SASL MySQL Backend Considered Beneficial
Ian G Batten
ian.batten at uk.fujitsu.com
Tue Aug 12 07:08:06 EDT 2008
On 11 Aug 08, at 1648, Martin Schweizer wrote:
> Hello
>
> I have two mail servers (FreeBSD 7.0, sendmail/cyrus v2.3.12p2), incl.
> replication with sync_client/-master. Until now they worked perfectly.
> Now I changed on the sync_server from sasldb (Berkeley db1.85) to
> saslauthd (with saslauthd -a getpwent, the Unix password file). All
> works but not the replication (but the login to cyrus imapd works). So
> I tracked down the problem to the sasldb file. It seems that the sync
> mechanism needs the sync_authname in the sasldb (it does not check the
> password file). Is this correct?
In passing, and for what it's worth, one of the best moves I ever made
on my private Cyrus server, which I'm working myself up to do for my
day job Cyrus server, was to switch over to using the mysql backend to
SASL and divorcing it both from the password file and from the
/etc/sasldb mechanism.

I did it because it means I can operate mail accounts disjoint from
real user accounts: I can log in, but my wife, kids, parents etc only
have the ability to send and receive email. But most importantly it
means I have an authentication database which I can secure on a
per-subsystem basis while sharing records. Trying to use /etc/sasldb
with the same authenticators shared between cyrus (running as uid
cyrus) and sendmail (running as uid smmta) is a living hell, whereas
with MySQL I just use imapd.conf settings:
# imapd.conf: verify passwords through the SASL auxprop sql plugin
sasl_pwcheck_method: auxprop
sasl_auxprop_plugin: sql
# let the plugin write mechanism-specific secrets after a plaintext login
sasl_auto_transition: yes
sasl_sql_engine: mysql
sasl_sql_hostnames: localhost
sasl_sql_user: cyrus
sasl_sql_passwd: xxxx
sasl_sql_database: cyrussasl
# %u = user, %r = realm, %p = property (column) name, %v = value
sasl_sql_select: select %p from users where username = '%u'
sasl_sql_insert: insert into users (username, realm, %p) values ('%u', '%r', '%v')
sasl_sql_update: update users set %p='%v' where username='%u'
and in Sendmail.conf (in my case in /opt/sasl2/lib/sasl2, but your mileage will vary):
# Sendmail.conf: same table, a different (read-only) MySQL account
pwcheck_method: auxprop
auxprop_plugin: sql
sql_engine: mysql
sql_hostnames: localhost
sql_user: sendmail
sql_passwd: xxxx
sql_database: cyrussasl
sql_select: SELECT userPassword FROM users WHERE username = '%u'
mech_list: digest-md5 cram-md5
sql_verbose: yes
My database has accreted columns, so when I commission users I have to
put their secret into several of them, which I should fix one day:
CREATE TABLE `users` (
  `username` varchar(64) NOT NULL default '',
  `realm` varchar(64) default NULL,
  -- plaintext secret read by the sendmail sql_select above
  `userPassword` varchar(64) default NULL,
  -- per-mechanism secret columns filled in by sasl_auto_transition
  `cmusaslsecretPLAIN` varchar(64) default NULL,
  `cmusaslsecretDIGEST` varchar(64) default NULL,
  `MD5` varchar(64) default NULL,
  `cmusaslsecretCRAM` varchar(64) default NULL,
  PRIMARY KEY (`username`)
) ENGINE=InnoDB;  -- TYPE=InnoDB is the pre-4.1 spelling and is no longer accepted
Not the question you asked, I know, but I've been meaning to mention
just how flexible this setup is.
ian
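The per-subsystem securing that the post describes, written out as the MySQL privilege layout it implies. This is an added example, not the post's own schema or grants: it keeps only the userPassword column the post's Sendmail query reads (the post's extra cmusaslsecret* columns would be added to the table if auto_transition is expected to store mechanism secrets), and the account names follow the sql_user settings above. The passwords, realm and user row are placeholders.

```sql
-- Added example, not from the post: one shared credentials table, two
-- MySQL accounts holding only the privileges each SASL configuration
-- actually exercises. Assumes a MySQL release with column-level grants.
CREATE DATABASE IF NOT EXISTS cyrussasl;
USE cyrussasl;

CREATE TABLE IF NOT EXISTS users (
  username     VARCHAR(64) NOT NULL,
  realm        VARCHAR(64),
  userPassword VARCHAR(64),
  PRIMARY KEY (username)
) ENGINE=InnoDB;

-- Cyrus side: sasl_auto_transition: yes means the sql plugin may INSERT
-- and UPDATE rows after a successful plaintext login, so this account
-- needs write access, but only on this one table.
CREATE USER 'cyrus'@'localhost' IDENTIFIED BY 'change-me-cyrus';  -- placeholder
GRANT SELECT, INSERT, UPDATE ON cyrussasl.users TO 'cyrus'@'localhost';

-- Sendmail side: its sql_select reads userPassword by username and
-- nothing else, so grant SELECT on exactly those two columns (the WHERE
-- clause on username needs the column privilege too).
CREATE USER 'sendmail'@'localhost' IDENTIFIED BY 'change-me-sendmail';  -- placeholder
GRANT SELECT (username, userPassword) ON cyrussasl.users TO 'sendmail'@'localhost';

-- Provision a mail-only account: no /etc/passwd entry is involved.
-- Constructed sample row; realm and secret are placeholders.
INSERT INTO users (username, realm, userPassword)
VALUES ('alice', 'example.org', 'correct horse battery staple');

-- Inspect the result from an administrative session.
SHOW GRANTS FOR 'cyrus'@'localhost';
SHOW GRANTS FOR 'sendmail'@'localhost';

-- Run as 'sendmail': the first statement succeeds, the second is denied,
-- which is the check that the column grant is doing its job.
--   SELECT userPassword FROM users WHERE username = 'alice';
--   SELECT realm FROM users WHERE username = 'alice';
```

Keeping the two accounts separate is what makes the split useful: a compromise of the sendmail process (uid smmta) yields a read-only view of one column, while the cyrus account is the only one that can change a stored secret, and neither can touch other databases on the same server.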