# [SOLVED] Postfix/SASL auth issue

## Ateo

I am passing authentication off to Courier-Authlib. As such, this command works just fine:

```
$ sasl2 testsaslauthd -s smtpd -u user@domain.com -p _user@domain.com_password_

0: OK "Success."
```

```
Nov 29 16:26:02 mail.domain.com imapd: Connection, ip=[192.168.4.245]
Nov 29 16:26:02 mail.domain.com imapd: LOGIN, user=user@domain.com, ip=[192.168.4.245], protocol=IMAP
Nov 29 16:26:02 mail.domain.com imapd: DISCONNECTED, user=user@domain.com, ip=[192.168.4.245], headers=0, body=0, rcvd=0, sent=24, time=0
```

However, Postfix is complaining:

1. I'm not sure why I'm getting the `SASL authentication debug: could not find auxprop plugin, was searching for '[all]'` error.

2. Postfix is unable to authenticate against SASL.

```
Nov 29 16:13:50 mail.domain.com postfix/smtpd[23049]: < unknown[192.168.4.20]: AUTH LOGIN
Nov 29 16:13:50 mail.domain.com postfix/smtpd[23049]: xsasl_cyrus_server_first: sasl_method LOGIN
Nov 29 16:13:50 mail.domain.com postfix/smtpd[23049]: xsasl_cyrus_server_auth_response: uncoded server challenge: Username:
Nov 29 16:13:50 mail.domain.com postfix/smtpd[23049]: > unknown[192.168.4.20]: 334 VXNlcm5hbWU6
Nov 29 16:13:50 mail.domain.com postfix/smtpd[23049]: < unknown[192.168.4.20]: ZHJhY2NvQHhkcmFjY28ubmV0
Nov 29 16:13:50 mail.domain.com postfix/smtpd[23049]: xsasl_cyrus_server_next: decoded response: user@domain.com
Nov 29 16:13:50 mail.domain.com postfix/smtpd[23049]: xsasl_cyrus_server_auth_response: uncoded server challenge: Password:
Nov 29 16:13:50 mail.domain.com postfix/smtpd[23049]: > unknown[192.168.4.20]: 334 UGFzc3dvcmQ6
Nov 29 16:13:50 mail.domain.com postfix/smtpd[23049]: < unknown[192.168.4.20]: TWFyZ280MjA=
Nov 29 16:13:50 mail.domain.com postfix/smtpd[23049]: xsasl_cyrus_server_next: decoded response: _user@domain.com_password_
Nov 29 16:13:50 mail.domain.com postfix/smtpd[23049]: SASL authentication debug: could not find auxprop plugin, was searching for '[all]'
Nov 29 16:13:50 mail.domain.com postfix/smtpd[23049]: SASL authentication debug: could not find auxprop plugin, was searching for '[all]'
Nov 29 16:13:50 mail.domain.com postfix/smtpd[23049]: SASL authentication debug: could not find auxprop plugin, was searching for '[all]'
Nov 29 16:13:50 mail.domain.com postfix/smtpd[23049]: SASL authentication debug: could not find auxprop plugin, was searching for '[all]'
Nov 29 16:13:50 mail.domain.com postfix/smtpd[23049]: warning: unknown[192.168.4.20]: SASL LOGIN authentication failed: authentication failure
Nov 29 16:13:50 mail.domain.com postfix/smtpd[23049]: > unknown[192.168.4.20]: 435 4.7.0 Error: authentication failed: authentication failure
```

My sasl configuration isn't insane:

```
pwcheck_method:         authdaemond
mech_list:              plain login
authdaemond_path:       /var/lib/courier/authdaemon/socket
allowanonymouslogin:    no
allowplaintext:         no
password_format:        crypt
log_level:              10
```

I've enabled sasl in Postfix:

```
broken_sasl_auth_clients = yes
smtp_sasl_auth_enable = $smtpd_sasl_auth_enable
smtp_sasl_security_options = $smtpd_sasl_security_options
smtp_sasl_type = $smtpd_sasl_type
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = 
smtpd_sasl_path = /etc/sasl2:/usr/lib/sasl2
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = cyrus
```

Additional info:

```
dev-libs/cyrus-sasl-2.1.22-r2  USE="authdaemond -berkdb -crypt -gdbm -java -kerberos -ldap -mysql -ntlm_unsupported_patch pam -postgres -sample -srp ssl urandom"
```

```
/var/lib/courier/:
total 0
drwxr-xr-x 2 mail mail 120 Nov 29 14:30 authdaemon

/var/lib/courier/authdaemon:
total 0
srwxrwxrwx 1 root root 0 Nov 29 14:30 socket
```

```
mail:x:12:mail,dspam,postfix,vmail,spamd
```

Am I missing something?

Any input appreciated.

Last edited by Ateo on Thu Jan 03, 2008 12:03 am; edited 1 time in total

----------

## steveb

Post the content of /etc/courier/authlib/authdaemonrc

// SteveB

----------

## Ateo

Certainly....

FYI, I recompiled courier-authlib just to get the new authdaemonrc.dist file to compare with my current authdaemonrc file. Nothing seemed out of line....

```
authmodulelist="authmysql authpgsql"
daemons=5
authdaemonvar=/var/lib/courier/authdaemon
DEBUG_LOGIN=0
DEFAULTOPTIONS="disablewebmail=1"
```

Why does Postfix hate me?

----------

## Ateo

I forgot to post conf.d/sasl. Here it is:

```
SASLAUTHD_OPTS=""
SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -a rimap"
SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -O mail.mydomain.com"
```

----------

## steveb

What about /etc/courier/authlib/authmysqlrc and /etc/courier/authlib/authpgsqlrc? Could you post them?

```
grep -v "^[\t ]*#\|^[\t ]*$" /etc/courier/authlib/authmysqlrc
```

```
grep -v "^[\t ]*#\|^[\t ]*$" /etc/courier/authlib/authpgsqlrc
```

 *Ateo wrote:*   

> I am passing authentication off to Courier-Authlib. As such, this command works just fine:
> 
> ```
> $ sasl2 testsaslauthd -s smtpd -u user@domain.com -p _user@domain.com_password_
> 
> ...

 This is for SMTP. Can you try with -s imapd? And maybe add -r domain.com to check if that works as well?

 *Ateo wrote:*   

> Why does Postfix hate me?

 It is not Postfix! It is the Courier auth daemon.

// SteveB

----------

## Ateo

```
MYSQL_SERVER            127.0.0.1
MYSQL_USERNAME          _USERNAME_
MYSQL_PASSWORD          _PASSWORD_
MYSQL_SOCKET            /var/run/mysqld/mysqld.sock
MYSQL_PORT              3306
MYSQL_OPT               0
MYSQL_DATABASE          postoffice
MYSQL_USER_TABLE        mailbox
MYSQL_CRYPT_PWFIELD     password
DEFAULT_DOMAIN          mydomain.com
MYSQL_UID_FIELD         uid
MYSQL_GID_FIELD         gid
MYSQL_LOGIN_FIELD       pobox
MYSQL_HOME_FIELD        homedir
MYSQL_NAME_FIELD        name
MYSQL_MAILDIR_FIELD     maildir
MYSQL_QUOTA_FIELD       quota
MYSQL_WHERE_CLAUSE      active = '1' AND postfix = 'y'
```

```
PGSQL_HOST              127.0.0.1
PGSQL_PORT              5432
PGSQL_USERNAME          _USERNAME_
PGSQL_DATABASE          postoffice
PGSQL_USER_TABLE        mailbox
PGSQL_CRYPT_PWFIELD     password
PGSQL_UID_FIELD         uid
PGSQL_GID_FIELD         gid
PGSQL_LOGIN_FIELD       pobox
PGSQL_HOME_FIELD        homedir
PGSQL_NAME_FIELD        name
PGSQL_MAILDIR_FIELD     maildir
PGSQL_QUOTA_FIELD       quota
PGSQL_WHERE_CLAUSE      active = '1' AND postfix = 'y'
```

I am able to authenticate with -s imapd...

```
$ testsaslauthd -s imapd -r domain.com -u user@domain.com -p user_password

0: OK "Success."
```

----------

## steveb

I think I need to explain some stuff.

Courier authdaemond uses:

/etc/courier/authlib/authmysqlrc

/etc/courier/authlib/authpgsqlrc

Cyrus SASL saslauthd uses:

/etc/conf.d/saslauthd

Postfix uses:

/etc/sasl2/smtpd.conf

If Postfix has problems using authdaemond then one of the following conditions is probably true:

1. You run Postfix (smtpd) chrooted and Postfix can not access the authdaemond socket

2. Postfix is not permitted to access the authdaemond socket or the directory containing the authdaemond socket

3. Postfix tries to open the authdaemond socket in the wrong place

I think the following options are not available for pwcheck_method authdaemond:

```
allowanonymouslogin
allowplaintext
password_format
```

Another possible problem could be your SASL library version. What version do you use?

```
/usr/sbin/saslauthd -v
```

BTW: Why don't you go directly into MySQL for authentication? You could use pwcheck_method auxprop with the SQL plugin and from there hop directly into MySQL or Postgres. The big benefit you would have bypassing authdaemond is that you could extend mech_list to use more than just PLAIN and LOGIN.

// SteveB

----------

## Ateo

 *steveb wrote:*   

> If Postfix has problems using authdaemond then one of the following conditions is probably true:
> 
> 1. You run Postfix (smtpd) chrooted and Postfix can not access the authdaemond socket
> 
> 2. Postfix is not permitted to access the authdaemond socket or the directory containing the authdaemond socket
> 
> 3. Postfix tries to open the authdaemond socket in the wrong place

 

Well then I believe Postfix may be trying to open the authdaemond socket from the wrong place because...

1. I do not run Postfix chrooted.

2. I have very loose permissions on the socket.

 *steveb wrote:*   

> I think the following options are not available for pwcheck_method authdaemond:
> 
> ```
> allowanonymouslogin
> 
> ...

 

I've removed them...

 *steveb wrote:*   

> Another possible problem could be your SASL library version. What version do you use?
> 
> ```
> /usr/sbin/saslauthd -v
> ```
> ...

 

```
saslauthd 2.1.22
authentication mechanisms: sasldb getpwent pam rimap shadow
```

 *steveb wrote:*   

> BTW: Why don't you go directly into MySQL for authentication? You could use pwcheck_method auxprop with the SQL plugin and from there hop directly into MySQL or Postgres. The big benefit you would have bypassing authdaemond is that you could extend mech_list to use more than just PLAIN and LOGIN.

 

Because I cannot store encrypted passwords using this method without some sort of patch. This is what I understood from endless searching and reading on this...

I don't want to use pam at all (in case anyone wants to go there)...

----------

## steveb

 *Ateo wrote:*   

> Because I cannot store encrypted passwords using this method without some sort of patch. This is what I understood from endless searching and reading on this...

 In Gentoo this patch is already installed with cyrus-sasl. The option password_format allows you to choose the method. Read here for more on how to set that up.

 *Ateo wrote:*   

> I don't want to use pam at all (in case anyone wants to go there)...

 Ach! PAM. It's okay but I don't like to use it for Postfix. I personally went the auxprop way.

Have you tried to use saslauthd in pwcheck_method? Because I think this is what you want. Postfix -> SASL -> saslauthd -> IMAP connection to mail.mydomain.com for verification -> ...

// SteveB

----------

## Ateo

*** OK. So from this point forward, I am attempting SQL (again... hehe)

 *steveb wrote:*   

>  *Ateo wrote:*   
> > Because I cannot store encrypted passwords using this method without some sort of patch. This is what I understood from endless searching and reading on this...
> 
> In Gentoo this patch is already installed with cyrus-sasl. The option password_format allows you to choose the method. Read here for more on how to set that up.

 

Oh. I wasn't aware that the ebuild is already patched...

 *steveb wrote:*   

> Have you tried to use saslauthd in pwcheck_method? ...

 

Yes. I have used that method. It's all the same. =) I can auth from terminal (testsaslauthd) but postfix can't....

 *steveb wrote:*   

> Because I think this is what you want. Postfix -> SASL -> saslauthd -> IMAP connection to mail.mydomain.com for verification ->

 

Actually, this is just what I've resorted to.. I don't care which method I use as long as:

1. I can SMTP/S authenticate

2. No clear text passwords in database (ick)

------

Here's my fire. The cyrus documentation is either too confusing for me or it just lacks.

Here is one example:

Let's say I want to have cyrus query SQL directly. Ok great. Here is my config which is from the site you posted. I have already crossed paths with that site and tried it. And since the current ebuild is patched, this configuration should work:

```
pwcheck_method: auxprop
auxprop_plugin: sql
allowanonymouslogin: no
allowplaintext: yes
mech_list: PLAIN LOGIN
srp_mda: md5
srvtab: /dev/null
opiekeys: /dev/null
password_format: crypt
sql_user: _username_
sql_passwd: _password_
sql_hostnames: 127.0.0.1
sql_database: _database_
sql_select: SELECT password FROM mailbox WHERE pobox = '%u@%r'
```

Where is the confusion you ask? Well, I have no idea what to use in /etc/conf.d/saslauthd (SASLAUTHD_OPTS)? My authentication mechanisms are sasldb getpwent pam rimap shadow. It doesn't matter what auth mech I set it to, cyrus will not auth against SQL directly (or any other method for that matter, except rimap which only auths me from terminal using testsaslauthd)...

I'm stumped. I've tried testsaslauthd with AND without the -r realm option.

FYI: I've rebuilt cyrus with support for everything. I doubt I need the ntlm unsupported patch since I am not implementing that... Or am I wrong? Do I need it for encrypted passwords?

```
[ebuild   R   ] dev-libs/cyrus-sasl-2.1.22-r2  USE="authdaemond berkdb crypt -gdbm -java -kerberos -ldap mysql -ntlm_unsupported_patch pam postgres -sample srp ssl urandom" 0 kB 
```

----------

## steveb

What output do you get from:

```
postconf -n |grep smtpd_delay_reject
```

What output do you get from:

```
ls -lah /var/lib/sasl2/
```

Please add to your main.cf in smtpd_*_restrictions the option permit_sasl_authenticated.

Please add to your main.cf:

```
smtp_sasl_mechanism_filter = plain, login
```

Could you post the structure of your mailbox table in MySQL?

```
DESCRIBE mailbox;
```

What about the password field? Who does the crypt (I see that you use crypt)? Is it really crypt?

For /etc/sasl2/smtpd.conf I would suggest this (more verbose, so you can nail down problems quicker):

```
pwcheck_method: auxprop
auxprop_plugin: sql
mech_list: PLAIN LOGIN
allowanonymouslogin: no
allowplaintext: yes
srp_mda: md5
srvtab: /dev/null
opiekeys: /dev/null
password_format: crypt
log_level: 7
sql_engine: mysql
sql_hostnames: 127.0.0.1
sql_user: _username_
sql_passwd: _password_
sql_database: _database_
sql_select: SELECT password FROM mailbox WHERE pobox='%u@%r' AND active='1' AND postfix='y' LIMIT 1
# sql_update: UPDATE mailbox SET password='%v' WHERE pobox='%u@%r' AND active='1' AND postfix='y' LIMIT 1
# sql_insert: INSERT INTO mailbox (password,pobox,active,postfix) VALUES ('%v','%u@%r',1,'y')
sql_usessl: no
sql_verbose: yes
```

// SteveB

----------

## Ateo

And what about /etc/conf.d/saslauthd? What do I use for SASLOPTIONS? Certainly not pam nor rimap... This is where some of my confusion comes from. 

Thanks

----------

## steveb

 *Ateo wrote:*   

> And what about /etc/conf.d/saslauthd? What do I use for SASLOPTIONS? Certainly not pam nor rimap... This is where some of my confusion comes from.

 Whatever you like. It is not used by Postfix anyway if you switch to auxprop, since saslauthd does not handle that part:

```
mail ~ # /usr/sbin/saslauthd -v
saslauthd 2.1.22
authentication mechanisms: sasldb getpwent kerberos5 pam rimap shadow
mail ~ #
```

// SteveB

----------

## Ateo

 *steveb wrote:*   

> What output do you get from:
> 
> ```
> postconf -n |grep smtpd_delay_reject
> ```
> ...

 

```
$ postconf -n |grep smtpd_delay_reject

smtpd_delay_reject = yes
```

 *steveb wrote:*   

> What output do you get form:
> 
> ```
> ls -lah /var/lib/sasl2/
> ```
> ...

 

```
$ ls -lah /var/lib/sasl2/
total 4.5K
drwxr-xr-x  2 root root 184 Nov 30 17:50 .
drwxr-xr-x 20 root root 544 Nov 21 08:57 ..
-rw-r--r--  1 root root   0 Nov 30 17:46 .keep_dev-libs_cyrus-sasl-2
srwxrwxrwx  1 root root   0 Nov 30 17:50 mux
-rw-------  1 root root   0 Nov 30 17:50 mux.accept
-rw-------  1 root root   6 Nov 30 17:50 saslauthd.pid
```

 *steveb wrote:*   

> Please add to your main.cf in smtpd_*_restrictions the option permit_sasl_authenticated.

 

I am currently testing permit_sasl_authenticated via smtps. However, I have added permit_sasl_authenticated to smtpd_*_restrictions in main.cf, which yields the same result. I would like to continue using smtps as this is currently a method of transport not used by my users.... if possible.

 *steveb wrote:*   

> Please add to your main.cf:
> 
> ```
> smtp_sasl_mechanism_filter = plain, login
> ```
> ...

 

Added

 *steveb wrote:*   

> Could you post the structure of your mailbox table in MySQL?
> 
> ```
> DESCRIBE mailbox;
> ```
> ...

 

```
mysql> describe postoffice.mailbox;
+----------------+--------------+------+-----+---------+----------------+
| Field          | Type         | Null | Key | Default | Extra          |
+----------------+--------------+------+-----+---------+----------------+
| user_id        | int(11)      | NO   | PRI | NULL    | auto_increment |
| precedence     | int(1)       | NO   |     | 0       |                |
| domain_id      | int(11)      | NO   |     | 0       |                |
| pobox          | varchar(100) | NO   | UNI | 0       |                |
| password       | varchar(64)  | NO   |     | 0       |                |
| name           | varchar(64)  | NO   |     | 0       |                |
| uid            | int(1)       | NO   |     | 5000    |                |
| gid            | int(1)       | NO   |     | 5000    |                |
| homedir        | varchar(100) | NO   |     | 0       |                |
| maildir        | varchar(100) | NO   |     | 0       |                |
| quota          | varchar(50)  | NO   |     | 0       |                |
| postfix        | varchar(5)   | NO   |     | y       |                |
| user_class     | int(1)       | NO   |     | -1      |                |
| user_level     | int(1)       | NO   |     | 1       |                |
| user_lang      | varchar(5)   | YES  |     | en_US   |                |
| active         | int(1)       | NO   |     | 0       |                |
| created        | int(11)      | NO   |     | 0       |                |
| modified       | int(11)      | NO   |     | 0       |                |
| items_per_page | int(1)       | NO   |     | 10      |                |
| use_cookies    | int(1)       | NO   |     | 0       |                |
| forwarding     | int(1)       | NO   |     | 0       |                |
| style_id       | int(1)       | NO   |     | 0       |                |
| auto_login_key | varchar(40)  | YES  |     | NULL    |                |
+----------------+--------------+------+-----+---------+----------------+
23 rows in set (0.00 sec)
```

 *steveb wrote:*   

> What about the password field? Who does the crypt (I see that you use crypt)? Is it really crypt?

 

I use a custom PHP function to create the password. I'm pretty sure it's crypt otherwise Courier-auth wouldn't accept it.. right? I could be wrong.

 *steveb wrote:*   

> For /etc/sasl2/smtpd.conf I would suggest this (more verbose, so you can nail down problems quicker):
> 
> ```
> pwcheck_method: auxprop
> 
> ...

 

Thanks for this...

----------

## steveb

 *Ateo wrote:*   

> I am currently testing permit_sasl_authenticated via smtps. However, I have added permit_sasl_authenticated to smtpd_*_restrictions in main.cf, which yields the same result. I would like to continue using smtps as this is currently a method of transport not used by my users.... if possible.

 I don't understand. What is with smtps? btw: I hope you replaced the * in smtpd_*_restrictions?

 *Ateo wrote:*   

> I use a custom PHP function to create the password. I'm pretty sure it's crypt otherwise Courier-auth wouldn't accept it.. right? I could be wrong.

 If you use PHP for creating the password, then probably you are using standard DES based encryption with a two character salt. If this is the case, then please switch in your /etc/sasl2/smtpd.conf from:

```
password_format: crypt
```

To:

```
password_format: crypt_trad
```

The value crypt for password_format is only valid if you use modular crypt hashes like md5 or blowfish crypt. Could you post a snippet of the PHP code you use for crypting the password?

 *Ateo wrote:*   

> Thanks for this...

 No problem.

// SteveB

----------

## Ateo

 *steveb wrote:*   

> I don't understand. What is with smtps? btw: I hope you replaced the * in smtpd_*_restrictions?

 

I have this in master.cf:

```
smtps     inet  n       -       n       -       -       smtpd
 -o smtpd_tls_wrappermode=yes
 -o smtpd_sasl_auth_enable=yes
 -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

During this testing, I am trying to send mail via port 465. If I can send via port 465 without authentication, we should be able to agree that TLS is functioning fine. SASL should should work under this test environment right?

 *steveb wrote:*   

> If you use PHP for creating the password, then probably you are using standard DES based encryption with a two character salt. If this is the case, then please switch in your /etc/sasl2/smtpd.conf from:
> 
> ```
> password_format: crypt
> ```
> ...

 

Current passwords are encrypted with:

> CRYPT_MD5 - MD5 encryption with a twelve character salt starting with $1$

 

I have written a script that can produce passwords in the following encryption formats:

CRYPT_BLOWFISH - Blowfish encryption with a sixteen character salt starting with $2$ or $2a$

CRYPT_MD5 - MD5 encryption with a twelve character salt starting with $1$

CRYPT_EXT_DES - Extended DES-based encryption with a nine character salt

CRYPT_STD_DES - Standard DES-based encryption with a two character salt

Here is a snippet for CRYPT_MD5:

```php
<?php
// Incoming variables: $password, $db_salt = NULL (function name chosen here; the post gave none).
function crypt_md5_password($password, $db_salt = NULL)
{
    $saltprefix = '$1$';
    // generate_code() is defined elsewhere and just returns random characters.
    $saltphrase = substr(md5(generate_code()), 0, 12);
    // Use the salt passed in from the database if there is one, otherwise the fresh one.
    $salt       = empty($db_salt) ? $saltprefix.$saltphrase : $db_salt;
    $password   = crypt($password, $salt);
    return $password;
}
```

The generate_code() function is just a function that returns random characters. The variable $db_salt can be passed when the function is called. In most cases, I send $db_salt = NULL to the function. Instead I create the salt when the function is called (as can be seen).

Now. I've tried passwords in ALL 4 formats. Courier-Authlib logs me in just fine into my web client (roundcube using IMAP).

----------

## steveb

Did you enable "sql_verbose: yes" in smtpd.conf? If so, could you post the output from the log when you try to login?

BTW: Please add to your smtpd_client_restrictions the option permit_sasl_authenticated. It makes things easier for testing as it eliminates the TLS/SSL layer. It does not harm your installation in any way. Just add it on top as the first value to smtpd_client_restrictions.

// SteveB

----------

## Ateo

 *steveb wrote:*   

> Did you enable "sql_verbose: yes" in smtpd.conf? If so, could you post the output from the log when you try to login?
> 
> BTW: Please add to your smtpd_client_restrictions the option permit_sasl_authenticated. It makes things easier for testing as it eliminates the TLS/SSL layer. It does not harm your installation in any way. Just add it on top as the first value to smtpd_client_restrictions.
> 
> // SteveB

 

Yes. sql_verbose is set to yes. However, I'm not seeing any SQL verbose in syslog.log nor postfix.log during my login attempt. I have checked mysql logs too... empty. Do I need to turn on debugging for MySQL as well?

I've added the option permit_sasl_authenticated to smtpd_*_restrictions. Now TLS/SSL is out of the picture... I have configured the mail client to send mail using port 25.

----------

## steveb

 *Ateo wrote:*   

> Here is a snippet for CRYPT_MD5:
> 
> ```
> 
> incoming variables -> $password,$db_salt=NULL
> ...

 If I see that right, then you use for $salt whatever is in $db_salt but you don't check if $db_salt starts with '$1$'. From my viewpoint you should check that $db_salt really starts with '$1$' if you want CRYPT_MD5. If $db_salt does not start with '$1$' and the length of $db_salt is not twelve characters long, then the result is unpredictable. The salt for MD5 crypt can be longer than 12 characters because PHP will cut the salt after the 12th character if the salt is starting with $1$. You could save yourself some time for generating the $saltphrase because '$1$' + 8 characters + '$' = CRYPT_MD5 salt. No need to generate 12 characters. 8 are enough. For the applied SASL patch the MD5 salt must be 12 characters long. In PHP you could use less but for the patched SASL library it must be 12 characters long or longer since PHP will cut off after 12 characters.

Would it be a problem for you to create a test user with a test password and export that data and post it here?

// SteveB

----------

## Ateo

 *steveb wrote:*   

> If I see that right, then you use for $salt whatever is in $db_salt but you don't check if $db_salt starts with '$1$'. From my viewpoint you should check that $db_salt really starts with '$1$' if you want CRYPT_MD5. If $db_salt does not start with '$1$' and the length of $db_salt is not twelve characters long, then the result is unpredictable. The salt for MD5 crypt can be longer than 12 characters because PHP will cut the salt after the 12th character if the salt is starting with $1$. You could save yourself some time for generating the $saltphrase because '$1$' + 8 characters + '$' = CRYPT_MD5 salt. No need to generate 12 characters. 8 are enough. For the applied SASL patch the MD5 salt must be 12 characters long. In PHP you could use less but for the patched SASL library it must be 12 characters long or longer since PHP will cut off after 12 characters.

 

Thanks for the tip. You just helped me improve it. =)

 *steveb wrote:*   

> Would it be a problem for you to create a test user with a test password and export that data and post it here?

 

How did you want the user to be created? By my usual method or by manually adding a new dataline to the SQL table?

----------

## steveb

 *Ateo wrote:*   

> How did you want the user to be created? By my usual method or by manually adding a new dataline to the SQL table?

 Create it the usual way with your script then dump the data from MySQL and post it here.

// SteveB

----------

## Ateo

Here is the dump:

```
$ mysqldump postoffice mailbox -u root -p
Enter password: 
-- MySQL dump 10.11
--
-- Host: localhost    Database: postoffice
-- ------------------------------------------------------
-- Server version       5.0.44-log

/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES latin1 */;
/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
/*!40103 SET TIME_ZONE='+00:00' */;
/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;

--
-- Table structure for table `mailbox`
--

DROP TABLE IF EXISTS `mailbox`;
CREATE TABLE `mailbox` (
  `user_id` int(11) NOT NULL auto_increment,
  `precedence` int(1) NOT NULL default '0',
  `domain_id` int(11) NOT NULL default '0',
  `pobox` varchar(100) NOT NULL default '0',
  `password` varchar(64) NOT NULL default '0',
  `name` varchar(64) NOT NULL default '0',
  `uid` int(1) NOT NULL default '5000',
  `gid` int(1) NOT NULL default '5000',
  `homedir` varchar(100) NOT NULL default '0',
  `maildir` varchar(100) NOT NULL default '0',
  `quota` varchar(50) NOT NULL default '0',
  `postfix` varchar(5) NOT NULL default 'y',
  `user_class` int(1) NOT NULL default '-1',
  `user_level` int(1) NOT NULL default '1',
  `user_lang` varchar(5) default 'en_US',
  `active` int(1) NOT NULL default '0',
  `created` int(11) NOT NULL default '0',
  `modified` int(11) NOT NULL default '0',
  `items_per_page` int(1) NOT NULL default '10',
  `use_cookies` int(1) NOT NULL default '0',
  `forwarding` int(1) NOT NULL default '0',
  `style_id` int(1) NOT NULL default '0',
  `auto_login_key` varchar(40) default NULL,
  PRIMARY KEY  (`user_id`),
  UNIQUE KEY `mailbox_idx2` (`pobox`),
  KEY `mailbox_idx1` (`user_id`)
) ENGINE=MyISAM AUTO_INCREMENT=1113 DEFAULT CHARSET=latin1;

--
-- Dumping data for table `mailbox`
--

LOCK TABLES `mailbox` WRITE;
/*!40000 ALTER TABLE `mailbox` DISABLE KEYS */;
INSERT INTO `mailbox` VALUES (1112, 0, 142, 'gobbly@domain.com', '$1$2c98d176$5toPRXefwKI0n.pihJiMa.', 'Gobbly', 5000, 5000, '/home/vmail', 'domain.com/gobbly/.maildir', '0', 'y', -1, 1 ,'' ,1 ,1196547641, 1196547641, 10, 0, 0, 1, NULL);
/*!40000 ALTER TABLE `mailbox` ENABLE KEYS */;
UNLOCK TABLES;
/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;
/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;

-- Dump completed on 2007-12-01 22:26:45
```

Extra info: Used the CRYPT_MD5 method. The auto-generated password is: NpTD28Zm

Anything look fishy?

----------

## steveb

 *Ateo wrote:*   

> Anything look fishy?

 No. If I do the crypt in PHP I get the same password.

Could you try to connect to your Postfix with telnet and issue:

```
telnet localhost 25
EHLO localhost.localdomain
AUTH PLAIN AGdvYmJseUBkb21haW4uY29tAE5wVEQyOFpt
RSET
QUIT
```

Then do the same with AUTH LOGIN:

```
telnet localhost 25
EHLO localhost.localdomain
AUTH LOGIN
Z29iYmx5QGRvbWFpbi5jb20=
TnBURDI4Wm0=
RSET
QUIT
```

I just typed what you need to enter. Postfix will respond with different status codes but this is irrelevant for the input. Could you post the output of the above two command blocks?

// SteveB

----------
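The base64 strings in steveb's two telnet scripts are the SASL PLAIN initial response and the two LOGIN replies for the test account. As an added example that is not code from the thread, this builds both from the posted username and password, decodes the 334 challenges, and plays the LOGIN exchange against a constructed server transcript; the function names are mine.

```python
import base64

# Test account values from steveb's telnet script above (posted in the thread).
USERNAME = "gobbly@domain.com"
PASSWORD = "NpTD28Zm"


def plain_initial_response(username, password, authzid=""):
    """RFC 4616 PLAIN: base64(authzid NUL authcid NUL password), sent on the AUTH line."""
    raw = f"{authzid}\0{username}\0{password}".encode()
    return base64.b64encode(raw).decode()


def parse_plain_response(token):
    """Decode an AUTH PLAIN token back into (authzid, authcid, password).

    Tokens without exactly two NUL separators are rejected; that is what a
    client that sends a bare username or omits the leading NUL looks like.
    """
    parts = base64.b64decode(token, validate=True).split(b"\0")
    if len(parts) != 3:
        raise ValueError("PLAIN response must contain exactly two NUL bytes")
    return tuple(p.decode() for p in parts)


def login_response(value):
    """One AUTH LOGIN reply line: the value base64-encoded on its own."""
    return base64.b64encode(value.encode()).decode()


def decode_challenge(token):
    """Decode a 334 challenge such as VXNlcm5hbWU6 ('Username:')."""
    return base64.b64decode(token, validate=True).decode()


def auth_login_dialogue(username, password, server_replies):
    """Play the AUTH LOGIN exchange against a scripted server.

    server_replies are the lines the server sends after 'AUTH LOGIN', in order.
    Each 334 challenge is decoded and answered; the first non-334 reply ends
    the dialogue.  Returns (lines the client sent, final reply code).
    """
    answers = {"Username:": login_response(username),
               "Password:": login_response(password)}
    sent = ["AUTH LOGIN"]
    for reply in server_replies:
        code, _, rest = reply.partition(" ")
        if code != "334":
            return sent, int(code)
        prompt = decode_challenge(rest)
        if prompt not in answers:
            raise ValueError(f"unexpected challenge {prompt!r}")
        sent.append(answers[prompt])
    raise ValueError("server ended the dialogue without a final status code")


# Constructed transcript: the two 334 prompts and the 435 reply Ateo's test got.
FAILED_LOGIN_REPLIES = [
    "334 VXNlcm5hbWU6",
    "334 UGFzc3dvcmQ6",
    "435 4.7.0 Error: authentication failed: authentication failure",
]

if __name__ == "__main__":
    print("AUTH PLAIN", plain_initial_response(USERNAME, PASSWORD))
    print(auth_login_dialogue(USERNAME, PASSWORD, FAILED_LOGIN_REPLIES))
```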

## Ateo

bleh! both fail...

```
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.mydomain.com ESMTP Mail.Services (Postfix 2.4.6)
EHLO localhost.localdomain
250-mail.mydomain.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH CRAM-MD5 DIGEST-MD5 LOGIN PLAIN NTLM
250-AUTH=CRAM-MD5 DIGEST-MD5 LOGIN PLAIN NTLM
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN AGdvYmJseUBkb21haW4uY29tAE5wVEQyOFpt
435 4.7.0 Error: authentication failed: authentication failure
RSET
250 2.0.0 Ok
QUIT
221 2.0.0 Bye
Connection closed by foreign host.
```

```
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.mydomain.com ESMTP Mail.Services (Postfix 2.4.6)
EHLO localhost.localdomain
250-mail.mydomain.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH CRAM-MD5 DIGEST-MD5 LOGIN PLAIN NTLM
250-AUTH=CRAM-MD5 DIGEST-MD5 LOGIN PLAIN NTLM
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH LOGIN
334 VXNlcm5hbWU6
Z29iYmx5QGRvbWFpbi5jb20=
334 UGFzc3dvcmQ6
TnBURDI4Wm0=
435 4.7.0 Error: authentication failed: authentication failure
RSET
250 2.0.0 Ok
QUIT
221 2.0.0 Bye
Connection closed by foreign host.
```

----------

## steveb

 *Ateo wrote:*   

> bleh! both fail...

 Could you run smtpd in verbose mode and post what Postfix is complaining about?

// SteveB

----------

## steveb

Can you post the output of:

```
ldd /usr/lib/postfix/master
```

Could you remove the following entries from main.cf:

```
smtpd_sasl_path = /etc/sasl2:/usr/lib/sasl2
smtpd_sasl_type = cyrus
```

Now try again. Does it work now?

// SteveB

----------

## Ateo

 *steveb wrote:*   

> Can you post the output of:
> 
> ```
> ldd /usr/lib/postfix/master
> ```
> ...

 

```
        linux-gate.so.1 =>  (0xb7fb0000)
        libpcre.so.0 => /usr/lib/libpcre.so.0 (0xb7f81000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0xb7f53000)
        libpthread.so.0 => /lib/libpthread.so.0 (0xb7f02000)
        libpam.so.0 => /lib/libpam.so.0 (0xb7ef7000)
        libmysqlclient.so.15 => /usr/lib/libmysqlclient.so.15 (0xb7d9a000)
        libm.so.6 => /lib/libm.so.6 (0xb7d76000)
        libz.so.1 => /lib/libz.so.1 (0xb7d64000)
        libpq.so.5 => /usr/lib/libpq.so.5 (0xb7d49000)
        libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0xb7d08000)
        libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0xb7bc9000)
        libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7bb1000)
        libdb-4.5.so => /usr/lib/libdb-4.5.so (0xb7aa0000)
        libnsl.so.1 => /lib/libnsl.so.1 (0xb7a8b000)
        libresolv.so.2 => /lib/libresolv.so.2 (0xb7a79000)
        libc.so.6 => /lib/libc.so.6 (0xb7963000)
        /lib/ld-linux.so.2 (0xb7fb1000)
        libdl.so.2 => /lib/libdl.so.2 (0xb795f000)
```

 *steveb wrote:*   

> Could you remove the following entries from main.cf:
> 
> ```
> smtpd_sasl_path = /etc/sasl2:/usr/lib/sasl2
> 
> ...

 

I commented out those 2 parameters. Still not authenticating. Here is a snippet of the log, which also shows the sql plugin in action, which looks a little fishy to me:

```
Dec  2 10:38:45 mail.mydomain.com postfix/smtpd[14886]: < unknown[192.168.4.20]: EHLO zeke

Dec  2 10:38:45 mail.mydomain.com postfix/smtpd[14886]: > unknown[192.168.4.20]: 250-mail.mydomain.com

Dec  2 10:38:45 mail.mydomain.com postfix/smtpd[14886]: > unknown[192.168.4.20]: 250-PIPELINING

Dec  2 10:38:45 mail.mydomain.com postfix/smtpd[14886]: > unknown[192.168.4.20]: 250-SIZE 10240000

Dec  2 10:38:45 mail.mydomain.com postfix/smtpd[14886]: > unknown[192.168.4.20]: 250-VRFY

Dec  2 10:38:45 mail.mydomain.com postfix/smtpd[14886]: > unknown[192.168.4.20]: 250-ETRN

Dec  2 10:38:45 mail.mydomain.com postfix/smtpd[14886]: > unknown[192.168.4.20]: 250-STARTTLS

Dec  2 10:38:45 mail.mydomain.com postfix/smtpd[14886]: > unknown[192.168.4.20]: 250-AUTH LOGIN PLAIN

Dec  2 10:38:45 mail.mydomain.com postfix/smtpd[14886]: match_list_match: unknown: no match

Dec  2 10:38:45 mail.mydomain.com postfix/smtpd[14886]: match_list_match: 192.168.4.20: no match

Dec  2 10:38:45 mail.mydomain.com postfix/smtpd[14886]: > unknown[192.168.4.20]: 250-AUTH=LOGIN PLAIN

Dec  2 10:38:45 mail.mydomain.com postfix/smtpd[14886]: > unknown[192.168.4.20]: 250-ENHANCEDSTATUSCODES

Dec  2 10:38:45 mail.mydomain.com postfix/smtpd[14886]: > unknown[192.168.4.20]: 250-8BITMIME

Dec  2 10:38:45 mail.mydomain.com postfix/smtpd[14886]: > unknown[192.168.4.20]: 250 DSN

Dec  2 10:38:45 mail.mydomain.com postfix/smtpd[14886]: watchdog_pat: 0x80c1d08

Dec  2 10:38:45 mail.mydomain.com postfix/smtpd[14886]: vstream_fflush_some: fd 12 flush 183

Dec  2 10:38:45 mail.mydomain.com postfix/smtpd[14886]: vstream_buf_get_ready: fd 12 got 12

Dec  2 10:38:45 mail.mydomain.com postfix/smtpd[14886]: < unknown[192.168.4.20]: AUTH LOGIN

Dec  2 10:38:45 mail.mydomain.com postfix/smtpd[14886]: xsasl_cyrus_server_first: sasl_method LOGIN

Dec  2 10:38:45 mail.mydomain.com postfix/smtpd[14886]: xsasl_cyrus_server_auth_response: uncoded server challenge: Username:

Dec  2 10:38:45 mail.mydomain.com postfix/smtpd[14886]: > unknown[192.168.4.20]: 334 VXNlcm5hbWU6

Dec  2 10:38:45 mail.mydomain.com postfix/smtpd[14886]: vstream_fflush_some: fd 12 flush 18

Dec  2 10:38:45 mail.mydomain.com postfix/smtpd[14886]: vstream_buf_get_ready: fd 12 got 26

Dec  2 10:38:45 mail.mydomain.com postfix/smtpd[14886]: < unknown[192.168.4.20]: ZHJhY2NvQHhkcmFjY28ubmV0

Dec  2 10:38:45 mail.mydomain.com postfix/smtpd[14886]: xsasl_cyrus_server_next: decoded response: user@mydomain.com

Dec  2 10:38:45 mail.mydomain.com postfix/smtpd[14886]: xsasl_cyrus_server_auth_response: uncoded server challenge: Password:

Dec  2 10:38:45 mail.mydomain.com postfix/smtpd[14886]: > unknown[192.168.4.20]: 334 UGFzc3dvcmQ6

Dec  2 10:38:45 mail.mydomain.com postfix/smtpd[14886]: vstream_fflush_some: fd 12 flush 18

Dec  2 10:38:45 mail.mydomain.com postfix/smtpd[14886]: vstream_buf_get_ready: fd 12 got 14

Dec  2 10:38:45 mail.mydomain.com postfix/smtpd[14886]: < unknown[192.168.4.20]: TWFyZ280MjA=

Dec  2 10:38:45 mail.mydomain.com postfix/smtpd[14886]: xsasl_cyrus_server_next: decoded response: ****password****

Dec  2 10:38:45 mail.mydomain.com postfix/smtpd[14886]: sql plugin Parse the username user@mydomain.com

Dec  2 10:38:45 mail.mydomain.com postfix/smtpd[14886]: sql plugin try and connect to a host

Dec  2 10:38:45 mail.mydomain.com postfix/smtpd[14886]: sql plugin trying to open db 'postoffice' on host '127.0.0.1'

Dec  2 10:38:45 mail.mydomain.com postfix/smtpd[14886]: sql plugin Parse the username user@mydomain.com

Dec  2 10:38:45 mail.mydomain.com postfix/smtpd[14886]: sql plugin try and connect to a host

Dec  2 10:38:45 mail.mydomain.com postfix/smtpd[14886]: sql plugin trying to open db 'postoffice' on host '127.0.0.1'

Dec  2 10:38:45 mail.mydomain.com postfix/smtpd[14886]: sql plugin Parse the username user@mydomain.com

Dec  2 10:38:45 mail.mydomain.com postfix/smtpd[14886]: sql plugin try and connect to a host

Dec  2 10:38:45 mail.mydomain.com postfix/smtpd[14886]: sql plugin trying to open db 'postoffice' on host '127.0.0.1'

Dec  2 10:38:45 mail.mydomain.com postfix/smtpd[14886]: begin transaction

Dec  2 10:38:45 mail.mydomain.com postfix/smtpd[14886]: sql plugin create statement from userPassword dracco xdracco.net

Dec  2 10:38:45 mail.mydomain.com postfix/smtpd[14886]: sql plugin doing query SELECT password FROM mailbox WHERE pobox = 'user@mydomain.com' AND active = '1' AND postfix = 'y' LIMIT 1;

Dec  2 10:38:45 mail.mydomain.com postfix/smtpd[14886]: sql plugin create statement from cmusaslsecretPLAIN dracco xdracco.net

Dec  2 10:38:45 mail.mydomain.com postfix/smtpd[14886]: sql plugin doing query SELECT password FROM mailbox WHERE pobox = 'user@mydomain.com' AND active = '1' AND postfix = 'y' LIMIT 1;

Dec  2 10:38:45 mail.mydomain.com postfix/smtpd[14886]: commit transaction

Dec  2 10:38:45 mail.mydomain.com postfix/smtpd[14886]: sql plugin Parse the username user@mydomain.com

Dec  2 10:38:45 mail.mydomain.com postfix/smtpd[14886]: sql plugin try and connect to a host

Dec  2 10:38:45 mail.mydomain.com postfix/smtpd[14886]: sql plugin trying to open db 'postoffice' on host '127.0.0.1'

Dec  2 10:38:45 mail.mydomain.com postfix/smtpd[14886]: warning: unknown[192.168.4.20]: SASL LOGIN authentication failed: authentication failure

Dec  2 10:38:45 mail.mydomain.com postfix/smtpd[14886]: > unknown[192.168.4.20]: 435 4.7.0 Error: authentication failed: authentication failure
```
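Added example, not part of either poster's transcript or log: the base64 in the telnet session above and in the `smtpd -v` output is plain encoding, not encryption, so the `AUTH PLAIN` initial response and the two `AUTH LOGIN` replies are the cleartext credential. The decoded line can be masked by hand before posting, but the base64 the client sent a line earlier still decodes. The script below (Python, my choice; the thread used telnet) builds the RFC 4616 PLAIN token, walks a constructed verbose-smtpd log in the `< peer[ip]: payload` shape seen above to recover each attempt's username, password and outcome, and produces a scrubbed copy with the credential lines redacted. Host names, addresses and credentials in the sample are made up.

```python
"""Recover and scrub SASL credentials from a verbose Postfix smtpd log.

Added example, not from the thread.  Base64 is an encoding, not encryption:
any log that keeps the client side of AUTH LOGIN / AUTH PLAIN has kept the
password.
"""
import base64
import re

# The '< peer[ip]: payload' / '> peer[ip]: payload' lines written by smtpd -v.
LINE_RE = re.compile(r"postfix/smtpd\[\d+\]: ([<>]) (\S+): (.*)$")


def _b64(s):
    return base64.b64encode(s.encode()).decode()


def _unb64(s):
    return base64.b64decode(s.encode(), validate=True).decode()


def plain_token(authcid, password, authzid=""):
    """RFC 4616 PLAIN initial response: authzid NUL authcid NUL password, base64."""
    return _b64(f"{authzid}\0{authcid}\0{password}")


def decode_plain(token):
    """Split a PLAIN token back into (authzid, authcid, password)."""
    parts = _unb64(token).split("\0")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN token")
    return tuple(parts)


def scan(lines):
    """Walk the log once and return (records, scrubbed_lines).

    records: one dict per AUTH attempt (mech, peer, user, password, result).
    scrubbed_lines: the same log with each client line that carried a
    credential replaced by [REDACTED], safe to paste into a forum or ticket.
    """
    records, scrubbed = [], []
    state, current = None, None  # state: None | PLAIN | LOGIN_USER | LOGIN_PASS
    for line in lines:
        m = LINE_RE.search(line)
        replacement = None
        if m:
            direction, peer, payload = m.groups()
            if direction == "<":
                words = payload.split()
                if len(words) >= 2 and words[0].upper() == "AUTH":
                    mech = words[1].upper()
                    current = {"mech": mech, "peer": peer, "user": None,
                               "password": None, "result": "pending"}
                    records.append(current)
                    initial = words[2] if len(words) > 2 else None
                    if mech == "PLAIN":
                        state = "PLAIN"
                        if initial:  # credential sent with the AUTH command itself
                            _, current["user"], current["password"] = decode_plain(initial)
                            state, replacement = None, f"AUTH {mech} [REDACTED]"
                    elif mech == "LOGIN":
                        state = "LOGIN_USER"
                        if initial:
                            current["user"] = _unb64(initial)
                            state, replacement = "LOGIN_PASS", f"AUTH {mech} [REDACTED]"
                    else:
                        state = None  # CRAM-MD5/DIGEST-MD5 do not send the password itself
                elif payload == "*":
                    state = None  # client aborted the exchange
                elif state == "PLAIN":
                    _, current["user"], current["password"] = decode_plain(payload)
                    state, replacement = None, "[REDACTED]"
                elif state == "LOGIN_USER":
                    current["user"] = _unb64(payload)
                    state, replacement = "LOGIN_PASS", "[REDACTED]"
                elif state == "LOGIN_PASS":
                    current["password"] = _unb64(payload)
                    state, replacement = None, "[REDACTED]"
            elif current is not None and current["result"] == "pending":
                code = payload[:3]
                if code == "235":
                    current["result"] = "success"
                elif code[:1] in ("4", "5"):
                    current["result"] = "failure"
        scrubbed.append(line[: m.start(3)] + replacement if replacement else line)
    return records, scrubbed


# Constructed sample log (made-up host, addresses and credentials) in the
# exact shape of the smtpd -v lines quoted in the thread.
_P = "Dec  2 10:38:45 mail.example.com postfix/smtpd[14886]: "
SAMPLE_LOG = [
    _P + "< unknown[192.0.2.10]: AUTH LOGIN",
    _P + "> unknown[192.0.2.10]: 334 " + _b64("Username:"),
    _P + "< unknown[192.0.2.10]: " + _b64("alice@example.com"),
    _P + "> unknown[192.0.2.10]: 334 " + _b64("Password:"),
    _P + "< unknown[192.0.2.10]: " + _b64("hunter2"),
    _P + "> unknown[192.0.2.10]: 435 4.7.0 Error: authentication failed: authentication failure",
    _P + "< unknown[192.0.2.10]: AUTH PLAIN " + plain_token("bob@example.com", "s3cret"),
    _P + "> unknown[192.0.2.10]: 235 2.7.0 Authentication successful",
]

if __name__ == "__main__":
    found, clean = scan(SAMPLE_LOG)
    for rec in found:
        print(rec)
    print("\n".join(clean))
```

Run it over a verbose log before pasting the log anywhere; if the log has already been shared, treat the password as disclosed and rotate it. The same applies to a telnet transcript: the `AUTH PLAIN AGdv...` line and the two replies after `334 VXNlcm5hbWU6` / `334 UGFzc3dvcmQ6` are the credential, and `STARTTLS` before `AUTH` is what keeps them off the wire.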

----------

## steveb

 *Ateo wrote:*   

> Additional info:
> 
> ```
> dev-libs/cyrus-sasl-2.1.22-r2  USE="authdaemond -berkdb -crypt -gdbm -java -kerberos -ldap -mysql -ntlm_unsupported_patch pam -postgres -sample -srp ssl urandom"
> ```
> ...

 Ahhh... you know what? I am an IDIOT! BIG BIG TIME! The reason for all your problems is that I did not help you the way I should! Yes! It is me! Please enable the "crypt" USE flag, then remerge cyrus-sasl, then restart saslauthd and then check again, and all your problems will be gone. Sorry for that.

// SteveB

----------

## Ateo

 *steveb wrote:*   

> Ahhh... you know what? I am an IDIOT! BIG BIG TIME! The reason for all your problems is that I did not help you the way I should! Yes! It is me! Please enable the "crypt" USE flag, then remerge cyrus-sasl, then restart saslauthd and then check again, and all your problems will be gone. Sorry for that.
> 
> // SteveB

 

No no. That was from a previous compile. I disabled it to test use of clear text passwords (didn't work either)....

I've since rebuilt the package with crypt enabled. That log is from cyrus *with* crypt enabled...

These are my current flags:

```
[ebuild   R   ] dev-libs/cyrus-sasl-2.1.22-r2  USE="-authdaemond berkdb crypt -gdbm -java -kerberos -ldap mysql -ntlm_unsupported_patch pam postgres -sample -srp ssl urandom" 0 kB
```

----------

## Ateo

Ok. I'm not quite sure what I did but I opted for *not* using authdaemond. I opted for:

```
[ebuild   R   ] dev-libs/cyrus-sasl-2.1.22-r2  USE="-authdaemond berkdb crypt -gdbm -java -kerberos -ldap mysql -ntlm_unsupported_patch pam -postgres -sample -srp ssl urandom"
```

I verified successful SASL auth:

```
Jan  2 15:52:23 mail.mydomain.com postfix/smtpd[26970]: generic_checks: name=permit_sasl_authenticated

Jan  2 15:52:23 mail.mydomain.com postfix/smtpd[26970]: generic_checks: name=permit_sasl_authenticated status=1
```

I do think I was using the wrong password_type. I changed to crypt. However, this was about a week ago, right before I was about to dive into solving this, when I was distracted with something else. So, in a nutshell, I can't verify that the change is what made the magic happen.

I do have one question about Postfix and the 'permit_sasl_authenticated' parameter.

Assuming I had this set in main.cf:

```
smtpd_recipient_restrictions =

 permit_sasl_authenticated,

 permit_inet_interfaces,

 permit_mynetworks,

 reject_non_fqdn_recipient,

 reject_unknown_recipient_domain,

 reject_unauth_destination,

 check_policy_service inet:127.0.0.1:10025,

 check_recipient_access pcre:$config_directory/inc/filter_dspam,

 permit
```

Do you know, offhand, whether, if the sending client sends empty values for user name and password, it skips the 'permit_sasl_authenticated' challenge? Or does it still query SQL?

Steve, thanks again for superb help.

----------

## steveb

 *Ateo wrote:*   

> I do have one question about Postfix and the 'permit_sasl_authenticated' parameter.
> 
> Assuming I had this set in main.cf:
> 
> ```
> ...

 If empty values do authenticate him/her, then it is not skipped. But I doubt that empty values do authenticate him/her.

 *Ateo wrote:*   

> Steve, thanks again for superb help.

 No problem

// Steve

----------

## Ateo

 *steveb wrote:*   

>  *Ateo wrote:*   
> 
> > Do you know, off hand, that if the sending client sends empty values for user name and password, does it skip the 'permit_sasl_authenticated' challenge? Or does it still query SQL?
> 
> If empty values do authenticate him/her, then it is not skipped. But I doubt that empty values do authenticate him/her.
> 
> // Steve

 

Actually, what I meant was this...

I think I didn't convey my question well...

What I mean is... is 'permit_sasl_authenticated' skipped when there is no user name and password being sent in the request? Such as from a user on 'my_networks' who will not need to enter any SMTP authentication information, thus those values are empty.

----------

## steveb

 *Ateo wrote:*   

> What I mean is... is 'permit_sasl_authenticated' skipped when there is no user name and password being sent in the request? Such as from a user on 'my_networks' who will not need to enter any SMTP authentication information, thus those values are empty.

 Aha. Now I understand. Yes. It is skipped in that case.

// SteveB
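Added example, not from the thread and not Postfix's own code: a small simulation of how Postfix walks a restriction list, using the `smtpd_recipient_restrictions` order Ateo posted above. Each restriction answers PERMIT, REJECT or DUNNO; the first PERMIT or REJECT decides, and DUNNO falls through to the next entry. For a client that never sent `AUTH`, `permit_sasl_authenticated` answers DUNNO, which is the "skipped" SteveB describes; a client on `mynetworks` then matches `permit_mynetworks`. The `mynetworks`, `inet_interfaces` and `mydestination` values, the known-domain set standing in for the DNS lookup, and the stand-ins for the policy service and the pcre table are all assumptions made for the example.

```python
"""Walk a Postfix smtpd_recipient_restrictions list the way smtpd does.

Added example, not Postfix code.  Every restriction answers PERMIT, REJECT or
DUNNO; Postfix stops at the first PERMIT or REJECT and treats DUNNO as
'no opinion, try the next entry'.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PERMIT, REJECT, DUNNO = "PERMIT", "REJECT", "DUNNO"


@dataclass
class Client:
    ip: str
    recipient: str
    sasl_username: Optional[str] = None  # set only after a successful AUTH


# Assumed site settings; the thread does not show them.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("192.168.4.0/24")]
INET_INTERFACES = {"127.0.0.1", "192.168.4.1"}
MYDESTINATION = {"mydomain.com"}
KNOWN_DOMAINS = MYDESTINATION | {"example.net"}  # stand-in for the DNS lookup


def _domain(c):
    return c.recipient.rpartition("@")[2].lower()


def permit_sasl_authenticated(c):
    # No AUTH happened -> no username -> DUNNO, so the next entry is consulted.
    return PERMIT if c.sasl_username else DUNNO


def permit_inet_interfaces(c):
    return PERMIT if c.ip in INET_INTERFACES else DUNNO


def permit_mynetworks(c):
    addr = ipaddress.ip_address(c.ip)
    return PERMIT if any(addr in net for net in MYNETWORKS) else DUNNO


def reject_non_fqdn_recipient(c):
    return REJECT if "." not in _domain(c) else DUNNO


def reject_unknown_recipient_domain(c):
    return REJECT if _domain(c) not in KNOWN_DOMAINS else DUNNO


def reject_unauth_destination(c):
    # The relay control: a foreign destination is rejected unless an earlier
    # permit_* entry already accepted the client.
    return DUNNO if _domain(c) in MYDESTINATION else REJECT


def check_policy_service(c):
    return DUNNO  # stand-in for inet:127.0.0.1:10025


def check_recipient_access(c):
    return DUNNO  # stand-in for the pcre filter_dspam table


def permit(c):
    return PERMIT


# The order posted in the thread.
SMTPD_RECIPIENT_RESTRICTIONS = [
    permit_sasl_authenticated, permit_inet_interfaces, permit_mynetworks,
    reject_non_fqdn_recipient, reject_unknown_recipient_domain,
    reject_unauth_destination, check_policy_service, check_recipient_access, permit,
]

# Constructed counter-example: a terminal 'permit' placed before reject_unauth_destination.
MISORDERED = [permit_sasl_authenticated, permit_mynetworks, permit, reject_unauth_destination]


def evaluate(client, restrictions=SMTPD_RECIPIENT_RESTRICTIONS):
    """Return (verdict, deciding_restriction, trace) for one RCPT TO."""
    trace = []
    for r in restrictions:
        verdict = r(client)
        trace.append((r.__name__, verdict))
        if verdict != DUNNO:
            return verdict, r.__name__, trace
    return DUNNO, None, trace  # not reached with the lists above: both end in a decision


def is_open_relay(restrictions):
    """True if an unauthenticated outside client may send to a foreign domain."""
    stranger = Client(ip="203.0.113.5", recipient="victim@example.net")
    return evaluate(stranger, restrictions)[0] == PERMIT


if __name__ == "__main__":
    for c in (Client("192.168.4.20", "friend@example.net"),
              Client("203.0.113.5", "friend@example.net", sasl_username="user@mydomain.com"),
              Client("203.0.113.5", "friend@example.net")):
        print(c, "->", evaluate(c)[:2])
    print("posted order open relay:", is_open_relay(SMTPD_RECIPIENT_RESTRICTIONS))
    print("misordered open relay:  ", is_open_relay(MISORDERED))
```

The `is_open_relay` check is the one worth keeping: with the posted order an unauthenticated outside client sending to a foreign domain is stopped by `reject_unauth_destination`, while a list that reaches `permit` (or `permit_mynetworks` with an over-broad `mynetworks`) before `reject_unauth_destination` relays for anyone.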

----------

## Ateo

Thanks for confirming that.

----------

