This page shows the main elements of configuring Postfix and saslauthd to authenticate SMTP users against a MySQL database.
I think this request sparked off from Gmail having the ability to let people send emails through their own SMTP server (as opposed to Google's).
1. /etc/postfix/main.cf

    # Added to force clients to use TLS rather than sending passwords as plaintext.
    smtpd_tls_auth_only = yes

    # Usual TLS config and SMTP configs here.
    # TLS parameters
    smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
    smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
    smtpd_use_tls=yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

    # Old restrictions kept commented out; the live line adds permit_sasl_authenticated.
    #smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net

    smtpd_sasl_auth_enable = yes
    smtpd_sasl_local_domain = myserver
    broken_sasl_auth_clients = yes

2. /etc/postfix/sasl/smtpd.conf

    pwcheck_method: saslauthd
    mech_list: plain login

3. /etc/default/saslauthd

    MECHANISMS="pam"
    OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
    #OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"
    # The -r option tries to resolve a domain, e.g. username@domain.com. Without -r, just a username is required for auth.

4. /etc/pam.d/smtp

    # Only one of the lines below is required.
    # Plain-text password in the MySQL db:
    #auth required pam_mysql.so user=mail passwd=password db=mail table=smtp_users usercolumn=user passwdcolumn=pass crypt=0
    # MD5 password in the MySQL db:
    #auth required pam_mysql.so user=mail passwd=password db=mail table=smtp_users usercolumn=user passwdcolumn=pass crypt=3
    # As above with debug appended to the end; this shows extra information in /var/log/auth.log:
    auth required pam_mysql.so user=mail passwd=password db=mail table=smtp_users usercolumn=user passwdcolumn=pass crypt=3 debug
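The point of smtpd_tls_auth_only = yes above is that AUTH must not be offered until STARTTLS is up. The script below is an added example, not part of the original notes: it checks that property on two EHLO responses, which here are constructed sample data standing in for a live server (mail.example.org is a placeholder hostname).

```shell
#!/bin/sh
# Added example: verify that AUTH is withheld on the plaintext connection
# and offered after STARTTLS, as smtpd_tls_auth_only = yes should enforce.
# Both EHLO responses are constructed sample data, not captured output.

# What a correctly configured server answers to EHLO before STARTTLS
EHLO_PLAIN='250-mail.example.org
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-ENHANCEDSTATUSCODES
250 8BITMIME'

# The same server after STARTTLS: AUTH appears (twice, because
# broken_sasl_auth_clients = yes also emits the old AUTH= form)
EHLO_TLS='250-mail.example.org
250-PIPELINING
250-SIZE 10240000
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250 8BITMIME'

# advertises RESPONSE KEYWORD -> 0 if some 250 line carries KEYWORD (AUTH, STARTTLS, ...)
advertises() {
    printf '%s\n' "$1" | grep -Eq "^250[- ]$2([[:space:]=]|\$)"
}

# auth_mechs RESPONSE -> the mechanism list on the first AUTH line, e.g. "PLAIN LOGIN"
auth_mechs() {
    printf '%s\n' "$1" | sed -n 's/^250[- ]AUTH[ =]*//p' | head -n 1
}

# tls_auth_only PLAIN_RESPONSE TLS_RESPONSE -> 0 only when AUTH is absent in the
# clear, STARTTLS is offered, and AUTH shows up once TLS is negotiated
tls_auth_only() {
    if advertises "$1" AUTH; then
        return 1    # passwords would be accepted over plaintext
    fi
    advertises "$1" STARTTLS && advertises "$2" AUTH
}

# On a real host the two responses can be captured with, for example:
#   printf 'EHLO test\r\nQUIT\r\n' | nc -w 5 mail.example.org 25
#   printf 'EHLO test\r\nQUIT\r\n' | openssl s_client -quiet -starttls smtp -connect mail.example.org:25
```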
To see what was happening I had to turn on extra logging.

1. Verbose Postfix logging: edit /etc/postfix/master.cf and change

    smtp      inet  n       -       -       -       -       smtpd

to

    smtp      inet  n       -       -       -       -       smtpd -v

To see the logs, look in /var/log/mail.info.

2. Verbose MySQL logging: edit /etc/mysql/my.cnf and uncomment the following two lines:

    general_log_file = /var/log/mysql/mysql.log
    general_log = 1

To see the logs, look in /var/log/mysql/mysql.log.

3. Verbose PAM auth logging: edit /etc/pam.d/smtp and append debug to the end of the pam_mysql line:

    auth required pam_mysql.so user=mail passwd=password db=mail table=smtp_users usercolumn=user passwdcolumn=pass crypt=3 debug
I had to run a strace on saslauthd as it just was not giving me enough information.

    ps -eaf | grep sasl
    strace -p 11231

This led me to finding "/lib/security/pam_mysql.so (No such file or directory)". Voila:

    apt-get install libpam-mysql
I configured saslauthd to use sasldb first to check it worked. It involved editing /etc/default/saslauthd and changing MECHANISMS to "sasldb".
I put the password in MySQL in plain text and then used:

    auth required pam_mysql.so user=mail passwd=foo db=mail table=smtp_users usercolumn=user passwdcolumn=pass crypt=0

I created the MD5 hash of the password "123456", which is e10adc3949ba59abbe56e057f20f883e, put this in the MySQL db manually and then authed using crypt=3.
I had to go:

    adduser postfix sasl

This was to allow postfix access to sasl in the chroot.
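With crypt=3, pam_mysql compares the pass column against the plain hex MD5 of the password, with no salt, which is why the hand-made hash of "123456" above works. The script below is an added example, not part of the original notes: it reproduces that check against a constructed copy of the smtp_users table so a stored value can be verified before wiring it into saslauthd, and it counts users sharing a hash, since unsalted MD5 makes equal passwords visible to anyone who can read the table.

```shell
#!/bin/sh
# Added example: reproduce the pam_mysql crypt=3 check (pass column = hex MD5 of
# the password, unsalted) against constructed sample rows of the smtp_users table.
# The rows are sample data; a real copy would come from something like
#   mysql -N -e 'SELECT user, pass FROM smtp_users' mail
# and the values could have been stored with INSERT ... VALUES ('alice', MD5('123456')).
SMTP_USERS='alice:e10adc3949ba59abbe56e057f20f883e
bob:e10adc3949ba59abbe56e057f20f883e
carol:d8578edf8458ce06fbc5bb76a58c5ca4'

# md5_hex PASSWORD -> hex MD5 digest, the same value MySQL's MD5() produces
md5_hex() {
    printf '%s' "$1" | md5sum | cut -d ' ' -f 1
}

# stored_hash USER -> the pass column for USER, empty if no such row
stored_hash() {
    printf '%s\n' "$SMTP_USERS" | awk -F: -v u="$1" '$1 == u { print $2; exit }'
}

# check_login USER PASSWORD -> 0 when MD5(PASSWORD) equals the stored column
check_login() {
    h=$(stored_hash "$1")
    [ -n "$h" ] && [ "$h" = "$(md5_hex "$2")" ]
}

# same_hash_count HASH -> number of users whose stored hash is HASH; with no
# salt, every user with the same password shows the same value
same_hash_count() {
    printf '%s\n' "$SMTP_USERS" | awk -F: -v h="$1" '$2 == h { n++ } END { print n + 0 }'
}
```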
Do a quick test for unauthenticated relays, external relays, etc.: https://www.dnsexit.com/Direct.sv?cmd=testMailServer
Crypt Methods and PAM-MySQL usage: http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2007-March/001024.html
http://www.howtoforge.com/forums/archive/index.php/t-12797.html
http://www.rmacd.com/howto/saslauthd-postfix-debian-etch-configuration.php Suggests using /etc/postfix/sasl/smtp.conf to communicate with MySQL without sasl.
http://www.howtoforge.com/virtual_postfix_mysql_quota_courier_p2
http://osdir.com/ml/fedora-list/2009-06/msg03110.html Gives information on a testsaslauthd utility. It said "connect() : No such file or directory" to me.
http://ubuntuforums.org/showthread.php?t=1489737 Unused. Reference only.
http://www.postfix.org/SASL_README.html and http://www.greens.org/~cls/linux/howtos/smtp-auth-saslauthd.html
http://forums.fedoraforum.org/showthread.php?t=113802
http://www.howtoforge.org/forums/showthread.php?t=7201
http://www.irbs.net/internet/postfix/0508/1633.html
http://www.web-cyradm.org/pipermail/web-cyradm/2003-April/015717.html
http://www.howtoforge.com/forums/showthread.php?t=22730
The five links above give information on saslauthd in a chroot jail.
http://www.nervous.it/txt/Postfix-SMTP-AUTH-4-DUMMIES.html
http://danielmiessler.com/study/postfix/ Information on using saslauthd and sasldb with a flat file of SMTP users.
http://www.howtoforge.com/forums/archive/index.php/t-2199.html
Test all of the above again on a vanilla setup. Rinse, lather and repeat.
The MySQL Table for auth:
    root@host:~# mysql
    Welcome to the MySQL monitor.  Commands end with ; or \g.
    Your MySQL connection id is 159
    Server version: 5.1.48-1 (Debian)
    mysql> use mail
    Reading table information for completion of table and column names
    You can turn off this feature to get a quicker startup with -A

    Database changed
    mysql> desc smtp_users;
    +-------+-------------+------+-----+---------+-------+
    | Field | Type        | Null | Key | Default | Extra |
    +-------+-------------+------+-----+---------+-------+
    | user  | varchar(50) | NO   | PRI | NULL    |       |
    | pass  | varchar(32) | NO   |     | NULL    |       |
    +-------+-------------+------+-----+---------+-------+
    2 rows in set (0.00 sec)