
[HELP] Postfix v2 + SASL2 + MySQL



He's baaack! :-)

Now that I [finally] have Courier-IMAP and Postfix playing nice, I'm a
glutton for more abuse. :-) I am continuing in my quest of setting up
the server for "Road Warrior" type of email access.

The server will host a few virtual domains. The info is kept in a
MySQL database. The user's email address is their login name plus an
assigned password. The same login pair will be used so the "road warriors"
can send email through the server using SMTP AUTH + TLS. I'm nearly there
but for some reason, I can not get SMTP AUTH working.

This is all on an up-to-date Sarge/testing box. I am using Martin
List-Petersen's "ISP Mailserver Solutions Howto"
(http://www.marlow.dk/postfix/) as a guide.

What happens is SASL is not authenticating the users. I googled for
some clues. Best I can learn is Postfix v2 + SASL2 + MySQL requires
a bit of black magic to work. There seems to be lots of conflicting
advice on what works. Postfix + SASL2 apparently no longer requires
PAM to authenticate. (For laughs I did try configuring it to use PAM,
but that didn't work either.)

I have attached a snippet from /var/log/debug showing what happens.
NOTE: I set up a dummy user with a virtual domain on the server
"example.com". The user login and password were "test@example.com"
and "testpass". But SASL apparently mungs it and feeds it to MySQL as
user "test@example.com@smtp.theshed.dhs.org", which of course, fails
to authenticate. I can't find where the "@smtp.theshed.dhs.org" is coming from.

I telnet'ed to the server port 25 to test it. I converted the string
'test@example.com\0test@example.com\0testpass' to Base64 and sent it to
the server, i.e. auth plain <base64_string>. Whereupon the server barfed
with an authentication failed error.

I've been at this all day and not making any progress. Can anyone get me
pointed in the right direction? I would really appreciate it! :-) If you
need more info to help out, let me know.

     Thanks very much!
         bob
	 
----------------------
Debian sarge packages installed (plus any of their dependencies): 
postfix-mysql
postfix-tls
libsasl2-modules
libsasl2-modules-sql

The config files:

/etc/postfix/sasl/smtp.conf contains:

pwcheck_method: auxprop
auxprop_plugin: sql
mech_list: sql plain login
sql_hostnames: 127.0.0.1
sql_user: service
sql_passwd: ******
sql_database: provider
sql_statement: SELECT clearpw FROM postfix_user WHERE email = '%u@%r'
sql_verbose: yes
# 5 for now
log_level: 5


/etc/default/saslauthd (NOTE: Searching Google brings up conflicting
instructions on what this file should have. Some comments seem to
believe that saslauthd doesn't need to be automagically started for
Postfix v2 + SASL2. Others disagree. It's confusing.):

# This needs to be uncommented before saslauthd will be run automatically
START=yes

# You must specify the authentication mechanisms you wish to use.
# This defaults to "pam" to PAM support, but may also include
# "shadow" or "sasldb", like this:
# MECHANISMS="pam shadow"

#MECHANISMS="pam"
MECHANISMS="sasldb"


And finally, /etc/postfix/main.cf:

myhostname = smtp.theshed.dhs.org
myorigin = /etc/mailname
mydomain = theshed.dhs.org
mydestination = $mydomain, $myhostname, localhost, $transport_maps
smtpd_banner = smtp.theshed.dhs.org ESMTP $mail_name (Debian/GNU). We block/report all spam
biff = no

mynetworks =
	127.0.0.0/8,
	192.168.183.1/32

append_dot_mydomain = no

# virtual domain mappings in MySQL database
#
alias_maps = mysql:/etc/postfix/mysql-aliases.cf
relocated_maps = mysql:/etc/postfix/mysql-relocated.cf
transport_maps = mysql:/etc/postfix/mysql-transport.cf
virtual_maps   = mysql:/etc/postfix/mysql-virtual.cf
local_recipient_maps = $alias_maps $virtual_mailbox_maps unix:passwd.byname

virtual_mailbox_base = /home/vmail
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-maps.cf
virtual_uid_maps = mysql:/etc/postfix/mysql-virtual-uid.cf
virtual_gid_maps = mysql:/etc/postfix/mysql-virtual-gid.cf

recipient_delimiter = +
relayhost = 
delay_warning_time = 4h

# deal with spammers and other cretins
disable_vrfy_command = yes
strict_rfc821_envelopes = yes

# spambots tarpit
smtpd_error_sleep_time = 60
smtpd_soft_error_limit = 60
smtpd_hard_error_limit = 10
default_process_limit = 3

# SASL support
#
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
unknown_local_recipient_reject_code = 550
inet_interfaces = all
smtpd_sasl_application_name = smtpd

# TLS support
#
# no TLS until SASL is working, one problem at a time :-)
smtpd_use_tls = no
#smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/postfix-key.pem
smtpd_tls_cert_file = /etc/postfix/postfix-cert.pem
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_ask_ccert = yes
smtpd_tls_loglevel = 5
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

smtpd_helo_required = yes

smtpd_helo_restrictions =
	permit_mynetworks,
	reject_invalid_hostname,
	reject_unknown_hostname

relay_domains =

smtpd_recipient_restrictions =
	permit_sasl_authenticated,
	permit_mynetworks,
	check_recipient_access mysql:/etc/postfix/mysql-recipient.cf,
	reject_rbl_client sbl.spamhaus.org,
	check_relay_domains

# Postfix v2 logs complain that "check_relay_domains" (above) will be
# removed from Postfix and to use "reject_unauth_destination" instead.
# However, searches on Google indicate this breaks SMTP AUTH and folks
# get "relay access denied" errors.

smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-sender.cf

smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-client.cf

smtpd_data_restrictions =
	reject_unauth_pipelining,
	permit

notify_classes = protocol,
	resource,
	software

# block attachments with bad filenames
header_checks = regexp:/etc/postfix/header_checks

# block body pattern to stop a specific HTML browser vulnerability exploit
body_checks = regexp:/etc/postfix/body_checks

### -- end /etc/postfix/main.cf -- ###


The result logged to /var/log/debug:

Jan 29 20:18:37 pigpen postfix/postfix-script: starting the Postfix mail system
Jan 29 20:18:37 pigpen postfix/master[22499]: daemon started -- version 2.1.5
Jan 29 20:18:53 pigpen postfix/smtpd[22508]: sql auxprop plugin using mysql engine 
Jan 29 20:18:53 pigpen postfix/smtpd[22508]: connect from web1.elbnet.com[65.209.12.165]
Jan 29 20:20:18 pigpen postfix/smtpd[22508]: sql plugin Parse the username test@example.com@smtp.theshed.dhs.org 
Jan 29 20:20:18 pigpen postfix/smtpd[22508]: sql plugin try and connect to a host 
Jan 29 20:20:18 pigpen postfix/smtpd[22508]: sql plugin trying to open db 'provider' on host '127.0.0.1' 
Jan 29 20:20:18 pigpen postfix/smtpd[22508]: sql plugin Parse the username test@example.com@smtp.theshed.dhs.org 
Jan 29 20:20:18 pigpen postfix/smtpd[22508]: sql plugin try and connect to a host 
Jan 29 20:20:18 pigpen postfix/smtpd[22508]: sql plugin trying to open db 'provider' on host '127.0.0.1' 
Jan 29 20:20:18 pigpen postfix/smtpd[22508]: begin transaction
Jan 29 20:20:18 pigpen postfix/smtpd[22508]: sql plugin create statement from userPassword test.example.com smtp.theshed.dhs.org 
Jan 29 20:20:18 pigpen postfix/smtpd[22508]: sql plugin doing query SELECT clearpw FROM postfix_users where email = 'test@example.com@smtp.theshed.dhs.org'; 
Jan 29 20:20:18 pigpen postfix/smtpd[22508]: sql plugin: no result found
Jan 29 20:20:18 pigpen postfix/smtpd[22508]: sql plugin create statement from cmusaslsecretPLAIN test.example.com smtp.theshed.dhs.org 
Jan 29 20:20:18 pigpen postfix/smtpd[22508]: sql plugin doing query SELECT clearpw FROM postfix_users where email = 'test@example.com@smtp.theshed.dhs.org'; 
Jan 29 20:20:18 pigpen postfix/smtpd[22508]: sql plugin: no result found
Jan 29 20:20:18 pigpen postfix/smtpd[22508]: commit transaction
Jan 29 20:20:18 pigpen postfix/smtpd[22508]: sql plugin Parse the username test@smtp.theshed.dhs.org 
Jan 29 20:20:18 pigpen postfix/smtpd[22508]: sql plugin try and connect to a host 
Jan 29 20:20:18 pigpen postfix/smtpd[22508]: sql plugin trying to open db 'provider' on host '127.0.0.1' 
Jan 29 20:20:18 pigpen postfix/smtpd[22508]: warning: SASL authentication failure: Password verification failed
Jan 29 20:20:18 pigpen postfix/smtpd[22508]: warning: web1.elbnet.com[65.209.12.165]: SASL plain authentication failed

-- 
  bob billson        email: reb@nodot.org              ham: kc2wz   /)
                            reb@elbnet.com             beekeeper -8|||}
                    registered Linux user #61900       Linux geek   \)
  Nollaig Beannaithe agus Athbhliain faoi mhaise duit!
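An added example, my own and not from the post, Postfix or Cyrus SASL, covering two things above: the base64 string the telnet AUTH PLAIN test sends (RFC 4616 layout, authzid NUL authcid NUL password) and what the posted smtp.conf sql_statement expands to once the plugin substitutes %u (user) and %r (realm). Assumptions: the realm is the value Postfix passes from smtpd_sasl_local_domain, here $myhostname, which is the string the log shows appended; the postfix_user table is a constructed in-memory stand-in; the quote escaping and the toy query executor only approximate the plugin's mysql engine. The second template, with the realm left out, is there only to make the lookup difference visible, not as a verified fix.

```python
import base64
import hmac
import re

# Constructed stand-in for the poster's postfix_user table (email -> clearpw).
POSTFIX_USER = {
    "test@example.com": "testpass",
}

# sql_statement from the posted /etc/postfix/sasl/smtp.conf, and the realm
# Postfix hands to SASL (smtpd_sasl_local_domain = $myhostname in main.cf).
POSTED_STATEMENT = "SELECT clearpw FROM postfix_user WHERE email = '%u@%r'"
POSTED_REALM = "smtp.theshed.dhs.org"
# Hypothetical comparison template: same query with the realm left out.
REALMLESS_STATEMENT = "SELECT clearpw FROM postfix_user WHERE email = '%u'"


def plain_token(authzid, authcid, password):
    """Build the base64 argument of 'AUTH PLAIN' (RFC 4616: authzid NUL authcid NUL passwd)."""
    for field in (authzid, authcid, password):
        if "\0" in field:
            raise ValueError("PLAIN fields must not contain NUL")
    msg = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(msg).decode("ascii")


def parse_plain_token(token):
    """Decode an 'AUTH PLAIN' argument back into (authzid, authcid, password)."""
    raw = base64.b64decode(token, validate=True)
    parts = raw.split(b"\0")
    if len(parts) != 3:
        raise ValueError("PLAIN message must have exactly three NUL-separated fields")
    return tuple(p.decode("utf-8") for p in parts)


def _sql_escape(value):
    # Simplified stand-in for the backslash escaping the plugin's mysql engine applies.
    return value.replace("\\", "\\\\").replace("'", "\\'")


def expand_sql_statement(template, user, realm, prop="userPassword"):
    """Expand the %u (user), %r (realm) and %p (property) placeholders of a sql_statement."""
    subst = {"u": _sql_escape(user), "r": _sql_escape(realm), "p": _sql_escape(prop), "%": "%"}
    return re.sub(r"%([urp%])", lambda m: subst[m.group(1)], template)


# Toy executor: understands only the one query shape used in this example.
_QUERY_RE = re.compile(r"^SELECT clearpw FROM postfix_user WHERE email = '((?:[^'\\]|\\.)*)'$")


def run_query(sql, table=POSTFIX_USER):
    """Return the clearpw rows the constructed table yields for an expanded query."""
    m = _QUERY_RE.match(sql)
    if not m:
        raise ValueError("unsupported query: " + sql)
    email = re.sub(r"\\(.)", r"\1", m.group(1))  # undo _sql_escape
    return [table[email]] if email in table else []


def lookup_password(template, user, realm, table=POSTFIX_USER):
    """The clearpw an auxprop lookup would fetch for this user/realm, or None."""
    rows = run_query(expand_sql_statement(template, user, realm), table)
    return rows[0] if rows else None


def verify_plain(token, template, realm, table=POSTFIX_USER):
    """Check an AUTH PLAIN token as an auxprop lookup would: fetch clearpw for the
    authentication id, then compare in constant time. Returns (ok, query)."""
    _authzid, authcid, password = parse_plain_token(token)
    query = expand_sql_statement(template, authcid, realm)
    rows = run_query(query, table)
    ok = bool(rows) and hmac.compare_digest(rows[0].encode("utf-8"), password.encode("utf-8"))
    return ok, query


if __name__ == "__main__":
    # Same login pair as the poster's telnet test.
    token = plain_token("test@example.com", "test@example.com", "testpass")
    print("AUTH PLAIN", token)
    for template in (POSTED_STATEMENT, REALMLESS_STATEMENT):
        ok, query = verify_plain(token, template, POSTED_REALM)
        print("OK " if ok else "NO ", query)
```

Run it and compare the first printed query with the "sql plugin doing query" line in the log: the literal inside the quotes is the %u@%r expansion, so the row keyed by the bare address is never consulted with that template.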