# SASL Working, but Postfix Won't AUTH.

## bpatteson

In setting up Postfix 2.1 with Cyrus SASL 2.1.19 authenticating against a MySQL 4.0 database, I am unable to get SASL authentication working properly for authenticating mail accounts which are stored in the MySQL database "mailsql" and whose mail is stored at "/home/$username/.maildir".

I am using the guide on the Gentoo website: 

http://www.gentoo.org/doc/en/virt-mail-howto.xml

Courier-IMAP is working properly with MySQL. 

Unfortunately, I cannot get Postfix working with Cyrus SASL to send mail through Postfix from a remote location that is not inside $mynetworks.

Cyrus SASL is working with my MySQL database because I can do a:

```
testsasldb -u <username> -p <password>
Ok: Authenicated
```

So I know Cyrus SASL is working. However, Postfix will not authenticate no matter which email client I use.

My /etc/postfix/main.cf is: 

```
myhostname = mail.collegefirstlook.com
mydomain = collegefirstlook.com
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain $mydomain
mynetworks = 192.168.1.0/24, 127.0.0.0/8, 67.0.0.0/8
home_mailbox = .maildir/
local_destination_concurrency_limit = 2
default_destination_concurrency_limit = 10

#SASL Authentication
smtpd_sasl_auth_enable = yes
smtpd_sasl2_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_local_domain =

#Authorization Allowed
smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination

#SSL/TLS Activation Using Generic SSL Key
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/ssl/postfix/server.key
smtpd_tls_cert_file = /etc/ssl/postfix/server.crt
smtpd_tls_CAfile = /etc/ssl/postfix/server.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

alias_maps = mysql:/etc/postfix/mysql-aliases.cf
relocated_maps = mysql:/etc/postfix/mysql-relocated.cf
local_transport = local
local_recipient_maps = $alias_maps $virtual_mailbox_maps unix:passwd.byname
virtual_transport = virtual
virtual_mailbox_domains =
        collegefirstlook.com
virtual_minimum_uid = 1000
virtual_gid_maps = static:$vmail-gid
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual.cf
virtual_uid_maps = static:$vmail-uid
virtual_mailbox_base = /
#virtual_mailbox_limit =
```

My /etc/sasl2/smtp.conf 

```
#MYSQL Setup
pwcheck_method: auxprop
auxprop_plugin: sql
sql_engine: mysql
sql_hostnames: localhost
sql_user: mailsql
sql_passwd: <my password is here>
sql_database: mailsql
sql_select: select clear from users where email = '%u@%r'
mech_list: plain login
pwcheck_method: saslauthd
mech_list: LOGIN PLAIN
```

My /etc/conf.d/saslauthd 

```
SASLAUTHD_OPTS="-a pam"
```

My /etc/pam.d/smtp 

```
auth     optional       pam_mysql.so host=localhost db=mailsql user=mailsql passwd=<my password> table=users usercolumn=email passwdcolumn=clear crypt=0
account  required       pam_mysql.so host=localhost db=mailsql user=mailsql passwd=<my password> table=users usercolumn=email passwdcolumn=clear crypt=0
```

My /etc/pam.d/imap 

```
auth     optional       pam_mysql.so host=localhost db=mailsql user=mailsql passwd=<my password> table=users usercolumn=email passwdcolumn=clear crypt=0
account  required       pam_mysql.so host=localhost db=mailsql user=mailsql passwd=<my password> table=users usercolumn=email passwdcolumn=clear crypt=0
```

My /etc/postfix/mysql-aliases.cf 

```
user            = mailsql
password        = <my password>
dbname          = mailsql
table           = alias
select_field    = destination
where_field     = alias
hosts           = unix:/var/run/mysqld/mysqld.sock
```

My /etc/postfix/mysql-relocated.cf 

```
user            = mailsql
password        = <my password>
dbname          = mailsql
table           = relocated
select_field    = destination
where_field     = email
hosts           = unix:/var/run/mysqld/mysqld.sock
```

My /etc/postfix/mysql-virtual-maps.cf 

```
#myql-virtual-maps.cf
user            = mailsql
password        = <my password>
dbname          = mailsql
table           = users
select_field    = maildir
where_field     = email
additional_conditions = and postfix = 'y'
hosts           = unix:/var/run/mysqld/mysqld.sock
```

My /etc/postfix/virtual.cf 

```
# mysql-virtual.cf
user            = mailsql
password        = <my password>
dbname          = mailsql
table           = virtual
select_field    = destination
where_field     = email
hosts           = unix:/var/run/mysqld/mysqld.sock
```

MySQL is set up properly with the right users and information in a database called mailsql with the tables: alias, relocated, transport, users, virtual. Courier IMAP is reading user names and passwords and authenticating properly with the instructions in the guide.

Postfix on the other hand will not authenticate with or without TLS/SSL. 

Telnetting in on port 26 (set to port 26 because my ISP has blocked 25 - both server and client can send email on this port when not using SASL)

I get this when I try to auth: 

```
220 mail.collegefirstlook.com ESMTP Postfix
EHLO mail.collegefirstlook.com
250-mail.collegefirstlook.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME
```

So I know Postfix is offering authentication. I just have no idea how to troubleshoot from here. I do not know how to see where Cyrus SASL is failing in connecting with MySQL and how Pam.d plays any role in the authentication. I think what happens is Postfix goes to Cyrus SASL which goes to Pam.d which goes to MySQL, but I don't really understand the whole process.

My /var/log/mail/current reads this as the problem: 

```
Nov  5 16:02:39 [postfix/smtpd] timeout after EHLO from unknown[68.106.111.177]
Nov  5 16:02:39 [postfix/smtpd] disconnect from unknown[68.106.111.177]
Nov  5 16:03:29 [postfix/smtpd] connect from unknown[68.106.111.177]
Nov  5 16:03:40 [postfix/smtpd] warning: SASL authentication failure: Couldn't find mech asdfasdfjsdksdflss
Nov  5 16:03:40 [postfix/smtpd] warning: unknown[68.106.111.177]: SASL asdfasdfjsdksdflss authentication failed
```

So it looks to me like SASL is not able to find the password authentication mechanism whether it be MySQL or PAM.d (I don't know). Any help would be appreciated. I have been working a long time on this.


----------

## bpatteson

Anyone have any ideas?

----------

## Lore84

You are not alone, I have the same problem. Does anyone know?

----------

## dashnu

It may be this....

/etc/conf.d/saslauthd

```
# Authentications mechanism (for list see saslauthd -v)
SASL_AUTHMECH=pam

# Specify the authentications mechanism.
# *NOTE* For list see: saslauthd -v
# From 2.1.19, add "-r" to options for old behavior
# ie. reassemble user and realm to user@realm form.
SASLAUTHD_OPTS="${SASLAUTH_MECH} -a pam -r"
#SASLAUTHD_OPTS="${SASLAUTH_MECH} -a pam"
```

And using that how-to you need to use uname@domain.tld for your username, NOT just uname.

Hope this helps; if not, post back, because I have this setup running in two different places with no issues.

----------

## Lore84

It still does not work. Here is my log when I try to send email from KMail with TLS and PLAIN authentication.

```
Nov 11 23:46:00 defiant postfix/smtpd[5767]: SSL_accept:SSLv3 flush data
Nov 11 23:46:00 defiant postfix/smtpd[5767]: TLS connection established from unknown[192.168.0.16]: TLSv1 with cipher RC4-MD5 (128/128 bits)
Nov 11 23:46:00 defiant postfix/smtpd[5767]: name_mask: noanonymous
Nov 11 23:46:00 defiant postfix/smtpd[5767]: watchdog_pat: 0x80b1058
Nov 11 23:46:00 defiant postfix/smtpd[5767]: < unknown[192.168.0.16]: EHLO [192.168.0.16]
Nov 11 23:46:00 defiant postfix/smtpd[5767]: > unknown[192.168.0.16]: 250-defiant.zapto.org
Nov 11 23:46:00 defiant postfix/smtpd[5767]: > unknown[192.168.0.16]: 250-PIPELINING
Nov 11 23:46:00 defiant postfix/smtpd[5767]: > unknown[192.168.0.16]: 250-SIZE 10240000
Nov 11 23:46:00 defiant postfix/smtpd[5767]: > unknown[192.168.0.16]: 250-VRFY
Nov 11 23:46:00 defiant postfix/smtpd[5767]: > unknown[192.168.0.16]: 250-ETRN
Nov 11 23:46:00 defiant postfix/smtpd[5767]: > unknown[192.168.0.16]: 250-AUTH LOGIN PLAIN
Nov 11 23:46:00 defiant postfix/smtpd[5767]: > unknown[192.168.0.16]: 250-AUTH=LOGIN PLAIN
Nov 11 23:46:00 defiant postfix/smtpd[5767]: match_list_match: unknown: no match
Nov 11 23:46:00 defiant postfix/smtpd[5767]: match_list_match: 192.168.0.16: no match
Nov 11 23:46:00 defiant postfix/smtpd[5767]: > unknown[192.168.0.16]: 250 8BITMIME
Nov 11 23:46:00 defiant postfix/smtpd[5767]: watchdog_pat: 0x80b1058
Nov 11 23:46:00 defiant postfix/smtpd[5767]: < unknown[192.168.0.16]: AUTH PLAIN dW5rbm93bkBkZWZpYW50LnphcHRvLm9yZwB1bmtub3duQGRlZmlhbnQuemFwdG8ub3JnAGhlc2xv
Nov 11 23:46:00 defiant postfix/smtpd[5767]: smtpd_sasl_authenticate: sasl_method PLAIN, init_response dW5rbm93bkBkZWZpYW50LnphcHRvLm9yZwB1bmtub3duQGRlZmlhbnQuemFwdG8ub3JnAGhlc2xv
Nov 11 23:46:00 defiant postfix/smtpd[5767]: smtpd_sasl_authenticate: decoded initial response unknown@defiant.zapto.org
Nov 11 23:46:00 defiant postfix/smtpd[5767]: warning: SASL authentication failure: Password verification failed
Nov 11 23:46:00 defiant postfix/smtpd[5767]: warning: unknown[192.168.0.16]: SASL PLAIN authentication failed
Nov 11 23:46:00 defiant postfix/smtpd[5767]: > unknown[192.168.0.16]: 535 Error: authentication failed
Nov 11 23:46:00 defiant postfix/smtpd[5767]: watchdog_pat: 0x80b1058
Nov 11 23:46:00 defiant postfix/smtpd[5767]: smtp_get: EOF
Nov 11 23:46:00 defiant postfix/smtpd[5767]: lost connection after AUTH from unknown[192.168.0.16]
Nov 11 23:46:00 defiant postfix/smtpd[5767]: disconnect from unknown[192.168.0.16]
Nov 11 23:46:00 defiant postfix/smtpd[5767]: master_notify: status 1
Nov 11 23:46:00 defiant postfix/smtpd[5767]: connection closed
Nov 11 23:46:00 defiant postfix/smtpd[5767]: watchdog_stop: 0x80b1058
Nov 11 23:46:00 defiant postfix/smtpd[5767]: watchdog_start: 0x80b1058
```
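
Added example, not part of any post in this thread: a Python helper that decodes the `AUTH PLAIN` token a verbose smtpd log records, overwrites the password before the log is shared, and models which login saslauthd hands to PAM with and without `-r` (the reason `usercolumn=email` needs the full address). The sample line and account are constructed, and splitting at the last `@` is an assumption based on the config comment quoted earlier in the thread.

```python
import base64
import re

# The two places a verbose smtpd log (as in the post above) repeats the token.
TOKEN = re.compile(r"(AUTH PLAIN |init_response )([A-Za-z0-9+/=]+)")

def encode_plain(authcid, password, authzid=""):
    """RFC 4616 PLAIN initial response: authzid NUL authcid NUL passwd."""
    raw = "\0".join((authzid, authcid, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def decode_plain(token):
    """Return (authzid, authcid, password); raise ValueError if malformed."""
    parts = base64.b64decode(token, validate=True).split(b"\0")
    if len(parts) != 3:
        raise ValueError("expected three NUL-separated fields")
    return tuple(p.decode("utf-8") for p in parts)

def saslauthd_login(authcid, reassemble):
    """Login passed to the saslauthd backend (PAM in this thread).

    Assumption: models the comment quoted above, i.e. user and realm are
    split at the last '@' and only -r joins them back into user@realm.
    """
    user, at, realm = authcid.rpartition("@")
    if not at:
        return authcid
    return f"{user}@{realm}" if reassemble else user

def redact(line):
    """Overwrite the password in a logged token, keeping both identities."""
    def _sub(m):
        try:
            authzid, authcid, _ = decode_plain(m.group(2))
        except ValueError:  # bad base64, bad UTF-8 or wrong field count
            return m.group(1) + "[REDACTED]"
        return m.group(1) + encode_plain(authcid, "REDACTED", authzid)
    return TOKEN.sub(_sub, line)

# Constructed sample in the log format above; the account is made up.
SAMPLE = ("Nov 11 23:46:00 mx postfix/smtpd[1234]: < unknown[192.0.2.10]: "
          "AUTH PLAIN " + encode_plain("alice@example.org", "s3cret"))

if __name__ == "__main__":
    print(redact(SAMPLE))
    for r in (False, True):
        print("-r" if r else "no -r", "->", saslauthd_login("alice@example.org", r))
```

Base64 is an encoding, not encryption, so any log captured at this verbosity carries the account password in recoverable form.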

----------

## dashnu

I will look closer at work tomorrow for you, but your log looks like you are trying to auth against saslpasswd. You want to auth against your SQL db.

----------

## Lore84

Now it is working. I re-emerged cyrus-sasl. It seems that it was compiled without MySQL support.

But I have a different problem: if I connect from the internal network I can use a TLS connection, but from localhost or the internet I cannot use it.

----------

