Newbie lament on SASL authentication with Postscript...

Bernard T. Higonnet bthcom at higonnet.net
Fri Jul 8 04:36:25 EDT 2011


On 07/07/11 16:57, Dan White wrote:
> On 07/07/11 11:01 +0200, Bernard T. Higonnet wrote:
>> I am building a new mail server to replace an existing FreeBSD
>> 8.1/Postfix/CourierIMAP/SqWebMail mail server that seems to be working
>> OK so far. It, and its predecessors, have been working for years.
>>
>> But I want to make a new server (on another machine) that uses the
>> most recent software, has SMTP user authentication (and maybe some
>> other less important bells and whistles), and permit me to keep the
>> old server for backup.
>>
>> So I want to add SMTP user authentication to Postfix. Since Postfix's
>> main interest in life is email and not authentication as such, it uses
>> SASL from the Cyrus guys. Since Cyrus' main interest in life is
>> authentication, and not databases as such, it uses MySQL from the
>> MySQL guys. This is GOOD, in the spirit of Newton's remark "If I have
>> seen further it is by standing on the shoulders of giants."
>
>> 1) mail clients logging into postfix mail server
>> 2) postfix communicating (logging in?) to Cyrus SASL
>> 3) Cyrus logging in to MySQL
>> 4) and somewhere, Courier authdaemon is doing stuff
>
>> PS I'll be happy with PLAIN LOGIN for now...
>
> You'll want to grab Patrick Koetter's saslfinger, which may be
> distributed with your OS's sasl packages, or can be downloaded via a google
> search. It will help troubleshoot your Postfix and SASL configuration.
>
> smtptest is a good SMTP AUTH testing tool, which is distributed as part of
> the Cyrus IMAP distribution.
>
> There are several different approaches, depending on your needs.
>
> Probably the most straightforward approach is to use the sql auxprop
> plugin. You can find sasl documentation at:
>
> http://www.cyrusimap.org/docs/cyrus-sasl/2.1.23/options.php
>
> and a Postfix usage example at:
>
> http://www.postfix.org/SASL_README.html
>
> /etc/sasl2/smtpd.conf:
> pwcheck_method: auxprop
> auxprop_plugin: sql
> mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM
> sql_engine: pgsql
> sql_hostnames: 127.0.0.1, 192.0.2.1
> sql_user: username
> sql_passwd: secret
> sql_database: dbname
> sql_select: SELECT password FROM users WHERE user = '%u@%r'
>
> You'll want to change 'sql_engine: pgsql' to 'sql_engine: mysql'.
>
> A requirement of this approach is that your passwords will need to be
> stored in plain text (unhashed) within your MySQL database.
>
> Another approach, if you have courier authdaemon already working, is:
>
> /etc/sasl2/smtpd.conf
> pwcheck_method: authdaemond
> authdaemond_path: <path_to_authdaemon_socket>
> mech_list: PLAIN LOGIN
>
> If you have Postfix chrooted, then your path_to_authdaemon_socket might be
> a little tricky. For testing, you might disable any chroot configuration
> (in master.cf).
>
> Another approach would be to use saslauthd with PAM, which depends on
> having a MySQL PAM module installed and configured:
>
> /etc/sasl2/smtpd.conf
> pwcheck_method: saslauthd
> saslauthd_path: <path_to_saslauthd_mux>
> mech_list: PLAIN LOGIN
>
> The same warning about running Postfix chrooted applies to the saslauthd
> mux path.
>
> You would then start saslauthd with a '-a pam' command line option, after
> which you'll need to configure PAM/MySQL.

It's very kind of you to ignore the rant part of my rant!

I have made some progress thanks to saslfinger.

Just in case other people read this, I found 
http://postfix.state-of-mind.de/patrick.koetter/smtpauth/ while looking 
for saslfinger and I've found that helpful.

As of this moment, Postfix is willing to do this:

250-AUTH NTLM LOGIN GSSAPI CRAM-MD5
250-AUTH=NTLM LOGIN GSSAPI CRAM-MD5

which perplexes me since in smtpd.conf I say

mech_list: PLAIN LOGIN

but that's my task for this morning!

Thanks again
Bernard Higonnet
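A small check that makes the mismatch in the EHLO reply above explicit (what Postfix advertises versus what mech_list asks for) and also flags cleartext mechanisms such as PLAIN and LOGIN being offered on a session without TLS. This is an added example, not code from the thread or from Cyrus SASL; the EHLO reply and smtpd.conf it parses are constructed samples embedded inline so it runs offline.

```python
import re

# Constructed sample: the EHLO reply shape the poster saw, plus the
# mech_list line from the smtpd.conf quoted in the thread.
EHLO_REPLY = """250-mail.example.net
250-PIPELINING
250-SIZE 10240000
250-AUTH NTLM LOGIN GSSAPI CRAM-MD5
250-AUTH=NTLM LOGIN GSSAPI CRAM-MD5
250 8BITMIME
"""

SMTPD_CONF = """pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
"""

# Mechanisms that send the password effectively in the clear (base64 only),
# so they should only be offered once STARTTLS has been negotiated.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def advertised_mechs(ehlo_reply):
    """Collect mechanisms from both the '250-AUTH ...' and legacy '250-AUTH=...' lines."""
    mechs = set()
    for line in ehlo_reply.splitlines():
        m = re.match(r"250[- ]AUTH[= ](.*)$", line.strip())
        if m:
            mechs.update(m.group(1).split())
    return mechs


def configured_mechs(conf_text):
    """Return the mech_list from an smtpd.conf body (a later mech_list line overrides an earlier one)."""
    mechs = set()
    for line in conf_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "mech_list":
            mechs = set(value.upper().split())
    return mechs


def compare(ehlo_reply, conf_text, tls_active=False):
    """Report what is advertised but not configured, configured but not advertised,
    and cleartext mechanisms exposed while the session is not TLS-protected."""
    offered, wanted = advertised_mechs(ehlo_reply), configured_mechs(conf_text)
    return {
        "unexpected": sorted(offered - wanted),
        "missing": sorted(wanted - offered),
        "cleartext_without_tls": [] if tls_active else sorted(offered & PLAINTEXT_MECHS),
    }


if __name__ == "__main__":
    print(compare(EHLO_REPLY, SMTPD_CONF))
```

A non-empty "unexpected" list together with a non-empty "missing" list is the signature of the library reading a different smtpd.conf than the one being edited.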

