Re: Newbie lament on SASL authentication with Postscript...

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


On 07/07/11 16:57, Dan White wrote:
On 07/07/11 11:01 +0200, Bernard T. Higonnet wrote:
I am building a new mail server to replace an existing FreeBSD
8.1/Postfix/CourierIMAP/SQWebwail mail server that seems to be working
OK so far. It, and its predecessors, have been working for years.

But I want to make a new server (on another machine) that uses the
most recent software, has SMTP user authentication (and maybe some
other less important bells and whistles), and permit me to keep the
old server for backup.

So I want to add SMTP user authentication to Postfix. Since Postfix's
main interest in life is email and not authentication as such, it uses
SASL from the Cyrus guys. Since Cyrus' main interest in life is
authentication, and not databases as such, it uses MySQL from the
MySQL guys. This is GOOD, in the spirit of Newton's remark "If I have
seen further it is by standing on the shoulders of giants."

1) mail clients logging into postfix mail server
2) postfix communicating (logging in?) to Cyrus SASL
3) Cyrus logging in to MySQL
4) and somewhere, Courier authdaemon is doing stuff

PS I'll be happy with PLAIN LOGIN for now...

You'll want to grab Patrick Koetter's saslfinger, which may be
distributed with your OS's sasl packages, or can be download via a google
search. It will help trouble shoot your Postfix and SASL configuration.

smtptest is a good SMTP AUTH testing tool, which is distributed as part of
the Cyrus IMAP distribution.

There are several different approaches, depending on your needs.

Probably the most straight forward approach is to use the sql auxprop
plugin. You can find sasl documentation at:

and a Postfix usage example at:

pwcheck_method: auxprop
auxprop_plugin: sql
sql_engine: pgsql
sql_user: username
sql_passwd: secret
sql_database: dbname
sql_select: SELECT password FROM users WHERE user = '%u'@'%r'

You'll want to change 'sql_engine: pgsql' to 'sql_engine: mysql'.

A requirement of this approach is that your passwords will need to be
stored in plain text (unhashed) within your MySQL database.

Another approach, if you have courier authdaemon already working, is:

pwcheck_method: authdaemond
authdaemond_path: <path_to_authdaemon_socket>
mech_list: PLAIN LOGIN

If you have Postfix chrooted, then your path_to_authdaemon_socket might be
a little tricky. For testing, you might disable any chroot configuration

Another approach would be to use saslauthd with PAM, which depends on
having a MySQL PAM module installed and configured:

pwcheck_method: saslauthd
saslauthd_path: <path_to_saslauthd_mux>
mech_list: PLAIN LOGIN

The same warning about running Postfix chrooted applies to the saslauthd
mux path.

You would then start saslauthd with a '-a pam' command line option, after
which you'll need to configure PAM/MySQL.

It's very kind of you to ignore the rant part of my rant!

I have made some progress thanks to saslfinger.

Just in case other people read this, I found while looking for saslfinger and I've found that helpful.

As of this moment, Postfix is willing to do this:


which perplexes me since in smtpd.conf I say

mech_list: PLAIN LOGIN

but that's my task for this morning!

Thanks again
Bernard Higonnet

[Index of Archives]     [Info Cyrus]     [Squirrel Mail]     [Linux Media]     [Yosemite News]     [gtk]     [KDE]     [Gimp on Windows]     [Steve's Art]

  Powered by Linux