Authed Outgoing SMTP with Postfix and MySQL

From Wiki

Jump to: navigation, search

This page shows the main elements of configuring postfix and saslauth to authenticate users from a MySQL database.

I think this request sparked off from gmail having the ability to let people send emails through their own smtp server (as opposed to googles).


Main Files

1. /etc/postfix/

smtpd_tls_auth_only = yes
#added to force people to use tls as opposed to sending passwords as plaintext.

########################### Usual TLS config and smtp configs here
# TLS parameters
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

#smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, reject_rbl_client, reject_rbl_client
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client, reject_rbl_client

smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = myserver
broken_sasl_auth_clients = yes

2. /etc/postfix/sasl/smtpd.conf

pwcheck_method: saslauthd
mech_list: plain login

3. /etc/default/saslauthd

OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
#OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"  # The -r tries to resolve a domain. E.g: Without the -r, just a username is required for auth.

4. /etc/pam.d/smtp

#only one of below is required.
#auth required user=mail passwd=password db=mail table=smtp_users usercolumn=user passwdcolumn=pass crypt=0  #Plain text password in the MySQL db
#auth required user=mail passwd=password db=mail table=smtp_users usercolumn=user passwdcolumn=pass crypt=3  #md5 password in MySQL db
auth required user=mail passwd=password db=mail table=smtp_users usercolumn=user passwdcolumn=pass crypt=3 debug  #append debug to end shows extra information in /var/log/auth.log

Extra Debugging

To see what was happenning I had to turn on extra logging. 1. Verbose Postfix Logging:

vi /etc/postfix/
smtp      inet  n       -       -       -       -       smtpd
smtp      inet  n       -       -       -       -       smtpd -v

To see the logs, look in: /var/log/

2. Verbose MySQL Logging:

vi /etc/mysql/my.cnf
#uncomment the following two lines:
general_log_file        = /var/log/mysql/mysql.log
general_log             = 1

To see the logs, look in: /var/log/mysql/mysql.log

3. Verbose PAM Auth Logging:

vi /etc/pam.d/smtp
#auth required user=mail passwd=password db=mail table=smtp_users usercolumn=user passwdcolumn=pass crypt=3 debug
#append on debug to the end.

Things I had to do

I had to run a strace on saslauthd as it just was not giving me enough information.

ps -eaf | grep sasl
strace -p 11231

This led me to finding "/lib/security/ (No such file or directory)" Volia.

apt-get install libpam-mysql

I configured saslauth to use sasldb first to check it worked. It involved editing /etc/default/saslauth and changing mechanisms to "sasldb".

I put the password in MySQL in plain text and then used: auth required user=mail passwd=foo db=mail table=smtp_users usercolumn=user passwdcolumn=pass crypt=0

I created the md5 hash of password "123456" which is: e10adc3949ba59abbe56e057f20f883e and put this in the mysql db manually and then authed using crypt=3

I had to go: adduser postfix sasl This was to allow postfix access to sasl in the chroot.

Do a quick test for unauthed relays and external relays etc. etc.

Useful References

Crypt Methods and PAM-MySQL usage:

Other References Suggests using /etc/postfix/sasl/smtp.conf to communicate with MySQL without sasl. Gives information on a testsaslauthd utility. It saying "connect() : No such file or directory" to me. Unused. Reference only. and and and and and Information on saslauth in a chroot jail. Information on using saslauth and sasldb for a flat file for smtp users.

To Do

Test all of the above again on a vanilla setup. Rinse lather and repeat.


The MySQL Table for auth:

root@host:~# mysql
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 159
Server version: 5.1.48-1 (Debian)

Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL v2 license

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use mail
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> desc smtp_users;
| Field | Type        | Null | Key | Default | Extra |
| user  | varchar(50) | NO   | PRI | NULL    |       |
| pass  | varchar(32) | NO   |     | NULL    |       |
2 rows in set (0.00 sec)
Personal tools