Confused about SASL+MySQL Authentication in Postfix

From: Rainer Poisel (rainer.poiselxfreaks.net)
Date: Tue Dec 02 2003 - 11:10:03 CST


Hello!

Thanks for the nice work all the programmers did on postfix! I'm very
satisfied with it.

I only have a few problems with including the SASL authentication (user IDs,
passwords, etc. in a MySQL database). I'm not using PAM for that!

The critical part from my main.cf of postfix looks like the following:

8<=====================
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = mehmed.local
broken_sasl_auth_clients = yes
smtp_sasl_password_maps = mysql:/etc/postfix/mysql_auth.conf
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,
    reject_unauth_destination
8<=====================

The /etc/postfix/mysql_auth.conf contains the following:

8<=====================
user = mail
password = password
dbname = mail
table = auth
select field = username
where_field = password
8<=====================

My auth table in the mail MySQL database looks like the following:

+------------------+----------+-------+
| username         | password | realm |
+------------------+----------+-------+
| usermehmed.local | 1234     |       |
+------------------+----------+-------+

Whenever I connect to my Postfix via KMail (Digest-MD5 encryption) I get the
following error message (directly from /var/log/syslog):

8<=====================
Dec 2 17:01:58 phylos postfix/smtpd[14488]: connect from unknown[192.168.6.96]
Dec 2 17:01:58 phylos postfix/smtpd[14488]: warning: SASL authentication failure: no secret in database
Dec 2 17:01:58 phylos postfix/smtpd[14488]: warning: unknown[192.168.6.96]: SASL DIGEST-MD5 authentication failed
Dec 2 17:02:00 phylos postfix/smtpd[14488]: disconnect from unknown[192.168.6.96]
8<=====================

So I decided to create a /usr/local/lib/sasl2/smtpd.conf file with the
following content:

8<=====================
pwcheck_method: auxprop
auxprop_plugin: mysql
allowanonymouslogin: no
allowplaintext: yes
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM
mysql_user: mail
mysql_passwd: password
mysql_hostnames: localhost
mysql_database: mail
mysql_statement: select password from auth where username='%u'
mysql_verbose: yes
8<=====================

I thought that postfix didn't parse this file, but when I changed
"mysql_verbose: yes" to "mysql_verbose:" postfix wasn't able to start "smtpd"
again:

8<=====================
Dec 2 15:01:57 phylos postfix/smtpd[13359]: fatal: SASL per-process initialization failed
Dec 2 15:01:58 phylos postfix/master[13319]: warning: process /usr/libexec/postfix/smtpd pid 13359 exit status 1
Dec 2 15:01:58 phylos postfix/master[13319]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling
8<=====================

My problem now is that I really don't know why postfix always writes the
same error message, EVEN WHEN MySQL ISN'T STARTED!!!
The only line that postfix really parses (I'm absolutely sure about that)
is:

8<=====================
smtpd_sasl_auth_enable = yes
8<=====================

I saw it in a telnet session on port 25. (auth is not enabled, bla, bla,...)

An example:

8<=====================
fileserver_eth0 root # telnet phylos 25
Trying 192.168.6.61...
Connected to phylos.
Escape character is '^]'.
220 phylos.mehmed ESMTP Postfix
ehlo phylos
250-phylos.mehmed
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-AUTH=LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250 8BITMIME
8<=====================

Finally, I wanted to give you my "configure" runs for postfix and the SASL
packages:

SASL:
8<=====================
./configure --with-mysql=/usr/ --enable-anon --enable-plain --enable-login
--enable-krb4 --with-saslauthd=/var/run/saslauthd/ --with-pam
--with-dblib=berkeley --with-bdb-libdir=/usr/local/db-4.1.25/lib/
--with-bdb-incdir=/usr/local/db-4.1.25/include/ -with-openssl=/usr/local/ssl/
--with-plugindir=/usr/local/lib/sasl2/
8<=====================

Postfix:
8<=====================
make makefiles "CCARGS=-DHAS_MYSQL -I/usr/include/mysql -DUSE_SASL_AUTH
-I/usr/local/include/sasl -I/usr/local/db-4.1.25/include"
"AUXLIBS=-L/usr/lib/mysql -lmysqlclient -lz -lm -L/usr/local/lib -lsasl2
-L/usr/local/db-4.1.25/lib"
8<=====================

I'm using Gentoo Linux 1.4rc4 with a 2.4.20 Linux kernel.

Thanks for reading!
Friendly regards,
Rainer
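Added example, not part of the original post and not Postfix or Cyrus SASL code: the "no secret in database" message above is what a challenge-response mechanism produces when the server's password lookup (Cyrus SASL calls the lookup backend an auxprop plugin) returns no row for the authenticating user. CRAM-MD5 and DIGEST-MD5 can only be verified if the server can retrieve the shared secret itself, so the lookup has to succeed on the user and realm the client actually sent. The script below implements RFC 2195 CRAM-MD5 on both sides against a constructed in-memory stand-in for the auth table, with the lookup keyed on user and realm separately, the way a statement using both %u and %r would be; the hostname, counter, timestamp, table rows and the `NoSecretInDatabase` exception are all assumptions made for this example.

```python
"""Server-side verification of a shared-secret SASL mechanism (CRAM-MD5)
with an auxprop-style table lookup.  Constructed for illustration; the
table, challenge values and exception name are assumptions, not Cyrus
SASL internals."""
import base64
import hashlib
import hmac

# Constructed stand-in for the MySQL "auth" table: one row per user and
# realm holding the CLEARTEXT password.  Challenge-response mechanisms
# cannot be checked against a one-way crypt()/SHA hash, which is the
# trade-off that makes the password store itself a sensitive asset.
AUTH_TABLE = [
    {"username": "user", "realm": "mehmed.local", "password": "1234"},
]


class NoSecretInDatabase(Exception):
    """Lookup returned no password; smtpd would log this as a SASL failure."""


def split_authcid(authcid, default_realm):
    """Split 'user@realm' into (user, realm).  A bare 'user' gets the
    server's default realm, the role smtpd_sasl_local_domain plays."""
    if "@" in authcid:
        user, realm = authcid.split("@", 1)
        return user, realm
    return authcid, default_realm


def lookup_secret(username, realm):
    """Auxprop-style lookup on BOTH user and realm (the %u / %r pair)."""
    for row in AUTH_TABLE:
        if row["username"] == username and row["realm"] == realm:
            return row["password"]
    raise NoSecretInDatabase(f"no secret in database for {username!r}@{realm!r}")


def cram_md5_server_challenge(hostname, counter, timestamp):
    """RFC 2195 challenge text '<counter.timestamp@host>' (sent base64-encoded)."""
    return f"<{counter}.{timestamp}@{hostname}>".encode()


def cram_md5_client_response(authcid, password, challenge):
    """Client side: base64('authcid ' + hex(HMAC-MD5(password, challenge)))."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{authcid} {digest}".encode()).decode()


def cram_md5_verify(response_b64, challenge, default_realm):
    """Server side: decode, look the secret up, recompute the HMAC and
    compare in constant time.  True/False for a known user; raises
    NoSecretInDatabase when the lookup finds nothing."""
    decoded = base64.b64decode(response_b64).decode()
    authcid, _, client_digest = decoded.partition(" ")
    user, realm = split_authcid(authcid, default_realm)
    secret = lookup_secret(user, realm)
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, client_digest)


def demo():
    """Exercise the three outcomes: success, wrong password, missing row."""
    challenge = cram_md5_server_challenge("phylos", 14488, 1070384518)
    results = {}
    for label, authcid, password in [
        ("good", "user@mehmed.local", "1234"),
        ("good-default-realm", "user", "1234"),
        ("bad-password", "user", "wrong"),
        ("unknown-user", "nobody", "1234"),
    ]:
        resp = cram_md5_client_response(authcid, password, challenge)
        try:
            results[label] = cram_md5_verify(resp, challenge, "mehmed.local")
        except NoSecretInDatabase as exc:
            results[label] = str(exc)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:20s} {outcome}")
```

Two points the example makes concrete for anyone debugging a setup like this: a "no secret in database" failure is a lookup problem (wrong user/realm split, wrong key column, or no row), not a wrong-password problem, so it is worth logging the exact user and realm the mechanism extracted; and because the server must hold recoverable secrets for these mechanisms, the database credentials in the SASL config and the table itself deserve the same protection as the mail passwords they unlock. Note also that in Postfix, parameters prefixed `smtpd_` govern the SMTP server and `smtp_` the SMTP client, while the auxprop lookup itself is configured in the Cyrus SASL config file rather than in main.cf.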