
I am building a mail server using Postfix, and set up the authentication to check against a database set-up using Postfixadmin.

I can authenticate via Courier IMAP okay, as it can authenticate against the hashed password properly, but I suspect that my SASL + PAM-MySQL SMTP authentication mechanism cannot.

I am getting these errors in /var/log/mail.log:

pam_unix(smtp:auth): check pass; user unknown
Aug 22 03:23:08 omitted saslauthd[26402]: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= 
Aug 22 03:23:10 omitted saslauthd[26402]: DEBUG: auth_pam: pam_authenticate failed: Authentication failure
Aug 22 03:23:10 omitted saslauthd[26402]: do_auth         : auth failure: [user=user@domain.com] [service=smtp] [realm=domain.com] [mech=pam] [reason=PAM auth error]

Here are the contents of /etc/pam.d/smtp:

auth required pam_mysql.so user=postfixadmin passwd=omitted host=127.0.0.1 db=postfixadmin table=mailbox usercolumn=username passwdcolumn=password crypt=2
account sufficient pam_mysql.so user=postfixadmin passwd=omitted host=127.0.0.1 db=postfixadmin table=mailbox usercolumn=username passwdcolumn=password crypt=2

Here is the relevant snippet for password encryption from /etc/postfixadmin/config.inc.php:

// Encrypt
// In what way do you want the passwords to be crypted?
// md5crypt = internal postfix admin md5
// md5 = md5 sum of the password
// system = whatever you have set as your PHP system default
// cleartext = clear text passwords (ouch!)
// mysql_encrypt = useful for PAM integration
// authlib = support for courier-authlib style passwords
// dovecot:CRYPT-METHOD = use dovecotpw -s 'CRYPT-METHOD'. Example: dovecot:CRAM-MD5
$CONF['encrypt'] = 'mysql_encrypt';

And here is the content of my /etc/postfix/sasl/smtp.conf:

pwcheck_method: saslauthd
mech_list: plain login
log_level: 7
allow_plaintext: true
auxprop_plugin: sql
sql_engine: mysql
sql_hostnames: 127.0.0.1
sql_user: postfixadmin
sql_passwd: omitted
sql_database: postfixadmin
sql_select: select password from mailbox where username='%u@%r'

I tried using an MD5 hash but Courier would fail. So that's out of the window...

Bez Hermoso
  • I use these scripts to [check the authentication methods imap, pop and smtp](https://github.com/gabrielperezs/Authentications-tools-for-mail-servers). maybe helps you find the problem. – Gabriel Pérez S. May 04 '14 at 12:12
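Added example, not part of the question or of Postfixadmin or pam_mysql: a small audit script that looks at what is actually stored in the mailbox.password column and reports whether it is in the format the crypt= option in /etc/pam.d/smtp expects. The mode numbers follow the pam_mysql README as I read it (crypt=0 plaintext, crypt=1 crypt(3), crypt=2 MySQL PASSWORD(), crypt=3 hex MD5, crypt=4 hex SHA1); Postfixadmin's mysql_encrypt mode stores MySQL ENCRYPT() output, which is crypt(3) text. The mailbox rows below are constructed, and the classifier is a shape heuristic (a 13-character alphanumeric plaintext password would look like DES crypt).

```python
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# Password formats selected by pam_mysql's crypt= option (per the pam_mysql README):
#   crypt=0 plaintext, crypt=1 crypt(3) (what MySQL ENCRYPT() produces),
#   crypt=2 MySQL PASSWORD(), crypt=3 hex MD5, crypt=4 hex SHA1.
PAM_MYSQL_CRYPT: Dict[int, str] = {
    0: "plain", 1: "crypt", 2: "mysql_password", 3: "md5", 4: "sha1"}


def mysql_password(password: str) -> str:
    """MySQL 4.1+ PASSWORD(): '*' followed by uppercase hex SHA1(SHA1(pw))."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def classify_hash(stored: str) -> str:
    """Guess the storage format of one mailbox.password value from its shape."""
    if re.fullmatch(r"\*[0-9A-F]{40}", stored):
        return "mysql_password"
    if re.fullmatch(r"[0-9a-f]{32}", stored):
        return "md5"
    if re.fullmatch(r"[0-9a-f]{40}", stored):
        return "sha1"
    # Traditional 13-char DES crypt, or the $id$salt$hash modular-crypt forms.
    if (re.fullmatch(r"[./0-9A-Za-z]{13}", stored)
            or re.fullmatch(r"\$(1|5|6|2[abxy]?)\$.+", stored)):
        return "crypt"
    if stored.startswith("{"):
        # {MD5}, {CRAM-MD5}, ... are dovecot/courier-authlib schemes, not a pam_mysql mode.
        return "scheme_prefixed"
    return "plain"


def verify(stored: str, candidate: str) -> Optional[bool]:
    """Check candidate against stored; None means crypt(3) is needed but unavailable here."""
    fmt = classify_hash(stored)
    if fmt == "plain":
        return stored == candidate
    if fmt == "md5":
        return hashlib.md5(candidate.encode("utf-8")).hexdigest() == stored
    if fmt == "sha1":
        return hashlib.sha1(candidate.encode("utf-8")).hexdigest() == stored
    if fmt == "mysql_password":
        return mysql_password(candidate) == stored
    if fmt == "crypt":
        try:
            import crypt  # POSIX only; removed from the standard library in Python 3.13
        except ImportError:
            return None
        return crypt.crypt(candidate, stored) == stored
    return None


def audit_rows(rows: List[Tuple[str, str]], crypt_setting: int) -> List[Tuple[str, str, bool]]:
    """For each (username, password) row report the detected format and whether it is
    the one pam_mysql will compare against under the given crypt= setting."""
    expected = PAM_MYSQL_CRYPT[crypt_setting]
    report = []
    for username, stored in rows:
        detected = classify_hash(stored)
        report.append((username, detected, detected == expected))
    return report


# Constructed sample of what a mailbox table might hold after mixed Postfixadmin settings.
SAMPLE_ROWS: List[Tuple[str, str]] = [
    ("alice@example.com", mysql_password("password")),           # PASSWORD() output -> crypt=2
    ("bob@example.com", "$1$saltsalt$" + "x" * 22),              # md5crypt-shaped value -> crypt=1
    ("carol@example.com", "5f4dcc3b5aa765d61d8327deb882cf99"),  # hex MD5 of "password" -> crypt=3
]

if __name__ == "__main__":
    for username, detected, ok in audit_rows(SAMPLE_ROWS, 2):
        print(f"{username:20} stored as {detected:15} matches crypt=2: {ok}")
```

Run it against a dump of `SELECT username, password FROM mailbox` instead of SAMPLE_ROWS; every row whose third column is False will fail PAM authentication regardless of what the client sends, which is what the "check pass; user unknown" / "PAM auth error" lines above look like from the outside.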

1 Answer


I have exactly the same config as you (Postfix + Cyrus SASL using saslauthd + PAM), and I also spent hours configuring it. But now it works perfectly.

In my case, I have the same settings as you in /etc/pam.d/smtp but not in /etc/postfix/sasl/smtp.conf.

It seems you are mixing use of SQL Cyrus plugin (auxprop_plugin: sql) with saslauthd and PAM mysql.

Postfix documentation says that if you want to store encrypted passwords (which seems to be the case since you set up "crypt=2" in the PAM configuration), then you CANNOT use the Cyrus SASL sql plugin.

You can try using PAM only. For this, you only need the following in /etc/postfix/sasl/smtp.conf

pwcheck_method: saslauthd
mech_list: login plain
log_level: 4

You don't need any database / password configuration in this file, since PAM already knows everything!

Also check /etc/default/saslauthd, I have the following:

START=yes
DESC="SASL Authentication Daemon"
NAME="saslauthd"
MECHANISMS="pam"
MECH_OPTIONS=""
THREADS=1
OPTIONS="-c -r -m /var/spool/postfix/var/run/saslauthd"

Check that you chose pam in the MECHANISMS variable, and check the flags in the OPTIONS variable. Normally, you should have more than 1 in the THREADS variable. You can leave it like this. You don't need to set "1" like me.

EDIT: it seems I answered a very old question! It doesn't matter, this will be referenced by Google and may be useful to anyone setting up SASL with PAM.

Fox
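Added example, not part of the answer above and not Postfix or Cyrus SASL code: both sides of the PLAIN and LOGIN exchange that `mech_list: login plain` enables, the way the login name reaches PAM once saslauthd is the only password checker, and a live probe built on the standard library's smtplib. The model of the `-r` flag (Cyrus SASL splits `user@realm`, saslauthd `-r` re-joins them before calling PAM) is my reading of the saslauthd man page and of the `[user=user@domain.com] [realm=domain.com]` log line in the question; the credentials below are constructed.

```python
import base64
import smtplib
import sys
from typing import Tuple


def plain_token(authcid: str, password: str, authzid: str = "") -> str:
    """Client side of AUTH PLAIN (RFC 4616): base64(authzid NUL authcid NUL password)."""
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def login_tokens(authcid: str, password: str) -> Tuple[str, str]:
    """Client side of AUTH LOGIN: username and password as two separate base64 lines."""
    return (base64.b64encode(authcid.encode("utf-8")).decode("ascii"),
            base64.b64encode(password.encode("utf-8")).decode("ascii"))


def parse_plain(token: str) -> Tuple[str, str, str]:
    """Server side of AUTH PLAIN: recover (authzid, authcid, password) or reject."""
    parts = base64.b64decode(token, validate=True).split(b"\0")
    if len(parts) != 3:
        raise ValueError("malformed AUTH PLAIN token")
    authzid, authcid, password = (p.decode("utf-8") for p in parts)
    return authzid, authcid, password


def saslauthd_login(authcid: str, combine_realm: bool) -> Tuple[str, str]:
    """Model (assumption, see lead-in) of the login name handed to PAM.
    Cyrus SASL splits 'user@realm'; with OPTIONS containing -r, saslauthd
    re-joins them so PAM sees 'user@realm' and can match a username column
    that stores full addresses; without -r PAM only sees the local part."""
    if "@" in authcid:
        user, realm = authcid.rsplit("@", 1)
    else:
        user, realm = authcid, ""
    if combine_realm and realm:
        return f"{user}@{realm}", realm
    return user, realm


def failure_log_line(user: str, realm: str, reason: str,
                     service: str = "smtp", mech: str = "pam") -> str:
    """Same shape as the do_auth failure line in the question's mail.log."""
    return (f"do_auth         : auth failure: [user={user}] [service={service}] "
            f"[realm={realm}] [mech={mech}] [reason={reason}]")


def smtp_auth_probe(host: str, authcid: str, password: str, port: int = 25) -> Tuple[int, bytes]:
    """Live check against a real server (not exercised offline):
    EHLO, STARTTLS when offered, then AUTH via smtplib's PLAIN/LOGIN support."""
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.ehlo()
        if smtp.has_extn("starttls"):
            smtp.starttls()
            smtp.ehlo()
        return smtp.login(authcid, password)


if __name__ == "__main__" and len(sys.argv) == 4:
    host, user, pw = sys.argv[1:4]
    print("client would send: AUTH PLAIN", plain_token(user, pw))
    print("PAM sees (with -r):", saslauthd_login(user, True)[0])
    try:
        print("AUTH accepted:", smtp_auth_probe(host, user, pw))
    except smtplib.SMTPAuthenticationError as exc:
        print("AUTH rejected:", exc.smtp_code, exc.smtp_error)
```

Run it as `python3 probe.py mail.example.com user@domain.com secret` next to `tail -f /var/log/mail.log`: the AUTH PLAIN token it prints is what Postfix decodes, the "PAM sees" line is what should appear in the `[user=...]` field, and a rejection here paired with a `[mech=pam] [reason=PAM auth error]` line confirms the failure is in the PAM module, not in the SASL layer.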