How to have postfix use saslauthd and pam?

Patrick Ben Koetter p at state-of-mind.de
Fri Nov 18 03:50:34 EST 2005


* Bill Kearney <wkearney99 at hotmail.com>:
> What's the right syntax to have postfix use saslauthd (and then on to pam)
> do authentication?
> 
> I can't for the life of me figure out what's the right combination to make
> it work.
> 
> I'm using these versions (the latest of each)
>     pam_mysql 0.7pre3,
>     postfix-2.2.5,
>     cyrus-sasl-2.1.21, cyrus-imap-2.1.12,
>     mysaql-4.1.12,
>     centos-4.2 (rhel4)
> 
> And clarify for me the purpose of using saslauthd and pam.
> 
> I realize this is just as much a postfix question as it is sasl, but I have
> to start somewhere.
> 
> What's better here, to use saslauthd to handle them or use sql directly?

The pam_mysql stuff has repeatedly been reported to be leaking memory. I can't
confirm that, since I never used it.

I'd prefer to use sql directly like this:

Create a DB. You must not encrypt the passwords or it will never work - the
shared secret mechanisms need to retrieve the passwords unencrypted.

Create a DB user, set appropriate permissions to access your DB and verify
this user is able to connect to the DB and is able to retrieve data from it.

Then create the following config in /usr/lib/sasl2/smtpd.conf:

pwcheck_method: auxprop
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
auxprop_plugin: sql
... SQL options according to options.html from the Cyrus-SASL.2.x
documentation...

Before using Postfix to test the setup, install cyrus-sasl-devel.* and use
sasl2-sample-server and sasl2-sample-client to test the configuration from
smtpd.conf. To test, create a symlink from /usr/lib/sasl2/smtpd.conf to
/usr/lib/sasl2/sample.conf (this is where sasl2-sample-server will look for
config), start sasl2-sample-server, on another terminal window start
sasl2-sample-client and then try to authenticate.

If that works, turn to main.cf and add the following config:

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = FOOBAR

where FOOBAR matches the value you've added as realm (or domainpart) to the
usernames that authenticate.

Then reload Postfix, telnet to the server on port 25 and see if it offers AUTH
after an EHLO. If that works, test with a mail client. If it doesn't, use
"saslfinger -s" to provide helpful debug output on the list. For saslfinger
see my signature.

p at rick


-- 
The Book of Postfix
<http://www.postfix-book.com>
saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>


More information about the Cyrus-sasl mailing list