Community Packages


FS#61696 - [opensmtpd] Need to add /etc/pam.d/smtpd

Attached to Project: Community Packages
Opened by [] (genkisky) - Sunday, 10 February 2019, 00:21 GMT
Last edited by Eli Schwartz (eschwartz) - Wednesday, 13 February 2019, 22:50 GMT
Task Type: Bug Report
Category: Packages
Status: Assigned
Assigned To: Lukas Fleischer (lfleischer), Bruno Pagani (ArchangeGabriel)
Architecture: All
Severity: Medium
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 0%
Votes: 4
Private: No

Details

Description: OpenSMTPD uses PAM, for example to do AUTH PLAIN. However, due to FS#48650, the default /etc/pam.d/other is now to deny. So, since OpenSMTPD does not install a specific /etc/pam.d/smtpd entry, logins now fail with "535 Authentication failed".

This is potentially confusing to the user. Probably, a /etc/pam.d/smtpd should be provided with the opensmtpd package, like:

auth required pam_unix.so
account required pam_unix.so
password required pam_unix.so
session required pam_unix.so

Though, I am not a PAM expert.

Additional info:
* pambase=20190105.1-1, opensmtpd=*

Steps to reproduce:
$ useradd test
$ passwd test # use "test"
$ openssl s_client -starttls smtp host:587
[ ... ]
ehlo localhost
[ ... ]
auth plain AHRlc3QAdGVzdA== # This is: printf '\x00%s\x00%s' test test | base64
535 Authentication failed
^C
$ # Either downgrade to pambase-20171006-1, or add the above example /etc/pam.d/smtpd
$ openssl s_client -starttls smtp host:587
[ ... ]
ehlo localhost
[ ... ]
auth plain AHRlc3QAdGVzdA== # Exact same as earlier
235 2.0.0: Authentication succeeded

Comment by [] (genkisky) - Sunday, 10 February 2019, 02:37 GMT
Comment by Robin Becker (replabrobin) - Sunday, 10 February 2019, 08:31 GMT
I confirm that we also need to add /etc/pam.d/atd for the atd service. Seems like there might be others affected by the new pambase.
Comment by loqs (loqs) - Sunday, 13 September 2020, 16:23 GMT
@genkisky does rebuilding the package with the attached diff applied work for you?

I changed the PAM config from the one you suggested, as smtpd does not appear to need password or session entries. pam_nologin.so rejects access during system startup and shutdown; system-auth allows any authentication means configured for the system (by default pam_unix and pam_systemd_home).
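
Added example (not part of the original report, its comments, or the attached diff): a shell check for the failure mode described in this task, where a service with no file of its own under /etc/pam.d falls back to /etc/pam.d/other and is denied. The function names and sample files are constructed for illustration, and the check only looks for a direct pam_deny.so auth line in the fallback file.

```shell
#!/bin/sh
# Added example: names and sample files below are constructed for illustration.

# denies_auth FILE: succeeds if FILE has an active auth line using pam_deny.so.
# Simplification: include/substack directives are not followed.
denies_auth() {
    grep -Eq '^[[:space:]]*-?auth[[:space:]].*pam_deny\.so' "$1"
}

# pam_status SERVICE [DIR]: say which policy applies to SERVICE.
pam_status() {
    svc=$1
    dir=${2:-/etc/pam.d}
    if [ -f "$dir/$svc" ]; then
        echo "$svc: own policy"
    elif [ ! -f "$dir/other" ]; then
        echo "$svc: no policy file and no other"
    elif denies_auth "$dir/other"; then
        echo "$svc: falls back to other, auth denied"
    else
        echo "$svc: falls back to other, auth not denied"
    fi
}

# make_sample DIR: write a constructed pam.d tree with a deny-all "other"
# and one service (sshd) that ships its own file.
make_sample() {
    mkdir -p "$1"
    cat > "$1/other" <<'EOF'
#%PAM-1.0
auth     required pam_deny.so
account  required pam_deny.so
password required pam_deny.so
session  required pam_deny.so
EOF
    printf 'auth required pam_unix.so\naccount required pam_unix.so\n' > "$1/sshd"
}

# Demo on the constructed tree; pass no DIR to check the real /etc/pam.d.
sample=$(mktemp -d)
make_sample "$sample"
for s in sshd smtpd atd; do
    pam_status "$s" "$sample"
done
rm -rf "$sample"
```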
