT
Reason for closing:  Moved
Additional comments about closing:  https://gitlab.archlinux.org/archlinux/p ackaging/packages/opensmtpd/issues/2
Comment by [] (genkisky) - Sunday, 10 February 2019, 02:37 GMT Comment by Robin Becker (replabrobin) - Sunday, 10 February 2019, 08:31 GMT
I confirm that we also need to add /etc/pam.d/atd for the atd service. Seems like there might be others affected by the new pambase.
Comment by loqs (loqs) - Sunday, 13 September 2020, 16:23 GMT
@genkisky does rebuilding the package with the attached diff applied work for you?

I changed the pam config from the one you suggested as smtpd does not appear to need password or session entries,
pam_nologin.so rejects access during system startup and shutdown, system-auth allows any authentication means configured for the system (by default pam_unix and pam_systemd_home).
Comment by Buggy McBugFace (bugbot) - Tuesday, 08 August 2023, 19:11 GMT
This is an automated comment as this bug is open for more then 2 years. Please reply if you still experience this bug otherwise this issue will be closed after 1 month.

Loading...