On 07/07/11 16:57, Dan White wrote:
On 07/07/11 11:01 +0200, Bernard T. Higonnet wrote:
I am building a new mail server to replace an existing FreeBSD
8.1/Postfix/CourierIMAP/SqWebMail mail server that seems to be working
OK so far. It, and its predecessors, have been working for years.
But I want to make a new server (on another machine) that uses the
most recent software, has SMTP user authentication (and maybe some
other less important bells and whistles), and permits me to keep the
old server for backup.
So I want to add SMTP user authentication to Postfix. Since Postfix's
main interest in life is email and not authentication as such, it uses
SASL from the Cyrus guys. Since Cyrus' main interest in life is
authentication, and not databases as such, it uses MySQL from the
MySQL guys. This is GOOD, in the spirit of Newton's remark "If I have
seen further it is by standing on the shoulders of giants."
1) mail clients logging into postfix mail server
2) postfix communicating (logging in?) to Cyrus SASL
3) Cyrus logging in to MySQL
4) and somewhere, Courier authdaemon is doing stuff
PS I'll be happy with PLAIN LOGIN for now...
You'll want to grab Patrick Koetter's saslfinger, which may be
distributed with your OS's sasl packages, or can be downloaded via a google
search. It will help troubleshoot your Postfix and SASL configuration.
smtptest is a good SMTP AUTH testing tool, which is distributed as part of
the Cyrus IMAP distribution.
There are several different approaches, depending on your needs.
Probably the most straightforward approach is to use the sql auxprop
plugin. You can find sasl documentation at:
http://www.cyrusimap.org/docs/cyrus-sasl/2.1.23/options.php
and a Postfix usage example at:
http://www.postfix.org/SASL_README.html
/etc/sasl2/smtpd.conf:
pwcheck_method: auxprop
auxprop_plugin: sql
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM
sql_engine: pgsql
sql_hostnames: 127.0.0.1, 192.0.2.1
sql_user: username
sql_passwd: secret
sql_database: dbname
sql_select: SELECT password FROM users WHERE user = '%u'@'%r'
You'll want to change 'sql_engine: pgsql' to 'sql_engine: mysql'.
A requirement of this approach is that your passwords will need to be
stored in plain text (unhashed) within your MySQL database.
Another approach, if you have courier authdaemon already working, is:
/etc/sasl2/smtpd.conf
pwcheck_method: authdaemond
authdaemond_path: <path_to_authdaemon_socket>
mech_list: PLAIN LOGIN
If you have Postfix chrooted, then your path_to_authdaemon_socket might be
a little tricky. For testing, you might disable any chroot configuration
(in master.cf).
Another approach would be to use saslauthd with PAM, which depends on
having a MySQL PAM module installed and configured:
/etc/sasl2/smtpd.conf
pwcheck_method: saslauthd
saslauthd_path: <path_to_saslauthd_mux>
mech_list: PLAIN LOGIN
The same warning about running Postfix chrooted applies to the saslauthd
mux path.
You would then start saslauthd with a '-a pam' command line option, after
which you'll need to configure PAM/MySQL.
It's very kind of you to ignore the rant part of my rant!
I have made some progress thanks to saslfinger.
Just in case other people read this, I found
http://postfix.state-of-mind.de/patrick.koetter/smtpauth/ while looking
for saslfinger and I've found that helpful.
As of this moment, Postfix is willing to do this:
250-AUTH NTLM LOGIN GSSAPI CRAM-MD5
250-AUTH=NTLM LOGIN GSSAPI CRAM-MD5
which perplexes me since in smtpd.conf I say
mech_list: PLAIN LOGIN
but that's my task for this morning!
Thanks again
Bernard Higonnet
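An added check, not part of the thread: the mechanisms smtpd advertises in its EHLO response are the ones the Cyrus SASL library actually loaded, so comparing them against the mech_list in the smtpd.conf you think is in effect tells you whether that file is being read at all. The smtpd.conf and EHLO lines below are constructed samples modelled on the ones posted above.

```python
import re

# Constructed sample: the smtpd.conf we believe Postfix is using (PLAIN LOGIN only).
SMTPD_CONF = """\
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
mech_list: PLAIN LOGIN
"""

# Constructed sample: what the server actually answered to EHLO.
EHLO_RESPONSE = """\
250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-AUTH NTLM LOGIN GSSAPI CRAM-MD5
250-AUTH=NTLM LOGIN GSSAPI CRAM-MD5
250 DSN
"""

def configured_mechs(conf_text):
    """Mechanisms named by mech_list in a Cyrus SASL smtpd.conf (empty set if absent)."""
    for line in conf_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "mech_list":
            return {m.upper() for m in value.split()}
    return set()

def advertised_mechs(ehlo_text):
    """Mechanisms announced on 250-AUTH lines, including the 250-AUTH= form
    Postfix emits for old Microsoft clients (broken_sasl_auth_clients)."""
    mechs = set()
    for line in ehlo_text.splitlines():
        m = re.match(r"250[- ]AUTH[= ]\s*(.*)", line)
        if m:
            mechs.update(m.group(1).upper().split())
    return mechs

def compare(conf_text, ehlo_text):
    """Return (unexpected, missing). A non-empty 'unexpected' set means the
    running smtpd is not honouring this mech_list, usually because it reads
    a different smtpd.conf (chroot path, wrong directory) than the one edited."""
    want = configured_mechs(conf_text)
    have = advertised_mechs(ehlo_text)
    return have - want, want - have

if __name__ == "__main__":
    unexpected, missing = compare(SMTPD_CONF, EHLO_RESPONSE)
    print("offered but not in mech_list:", sorted(unexpected))
    print("in mech_list but not offered:", sorted(missing))
```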