# Trouble with cyrus-sasl-2.1.25-r3

## hanj

I just upgraded to cyrus-sasl-2.1.25-r3 from 2.1.23-r6. Ran revdep-rebuild, restarted postfix and saslauthd, and I'm running into errors authenticating for SMTP.

Here is a snip from my mail.log:

```
Dec  6 09:35:06 mail.comp.com postfix/smtpd[5652]: connect from nat.comp.com[xxx.xxx.xxx.xxx]
Dec  6 09:35:07 mail.comp.com postfix/smtpd[5652]: Anonymous TLS connection established from nat.comp.com[xxx.xxx.xxx.xxx]: TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)
Dec  6 09:35:08 mail.comp.com postfix/smtpd[5652]: warning: nat.comp.com[xxx.xxx.xxx.xxx]: SASL LOGIN authentication failed: authentication failure
Dec  6 09:35:08 mail.comp.com postfix/smtpd[5652]: lost connection after AUTH from nat.comp.com[xxx.xxx.xxx.xxx]
Dec  6 09:35:08 mail.comp.com postfix/smtpd[5652]: disconnect from nat.comp.com[xxx.xxx.xxx.xxx]
```

Here is a snip from my auth.log:

```
Dec  6 09:36:47 mail.comp.com postfix/smtpd[5652]: sql plugin Parse the username admin@comp.com
Dec  6 09:36:47 mail.comp.com postfix/smtpd[5652]: sql plugin try and connect to a host
Dec  6 09:36:47 mail.comp.com postfix/smtpd[5652]: sql plugin trying to open db 'postfix' on host 'xxx.xxx.xxx.xxx'
Dec  6 09:36:47 mail.comp.com postfix/smtpd[5652]: begin transaction
Dec  6 09:36:47 mail.comp.com postfix/smtpd[5652]: sql plugin create statement from userPassword admin comp.com
Dec  6 09:36:47 mail.comp.com postfix/smtpd[5652]: sql plugin doing query SELECT password FROM mailbox WHERE username='admin@comp.com';
Dec  6 09:36:47 mail.comp.com postfix/smtpd[5652]: commit transaction
Dec  6 09:36:47 mail.comp.com postfix/smtpd[5652]: sql plugin Parse the username admin@comp.com
Dec  6 09:36:47 mail.comp.com postfix/smtpd[5652]: sql plugin try and connect to a host
Dec  6 09:36:47 mail.comp.com postfix/smtpd[5652]: sql plugin trying to open db 'postfix' on host 'xxx.xxx.xxx.xxx'
Dec  6 09:36:47 mail.comp.com postfix/smtpd[5652]: sql plugin Parse the username admin@comp.com
Dec  6 09:36:47 mail.comp.com postfix/smtpd[5652]: sql plugin try and connect to a host
Dec  6 09:36:47 mail.comp.com postfix/smtpd[5652]: sql plugin trying to open db 'postfix' on host 'xxx.xxx.xxx.xxx'
Dec  6 09:36:47 mail.comp.com postfix/smtpd[5652]: begin transaction
Dec  6 09:36:47 mail.comp.com postfix/smtpd[5652]: sql plugin create statement from userPassword admin comp.com
Dec  6 09:36:47 mail.comp.com postfix/smtpd[5652]: sql plugin doing query SELECT password FROM mailbox WHERE username='admin@comp.com';
Dec  6 09:36:47 mail.comp.com postfix/smtpd[5652]: sql plugin create statement from cmusaslsecretPLAIN admin comp.com
Dec  6 09:36:47 mail.comp.com postfix/smtpd[5652]: sql plugin doing query SELECT password FROM mailbox WHERE username='admin@comp.com';
Dec  6 09:36:47 mail.comp.com postfix/smtpd[5652]: commit transaction
Dec  6 09:36:47 mail.comp.com postfix/smtpd[5652]: sql plugin Parse the username admin@comp.com
Dec  6 09:36:47 mail.comp.com postfix/smtpd[5652]: sql plugin try and connect to a host
Dec  6 09:36:47 mail.comp.com postfix/smtpd[5652]: sql plugin trying to open db 'postfix' on host 'xxx.xxx.xxx.xxx'
```

As you can see, not much info. Looking at USE flags for cyrus-sasl-2.1.25-r3, I see that crypt is no longer an option. I'm thinking that might be an issue. Currently, passwords are stored in MySQL. I'm hoping that this might be a simple smtpd.conf misconfiguration. dispatch-conf did not show any updates to that config though?

Here is my smtpd.conf:

```
pwcheck_method: auxprop
auxprop_plugin: sql
mech_list: PLAIN LOGIN
password_format: crypt
sql_engine: mysql
sql_hostnames: xxx.xxx.xxx.xxxx
sql_database: postfix
sql_user: postfix
sql_passwd: xxxxxxxx
sql_select: SELECT password FROM mailbox WHERE username='%u@%r'
sql_usessl: no
```

Also, here are my emerge outputs for cyrus-sasl and postfix:

```
[ebuild     U  ] dev-libs/cyrus-sasl-2.1.25-r3:2 [2.1.23-r6:2] USE="gdbm mysql pam ssl urandom -authdaemond (-berkdb) -java -kerberos -ldapdb% -openldap -postgres -sample -sqlite% -srp -static-libs% (-crypt%*) (-ntlm_unsupported_patch%)" 0 kB
[ebuild   R    ] mail-mta/postfix-2.9.4  USE="berkdb mysql pam sasl ssl vda -cdb -doc -dovecot-sasl -hardened -ldap -ldap-bind -mbox -memcached -nis -postgres (-selinux) -sqlite" 0 kB
```

Any ideas as to what the problem could be?

Thanks in advance!

hanji

----------

## cach0rr0

 *hanj wrote:*   

> Looking at USE flags for cyrus-sasl-2.1.25-r3, I see that crypt is no longer an option. I'm thinking that might be an issue. 

 

yip, bingo. 

USE="crypt" does

```
use crypt && epatch "${FILESDIR}"/${PN}-2.1.19-checkpw.c.patch
```

which provides for password_format

----------

## hanj

 *cach0rr0 wrote:*   

>  *hanj wrote:*   Looking at USE flags for cyrus-sasl-2.1.25-r3, I see that crypt is no longer an option. I'm thinking that might be an issue.  
> 
> yip, bingo. 
> 
> USE="crypt" does
> ...

 

Thanks for the reply. I'm a little confused. 2.1.25-r3 doesn't have crypt. Your code looks like it might be from cyrus-sasl-2.1.23-r6.ebuild, which is what I have currently installed. The system wants to update to cyrus-sasl-2.1.25-r3 and that's where the problem is.

Thanks!

hanji

----------

## cach0rr0

 *hanj wrote:*   

> Your code looks like it might be from cyrus-sasl-2.1.23-r6.ebuild, which is what I have currently installed. The system wants to update to cyrus-sasl-2.1.25-r3 and that's where the problem is.

 

correct. that code is from the 2.1.23 ebuild

that line applies this patch

which is what allows you to use encrypted passwords

this does not exist for the 2.1.25 ebuild. I am assuming the package maintainer intentionally removed this - maybe the patch does not apply cleanly on 2.1.25, I don't know. 

but certainly without this patch applied, your setup will not work as configured. 

I suppose you *could* edit the 2.1.25 ebuild, and tell it to apply the patch - if it patches cleanly, might be worth logging a bug, might be worth logging one anyway. 

I'm just confirming that no, without that patch applied (which gets applied conditionally based on the 'crypt' USE flag) your encrypted passwords will not work as configured. 

I also don't know if cyrus-sasl maybe added their own functionality without that patch, that makes the patch superfluous - but if they did, it would take different configuration parameters most likely. Either way, yes, that is the problem.

----------
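
A pre-upgrade check built on the diagnosis in the posts above, as an added example that is not part of any post or of the cyrus-sasl ebuild: it reads a SASL config and an `emerge -pv` line and warns when `password_format` is set while the `crypt` USE flag is not enabled in the build. The function names and the trimmed sample inputs are constructed for illustration; the link between `password_format` and `USE="crypt"` is taken from the thread.

```python
import re

# Constructed sample input: trimmed copies of the smtpd.conf and emerge line quoted in the thread.
SMTPD_CONF = """\
pwcheck_method: auxprop
auxprop_plugin: sql
mech_list: PLAIN LOGIN
password_format: crypt
"""
EMERGE_LINE = ('[ebuild     U  ] dev-libs/cyrus-sasl-2.1.25-r3:2 [2.1.23-r6:2] '
               'USE="gdbm mysql pam ssl urandom -authdaemond (-berkdb) -java '
               '-sqlite% -static-libs% (-crypt%*)" 0 kB')

# emerge decorations: (...) forced/masked/removed, leading - disabled,
# % flag added to or removed from the ebuild, * enabled state differs from the installed version.
TOKEN = re.compile(r'^(\()?(-?)([\w+@-]+?)(%?)(\*?)\)?$')

def parse_sasl_conf(text):
    """Return {option: value} from a Cyrus SASL 'key: value' config."""
    opts = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and not key.startswith("#"):
            opts[key.strip()] = value.strip()
    return opts

def parse_use_flags(emerge_line):
    """Return {flag: state dict} parsed from the USE="..." part of an emerge -pv line."""
    m = re.search(r'USE="([^"]*)"', emerge_line)
    flags = {}
    for tok in (m.group(1).split() if m else []):
        t = TOKEN.match(tok)
        if t:
            flags[t.group(3)] = {"enabled": t.group(2) != "-", "locked": bool(t.group(1)),
                                 "new_or_removed": bool(t.group(4)), "changed": bool(t.group(5))}
    return flags

def upgrade_findings(conf_text, emerge_line):
    """Flag a config that relies on password_format when the build will lack USE=crypt."""
    opts = parse_sasl_conf(conf_text)
    crypt = parse_use_flags(emerge_line).get("crypt")
    findings = []
    if opts.get("pwcheck_method") == "auxprop" and "password_format" in opts:
        if crypt is None or not crypt["enabled"]:
            findings.append("password_format: %s is set but the build has no enabled "
                            "'crypt' USE flag; hashed auxprop passwords will not verify"
                            % opts["password_format"])
    return findings

if __name__ == "__main__":
    for finding in upgrade_findings(SMTPD_CONF, EMERGE_LINE):
        print("WARNING:", finding)
```
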

## hanj

I found this bug report that shows the problem as well:

https://bugs.gentoo.org/show_bug.cgi?id=445568

I'll try -r4 tomorrow.

Thanks!

hanji

----------

