Hi Mark,
pam_mysql would be the easier approach, and typically doesn't require much configuration within sasl/imapd to support it. Most of your configuration will be done within the pam system configuration. To tell imapd to authenticate against pam, you'd use saslauthd. In imapd.conf:
sasl_pwcheck_method: saslauthd
sasl_mech_list: plain login
#allowplaintext: 1 # May be needed, but be sure you understand the security consequences
You would then configure the saslauthd service to start on boot, and specify the pam as the automech (-a), which is probably the default. Use testsaslauthd to verify your configuration. Consult your system pam documentation to have it reference your mysql database.
The drawback to this approach is that you lose SASL's security layer, and your passwords will be sent in cleartext over the wire. You can configure SSL to protect your passwords.
Alternatively, there is a mysql auxprop plugin available within sasl that you can use to store/reference authentication material, which commonly requires you to store your secrets in clear text, but has the advantage of opening up multiple authentication mechanisms along with their associated security layers. See:
You would prepend these options with sasl_ within imapd.conf. Auxprop plugins allow you to transparently use saslpasswd2 to store and manage your user database, and it also would allow you to manage them outside of the sasl utilities, e.g. with sql client tools.
The corresponding options from above (in addition to the sql specific options) would be:
sasl_pwcheck_method: saslauthd
#sasl_mech_list: # Use all available mechs
allowplaintext: 0
To test your auxprop/mysql config, you'll need to create a saslpasswd2.conf file, similar to the one in this post:
On Thu, Mar 4, 2021 at 6:12 PM Mark Constable via SASL <sasl@xxxxxxxxxxxxxxxxxx> wrote:
I'm confused about the difference between accessing mysql via pam_mysql in the official docs and all the other examples I've seen with mysql directives directly in imapd.conf. I can't get either method to work atm so I am wondering what is the difference between them so I can focus on one or the other approach?
