# Postfix + SASL + MySQL - saslauthd not authenticating

## charlesread

Hi everybody,

I'm trying to set up an SMTP server on my Gentoo box that uses SASL for authentication that sits on top of a MySQL database - right now I'm just working on the authentication part - and I just can't get it to work - I've read maybe 10 howtos and done quite a bit of research, but everything I try still has authentication failing.  I select simple authentication in my mail client and it just won't go - interestingly I can send to system users with no password at all.

Would you mind taking a look and seeing if there is anything obvious that I am doing wrong?  As usual, I would be very appreciative.  I've been going crazy over here - any help?

Thanks!


/etc/postfix/main.cf:

```
soft_bounce = yes
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix
myhostname = gentoo.charlesread.com
mydomain = charlesread.com
myorigin = $myhostname
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost
unknown_local_recipient_reject_code = 550
mynetworks_style = host
#mynetworks =  127.0.0.0/8
#mynetworks = $config_directory/mynetworks
#mynetworks = hash:/etc/postfix/network_table
debug_peer_level = 2
sendmail_path = /usr/sbin/sendmail
mailq_path = /usr/bin/mailq
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /etc/postfix
readme_directory = no
inet_protocols = ipv4
home_mailbox = .maildir/
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_path = /etc/sasl2/smtpd
smtpd_sasl_type = cyrus
smtpd_sasl_authenticated_header = yes
#smtpd_sasl_local_domain =
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
```

/etc/sasl2/smtpd.conf

```
log_level: 7
mech_list: PLAIN LOGIN
pwcheck_method: saslauthd
```

/etc/conf.d/saslauthd:

```
SASLAUTHD_OPTS=" -a pam -n 5"
MECH=pam
```

/etc/pam.d/smtp:  [I happen to be using the same DB that I use for vsFTPd]

```
auth required pam_mysql.so user=vsftpd passwd=XXXXXXXXXX host=localhost db=web table=accounts usercolumn=username passwdcolumn=pass crypt=2 log=7
account required pam_mysql.so user=vsftpd passwd=XXXXXXXXXX host=localhost db=web table=accounts usercolumn=username passwdcolumn=pass crypt=2 log=7
```

Attempting to connect:

```
gentoo charles # perl -MMIME::Base64 -e 'print encode_base64("UUU")'
XXX
gentoo charles # perl -MMIME::Base64 -e 'print encode_base64("PPP")'
YYY
gentoo charles # telnet localhost 25
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 gentoo.charlesread.com ESMTP Postfix
ehlo charlesread.com
250-gentoo.charlesread.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH SCRAM-SHA-1 DIGEST-MD5 OTP NTLM CRAM-MD5 LOGIN PLAIN
250-AUTH=SCRAM-SHA-1 DIGEST-MD5 OTP NTLM CRAM-MD5 LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
auth login
334 VXNlcm5hbWU6
XXX
334 UGFzc3dvcmQ6
YYY
435 4.7.8 Error: authentication failed: authentication failure
quit
221 2.0.0 Bye
Connection closed by foreign host.
gentoo charles # testsaslauthd -u UUU -p PPP -s smtp
0: OK "Success."
```

/var/log/mail.log: (after restarting everything and attempting a connection)

```
Feb  6 20:07:06 gentoo postfix/smtpd[9859]: connection established
Feb  6 20:07:06 gentoo postfix/smtpd[9859]: master_notify: status 0
Feb  6 20:07:06 gentoo postfix/smtpd[9859]: name_mask: resource
Feb  6 20:07:06 gentoo postfix/smtpd[9859]: name_mask: software
Feb  6 20:07:06 gentoo postfix/smtpd[9859]: connect from gentoo.charlesread.com[127.0.0.1]
Feb  6 20:07:06 gentoo postfix/smtpd[9859]: match_list_match: gentoo.charlesread.com: no match
Feb  6 20:07:06 gentoo postfix/smtpd[9859]: match_list_match: 127.0.0.1: no match
Feb  6 20:07:06 gentoo postfix/smtpd[9859]: match_list_match: gentoo.charlesread.com: no match
Feb  6 20:07:06 gentoo postfix/smtpd[9859]: match_list_match: 127.0.0.1: no match
Feb  6 20:07:06 gentoo postfix/smtpd[9859]: smtp_stream_setup: maxtime=300 enable_deadline=0
Feb  6 20:07:06 gentoo postfix/smtpd[9859]: match_hostname: gentoo.charlesread.com ~? 127.0.0.1/32
Feb  6 20:07:06 gentoo postfix/smtpd[9859]: match_hostaddr: 127.0.0.1 ~? 127.0.0.1/32
Feb  6 20:07:06 gentoo postfix/smtpd[9859]: > gentoo.charlesread.com[127.0.0.1]: 220 gentoo.charlesread.com ESMTP Postfix
Feb  6 20:07:06 gentoo postfix/smtpd[9859]: xsasl_cyrus_server_create: SASL service=smtp, realm=(null)
Feb  6 20:07:06 gentoo postfix/smtpd[9859]: name_mask: noanonymous
Feb  6 20:07:12 gentoo postfix/smtpd[9859]: < gentoo.charlesread.com[127.0.0.1]: helo gentoo.charlesread.com
Feb  6 20:07:12 gentoo postfix/smtpd[9859]: > gentoo.charlesread.com[127.0.0.1]: 250 gentoo.charlesread.com
Feb  6 20:07:16 gentoo postfix/smtpd[9859]: < gentoo.charlesread.com[127.0.0.1]: auth login
Feb  6 20:07:16 gentoo postfix/smtpd[9859]: xsasl_cyrus_server_first: sasl_method login
Feb  6 20:07:16 gentoo postfix/smtpd[9859]: xsasl_cyrus_server_auth_response: uncoded server challenge: Username:
Feb  6 20:07:16 gentoo postfix/smtpd[9859]: > gentoo.charlesread.com[127.0.0.1]: 334 VXNlcm5hbWU6
Feb  6 20:07:20 gentoo postfix/smtpd[9859]: < gentoo.charlesread.com[127.0.0.1]: XXX
Feb  6 20:07:20 gentoo postfix/smtpd[9859]: xsasl_cyrus_server_next: decoded response: UUU
Feb  6 20:07:20 gentoo postfix/smtpd[9859]: xsasl_cyrus_server_auth_response: uncoded server challenge: Password:
Feb  6 20:07:20 gentoo postfix/smtpd[9859]: > gentoo.charlesread.com[127.0.0.1]: 334 UGFzc3dvcmQ6
Feb  6 20:07:23 gentoo postfix/smtpd[9859]: < gentoo.charlesread.com[127.0.0.1]: YYY
Feb  6 20:07:23 gentoo postfix/smtpd[9859]: xsasl_cyrus_server_next: decoded response: PPP
Feb  6 20:07:23 gentoo postfix/smtpd[9859]: warning: gentoo.charlesread.com[127.0.0.1]: SASL login authentication failed: authentication failure
Feb  6 20:07:23 gentoo postfix/smtpd[9859]: > gentoo.charlesread.com[127.0.0.1]: 435 4.7.8 Error: authentication failed: authentication failure
Feb  6 20:07:25 gentoo postfix/smtpd[9859]: < gentoo.charlesread.com[127.0.0.1]: quit
Feb  6 20:07:25 gentoo postfix/smtpd[9859]: > gentoo.charlesread.com[127.0.0.1]: 221 2.0.0 Bye
Feb  6 20:07:25 gentoo postfix/smtpd[9859]: match_hostname: gentoo.charlesread.com ~? 127.0.0.1/32
Feb  6 20:07:25 gentoo postfix/smtpd[9859]: match_hostaddr: 127.0.0.1 ~? 127.0.0.1/32
Feb  6 20:07:25 gentoo postfix/smtpd[9859]: disconnect from gentoo.charlesread.com[127.0.0.1]
Feb  6 20:07:25 gentoo postfix/smtpd[9859]: master_notify: status 1
Feb  6 20:07:25 gentoo postfix/smtpd[9859]: connection closed
```

But, testsaslauthd works fine!

```
gentoo charles # testsaslauthd -u UUU -p PPP -s smtp
0: OK "Success."
```

----------

## cach0rr0

any reason to have saslauthd using pam (which then uses mysql) instead of having it go to mysql directly?

better still, set up the mysql query directly in /etc/sasl2/smtpd.conf

```
pwcheck_method: auxprop
auxprop_plugin: sql
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
sql_engine: mysql
sql_hostnames: 127.0.0.1
sql_user: web
sql_passwd: yourmysqlpassword
sql_database: web
sql_select: SELECT pass FROM accounts WHERE username = '%u@%r'
```

(note that '%u@%r' is localpart @ domain.tld; if your sasl username is just stored as 'localpart', just use '%u')

That won't work with crypt'd passwords as of a somewhat recent version of cyrus-sasl, which doesn't yet support this patchset. If that applies to you, disregard the entirety of my post!

What you've done *seems* like it should work, and may well be your only option if your passwords are encrypted and you're on a later cyrus-sasl. 

Only other thing that seems off is that the AUTH mechlist showing up includes far more than just PLAIN and LOGIN. I worry that, as per the postfix doc, your client may be trying one of these other mechs first. They shouldn't even be showing up if you've restarted/reloaded postfix since you made that smtpd.conf change.

Try doing your same tests over an encrypted channel?

```
openssl s_client -connect x.x.x.x:25 -starttls smtp
```

Maybe plain/login are disallowed over unencrypted connections.
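A small diagnostic script, added here and not written by either poster, that checks the two points raised in this reply: whether the AUTH mechanisms the server advertises in EHLO match the `mech_list` in smtpd.conf (a mismatch means smtpd is not reading the file you edited or has not been reloaded), and whether the same credentials behave differently over STARTTLS than over the plaintext telnet session. The sample EHLO text is the one quoted in the thread; `try_auth` takes whatever host, user and password you pass in and is the only part that needs a live server.

```python
import base64
import smtplib
import ssl
from typing import Set, Tuple

# Constructed sample: the EHLO reply quoted in the thread, "250-" prefixes stripped.
SAMPLE_EHLO = (
    "gentoo.charlesread.com\nPIPELINING\nSIZE 10240000\nVRFY\nETRN\n"
    "AUTH SCRAM-SHA-1 DIGEST-MD5 OTP NTLM CRAM-MD5 LOGIN PLAIN\n"
    "AUTH=SCRAM-SHA-1 DIGEST-MD5 OTP NTLM CRAM-MD5 LOGIN PLAIN\n"
    "ENHANCEDSTATUSCODES\n8BITMIME\nDSN"
)

def advertised_auth_mechs(ehlo_text: str) -> Set[str]:
    """Mechanisms the server offers in its 'AUTH ...' and 'AUTH=...' EHLO lines."""
    mechs: Set[str] = set()
    for line in ehlo_text.splitlines():
        line = line.strip()
        if line.upper().startswith("AUTH"):
            mechs.update(line[4:].lstrip("=").split())
    return mechs

def unexpected_mechs(ehlo_text: str, mech_list: str = "PLAIN LOGIN") -> Set[str]:
    """Advertised mechanisms that are not in smtpd.conf's mech_list.
    Non-empty means smtpd is not using the smtpd.conf you think it is."""
    return advertised_auth_mechs(ehlo_text) - set(mech_list.upper().split())

def decode_b64_line(line: str) -> str:
    """Decode a '334 <base64>' server challenge or a bare base64 client response."""
    return base64.b64decode(line.split()[-1]).decode()

def login_responses(user: str, password: str) -> Tuple[str, str]:
    """The two base64 lines a client sends after 'AUTH LOGIN'."""
    enc = lambda s: base64.b64encode(s.encode()).decode()
    return enc(user), enc(password)

def plain_initial_response(user: str, password: str) -> str:
    """AUTH PLAIN initial response: base64 of NUL user NUL password (no authzid)."""
    return base64.b64encode(b"\0" + user.encode() + b"\0" + password.encode()).decode()

def try_auth(host: str, user: str, password: str, port: int = 25,
             starttls: bool = True) -> Tuple[int, str]:
    """Repeat the telnet test, over STARTTLS by default (the default SSL context
    verifies the server certificate, so a self-signed cert will raise here).
    Returns the server's reply code and text from the AUTH exchange."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        if starttls:
            smtp.starttls(context=ssl.create_default_context())
            smtp.ehlo()  # mechanism list may differ once the channel is encrypted
        try:
            code, msg = smtp.login(user, password)
        except smtplib.SMTPAuthenticationError as err:
            return err.smtp_code, err.smtp_error.decode(errors="replace")
    return code, msg.decode(errors="replace")
```

Compare `unexpected_mechs(...)` on the EHLO reply from `try_auth` before and after STARTTLS: Postfix only honours `smtpd.conf` changes after a reload, and a list that still includes SCRAM-SHA-1, DIGEST-MD5, OTP, NTLM and CRAM-MD5 with `mech_list: PLAIN LOGIN` is the mismatch this reply points at.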

----------

