User Tools

Site Tools



This page shows the main elements of configuring postfix and saslauth to authenticate users from a MySQL database.

I think this request sparked off from gmail having the ability to let people send emails through their own smtp server (as opposed to googles).

Main Files

1. /etc/postfix/ smtpd_tls_auth_only = yes #added to force people to use tls as opposed to sending passwords as plaintext.

########################### Usual TLS config and smtp configs here # TLS parameters smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key smtpd_use_tls=yes smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

#smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, reject_rbl_client, reject_rbl_client smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client, reject_rbl_client

smtpd_sasl_auth_enable = yes smtpd_sasl_local_domain = myserver broken_sasl_auth_clients = yes

2. /etc/postfix/sasl/smtpd.conf pwcheck_method: saslauthd mech_list: plain login

3. /etc/default/saslauthd MECHANISMS=“pam” OPTIONS=“-c -m /var/spool/postfix/var/run/saslauthd” #OPTIONS=“-c -m /var/spool/postfix/var/run/saslauthd -r” # The -r tries to resolve a domain. E.g: Without the -r, just a username is required for auth.

4. /etc/pam.d/smtp #only one of below is required. #auth required user=mail passwd=password db=mail table=smtp_users usercolumn=user passwdcolumn=pass crypt=0 #Plain text password in the MySQL db #auth required user=mail passwd=password db=mail table=smtp_users usercolumn=user passwdcolumn=pass crypt=3 #md5 password in MySQL db auth required user=mail passwd=password db=mail table=smtp_users usercolumn=user passwdcolumn=pass crypt=3 debug #append debug to end shows extra information in /var/log/auth.log

Extra Debugging

To see what was happenning I had to turn on extra logging. 1. Verbose Postfix Logging: vi /etc/postfix/ #change smtp inet n - - - - smtpd #to smtp inet n - - - - smtpd -v To see the logs, look in: /var/log/

2. Verbose MySQL Logging: vi /etc/mysql/my.cnf #uncomment the following two lines: general_log_file = /var/log/mysql/mysql.log general_log = 1 To see the logs, look in: /var/log/mysql/mysql.log

3. Verbose PAM Auth Logging: vi /etc/pam.d/smtp #auth required user=mail passwd=password db=mail table=smtp_users usercolumn=user passwdcolumn=pass crypt=3 debug #append on debug to the end.

Things I had to do

I had to run a strace on saslauthd as it just was not giving me enough information. ps -eaf | grep sasl strace -p 11231 This led me to finding “/lib/security/ (No such file or directory)” Volia. apt-get install libpam-mysql

I configured saslauth to use sasldb first to check it worked. It involved editing /etc/default/saslauth and changing mechanisms to “sasldb”.

I put the password in MySQL in plain text and then used: auth required user=mail passwd=foo db=mail table=smtp_users usercolumn=user passwdcolumn=pass crypt=0

I created the md5 hash of password “123456” which is: e10adc3949ba59abbe56e057f20f883e and put this in the mysql db manually and then authed using crypt=3

I had to go: adduser postfix sasl This was to allow postfix access to sasl in the chroot.

Do a quick test for unauthed relays and external relays etc. etc.

Useful References

Other References

To Do

Test all of the above again on a vanilla setup. Rinse lather and repeat.


The MySQL Table for auth:

root@host:~# mysql Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 159 Server version: 5.1.48-1 (Debian)

Copyright © 2000, 2010, Oracle and/or its affiliates. All rights reserved. This software comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to modify and redistribute it under the GPL v2 license

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use mail Reading table information for completion of table and column names You can turn off this feature to get a quicker startup with -A

Database changed mysql> desc smtp_users; +——-+————-+——+—–+———+——-+ | Field | Type | Null | Key | Default | Extra | +——-+————-+——+—–+———+——-+ | user | varchar(50) | NO | PRI | NULL | | | pass | varchar(32) | NO | | NULL | | +——-+————-+——+—–+———+——-+ 2 rows in set (0.00 sec)

authed_outgoing_smtp_with_postfix_and_mysql.txt · Last modified: 2022/07/19 21:13 by