
question on sasl2 auth thru mysql


Adrian Mak

Aug 18, 2005, 9:26:10 PM
I'm going to implement virtual mailboxes through a MySQL db (i.e. creation of
a Linux shell account is not necessary just to use the email service).

The existing sasl2 works well for authenticating users from remote clients.
If Postfix implements virtual mailboxes, does sasl2 need to support MySQL too?
I checked that my existing sasl2 isn't linked to any MySQL library, so
I think that sasl2 should be recompiled with MySQL support.

What else is needed besides recompiling sasl2?

Patrick Ben Koetter

Aug 19, 2005, 2:54:35 AM
* Adrian Mak <makka...@gmail.com>:

> I'm going to implement virtual mailboxes through a MySQL db (i.e. creation of
> a Linux shell account is not necessary just to use the email service)
>
> The existing sasl2 works well for authenticating users from remote clients.
> If Postfix implements virtual mailboxes, does sasl2 need to support MySQL too?

Postfix and Cyrus-SASL 2.x are two different pieces of software. You can configure
Postfix to look up information in MySQL and leave SASL the way it was at the
same time without any problems.

However, in most situations when you put the Postfix lookup tables in an SQL
database, it makes sense to use the SQL database as the authentication
backend for Cyrus-SASL 2.x as well.

In this case all you need to do is rebuild Cyrus-SASL 2.x --with-sql and
--mysql=/usr (providing the full path doesn't work because there's a bug in
the configure (?) script) and then copy the libsql.* stuff to your SASL dir.

Refer to options.html from the SASL docs to identify the correct parameters,
options and notation (!) for MySQL configuration, but most important, don't (!)
use crypted passwords in your MySQL table to store the passwords.

The reason is that SASL SQL support is done via auxprop plugins, which
additionally give you shared-secret mechanisms. These mechanisms must be
able to read a password from the authentication backend (MySQL). If the
passwords are crypted, it will not work.

Use "sample-server" and "sample-client" from the sample subdir in the SASL
sources to test authentication before (!) you try to test authentication using
a MUA and Postfix. Only if the sample-* binaries succeed should you proceed to
configure Postfix, or you will never know which (Cyrus-SASL 2.x or Postfix)
causes problems during authentication.


p@rick

--
The Book of Postfix
<http://www.postfix-book.com>
saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
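To make the point about crypted passwords concrete, here is an added example (the editor's, not code from the thread or from Cyrus SASL) that runs the two kinds of SASL mechanism side by side. PLAIN hands the server the password itself, so the server can verify it against either a plaintext column or a one-way hash. CRAM-MD5 hands the server only an HMAC of a server challenge keyed by the password, so the server has to recompute that HMAC from the stored password and cannot do so from a hash. The user name, password, salt and the dict standing in for the MySQL `mailbox` table are constructed for the example; the salted SHA-256 is not what crypt(3) or pam_mysql produces, it only needs to be one-way.

```python
"""PLAIN vs. CRAM-MD5 against a plaintext store and a one-way-hashed store."""
import base64
import hashlib
import hmac
import secrets

# Constructed credential data standing in for the MySQL `mailbox` table in the
# thread; user name, password and salt are made up for the example.
USER, PASSWORD = "user@example.net", "secret"
FIXED_SALT = "0123456789abcdef"


def hash_password(password, salt=None):
    """Salted SHA-256 stored as 'salt$hex'. Not what crypt(3) or pam_mysql
    produces, but like them it is one-way, which is all that matters here."""
    if salt is None:
        salt = secrets.token_hex(8)
    return salt + "$" + hashlib.sha256((salt + password).encode()).hexdigest()


PLAINTEXT_STORE = {USER: PASSWORD}                           # what the auxprop SQL plugin needs
HASHED_STORE = {USER: hash_password(PASSWORD, FIXED_SALT)}   # what "crypted passwords" gives you


# PLAIN (RFC 4616): the client sends authzid NUL authcid NUL password, base64-encoded.
def plain_client_response(user, password):
    return base64.b64encode(("\0" + user + "\0" + password).encode()).decode()


def verify_plain(b64_response, store, hashed):
    _authzid, user, password = base64.b64decode(b64_response).decode().split("\0")
    if user not in store:
        return False
    if hashed:
        salt = store[user].split("$", 1)[0]
        candidate = hash_password(password, salt)
    else:
        candidate = password
    # The password is in hand, so the server can reproduce either stored form.
    return hmac.compare_digest(candidate.encode(), store[user].encode())


# CRAM-MD5 (RFC 2195): server sends a challenge, client answers
# "user HEX(HMAC-MD5(password, challenge))".
def cram_md5_challenge(host="mail.example.net"):
    return "<%s@%s>" % (secrets.token_hex(6), host)


def cram_md5_client_response(user, password, challenge):
    mac = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return user + " " + mac


def verify_cram_md5(challenge, response, store, hashed):
    user, mac = response.rsplit(" ", 1)
    if user not in store:
        return False
    if hashed:
        # Only a digest of the password is stored, so the server cannot recompute
        # HMAC-MD5(password, challenge). This is why a crypted column breaks the
        # shared-secret mechanisms that the SQL auxprop plugin enables.
        raise ValueError("CRAM-MD5 needs the plaintext password; store holds a one-way hash")
    expected = hmac.new(store[user].encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, mac)


def demo():
    """Run both mechanisms against both stores; returns {case: verified?}."""
    results = {}
    results["plain/plaintext"] = verify_plain(plain_client_response(USER, PASSWORD), PLAINTEXT_STORE, False)
    results["plain/hashed"] = verify_plain(plain_client_response(USER, PASSWORD), HASHED_STORE, True)
    results["plain/hashed/wrong-pw"] = verify_plain(plain_client_response(USER, "wrong"), HASHED_STORE, True)
    challenge = cram_md5_challenge()
    results["cram-md5/plaintext"] = verify_cram_md5(
        challenge, cram_md5_client_response(USER, PASSWORD, challenge), PLAINTEXT_STORE, False)
    results["cram-md5/plaintext/wrong-pw"] = verify_cram_md5(
        challenge, cram_md5_client_response(USER, "wrong", challenge), PLAINTEXT_STORE, False)
    try:
        verify_cram_md5(challenge, cram_md5_client_response(USER, PASSWORD, challenge), HASHED_STORE, True)
        results["cram-md5/hashed"] = True
    except ValueError:
        results["cram-md5/hashed"] = False
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print("%-30s %s" % (case, "verified" if ok else "cannot verify"))
```

The same split shows up when you run Cyrus SASL's sample-server and sample-client: with a crypted column, PLAIN and LOGIN may still pass while CRAM-MD5 and DIGEST-MD5 fail, which looks like a Postfix problem until you test SASL on its own as suggested above.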

Mohammad Al-Shami

Aug 19, 2005, 5:20:45 AM

Adrian Mak

Aug 19, 2005, 6:59:50 AM
> Postfix and Cyrus-SASL 2.x are two different pieces of software. You can configure
> Postfix to look up information in MySQL and leave SASL the way it was at the
> same time without any problems.

This made me a little bit confused.
Do you mean that if I put the Postfix email accounts in a backend database,
SASL is still able to authenticate those users (virtual email users)
stored in the database without SASL-SQL support?

Magnus Bäck

Aug 19, 2005, 7:13:32 AM
On Friday, August 19, 2005 at 12:59 CEST,
Adrian Mak <makka...@gmail.com> wrote:

No, he means that you don't need MySQL support in SASL just because
you have Postfix look up virtual mailboxes in MySQL. You will need a
MySQL-enabled SASL if you want to look up user credentials in MySQL.

--
Magnus Bäck
mag...@dsek.lth.se

Adrian Mak

Aug 19, 2005, 9:20:06 AM
>.......

> You will need a MySQL-enabled SASL if you want to look up user credentials
> in MySQL.

This is the point. To prevent my mail server from becoming a relay
for others sending spam mail, I configured Postfix so that only the local subnet
is allowed to send mail. Others, like remote clients, should
use SMTP authentication (SASL) to get past and be able to send email.
Please note that all email user accounts are stored in the database (this
is called a virtual user, am I right?).

So I want to ask whether, in this case, SASL without MySQL support can still
authenticate users whose account information is stored in the
database (i.e. not a physical Linux account).

Magnus Bäck

Aug 19, 2005, 9:34:45 AM
On Friday, August 19, 2005 at 15:20 CEST,
Adrian Mak <makka...@gmail.com> wrote:

> > You will need a MySQL-enabled SASL if you want to look up user
> > credentials in MySQL.
>
> This is the point. To prevent my mail server from becoming a relay
> for others sending spam mail, I configured Postfix so that only the local subnet
> is allowed to send mail. Others, like remote clients, should
> use SMTP authentication (SASL) to get past and be able to send email.
> Please note that all email user accounts are stored in the database (this
> is called a virtual user, am I right?)

In your case, yes.

> So I want to ask whether, in this case, SASL without MySQL support
> can still authenticate users whose account information is stored
> in the database (i.e. not a physical Linux account).

If you want SASL to authenticate users against a MySQL database,
i.e. user names and passwords are stored in MySQL, SASL must
be compiled with MySQL support.

--
Magnus Bäck
mag...@dsek.lth.se

Adrian Mak

Aug 20, 2005, 1:14:17 AM
>
> If you want SASL to authenticate users against a MySQL database,
> i.e. user names and passwords are stored in MySQL, SASL must
> be compiled with MySQL support.
>

While reading a Postfix installation guide on the Internet, I found
that to let SASL authenticate against a MySQL db, besides compiling
SASL to support MySQL (direct authentication), another method is to let
SASL use PAM and let PAM authenticate against a MySQL db.

You know, using PAM is far simpler as I don't need to add the MD5 patch
and recompile SASL. PAM-MySQL does support MD5.

I downloaded the pam-mysql 0.6 tarball.
I performed

./configure --with-mysql=/usr/local/mysql --with-openssl --with-sas2

During the configuration process:

checking if "/usr/local/mysql" is a mysql_config script... no
checking mysql_config availability in /usr/local/mysql/bin... yes
checking for mysql_real_query... yes
checking for mysql_real_escape_string... yes
checking for pkg-config... /usr/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
checking for openssl_CFLAGS... -I/usr/kerberos/include
checking for openssl_LIBS... -L/usr/kerberos/lib -lssl -lcrypto
-lgssapi_krb5 -lkrb5 -lcom_err -lk5crypto -lresolv -ldl -lz
checking pam_appl.h usability... yes
checking pam_appl.h presence... yes
checking for pam_appl.h... yes
checking pam_modules.h usability... yes
checking PAM_CONV_AGAIN availability... yes
checking PAM_INCOMPLETE availability... yes
checking if the second argument of pam_get_user() takes const pointer... yes
checking if the third argument of pam_get_data() takes const pointer... yes
checking if the third argument of pam_get_item() takes const pointer... yes
checking if the second argument of pam_conv.conv() takes const pointer... yes
checking if md5.h is derived from Cyrus SASL Version 1... yes
checking for crypt in -lcrypt... yes
checking for crypt... yes
configure: creating ./config.status
config.status: creating Makefile

Does it mean it can find the MySQL & SASL libraries and headers, and also that
during the make process it is linking to the MySQL libraries and database?

Then I copied pam_mysql.so to /lib/security/
I created /etc/pam.d/smtp and added two lines:

auth sufficient pam_mysql.so user=postfixuser passwd=userpostfix host=localhost db=postfix table=mailbox usercolumn=username passwdcolumn=password crypt=1
account sufficient pam_mysql.so user=postfixuser passwd=userpostfix host=localhost db=postfix table=mailbox usercolumn=username passwdcolumn=password crypt=1

I restarted saslauthd and Postfix.
I tried testsaslauthd to test whether it can authenticate a user stored in the db:
# /usr/sbin/testsaslauthd -u adri...@example.net -p secret
0: NO "authentication failed"

/var/log/messages showed

Aug 20 10:46:12 dmhy imap(pam_unix)[19757]: check pass; user unknown
Aug 20 10:46:12 dmhy imap(pam_unix)[19757]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 20 10:46:14 dmhy saslauthd[19757]: do_auth : auth failure: [user=adri...@example.net] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]


What's wrong with it ?


Unlucky, it return

Adrian Mak

Aug 21, 2005, 3:10:36 AM
I found that SASL didn't use PAM-mysql, as I didn't see any record in the MySQL log.

2005/8/20, Adrian Mak <makka...@gmail.com>:
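The log quoted two posts up already says which PAM stack was consulted: every line is tagged imap(pam_unix), and saslauthd's own line says [service=imap]. Linux-PAM reads /etc/pam.d/<service> (falling back to /etc/pam.d/other), and testsaslauthd uses the service name imap unless told otherwise with -s, so the freshly written /etc/pam.d/smtp was never read and pam_mysql never ran, which is consistent with the empty MySQL log reported above. What follows is an added example (the editor's, not code from the thread or from saslauthd) that pulls the service name out of the saslauthd failure line, parses the pam.d stacks, and reports the mismatch. The log lines are reconstructed from the post with the obfuscated address replaced by a made-up one, the smtp stack is the poster's two rules joined onto one line each, and the imap stack is an assumed distribution default that only uses pam_unix.

```python
"""Triage a saslauthd "PAM auth error": which /etc/pam.d/<service> stack did PAM read?"""
import re

# Constructed sample log, rebuilt from the lines quoted in the thread with each
# syslog record on one line and a made-up user name.
SAMPLE_LOG = """\
Aug 20 10:46:12 dmhy imap(pam_unix)[19757]: check pass; user unknown
Aug 20 10:46:12 dmhy imap(pam_unix)[19757]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Aug 20 10:46:14 dmhy saslauthd[19757]: do_auth : auth failure: [user=user@example.net] [service=imap] [realm=] [mech=pam] [reason=PAM auth error]
"""

# Constructed /etc/pam.d contents. "smtp" is the stack from the post, one rule per
# line as PAM expects; "imap" is an assumed distribution default that only knows
# pam_unix. The credentials are the placeholder values from the post.
PAM_D = {
    "smtp": (
        "auth    sufficient pam_mysql.so user=postfixuser passwd=userpostfix host=localhost "
        "db=postfix table=mailbox usercolumn=username passwdcolumn=password crypt=1\n"
        "account sufficient pam_mysql.so user=postfixuser passwd=userpostfix host=localhost "
        "db=postfix table=mailbox usercolumn=username passwdcolumn=password crypt=1\n"
    ),
    "imap": "auth    required pam_unix.so\naccount required pam_unix.so\n",
}

PAM_RULE = re.compile(
    r"^\s*(?P<type>auth|account|password|session)\s+(?P<control>\S+)\s+(?P<module>\S+)\s*(?P<args>.*)$")
SASLAUTHD_FAIL = re.compile(r"saslauthd\[\d+\]: do_auth : auth failure: (?P<fields>.*)")
# syslog prefix, then "<service>(<module>)[pid]" as Linux-PAM modules tag their messages
PAM_MODULE_LOG = re.compile(r"^\S+\s+\d+\s+\S+\s+\S+\s+(?P<service>\w+)\((?P<module>\w+)\)\[\d+\]")


def parse_pam_stack(text):
    """Return [(type, control, module, {arg: value})] for one pam.d file."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = PAM_RULE.match(line)
        if not m:
            raise ValueError("unparseable PAM rule: %r" % line)
        args = {}
        for kv in m.group("args").split():
            key, _, value = kv.partition("=")
            args[key] = value
        rules.append((m.group("type"), m.group("control"), m.group("module"), args))
    return rules


def parse_saslauthd_failure(log_text):
    """Return the [key=value] fields of the first saslauthd failure line, or None."""
    for line in log_text.splitlines():
        m = SASLAUTHD_FAIL.search(line)
        if m:
            return dict(re.findall(r"\[(\w+)=([^\]]*)\]", m.group("fields")))
    return None


def modules_seen_in_log(log_text, service):
    """PAM modules that logged under the given service name, in first-seen order."""
    seen = []
    for line in log_text.splitlines():
        m = PAM_MODULE_LOG.match(line)
        if m and m.group("service") == service and m.group("module") not in seen:
            seen.append(m.group("module"))
    return seen


def diagnose(log_text, pam_d):
    fail = parse_saslauthd_failure(log_text)
    if fail is None:
        return {"verdict": "no saslauthd failure in log"}
    service = fail["service"]
    # Linux-PAM falls back to /etc/pam.d/other when there is no file for the service.
    stack = parse_pam_stack(pam_d.get(service, pam_d.get("other", "")))
    stack_modules = [mod for _t, _c, mod, _a in stack]
    with_mysql = sorted(
        name for name, text in pam_d.items()
        if any(mod == "pam_mysql.so" for _t, _c, mod, _a in parse_pam_stack(text)))
    report = {
        "service": service,
        "mech": fail["mech"],
        "pam_file": "/etc/pam.d/" + service,
        "stack_modules": stack_modules,
        "modules_in_log": modules_seen_in_log(log_text, service),
        "pam_mysql_in_stack": "pam_mysql.so" in stack_modules,
    }
    if report["pam_mysql_in_stack"]:
        report["verdict"] = ("%s does contain pam_mysql.so; the failure is inside pam_mysql or "
                             "the database, so check the MySQL query log next" % report["pam_file"])
    elif with_mysql:
        report["verdict"] = ("PAM read %s, which has no pam_mysql.so rule; pam_mysql.so is only in "
                             "/etc/pam.d/%s. Re-run testsaslauthd with -s %s so the same service "
                             "name is used" % (report["pam_file"], ", ".join(with_mysql), with_mysql[0]))
    else:
        report["verdict"] = "no pam.d stack references pam_mysql.so at all"
    return report


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG, PAM_D).items():
        print("%-20s %s" % (key, value))
```

Once the test is run with the service name that matches the stack you wrote, the next thing to confirm is that the service name Postfix hands to saslauthd (from its smtpd.conf) is the same one, otherwise the live SMTP AUTH path lands on a different pam.d file than the test did.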
