# Cyrus-Sasl not authenticating with crypted password (solved?)

## hanj

Originally this thread began here and I decided to create a new one specific to cyrus-sasl:

https://forums.gentoo.org/viewtopic-t-262183.html

Currently I'm using the following ebuild for cyrus-sasl:

```
dev-libs/cyrus-sasl-2.1.20-r2  -authdaemond +berkdb +crypt -debug +gdbm -java -kerberos -ldap +mysql -ntlm_unsupported_patch +pam -postgres -sample -srp +ssl -static -urandom
```

This includes the checkpw.c patch which is supposed to give sasl the ability to verify crypted passwords in mysql db. I'm still running into problems with this.

Here are relevant snips of configs:

/etc/sasl2/smtpd.conf

```
# $Header: /var/cvsroot/gentoo-x86/mail-mta/postfix/files/smtp.sasl,v 1.2 2004/07/18 03:26:56 dragonheart Exp $
pwcheck_method: auxprop
auxprop_plugin: sql
mech_list: PLAIN LOGIN
#pwcheck_method: saslauthd

# http://frost.ath.cx/software/cyrus-sasl-patches/
## password_format: [plaintext|crypt|crypt_trad]
password_format: crypt

# http://www.asyd.net/docs/cyrus-options.html
sql_engine: mysql
sql_hostnames: 127.0.0.1
sql_database: mailsql
sql_user: mailsql
sql_passwd: xxxxxxxxxx
sql_select: SELECT crypt FROM users WHERE email='%u@%r'
sql_usessl: no
sql_verbose: yes

log_level: 6 # decide yourself, but good for debugging
#define SASL_LOG_NONE  0        /* don't log anything */
#define SASL_LOG_ERR   1        /* log unusual errors (default) */
#define SASL_LOG_FAIL  2        /* log all authentication failures */
#define SASL_LOG_WARN  3        /* log non-fatal warnings */
#define SASL_LOG_NOTE  4        /* more verbose than LOG_WARN */
#define SASL_LOG_DEBUG 5        /* more verbose than LOG_NOTE */
#define SASL_LOG_TRACE 6        /* traces of internal protocols */
#define SASL_LOG_PASS  7        /* traces of internal protocols, including
```

/etc/pam.d/smtp

```
# $Header: /var/cvsroot/gentoo-x86/mail-mta/postfix/files/smtp.pam,v 1.2 2004/07/18 03:26:56 dragonheart Exp $
#auth    required        /lib/security/pam_stack.so service=system-auth
#account required        /lib/security/pam_stack.so service=system-auth
auth     optional       pam_mysql.so host=localhost db=mailsql user=mailsql \
  passwd=xxxxxxx table=users usercolumn=email passwdcolumn=crypt crypt=1 sqllog=1
account  required       pam_mysql.so host=localhost db=mailsql user=mailsql \
  passwd=xxxxxxx table=users usercolumn=email passwdcolumn=crypt crypt=1 sqllog=1
```

/etc/conf.d/saslauthd

```
SASLAUTHD_OPTS=""
SASLAUTHD_OPTS="${SASLAUTH_MECH} -a pam"
SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -n 5"
SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -c -s 128 -t 30"
```

/etc/postfix/main.cf

```
##############################################
# SASL AUTH                                  #
##############################################
smtpd_sasl_auth_enable = yes
smtpd_sasl2_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes

##############################################
# SSL                                        #
##############################################
smtpd_use_tls = yes
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/newreq_mail.pem
smtpd_tls_cert_file = /etc/postfix/newcert_mail.pem
smtpd_tls_CAfile = /etc/postfix/cacert_mail.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
```

/var/log/mail.log during auth process

```
Mar  2 08:39:22 hanji postfix/smtpd[14371]: connect from unknown[10.0.0.40]
Mar  2 08:39:22 hanji postfix/smtpd[14371]: warning: unknown[10.0.0.40]: SASL LOGIN authentication failed
Mar  2 08:39:40 hanji postfix/smtpd[14371]: lost connection after AUTH from unknown[10.0.0.40]
Mar  2 08:39:40 hanji postfix/smtpd[14371]: disconnect from unknown[10.0.0.40]
```

I cannot get any more logging.. even with setting sql_verbose or log_level.. which seems wrong. I can verify that I'm entering the correct crypted password, because I can POP with it.. no errors. My password is simply 'test'. I've tried telnet'ing and performing auth login, and have used my client (sylpheed-claws).. always returns SASL LOGIN authentication failed. After all smtpd.conf changes I've restarted saslauthd services.

Thanks for your help

hanji

Last edited by hanj on Wed Mar 02, 2005 11:50 pm; edited 1 time in total

----------

## langthang

Start with something basic first, such as a *clear* password in your database. Make sure your sasl settings are good, then tweak.

----------

## UberLord

*hanj wrote:*

> I've tried telnet'ing and performing auth login, and have used my client (sylpheed-claws).. always returns SASL LOGIN authentication failed.

Why are you using the LOGIN mech? Have you tried the PLAIN mech? (You may need to remove the LOGIN mech to test)

----------

## hanj

Hello

Thanks for the responses.. I've made further discoveries. Using cyrus-sasl-2.1.20-r2 I'm unable to auth.. even when trying to auth using clear passwords. I rolled back to cyrus-sasl-2.1.20, and now I can send, but only using 'clear' passwords. Looks like I may need to patch it by hand with the checkpw.c.

Anyone else having troubles with cyrus-sasl-2.1.20-r2??

thanks

hanji

----------

## langthang

*Quote:*

> Anyone else having troubles with cyrus-sasl-2.1.20-r2??

no.

```
# emerge cyrus-sasl -vp
[ebuild   R   ] dev-libs/cyrus-sasl-2.1.20-r2  -authdaemond +berkdb +crypt -debug -gdbm -java -kerberos -ldap +mysql -ntlm_unsupported_patch +pam -postgres -sample -srp +ssl -static -urandom 0 kB

# /etc/sasl2/smtpd.conf
...
sql_select: select password from accountuser where username = '%u@%r'
password_format: crypt

# /etc/init.d/postfix restart

$ mysql -u mail_db_user -p mail_databse
....
mysql> UPDATE `accountuser` SET `password` = ENCRYPT( 'sekrit' ) WHERE `username` = 'user@mydomain.com';

$ telnet localhost 25
blah
blah
235 Authentication successful

# tail /var/log/message
Mar  2 12:21:27 localhost postfix/smtpd[8606]: begin transaction
Mar  2 12:21:27 localhost postfix/smtpd[8606]: sql plugin create statement from userPassword user mydomain.com
Mar  2 12:21:27 localhost postfix/smtpd[8606]: sql plugin doing query select password from accountuser where username = 'user@mydomain.com';
Mar  2 12:21:27 localhost postfix/smtpd[8606]: sql plugin create statement from cmusaslsecretPLAIN user mydomain.com
Mar  2 12:21:27 localhost postfix/smtpd[8606]: sql plugin doing query select password from accountuser where username = 'user@mydomain.com';
Mar  2 12:21:27 localhost postfix/smtpd[8606]: commit transaction
Mar  2 12:21:27 localhost postfix/smtpd[8606]: sql plugin Parse the username user@mydomain.com
Mar  2 12:21:27 localhost postfix/smtpd[8606]: sql plugin try and connect to a host
Mar  2 12:21:27 localhost postfix/smtpd[8606]: sql plugin trying to open db 'mail_databse' on host 'localhost'
Mar  2 12:21:27 localhost postfix/smtpd[8606]: > unknown[192.168.0.4]: 235 Authentication successful
```

----------

## hanj

Ok.. now I'm confused.. and upset.

I re-emerge'd cyrus-sasl-2.1.20-r2 to see if I could get clear passwords to work, and without touching any confs, it did??? So I added the configurations to check the crypt field... and it worked?? I have no idea what I did. I guess I'll mark this as 'solved' but I have no idea how I did it. I know I've restarted the services sasl and postfix many times during my initial testing after each configuration change.

Thanks for everyone's help.

On another note... langthang, how do you get these verbose logs??? I've tried in /etc/sasl2/smtpd.conf to add (sql_verbose = yes and log_level 1-7) but nothing more appears in my logs? I've added the '-v' in /etc/postfix/master.cf but that did not give me the sql plugin stuff. Any ideas??

*Quote:*

> # tail /var/log/message
>
> Mar  2 12:21:27 localhost postfix/smtpd[8606]: begin transaction
> ...

thanks again everyone

hanji

----------

## steveb

cool, it works

----------

## msalerno

Did you ever figure out why this issue was solved?  I am currently battling the same beast.

Is the output of emerge -pv cyrus-sasl the same as your earlier post?

Any help would be greatly appreciated.

Thanks,

Matt

BTW, all of my configs are here for review: https://forums.gentoo.org/viewtopic-t-317403-highlight-.html

----------

## hanj

Hello

Not sure what was wrong.. I just re-emerged it.. and it started working correctly.

Currently this is my version:

```
[ebuild   R   ] dev-libs/cyrus-sasl-2.1.20-r2  -authdaemond +berkdb +crypt -debug +gdbm -java -kerberos -ldap +mysql -ntlm_unsupported_patch +pam -postgres -sample -srp +ssl -static -urandom 1,733 kB 
```

I'm still unable to receive the desired logging though.

hanji

----------

## msalerno

Thanks for the reply.  It has been pointed out to me that the problem is that I am not including the crypt support.  I do have crypt in my use flags, but it does not get displayed as a used USE flag.  All I keep getting is:

dev-libs/cyrus-sasl-2.1.20  -authdaemond +berkdb -debug -gdbm -java -kerberos -ldap +mysql +pam -postgres +ssl -static 0 kB

I am going to be using my original post here to prevent duplicate posting.

Thanks again.

Matt

----------

## Wilhelm

I had it working on a patched version of 2.19

Now I'm trying 2.20-r2

The previous problems imo can be solved using the following in /etc/portage/packages.keywords

Since it is not yet labeled stable

```
dev-libs/cyrus-sasl     ~x86
```

Edit: Works!!! Yehaw no more manual patching
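
The difference between the two `emerge -pv` lines posted in this thread can be checked mechanically. The script below is an added example, not code from any poster or from Portage; the helper names `use_flag_state` and `check_sasl_build` are hypothetical, and it assumes the old `+flag` / `-flag` output format shown above.

```shell
#!/bin/sh
# Sample input: the two `emerge -pv cyrus-sasl` lines quoted in this thread.
R2_LINE='[ebuild   R   ] dev-libs/cyrus-sasl-2.1.20-r2  -authdaemond +berkdb +crypt -debug +gdbm -java -kerberos -ldap +mysql -ntlm_unsupported_patch +pam -postgres -sample -srp +ssl -static -urandom 1,733 kB'
PLAIN_LINE='dev-libs/cyrus-sasl-2.1.20  -authdaemond +berkdb -debug -gdbm -java -kerberos -ldap +mysql +pam -postgres +ssl -static 0 kB'

# use_flag_state LINE FLAG (hypothetical helper)
# Prints "enabled", "disabled" or "not-offered" for FLAG in an old-style
# emerge -pv line where flags appear as +flag / -flag.
use_flag_state() {
    case " $1 " in
        *" +$2 "*) echo enabled ;;
        *" -$2 "*) echo disabled ;;
        *)         echo not-offered ;;
    esac
}

# check_sasl_build LINE (hypothetical helper)
# The smtpd.conf in this thread uses sql_engine: mysql and
# password_format: crypt, so both USE flags must be compiled in.
# Returns 0 only if both are enabled.
check_sasl_build() {
    rc=0
    for flag in crypt mysql; do
        case $(use_flag_state "$1" "$flag") in
            enabled)  echo "$flag: enabled" ;;
            disabled) echo "$flag: disabled, enable the USE flag and re-emerge"; rc=1 ;;
            *)        echo "$flag: not listed for this version, so the build cannot provide it"; rc=1 ;;
        esac
    done
    return "$rc"
}

echo "== 2.1.20-r2 =="; check_sasl_build "$R2_LINE" || true
echo "== 2.1.20 ==";    check_sasl_build "$PLAIN_LINE" || true
```

On the 2.1.20 line the `crypt` flag is reported as not listed at all, rather than disabled, which is why setting it in USE has no visible effect there.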

----------

