Re: Newbie lament on SASL authentication with Postscript...

On 07/07/11 11:01 +0200, Bernard T. Higonnet wrote:
I am building a new mail server to replace an existing FreeBSD 8.1/Postfix/CourierIMAP/SqWebMail mail server that seems to be working OK so far. It, and its predecessors, have been working for years.

But I want to make a new server (on another machine) that uses the most recent software, has SMTP user authentication (and maybe some other less important bells and whistles), and permits me to keep the old server for backup.

So I want to add SMTP user authentication to Postfix. Since Postfix's main interest in life is email and not authentication as such, it uses SASL from the Cyrus guys. Since Cyrus' main interest in life is authentication, and not databases as such, it uses MySQL from the MySQL guys. This is GOOD, in the spirit of Newton's remark "If I have seen further it is by standing on the shoulders of giants."

1) mail clients logging into postfix mail server
2) postfix communicating (logging in?) to Cyrus SASL
3) Cyrus logging in to MySQL
4) and somewhere, Courier authdaemon is doing stuff

PS I'll be happy with PLAIN LOGIN for now...

You'll want to grab Patrick Koetter's saslfinger, which may be
distributed with your OS's sasl packages, or can be downloaded via a Google
search. It will help troubleshoot your Postfix and SASL configuration.

smtptest is a good SMTP AUTH testing tool, which is distributed as part of
the Cyrus IMAP distribution.

There are several different approaches, depending on your needs.

Probably the most straightforward approach is to use the sql auxprop
plugin. You can find sasl documentation at:

http://www.cyrusimap.org/docs/cyrus-sasl/2.1.23/options.php

and a Postfix usage example at:

http://www.postfix.org/SASL_README.html

/etc/sasl2/smtpd.conf:
    pwcheck_method: auxprop
    auxprop_plugin: sql
    mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM
    sql_engine: pgsql
    sql_hostnames: 127.0.0.1, 192.0.2.1
    sql_user: username
    sql_passwd: secret
    sql_database: dbname
    sql_select: SELECT password FROM users WHERE user = '%u'@'%r'

You'll want to change 'sql_engine: pgsql' to 'sql_engine: mysql'.

A requirement of this approach is that your passwords will need to be
stored in plain text (unhashed) within your MySQL database.

Another approach, if you have courier authdaemon already working, is:

/etc/sasl2/smtpd.conf:
    pwcheck_method: authdaemond
    authdaemond_path: <path_to_authdaemon_socket>
    mech_list: PLAIN LOGIN

If you have Postfix chrooted, then your path_to_authdaemon_socket might be
a little tricky. For testing, you might disable any chroot configuration
(in master.cf).

Another approach would be to use saslauthd with PAM, which depends on
having a MySQL PAM module installed and configured:

/etc/sasl2/smtpd.conf:
    pwcheck_method: saslauthd
    saslauthd_path: <path_to_saslauthd_mux>
    mech_list: PLAIN LOGIN

The same warning about running Postfix chrooted applies to the saslauthd
mux path.

You would then start saslauthd with a '-a pam' command line option, after
which you'll need to configure PAM/MySQL.

--
Dan White
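The three smtpd.conf variants above differ in which mechanisms the backend can actually serve: the sql auxprop route hands the plaintext password to the SASL library (so CRAM-MD5 and DIGEST-MD5 are possible, at the cost of clear-text storage), while saslauthd and authdaemond only receive a password to verify, which is why those two configs list only PLAIN LOGIN. The following checker, an added example that is not from the original post or from Cyrus SASL, parses smtpd.conf files and flags that mismatch. The sample configs, the socket paths and the `SHARED_SECRET_MECHS` table are constructed for the example.

```python
# Constructed sample configs: the three approaches from the thread, with one
# deliberately inconsistent saslauthd variant. Socket paths are placeholders.
SAMPLE_CONFS = {
    "sql": """\
pwcheck_method: auxprop
auxprop_plugin: sql
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM
sql_engine: mysql
sql_hostnames: 127.0.0.1
sql_user: username
sql_passwd: secret
sql_database: dbname
sql_select: SELECT password FROM users WHERE username = '%u@%r'
""",
    "authdaemond": """\
pwcheck_method: authdaemond
authdaemond_path: /var/run/courier/authdaemon/socket
mech_list: PLAIN LOGIN
""",
    "saslauthd_bad": """\
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
mech_list: PLAIN LOGIN CRAM-MD5
""",
}

# Challenge/response mechanisms: the server must hold the shared secret
# (the plaintext password) to compute the expected answer.
SHARED_SECRET_MECHS = {"CRAM-MD5", "DIGEST-MD5", "NTLM"}
# Backends that only receive a (user, password) pair and answer yes/no.
FORWARDING_METHODS = {"saslauthd", "authdaemond"}


def parse_smtpd_conf(text):
    """Parse 'key: value' lines into a dict; blank lines and '#' comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            conf[key.strip().lower()] = value.strip()
    return conf


def check_smtpd_conf(conf):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    method = conf.get("pwcheck_method", "")
    mechs = set(conf.get("mech_list", "").upper().split())

    if method in FORWARDING_METHODS:
        unsupported = sorted(mechs & SHARED_SECRET_MECHS)
        if unsupported:
            findings.append(
                f"{method} cannot serve {', '.join(unsupported)}; "
                "limit mech_list to PLAIN LOGIN")
        if not conf.get(f"{method}_path"):
            findings.append(f"{method}_path is not set (chroot paths need care)")

    if method == "auxprop" and conf.get("auxprop_plugin") == "sql":
        if "sql_passwd" in conf:
            findings.append(
                "sql_passwd is a clear-text DB credential; keep smtpd.conf unreadable to others")
        if mechs & SHARED_SECRET_MECHS:
            findings.append(
                "shared-secret mechanisms require unhashed passwords in the users table")
    return findings


def check_all(confs=SAMPLE_CONFS):
    """Run the checker over every sample and map name -> findings."""
    return {name: check_smtpd_conf(parse_smtpd_conf(text)) for name, text in confs.items()}


if __name__ == "__main__":
    for name, findings in check_all().items():
        print(name, "->", findings or "ok")
```

The checker only encodes what the reply states (which backends forward passwords, and that sql auxprop needs clear-text storage); it does not try to validate the SQL statement or test the socket paths.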
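To see why the sql auxprop approach forces plain-text password storage while PLAIN LOGIN work with any backend, the following added example (not code from the original post, Cyrus SASL or smtptest) builds the client messages for AUTH PLAIN (RFC 4616) and CRAM-MD5 (RFC 2195), then verifies them against a constructed user store in which one account keeps its password in clear text and the other keeps only a salted SHA-256 digest. The user names, passwords and salt are constructed; the CRAM-MD5 challenge and digest are the test vector from RFC 2195.

```python
import base64
import hashlib
import hmac


def auth_plain_initial_response(authcid, passwd, authzid=""):
    """Client side of AUTH PLAIN: base64(authzid NUL authcid NUL passwd)."""
    raw = f"{authzid}\0{authcid}\0{passwd}".encode()
    return base64.b64encode(raw).decode()


def parse_plain(b64):
    """Server side of AUTH PLAIN: decode and split into (authzid, authcid, passwd)."""
    parts = base64.b64decode(b64).decode().split("\0")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN response")
    return tuple(parts)


def cram_md5_response(username, passwd, challenge):
    """Client side of CRAM-MD5: 'username SP hex(HMAC-MD5(passwd, challenge))'."""
    digest = hmac.new(passwd.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def _salted_sha256(salt, passwd):
    return hashlib.sha256(salt + passwd.encode()).hexdigest()


# Constructed user store. "tim" is stored the way the sql auxprop route needs
# (clear text); "alice" is stored hashed, as a saslauthd/PAM or authdaemon
# backend might keep it.
SALT = b"constructed-salt"
USER_STORE = {
    "tim": {"plain": "tanstaaftanstaaf"},
    "alice": {"salt": SALT, "sha256": _salted_sha256(SALT, "s3cret")},
}


def verify_plain(store, authcid, passwd):
    """PLAIN/LOGIN hand the server the password itself, so either storage form works."""
    entry = store.get(authcid)
    if entry is None:
        return False
    if "plain" in entry:
        return hmac.compare_digest(entry["plain"], passwd)
    return hmac.compare_digest(entry["sha256"], _salted_sha256(entry["salt"], passwd))


def verify_cram_md5(store, response, challenge):
    """CRAM-MD5 needs the shared secret: without the clear-text password the
    server cannot recompute the HMAC, so a hashed-only account can never pass."""
    user, _, digest = response.partition(" ")
    entry = store.get(user)
    if entry is None or "plain" not in entry:
        return False
    expected = hmac.new(entry["plain"].encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    chal = b"<1896.697170952@postoffice.reston.mci.net>"
    print(auth_plain_initial_response("alice", "s3cret"))
    print(verify_plain(USER_STORE, "alice", "s3cret"))
    print(verify_cram_md5(USER_STORE, cram_md5_response("tim", "tanstaaftanstaaf", chal), chal))
    print(verify_cram_md5(USER_STORE, cram_md5_response("alice", "s3cret", chal), chal))
```

The last call returns False not because the password is wrong but because the store holds only a digest for that account, which is exactly the constraint the reply describes for the auxprop approach.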

