From: Andreas Winkelmann (ml@awinkelmann.de)
Date: Thu May 15 2008 - 14:24:23 CDT
On Thursday, 15 May 2008, Chris St Denis wrote:
> I am trying to get SASL to work authenticated to a postgresql database
> for SMTP auth with postfix. But sasl is being very uncooperative.
>
> basic system info
>
> barium# uname -mrs
> FreeBSD 7.0-RELEASE-p1 amd64
>
> cyrus-sasl version: 2.1.22
> postfix version: 2.5.1
>
> One of my biggest problems is I can't find any documentation of the
> smtpd.conf file, but from what I've pieced together from tutorials and
> such I've got this.
>
> pwcheck_method: auxprop
> auxprop_plugin: sql
> sql_engine: pgsql
> allowanonymouslogin: no
Not a Cyrus-SASL Option
> allowplaintext: yes
Not a Cyrus-SASL Option
> mech_list: LOGIN PLAIN
> password_format: plaintext
Not a Cyrus-SASL Option. Maybe implemented with a Patch?
> sql_user: mail
> sql_passwd:
> sql_hostnames: localhost
> sql_database: mail
> sql_select: SELECT pass FROM emails_view WHERE email = '%u@%r'
> log_level: 7
> sql_verbose: true
>
> If I use saslpasswd2 on an account I get "generic failure". Does
> saslpasswd2 even work on sql or is it sasldb only?
It works generally with MySQL or PostgreSQL, too. But not with your
Config-File above. To add or change Data to/in a SQL Database, normally
someone would expect UPDATE- or INSERT-Commands. I see none in your config.
The associated Cyrus-SASL Options would be "sql_insert:" or "sql_update:".
> barium# saslpasswd2 -a smtpd jeann@darkadsl.ca
> saslpasswd2: generic failure
>
> If I run "pluginviewer -a" it only lists sasldb. Shouldn't SQL be in here?
>
> barium# pluginviewer -a
> Installed auxprop mechanisms are:
> sasldb
> List of auxprop plugins follows
> Plugin "sasldb" , API version: 4
> supports store: yes
>
>
> barium# pluginviewer -s
> Installed SASL (server side) mechanisms are:
> LOGIN ANONYMOUS PLAIN GSSAPI DIGEST-MD5 CRAM-MD5 EXTERNAL
> List of server plugins follows
> Plugin "login" [loaded], API version: 4
> SASL mechanism: LOGIN, best SSF: 0, supports setpass: no
> security flags: NO_ANONYMOUS
> features:
> Plugin "anonymous" [loaded], API version: 4
> SASL mechanism: ANONYMOUS, best SSF: 0, supports setpass: no
> security flags: NO_PLAINTEXT
> features: WANT_CLIENT_FIRST
> Plugin "plain" [loaded], API version: 4
> SASL mechanism: PLAIN, best SSF: 0, supports setpass: no
> security flags: NO_ANONYMOUS
> features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
> Plugin "gssapiv2" [loaded], API version: 4
> SASL mechanism: GSSAPI, best SSF: 56, supports setpass: no
> security flags:
> NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
> features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
> Plugin "digestmd5" [loaded], API version: 4
> SASL mechanism: DIGEST-MD5, best SSF: 128, supports setpass: no
> security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
> features: PROXY_AUTHENTICATION
> Plugin "crammd5" [loaded], API version: 4
> SASL mechanism: CRAM-MD5, best SSF: 0, supports setpass: no
> security flags: NO_ANONYMOUS|NO_PLAINTEXT
> features: SERVER_FIRST
>
>
> Configure line
>
> './configure' --prefix=/usr/local '--sysconfdir=/usr/local/etc'
> '--with-configdir=/usr/local/lib/sasl2:/usr/local/etc/sasl2'
> '--with-plugindir=/usr/local/lib/sasl2'
> '--with-dbpath=/usr/local/etc/sasldb2'
> '--includedir=/usr/local/include' '--enable-static'
> '--enable-auth-sasldb' '--with-rc4=openssl'
> '--with-saslauthd=/var/run/saslauthd' '--with-dblib=berkeley'
> '--with-bdb-libdir=/usr/local/lib'
> '--with-bdb-incdir=/usr/local/include/db41' '--with-bdb=db41'
> '--enable-sql' '--without-mysql' '--with-pgsql=/usr/local'
> '--without-sqlite' '--enable-alwaystrue' '--with-authdaemond=no'
> '--enable-login' '--disable-otp' '--disable-ntlm' '--enable-gssapi'
> '--disable-krb4' '--with-openssl=yes' '--prefix=/usr/local'
> '--mandir=/usr/local/man' '--infodir=/usr/local/info/'
> 'amd64-portbld-freebsd7.0' 'CC=cc' 'CFLAGS=-O -pipe -march=nocona'
> 'CPPFLAGS=-fPIC -I/usr/local/include' 'LDFLAGS=
> -rpath=/usr/lib:/usr/local/lib -L/usr/local/lib'
> 'build_alias=amd64-portbld-freebsd7.0'
> 'host_alias=amd64-portbld-freebsd7.0'
> 'target_alias=amd64-portbld-freebsd7.0'
> --cache-file=.././config.cache --srcdir=.
>
> I don't see any errors related to sql in the configure, all I get is
>
> checking SQL... enabled
>
> And the SQL module seems to get compiled ok.
>
> if /bin/sh /usr/local/bin/libtool --mode=compile cc -DHAVE_CONFIG_H
> -I. -I. -I.. -I../include -I../lib -I../sasldb -I../include -fPIC
> -I/usr/local/include -I/usr/local/include/db41 -DKRB5_HEIMDAL
> -I/usr/local/include -Wall -W -O -pipe -march=nocona -MT sql.lo -MD
> -MP -MF ".deps/sql.Tpo" -c -o sql.lo `test -f 'sql.c' || echo
> './'`sql.c; then mv ".deps/sql.Tpo" ".deps/sql.Plo"; else rm -f
> ".deps/sql.Tpo"; exit 1; fi
> cc -DHAVE_CONFIG_H -I. -I. -I.. -I../include -I../lib -I../sasldb
> -I../include -fPIC -I/usr/local/include -I/usr/local/include/db41
> -DKRB5_HEIMDAL -I/usr/local/include -Wall -W -O -pipe -march=nocona
> -MT sql.lo -MD -MP -MF .deps/sql.Tpo -c sql.c -fPIC -DPIC -o
> .libs/sql.o
> sql.c: In function 'sql_auxprop_plug_init':
> sql.c:1077: warning: unused parameter 'plugname'
> cc -DHAVE_CONFIG_H -I. -I. -I.. -I../include -I../lib -I../sasldb
> -I../include -fPIC -I/usr/local/include -I/usr/local/include/db41
> -DKRB5_HEIMDAL -I/usr/local/include -Wall -W -O -pipe -march=nocona
> -MT sql.lo -MD -MP -MF .deps/sql.Tpo -c sql.c -o sql.o >/dev/null 2>&1
> if /bin/sh /usr/local/bin/libtool --mode=compile cc -DHAVE_CONFIG_H
> -I. -I. -I.. -I../include -I../lib -I../sasldb -I../include -fPIC
> -I/usr/local/include -I/usr/local/include/db41 -DKRB5_HEIMDAL
> -I/usr/local/include -Wall -W -O -pipe -march=nocona -MT
> sql_init.lo -MD -MP -MF ".deps/sql_init.Tpo" -c -o sql_init.lo
> `test -f 'sql_init.c' || echo './'`sql_init.c; then mv
> ".deps/sql_init.Tpo" ".deps/sql_init.Plo"; else rm -f
> ".deps/sql_init.Tpo"; exit 1; fi
> cc -DHAVE_CONFIG_H -I. -I. -I.. -I../include -I../lib -I../sasldb
> -I../include -fPIC -I/usr/local/include -I/usr/local/include/db41
> -DKRB5_HEIMDAL -I/usr/local/include -Wall -W -O -pipe -march=nocona
> -MT sql_init.lo -MD -MP -MF .deps/sql_init.Tpo -c sql_init.c -fPIC
> -DPIC -o .libs/sql_init.o
> cc -DHAVE_CONFIG_H -I. -I. -I.. -I../include -I../lib -I../sasldb
> -I../include -fPIC -I/usr/local/include -I/usr/local/include/db41
> -DKRB5_HEIMDAL -I/usr/local/include -Wall -W -O -pipe -march=nocona
> -MT sql_init.lo -MD -MP -MF .deps/sql_init.Tpo -c sql_init.c -o
> sql_init.o >/dev/null 2>&1
> /bin/sh /usr/local/bin/libtool --mode=link cc -Wall -W -O -pipe
> -march=nocona -module -export-dynamic -rpath /usr/local/lib/sasl2
> -rpath=/usr/lib:/usr/local/lib -L/usr/local/lib -o libsql.la
> -L/usr/local/lib -R/usr/local/lib -lpq -version-info 2:22:0 sql.lo
> sql_init.lo plugin_common.lo
> cc -shared .libs/sql.o .libs/sql_init.o .libs/plugin_common.o
> -Wl,--rpath -Wl,/usr/local/lib -L/usr/local/lib -lpq -march=nocona
> -Wl,-soname -Wl,libsql.so.2 -o .libs/libsql.so.2
> (cd .libs && rm -f libsql.so && ln -s libsql.so.2 libsql.so)
> (cd .libs && rm -f libsql.so && ln -s libsql.so.2 libsql.so)
> ar cru .libs/libsql.a sql.o sql_init.o plugin_common.o
> ranlib .libs/libsql.a
> creating libsql.la
> (cd .libs && rm -f libsql.la && ln -s ../libsql.la libsql.la)
> <snip>
> if cc -DHAVE_CONFIG_H -I. -I. -I.. -I../include -I../plugins
> -I../include -I../sasldb -fPIC -I/usr/local/include
> -I/usr/local/include/db41 -DKRB5_HEIMDAL -I/usr/local/include -Wall
> -W -O -pipe -march=nocona -MT sql.o -MD -MP -MF ".deps/sql.Tpo" -c
> -o sql.o `test -f
> '/usr/ports/security/cyrus-sasl2/work/cyrus-sasl-2.1.22/lib/../plugins/sql.c'
> || echo
> './'`/usr/ports/security/cyrus-sasl2/work/cyrus-sasl-2.1.22/lib/../plugins/sql.c;
> then mv ".deps/sql.Tpo" ".deps/sql.Po"; else rm -f ".deps/sql.Tpo";
> exit 1; fi
> /usr/ports/security/cyrus-sasl2/work/cyrus-sasl-2.1.22/lib/../plugins/sql.c: In function 'sql_auxprop_plug_init':
> /usr/ports/security/cyrus-sasl2/work/cyrus-sasl-2.1.22/lib/../plugins/sql.c:1077: warning: unused parameter 'plugname'
> adding static plugins and dependencies
> ar cru .libs/libsasl2.a sasldb.o db_berkeley.o allockey.o cram.o
> digestmd5.o gssapi.o plain.o anonymous.o login.o sql.o
>
> And the files are there
>
> barium# ll /usr/local/lib/sasl2/*sql*
> -rw-r--r-- 1 root wheel 28568 May 13 10:27
> /usr/local/lib/sasl2/libsql.a
> -rwxr-xr-x 1 root wheel 826 May 13 10:27
> /usr/local/lib/sasl2/libsql.la
> lrwxr-xr-x 1 root wheel 11 May 13 10:27
> /usr/local/lib/sasl2/libsql.so -> libsql.so.2
> -rwxr-xr-x 1 root wheel 27026 May 13 10:27
> /usr/local/lib/sasl2/libsql.so.2
>
>
> For some reason I get some mysql related errors in the syslog like
> these. I'm using postgresql not mysql. It's compiled --without-mysql and
> mysql isn't even installed in the server.
"mysql" is the default sql_engine if no other is specified. In your case this
means your smtpd.conf is not read. Maybe wrong Directory? Some Distributions
do a lot of Patching.
> May 13 15:05:42 barium pluginviewer: SQL engine 'mysql' not supported
> May 13 15:05:42 barium pluginviewer: auxpropfunc error no mechanism
> available
Check where your Cyrus-SASL expects the Config File. Maybe trace the
saslpasswd Binary.
> May 13 15:05:46 barium pluginviewer: SQL engine 'mysql' not supported
> May 13 15:05:46 barium pluginviewer: auxpropfunc error no mechanism
> available
> May 13 15:05:51 barium pluginviewer: SQL engine 'mysql' not supported
> May 13 15:05:51 barium pluginviewer: auxpropfunc error no mechanism
> available
> May 13 15:17:38 barium server: SQL engine 'mysql' not supported
> May 13 15:17:38 barium server: auxpropfunc error no mechanism available
>
> Other than that, I only get generic errors like
>
> May 13 15:31:07 barium postfix/smtpd[79672]: warning: SASL
> per-process initialization failed: generic failure
> May 13 15:31:07 barium postfix/smtpd[79672]: fatal: SASL per-process
> initialization failed
>
> using the client/server in "sample"
>
> Client
>
> barium# ./client -s smtpd -m LOGIN localhost
> receiving capability list... recv: {48}
> LOGIN ANONYMOUS PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
> LOGIN ANONYMOUS PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
> send: {5}
> LOGIN
> send: {1}
> N
> recv: {9}
> Username:
> please enter an authentication id: jeann@darkadsl.ca
> Password:
> send: {17}
> jeann@darkadsl.ca
> recv: {9}
> Password:
> send: {6}
> asdfgh
> authentication failed
> closing connection
>
> Server
>
> accepted new connection
> send: {48}
> LOGIN ANONYMOUS PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
> recv: {5}
> LOGIN
> recv: {1}
> N
> send: {9}
> Username:
> recv: {17}
> jeann@darkadsl.ca
> send: {9}
> Password:
> recv: {6}
> asdfgh
> performing SASL negotiation: user not foundclosing connection
--
Andreas
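
Added example, not part of the original message and not Cyrus SASL project code: a small Python lint for the three points made in the reply above (options the library does not recognise, no sql_insert/sql_update for saslpasswd2 to use, and sql_engine falling back to mysql when it is not set), plus the file paths implied by the --with-configdir value in the quoted configure line. KNOWN_OPTIONS is a partial list built from this thread, and the <dir>/<app>.conf lookup with the application name "smtpd" (from the "-a smtpd" invocation) is an assumption.

```python
# Options named in this thread plus sql_insert/sql_update (partial list, assumption).
KNOWN_OPTIONS = set("""pwcheck_method auxprop_plugin mech_list log_level
    sql_engine sql_user sql_passwd sql_hostnames sql_database sql_select
    sql_insert sql_update sql_verbose""".split())

# Constructed sample: the configuration quoted in the thread.
SAMPLE_CONF = """\
pwcheck_method: auxprop
auxprop_plugin: sql
sql_engine: pgsql
allowanonymouslogin: no
allowplaintext: yes
mech_list: LOGIN PLAIN
password_format: plaintext
sql_user: mail
sql_passwd:
sql_hostnames: localhost
sql_database: mail
sql_select: SELECT pass FROM emails_view WHERE email = '%u@%r'
log_level: 7
sql_verbose: true
"""

def candidate_paths(configdir, app):  # colon-separated --with-configdir value
    return [f"{d}/{app}.conf" for d in configdir.split(":") if d]

def parse_conf(text):
    """Parse 'key: value' lines; blank lines and '#' comments are skipped."""
    opts = {}
    for line in map(str.strip, text.splitlines()):
        key, sep, value = line.partition(":")
        if sep and not line.startswith("#"):
            opts[key.strip()] = value.strip()
    return opts

def lint(opts):
    """Return findings for the three problems raised in the thread."""
    findings = [f"unknown option: {k}" for k in opts if k not in KNOWN_OPTIONS]
    if "sql" in opts.get("auxprop_plugin", "").split():
        if not opts.get("sql_engine"):
            findings.append("sql_engine unset: defaults to mysql")
        for stmt in ("sql_insert", "sql_update"):
            if not opts.get(stmt):
                findings.append(f"{stmt} unset: saslpasswd2 has nothing to write with")
    return findings

if __name__ == "__main__":
    print(*lint(parse_conf(SAMPLE_CONF)), sep="\n")
```

If none of the paths from candidate_paths() holds the file being edited, the library never reads it, which matches the "SQL engine 'mysql' not supported" lines in the syslog excerpt.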