# [Problem] SASL Auth / Virtual Mailhosting

## blacksheep2

Hi!

I've followed the documentation for virtual mailhosting at http://www.gentoo.org/doc/de/virt-mail-howto.xml

The installation worked fine, but now I can't authenticate (the MySQL tables seem OK)!

```
 Jun 13 01:29:11 waterfall postfix/smtpd[7869]: < adsl-202-163-fixip.tiscali.ch[212.254.202.163]: AUTH LOGIN

Jun 13 01:29:11 waterfall postfix/smtpd[7869]: smtpd_sasl_authenticate: sasl_method LOGIN

Jun 13 01:29:11 waterfall postfix/smtpd[7869]: smtpd_sasl_authenticate: uncoded challenge: Username:

Jun 13 01:29:11 waterfall postfix/smtpd[7869]: > adsl-202-163-fixip.tiscali.ch[212.254.202.163]: 334 VXNlcm5hbWU6

Jun 13 01:29:11 waterfall postfix/smtpd[7869]: < adsl-202-163-fixip.tiscali.ch[212.254.202.163]: bWljaGFlbEB6YWsubGk=

Jun 13 01:29:11 waterfall postfix/smtpd[7869]: smtpd_sasl_authenticate: decoded response: me@domain.com

Jun 13 01:29:11 waterfall postfix/smtpd[7869]: smtpd_sasl_authenticate: uncoded challenge: Password:

Jun 13 01:29:11 waterfall postfix/smtpd[7869]: > adsl-202-163-fixip.tiscali.ch[212.254.202.163]: 334 UGFzc3dvcmQ6

Jun 13 01:29:11 waterfall postfix/smtpd[7869]: < adsl-202-163-fixip.tiscali.ch[212.254.202.163]: dGVzdDEyMw==

Jun 13 01:29:11 waterfall postfix/smtpd[7869]: smtpd_sasl_authenticate: decoded response: test123

Jun 13 01:29:11 waterfall saslauthd[7757]: pam_mysql: select returned more than one result

Jun 13 01:29:11 waterfall saslauthd[7757]: DEBUG: auth_pam: pam_authenticate failed: Permission denied

Jun 13 01:29:11 waterfall saslauthd[7757]: do_auth         : auth failure: [user=me] [service=smtp] [realm=domain.com] [mech=pam] [reason=PAM auth error]

Jun 13 01:29:11 waterfall postfix/smtpd[7869]: warning: adsl-202-163-fixip.tiscali.ch[212.254.202.163]: SASL LOGIN authentication failed

Jun 13 01:29:11 waterfall postfix/smtpd[7869]: > adsl-202-163-fixip.tiscali.ch[212.254.202.163]: 535 Error: authentication failed
```

Anyone have an idea?

greezzz

P.S. Sorry for my English..

----------

## kashani

```

Jun 13 01:29:11 waterfall postfix/smtpd[7869]: smtpd_sasl_authenticate: decoded response: test123

Jun 13 01:29:11 waterfall saslauthd[7757]: pam_mysql: select returned more than one result

Jun 13 01:29:11 waterfall saslauthd[7757]: DEBUG: auth_pam: pam_authenticate failed: Permission denied 

```

I'm going to guess it's that MySQL line. Double-check your users table to make sure you only have one instance of your username.

kashani

----------

## blacksheep2

Yes.. I'm sure. There is only this test user in my MySQL table, no one else.

----------

## blacksheep2

hmm, I tried something and now it works, but not correctly...

So, when I change the username in the MySQL table (local) to a username without the @ and the domain (me@domain.com -> me), it works fine! Is this a mail client problem? I use Thunderbird..

But I think it won't work when I want to log in with a virtual domain mail address in future, right? So, where's my mistake?

----------

## kashani

Strange. I'm curious about your setup. What does the current user table look like? Also, when using the virtual stuff, all POP accounts need to be the entire email address, so make sure that's how you've configured Thunderbird.

kashani

----------

## blacksheep2

```
id  email          clear    name              uid   gid  homedir   maildir             quota  postfix
1   me@domain.com  test123  first local user  1000  100  /home/me  /home/me/.maildir/         y
```

But I reconfigured Thunderbird and now it also works with the right username. But the SMTP username must be set to me@domain.com@domain.com, because PAM (?) or Thunderbird cuts the domain off the username. Strange, huh?

----------

## henri

Hi folks,

this is a real problem and I think the virtual-mail-howto won't work any more.

The reason doesn't seem to be pam_mysql, but cyrus-sasl, which seems at least in versions 2.1.17-18 to shorten the username now.

I upgraded last night without knowing about this, and I have now been fighting with this problem the whole day.

I know there's another (much more flexible SQL) way to set up sasl for smtp, but still trying...

If someone doesn't have this problem when using cyrus-sasl 2.1.17 or 2.1.18, or has a clue for a workaround where the client-side username stays 'user@domain.suff', please drop us a line.

I only found one entry in the newsgroups about this problem, but no solution yet.

Even if you only have a slight idea...

...please drop us a line.

Many thanks in advance,

    yours Henri

----------

## henri

Hi folks,

all right, I got it:

I think, the tutorial should be extended.

Maybe I'll provide some hints to use group-quota for every single domain, too.

Re-emerge cyrus-sasl but do NOT exclude mysql from the use flags, which means, do NOT type "export USE='-mysql'" before "emerge cyrus-sasl". If you don't have mysql in your use flags, even do "export USE='mysql'; emerge cyrus-sasl" and then edit your /usr/lib/sasl2/smtp.conf, so it looks like this:

```
pwcheck_method: auxprop
auxprop_plugin: sql
mech_list: PLAIN LOGIN
# ... and if you provide it ... CRAM-MD5 DIGEST-MD5
log_level: 3 # decide yourself, but good for debugging
sql_engine: mysql
sql_hostnames: localhost
sql_database: serveradmin
sql_user: serveradmin
sql_passwd: _your_mysql_password_
sql_select: SELECT clearpass FROM mailbox WHERE username='%u@%r'
sql_usessl: no
```

If you want the possibility to also disable sending emails for some user/s, you may enhance it with an AND statement like " AND allowed_to_send_mail=1", which implies that you also have a column named "allowed_to_send_mail".

so long...

    yours Henri

----------

## blacksheep2

cool!

I'll try it tomorrow after my last examinations.. but it sounds nice. thank you!

----------

## blacksheep2

@henri

Wow, thank you, it works really fine! I just set it up without any trouble...

cya

----------

## davobe

 *henri wrote:*   

> 
> 
> Even if you only have a slight idea...
> 
> ...please drop us a line.
> ...

 

A slight idea, maybe! I followed the English version of the virt-mail-howto.xml. I skipped the Apache, PHP, SquirrelMail, and mailman components. To get SMTP Auth working for me I needed the following tweaks:

smtpd.conf

```

pwcheck_method: saslauthd

mech_list: LOGIN PLAIN

```

```
ln -s /etc/sasl2/smtpd.conf /usr/lib/sasl2/smtpd.conf

postfix reload
```

/etc/conf.d/saslauthd made use of deprecated option switches -H and -T. Using -O /path/to/config/file in /etc/conf.d/saslauthd may negate the need for the symbolic link above.

David

# Edit below

OK - Second reading, more experience, a patch for cyrus-sasl-2.1.18.

My information above related to efforts with cyrus-sasl-2.1.14 on an x86 box. Cyrus-sasl-2.1.14 happened by default with the recent x86 ebuild install. I attempted the same install on a sparc 64 and experienced the problem Henri identified above with cyrus-sasl-2.1.18. Cyrus drops the realm component off the user ID, which inhibits success when using the auth plain mechanism. Cyrus-sasl-2.1.14 and others are masked and would not compile on the sparc.

I was able to patch cyrus-sasl-2.1.18 to allow use of

```

pwcheck_method: saslauthd

mech_list: LOGIN PLAIN 

```

thanks to this post and patch by Igor Brezac:

http://asg.web.cmu.edu/archive/message.php?mailbox=archive.cyrus-sasl&searchterm=patch&msg=4669

I was not successful editing the ebuild to install the patch. I resorted to a manual workaround. I unzipped the tar.gz, edited pam_auth.c file using vim, rebuilt the tar.gz, created a new digest and emerged using the original ebuild.

It may not be pretty but it worked for me. I can now authenticate SMTP over TLS using saslauthd and MySQL.

Last edited by davobe on Wed Jun 23, 2004 10:45 pm; edited 2 times in total

----------

## bfrackie

@henri

Your solution does not work for me. Is your file /usr/lib/sasl2/smtp.conf a typo? (Mine is smtpd.conf.)

Bart

----------

## henri

Oh yes, sorry, it is a typo!

I wrote it without copy/paste.

Yes, it has to be /usr/lib/sasl2/smtpd.conf and /etc/sasl2/smtpd.conf

These two will help you debug:

    tail -f /var/log/auth.log

    tail -f /var/log/mysql/mysql.log

yours Henri

----------

## Wi1d

 *Quote:*   

> These two will help you debugging:
> 
> tail -f /var/log/auth.log
> 
> tail -f /var/log/mysql/mysql.log 

 

What do I need to edit to get a /var/log/auth.log? I don't seem to have one.

Thanks.

----------

## bfrackie

Hey folks,

In the meanwhile I found another solution which works well for me:

I added a column login, which contains a real user name. If the format of these logins is something like 'open-medium.com/bart', sasl does not remove the domain from the login. Of course, you have to modify your imap, courier, postfix and sasl configuration files.

Bart

P.S. Sorry Wi1d, I have no idea how or where you can switch this on.

----------

## thumper

In case this is of any value to someone:

I created /etc/portage/package.use

added:

```
dev-libs/cyrus-sasl -mysql pam-mysql
```

Reemerged cyrus-sasl

and the stuff in smtpd.conf 

```
pwcheck_method: saslauthd 

mech_list: LOGIN PLAIN
```

it started working again after the update to cyrus-sasl-2.1.18-r2

[edit] BAH! It worked for an hour or so and then quit... what's with that!

Reemerged 2.1.14 for now, too tired for this atm. [/edit]

George

----------

## ktorn

I just had the same problem, after doing an emerge --update world.

When doing the etc-update I stupidly chose option -5 and all my files were replaced with the defaults. I followed the postfix guide again, but still couldn't send stuff.

 *henri wrote:*   

> 
> 
> sql_engine: mysql
> 
> sql_hostnames: localhost
> ...

 

That basically worked! Except I had to adapt it to my settings, which were more similar to the original guide. Here's that bit from my /etc/sasl2/smtpd.conf:

```

sql_engine: mysql

sql_hostnames: localhost

sql_database: mailsql

sql_user: mailsql

sql_passwd: _your_password_

sql_select: SELECT clear FROM users WHERE email='%u@%r'

sql_usessl: no

```

It seems good so far. I can now send emails, as well as receive. Let's see if it stays that way.
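
The behaviour worked out in this thread, as an added example that is not from any poster or from the cyrus-sasl project: a Python model of why the saslauthd/PAM lookup fails once the realm is split off the login, why the doubled `me@domain.com@domain.com` login got through, and why `sql_select` with `'%u@%r'` succeeds. SQLite stands in for MySQL, the split at the last `@` is an assumption consistent with the posted log, and all function names are hypothetical.

```python
import hmac
import re
import sqlite3

# Constructed sample row mirroring the users table posted in the thread.
SAMPLE_ROWS = [("me@domain.com", "test123")]
SQL_SELECT = "SELECT clear FROM users WHERE email='%u@%r'"  # from the thread


def make_db():
    """In-memory SQLite stand-in for the MySQL mail database (assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, clear TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return db


def split_login(login):
    """Model of the reported behaviour: text after the last '@' is the realm."""
    user, sep, realm = login.rpartition("@")
    return (user, realm) if sep else (login, "")


def expand(template, user, realm):
    """Bind each quoted literal, with %u/%r filled in, as a query parameter."""
    values = {"u": user, "r": realm}
    params = []
    def bind(match):
        literal = re.sub(r"%([ur])", lambda m: values[m.group(1)], match.group(1))
        params.append(literal)
        return "?"
    return re.sub(r"'([^']*)'", bind, template), params


def _check(db, query, params, password):
    row = db.execute(query, params).fetchone()
    return row is not None and hmac.compare_digest(row[0].encode(), password.encode())


def pam_style_auth(db, login, password):
    """saslauthd path as logged in the thread: only the user part is looked up."""
    user, _realm = split_login(login)
    return _check(db, "SELECT clear FROM users WHERE email=?", [user], password)


def auxprop_style_auth(db, login, password, template=SQL_SELECT):
    """auxprop sql path: the template rebuilds user@realm before the lookup."""
    query, params = expand(template, *split_login(login))
    return _check(db, query, params, password)
```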

----------

## AlterX

This is the only real and fast solution!

Same problem with sasl 2.1.18 on my mail server.

Reinstalling sasl 2.1.14 and now working fine!

----------

## robrpn

Thanks very much Henri, your solution worked perfectly for me.

----------

