Newbie lament on SASL authentication with Postscript...

Dan White dwhite at olp.net
Thu Jul 7 10:57:04 EDT 2011


On 07/07/11 11:01 +0200, Bernard T. Higonnet wrote:
>I am building a new mail server to replace an existing FreeBSD 
>8.1/Postfix/CourierIMAP/SQWebwail mail server that seems to be 
>working OK so far. It, and its predecessors, have been working for 
>years.
>
>But I want to make a new server (on another machine) that uses the 
>most recent software, has SMTP user authentication (and maybe some 
>other less important bells and whistles), and permit me to keep the 
>old server for backup.
>
>So I want to add SMTP user authentication to Postfix. Since Postfix's 
>main interest in life is email and not authentication as such, it 
>uses SASL from the Cyrus guys. Since Cyrus' main interest in life is 
>authentication, and not databases as such, it uses MySQL from the 
>MySQL guys. This is GOOD, in the spirit of Newton's remark "If I have 
>seen further it is by standing on the shoulders of giants."

>1) mail clients logging into postfix mail server
>2) postfix communicating (logging in?) to Cyrus SASL
>3) Cyrus logging in to MySQL
>4) and somewhere, Courier authdaemon is doing stuff

>PS I'll be happy with PLAIN LOGIN for now...

You'll want to grab Patrick Koetter's saslfinger, which may be
distributed with your OS's sasl packages, or can be downloaded via a Google
search. It will help troubleshoot your Postfix and SASL configuration.

smtptest is a good SMTP AUTH testing tool, which is distributed as part of
the Cyrus IMAP distribution.

There are several different approaches, depending on your needs.

Probably the most straightforward approach is to use the sql auxprop
plugin. You can find sasl documentation at:

http://www.cyrusimap.org/docs/cyrus-sasl/2.1.23/options.php

and a Postfix usage example at:

http://www.postfix.org/SASL_README.html

/etc/sasl2/smtpd.conf:
     pwcheck_method: auxprop
     auxprop_plugin: sql
     mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM
     sql_engine: pgsql
     sql_hostnames: 127.0.0.1, 192.0.2.1
     sql_user: username
     sql_passwd: secret
     sql_database: dbname
     sql_select: SELECT password FROM users WHERE user = '%u'@'%r'

You'll want to change 'sql_engine: pgsql' to 'sql_engine: mysql'.

A requirement of this approach is that your passwords will need to be
stored in plain text (unhashed) within your MySQL database.

Another approach, if you have courier authdaemon already working, is:

/etc/sasl2/smtpd.conf
     pwcheck_method: authdaemond
     authdaemond_path: <path_to_authdaemon_socket>
     mech_list: PLAIN LOGIN

If you have Postfix chrooted, then your path_to_authdaemon_socket might be
a little tricky. For testing, you might disable any chroot configuration
(in master.cf).

Another approach would be to use saslauthd with PAM, which depends on
having a MySQL PAM module installed and configured:

/etc/sasl2/smtpd.conf
     pwcheck_method: saslauthd
     saslauthd_path: <path_to_saslauthd_mux>
     mech_list: PLAIN LOGIN

The same warning about running Postfix chrooted applies to the saslauthd
mux path.

You would then start saslauthd with a '-a pam' command line option, after
which you'll need to configure PAM/MySQL.

-- 
Dan White
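As an added illustration (not part of Dan White's reply or of the Cyrus SASL code) of why the sql auxprop route needs cleartext passwords while the saslauthd/authdaemond routes do not: with PLAIN the server receives the password itself and can compare it against a stored hash, whereas CRAM-MD5 (in the mech_list above) makes the server recompute an HMAC keyed by the password, so the backend has to hold it in clear. The user, password, salt and lookup tables below are constructed samples.

```python
import base64
import hashlib
import hmac

# Constructed sample credentials; not real accounts.
USER, PASSWORD = "bernard", "correct horse"

def plain_initial_response(authzid, authcid, password):
    """RFC 4616 PLAIN: the client base64-encodes 'authzid\\0authcid\\0password'.
    The password is only encoded, not protected; TLS has to supply that."""
    return base64.b64encode(f"{authzid}\0{authcid}\0{password}".encode()).decode()

def verify_plain(response, lookup_hash):
    """Server side of PLAIN: recover the cleartext password and check it
    against a stored salted hash. This is what saslauthd/PAM or authdaemond
    can do, so the password store never has to hold cleartext."""
    parts = base64.b64decode(response).split(b"\0")
    if len(parts) != 3:
        return False
    authcid, password = parts[1].decode(), parts[2].decode()
    entry = lookup_hash(authcid)
    if entry is None:
        return False
    salt, digest = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)

def cram_md5_response(user, password, challenge):
    """RFC 2195 CRAM-MD5: the client answers the server's challenge with
    'user <hex HMAC-MD5(key=password, msg=challenge)>', base64-encoded."""
    mac = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {mac}".encode()).decode()

def verify_cram_md5(response, challenge, lookup_cleartext):
    """Server side of CRAM-MD5: it must recompute the HMAC, which needs the
    cleartext password (hence the sql auxprop plain-text storage requirement)."""
    user, _, mac = base64.b64decode(response).decode().partition(" ")
    password = lookup_cleartext(user)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, mac)

# Constructed stores standing in for a hashed PAM/authdaemon backend and
# for the cleartext MySQL table the sql auxprop plugin would query.
_SALT = b"constructed-salt"
HASHED_STORE = {USER: (_SALT, hashlib.pbkdf2_hmac("sha256", PASSWORD.encode(), _SALT, 100_000))}
CLEARTEXT_STORE = {USER: PASSWORD}
```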