# [SOLVED] Postfix/Dovecot/Postfixadmin/MySQL/SASL

## Sakkath

What's the best way of getting SASL to work for smtp-auth?  Should I use the SASL Dovecot provides or should I use cyrus-sasl?

If I get it working, I'll update the HOWTO on gentoo-wiki.com that I've used (http://gentoo-wiki.com/HOWTO_Secure_Mail_Server_using_Dovecot).

Any help is thanked for in advance :).

----------

## elgato319

I'm using postfix/dovecot/mysql/postfixadmin/... 

 *Quote:*   

> smtpd_sasl_type = dovecot
> smtpd_sasl_path = private/auth_dovecot
> ...

 

SMTP Auth against mySQL Database.

Works flawlessly, no more courier-authlib needed :D

I highly recommend it if you are using dovecot.

BTW: I use Roundcube as webmailer instead of squirrelmail.

----------

## Sakkath

Thanks for the reply, I'll set that up in one moment.

I have another problem now.  If I send mail from the same server the Dovecot system is on, with smtpd or `sendmail`, it works fine.  If I try to send mail from another host, it's never received.  This is the smtpd's response from that other host.

```
This message was created automatically by mail delivery software.

A message that you sent has not yet been delivered to one or more of its
recipients after more than 32 hours on the queue on tiresias.site5.com.

The message identifier is:     1HF09b-0002IX-Pw
The date of the message is:    Wed, 07 Feb 2007 22:41:06 -0500
The subject of the message is: Test

The address to which the message has not yet been delivered is:

  sakkath@somedomain.com

No action is required on your part. Delivery attempts will continue for
some time, and this warning may be repeated at intervals if the message
remains undelivered. Eventually the mail delivery software will give up,
and when that happens, the message will be returned to you.
```

I can try another smtp too for maybe a more verbose output.

----------

## Sakkath

Apparently I didn't understand how SMTP works.  I opened port 25 and things *should* work now.

A question about SASL again, to have SASL work that guy up there said, do I need to have sasl useflag for postfix?  Also, do I need to set anything in dovecot.conf?

----------

## shing6326

In postfix-2.2.* you need to install cyrus-sasl to have SMTP SASL authentication.

But postfix-2.3.* supports dovecot-sasl, which means you do not need to install cyrus-sasl.

You can disable the sasl USE flag and enable the dovecot-sasl USE flag in postfix-2.3.

 *Quote:*   

> sasl? (  >=dev-libs/cyrus-sasl-2 )

 

 *Quote:*   

> Postfix 2.3 has Dovecot SASL support built into the SMTP server.  As before, support for Cyrus SASL is available as add-on feature for the Postfix SMTP
> ...

 

----------

## Sakkath

Oh, well postfix-2.3 is keyworded (at least on amd64).  I guess I must use cyrus-sasl then!

Okay.  I'm confused whether to use pwcheck_method = auxprop (then specify mysql for that) or to use pwcheck_method = saslauthd.

http://gentoo-wiki.com/HOWTO_Email:_A_Complete_Virtual_System_-_SMTP_Authentication used auxprop to specify the pgsql database and such, and this howto: http://www.gentoo.org/doc/en/virt-mail-howto.xml#doc_chap4 uses saslauthd.

I'm not exactly sure what saslauthd is.

----------

## shing6326

 *Sakkath wrote:*   

> Oh, well postfix-2.3 is keyworded (at least on amd64).  I guess I must use cyrus-sasl then!
> 
> Okay.  I'm confused whether to use pwcheck_method = auxprop (then specify mysql for that) or to use pwcheck_method = saslauthd.
> 
> http://gentoo-wiki.com/HOWTO_Email:_A_Complete_Virtual_System_-_SMTP_Authentication used auxprop to specify the pgsql database and such, and this howto: http://www.gentoo.org/doc/en/virt-mail-howto.xml#doc_chap4 uses saslauthd.
> ...

 

Both are OK, but pwcheck_method saslauthd is better, as it passes the auth variables to your IMAP auth module (maybe courier-authd or dovecot). Even if you change the auth method in IMAP, you do not need to change anything in your saslauthd again.

----------

## magic919

Postfix 2.3 is only marked unstable, isn't it?  Postfix 2.3 is a stable version for the rest of the world, so you only need to set the system to use the ~ branch for Postfix.  Many of us have 2.3 running on production systems, don't write it off yet.

I got fed up with all that Cyrus-sasl and only implemented smtp-auth successfully with Dovecot 1.x and Postfix 2.3.

----------

## ticho

 *magic919 wrote:*   

> Postfix 2.3 is only marked unstable, isn't it?  Postfix 2.3 is a stable version for the rest of the world, so you only need to set the system to use the ~ branch for Postfix.  Many of us have 2.3 running on production systems, don't write it off yet.

 

There's a stabilization bug open for postfix-2.3.6. A few arches have already caught on, so Postfix 2.3 is slowly making its way into stable Gentoo.

----------

## Sakkath

Well, if you guys say it's safe, I'll go ahead and check it out :).  I'll unmask postfix-2.3.6 :).

----------

## Sakkath

I'm not exactly sure as to what to put into dovecot.conf.  I currently have this:

```
auth default {
        mechanisms = plain login
        userdb sql {
                args = /etc/dovecot/dovecot-mysql.conf
        }
        passdb sql {
                args = /etc/dovecot/dovecot-mysql.conf
        }
        user = root
        count = 2
        socket listen {
                client {
                        path = /var/run/dovecot/auth-client
                        mode = 0660
                        user = postfix
                        group = postfix
                }
        }
}
```

When I go to start dovecot up, this is in my mail.log:

```
dovecot: Feb 10 09:04:16 Info: Dovecot v1.0.rc15 starting up
dovecot: Feb 10 09:04:17 Error: child 1724 (auth) returned error 89
dovecot: Feb 10 09:04:17 Error: Auth process died too early - shutting down
dovecot: Feb 10 09:04:17 Error: auth(default): Socket already exists: /var/run/dovecot/auth-client
dovecot: Feb 10 09:04:17 Error: Temporary failure in creating login processes, slowing down for now
```

It's worked with MySQL flawlessly before; it was when I tried to add the socket listen block (to try to get SASL working for postfix!) that things went wrong.

----------

## ticho

 *Sakkath wrote:*   

> When I go to start dovecot up, this is in my mail.log:
>
> ...

 

You either already have one auth process running, or need to remove /var/run/dovecot/auth-client socket, which is left from some previous run.

----------

## Sakkath

 *ticho wrote:*   

> You either already have one auth process running, or need to remove /var/run/dovecot/auth-client socket, which is left from some previous run.

 

Well, I rm'ed that socket and it's giving me the same error :(.  Are those the right settings for dovecot.conf?

----------

## Sakkath

http://www.dovecot.org/list/dovecot/2006-December/017904.html

I found that and it saved me!  Apparently dovecot auth sockets won't work if the count is > 1!

That makes sense, now that I've read the original conf, I see this

```
# Number of authentication processes to create
```

That makes sense, it was trying to run more than once and that's why it was dying :).

----------

## Sakkath

```
Feb 10 10:41:04 eclipse postfix/smtpd[8936]: warning: SASL: Connect to private/auth_dovecot failed: No such file or directory
Feb 10 10:41:04 eclipse postfix/smtpd[8936]: fatal: no SASL authentication mechanisms
```

Now that's my error, I set up postfix's main.cf like this for SASL:

```
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        check_relay_domains
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth_dovecot
```

----------

## magic919

This should be the path for Dovecot socket

```
        path = /var/spool/postfix/private/auth_dovecot
```

in order to match your Postfix conf.

----------

## Sakkath

 *magic919 wrote:*   

> This should be the path for Dovecot socket
>
> ```
> path = /var/spool/postfix/private/auth_dovecot
> ```
> ...

 

Thanks, I'll try it out.

What should my SASL options be exactly?  Should I enable sasl[2]?

This is what I'm about to try:

```
smtpd_sasl_auth_enable = yes
smtpd_sasl2_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        check_relay_domains
smtpd_sasl_authenticated_header = yes
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth_dovecot
```

----------

## Sakkath

Okay!  I tried that and look!

```
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
```

Woot!!!  Now to actually test it...

UPDATE:  It worked!!!!!!!  Thank you all so very much!

----------
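
Added example, not part of the original thread: a small Python check for the two misconfigurations worked through above, an auth `count` above 1 together with a listening socket, and a Dovecot client socket path that does not match Postfix's `smtpd_sasl_path`. The sample configs are constructed from the snippets posted here; `queue_directory = /var/spool/postfix` and all function names are assumptions.

```python
import posixpath
import re

# Constructed samples modelled on the configs posted in this thread.
MAIN_CF = """\
queue_directory = /var/spool/postfix
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth_dovecot
"""
DOVECOT_BROKEN = """\
auth default {
  count = 2
  socket listen {
    client {
      path = /var/run/dovecot/auth-client
    }
  }
}
"""
DOVECOT_FIXED = (DOVECOT_BROKEN
                 .replace("count = 2", "count = 1")
                 .replace("/var/run/dovecot/auth-client",
                          "/var/spool/postfix/private/auth_dovecot"))

def parse_main_cf(text):
    """Return single-line 'name = value' pairs from a Postfix main.cf."""
    return dict(re.findall(r"^(\w+)[ \t]*=[ \t]*(.*?)[ \t]*$", text, re.M))

def client_socket(text):
    """Return (client socket path, auth process count) from a Dovecot 1.x auth block."""
    path = re.search(r"client\s*\{[^}]*?\bpath\s*=\s*(\S+)", text)
    count = re.search(r"^\s*count\s*=\s*(\d+)", text, re.M)
    return (path.group(1) if path else None, int(count.group(1)) if count else 1)

def check(main_cf, dovecot_conf):
    """List mismatches between Postfix's SASL settings and Dovecot's auth socket."""
    cf = parse_main_cf(main_cf)
    # Assumption: smtpd_sasl_path is resolved relative to queue_directory.
    queue = cf.get("queue_directory", "/var/spool/postfix")
    wanted = posixpath.normpath(posixpath.join(queue, cf.get("smtpd_sasl_path", "")))
    path, count = client_socket(dovecot_conf)
    problems = []
    if path != wanted:
        problems.append(f"Dovecot socket {path} != Postfix expects {wanted}")
    if count > 1:
        problems.append(f"count = {count}: auth sockets need count = 1")
    return problems
```

`check(MAIN_CF, DOVECOT_BROKEN)` reports both problems from the thread; `check(MAIN_CF, DOVECOT_FIXED)` returns an empty list.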

