SASL postgresql backend doesn't work. Please help.

SASL postgresql backend doesn't work. Please help.

Chris St Denis-4
I am trying to get SASL to work authenticated to a postgresql database for SMTP auth with postfix. But sasl is being very uncooperative.

basic system info
barium# uname -mrs
FreeBSD 7.0-RELEASE-p1 amd64

cyrus-sasl version: 2.1.22
postfix version: 2.5.1

One of my biggest problems is I can't find any documentation of the smtpd.conf file, but from what I've pieced together from tutorials and such I've got this.
pwcheck_method: auxprop
auxprop_plugin: sql
sql_engine: pgsql
allowanonymouslogin: no
allowplaintext: yes
mech_list: LOGIN PLAIN
password_format: plaintext
sql_user: mail
sql_passwd:
sql_hostnames: localhost
sql_database: mail
sql_select: SELECT pass FROM emails_view WHERE email = '%u@%r'
log_level: 7
sql_verbose: true

If I use saslpasswd2 on an account I get "generic failure". Does saslpasswd2 even work on sql or is it sasldb only?
barium# saslpasswd2 -a smtpd [hidden email]
saslpasswd2: generic failure

If I run "pluginviewer -a" it only lists sasldb. Shouldn't SQL be in here?
barium# pluginviewer -a
Installed auxprop mechanisms are:
sasldb
List of auxprop plugins follows
Plugin "sasldb" ,       API version: 4
        supports store: yes

barium# pluginviewer -s
Installed SASL (server side) mechanisms are:
LOGIN ANONYMOUS PLAIN GSSAPI DIGEST-MD5 CRAM-MD5 EXTERNAL
List of server plugins follows
Plugin "login" [loaded],        API version: 4
        SASL mechanism: LOGIN, best SSF: 0, supports setpass: no
        security flags: NO_ANONYMOUS
        features:
Plugin "anonymous" [loaded],    API version: 4
        SASL mechanism: ANONYMOUS, best SSF: 0, supports setpass: no
        security flags: NO_PLAINTEXT
        features: WANT_CLIENT_FIRST
Plugin "plain" [loaded],        API version: 4
        SASL mechanism: PLAIN, best SSF: 0, supports setpass: no
        security flags: NO_ANONYMOUS
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Plugin "gssapiv2" [loaded],     API version: 4
        SASL mechanism: GSSAPI, best SSF: 56, supports setpass: no
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
        features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Plugin "digestmd5" [loaded],    API version: 4
        SASL mechanism: DIGEST-MD5, best SSF: 128, supports setpass: no
        security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
        features: PROXY_AUTHENTICATION
Plugin "crammd5" [loaded],      API version: 4
        SASL mechanism: CRAM-MD5, best SSF: 0, supports setpass: no
        security flags: NO_ANONYMOUS|NO_PLAINTEXT
        features: SERVER_FIRST

Configure line
'./configure' --prefix=/usr/local  '--sysconfdir=/usr/local/etc' '--with-configdir=/usr/local/lib/sasl2:/usr/local/etc/sasl2' '--with-plugindir=/usr/local/lib/sasl2' '--with-dbpath=/usr/local/etc/sasldb2' '--includedir=/usr/local/include' '--enable-static' '--enable-auth-sasldb' '--with-rc4=openssl' '--with-saslauthd=/var/run/saslauthd' '--with-dblib=berkeley' '--with-bdb-libdir=/usr/local/lib' '--with-bdb-incdir=/usr/local/include/db41' '--with-bdb=db41' '--enable-sql' '--without-mysql' '--with-pgsql=/usr/local' '--without-sqlite' '--enable-alwaystrue' '--with-authdaemond=no' '--enable-login' '--disable-otp' '--disable-ntlm' '--enable-gssapi' '--disable-krb4' '--with-openssl=yes' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' 'amd64-portbld-freebsd7.0' 'CC=cc' 'CFLAGS=-O -pipe -march=nocona' 'CPPFLAGS=-fPIC -I/usr/local/include' 'LDFLAGS= -rpath=/usr/lib:/usr/local/lib -L/usr/local/lib' 'build_alias=amd64-portbld-freebsd7.0' 'host_alias=amd64-portbld-freebsd7.0' 'target_alias=amd64-portbld-freebsd7.0' --cache-file=.././config.cache --srcdir=.
I don't see any errors related to sql in the configure, all I get is
checking SQL... enabled

And the SQL module seems to get compiled ok.
if /bin/sh /usr/local/bin/libtool --mode=compile cc -DHAVE_CONFIG_H -I. -I. -I..  -I../include -I../lib -I../sasldb -I../include  -fPIC -I/usr/local/include -I/usr/local/include/db41 -DKRB5_HEIMDAL -I/usr/local/include  -Wall -W -O -pipe -march=nocona -MT sql.lo -MD -MP -MF ".deps/sql.Tpo"  -c -o sql.lo `test -f 'sql.c' || echo './'`sql.c;  then mv ".deps/sql.Tpo" ".deps/sql.Plo";  else rm -f ".deps/sql.Tpo"; exit 1;  fi
 cc -DHAVE_CONFIG_H -I. -I. -I.. -I../include -I../lib -I../sasldb -I../include -fPIC -I/usr/local/include -I/usr/local/include/db41 -DKRB5_HEIMDAL -I/usr/local/include -Wall -W -O -pipe -march=nocona -MT sql.lo -MD -MP -MF .deps/sql.Tpo -c sql.c  -fPIC -DPIC -o .libs/sql.o
sql.c: In function 'sql_auxprop_plug_init':
sql.c:1077: warning: unused parameter 'plugname'
 cc -DHAVE_CONFIG_H -I. -I. -I.. -I../include -I../lib -I../sasldb -I../include -fPIC -I/usr/local/include -I/usr/local/include/db41 -DKRB5_HEIMDAL -I/usr/local/include -Wall -W -O -pipe -march=nocona -MT sql.lo -MD -MP -MF .deps/sql.Tpo -c sql.c -o sql.o >/dev/null 2>&1
if /bin/sh /usr/local/bin/libtool --mode=compile cc -DHAVE_CONFIG_H -I. -I. -I..  -I../include -I../lib -I../sasldb -I../include  -fPIC -I/usr/local/include -I/usr/local/include/db41 -DKRB5_HEIMDAL -I/usr/local/include  -Wall -W -O -pipe -march=nocona -MT sql_init.lo -MD -MP -MF ".deps/sql_init.Tpo"  -c -o sql_init.lo `test -f 'sql_init.c' || echo './'`sql_init.c;  then mv ".deps/sql_init.Tpo" ".deps/sql_init.Plo";  else rm -f ".deps/sql_init.Tpo"; exit 1;  fi
 cc -DHAVE_CONFIG_H -I. -I. -I.. -I../include -I../lib -I../sasldb -I../include -fPIC -I/usr/local/include -I/usr/local/include/db41 -DKRB5_HEIMDAL -I/usr/local/include -Wall -W -O -pipe -march=nocona -MT sql_init.lo -MD -MP -MF .deps/sql_init.Tpo -c sql_init.c  -fPIC -DPIC -o .libs/sql_init.o
 cc -DHAVE_CONFIG_H -I. -I. -I.. -I../include -I../lib -I../sasldb -I../include -fPIC -I/usr/local/include -I/usr/local/include/db41 -DKRB5_HEIMDAL -I/usr/local/include -Wall -W -O -pipe -march=nocona -MT sql_init.lo -MD -MP -MF .deps/sql_init.Tpo -c sql_init.c -o sql_init.o >/dev/null 2>&1
/bin/sh /usr/local/bin/libtool --mode=link cc  -Wall -W -O -pipe -march=nocona  -module -export-dynamic -rpath /usr/local/lib/sasl2 -rpath=/usr/lib:/usr/local/lib -L/usr/local/lib -o libsql.la   -L/usr/local/lib  -R/usr/local/lib -lpq  -version-info 2:22:0 sql.lo sql_init.lo plugin_common.lo
cc -shared  .libs/sql.o .libs/sql_init.o .libs/plugin_common.o  -Wl,--rpath -Wl,/usr/local/lib -L/usr/local/lib -lpq  -march=nocona -Wl,-soname -Wl,libsql.so.2 -o .libs/libsql.so.2
(cd .libs && rm -f libsql.so && ln -s libsql.so.2 libsql.so)
(cd .libs && rm -f libsql.so && ln -s libsql.so.2 libsql.so)
ar cru .libs/libsql.a  sql.o sql_init.o plugin_common.o
ranlib .libs/libsql.a
creating libsql.la
(cd .libs && rm -f libsql.la && ln -s ../libsql.la libsql.la)
<snip>
if cc -DHAVE_CONFIG_H -I. -I. -I.. -I../include -I../plugins -I../include -I../sasldb   -fPIC -I/usr/local/include -I/usr/local/include/db41 -DKRB5_HEIMDAL -I/usr/local/include  -Wall -W -O -pipe -march=nocona -MT sql.o -MD -MP -MF ".deps/sql.Tpo"  -c -o sql.o `test -f '/usr/ports/security/cyrus-sasl2/work/cyrus-sasl-2.1.22/lib/../plugins/sql.c' || echo './'`/usr/ports/security/cyrus-sasl2/work/cyrus-sasl-2.1.22/lib/../plugins/sql.c;  then mv ".deps/sql.Tpo" ".deps/sql.Po";  else rm -f ".deps/sql.Tpo"; exit 1;  fi
/usr/ports/security/cyrus-sasl2/work/cyrus-sasl-2.1.22/lib/../plugins/sql.c: In function 'sql_auxprop_plug_init':
/usr/ports/security/cyrus-sasl2/work/cyrus-sasl-2.1.22/lib/../plugins/sql.c:1077: warning: unused parameter 'plugname'
adding static plugins and dependencies
ar cru .libs/libsasl2.a sasldb.o db_berkeley.o allockey.o cram.o digestmd5.o gssapi.o plain.o anonymous.o login.o sql.o

And the files are there
barium# ll /usr/local/lib/sasl2/*sql*
-rw-r--r--  1 root  wheel  28568 May 13 10:27 /usr/local/lib/sasl2/libsql.a
-rwxr-xr-x  1 root  wheel    826 May 13 10:27 /usr/local/lib/sasl2/libsql.la
lrwxr-xr-x  1 root  wheel     11 May 13 10:27 /usr/local/lib/sasl2/libsql.so -> libsql.so.2
-rwxr-xr-x  1 root  wheel  27026 May 13 10:27 /usr/local/lib/sasl2/libsql.so.2

For some reason I get some mysql related errors in the syslog like these. I'm using postgresql not mysql. It's compiled --without-mysql and mysql isn't even installed in the server.
May 13 15:05:42 barium pluginviewer: SQL engine 'mysql' not supported
May 13 15:05:42 barium pluginviewer: auxpropfunc error no mechanism available
May 13 15:05:46 barium pluginviewer: SQL engine 'mysql' not supported
May 13 15:05:46 barium pluginviewer: auxpropfunc error no mechanism available
May 13 15:05:51 barium pluginviewer: SQL engine 'mysql' not supported
May 13 15:05:51 barium pluginviewer: auxpropfunc error no mechanism available
May 13 15:17:38 barium server: SQL engine 'mysql' not supported
May 13 15:17:38 barium server: auxpropfunc error no mechanism available
Other than that, I only get generic errors like
May 13 15:31:07 barium postfix/smtpd[79672]: warning: SASL per-process initialization failed: generic failure
May 13 15:31:07 barium postfix/smtpd[79672]: fatal: SASL per-process initialization failed

using the client/server in "sample"

Client
barium# ./client -s smtpd -m LOGIN localhost
receiving capability list... recv: {48}
LOGIN ANONYMOUS PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
LOGIN ANONYMOUS PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
send: {5}
LOGIN
send: {1}
N
recv: {9}
Username:
please enter an authentication id: [hidden email]
Password:
send: {17}
[hidden email]
recv: {9}
Password:
send: {6}
asdfgh
authentication failed
closing connection

Server
accepted new connection
send: {48}
LOGIN ANONYMOUS PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
recv: {5}
LOGIN
recv: {1}
N
send: {9}
Username:
recv: {17}
[hidden email]
send: {9}
Password:
recv: {6}
asdfgh
performing SASL negotiation: user not foundclosing connection

Re: SASL postgresql backend doesn't work. Please help.

Patrick Ben Koetter
* Chris St Denis <[hidden email]>:

> I am trying to get SASL to work authenticated to a postgresql database for
> SMTP auth with postfix. But sasl is being very uncooperative.
>
> basic system info
>
>    barium# uname -mrs
>    FreeBSD 7.0-RELEASE-p1 amd64
>
>    cyrus-sasl version: 2.1.22
>    postfix version: 2.5.1
>
> One of my biggest problems is I can't find any documentation of the
> smtpd.conf file, but from what I've pieced together from tutorials and such
> I've got this.
>
>    pwcheck_method: auxprop
>    auxprop_plugin: sql
>    sql_engine: pgsql
>    allowanonymouslogin: no
>    allowplaintext: yes
>    mech_list: LOGIN PLAIN
>    password_format: plaintext
>    sql_user: mail
>    sql_passwd:
>    sql_hostnames: localhost
>    sql_database: mail
>    sql_select: SELECT pass FROM emails_view WHERE email = '%u@%r'
>    log_level: 7
>    sql_verbose: true

Reduce it to this:

pwcheck_method: auxprop
auxprop_plugin: sql
sql_engine: pgsql
mech_list: LOGIN PLAIN
sql_user: mail
sql_passwd:
sql_hostnames: localhost
sql_database: mail
sql_select: SELECT pass FROM emails_view WHERE email = '%u@%r'


> If I use saslpasswd2 on an account I get "generic failure". Does
> saslpasswd2 even work on sql or is it sasldb only?

It's sasldb only (it is said to be others too, but that's hearsay).


> And the files are there
>
>    barium# ll /usr/local/lib/sasl2/*sql*
>    -rw-r--r--  1 root  wheel  28568 May 13 10:27
>    /usr/local/lib/sasl2/libsql.a
>    -rwxr-xr-x  1 root  wheel    826 May 13 10:27
>    /usr/local/lib/sasl2/libsql.la
>    lrwxr-xr-x  1 root  wheel     11 May 13 10:27
>    /usr/local/lib/sasl2/libsql.so -> libsql.so.2
>    -rwxr-xr-x  1 root  wheel  27026 May 13 10:27
>    /usr/local/lib/sasl2/libsql.so.2

Did you create the required, symbolic link from /usr/local/lib/sasl2/ to
/usr/lib/sasl2/?


> For some reason I get some mysql related errors in the syslog like these.
> I'm using postgresql not mysql. It's compiled --without-mysql and mysql
> isn't even installed in the server.
>
>    May 13 15:05:42 barium pluginviewer: SQL engine 'mysql' not supported
>    May 13 15:05:42 barium pluginviewer: auxpropfunc error no mechanism
>    available
>    May 13 15:05:46 barium pluginviewer: SQL engine 'mysql' not supported
>    May 13 15:05:46 barium pluginviewer: auxpropfunc error no mechanism
>    available
>    May 13 15:05:51 barium pluginviewer: SQL engine 'mysql' not supported
>    May 13 15:05:51 barium pluginviewer: auxpropfunc error no mechanism
>    available
>    May 13 15:17:38 barium server: SQL engine 'mysql' not supported
>    May 13 15:17:38 barium server: auxpropfunc error no mechanism available

It can't find any mechanisms such as PLAIN and LOGIN.


> Other than that, I only get generic errors like
>
>    May 13 15:31:07 barium postfix/smtpd[79672]: warning: SASL
>    per-process initialization failed: generic failure
>    May 13 15:31:07 barium postfix/smtpd[79672]: fatal: SASL per-process
>    initialization failed
>
> using the client/server in "sample"
>
> Client
>
>    barium# ./client -s smtpd -m LOGIN localhost
>    receiving capability list... recv: {48}
>    LOGIN ANONYMOUS PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
>    LOGIN ANONYMOUS PLAIN GSSAPI DIGEST-MD5 CRAM-MD5

The mechanisms are there.

Are the passwords in your database crypted? They must not. They must be
plaintext.

Have you checked the access permissions to the database? Can your "mail" user
connect and SELECT FROM as you need it?

p@rick

--
The Book of Postfix
<http://www.postfix-book.com>
saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
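The last question in the reply above can be checked by hand. The sketch below is an added example, not part of the original post and not Cyrus SASL code: it expands the thread's `sql_select` using the plugin's `%u`, `%r` and `%p` macros and builds the `psql` command to run as the `mail` database user. The split at the first `@`, the fallback realm `mail.example.org`, the simplified quote escaping and the sample logins are assumptions made for illustration.

```python
"""Expand a Cyrus SASL sql_select template and build a psql test command."""
import shlex

# Options as posted in the thread (reduced form).
CONF = {
    "sql_engine": "pgsql",
    "sql_user": "mail",
    "sql_hostnames": "localhost",
    "sql_database": "mail",
    "sql_select": "SELECT pass FROM emails_view WHERE email = '%u@%r'",
}


def split_login(login, default_realm):
    """Split an authentication id into (user, realm).

    Assumption: the id is split at the first '@'; a login without a realm
    gets a server-side default realm instead.
    """
    user, sep, realm = login.partition("@")
    return user, (realm if sep else default_realm)


def sql_literal_escape(value):
    """Simplified stand-in for the engine's escaping: double single quotes."""
    return value.replace("'", "''")


def expand_select(template, login, default_realm, prop="userPassword"):
    """Substitute %u (user), %r (realm) and %p (property) into the template."""
    user, realm = split_login(login, default_realm)
    values = {"u": user, "r": realm, "p": prop}
    out, i = [], 0
    while i < len(template):
        nxt = template[i + 1] if i + 1 < len(template) else ""
        if template[i] == "%" and nxt in values:
            out.append(sql_literal_escape(values[nxt]))
            i += 2
        else:
            # Anything that is not a known macro is copied unchanged.
            out.append(template[i])
            i += 1
    return "".join(out)


def psql_argv(conf, query):
    """Command line that runs the query with the credentials SASL would use."""
    host = conf["sql_hostnames"].split(",")[0].strip()
    return ["psql", "-h", host, "-U", conf["sql_user"],
            "-d", conf["sql_database"], "-c", query]


def demo():
    """Expand the posted template for three constructed logins."""
    default_realm = "mail.example.org"  # constructed fallback realm
    logins = ("chris@example.com", "chris", "o'brien@example.com")
    return {login: expand_select(CONF["sql_select"], login, default_realm)
            for login in logins}


if __name__ == "__main__":
    for login, query in demo().items():
        print(login, "->", shlex.join(psql_argv(CONF, query)))
```

A login sent without a realm expands to an address under the fallback realm, so a query that returns a row for the full address can still produce "user not found" for the short form.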

Re: SASL postgresql backend doesn't work. Please help.

Andreas Winkelmann
In reply to this post by Chris St Denis-4
On Thursday, 15 May 2008, Chris St Denis wrote:

> I am trying to get SASL to work authenticated to a postgresql database
> for SMTP auth with postfix. But sasl is being very uncooperative.
>
> basic system info
>
>     barium# uname -mrs
>     FreeBSD 7.0-RELEASE-p1 amd64
>
>     cyrus-sasl version: 2.1.22
>     postfix version: 2.5.1
>
> One of my biggest problems is I can't find any documentation of the
> smtpd.conf file, but from what I've pieced together from tutorials and
> such I've got this.
>
>     pwcheck_method: auxprop
>     auxprop_plugin: sql
>     sql_engine: pgsql

>     allowanonymouslogin: no

Not a Cyrus-SASL Option

>     allowplaintext: yes

Not a Cyrus-SASL Option

>     mech_list: LOGIN PLAIN

>     password_format: plaintext

Not a Cyrus-SASL Option. Maybe implemented with a Patch?

>     sql_user: mail
>     sql_passwd:
>     sql_hostnames: localhost
>     sql_database: mail
>     sql_select: SELECT pass FROM emails_view WHERE email = '%u@%r'
>     log_level: 7
>     sql_verbose: true
>
> If I use saslpasswd2 on an account I get "generic failure". Does
> saslpasswd2 even work on sql or is it sasldb only?

It works generally with MySQL or PostgreSQL, too. But not with your
Config-File above. To add or change Data to/in a SQL Database, normally
someone would expect UPDATE- or INSERT-Commands. I see none in your config.
The associated Cyrus-SASL Options would be "sql_insert:" or "sql_update:".

>     barium# saslpasswd2 -a smtpd [hidden email]
>     saslpasswd2: generic failure
>
> If I run "pluginviewer -a" it only lists sasldb. Shouldn't SQL be in here?
>
>     barium# pluginviewer -a
>     Installed auxprop mechanisms are:
>     sasldb
>     List of auxprop plugins follows
>     Plugin "sasldb" ,       API version: 4
>             supports store: yes
>
>
>     barium# pluginviewer -s
>     Installed SASL (server side) mechanisms are:
>     LOGIN ANONYMOUS PLAIN GSSAPI DIGEST-MD5 CRAM-MD5 EXTERNAL
>     List of server plugins follows
>     Plugin "login" [loaded],        API version: 4
>             SASL mechanism: LOGIN, best SSF: 0, supports setpass: no
>             security flags: NO_ANONYMOUS
>             features:
>     Plugin "anonymous" [loaded],    API version: 4
>             SASL mechanism: ANONYMOUS, best SSF: 0, supports setpass: no
>             security flags: NO_PLAINTEXT
>             features: WANT_CLIENT_FIRST
>     Plugin "plain" [loaded],        API version: 4
>             SASL mechanism: PLAIN, best SSF: 0, supports setpass: no
>             security flags: NO_ANONYMOUS
>             features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
>     Plugin "gssapiv2" [loaded],     API version: 4
>             SASL mechanism: GSSAPI, best SSF: 56, supports setpass: no
>             security flags:
>     NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
>             features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
>     Plugin "digestmd5" [loaded],    API version: 4
>             SASL mechanism: DIGEST-MD5, best SSF: 128, supports setpass: no
>             security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
>             features: PROXY_AUTHENTICATION
>     Plugin "crammd5" [loaded],      API version: 4
>             SASL mechanism: CRAM-MD5, best SSF: 0, supports setpass: no
>             security flags: NO_ANONYMOUS|NO_PLAINTEXT
>             features: SERVER_FIRST
>
>
> Configure line
>
>     './configure' --prefix=/usr/local  '--sysconfdir=/usr/local/etc'
>     '--with-configdir=/usr/local/lib/sasl2:/usr/local/etc/sasl2'
>     '--with-plugindir=/usr/local/lib/sasl2'
>     '--with-dbpath=/usr/local/etc/sasldb2'
>     '--includedir=/usr/local/include' '--enable-static'
>     '--enable-auth-sasldb' '--with-rc4=openssl'
>     '--with-saslauthd=/var/run/saslauthd' '--with-dblib=berkeley'
>     '--with-bdb-libdir=/usr/local/lib'
>     '--with-bdb-incdir=/usr/local/include/db41' '--with-bdb=db41'
>     '--enable-sql' '--without-mysql' '--with-pgsql=/usr/local'
>     '--without-sqlite' '--enable-alwaystrue' '--with-authdaemond=no'
>     '--enable-login' '--disable-otp' '--disable-ntlm' '--enable-gssapi'
>     '--disable-krb4' '--with-openssl=yes' '--prefix=/usr/local'
>     '--mandir=/usr/local/man' '--infodir=/usr/local/info/'
>     'amd64-portbld-freebsd7.0' 'CC=cc' 'CFLAGS=-O -pipe -march=nocona'
>     'CPPFLAGS=-fPIC -I/usr/local/include' 'LDFLAGS=
>     -rpath=/usr/lib:/usr/local/lib -L/usr/local/lib'
>     'build_alias=amd64-portbld-freebsd7.0'
>     'host_alias=amd64-portbld-freebsd7.0'
>     'target_alias=amd64-portbld-freebsd7.0'
>     --cache-file=.././config.cache --srcdir=.
>
> I don't see any errors related to sql in the configure, all I get is
>
>     checking SQL... enabled
>
> And the SQL module seems to get compiled ok.
>
>     if /bin/sh /usr/local/bin/libtool --mode=compile cc -DHAVE_CONFIG_H
>     -I. -I. -I..  -I../include -I../lib -I../sasldb -I../include  -fPIC
>     -I/usr/local/include -I/usr/local/include/db41 -DKRB5_HEIMDAL
>     -I/usr/local/include  -Wall -W -O -pipe -march=nocona -MT sql.lo -MD
>     -MP -MF ".deps/sql.Tpo"  -c -o sql.lo `test -f 'sql.c' || echo
>     './'`sql.c;  then mv ".deps/sql.Tpo" ".deps/sql.Plo";  else rm -f
>     ".deps/sql.Tpo"; exit 1;  fi
>      cc -DHAVE_CONFIG_H -I. -I. -I.. -I../include -I../lib -I../sasldb
>     -I../include -fPIC -I/usr/local/include -I/usr/local/include/db41
>     -DKRB5_HEIMDAL -I/usr/local/include -Wall -W -O -pipe -march=nocona
>     -MT sql.lo -MD -MP -MF .deps/sql.Tpo -c sql.c  -fPIC -DPIC -o
>     .libs/sql.o
>     sql.c: In function 'sql_auxprop_plug_init':
>     sql.c:1077: warning: unused parameter 'plugname'
>      cc -DHAVE_CONFIG_H -I. -I. -I.. -I../include -I../lib -I../sasldb
>     -I../include -fPIC -I/usr/local/include -I/usr/local/include/db41
>     -DKRB5_HEIMDAL -I/usr/local/include -Wall -W -O -pipe -march=nocona
>     -MT sql.lo -MD -MP -MF .deps/sql.Tpo -c sql.c -o sql.o >/dev/null 2>&1
>     if /bin/sh /usr/local/bin/libtool --mode=compile cc -DHAVE_CONFIG_H
>     -I. -I. -I..  -I../include -I../lib -I../sasldb -I../include  -fPIC
>     -I/usr/local/include -I/usr/local/include/db41 -DKRB5_HEIMDAL
>     -I/usr/local/include  -Wall -W -O -pipe -march=nocona -MT
>     sql_init.lo -MD -MP -MF ".deps/sql_init.Tpo"  -c -o sql_init.lo
>     `test -f 'sql_init.c' || echo './'`sql_init.c;  then mv
>     ".deps/sql_init.Tpo" ".deps/sql_init.Plo";  else rm -f
>     ".deps/sql_init.Tpo"; exit 1;  fi
>      cc -DHAVE_CONFIG_H -I. -I. -I.. -I../include -I../lib -I../sasldb
>     -I../include -fPIC -I/usr/local/include -I/usr/local/include/db41
>     -DKRB5_HEIMDAL -I/usr/local/include -Wall -W -O -pipe -march=nocona
>     -MT sql_init.lo -MD -MP -MF .deps/sql_init.Tpo -c sql_init.c  -fPIC
>     -DPIC -o .libs/sql_init.o
>      cc -DHAVE_CONFIG_H -I. -I. -I.. -I../include -I../lib -I../sasldb
>     -I../include -fPIC -I/usr/local/include -I/usr/local/include/db41
>     -DKRB5_HEIMDAL -I/usr/local/include -Wall -W -O -pipe -march=nocona
>     -MT sql_init.lo -MD -MP -MF .deps/sql_init.Tpo -c sql_init.c -o
>     sql_init.o >/dev/null 2>&1
>     /bin/sh /usr/local/bin/libtool --mode=link cc  -Wall -W -O -pipe
>     -march=nocona  -module -export-dynamic -rpath /usr/local/lib/sasl2
>     -rpath=/usr/lib:/usr/local/lib -L/usr/local/lib -o libsql.la
>     -L/usr/local/lib  -R/usr/local/lib -lpq  -version-info 2:22:0 sql.lo
>     sql_init.lo plugin_common.lo
>     cc -shared  .libs/sql.o .libs/sql_init.o .libs/plugin_common.o
>     -Wl,--rpath -Wl,/usr/local/lib -L/usr/local/lib -lpq  -march=nocona
>     -Wl,-soname -Wl,libsql.so.2 -o .libs/libsql.so.2
>     (cd .libs && rm -f libsql.so && ln -s libsql.so.2 libsql.so)
>     (cd .libs && rm -f libsql.so && ln -s libsql.so.2 libsql.so)
>     ar cru .libs/libsql.a  sql.o sql_init.o plugin_common.o
>     ranlib .libs/libsql.a
>     creating libsql.la
>     (cd .libs && rm -f libsql.la && ln -s ../libsql.la libsql.la)
>     <snip>
>     if cc -DHAVE_CONFIG_H -I. -I. -I.. -I../include -I../plugins
>     -I../include -I../sasldb   -fPIC -I/usr/local/include
>     -I/usr/local/include/db41 -DKRB5_HEIMDAL -I/usr/local/include  -Wall
>     -W -O -pipe -march=nocona -MT sql.o -MD -MP -MF ".deps/sql.Tpo"  -c
>     -o sql.o `test -f
>     '/usr/ports/security/cyrus-sasl2/work/cyrus-sasl-2.1.22/lib/../plugins/sql.c'
>     || echo
>     './'`/usr/ports/security/cyrus-sasl2/work/cyrus-sasl-2.1.22/lib/../plugins/sql.c;
>     then mv ".deps/sql.Tpo" ".deps/sql.Po";  else rm -f ".deps/sql.Tpo";
>     exit 1;  fi
>     /usr/ports/security/cyrus-sasl2/work/cyrus-sasl-2.1.22/lib/../plugins/sql.c: In function 'sql_auxprop_plug_init':
>     /usr/ports/security/cyrus-sasl2/work/cyrus-sasl-2.1.22/lib/../plugins/sql.c:1077: warning: unused parameter 'plugname'
>     adding static plugins and dependencies
>     ar cru .libs/libsasl2.a sasldb.o db_berkeley.o allockey.o cram.o
>     digestmd5.o gssapi.o plain.o anonymous.o login.o sql.o
>
> And the files are there
>
>     barium# ll /usr/local/lib/sasl2/*sql*
>     -rw-r--r--  1 root  wheel  28568 May 13 10:27
>     /usr/local/lib/sasl2/libsql.a
>     -rwxr-xr-x  1 root  wheel    826 May 13 10:27
>     /usr/local/lib/sasl2/libsql.la
>     lrwxr-xr-x  1 root  wheel     11 May 13 10:27
>     /usr/local/lib/sasl2/libsql.so -> libsql.so.2
>     -rwxr-xr-x  1 root  wheel  27026 May 13 10:27
>     /usr/local/lib/sasl2/libsql.so.2
>
>
> For some reason I get some mysql related errors in the syslog like
> these. I'm using postgresql not mysql. It's compiled --without-mysql and
> mysql isn't even installed in the server.

"mysql" is the default sql_engine if no other is specified. In your case this
means your smtpd.conf is not read. Maybe wrong Directory? Some Distributions
do a lot of Patching.

>     May 13 15:05:42 barium pluginviewer: SQL engine 'mysql' not supported
>     May 13 15:05:42 barium pluginviewer: auxpropfunc error no mechanism
>     available

Check where your Cyrus-SASL expects the Config File. Maybe trace the
saslpasswd Binary.

>     May 13 15:05:46 barium pluginviewer: SQL engine 'mysql' not supported
>     May 13 15:05:46 barium pluginviewer: auxpropfunc error no mechanism
>     available
>     May 13 15:05:51 barium pluginviewer: SQL engine 'mysql' not supported
>     May 13 15:05:51 barium pluginviewer: auxpropfunc error no mechanism
>     available
>     May 13 15:17:38 barium server: SQL engine 'mysql' not supported
>     May 13 15:17:38 barium server: auxpropfunc error no mechanism available
>
> Other than that, I only get generic errors like
>
>     May 13 15:31:07 barium postfix/smtpd[79672]: warning: SASL
>     per-process initialization failed: generic failure
>     May 13 15:31:07 barium postfix/smtpd[79672]: fatal: SASL per-process
>     initialization failed
>
> using the client/server in "sample"
>
> Client
>
>     barium# ./client -s smtpd -m LOGIN localhost
>     receiving capability list... recv: {48}
>     LOGIN ANONYMOUS PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
>     LOGIN ANONYMOUS PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
>     send: {5}
>     LOGIN
>     send: {1}
>     N
>     recv: {9}
>     Username:
>     please enter an authentication id: [hidden email]
>     Password:
>     send: {17}
>     [hidden email]
>     recv: {9}
>     Password:
>     send: {6}
>     asdfgh
>     authentication failed
>     closing connection
>
> Server
>
>     accepted new connection
>     send: {48}
>     LOGIN ANONYMOUS PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
>     recv: {5}
>     LOGIN
>     recv: {1}
>     N
>     send: {9}
>     Username:
>     recv: {17}
>     [hidden email]
>     send: {9}
>     Password:
>     recv: {6}
>     asdfgh
>     performing SASL negotiation: user not foundclosing connection



--
        Andreas
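The two observations in the reply above (keys that are not Cyrus SASL options, and the 'mysql' fallback indicating that smtpd.conf was never read) can be checked mechanically. The following is an added example, not code from the thread or from Cyrus SASL: it walks a colon-separated search path shaped like the `--with-configdir` value in the configure line and reports which file an application name resolves to. The first-match search order, the application name `otherapp` and the temporary directory tree are assumptions or constructed for the demo.

```python
"""Find which <appname>.conf a Cyrus SASL build would read, then lint it."""
import os
import tempfile

# Keys the replies in this thread call "Not a Cyrus-SASL Option".
NOT_SASL_OPTIONS = ("allowanonymouslogin", "allowplaintext", "password_format")
# Per the reply above: the engine assumed when no sql_engine is read.
DEFAULT_SQL_ENGINE = "mysql"

# The smtpd.conf from the first post, embedded as sample input.
POSTED_CONF = """\
pwcheck_method: auxprop
auxprop_plugin: sql
sql_engine: pgsql
allowanonymouslogin: no
allowplaintext: yes
mech_list: LOGIN PLAIN
password_format: plaintext
sql_user: mail
sql_passwd:
sql_hostnames: localhost
sql_database: mail
sql_select: SELECT pass FROM emails_view WHERE email = '%u@%r'
log_level: 7
sql_verbose: true
"""


def parse_conf(text):
    """Parse 'key: value' lines, ignoring blanks and '#' comments."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            options[key.strip()] = value.strip()
    return options


def find_conf(configdir, appname):
    """Return the first existing <dir>/<appname>.conf on the search path.

    Assumption: directories are tried left to right and the first hit wins.
    """
    for directory in configdir.split(":"):
        candidate = os.path.join(directory, appname + ".conf")
        if os.path.isfile(candidate):
            return candidate
    return None


def diagnose(configdir, appname, engines_built=("pgsql",)):
    """Report the file read, the effective SQL engine and ignored keys."""
    path = find_conf(configdir, appname)
    options, problems = {}, []
    if path is None:
        problems.append("no %s.conf found in %s" % (appname, configdir))
    elif not os.access(path, os.R_OK):
        problems.append("%s exists but is not readable by this user" % path)
    else:
        with open(path) as handle:
            options = parse_conf(handle.read())
    # Without a config file the engine silently falls back to the default.
    engine = options.get("sql_engine", DEFAULT_SQL_ENGINE)
    if engine not in engines_built:
        problems.append("SQL engine '%s' not supported by this build" % engine)
    ignored = [key for key in options if key in NOT_SASL_OPTIONS]
    return {"path": path, "engine": engine,
            "ignored_keys": ignored, "problems": problems}


def build_demo_tree(root):
    """Constructed layout mirroring a <lib>/sasl2:<etc>/sasl2 search path."""
    lib_dir = os.path.join(root, "lib", "sasl2")
    etc_dir = os.path.join(root, "etc", "sasl2")
    os.makedirs(lib_dir)
    os.makedirs(etc_dir)
    with open(os.path.join(etc_dir, "smtpd.conf"), "w") as handle:
        handle.write(POSTED_CONF)
    return lib_dir + ":" + etc_dir


def demo():
    """Diagnose the posted config under two application names."""
    with tempfile.TemporaryDirectory() as root:
        configdir = build_demo_tree(root)
        return {name: diagnose(configdir, name)
                for name in ("smtpd", "otherapp")}


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report)
```

Run it as the account the mail daemon uses, since the readability check reflects the calling user and always passes for root.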

Re: SASL postgresql backend doesn't work. Please help.

Chris St Denis-4
In reply to this post by Patrick Ben Koetter
(forgot to reply to all. Resending for list)

Patrick Ben Koetter wrote:
> * Chris St Denis [hidden email]:
>
> > I am trying to get SASL to work authenticated to a postgresql database for
> > SMTP auth with postfix. But sasl is being very uncooperative.
> >
> > basic system info
> >
> >    barium# uname -mrs
> >    FreeBSD 7.0-RELEASE-p1 amd64
> >
> >    cyrus-sasl version: 2.1.22
> >    postfix version: 2.5.1
> >
> > One of my biggest problems is I can't find any documentation of the
> > smtpd.conf file, but from what I've pieced together from tutorials and such
> > I've got this.
> >
> >    pwcheck_method: auxprop
> >    auxprop_plugin: sql
> >    sql_engine: pgsql
> >    allowanonymouslogin: no
> >    allowplaintext: yes
> >    mech_list: LOGIN PLAIN
> >    password_format: plaintext
> >    sql_user: mail
> >    sql_passwd:
> >    sql_hostnames: localhost
> >    sql_database: mail
> >    sql_select: SELECT pass FROM emails_view WHERE email = '%u@%r'
> >    log_level: 7
> >    sql_verbose: true
>
> Reduce it to this:
>
> pwcheck_method: auxprop
> auxprop_plugin: sql
> sql_engine: pgsql
> mech_list: LOGIN PLAIN
> sql_user: mail
> sql_passwd:
> sql_hostnames: localhost
> sql_database: mail
> sql_select: SELECT pass FROM emails_view WHERE email = '%u@%r'

Done. Still doesn't work.

> > If I use saslpasswd2 on an account I get "generic failure". Does
> > saslpasswd2 even work on sql or is it sasldb only?
>
> It's sasldb only (it is said to be others too, but that's hearsay).
>
> > And the files are there
> >
> >    barium# ll /usr/local/lib/sasl2/*sql*
> >    -rw-r--r--  1 root  wheel  28568 May 13 10:27
> >    /usr/local/lib/sasl2/libsql.a
> >    -rwxr-xr-x  1 root  wheel    826 May 13 10:27
> >    /usr/local/lib/sasl2/libsql.la
> >    lrwxr-xr-x  1 root  wheel     11 May 13 10:27
> >    /usr/local/lib/sasl2/libsql.so -> libsql.so.2
> >    -rwxr-xr-x  1 root  wheel  27026 May 13 10:27
> >    /usr/local/lib/sasl2/libsql.so.2
>
> Did you create the required, symbolic link from /usr/local/lib/sasl2/ to
> /usr/lib/sasl2/?

No, forgot about that one. But it's there now. Still doesn't work.

barium# ll /usr/lib/sasl2
lrwxr-xr-x  1 root  wheel  20 May 15 12:01 /usr/lib/sasl2 -> /usr/local/lib/sasl2

All of the software is installed through the FreeBSD ports system which patches stuff to have the correct paths so it's probably not necessary on this platform anyway.

> > For some reason I get some mysql related errors in the syslog like these.
> > I'm using postgresql not mysql. It's compiled --without-mysql and mysql
> > isn't even installed in the server.
> >
> >    May 13 15:05:42 barium pluginviewer: SQL engine 'mysql' not supported
> >    May 13 15:05:42 barium pluginviewer: auxpropfunc error no mechanism
> >    available
> >    May 13 15:05:46 barium pluginviewer: SQL engine 'mysql' not supported
> >    May 13 15:05:46 barium pluginviewer: auxpropfunc error no mechanism
> >    available
> >    May 13 15:05:51 barium pluginviewer: SQL engine 'mysql' not supported
> >    May 13 15:05:51 barium pluginviewer: auxpropfunc error no mechanism
> >    available
> >    May 13 15:17:38 barium server: SQL engine 'mysql' not supported
> >    May 13 15:17:38 barium server: auxpropfunc error no mechanism available
>
> It can't find any mechanisms such as PLAIN and LOGIN.
>
> > Other than that, I only get generic errors like
> >
> >    May 13 15:31:07 barium postfix/smtpd[79672]: warning: SASL
> >    per-process initialization failed: generic failure
> >    May 13 15:31:07 barium postfix/smtpd[79672]: fatal: SASL per-process
> >    initialization failed
> >
> > using the client/server in "sample"
> >
> > Client
> >
> >    barium# ./client -s smtpd -m LOGIN localhost
> >    receiving capability list... recv: {48}
> >    LOGIN ANONYMOUS PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
> >    LOGIN ANONYMOUS PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
>
> The mechanisms are there.
>
> Are the passwords in your database crypted? They must not. They must be
> plaintext.

They are plain text. I'll deal with getting crypted to work (with the appropriate mechanisms) once I get basic plain text working.

> Have you checked the access permissions to the database? Can your "mail" user
> connect and SELECT FROM as you need it?

Yes, it's the same settings that postfix is using for Virtual. Anyway, according to the database logs, it's not even trying to connect.

> p@rick

I wish I was getting more verbose error messages. I had log_level: 7 and sql_verbose: true but still have gotten very little in terms of useful errors. "fatal: SASL per-process initialization failed" just isn't that useful on its own.

Not seeing the mysql errors anymore, but they were somewhat intermittent anyway.

Re: SASL postgresql backend doesn't work. Please help.

Chris St Denis-4
In reply to this post by Andreas Winkelmann
Andreas Winkelmann wrote:
On Donnerstag, 15. Mai 2008, Chris St Denis wrote:

  
I am trying to get SASL to work authenticated to a postgresql database
for SMTP auth with postfix. But it sasl is being very uncooperative.

basic system info

    barium# uname -mrs
    FreeBSD 7.0-RELEASE-p1 amd64

    cyrus-sasl version: 2.1.22
    postfix version: 2.5.1

One of my biggest problems is I can't find any documentation of the
smtpd.conf file, but form what I've pieced together from tutorials and
such I've got this.

    pwcheck_method: auxprop
    auxprop_plugin: sql
    sql_engine: pgsql
    

  
    allowanonymouslogin: no
    

Not a Cyrus-SASL Option

  
    allowplaintext: yes
    

Not a Cyrus-SASL Option

  
    mech_list: LOGIN PLAIN
    

  
    password_format: plaintext
    

Not a Cyrus-SASL Option. Maybe implemented with a Patch?
  

These are what I've pulled from various tutorials, mailing list posts, etc If they are wrong they are gone now as per Patrick's post.
  
    sql_user: mail
    sql_passwd:
    sql_hostnames: localhost
    sql_database: mail
    sql_select: SELECT pass FROM emails_view WHERE email = '%u@%r'
    log_level: 7
    sql_verbose: true

If I use saslpasswd2 on an account I get "generic failure". Does
saslpasswd2 even work on sql or is it sasldb only?
    

It works generally with MySQL or PostgreSQL, too. But not with your 
Config-File above. To add or change Data to/in a SQL Database, normally 
someone would expect UPDATE- or INSERT-Commands. I see none in your config. 
The associated Cyrus-SASL Options would be "sql_insert:" or "sql_update:".
  
I am not interested in using it to maintain data. I was just using it to try to get account data as part of my debug process. I have a web interface that manipulates the database directly.
  
    barium# saslpasswd2 -a smtpd [hidden email]
    saslpasswd2: generic failure

If I run "pluginviewer -a" it only lists sasldb. Shouldn't SQL be in here?

    barium# pluginviewer -a
    Installed auxprop mechanisms are:
    sasldb
    List of auxprop plugins follows
    Plugin "sasldb" ,       API version: 4
            supports store: yes


    barium# pluginviewer -s
    Installed SASL (server side) mechanisms are:
    LOGIN ANONYMOUS PLAIN GSSAPI DIGEST-MD5 CRAM-MD5 EXTERNAL
    List of server plugins follows
    Plugin "login" [loaded],        API version: 4
            SASL mechanism: LOGIN, best SSF: 0, supports setpass: no
            security flags: NO_ANONYMOUS
            features:
    Plugin "anonymous" [loaded],    API version: 4
            SASL mechanism: ANONYMOUS, best SSF: 0, supports setpass: no
            security flags: NO_PLAINTEXT
            features: WANT_CLIENT_FIRST
    Plugin "plain" [loaded],        API version: 4
            SASL mechanism: PLAIN, best SSF: 0, supports setpass: no
            security flags: NO_ANONYMOUS
            features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
    Plugin "gssapiv2" [loaded],     API version: 4
            SASL mechanism: GSSAPI, best SSF: 56, supports setpass: no
            security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
            features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
    Plugin "digestmd5" [loaded],    API version: 4
            SASL mechanism: DIGEST-MD5, best SSF: 128, supports setpass: no
            security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
            features: PROXY_AUTHENTICATION
    Plugin "crammd5" [loaded],      API version: 4
            SASL mechanism: CRAM-MD5, best SSF: 0, supports setpass: no
            security flags: NO_ANONYMOUS|NO_PLAINTEXT
            features: SERVER_FIRST
    
<snip compile related stuff for space. We know it's compiling and linking ok>

And the files are there

    barium# ll /usr/local/lib/sasl2/*sql*
    -rw-r--r--  1 root  wheel  28568 May 13 10:27 /usr/local/lib/sasl2/libsql.a
    -rwxr-xr-x  1 root  wheel    826 May 13 10:27 /usr/local/lib/sasl2/libsql.la
    lrwxr-xr-x  1 root  wheel     11 May 13 10:27 /usr/local/lib/sasl2/libsql.so -> libsql.so.2
    -rwxr-xr-x  1 root  wheel  27026 May 13 10:27 /usr/local/lib/sasl2/libsql.so.2


For some reason I get some mysql related errors in the syslog like
these. I'm using postgresql not mysql. It's compiled --without-mysql and
mysql isn't even installed in the server.
    

"mysql" is the default sql_engine if no other is specified. In your case this 
means your smtpd.conf is not read. Maybe wrong Directory? Some Distributions 
do a lot of Patching.
  
This is where the ports system installed it so it seems the logical place. Ports tend to work together very well.
  
    May 13 15:05:42 barium pluginviewer: SQL engine 'mysql' not supported
    May 13 15:05:42 barium pluginviewer: auxpropfunc error no mechanism available
    

Check where your Cyrus-SASL expects the Config File. Maybe trace the 
saslpasswd Binary.
  
I'm not very familiar with tracing programs, but from what I tried, here is what I've found:

libpq (postgres's client library) is getting loaded

  1493 saslpasswd2 NAMI  "/usr/local/lib/libpq.so.5"
  1493 saslpasswd2 RET   access 0
  1493 saslpasswd2 CALL  open(0x80052a480,O_RDONLY,<unused>0x62eee0)
  1493 saslpasswd2 NAMI  "/usr/local/lib/libpq.so.5"
  1493 saslpasswd2 RET   open 3
  1493 saslpasswd2 CALL  fstat(0x3,0x7fffffffe7f0)
  1493 saslpasswd2 RET   fstat 0
  1493 saslpasswd2 CALL  read(0x3,0x80062dec0,0x1000)
  1493 saslpasswd2 GIO   fd 3 read 4096 bytes

and it is opening /usr/local/lib/sasl2/smtpd.conf just fine.

  1493 saslpasswd2 CALL  open(0x801b19080,O_RDONLY,<unused>0x1b6)
  1493 saslpasswd2 NAMI  "/usr/local/lib/sasl2/smtpd.conf"
  1493 saslpasswd2 RET   open 3
  1493 saslpasswd2 CALL  fstat(0x3,0x7fffffffd4c0)
  1493 saslpasswd2 RET   fstat 0
  1493 saslpasswd2 CALL  read(0x3,0x801b1b000,0x1000)
  1493 saslpasswd2 GIO   fd 3 read 219 bytes
       "pwcheck_method: auxprop
        auxprop_plugin: sql
        sql_engine: pgsql
        mech_list: LOGIN PLAIN
        sql_user: mail
        sql_passwd:
        sql_hostnames: localhost
        sql_database: mail
        sql_select: SELECT pass FROM emails_view WHERE email = '%u@%r'
       "
  1493 saslpasswd2 RET   read 219/0xdb
  1493 saslpasswd2 CALL  write(0x2,0x7fffffffe2b0,0x1d)
  1493 saslpasswd2 GIO   fd 2 wrote 29 bytes
       "saslpasswd2: generic failure
       "
  1493 saslpasswd2 RET   write 29/0x1d
  1493 saslpasswd2 CALL  exit(0x1)

  
    May 13 15:05:46 barium pluginviewer: SQL engine 'mysql' not supported
    May 13 15:05:46 barium pluginviewer: auxpropfunc error no mechanism available
    May 13 15:05:51 barium pluginviewer: SQL engine 'mysql' not supported
    May 13 15:05:51 barium pluginviewer: auxpropfunc error no mechanism available
    May 13 15:17:38 barium server: SQL engine 'mysql' not supported
    May 13 15:17:38 barium server: auxpropfunc error no mechanism available

Other than that, I only get generic errors like

    May 13 15:31:07 barium postfix/smtpd[79672]: warning: SASL per-process initialization failed: generic failure
    May 13 15:31:07 barium postfix/smtpd[79672]: fatal: SASL per-process initialization failed

using the client/server in "sample"

Client

    barium# ./client -s smtpd -m LOGIN localhost
    receiving capability list... recv: {48}
    LOGIN ANONYMOUS PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
    LOGIN ANONYMOUS PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
    send: {5}
    LOGIN
    send: {1}
    N
    recv: {9}
    Username:
    please enter an authentication id: [hidden email]
    Password:
    send: {17}
    [hidden email]
    recv: {9}
    Password:
    send: {6}
    asdfgh
    authentication failed
    closing connection

Server

    accepted new connection
    send: {48}
    LOGIN ANONYMOUS PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
    recv: {5}
    LOGIN
    recv: {1}
    N
    send: {9}
    Username:
    recv: {17}
    [hidden email]
    send: {9}
    Password:
    recv: {6}
    asdfgh
    performing SASL negotiation: user not foundclosing connection
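
The configuration points raised in this exchange (options the reply marks "Not a Cyrus-SASL Option", the sql plugin falling back to 'mysql' when no sql_engine is read, and saslpasswd2 needing sql_insert or sql_update), as an added example that is not part of the original posts: a small Python linter for an smtpd.conf. The `option: value` line format is assumed, and the function names, finding codes and the KNOWN list (limited to options named in this thread) are hypothetical.

```python
# Added example: lint a Cyrus SASL application config such as smtpd.conf.
# KNOWN holds only the options named in this thread; extend it for your setup.
KNOWN = {
    "pwcheck_method", "auxprop_plugin", "mech_list", "log_level",
    "sql_engine", "sql_hostnames", "sql_user", "sql_passwd", "sql_database",
    "sql_select", "sql_insert", "sql_update", "sql_verbose",
}

def parse(text):
    """Parse 'option: value' lines (assumed format); skip blanks and '#' comments.
    A line without a colon is kept with value None so lint() can report it."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, sep, value = line.partition(":")
            opts[key.strip().lower()] = value.strip() if sep else None
    return opts

def lint(text):
    """Return sorted (code, detail) findings for one config file."""
    opts = parse(text)
    findings = [("malformed-line", k) for k, v in opts.items() if v is None]
    findings += [("empty-value", k) for k, v in opts.items() if v == ""]
    findings += [("unknown-option", k) for k, v in opts.items()
                 if v is not None and k not in KNOWN]
    if opts.get("auxprop_plugin") == "sql":
        if not opts.get("sql_engine"):
            # Per the reply quoted above, the plugin then defaults to 'mysql'.
            findings.append(("sql-engine-missing", "plugin defaults to mysql"))
        if not (opts.get("sql_insert") or opts.get("sql_update")):
            findings.append(("no-store-statement", "saslpasswd2 cannot write"))
    return sorted(findings)

# Constructed sample: a variant of the posted config with sql_engine left out.
SAMPLE = """\
pwcheck_method: auxprop
auxprop_plugin: sql
allowplaintext: yes
password_format: plaintext
mech_list: LOGIN PLAIN
sql_user: mail
sql_passwd:
sql_select: SELECT pass FROM emails_view WHERE email = '%u@%r'
"""

if __name__ == "__main__":
    print(*lint(SAMPLE), sep="\n")
```

An `empty-value` finding only says the option has nothing after the colon; whether that is a redaction or the real file content has to be checked on the host.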