# Followed the Virtual mail hosting HOWTO; have some questions

## Souperman

Hi

I've followed the virtual mail hosting howto and everything is running quite all right as far as I can tell.  I just have these questions:

1. Several files contain plaintext passwords, most notably /etc/postfix/mysql-*.cf.  These are world-readable which seems rather bad to me.  Would it be safe to 'chown root.mail <filename>' all these files and then 'chmod 750' them, or would this break something?

2. After setting up the alias table in the MySQL db, postfix seems to ignore /etc/mail/aliases.  Is this correct?  If so, does this mean that I should recreate all the default aliases in /etc/mail/aliases in the MySQL db's alias table?

3. When I sent myself a test message (using Mutt, if it makes any difference), the "From" address appeared as "root@myboxname.mydomainname.tld".  Is there any way to make that just "root@mydomainname.tld"?

That's all I can think of for now.  I'll post more questions as they crop up.

Graeme

----------

## Souperman

Nobody?   :Confused: 

*bump*

----------

## kashani

1. If you're allowing logins by users, yes, you should change permissions. I'd try setting /etc/postfix to 700. This depends on how Postfix is reading the files so you might need to mess with this and the ownership a bit to get it to work correctly.

2. Yes, you're correct.

3. It's a setting in mutt. Had the same problem with Pine.

kashani

----------

## Souperman

At the moment nobody else has access, but eventually I will probably give accounts to a handful of friends, that's why the permissions bothered me.  I will mess around with it as you suggest.

Thanks for the info.

Graeme

----------

## bcressey

Postfix reads its configuration files with the master daemon, which runs as root.

So basically if you chown the files to root and chmod them 700, only root will be able to read them -- which is what you want.

Note that postfix will log warnings if a user other than root owns the files, but it will be able to read them regardless.

----------

## Souperman

Thanks for clearing that up.   :Wink: 

----------

## squealie

A question for you.

How did you deal with the Apache-php install?

I followed the How-To to the letter, and can't get php to render.

I'm stuck, and after trying solutions from this forum, and failing, have to do something.

I may have to go back to RH   :Sad:   if nothing gets me going.

----------

## Redeeman

Don't go to RH. /etc/conf.d/apache2

Remember to have -D PHP4 in it.

In the file you can see how to.

----------

## Souperman

OK, after much fiddling, I currently have this:

```shell
chown -R root.postfix /etc/postfix
chmod -R 750 /etc/postfix
chmod 755 /etc/postfix/main.cf
```

Postfix cannot read the files if they are chmod 700 and owned by root.root.

The exception for /etc/postfix/main.cf being world readable is needed because the "sendmail" program used to do local delivery does not run as root or the postfix owner but rather as whatever user the mail is destined for.  This isn't an issue as no plain-text passwords are stored in main.cf.

Note that if you are using mailman, you need to change the group ownership on /etc/postfix to root.mail and add user mailman to the mail group by editing /etc/group.

Hope this helps someone.

----------

## harsha

for (3):

https://forums.gentoo.org/viewtopic.php?t=95555

harsha

----------

## Souperman

Hmmmm ... delivery to virtual users fails unless I set /etc/postfix/mysql-*.cf world readable.  :Sad: 

Does anyone have any further insights?

----------

## Souperman

Does anyone know what permissions Postfix's "virtual" program runs with?  I'm getting

```
Oct 29 15:25:01 wizard postfix/virtual[16180]: fatal: open /etc/postfix/mysql-virtual-maps.cf: Permission denied
```

in my syslog.   :Confused: 

----------

## squealie

I hope you don't resent me hijacking your thread...

I'm working on this thing too, and perplexed on adding virtual users.

I add user to the users table but delivery to the user fails with 'status=bounced (unknown user "testuser")'

Have you experienced/solved this?

Thanks.

----------

## g_os

Hello,

Has somebody progressed on this issue? I want to protect my config too, and more precisely my mysql password ...

Some input?

Thanks

G_os

----------

## Souperman

OK, still no solution, so I figured I can live without virtual mailboxes and stripped the MySQL parts of the mail setup.  It didn't even break.   :Cool: 

If anyone ever finds a solution to the problem please let me know.

----------

## g_os

Grrr,

Bad news. I need it  :Smile: 

I will check this in detail these holidays if I have time ...

G_os

----------

## Stefan de Groot

*squealie wrote:*

> I add user to the users table but delivery to the user fails with 'status=bounced (unknown user "testuser")'

I had this same problem, but after some tries...

The solution to this "problem" is to make use of the virtual table of the database. And then it will work. But it is all not very logical.

----------

## Souperman

For those who had a problem with permissions on the /etc/postfix/mysql-*.cf files:

```shell
# chown root.postfix /etc/postfix/mysql-*
# chmod 640 /etc/postfix/mysql-*
```

Now your MySQL password cannot be seen by normal users and virtual mailbox delivery should work just fine.   :Cool: 
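A check for the layout above (owner root, group postfix, mode 640 on the mysql-*.cf files), as an added example that is not from the thread or from Postfix: it scans a configuration directory for map files that carry a "password =" parameter and reports any that are world-readable, writable beyond the owner, or not owned as expected. The sample directory, file contents and the uid/gid used as the expected owner are constructed for the demo.

```python
import os
import stat
import tempfile
from pathlib import Path

def holds_db_password(path: Path) -> bool:
    """True if this Postfix map file sets the 'password =' parameter."""
    for line in path.read_text(errors="replace").splitlines():
        if line.lstrip().startswith("#") or "=" not in line:
            continue
        if line.split("=", 1)[0].strip().lower() == "password":
            return True
    return False

def audit_postfix_dir(confdir, expected_uid, allowed_gids):
    """Return [(filename, problem), ...] for mysql-*.cf files holding a password.

    Target state from the thread: owner root, group postfix (or mail when
    mailman needs it), mode 0640.  0700/root.root breaks delivery because
    virtual(8) does not run as root; o+r hands the MySQL password to every
    local account.
    """
    findings = []
    for path in sorted(Path(confdir).glob("mysql-*.cf")):
        if not holds_db_password(path):
            continue
        st = path.stat()
        mode = stat.S_IMODE(st.st_mode)
        if mode & stat.S_IROTH:
            findings.append((path.name, "world-readable (%o)" % mode))
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((path.name, "writable beyond owner (%o)" % mode))
        if st.st_uid != expected_uid:
            findings.append((path.name, "owner uid %d, expected %d" % (st.st_uid, expected_uid)))
        if st.st_gid not in allowed_gids:
            findings.append((path.name, "group gid %d not allowed" % st.st_gid))
    return findings

def demo():
    """Constructed sample directory: one file fixed to 0640, one left at 0644."""
    confdir = tempfile.mkdtemp(prefix="postfix-audit-")
    fixed = Path(confdir, "mysql-virtual-maps.cf")
    leaky = Path(confdir, "mysql-virtual-uid.cf")
    for f in (fixed, leaky):
        f.write_text("user = mail\npassword = constructed-secret\nhosts = localhost\n")
    os.chmod(fixed, 0o640)
    os.chmod(leaky, 0o644)
    # the demo's own uid/gid stand in for root/postfix so it runs unprivileged
    st = fixed.stat()
    return audit_postfix_dir(confdir, st.st_uid, {st.st_gid})

if __name__ == "__main__":
    for name, problem in demo():
        print("%s: %s" % (name, problem))
```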

----------

## g_os

*Souperman wrote:*

> Now your MySQL password cannot be seen by normal users and virtual mailbox delivery should work just fine.

If everybody can read your postfix-mysql password, just give that user the right to SELECT only in mysql. And so all local users can have this password but can only see the database content, and it is not a big issue  :Very Happy: 

G_os

----------

## Souperman

Of course it's a big issue!  Every e-mail account's login id and plaintext password is stored in a table in the database.

----------

## Souperman

Double-posted   :Embarassed: 

----------

## g_os

*Souperman wrote:*

> Of course it's a big issue!  Every e-mail account's login id and plaintext password is stored in a table in the database.

Nope   :Cool:  I remember now that I do not use plain-text passwords ... Sorry for those who use them. I can check how I do that if somebody is interested.

G_os

----------

## g_os

*g_os wrote:*

> I can check how I do that if somebody is interested.

Not too hard   :Razz: 

I use sasl for authentication (smtp/imap/pop3/tls/...) and sasl is configured to use PAM for password checking. So it is PAM's job to do that. I have just used the following line for configuring pam:

```
account  sufficient       pam_mysql.so server=localhost db=XXXXX user=XXXXXXXX passwd=XXXXXXXXXXXXX table=users usercolumn=email passwdcolumn=crypt crypt=1 sqllog=0
```

That's all.

G_os

----------

## Souperman

Sweet.  Are you running the same sort of setup as the virtual mailhosting howto?  If so, I assume your /etc/pam.d/(imap|pop) files also say crypt=1?  I wonder why the folks who wrote that howto used plaintext.   :Confused: 

----------

## g_os

*Souperman wrote:*

> Sweet.  Are you running the same sort of setup as the virtual mailhosting howto?

Yes, I started from the Virtual Mailhosting Howto. But some things were strange from my point of view, so I changed them. I cannot remember which. Not all was working fine, so I took my courage and read all the postfix documentation. I want to have:

- Mysql conf
- Virtual domain
- Virtual users
- Real /etc/passwd users (not supported in the howto, but easy: only PAM stuff).
- Crypted password.
- Transparent migration for my users, who are running on a postfix without virtual domain.
- Squirrelmail compatible and https.
- courier imap and not cyrus which is great but too risky.
- SASL auth.
- SMTP TLS.

And all is working great since october 2003  :Cool: 

I recently added minimalist, a 50kB mailing list manager, and submitted the ebuild to bugs.gentoo.org. And the MUST, spamassassin  :Laughing: 

I am a happy man, except for the previous issue, which is corrected by SELECT only or your chmod (not tested yet).

*Souperman wrote:*

> If so, I assume your /etc/pam.d/(imap|pop) files also say crypt=1?  I wonder why the folks who wrote that howto used plaintext.

Yes, exactly.

G_os

----------

## Souperman

Hmmm ... are you sure we're talking about the same document?  Most of the stuff you mentioned is already part of the setup.  http://www.gentoo.org/doc/en/virt-mail-howto.xml

----------

## g_os

Yes, we speak of the same document. But some things were not in it. I wrote the list of features I wanted and succeeded.

In fact, I do not remember the differences between the "official" config and mine after tweaks :p)

Surely, I have added:

- Real /etc/passwd users and virtual users at the same time.
- Crypted password.
- Transparent migration for my users, who are running on a postfix without virtual domain (perl script to migrate account (mbox -> maildir) through imap).

G_os

----------

## Souperman

I guess by "real /etc/passwd users" you mean that you don't need to add them in mysql?  How do you do that?

Also, do you know if it's possible to add a virtual mailbox with an e-mail address in my "main" domain?

E.g. my box's domain is mydomain.com and I have virtual domains vdomain1.com and vdomain2.com.  I want to be able to create a virtual mailbox for joesoap@mydomain.com but currently I can't get it to work unless I add "joesoap" as a user (in /etc/passwd).  Any idea?

----------

## g_os

*Souperman wrote:*

> E.g. my box's domain is mydomain.com and I have virtual domains vdomain1.com and vdomain2.com.  I want to be able to create a virtual mailbox for joesoap@mydomain.com but currently I can't get it to work unless I add "joesoap" as a user (in /etc/passwd).  Any idea?

It was exactly what I wanted to do  :Wink:  (and succeeded). Sorry, but I cannot answer fully now. I will post later.

In fact, I have no real domain. All are virtual, but for all virtual domains my real users (/etc/passwd) have a working email (the same mailbox).

Details, later.

G_os

----------

## g_os

*Souperman wrote:*

> I guess by "real /etc/passwd users" you mean that you don't need to add them in mysql?  How do you do that?

PAM is your friend:

/etc/pam.d/smtp (pop/imap/...)

Use the following config:

```
auth     sufficient       pam_mysql.so server=localhost db=xxx user=xxxx passwd=xxxx table=users usercolumn=email passwdcolumn=crypt crypt=1 sqllog=0
account  sufficient       pam_mysql.so server=localhost db=xxx user=xxxx passwd=xxxxx table=users usercolumn=email passwdcolumn=crypt crypt=1 sqllog=0
auth    sufficient      /lib/security/pam_pwdb.so nullok shadow
account sufficient      /lib/security/pam_pwdb.so
```

G_os

----------

## Souperman

Hmmm ... what do you use to encrypt passwords?   :Confused: 

----------

## g_os

I take the encrypted password from /etc/passwd  :Smile:  It's not the same crypt function that MySQL uses to encrypt.

See the source file of pam_mysql (search for crypt).

- crypt=0: plain
- crypt=1: unix pass
- crypt=2: make_scrambled_password (mysql function).
- crypt=3: MD5, but is it activated?

See below to better understand:

```c
switch (options.crypt) {
        /* PLAIN */
        case 0: strcpy(encryptedPass, passwd);
                break;
        /* ENCRYPT */
        case 1: if (strlen(row[0]) < 12) {
                        /* strlen < 12 isn't a valid encrypted password. */
                        syslog(LOG_ERR, "%s", "pam_mysql: select returned an invalid encrypted password");
                        break;
                }
                salt = malloc(sizeof(char) * strlen(row[0]) + 1);
                if (salt == NULL) {
                        syslog(LOG_ERR, "%s", "pam_mysql: Insufficient memory to allocate salt");
                        return PAM_BUF_ERR;
                }
                if (strncmp("$1$", row[0], 3) == 0) {
                        /* A MD5 salt starts with "$1$" and is 12 bytes long */
                        strncpy(salt, row[0], 12);
                        salt[12] = '\0';
                } else {
                        /* If it's not MD5, assume DES and a 2 byte salt.  */
                        strncpy(salt, row[0], 2);
                        salt[2] = '\0';
                }
                strcpy(encryptedPass, crypt(passwd, salt));
                free(salt);
                break;
        /* PASSWORD */
        case 2: make_scrambled_password(encryptedPass, passwd);
                break;
#ifdef HAVE_MD5DATA
        /* MD5 hash (not MD5 crypt()) */
        case 3: strcpy(encryptedPass, MD5Data(passwd, strlen(passwd), md5buf));
                if (md5buf != NULL)
                        free(md5buf);
                break;
#endif /* HAVE_MD5DATA */
}
```

G_os

----------

## olgaAr

hmm... I just followed your instructions using your pam configuration files for my pop3d, imap, smtp files. Unfortunately, using crypt=1 does not work for me. Using crypt=0 and storing the password in plain text, everything is fine. If, however, I switch to crypt=1 and use a hash from my /etc/shadow file, I only get login failed errors.

Being kind of a newbie on this subject, I have to admit I don't know how to enable further debugging to get a clue where the problem might be.

Any hints on that?

----------

## Souperman

*g_os wrote:*

> I take the encrypted password from /etc/passwd. It's not the same crypt function that MySQL uses to encrypt.
>
> See the source file of pam_mysql (search for crypt).
>
> crypt=0: plain
> ...

Thanks, this works nicely.

Does anyone know a PHP function to encrypt user input in the same way that 'passwd' does?  In other words, I don't want to have to add a dummy user, set the password using 'passwd', find the encrypted version of it in /etc/shadow and enter that into the MySQL table.  User should go to the php page, enter their plain-text password and PHP should give them the encrypted version which they can copy/paste to me or whatever.

----------

## g_os

*Souperman wrote:*

> Does anyone know a PHP function to encrypt user input in the same way that 'passwd' does?

Check this URL:

http://www.php.net/posix_getpwnam

Go to the comment from: darryl at pointclark dot net

17-Oct-2001 10:43

It execs an external binary and retrieves data from it. Maybe passwd can output the generated pass to you.

Another solution is to use the crypt function of php:

http://www.php.net/manual/fr/ref.mcrypt.php and then crypt yourself, as done in the pam_mysql code I copied in my previous post:

```c
strcpy(encryptedPass, crypt(passwd, salt));
```

Let me know your result !

G_os

----------

## Souperman

Nope, 'passwd' doesn't provide an option to output the password on stdout and I can't use crypt() if I don't know what salt my system uses.   :Confused: 

I'll have to add a fake user each time I need to add a virtual mailbox.

----------

## g_os

*Souperman wrote:*

> Nope, 'passwd' doesn't provide an option to output the password on stdout and I can't use crypt() if I don't know what salt my system uses.
>
> I'll have to add a fake user each time I need to add a virtual mailbox.

If I read the code of pam_mysql, the salt is extracted from the password itself. See below:

```c
if (strncmp("$1$", row[0], 3) == 0) {
        /* A MD5 salt starts with "$1$" and is 12 bytes long */
        strncpy(salt, row[0], 12);
        salt[12] = '\0';
} else {
        /* If it's not MD5, assume DES and a 2 byte salt.  */
        strncpy(salt, row[0], 2);
        salt[2] = '\0';
}
```

So you can decide what your salt is. I think the salt is defined for EACH password. I'm not an expert in passwords  :Cool: 

G_os
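Putting the pam_mysql logic above into practice, as an added example that is neither from the thread nor from pam_mysql: a pure-Python MD5-crypt ("$1$") implementation that produces the same hashes passwd stores in /etc/shadow, a salt extraction that mirrors the 12-byte/2-byte rule in the snippet, and a verify function in the shape of the crypt=1 check. It also answers the earlier question about producing such a hash without creating a dummy user: new_hash picks a fresh random salt, which is why no system-wide salt has to be known. The password "s3cret" and the function names are constructed for the demo.

```python
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = "$1$"

def md5crypt(password: str, salt: str) -> str:
    """MD5-crypt ("$1$") as produced by passwd/crypt(3), in pure Python."""
    salt = salt.split("$")[0][:8]        # crypt(3) stops at '$' and uses at most 8 chars
    pw, sb = password.encode(), salt.encode()
    ctx = hashlib.md5(pw + MAGIC.encode() + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    for i in range(len(pw)):             # len(pw) bytes of alt, repeated as needed
        ctx.update(alt[i % 16:i % 16 + 1])
    i = len(pw)
    while i:                             # per-bit padding: NUL for 1 bits, pw[0] for 0 bits
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                # stretching rounds, alternating operand order
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(sb)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    out = []                             # crypt's own base64 alphabet, bytes shuffled
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = (final[a] << 16) | (final[b] << 8) | final[c]
        for _ in range(4):
            out.append(ITOA64[v & 0x3F])
            v >>= 6
    v = final[11]
    for _ in range(2):
        out.append(ITOA64[v & 0x3F])
        v >>= 6
    return MAGIC + salt + "$" + "".join(out)

def salt_from_hash(stored: str) -> str:
    """Salt prefix exactly as pam_mysql crypt=1 takes it: 12 bytes for "$1$", else 2 (DES)."""
    if len(stored) < 12:
        raise ValueError("not a valid encrypted password")
    return stored[:12] if stored.startswith(MAGIC) else stored[:2]

def new_hash(password: str) -> str:
    """What 'passwd' would store: fresh random 8-char salt plus MD5-crypt of the password."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return md5crypt(password, salt)

def verify(password: str, stored: str) -> bool:
    """pam_mysql-style check for "$1$" hashes: recompute with the stored salt and compare."""
    prefix = salt_from_hash(stored)
    if not prefix.startswith(MAGIC):
        raise NotImplementedError("2-char DES salt: only MD5-crypt is implemented here")
    return hmac.compare_digest(md5crypt(password, prefix[3:]), stored)

if __name__ == "__main__":
    h = new_hash("s3cret")               # constructed sample password
    print(h, verify("s3cret", h), verify("wrong", h))
```

The hash returned by new_hash can be pasted straight into the crypt column used with passwdcolumn=crypt crypt=1.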

----------

## MoonWalker

Hi guys,

what versions of postfix and cyrus-sasl are you using? I just updated to postfix 2.0.18 and sasl 2.1.17 and it broke my working virtual mail setup done after the guide some time ago.

I get a 

```
Jan 26 18:28:56 merc postfix/smtpd[27420]: warning: localhost[127.0.0.1]: SASL LOGIN authentication failed
Jan 26 18:28:57 merc postfix/smtpd[27420]: lost connection after AUTH from localhost[127.0.0.1]
Jan 26 18:28:57 merc postfix/smtpd[27420]: disconnect from localhost[127.0.0.1]
```

when trying to send from squirrelmail, but when trying to send from Outlook I get:

```
Jan 26 18:31:11 merc postfix/smtpd[27444]: TLS connection established from ip-213-226-226-190.ji.cz[213.226.226.190]: TLSv1 with cipher RC4-MD5 (128/128 bits)
Jan 26 18:31:11 merc postfix/smtpd[27444]: warning: ip-213-226-226-190.ji.cz[213.226.226.190]: SASL LOGIN authentication failed
Jan 26 18:31:12 merc postfix/smtpd[27444]: warning: Read failed in network_biopair_interop with errno=0: num_read=0, want_read=5
Jan 26 18:31:12 merc postfix/smtpd[27444]: lost connection after AUTH from ip-213-226-226-190.ji.cz[213.226.226.190]
```

just giving me Outlook's password dialog back, not accepting my pass, and the error says my server doesn't provide SSL... and I'm sure I have compiled with those flags. Receiving is ok btw.

I also get this in the auth.log

```
Jan 26 18:31:11 merc saslauthd[27289]: pam_mysql: select returned more than one result
Jan 26 18:31:11 merc saslauthd[27289]: DEBUG: auth_pam: pam_authenticate failed: Permission denied
Jan 26 18:31:11 merc saslauthd[27289]: do_auth         : auth failure: [user=xxx] [service=smtp] [realm=mydomain.com] [mech=pam] [reason=PAM auth error]
```

Which makes me inclined to believe it's pam related, and more specifically pam_mysql... this is my /etc/pam.d/smtp

```
# $Header: /home/cvsroot/gentoo-x86/net-mail/postfix/files/smtp.pam,v 1.2 2002/05/04 03:55:29 woodchip Exp $
#auth   required        /lib/security/pam_pwdb.so nullok shadow
#account        required        /lib/security/pam_pwdb.so
auth     optional       pam_mysql.so server=localhost db=xxx user=xxx passwd=xxx table=users usercolumn=email passwdcolumn=clear crypt=0
account  required       pam_mysql.so server=localhost db=xxx user=xxx passwd=xxx table=users usercolumn=email passwdcolumn=clear crypt=0
```

 Any ideas?

EDIT: A thing I noticed is the user=xxx in the logged pam auth error only shows the part before @ of the full user name, so somehow, somewhere the @domain.com part is "cut off" and this is probably the source of the error. I just cannot figure out where?

EDIT2:

An other notice, before update I used to get the sqllog "error" all the time, but now it doesn't show up anymore, and I have not added the sqllog=0 flag to pam.d/smtp

----------

## MoonWalker

Well, I rolled back to sasl 2.1.15 and everything started to work again, so obviously there is something in 2.1.17 breaking things. I will file a bugrep.

----------

## g_os

Hi,

Sorry, I can not help you. I work only with the stable version: postfix 2.0.16 and cyrus-sasl-2.1.14 !

G_os

----------

## Souperman

This thread has gone slightly off-topic.  The original problem with the permissions has been solved: https://bugs.gentoo.org/show_bug.cgi?id=36356

----------

## devi0s

I am having problems with my imap server - ERROR : Connection dropped by imap-server - this happens right after I try to login to imap with any imap client, including GUI and netcat.

I get this error message in my /var/log/mail.log file:

```
imapd: chdir "/my_virtual_domain.com/user": No such file or directory
```

I am trying to login as a virtual user whose mailbox is at

/home/vmail/my_virtual_domain.com/user

Shouldn't imap pull the uid and gid for the user:group that /home/vmail/my_virtual_domain.com/user is owned by? I found out that this IS happening correctly using strace.

Use 'ps aux | grep imapd' to find the process number for courier, then use 'strace -f -v -p <pid>' to see what's going on as you try to log into imap with an imap client.

How can I tell what the directory "/my_virtual_domain.com/user" in that error message is relative to (to make sure that imap is actually trying to chdir to /home/vmail/my_virtual_domain.com/user)?

Also, how can I tell what user:group imap is trying to change into that directory with?

Strace output pretty much suggests that courier is trying to chdir to "/my_virt_domain.com/user". Nothing in the strace output suggests that that is NOT an absolute path. That could be the problem, but I don't know how to verify this or fix it. It should be chdir'ing into "/home/vmail/my_virt_domain.com/user".

I can see that in the mysql query made by courier includes the homedir and maildir. The fields returned from mysql that I CAN see data for (in the strace output) all look correct

I see NOTHING in the strace output that shows what the returned values of homedir and maildir are.

I don't know how to test this further and could really use some input here.

Postfix will send and receive mail for the virtual users I have set up.  This was verified with mutt.

Thanks

Devi0s

devios AT comcast DOT net

----------

## devi0s

I fixed my own problem with the help of iggy in the #courier channel on freenode.

In my postfix main.cf file, I had the following:

virtual_mailbox_base = /home/vmail

and in my mysql database, for virtual users, I had

homedir = /my_domain.com/devios

and

maildir = /my_domain.com/devios/.maildir/

The above allowed postfix to work correctly, but courier was unaware of the virtual_mailbox_base = /home/vmail, so courier was not working.

I had to change main.cf to reflect

virtual_mailbox_base = /

and in my mysql database, for virtual users, I set

homedir = /home/vmail/my_domain.com/devios

and

maildir = /home/vmail/my_domain.com/devios/.maildir/

----------

## Unleashed

*Quote:*

> I also get this in the auth.log
>
> Code:
> ...

It's actually saslauthd's fault. Try stopping emerge after the source is unpacked, applying this patch (https://bugs.gentoo.org/attachment.cgi?id=25832&action=view) and resuming the build process.

It should make virtual mailhost howto configs using saslauthd+pam happy again. It's the only thing I use sasl for right now and have no idea if it's going to break anything else, so if you successfully use saslauthd 2.1.17+pam for any other thing it may just stop working.

----------

## devi0s

Though the information is appreciated, I don't understand how your post is relevant...  What are you trying to tell me (I am a n00b).

- Devi0s

----------

## Unleashed

Sorry, it's actually a reply to MoonWalker, so that he can now try sasl-2.1.17, but I didn't include his name in the post.

It doesn't have anything to do with your problem.   :Confused: 

----------

## MoonWalker

Thanks Unleashed,

I reverted back to 2.1.15 and am pretty happy with that, as there isn't anything special in 2.1.17 I'm in need of, so I'm happy with this at the moment.

----------

## cayenne

*Unleashed wrote:*

> *Quote:*
>
> > I also get this in the auth.log
> >
> > Code:
> > ...

I think this may help my problem... but I don't know how you apply this patch?? I have cyrus-sasl 2.1.8 for sparc64. I'm getting the mysql_pam error of select returning more than one result...

Can you explain a little more in depth what I need to do to apply this 'patch'? I can download it...the source is already on my box...just don't know what to do next...

Thank you,

cayenne

----------

## alfmatos

*Stefan de Groot wrote:*

> *squealie wrote:* I add user to the users table but delivery to the user fails with 'status=bounced (unknown user "testuser")'
>
> I had this same problem, but after some tries...
> ...

I tried everything and am still getting bounced:

```
Jul 22 02:38:14 orion postfix/local[2378]: 2209AD604F: to=<alf_matos@digitalself.org>, relay=local, delay=0, status=bounced (unknown user: "alf_matos")
```

My domain is digitalself.org.

The machine is orion.digitalself.org.

How do I set up things correctly for getting virtual users, something like theman@digitalself.org?

I followed the Virtual mail howto, as you might have guessed. I can authenticate with mail clients, even squirrelmail works fine. And sending mail is also fine.

What do I do?

----------

## MoonWalker

If you haven't noticed, there is a new version of cyrus-sasl-2.18-r2 that has the above mentioned patch, but to get it right you have to add 'pam_mysql' to your USE flags. I haven't tested it yet (still running 2.15) as I also have to update postfix 2.0.18 -> 2.1.3 and don't have time for potential hassle right now.

But if you still have problems I suggest you try the above ebuild.

----------

## alfmatos

I am already using that cyrus-sasl version. But I'm with postfix 2.0.19.

----------

## MoonWalker

And you have set the 'pam_mysql' USE flag in /etc/make.conf? The easiest way is to use 'ufed' (#emerge ufed) to check if it's set and do so if not.

w/o the flag the new sasl version wont help you.

----------

## alfmatos

It's not set. Just re-emerge cyrus-sasl with pam_mysql?

But if I can authenticate and login to squirrelmail and send emails, is the problem really with cyrus-sasl?

----------

## MoonWalker

Well, if I understand it correctly the problem is in the interaction between postfix and sasl, so it might be possible that squirrelmail works, as I guess it uses the imap server and not postfix.

Yes, re-emerge cyrus-sasl after you have set the flag.  I don't remember exactly, but I think there was some fuss with emerging it without mysql support as well, or if it was Cram-MD5 support, according to the guide. But it was quite some time since I set it up, so it might not be relevant anymore.

----------

## MoonWalker

Just for your notice, cyrus-sasl-2.1.19 is now in portage and has another approach to deal with the pam-mysql and realm problem. You may like to try it. Read the ebuild file or emerge it alone to get the einfo about how to set it up to work the "old way".

----------

## Shazam

I know it's a kind of old topic, and I actually don't wanna steal anybody's thread, but I think I got the same problem.

I don't want to have my passwords plaintext in the mysql db, so I followed the steps you mentioned above. My imap & pop3 are now working with the crypted pw, however postfix doesn't.

I tried it with crypt=1,2,3 in /etc/pam.d/smtp, however it won't work. I have crypt=1 in /etc/pam.d/imap and /etc/pam.d/pop3.

Is there anything else I need to change in order to have it work?

Something similar to what I did to the authmysqlrc? (changed from

MYSQL_CLEAR_PWFIELD     clear

to

MYSQL_CRYPT_PWFIELD    crypt)

Maybe in /etc/postfix/main.cf?

Well, I'll simply post my smtp and smtpd.conf.

smtp:

```
auth       required     pam_nologin.so
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
auth     optional       pam_mysql.so host=localhost db=mail user=mail passwd=xxxx table=users usercolumn=email passwdcolumn=crypt crypt=1
account  required       pam_mysql.so host=localhost db=mail user=mail passwd=xxxx table=users usercolumn=email passwdcolumn=crypt crypt=1
```

smtpd.conf:

```
pwcheck_method: auxprop
auxprop_plugin: sql
sql_engine: mysql
sql_hostnames: localhost
sql_user: mail
sql_passwd: xxxx
sql_database: mail
sql_select: select crypt from users where email = '%u@%r'
pwcheck_method: saslauthd
mech_list: LOGIN PLAIN CRAM-MD5 DIGEST-MD5
```

----------

## g_os

Hello,

You want to do the following thing:

postfix->sasl->saslauthd->pam->mysql 

Now, it is no longer necessary to pass through pam to do this. I am not an expert and moreover, my virtual users do not need to authenticate (very little domain). My understanding is that cyrus-sasl can access mysql directly.

Search about pam-mysql and cyrus-sasl in bugzilla; there is a lot about it.

After 5 sec search in google:

http://asg.web.cmu.edu/archive/message.php?mailbox=archive.cyrus-sasl&msg=6487

If you are completely stuck, repost a message here after the New Year :-p

Bye

G_os

----------

## Shazam

Well, I searched google over and over, however I didn't really find what I needed, and in bugzilla I wasn't able to find anything either. (me <- noob)

Either I find people having a problem with cyrus and courier, or postfix authenticating against plain text passwords. I found a couple of howtos on the internet that "claim" to use the crypted passwords for postfix, but I tried their way and I ended up the same way as before: my authentication gets rejected.

Well, I tried the following howtos:

http://high5.net/howto/

http://brunny.com/content/view/12/50/

http://archives.neohapsis.com/archives/postfix/2004-07/0483.html

http://lists.freebsd.org/pipermail/freebsd-questions/2004-November/066242.html

http://www.lxtreme.nl/index.pl/docs/linux/dovecot_postfix_pam

Most of the howtos add a

password_format: crypt

to their /etc/sasl2/smtpd.conf, however when I tried to use it, it turned out not to be working.

The last howto I listed uses pam with pgsql, but I can't find anything like it for the pam I get with gentoo, nor something I could use with mysql.

So my guess is that I use the wrong encryption method for the passwords, since most guides tell pretty much the same, but don't tell how to really encrypt them. I tried it with the ENCRYPT command mysql uses, the md5 and crypt command from php and the md5 command from postfixadmin; all turned out to be working with my courier-imap (even though the strings were completely different (but it still authenticated against the right password, not some bogus or arbitrary one)), however it didn't work with postfix. I found an option

srp_mda set to md5 for the /etc/sasl2/smtpd.conf, but this still didn't make it work.

Did any of you achieve it? Getting postfix to auth against a mysql table with a crypted password column?

I would be glad if you could help me, and thanks in advance.

----------

## g_os

I just remember that after searching I put the password from my /etc/passwd file.

G_os

----------

## Shazam

Well, I found the error, but couldn't really solve it; I just found a workaround. The saslauthd didn't authenticate against the database, neither with plaintext passwords nor with crypted ones. All the time I thought it did, postfix actually authenticated against the plaintext password, and postfix just couldn't really handle encrypted ones. So much for MY theory.

What I did now is have sasl authenticate via an imap server, in my case localhost. My courier-imap server authenticates against the crypted passwords in my mysql table, thus sasl does it now too, so I got crypted passwords running for postfix.

I'll just post the confs now, in case anybody else might want to use them:

file:/etc/conf.d/saslauthd

```
SASL_AUTHMECH=rimap
SASL_RIMAP_HOSTNAME=""
SASL_TIME_OF_DAY_LOGIN_RESTRICTION=YES
SASLAUTHD_OPTS="-a ${SASL_AUTHMECH} -r -O localhost"
```

The AUTHMECH=rimap means against a remote imap server.

The -O flag for the opts is the mandatory option for it (specifies host).

file:/etc/pam.d/smtp

```
auth       required     pam_nologin.so
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
```

file:/etc/sasl2/smtpd.conf

```
pwcheck_method: saslauthd
mech_list: LOGIN PLAIN CRAM-MD5 DIGEST-MD5
```

Well, it's working now as I said, but I'm not fully satisfied with it, just because it is a workaround. Does anybody know what could be wrong with my sasl? I emerged with the mysql, pam and authdaemond USE flags on.

----------

