# Postfix + SASL + MySQL

## mocsokmike

I have a working virtual mailserver installation (Postfix, Cyrus-SASL, MySQL, etc.). After a recent update, I have strange error messages in my syslog.

They seem to be hacking attempts; only the sql plugin message (sql plugin could not connect to host 127.0.0.1) concerns me. Needless to say, all e-mail traffic is OK.

Here is the error:

```
auth-debug   2007-01-16 11:03:08   postfix/smtpd[4722]: sql auxprop plugin using mysql engine

mail-info   2007-01-16 11:03:08   postfix/smtpd[4722]: initializing the server-side TLS engine

mail-info   2007-01-16 11:03:08   postfix/smtpd[4722]: connect from 61-217-224-67.dynamic.hinet.net[61.217.224.67]

mail-info   2007-01-16 11:03:14   postfix/smtpd[4722]: lost connection after EHLO from 61-217-224-67.dynamic.hinet.net[61.217.224.67]

mail-info   2007-01-16 11:03:14   postfix/smtpd[4722]: disconnect from 61-217-224-67.dynamic.hinet.net[61.217.224.67]

mail-info   2007-01-16 11:03:19   postfix/smtpd[4722]: connect from 61-217-224-67.dynamic.hinet.net[61.217.224.67]

auth-debug   2007-01-16 11:03:21   postfix/smtpd[4722]: sql plugin Parse the username webmaster@mydomain.com

auth-debug   2007-01-16 11:03:21   postfix/smtpd[4722]: sql plugin try and connect to a host

auth-debug   2007-01-16 11:03:21   postfix/smtpd[4722]: sql plugin trying to open db 'postfix' on host '127.0.0.1'

auth-err   2007-01-16 11:03:21   postfix/smtpd[4722]: sql plugin could not connect to host 127.0.0.1

auth-err   2007-01-16 11:03:21   postfix/smtpd[4722]: sql plugin couldn't connect to any host

auth-debug   2007-01-16 11:03:21   postfix/smtpd[4722]: sql plugin Parse the username webmaster@mydomain.com

auth-debug   2007-01-16 11:03:21   postfix/smtpd[4722]: sql plugin try and connect to a host

auth-debug   2007-01-16 11:03:21   postfix/smtpd[4722]: sql plugin trying to open db 'postfix' on host '127.0.0.1'

auth-err   2007-01-16 11:03:21   postfix/smtpd[4722]: sql plugin could not connect to host 127.0.0.1

auth-err   2007-01-16 11:03:21   postfix/smtpd[4722]: sql plugin couldn't connect to any host

auth-debug   2007-01-16 11:03:21   postfix/smtpd[4722]: sql plugin Parse the username webmaster@mydomain.com

auth-debug   2007-01-16 11:03:21   postfix/smtpd[4722]: sql plugin try and connect to a host

auth-debug   2007-01-16 11:03:21   postfix/smtpd[4722]: sql plugin trying to open db 'postfix' on host '127.0.0.1'

auth-err   2007-01-16 11:03:21   postfix/smtpd[4722]: sql plugin could not connect to host 127.0.0.1

auth-err   2007-01-16 11:03:21   postfix/smtpd[4722]: sql plugin couldn't connect to any host

auth-debug   2007-01-16 11:03:21   postfix/smtpd[4722]: sql plugin Parse the username webmaster@mydomain.com

auth-debug   2007-01-16 11:03:21   postfix/smtpd[4722]: sql plugin try and connect to a host

auth-debug   2007-01-16 11:03:21   postfix/smtpd[4722]: sql plugin trying to open db 'postfix' on host '127.0.0.1'

auth-err   2007-01-16 11:03:21   postfix/smtpd[4722]: sql plugin could not connect to host 127.0.0.1

auth-err   2007-01-16 11:03:21   postfix/smtpd[4722]: sql plugin couldn't connect to any host

mail-warning   2007-01-16 11:03:21   postfix/smtpd[4722]: warning: 61-217-224-67.dynamic.hinet.net[61.217.224.67]: SASL LOGIN authentication failed

mail-info   2007-01-16 11:03:22   postfix/smtpd[4722]: lost connection after AUTH from 61-217-224-67.dynamic.hinet.net[61.217.224.67]

mail-info   2007-01-16 11:03:22   postfix/smtpd[4722]: disconnect from 61-217-224-67.dynamic.hinet.net[61.217.224.67]
```

There is no 'webmaster' user in the database. Normally, Postfix should reply this way:

```
postfix/smtpd[11730]: NOQUEUE: reject: RCPT from mail.senderdomain.com[1.2.3.4]: 550 <webmaster@mydomain.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<sender@senderdomain.com> to=<webmaster@mydomain.com> proto=ESMTP helo=<senderdomain.com>
```

Any ideas what can cause this message?

----------

## magic919

Just seems Postfix is failing to connect to your database.

----------

## kashani

I'd verify that your database is indeed running on localhost. A `netstat -ptln` should do that.

kashani

----------

## mocsokmike

Yes, the database is working and postfix can use it. I am able to log in to the given sql database using postfix's user and pass.

MySQL is also listening on 127.0.0.1:

```
netstat -ptln

Active Internet connections (only servers)

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name

tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      4073/mysqld
```

When I send an e-mail from another mailserver to webmaster, this will appear in the syslog:

```
auth-debug   2007-01-16 14:58:34   postfix/smtpd[11730]: sql auxprop plugin using mysql engine

mail-info   2007-01-16 14:58:34   postfix/smtpd[11730]: initializing the server-side TLS engine

mail-info   2007-01-16 14:58:34   postfix/smtpd[11730]: connect from mail.senderdomain.com[1.2.3.4]

mail-info   2007-01-16 14:58:34   postfix/smtpd[11730]: NOQUEUE: reject: RCPT from mail.senderdomain.com[1.2.3.4]: 550 <webmaster@mydomain.com>: Recipient address rejected: User unknown in virtual mailbox table; from=<sender@senderdomain.com> to=<webmaster@mydomain.com> proto=ESMTP helo=<senderdomain.com>

mail-info   2007-01-16 14:58:34   postfix/smtpd[11730]: disconnect from mail.senderdomain.com[1.2.3.4]
```

And the mail is bounced immediately. So Postfix is using the database correctly, and all e-mail traffic is normal.

I have the following versions:

mail-mta/postfix 2.2.10

dev-db/mysql 5.0.26-r1

dev-libs/cyrus-sasl 2.1.22-r1

----------

## mocsokmike

One more detail.

These 'login failures' (I suspect) come from one PC with a dynamic address. Somewhere in the US, I believe.

Here is its 'history' in my syslog:

```
mail-warning   2007-01-16 11:03:21   postfix/smtpd[4722]: warning: 61-217-224-67.dynamic.hinet.net[61.217.224.67]: SASL LOGIN authentication failed

mail-warning   2007-01-15 10:08:04   postfix/smtpd[30148]: warning: 125-225-97-248.dynamic.hinet.net[125.225.97.248]: SASL LOGIN authentication failed

mail-warning   2007-01-15 09:06:04   postfix/smtpd[28594]: warning: 125-225-97-248.dynamic.hinet.net[125.225.97.248]: SASL LOGIN authentication failed

mail-warning   2007-01-15 03:31:52   postfix/smtpd[22183]: warning: 61-217-225-99.dynamic.hinet.net[61.217.225.99]: SASL LOGIN authentication failed

mail-warning   2007-01-14 10:37:57   postfix/smtpd[6679]: warning: 220-132-182-251.HINET-IP.hinet.net[220.132.182.251]: SASL LOGIN authentication failed

mail-warning   2007-01-12 21:45:38   postfix/smtpd[5091]: warning: 61-217-226-39.dynamic.hinet.net[61.217.226.39]: SASL LOGIN authentication failed

mail-warning   2007-01-12 15:56:38   postfix/smtpd[31304]: warning: 220-133-139-134.HINET-IP.hinet.net[220.133.139.134]: SASL LOGIN authentication failed

mail-warning   2007-01-12 04:39:35   postfix/smtpd[8334]: warning: 220-133-139-133.HINET-IP.hinet.net[220.133.139.133]: SASL LOGIN authentication failed

mail-warning   2007-01-11 21:09:34   postfix/smtpd[846]: warning: 220-133-139-137.HINET-IP.hinet.net[220.133.139.137]: SASL LOGIN authentication failed

mail-warning   2007-01-11 14:48:13   postfix/smtpd[22116]: warning: 220-133-139-135.HINET-IP.hinet.net[220.133.139.135]: SASL LOGIN authentication failed

mail-warning   2007-01-11 07:32:08   postfix/smtpd[7197]: warning: 59-117-108-98.dynamic.hinet.net[59.117.108.98]: SASL LOGIN authentication failed

mail-warning   2006-12-10 16:40:16   postfix/smtpd[4240]: warning: 59-117-103-202.dynamic.hinet.net[59.117.103.202]: SASL LOGIN authentication failed
```

Normally I don't care about these messages; only the sql plugin connection error concerns me. Does anyone know of a security bug in the sql plugin of cyrus-sasl?

#EDITED#

Now I see they began before I updated my system.

----------

## mocsokmike

I still have the problem. Any ideas?

They try usernames like 'root', 'postfix' and 'webmaster'.

Here is a short sample from syslog (mydomain.com is my domain, just replaced it):

```

auth-debug   2007-05-11 19:28:27   postfix/smtpd[12214]: sql plugin Parse the username webmaster@mydomain.com

auth-debug   2007-05-11 19:28:27   postfix/smtpd[12214]: sql plugin try and connect to a host

auth-debug   2007-05-11 19:28:27   postfix/smtpd[12214]: sql plugin trying to open db 'postfix' on host '127.0.0.1'

auth-err   2007-05-11 19:28:27   postfix/smtpd[12214]: sql plugin could not connect to host 127.0.0.1

auth-err   2007-05-11 19:28:27   postfix/smtpd[12214]: sql plugin couldn't connect to any host

auth-debug   2007-05-11 19:28:27   postfix/smtpd[12214]: sql plugin Parse the username webmaster@mydomain.com

auth-debug   2007-05-11 19:28:27   postfix/smtpd[12214]: sql plugin try and connect to a host

auth-debug   2007-05-11 19:28:27   postfix/smtpd[12214]: sql plugin trying to open db 'postfix' on host '127.0.0.1'

auth-err   2007-05-11 19:28:27   postfix/smtpd[12214]: sql plugin could not connect to host 127.0.0.1

auth-err   2007-05-11 19:28:27   postfix/smtpd[12214]: sql plugin couldn't connect to any host

auth-debug   2007-05-11 19:28:27   postfix/smtpd[12214]: sql plugin Parse the username webmaster@mydomain.com

auth-debug   2007-05-11 19:28:27   postfix/smtpd[12214]: sql plugin try and connect to a host

auth-debug   2007-05-11 19:28:27   postfix/smtpd[12214]: sql plugin trying to open db 'postfix' on host '127.0.0.1'

auth-err   2007-05-11 19:28:27   postfix/smtpd[12214]: sql plugin could not connect to host 127.0.0.1

auth-err   2007-05-11 19:28:27   postfix/smtpd[12214]: sql plugin couldn't connect to any host

auth-debug   2007-05-11 19:28:27   postfix/smtpd[12214]: sql plugin Parse the username webmaster@mydomain.com

auth-debug   2007-05-11 19:28:27   postfix/smtpd[12214]: sql plugin try and connect to a host

auth-debug   2007-05-11 19:28:27   postfix/smtpd[12214]: sql plugin trying to open db 'postfix' on host '127.0.0.1'

auth-err   2007-05-11 19:28:27   postfix/smtpd[12214]: sql plugin could not connect to host 127.0.0.1

auth-err   2007-05-11 19:28:27   postfix/smtpd[12214]: sql plugin couldn't connect to any host

mail-warning   2007-05-11 19:28:27   postfix/smtpd[12214]: warning: unknown[59.35.5.62]: SASL LOGIN authentication failed

```

And once more, this mailserver has been up and running correctly for almost a year. MySQL is accessible from 127.0.0.1, there is a db called 'postfix' and the sasl plugin has the correct login settings. It is behind a firewall, so it is only possible to do this via prepared SMTP commands maybe.

----------
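Added example, not part of any post in this thread: a small Python correlator for the syslog layout quoted above. It ties each `SASL LOGIN authentication failed` warning to the usernames and `sql plugin could not connect` errors logged by the same smtpd PID, then groups the failing clients by IPv4 prefix. The names `correlate` and `by_network` are hypothetical, and the sample lines are constructed in the thread's format, reusing addresses quoted in the posts.

```python
import re
from collections import defaultdict

# Constructed sample in the layout shown in this thread
# (facility-level, timestamp, postfix/smtpd[pid]: message).
SAMPLE = """\
auth-debug   2007-05-11 19:28:27   postfix/smtpd[12214]: sql plugin Parse the username webmaster@mydomain.com
auth-err   2007-05-11 19:28:27   postfix/smtpd[12214]: sql plugin could not connect to host 127.0.0.1
auth-debug   2007-05-11 19:28:27   postfix/smtpd[12214]: sql plugin Parse the username webmaster@mydomain.com
auth-err   2007-05-11 19:28:27   postfix/smtpd[12214]: sql plugin could not connect to host 127.0.0.1
mail-warning   2007-05-11 19:28:27   postfix/smtpd[12214]: warning: unknown[59.35.5.62]: SASL LOGIN authentication failed
mail-info   2007-05-11 19:30:02   postfix/smtpd[12300]: connect from mail.senderdomain.com[1.2.3.4]
mail-warning   2007-01-16 11:03:21   postfix/smtpd[4722]: warning: 61-217-224-67.dynamic.hinet.net[61.217.224.67]: SASL LOGIN authentication failed
mail-warning   2007-01-15 03:31:52   postfix/smtpd[22183]: warning: 61-217-225-99.dynamic.hinet.net[61.217.225.99]: SASL LOGIN authentication failed
"""

LINE = re.compile(r"^\S+\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+postfix/smtpd\[(\d+)\]: (.*)$")
USER = re.compile(r"sql plugin Parse the username (\S+)")
DBERR = re.compile(r"sql plugin could not connect to host (\S+)")
FAIL = re.compile(r"warning: (\S+)\[([\d.]+)\]: SASL (\S+) authentication failed")

def correlate(text):
    """Group lines by smtpd PID and return one record per failed SASL login."""
    sessions = defaultdict(lambda: {"users": set(), "db_errors": 0})
    failures = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank lines and lines from other daemons
        ts, pid, msg = m.groups()
        s = sessions[pid]
        if (u := USER.search(msg)):
            s["users"].add(u.group(1))
        elif DBERR.search(msg):
            s["db_errors"] += 1
        elif (f := FAIL.search(msg)):
            failures.append({"time": ts, "pid": pid, "client": f.group(2),
                             "mech": f.group(3), "users": sorted(s["users"]),
                             "db_errors": s["db_errors"]})
            sessions.pop(pid)  # one smtpd process serves several connections
    return failures

def by_network(failures, octets=2):
    """Count failures per IPv4 prefix to expose one source rotating dynamic IPs."""
    counts = defaultdict(int)
    for f in failures:
        counts[".".join(f["client"].split(".")[:octets])] += 1
    return dict(counts)
```

Run over a full log, a `db_errors` count above zero only in records with failed logins, and never for PIDs that handled ordinary mail, shows whether the connection error is confined to the AUTH path.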

