I set up pwauth with mod_authnz_external and it works fine pulling IDs from pam_mysql using a pretty standard setup and restricting users to the web group.

root@marvin:~# cat /etc/pam.d/pwauth
auth required pam_succeed_if.so quiet_success user ingroup web
auth sufficient pam_mysql.so \
    user=nss-shadow \
    passwd=secret \
    db=nss_mysql \
    table=user \
    usercolumn=user_name \
    passwdcolumn=password \
    crypt=1 \
    verbose=0
auth requisite pam_deny.so
auth required pam_permit.so
account sufficient pam_mysql.so \
    user=nss-shadow \
    passwd=secret \
    db=nss_mysql \
    table=user \
    usercolumn=user_name \
    passwdcolumn=password \
    crypt=1 \
    verbose=0
account requisite pam_deny.so
account required pam_permit.so

root@marvin:~# pwauth
arjag
secret
root@marvin:~# echo $?
0
Ok, so all good.
If I adjust the file:

root@marvin:~# cat /etc/pam.d/pwauth
# group checking removed for testing
# auth required pam_succeed_if.so quiet_success user ingroup web
auth sufficient pam_mysql.so \
    user=postfix \
    passwd=secret \
    host=localhost \
    db=postfix \
    table=mailbox \
    usercolumn=username \
    passwdcolumn=password \
    crypt=1 \
    md5=1 \
    verbose=0
auth sufficient pam_mysql.so \
    user=nss-shadow \
    passwd=secret \
    db=nss_mysql \
    table=user \
    usercolumn=user_name \
    passwdcolumn=password \
    crypt=1 \
    verbose=0
auth requisite pam_deny.so
auth required pam_permit.so
account sufficient pam_mysql.so \
    user=postfix \
    passwd=secret \
    host=localhost \
    db=postfix \
    table=mailbox \
    usercolumn=username \
    passwdcolumn=password \
    crypt=1 \
    md5=1 \
    verbose=0
account sufficient pam_mysql.so \
    user=nss-shadow \
    passwd=secret \
    db=nss_mysql \
    table=user \
    usercolumn=user_name \
    passwdcolumn=password \
    crypt=1 \
    verbose=0
account requisite pam_deny.so
account required pam_permit.so
If I try any of the accounts with "@" in the username (from the postfix database) I always get failure:

root@marvin:~# pwauth (this one is just a test to show /etc/init.d/pwauth still works)
arjag
secret
root@marvin:~# echo $?
0
root@marvin:~# pwauth
arjag@y42.biz
secret
root@marvin:~# echo $?
1
root@marvin:~# pwauth
arjag\@y42.biz
root@marvin:~# echo $?
1
I think this should work, as it does not seem to be a PAM limitation: on the same host I can do:

root@marvin:~# testsaslauthd -u arjag -p secret -f /var/spool/postfix/var/run/saslauthd/mux -s pwauth
0: OK "Success."
root@marvin:~# testsaslauthd -u arjag@y42.biz -p secret -f /var/spool/postfix/var/run/saslauthd/mux -s pwauth
0: OK "Success."

I have set verbose to 1 and it appears pwauth simply refuses to pass on a username with "@".
Thanks for your time,
R,
Todd
Status: New
Labels: Type-Defect, Priority-Medium
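
Added example, not part of the original report and not pwauth or Linux-PAM code: a simplified Python model of how the required/requisite/sufficient control flags resolve the two auth stacks shown in the report. The module outcomes are constructed inputs, and the labels and the `run_stack` name are hypothetical.

```python
# Added illustration: simplified model of Linux-PAM's classic control flags.
# Stack contents mirror the auth lines in the report; labels are hypothetical.
ORIGINAL_AUTH = [
    ("required", "succeed_if:ingroup_web"),
    ("sufficient", "pam_mysql:nss_mysql"),
    ("requisite", "pam_deny"),
    ("required", "pam_permit"),
]
MODIFIED_AUTH = [  # group check commented out, postfix lookup added first
    ("sufficient", "pam_mysql:postfix"),
    ("sufficient", "pam_mysql:nss_mysql"),
    ("requisite", "pam_deny"),
    ("required", "pam_permit"),
]
ALWAYS = {"pam_deny": False, "pam_permit": True}  # fixed module behaviour


def run_stack(stack, outcomes):
    """Return (authenticated, label of the module that decided the result)."""
    outcomes = {**outcomes, **ALWAYS}
    failed_required = None   # first 'required' module that failed, if any
    succeeded = False
    for control, label in stack:
        ok = outcomes[label]
        if control == "sufficient":
            # Success ends the stack at once unless a 'required' module
            # already failed; failure of a 'sufficient' module is ignored.
            if ok and failed_required is None:
                return True, label
        elif control == "requisite" and not ok:
            return False, label          # failure ends the stack at once
        elif ok:
            succeeded = True
        elif failed_required is None:    # 'required' failure: keep going
            failed_required = label
    if failed_required is not None:
        return False, failed_required
    return succeeded, "end of stack"


if __name__ == "__main__":
    # Constructed outcomes: mailbox-style login known only to the postfix table.
    print(run_stack(MODIFIED_AUTH, {"pam_mysql:postfix": True,
                                    "pam_mysql:nss_mysql": False}))
    # Constructed outcomes: valid password but user not in group 'web'.
    print(run_stack(ORIGINAL_AUTH, {"succeed_if:ingroup_web": False,
                                    "pam_mysql:nss_mysql": True}))
```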