# [SOLVED]Postfix problem with SASL and MySQL

## linuxpyro

I am having problems getting Postfix and SASL to do SMTP auth against a MySQL database.  Right now I'm following a howto on the wiki using postfixadmin: http://gentoo-wiki.com/HOWTO_Setup_a_Virtual_Postfix/Courier_Mail_System_with_PostfixAdmin  My problem is that I can't get my user in the database to authenticate.  I get errors like the following:

```
Jan  7 21:18:00 clamato postfix/smtpd[7191]: warning: SASL authentication failure: could not verify password
Jan  7 21:18:00 clamato postfix/smtpd[7191]: warning: client.host.name[x.x.x.x]: SASL LOGIN authentication failed: generic failure
Jan  7 21:18:03 clamato postfix/smtpd[7191]: warning: SASL authentication failure: could not verify password
Jan  7 21:18:03 clamato postfix/smtpd[7191]: warning: SASL authentication failure: Password verification failed
```

(Note that the client.host.name and x.x.x.x parts correspond to the machine I was using a mail client on.)

Right now I'm trying to get SASL to authenticate to authdaemond.  Here is my /etc/conf.d/saslauthd:

```
SASLAUTH_MECH=shadow
SASL_RIMAP_HOSTNAME=""
SASL_TIME_OF_DAY_LOGIN_RESTRICTIONS=yes
SASLAUTHD_OPTS="${SASLAUTH_MECH} -a rimap -r"
SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -O localhost"
```

Here is my /etc/courier/authlib/authmysqlrc:

```
#DEFAULT_DOMAIN         domain.tld
#MYSQL_CRYPT_PWFIELD     password
MYSQL_CLEAR_PWFIELD     clear
MYSQL_DATABASE          postfix
MYSQL_GID_FIELD         '207'
MYSQL_HOME_FIELD        '/var/vmail'
MYSQL_LOGIN_FIELD       username
MYSQL_MAILDIR_FIELD     maildir
MYSQL_NAME_FIELD        name
MYSQL_OPT               0
MYSQL_PASSWORD          mydbpass
# Uncomment below if you want quota support.
#MYSQL_QUOTA_FIELD      quota
MYSQL_SERVER            localhost
MYSQL_UID_FIELD         '207'
MYSQL_USERNAME          postfix
MYSQL_USER_TABLE        mailbox
#MYSQL_WHERE_CLAUSE     server='example.domain.com'
```

And here is my /usr/lib/sasl2/smtpd.conf:

```
pwcheck_method: authdaemond
mech_list: PLAIN LOGIN
authdaemond_path:/var/lib/courier/authdaemon/socket
```

(/etc/sasl2/smtpd.conf is identical)

I've been restarting postfix, courier-authlib, and saslauthd after editing these files, so they all should be running.  Anyone have any ideas?  I've searched the forums a lot but to no avail...

*Last edited by linuxpyro on Fri Jan 11, 2008 8:34 pm; edited 1 time in total*

----------

## Ateo

I just recently had the same fight. I won.

Perhaps this thread might assist you: https://forums.gentoo.org/viewtopic-t-623999.html

If you need/want my sasl configs, let me know. I'll post them.

----------

## linuxpyro

*Ateo wrote:*

> If you need/want my sasl configs, let me know. I'll post them.

That would be helpful.

----------

## Ateo

Rebuild Cyrus with the following flags:

```
dev-libs/cyrus-sasl-2.1.22-r2  USE="-authdaemond berkdb crypt -gdbm -java -kerberos -ldap mysql -ntlm_unsupported_patch pam -postgres -sample -srp ssl urandom"
```

Next, set your init options to only pam.

```
# Initial (empty) options.
SASLAUTHD_OPTS=""
SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -a pam"
```

Edit your service making sure you implement the correct password type:

```
log_level: 1
pwcheck_method: auxprop
auxprop_plugin: sql
mech_list: PLAIN LOGIN
allowanonymouslogin: no
allowplaintext: yes
srp_mda: md5
srvtab: /dev/null
opiekeys: /dev/null

# Clear text passwords
#password_format: clear
# md5 or blowfish crypt
password_format: crypt
# standard or extended DES
#password_format: crypt_trad

sql_engine: mysql
sql_hostnames: 127.0.0.1
sql_user: _DB_USER_
sql_passwd: _DB_PASSWORD_
sql_database: _DB_
sql_select: SELECT password FROM _TABLE_ WHERE pobox = '%u@%r' LIMIT 1
sql_usessl: no
sql_verbose: no
```

If you are using Postfix, you need to edit main.cf and add your SASL mech:

```
#
# SASL support (authentication)
#
smtpd_sasl_path = smtpd
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
smtp_sasl_mechanism_filter = plain, login
```

Also add permit_sasl_authenticated to your smtpd_x_restrictions (5 of them). It should be added as the first check under each restriction method.

That should do it.

Good luck and let me know if you need anything else.... =)

----------

## linuxpyro

OK, I made the changes, but I'm still not able to authenticate.  I found this, which I think is the problem, from the logs:

```
Jan  8 13:05:09 clamato postfix/smtpd[995]: sql plugin doing query SELECT password FROM mailbox WHERE username = 'jsmith@mail.myrealdomain.com' LIMIT 1;
Jan  8 13:05:09 clamato postfix/smtpd[995]: sql plugin: no result found
Jan  8 13:05:09 clamato postfix/smtpd[995]: sql plugin create statement from cmusaslsecretPLAIN jsmith mail.whatsmykarma.com
```

Note that myrealdomain.com is the actual domain name I have set up Postfix for (mail is just the hostname I'm using here).  I'm using a virtual domain, virtualdomain.com, with which the user jsmith has an account.  In my mailbox table in the database, the username is listed as jsmith@virtualdomain.com, but it would seem for some reason that Postfix thinks the domain is mail.mydomain.com.  I think that the `smtpd_sasl_local_domain =` line is supposed to take care of this, but it doesn't seem to, even though I have it in main.cf.

----------

## Ateo

I notice you're using ssl/tls.. Can you try to authenticate using plain ol smtp on 25? That probably won't help but you eliminate one point of failure that isn't needed during sasl testing...

What is your output of 'postconf -n |grep sasl'?

----------

## kashani

Do you have your mail client properly configured to send your email address as the username for sasl? It might be set to use the first part and something is adding in the hostname along the way.

kashani

----------

## linuxpyro

OK, I think I've had partial success here.  Turns out all I had to do was add the @virtualdomain.com to the end of the virtual username when configuring Thunderbird for the account.

But I seem to have another issue.  I've got a user for the machine's real domain (i.e., a non-virtual user) which now won't authenticate at all, whether I stick the domain name in or not.  It would seem that Postfix is only checking MySQL for authentication now:

```
Jan 10 17:18:50 clamato postfix/smtpd[15402]: sql plugin Parse the username ben
Jan 10 17:18:50 clamato postfix/smtpd[15402]: sql plugin try and connect to a host
Jan 10 17:18:50 clamato postfix/smtpd[15402]: sql plugin trying to open db 'postfix' on host '127.0.0.1'
Jan 10 17:18:50 clamato postfix/smtpd[15402]: warning: SASL authentication failure: Password verification failed
Jan 10 17:18:50 clamato postfix/smtpd[15402]: warning: remotehost.domain.tld[x.x.x.x]: SASL PLAIN authentication failed: authentication failure
```

I tried connecting both with and without TLS, but the result is the same: the system user can't authenticate, while the virtual user can.  Can I get postfix to check pam also?

----------

## kashani

I'm not sure how to do it the way you've got it set up, but going back to the original how-to it's easy.

Recompile sasl to use authdaemon and revert the config files. However this time follow the how-to and set MYSQL_CRYPT_PWFIELD instead of clear and everything should work correctly. PostfixAdmin always uses crypted passwords and that is why moving to the other config worked as well.

Also make sure that this file /etc/courier/authlib/authdaemonrc has this line in it or it won't check pam after Mysql fails:

```
authmodulelist="authmysql authpam"
```

kashani

----------
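The two failure modes in this thread, the realm mismatch visible in linuxpyro's `sql plugin doing query` log line (the client sent a bare `jsmith`, so the realm was filled in from the hostname and the `%u@%r` lookup found no row) and the authmysql-then-authpam fallback kashani describes, as a runnable model. This is an added example, not code from the thread, Cyrus SASL, Courier or PostfixAdmin. The default realm, the mailbox rows, the system-user map and the module semantics (a module that does not know the login passes it on; a module that knows it gives the final verdict) are assumptions built to mirror the log lines; real deployments store crypt() hashes in the password column, which this model replaces with plain strings to stay self-contained.

```python
import hmac
import sqlite3

# Assumed stand-in for Postfix's $myhostname, which becomes the SASL realm
# when smtpd_sasl_local_domain is empty (constructed value).
DEFAULT_REALM = "mail.myrealdomain.com"

# Constructed sample rows for the PostfixAdmin 'mailbox' table. Real
# deployments store crypt() hashes here (MYSQL_CRYPT_PWFIELD); plain strings
# keep this model self-contained.
SAMPLE_MAILBOXES = [
    ("jsmith@virtualdomain.com", "vpass"),
]

# Constructed stand-in for the system accounts authpam would consult.
SYSTEM_USERS = {"ben": "benpass"}


def build_sample_db():
    """Create an in-memory SQLite copy of the mailbox table the query hits."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mailbox (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO mailbox VALUES (?, ?)", SAMPLE_MAILBOXES)
    return conn


def split_user_realm(login, default_realm=DEFAULT_REALM):
    """Split 'user@realm' into its parts; a bare login gets the default realm.

    This is the step that produced 'jsmith@mail.myrealdomain.com' in the log:
    the client sent only 'jsmith', so the realm came from the hostname.
    """
    if "@" in login:
        user, realm = login.rsplit("@", 1)
        return user, realm
    return login, default_realm


def mailbox_lookup(conn, login, default_realm=DEFAULT_REALM):
    """Model of sql_select with '%u@%r': return the stored password or None."""
    user, realm = split_user_realm(login, default_realm)
    row = conn.execute(
        "SELECT password FROM mailbox WHERE username = ? LIMIT 1",
        (f"{user}@{realm}",),
    ).fetchone()
    return row[0] if row else None


def pam_lookup(login):
    """Model of authpam: only bare system account names exist here."""
    return SYSTEM_USERS.get(login)


def authenticate(conn, login, password, modules=("authmysql", "authpam")):
    """Model of courier authdaemon's authmodulelist (assumed semantics).

    Modules are tried in order; a module that does not know the login passes
    it on, a module that knows it gives the final verdict. Returns the name
    of the module that accepted the credentials, or None.
    """
    lookups = {
        "authmysql": lambda: mailbox_lookup(conn, login),
        "authpam": lambda: pam_lookup(login),
    }
    for module in modules:
        stored = lookups[module]()
        if stored is None:
            continue  # unknown to this module: fall through to the next one
        # Constant-time comparison; with crypt hashes this step would compare
        # crypt(password, stored) against stored instead.
        return module if hmac.compare_digest(stored, password) else None
    return None


if __name__ == "__main__":
    db = build_sample_db()
    for login in ("jsmith", "jsmith@virtualdomain.com", "ben"):
        user, realm = split_user_realm(login)
        print(f"{login!r:28} -> lookup {user}@{realm}: {mailbox_lookup(db, login)!r}")
    print("authmysql+authpam for ben:", authenticate(db, "ben", "benpass"))
    print("authmysql only for ben:   ", authenticate(db, "ben", "benpass", modules=("authmysql",)))
```

Running it shows why the fix was to put the full `user@domain` in Thunderbird (the realm then comes from the login rather than the hostname) and why the system account only authenticates once authpam follows authmysql in the module list.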

## linuxpyro

Okay, I think I have everything working; I can now auth from both MySQL and PAM.  So that perhaps someone else can avoid the crap I've gone through, here are some of the changes:

For /etc/conf.d/saslauthd, I have this:

```
SASLAUTHD_OPTS="${SASLAUTH_MECH} -a rimap -r"
SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -O localhost"
```

In /etc/sasl2/smtpd.conf:

```
pwcheck_method: authdaemond
```

From then on I just followed the Postfixadmin how-to.

Thanks guys for helping, it was greatly appreciated!

----------

