SASL MySQL Backend Considered Beneficial
Ian G Batten
ian.batten at uk.fujitsu.com
Tue Aug 12 07:08:06 EDT 2008
On 11 Aug 08, at 1648, Martin Schweizer wrote:
> I have two mail servers (FreeBSD 7.0, sendmail/cyrus v2.3.12p2), incl.
> replication with sync_client/-master. Until now they worked perfectly.
> Now I changed the sync_server from sasldb (Berkeley db1.85) to
> saslauthd (with saslauthd -a getpwent, the Unix password file). Everything
> works except the replication (the login to cyrus imapd works). So
> I tracked down the problem to the sasldb file. It seems that the sync
> mechanism needs the sync_authname in the sasldb (it does not check the
> password file). Is this correct?
In passing, and for what it's worth, one of the best moves I ever made
on my private Cyrus server, which I'm working myself up to do for my
day job Cyrus server, was to switch over to using the mysql backend to
SASL and divorcing it both from the password file and from the /etc/
I did it because it means I can operate mail accounts disjoint from
real user accounts: I can log in, but my wife, kids, parents etc only
have the ability to send and receive email. But most importantly it
means I have an authentication database which I can secure on a per-
subsystem basis while sharing records. Trying to use /etc/sasldb with
the same authenticators shared between cyrus (running as uid cyrus)
and sendmail (running as uid smmta) is a living hell, whereas with
MySQL I just use imapd.conf settings:
sasl_sql_select: select %p from users where username = '%u'
sasl_sql_insert: insert into users (username, realm, %p) values ('%u',
sasl_sql_update: update users set %p='%v' where username='%u'
and in Sendmail.conf (in my case in /opt/sasl2/lib/sasl2, but your
mileage will vary):
sql_select: SELECT userPassword FROM users WHERE username = '%u'
mech_list: digest-md5 cram-md5
My database has accreted columns, so when I commission users I have to
put their secret into several of them, which I should fix one day:
CREATE TABLE `users` (
  `username` varchar(64) NOT NULL default '',
  `realm` varchar(64) default NULL,
  -- plaintext secret read by the sendmail sql_select above
  `userPassword` varchar(64) default NULL,
  -- per-mechanism secret columns the SASL sql auxprop plugin selects via %p
  `cmusaslsecretPLAIN` varchar(64) default NULL,
  `cmusaslsecretDIGEST` varchar(64) default NULL,
  `MD5` varchar(64) default NULL,
  `cmusaslsecretCRAM` varchar(64) default NULL,
  PRIMARY KEY (`username`)
);
Not the question you asked, I know, but I've been meaning to mention
just how flexible this setup is.
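The per-subsystem protection described above, worked through as an added example (this is not from the original post or from the Cyrus project): one MySQL account per daemon, each granted only what its own sasl_sql_* / sql_select templates need, over the same users table. The database name `sasl`, the account names, the passwords and the user `alice` are assumptions for illustration.

```sql
-- Added example, not the post's own SQL. Assumed: database 'sasl',
-- MySQL accounts 'cyrus' and 'smmta', and the passwords shown.
CREATE DATABASE IF NOT EXISTS sasl;
USE sasl;

-- Same table layout as the post's schema.
CREATE TABLE IF NOT EXISTS users (
  username            VARCHAR(64) NOT NULL DEFAULT '',
  realm               VARCHAR(64) DEFAULT NULL,
  userPassword        VARCHAR(64) DEFAULT NULL,
  cmusaslsecretPLAIN  VARCHAR(64) DEFAULT NULL,
  cmusaslsecretDIGEST VARCHAR(64) DEFAULT NULL,
  MD5                 VARCHAR(64) DEFAULT NULL,
  cmusaslsecretCRAM   VARCHAR(64) DEFAULT NULL,
  PRIMARY KEY (username)
);

-- Cyrus account: the imapd.conf templates use select, insert and update,
-- so it gets exactly those three on this one table (no DELETE, no DDL,
-- nothing on other databases).
CREATE USER 'cyrus'@'localhost' IDENTIFIED BY 'change-me-cyrus';
GRANT SELECT, INSERT, UPDATE ON sasl.users TO 'cyrus'@'localhost';

-- Sendmail account: its sql_select only reads userPassword, so it is
-- read-only and restricted to the columns it needs. A misedited SASL
-- config on the sendmail side still cannot reach the other secret columns.
CREATE USER 'smmta'@'localhost' IDENTIFIED BY 'change-me-smmta';
GRANT SELECT (username, userPassword) ON sasl.users TO 'smmta'@'localhost';

-- Commissioning a mail-only account (no Unix account behind it): the secret
-- goes into each column the mechanisms in use read, as the post describes.
INSERT INTO users (username, realm, userPassword, cmusaslsecretPLAIN)
VALUES ('alice', 'example.org', 'correct-horse', 'correct-horse');

-- Checks, run as the respective account. As 'smmta'@'localhost' this is
-- what sendmail's sql_select expands to for user alice and succeeds:
SELECT userPassword FROM users WHERE username = 'alice';
-- ...while this is refused for 'smmta'@'localhost', because
-- cmusaslsecretCRAM is outside its column-level grant:
SELECT cmusaslsecretCRAM FROM users WHERE username = 'alice';
-- And the sendmail account cannot alter anything at all:
UPDATE users SET userPassword = 'x' WHERE username = 'alice';
```

If Cyrus never writes secrets through its sasl_sql_insert / sasl_sql_update templates (accounts are only commissioned by hand, as in the post), drop INSERT and UPDATE from the cyrus grant as well and both daemons end up read-only against the shared records.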