Linode Forum
https://forum.linode.com/

Sasl CRAM MD5 Postfix SMTP
https://forum.linode.com/viewtopic.php?f=11&t=3995
Page 1 of 1

Author:  tofu [ Sun Mar 15, 2009 1:14 pm ]
Post subject:  Sasl CRAM MD5 Postfix SMTP

Hi,

I have set up my Postfix config to get an SMTP server I can use for sending mail from home.
Got it working with an SSL connection and using PLAIN login.
But now I would like to log in with CRAM-MD5 authentication.
But when I enable CRAM-MD5 in my Apple Mail client, I get an "authentication failed", while PLAIN login is working fine.
Which setting am I missing?
The password is stored PLAIN in my database, because I have CRAM-MD5 working for my IMAP server already.
Quote:
saslfinger - postfix Cyrus sasl configuration Sun Mar 15 18:14:24 CET 2009
version: 1.0.2
mode: server-side SMTP AUTH

-- basics --
Postfix: 2.5.5
System: Debian GNU/Linux 5.0 \n \l

-- smtpd is linked to --
libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7e35000)

-- active SMTP AUTH and TLS parameters for smtpd --
broken_sasl_auth_clients = no
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes


-- listing of /usr/lib/sasl2 --
total 780
drwxr-xr-x 2 root root 4096 Mar 15 01:56 .
drwxr-xr-x 39 root root 12288 Mar 15 14:54 ..
-rw-r--r-- 1 root root 13468 Sep 1 2008 libanonymous.a
-rw-r--r-- 1 root root 855 Sep 1 2008 libanonymous.la
-rw-r--r-- 1 root root 13016 Sep 1 2008 libanonymous.so
-rw-r--r-- 1 root root 13016 Sep 1 2008 libanonymous.so.2
-rw-r--r-- 1 root root 13016 Sep 1 2008 libanonymous.so.2.0.22
-rw-r--r-- 1 root root 15810 Sep 1 2008 libcrammd5.a
-rw-r--r-- 1 root root 841 Sep 1 2008 libcrammd5.la
-rw-r--r-- 1 root root 15352 Sep 1 2008 libcrammd5.so
-rw-r--r-- 1 root root 15352 Sep 1 2008 libcrammd5.so.2
-rw-r--r-- 1 root root 15352 Sep 1 2008 libcrammd5.so.2.0.22
-rw-r--r-- 1 root root 46412 Sep 1 2008 libdigestmd5.a
-rw-r--r-- 1 root root 864 Sep 1 2008 libdigestmd5.la
-rw-r--r-- 1 root root 43500 Sep 1 2008 libdigestmd5.so
-rw-r--r-- 1 root root 43500 Sep 1 2008 libdigestmd5.so.2
-rw-r--r-- 1 root root 43500 Sep 1 2008 libdigestmd5.so.2.0.22
-rw-r--r-- 1 root root 13646 Sep 1 2008 liblogin.a
-rw-r--r-- 1 root root 835 Sep 1 2008 liblogin.la
-rw-r--r-- 1 root root 13460 Sep 1 2008 liblogin.so
-rw-r--r-- 1 root root 13460 Sep 1 2008 liblogin.so.2
-rw-r--r-- 1 root root 13460 Sep 1 2008 liblogin.so.2.0.22
-rw-r--r-- 1 root root 29068 Sep 1 2008 libntlm.a
-rw-r--r-- 1 root root 829 Sep 1 2008 libntlm.la
-rw-r--r-- 1 root root 28436 Sep 1 2008 libntlm.so
-rw-r--r-- 1 root root 28436 Sep 1 2008 libntlm.so.2
-rw-r--r-- 1 root root 28436 Sep 1 2008 libntlm.so.2.0.22
-rw-r--r-- 1 root root 13966 Sep 1 2008 libplain.a
-rw-r--r-- 1 root root 835 Sep 1 2008 libplain.la
-rw-r--r-- 1 root root 14036 Sep 1 2008 libplain.so
-rw-r--r-- 1 root root 14036 Sep 1 2008 libplain.so.2
-rw-r--r-- 1 root root 14036 Sep 1 2008 libplain.so.2.0.22
-rw-r--r-- 1 root root 21702 Sep 1 2008 libsasldb.a
-rw-r--r-- 1 root root 866 Sep 1 2008 libsasldb.la
-rw-r--r-- 1 root root 18080 Sep 1 2008 libsasldb.so
-rw-r--r-- 1 root root 18080 Sep 1 2008 libsasldb.so.2
-rw-r--r-- 1 root root 18080 Sep 1 2008 libsasldb.so.2.0.22
-rw-r--r-- 1 root root 23796 Sep 1 2008 libsql.a
-rw-r--r-- 1 root root 964 Sep 1 2008 libsql.la
-rw-r--r-- 1 root root 23312 Sep 1 2008 libsql.so
-rw-r--r-- 1 root root 23312 Sep 1 2008 libsql.so.2
-rw-r--r-- 1 root root 23312 Sep 1 2008 libsql.so.2.0.22




-- content of /etc/postfix/sasl/smtpd.conf --
pwcheck_method: saslauthd
mech_list: plain login cram-md5
allow_plaintext: true
auxprop_plugin: mysql
sql_hostnames: 127.0.0.1
sql_user: --- replaced ---
sql_passwd: --- replaced ---
sql_database: Mail
sql_select: select Password from Mailboxes where User = '%u'


-- active services in /etc/postfix/master.cf --
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
smtp inet n - - - - smtpd
587 inet n - - - - smtpd
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
relay unix - - - - - smtp
-o smtp_fallback_relay=
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
maildrop unix - n n - - pipe
flags=DRu user=vmail argv=/usr/bin/maildrop -w 90 -d ${recipient}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}

-- mechanisms on localhost --

-- end of saslfinger output --


Thanks in advance,
Laurens

Author:  tofu [ Sun Mar 15, 2009 1:20 pm ]
Post subject: 

Extra information:
When setting MD5 auth, I don't even see a query in my MySQL log, so SASL isn't even passing the query to MySQL.

Working PLAIN:
Quote:
Mar 15 18:16:17 lin postfix/smtpd[3116]: connect from 00-22-161-161.access.telenet.be[00.22.161.161]
Mar 15 18:16:18 lin postfix/smtpd[3116]: 8487A4CE4: client=00-22-161-161.access.telenet.be[00.22.161.161], sasl_method=PLAIN, sasl_username=test@domain.be
Mar 15 18:16:18 lin postfix/cleanup[3119]: 8487A4CE4: message-id=<8120F7AC-414A-4086-BBA8-9C40C832D68F@domain.be>


Not working MD5:
Quote:
Mar 15 18:16:38 lin postfix/smtpd[3129]: connect from 00-22-161-161.access.telenet.be[00.22.161.161]
Mar 15 18:16:38 lin postfix/smtpd[3129]: warning: SASL authentication failure: no secret in database
Mar 15 18:16:38 lin postfix/smtpd[3129]: warning: 00-22-161-161.access.telenet.be[00.22.161.161]: SASL CRAM-MD5 authentication failed: authentication failure
Mar 15 18:16:38 lin postfix/smtpd[3129]: lost connection after AUTH from 00-22-161-161.access.telenet.be[00.22.161.161]
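To make the difference between the two sessions mechanical, here is an added Python parser (not code from this thread or from Postfix) run over copies of the six log lines above. It groups smtpd lines by process id and records, per session, the client, the SASL method and the outcome, keeping the backend detail ("no secret in database") in preference to the generic per-client failure text. The same summary over a day's mail log shows which mechanisms fail, from where, and why, which is the first thing to check before touching the configuration.

```python
import re

# Constructed copies of the log lines quoted in the thread (client name and address as posted).
SAMPLE_LOG = """\
Mar 15 18:16:17 lin postfix/smtpd[3116]: connect from 00-22-161-161.access.telenet.be[00.22.161.161]
Mar 15 18:16:18 lin postfix/smtpd[3116]: 8487A4CE4: client=00-22-161-161.access.telenet.be[00.22.161.161], sasl_method=PLAIN, sasl_username=test@domain.be
Mar 15 18:16:18 lin postfix/cleanup[3119]: 8487A4CE4: message-id=<8120F7AC-414A-4086-BBA8-9C40C832D68F@domain.be>
Mar 15 18:16:38 lin postfix/smtpd[3129]: connect from 00-22-161-161.access.telenet.be[00.22.161.161]
Mar 15 18:16:38 lin postfix/smtpd[3129]: warning: SASL authentication failure: no secret in database
Mar 15 18:16:38 lin postfix/smtpd[3129]: warning: 00-22-161-161.access.telenet.be[00.22.161.161]: SASL CRAM-MD5 authentication failed: authentication failure
Mar 15 18:16:38 lin postfix/smtpd[3129]: lost connection after AUTH from 00-22-161-161.access.telenet.be[00.22.161.161]
"""

# One smtpd process handles one client session, so the pid is the session key.
PID_RE = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$")
CONNECT_RE = re.compile(r"connect from (?P<client>\S+)$")
SUCCESS_RE = re.compile(r"client=(?P<client>\S+), sasl_method=(?P<method>\S+), sasl_username=(?P<user>\S+)")
# Backend-level detail (logged first) and the per-client failure line (logged second).
BACKEND_RE = re.compile(r"warning: SASL authentication failure: (?P<detail>.*)$")
FAIL_RE = re.compile(r"warning: (?P<client>\S+): SASL (?P<method>\S+) authentication failed: (?P<reason>.*)$")


def summarize_smtpd_auth(log_text):
    """Return {pid: {client, method, user, outcome, detail}} for every smtpd session seen."""
    sessions = {}
    for line in log_text.splitlines():
        m = PID_RE.search(line)
        if not m:
            continue  # cleanup, qmgr and other daemons are not part of the AUTH picture
        pid, msg = m.group(1), m.group(2)
        s = sessions.setdefault(pid, {"client": None, "method": None, "user": None,
                                      "outcome": "no-auth", "detail": None})
        if (c := CONNECT_RE.search(msg)):
            s["client"] = c["client"]
        elif (ok := SUCCESS_RE.search(msg)):
            s.update(client=ok["client"], method=ok["method"], user=ok["user"], outcome="success")
        elif (backend := BACKEND_RE.search(msg)):
            s["detail"] = backend["detail"]
        elif (fail := FAIL_RE.search(msg)):
            s.update(client=fail["client"], method=fail["method"], outcome="failure")
            # Keep the more specific backend text when it was logged; fall back to the generic reason.
            s["detail"] = s["detail"] or fail["reason"]
    return sessions


def failed_methods(sessions):
    """Count failed sessions per SASL mechanism, e.g. {'CRAM-MD5': 1}."""
    counts = {}
    for s in sessions.values():
        if s["outcome"] == "failure":
            counts[s["method"]] = counts.get(s["method"], 0) + 1
    return counts


if __name__ == "__main__":
    for pid, info in summarize_smtpd_auth(SAMPLE_LOG).items():
        print(pid, info)
```

Run over the thread's lines, session 3116 comes out as a PLAIN success for test@domain.be and session 3129 as a CRAM-MD5 failure with detail "no secret in database"; the backend detail is what points at the password store rather than at the client.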

Author:  Alucard [ Mon Mar 16, 2009 10:27 am ]
Post subject: 

What distro?

I fought with SASL and Postfix for a while and I got it, but I'm not entirely sure how.

First suggestion: is /etc/sasldb2 available to the chroot? On my Debian, I had to add "etc/sasldb2" to the definition of FILES in /etc/init.d/postfix.

Author:  tofu [ Mon Mar 16, 2009 10:38 am ]
Post subject: 

Alucard wrote:
What distro?

I fought with SASL and Postfix for a while and I got it, but I'm not entirely sure how.

First suggestion: is /etc/sasldb2 available to the chroot? On my Debian, I had to add "etc/sasldb2" to the definition of FILES in /etc/init.d/postfix.


Thanks for your reply.
I'm running Debian Lenny.

I have done nothing with the sasldb2, so that's not in my chroot.
But I think I don't need that file, because I only want to authenticate users from my MySQL database. I think the sasldb2 file is for local users?

To connect to the database, I have set up an "/etc/pam.d/smtp" file and an smtpd.conf file in the sasl directory under my Postfix chroot.
SASL is working, but only with PLAIN authentication. So my database connection is set up correctly (got this after many hours of tweaking and trying). Only CRAM-MD5 is not.
It's strange, because my password is retrieved from my database without encryption, so SASL should be able to make the MD5 from it?
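To show why a plaintext password in the database is necessary but not sufficient, here is an added Python walk-through of the CRAM-MD5 exchange (RFC 2195), not code from this thread or from Cyrus SASL. Both sides are simulated in one process; the `MAILBOXES` dict standing in for the `Mailboxes` table and the two lookup functions are assumptions. The point it demonstrates: the server must recompute HMAC-MD5 over its own challenge using the stored secret, so a backend that can only answer "is this user/password pair valid?" (saslauthd handing the pair to PAM) has nothing to compute with, and the mechanism fails before any database query is made.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for the thread's `Mailboxes` table (assumption: a dict, not MySQL).
MAILBOXES = {"test@domain.be": "correct horse battery staple"}


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def unb64(text: str) -> bytes:
    return base64.b64decode(text)


def make_challenge(hostname: str = "lin") -> str:
    """Server step 1 (RFC 2195): a fresh '<random.timestamp@host>' token, base64-encoded."""
    raw = f"<{secrets.randbelow(10**9)}.{int(time.time())}@{hostname}>"
    return b64(raw.encode("ascii"))


def client_response(challenge_b64: str, username: str, password: str) -> str:
    """Client step: HMAC-MD5 keyed with the password over the decoded challenge,
    sent as base64('username hexdigest'). The password itself never crosses the wire."""
    digest = hmac.new(password.encode("utf-8"), unb64(challenge_b64), hashlib.md5).hexdigest()
    return b64(f"{username} {digest}".encode("utf-8"))


def response_text(response_b64: str) -> str:
    """Decode a client response for inspection ('username hexdigest')."""
    return unb64(response_b64).decode("utf-8")


def server_verify(challenge_b64: str, response_b64: str, lookup):
    """Server step 2: fetch the stored secret, recompute the digest, compare in constant time.
    `lookup(username)` must return the plaintext secret, or None for 'no secret in database'."""
    try:
        username, digest = response_text(response_b64).split(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return False, "malformed response"
    secret = lookup(username)
    if secret is None:
        return False, "no secret in database"
    expected = hmac.new(secret.encode("utf-8"), unb64(challenge_b64), hashlib.md5).hexdigest()
    if hmac.compare_digest(expected, digest):
        return True, username
    return False, "authentication failure"


def auxprop_lookup(username):
    """auxprop-style backend (what `sql_select: select Password ...` provides): returns the secret."""
    return MAILBOXES.get(username)


def saslauthd_style_lookup(username):
    """A saslauthd/PAM-style backend only answers 'is (user, password) valid?'. It can never
    hand the secret back, so from a challenge-response mechanism's point of view it looks like this."""
    return None


def run_exchange(username, password, lookup):
    """Drive one full CRAM-MD5 round trip against the given server-side backend."""
    challenge = make_challenge()
    response = client_response(challenge, username, password)
    return server_verify(challenge, response, lookup)


if __name__ == "__main__":
    print(run_exchange("test@domain.be", "correct horse battery staple", auxprop_lookup))
    print(run_exchange("test@domain.be", "correct horse battery staple", saslauthd_style_lookup))
```

The same exchange with `auxprop_lookup` succeeds and with `saslauthd_style_lookup` fails with exactly the "no secret in database" text seen in the log, for a correct password. The trade-off this makes visible: CRAM-MD5 keeps the password off the wire but obliges the server to store it recoverably, whereas PLAIN inside TLS (smtpd_tls_auth_only = yes is already set above) lets the server keep only a salted hash of the password.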

Author:  Alucard [ Tue Mar 17, 2009 3:57 pm ]
Post subject: 

apt-get install libsasl2-modules

?

Author:  tofu [ Tue Mar 17, 2009 4:00 pm ]
Post subject: 

I already have those, because the MySQL module needs that one.
Quote:
libsasl2-modules is already the newest version.

That module is working. I just want to send my password as an MD5 string instead of a plain password, as an extra.

Author:  tofu [ Tue Mar 31, 2009 1:55 pm ]
Post subject: 

Any other things I can check to get CRAM MD5 working?

Author:  condate [ Tue Mar 31, 2009 3:54 pm ]
Post subject: 

I had similar headaches with Cyrus SASL and switched to using Dovecot SASL mechanism which saved me a world of trouble - not just CRAM-MD5 but getting it to look up the password from the postfixadmin database.

Of course if you're not using Dovecot this might not be of help, but happy to offer my configs if you're interested.

Author:  jed [ Tue Mar 31, 2009 4:34 pm ]
Post subject: 

Quote:
I had similar headaches with Cyrus SASL and switched to using Dovecot SASL mechanism which saved me a world of trouble - not just CRAM-MD5 but getting it to look up the password from the postfixadmin database.

I second this. I couldn't get Cyrus to work for me at all, and all the Howtos recommended I stay away from Cyrus. Dovecot, however, worked almost immediately out of the box with Postfix. It's a very tight fit, and comes with the recommendation of a lot of sysadmins.

I'd be happy to share my configs as well (but I don't do MySQL, I authenticate against Unix users).

Author:  tofu [ Tue Mar 31, 2009 5:52 pm ]
Post subject: 

As I can see, Dovecot is an IMAP client. I have already set up Courier for that, and I'm just getting to know Courier. I see Dovecot is a bit smaller in memory footprint, but I have only one client (meself 8)), so that's not worth changing.
I did get the password lookup from my database working, but also after 2/3 days of trying and seeing a lot of tutorials.
That's just the strange thing: PLAIN login works, so the module HAS the password.
I could use the IMAP authentication, which is I think the way it works with Dovecot? So the SMTP checks if there is a successful IMAP connection for that user/password combo? But then you can't change your query, so you can't specify which users can send mail through your server or not, or add users who don't have a mailbox.

For my next installation I will use Dovecot, thanks for the tip!
But in this installation, I'm not going to change it anymore, I have put too much time into getting this working :twisted:.
The CRAM-MD5 is not that important, but it would be nice to get it working.

Thanks for your replies, condate and jed.

Author:  condate [ Tue Mar 31, 2009 6:44 pm ]
Post subject: 

Hi tofu, I've been google-fu'ing around and I saw this

Quote:
A better option would be to configure courier-authlib to authenticate
against the SQL database, then have Cyrus-SASL use the courier-authlib
authentication scheme.

While it sounds like hackery, it works very well and is very light
weight.


As to how to do that.. not sure. But I had the identical issue to you, in that the db was being bypassed altogether and the failures were related to its attempt to check the passwd against its own sasldb. I fixed *that* error by copying /etc/sasldb to the /var/spool/postfix/... etc location (so a chroot issue there I guess), but never worked out how to get it to stop being stubborn and just use the db.

This howto has some information on using courier authlib, though the author seems to compile everything (may not be necessary.. hopefully not)

Good luck!

Author:  tofu [ Thu Apr 09, 2009 7:01 pm ]
Post subject: 

Thanks for your input.
I tried with the authdaemond from the tutorial, but got a "socket not found", because the socket of that daemon is outside my Postfix chroot (Postfix runs chrooted under Debian).

Did some further investigation with my current configuration.
When I add CRAM-MD5 to the mech list, I get a "secret not found" message.
But when I look here, I see this seems to be the error you get if you're missing a module.
When I enable MySQL logging, I indeed see no queries when using CRAM-MD5, while I do see them when using PLAIN login.
So it looks like "secret not found" means something like "no module found for this authentication method". So the -sql module is only configured for plain and login, and not for MD5?
But here it looks like it's working with that module.
But now I found here that authdaemond also wouldn't solve my problem, since that module also only supports plain login.
EDIT: found another one, also here they say saslauthd only supports plain login. How stupid is that :evil:.
A big disadvantage of the IMAP authentication method, or the courier authentication, is that then I have the same SQL query, so I can't specify who can use the SMTP server and who not.

Author:  tofu [ Fri Apr 10, 2009 5:28 am ]
Post subject: 

In that HOWTO they also speak of only PLAIN and LOGIN:
Quote:
From the telnet we can see Postfix already supports AUTH with LOGIN and PLAIN,

Quote:
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES

Author:  tofu [ Fri Apr 10, 2009 6:05 am ]
Post subject: 

YES! Got it working :D.
Just changed some things in my smtpd.conf and it worked :?.

Quote:
pwcheck_method: auxprop
#pwcheck_method: saslauthd
#pwcheck_method: authdaemond
mech_list: plain login cram-md5 digest-md5
#authdaemond_path:/var/run/courier/authdaemon/socket
#allow_plaintext: true
#auxprop_plugin: mysql
sql_engine: mysql
sql_hostnames: 127.0.0.1
sql_user: Postfix
sql_passwd: removed
sql_database: Mail
sql_select: select Password from Mailboxes where User = '%u'


I added the sql_engine and changed the pwcheck_method (was: auxprop_plugin: mysql in combination with pwcheck_method: saslauthd).
Now AUTH MD5 works, and I can specify the users who can use it or not 8)
Thanks all!
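A small added check that encodes the lesson of the fix above (not the poster's configuration tooling nor Cyrus SASL's own code): it parses a smtpd.conf and flags a challenge-response mechanism paired with a verify-only backend, an auxprop plugin name that does not exist (the SQL backend is named `sql`, shipped as libsql.so in the listing earlier in the thread), and plaintext mechanisms offered without TLS being required. The two embedded configurations are copies of the "before" version from the saslfinger output and the "after" version quoted just above, with the credentials the poster had already replaced; the `tls_auth_only` parameter stands in for Postfix's smtpd_tls_auth_only setting and is an assumption of this example.

```python
# Copy of the original smtpd.conf from the saslfinger output (credentials already replaced there).
BEFORE = """\
pwcheck_method: saslauthd
mech_list: plain login cram-md5
allow_plaintext: true
auxprop_plugin: mysql
sql_hostnames: 127.0.0.1
sql_user: --- replaced ---
sql_passwd: --- replaced ---
sql_database: Mail
sql_select: select Password from Mailboxes where User = '%u'
"""

# Copy of the working smtpd.conf quoted in the final post (password removed by the poster).
AFTER = """\
pwcheck_method: auxprop
#pwcheck_method: saslauthd
#pwcheck_method: authdaemond
mech_list: plain login cram-md5 digest-md5
#authdaemond_path:/var/run/courier/authdaemon/socket
#allow_plaintext: true
#auxprop_plugin: mysql
sql_engine: mysql
sql_hostnames: 127.0.0.1
sql_user: Postfix
sql_passwd: removed
sql_database: Mail
sql_select: select Password from Mailboxes where User = '%u'
"""

# Cyrus SASL auxprop plugins that actually exist; the SQL one is 'sql' (sql_engine picks mysql/pgsql/...).
AUXPROP_PLUGINS = {"sasldb", "sql", "ldapdb"}
# Backends that can only confirm a submitted plaintext password; they never return the stored secret.
VERIFY_ONLY_BACKENDS = {"saslauthd", "authdaemond"}
CHALLENGE_RESPONSE_MECHS = {"cram-md5", "digest-md5"}
PLAINTEXT_MECHS = {"plain", "login"}


def parse_smtpd_conf(text):
    """Parse 'key: value' lines; '#' lines are comments. Keys are lower-cased, values kept verbatim."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            opts[key.strip().lower()] = value.strip()
    return opts


def lint_sasl_config(conf_text, tls_auth_only=True):
    """Return a list of findings; an empty list means none of the known mismatches is present."""
    opts = parse_smtpd_conf(conf_text)
    findings = []
    mechs = set(opts.get("mech_list", "").lower().split())
    pwcheck = opts.get("pwcheck_method", "").lower()

    challenge = sorted(mechs & CHALLENGE_RESPONSE_MECHS)
    if challenge and pwcheck in VERIFY_ONLY_BACKENDS:
        findings.append(
            f"mech_list offers {' '.join(challenge)} but pwcheck_method is {pwcheck}, which only "
            "verifies a submitted plaintext password; challenge-response AUTH fails with "
            "'no secret in database' (use pwcheck_method: auxprop with a backend that returns the secret)")

    plugin = opts.get("auxprop_plugin", "").lower()
    if plugin and plugin not in AUXPROP_PLUGINS:
        findings.append(
            f"auxprop_plugin: {plugin} names no Cyrus SASL auxprop plugin; the SQL backend is 'sql' "
            "with the database type selected by sql_engine")

    if mechs & PLAINTEXT_MECHS and not tls_auth_only:
        findings.append(
            "plain/login are offered but AUTH is not restricted to TLS sessions; "
            "the password would cross the wire in the clear")
    return findings


if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        print(name, lint_sasl_config(conf) or "no findings")
```

The "before" file produces two findings (verify-only backend with cram-md5, and the non-existent plugin name) while the "after" file produces none; dropping the TLS-only requirement on the "after" file adds the plaintext warning, which is the setting that matters most once PLAIN and LOGIN are in the mechanism list.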

Author:  condate [ Fri Apr 10, 2009 7:48 am ]
Post subject: 

Good to hear! :) you should write a howto on the Wiki or something for the courier users :)
