
postfix+cyrus-sasl+dovecot+pam_radius: Dovecot authentication problem

火星人 @ 2014-03-04, replies: 0


I am setting up a new mail system. It has to use our existing authentication system (radius+openldap) as the mail system's authentication backend, and because the schema of the existing LDAP system is fixed, RADIUS authentication is the only option, so I am using postfix+cyrus-sasl+dovecot+pam_radius. The current situation is as follows:
1. All components of the system installed successfully; postfix+sasl+pam_radius works fine, mail can be sent normally, and authentication goes through the RADIUS system.
2. dovecot+pam_radius authentication has a problem, as follows:
# more /etc/pam.d/dovecot
#%PAM-1.0
auth       sufficient     /lib/security/pam_radius_auth.so
account    sufficient      /lib/security/pam_radius_auth.so
password        sufficient      /lib/security/pam_radius_auth.so

# telnet localhost 110
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
+OK Dovecot ready.
user systemman2
+OK
pass 123456
-ERR Internal login failure. Refer to server log for more information.

# tail maillog
Jul 11 00:52:15 zhengmk dovecot: Dovecot v1.0.7 starting up
Jul 11 00:52:32 zhengmk dovecot: auth(default): userdb(systemman,::ffff:127.0.0.1): user not found from userdb
Jul 11 00:52:32 zhengmk dovecot: pop3-login: Internal login failure: user=<systemman>, method=PLAIN, rip=::ffff:127.0.0.1, lip=::ffff:127.0.0.1, secured
Jul 11 00:53:57 zhengmk dovecot: auth(default): userdb(systemman2,::ffff:127.0.0.1): user not found from userdb
Jul 11 00:53:57 zhengmk dovecot: pop3-login: Internal login failure: user=<systemman2>, method=PLAIN, rip=::ffff:127.0.0.1, lip=::ffff:127.0.0.1, secured

# tail audit.log
type=AVC msg=audit(1215708837.905:680456): avc:  denied  { name_bind } for  pid=26749 comm="dovecot-auth" src=32767 scontext=user_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1215708837.905:680456): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bf881a90 a2=3f8800 a3=96d39e0 items=0 ppid=26673 pid=26749 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=7 comm="dovecot-auth" exe="/usr/libexec/dovecot/dovecot-auth" subj=user_u:system_r:dovecot_auth_t:s0 key=(null)
type=USER_AUTH msg=audit(1215708837.927:680457): user pid=26749 uid=0 auid=1000 subj=user_u:system_r:dovecot_auth_t:s0 msg='PAM: authentication acct="systemman2" : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:127.0.0.1, addr=::ffff:127.0.0.1, terminal=dovecot res=success)'
type=USER_ACCT msg=audit(1215708837.928:680458): user pid=26749 uid=0 auid=1000 subj=user_u:system_r:dovecot_auth_t:s0 msg='PAM: accounting acct="systemman2" : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:127.0.0.1, addr=::ffff:127.0.0.1, terminal=dovecot res=success)'

From audit.log and the server's radius.log it can be seen that authentication has passed, but maillog shows that the user cannot be found in the local userdb. My understanding is this: RADIUS only provides authentication and does not store user information, while Dovecot needs a user database to hold the related information, which is why authentication passes but mail cannot be received. I am not sure whether that is right. As for how exactly to solve it, I hope you brothers can give me a few pointers. Thanks.
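As an added example (not from the original post, and not Dovecot's or pam_radius's own code), the script below checks the two symptoms visible in the logs above, a PAM success with a Dovecot userdb miss and the SELinux name_bind denial against dovecot-auth, and prints a Dovecot 1.0.x auth block in which PAM does the password check and a static userdb supplies the account data that RADIUS does not provide. The log lines are constructed from the post; the PAM service name and the uid/gid/home template are assumptions to adapt to the real system.

```shell
#!/bin/sh
# Added example, not from the original post. Sample log lines are constructed from the
# post's maillog / audit.log; the uid/gid/home values and PAM service name are assumptions.

TMP=$(mktemp -d)
cat >"$TMP/maillog" <<'EOF'
Jul 11 00:53:57 zhengmk dovecot: auth(default): userdb(systemman2,::ffff:127.0.0.1): user not found from userdb
Jul 11 00:53:57 zhengmk dovecot: pop3-login: Internal login failure: user=<systemman2>, method=PLAIN, rip=::ffff:127.0.0.1, lip=::ffff:127.0.0.1, secured
EOF
cat >"$TMP/audit.log" <<'EOF'
type=AVC msg=audit(1215708837.905:680456): avc:  denied  { name_bind } for  pid=26749 comm="dovecot-auth" src=32767 scontext=user_u:system_r:dovecot_auth_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=USER_AUTH msg=audit(1215708837.927:680457): user pid=26749 uid=0 auid=1000 subj=user_u:system_r:dovecot_auth_t:s0 msg='PAM: authentication acct="systemman2" : exe="/usr/libexec/dovecot/dovecot-auth" (hostname=::ffff:127.0.0.1, addr=::ffff:127.0.0.1, terminal=dovecot res=success)'
EOF

# Returns 0 when PAM reports success for the user but Dovecot's userdb lookup failed:
# the password check passed, so what is missing is the account data (uid/gid/home).
pam_ok_but_userdb_missing() {  # $1=maillog  $2=audit.log  $3=username
    grep -q "userdb($3,.*): user not found from userdb" "$1" || return 1
    grep -q "USER_AUTH.*acct=\"$3\".*res=success" "$2" || return 1
}

# Prints "<comm> <class>" for each SELinux name_bind denial. pam_radius binds a UDP
# source port to talk to the RADIUS server; the post's audit.log shows that bind denied.
avc_name_bind_denials() {  # $1=audit.log
    sed -n 's/.*avc: *denied *{ name_bind }.*comm="\([^"]*\)".*tclass=\([a-z_]*\).*/\1 \2/p' "$1"
}

# Dovecot 1.0.x auth block: PAM (pam_radius behind the "dovecot" service) checks the
# password; a static userdb gives every RADIUS-authenticated user the same uid/gid/home.
print_dovecot_auth_fragment() {
    cat <<'EOF'
auth default {
  mechanisms = plain
  passdb pam {
    args = dovecot
  }
  userdb static {
    args = uid=5000 gid=5000 home=/var/vmail/%u
  }
}
EOF
}

if pam_ok_but_userdb_missing "$TMP/maillog" "$TMP/audit.log" systemman2; then
    echo "systemman2: authenticated by PAM but absent from userdb; add a userdb, e.g.:"
    print_dovecot_auth_fragment
fi
echo "SELinux name_bind denials: $(avc_name_bind_denials "$TMP/audit.log")"
```

The name_bind denial is a separate issue from the userdb miss and should be resolved in the SELinux policy for dovecot_auth_t rather than by disabling enforcement.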


http://coctec.com/docs/service/show-post-29152.html