SMTP-AUTH with crypt passwords in SQL backend


SMTP-AUTH with crypt passwords in SQL backend

Juan Miscaro-2
Hi everybody,

I have STARTTLS, SMTP-AUTH, and SASL running with cleartext passwords
in a SQL backend for a while now.  I am trying to switch over from
cleartext to crypt in terms of my passwords stored in MySQL.  I have
things running for IMAP with crypt.  For SMTP-AUTH I am using the same
SQL table and password.  I thought all I would need to do is edit my
smtpd.conf file (point to the encrypted table column and specify crypt
as password format) but I'm getting

postfix/smtpd[6085]: warning: SASL authentication failure: Password
verification failed
postfix/smtpd[6085]: warning: modemcableBLAH[69.10.10.10]: SASL PLAIN
authentication failed: authentication failure
postfix/smtpd[6085]: warning: modemcableBLAH[69.10.10.10]: SASL LOGIN
authentication failed: authentication failure

Here is my smtpd.conf:

pwcheck_method: auxprop
auxprop_plugin: sql
mech_list: PLAIN LOGIN

#log_level: 2

sql_engine:     mysql
sql_hostnames:  localhost
sql_database:   mail
sql_user:       postfix
sql_passwd:     yeahright
sql_select:     SELECT crypt FROM virtual_users WHERE email = '%u@%r'
sql_usessl:     no
password_format: crypt

What am I missing?

/juan

Re: SMTP-AUTH with crypt passwords in SQL backend

mouss-2
Juan Miscaro wrote:
> Hi everybody,
>
> I have STARTTLS, SMTP-AUTH, and SASL running with cleartext passwords
> in a SQL backend for a while now.  I am trying to switch over from
> cleartext to crypt in terms of my passwords stored in MySQL.  I have
> things running for IMAP with crypt.  For SMTP-AUTH I am using the same
> SQL table and password.

you forgot to tell us what sasl implementation you use. I guess it's
cyrus-sasl...

> I thought all I would need to do is edit my
> smtpd.conf file (point to the encrypted table column and specify crypt
> as password format) but I'm getting
>

cyrus-sasl does not support encrypted mysql passwords. try something else.

note that:
- if you are using dovecot, then you'd better use dovecot as a sasl
implementation
- if you are using courier, then you'd better use authdaemon via
cyrus-sasl.



> postfix/smtpd[6085]: warning: SASL authentication failure: Password
> verification failed
> postfix/smtpd[6085]: warning: modemcableBLAH[69.10.10.10]: SASL PLAIN
> authentication failed: authentication failure
> postfix/smtpd[6085]: warning: modemcableBLAH[69.10.10.10]: SASL LOGIN
> authentication failed: authentication failure
>
> Here is my smtpd.conf:
>
> pwcheck_method: auxprop
> auxprop_plugin: sql
> mech_list: PLAIN LOGIN
>
> #log_level: 2
>
> sql_engine:     mysql
> sql_hostnames:  localhost
> sql_database:   mail
> sql_user:       postfix
> sql_passwd:     yeahright
> sql_select:     SELECT crypt FROM virtual_users WHERE email = '%u@%r'
> sql_usessl:     no
> password_format: crypt
>
> What am I missing?

you missed the fact that we have no idea about your configuration. you
are asking questions as though we all have similar configs. we don't.

Re: SMTP-AUTH with crypt passwords in SQL backend

Patrick Ben Koetter
In reply to this post by Juan Miscaro-2
* Juan Miscaro <[hidden email]>:

> Hi everybody,
>
> I have STARTTLS, SMTP-AUTH, and SASL running with cleartext passwords
> in a SQL backend for a while now.  I am trying to switch over from
> cleartext to crypt in terms of my passwords stored in MySQL.  I have
> things running for IMAP with crypt.  For SMTP-AUTH I am using the same
> SQL table and password.  I thought all I would need to do is edit my
> smtpd.conf file (point to the encrypted table column and specify crypt
> as password format) but I'm getting
>
> postfix/smtpd[6085]: warning: SASL authentication failure: Password
> verification failed
> postfix/smtpd[6085]: warning: modemcableBLAH[69.10.10.10]: SASL PLAIN
> authentication failed: authentication failure
> postfix/smtpd[6085]: warning: modemcableBLAH[69.10.10.10]: SASL LOGIN
> authentication failed: authentication failure
>
> Here is my smtpd.conf:
>
> pwcheck_method: auxprop
> auxprop_plugin: sql
> mech_list: PLAIN LOGIN
>
> #log_level: 2
>
> sql_engine:     mysql
> sql_hostnames:  localhost
> sql_database:   mail
> sql_user:       postfix
> sql_passwd:     yeahright
> sql_select:     SELECT crypt FROM virtual_users WHERE email = '%u@%r'
> sql_usessl:     no
> password_format: crypt
>
> What am I missing?

1. The so-called FROST patch, which adds functionality to Cyrus SASL to have
it verify crypted MySQL passwords. You patch, and you lose shared-secret
mechanism functionality and are left to use plaintext passwords only.

2. You don't patch, but don't use the sql auxprop_plugin. Instead you
configure saslauthd to use PAM and PAM to use the Mysql Plugin. Again, you
gain crypted passwords and lose shared-secret mechanisms.

p@rick

--
The Book of Postfix
<http://www.postfix-book.com>
saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
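Why a one-way hash store is enough for PLAIN/LOGIN but rules out shared-secret mechanisms, as an added Python illustration (not part of the thread): PBKDF2-HMAC-SHA256 stands in for crypt(3), the CRAM-MD5 exchange is constructed, and base64 framing is omitted.

```python
import hashlib
import hmac

ITERATIONS = 100_000  # PBKDF2 work factor for the stand-in hash store


def hash_password(password: str, salt: bytes) -> str:
    """One-way store. PBKDF2-HMAC-SHA256 stands in for crypt(3) here."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_plain(stored: str, candidate: str) -> bool:
    """PLAIN/LOGIN: the client sends the password itself, so the server
    can re-hash it and compare against the stored hash."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """Client side of CRAM-MD5 (RFC 2195, base64 framing omitted):
    HMAC-MD5 over the server challenge, keyed with the plaintext password."""
    return f"{username} {hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()}"


def verify_cram_md5(secret_for, response: str, challenge: bytes) -> bool:
    """Server side: must recompute the same HMAC, which needs the plaintext
    secret. Whatever the store holds is what gets used as the HMAC key."""
    username, digest = response.rsplit(" ", 1)
    secret = secret_for(username)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def demo() -> dict:
    password = "correct horse"                           # constructed
    stored = hash_password(password, salt=b"\x01" * 16)  # constructed fixed salt
    challenge = b"<1896.697170952@mail.example>"         # constructed challenge
    response = cram_md5_response("juan", password, challenge)
    return {
        "plain_ok": verify_plain(stored, password),
        "plain_wrong": verify_plain(stored, "wrong"),
        # a server holding the plaintext can verify the shared-secret mechanism
        "cram_with_plaintext": verify_cram_md5(lambda u: password, response, challenge),
        # a server holding only the hash cannot: the hash is not the key the client used
        "cram_with_hash_only": verify_cram_md5(lambda u: stored, response, challenge),
    }
```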

Re: SMTP-AUTH with crypt passwords in SQL backend

Juan Miscaro-2
In reply to this post by mouss-2
2008/7/28 mouss <[hidden email]>:

> Juan Miscaro wrote:
>>
>> Hi everybody,
>>
>> I have STARTTLS, SMTP-AUTH, and SASL running with cleartext passwords
>> in a SQL backend for a while now.  I am trying to switch over from
>> cleartext to crypt in terms of my passwords stored in MySQL.  I have
>> things running for IMAP with crypt.  For SMTP-AUTH I am using the same
>> SQL table and password.
>
> you forgot to tell us what sasl implementation you use. I guess it's
> cyrus-sasl...

Yes, I'm using Cyrus-SASL.

>> I thought all I would need to do is edit my
>> smtpd.conf file (point to the encrypted table column and specify crypt
>> as password format) but I'm getting
>>
>
> cyrus-sasl does not support encrypted mysql passwords. try something else.

:(

> - if you are using courier, then you'd better use authdaemon via cyrus-sasl.

Ah.  That would be nice!  I am indeed running Courier.

I updated smtpd.conf and everything seems to be working.  Thanks!

> you missed the fact that we have no idea about your configuration. you are
> asking questions as though we all have similar configs. we don't.

My apologies.

/juan

Re: SMTP-AUTH with crypt passwords in SQL backend

kj-12
In reply to this post by Juan Miscaro-2
Juan Miscaro wrote:

> Hi everybody,
>
> I have STARTTLS, SMTP-AUTH, and SASL running with cleartext passwords
> in a SQL backend for a while now.  I am trying to switch over from
> cleartext to crypt in terms of my passwords stored in MySQL.  I have
> things running for IMAP with crypt.  For SMTP-AUTH I am using the same
> SQL table and password.  I thought all I would need to do is edit my
> smtpd.conf file (point to the encrypted table column and specify crypt
> as password format) but I'm getting
>
> postfix/smtpd[6085]: warning: SASL authentication failure: Password
> verification failed
> postfix/smtpd[6085]: warning: modemcableBLAH[69.10.10.10]: SASL PLAIN
> authentication failed: authentication failure
> postfix/smtpd[6085]: warning: modemcableBLAH[69.10.10.10]: SASL LOGIN
> authentication failed: authentication failure

I'm using libsasl2 in Debian Etch (not sure if this is Cyrus or not,
none of the included documents specify) but either way, I use sasl with
pam and pam with mysql.

~# cat /etc/postfix/sasl/smtpd.conf
pwcheck_method: saslauthd
mech_list: plain login

# cat /etc/pam.d/smtp
auth required pam_mysql.so user=postfix passwd=YOURPASS host=127.0.0.1 db=postfix table=mailbox usercolumn=username passwdcolumn=password crypt=1 md5=1
account sufficient pam_mysql.so user=postfix passwd=YOURPASS host=127.0.0.1 db=postfix table=mailbox usercolumn=username passwdcolumn=password crypt=1 md5=1

One other gotcha is that if you're running Postfix in a chroot, you have
to make sasl put its socket in the Postfix chroot, otherwise it won't work.

From /etc/defaults/saslauthd:

# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
# Note: See /usr/share/doc/sasl2-bin/README.Debian

Hope this helps!

--kj

504 5.5.2 error workaround

Security Admin (NetSec)
One of my network devices seems to have issues with its hostname:

"Unexpected error from e-mail server(state=3): 504 5.5.2 <dazedandconfused>: Helo command rejected: need fully-qualified hostname."


Appears in my event log of the device when it tries to send logs to my Postfix gateway server.  Is there a filter I can add via main.cf to allow just this host/IP address without needing the full hostname (which my device has suddenly not to give :) )

Thanks in advance!

Edward Ray

--
This mail was scanned by BitDefender
For more information please visit http://www.bitdefender.com

Re: 504 5.5.2 error workaround

Sahil Tandon
Security Admin (NetSec) <[hidden email]> wrote:

> One of my network devices seems to have issues with its hostname:
>
> "Unexpected error from e-mail server(state=3): 504 5.5.2
> <dazedandconfused>: Helo command rejected: need fully-qualified
> hostname."
>
> Appears in my event log of the device when it tries to send logs to my
> Postfix gateway server.  Is there a filter I can add via main.cf to
> allow just this host/IP address without needing the full hostname (which
> my device has suddenly not to give :) )
You can probably use a check_helo_access map in your smtpd_*_checks
before you reject_non_fqdn_helo_hostname, but please provide the output
of postconf -n and read:

http://www.postfix.org/DEBUG_README.html#mail

--
Sahil Tandon <[hidden email]>

Re: 504 5.5.2 error workaround

Noel Jones-2
In reply to this post by Security Admin (NetSec)
Security Admin (NetSec) wrote:

> One of my network devices seems to have issues with its hostname:
>
> "Unexpected error from e-mail server(state=3): 504 5.5.2 <dazedandconfused>: Helo command rejected: need fully-qualified hostname."
>
>
> Appears in my event log of the device when it tries to send logs to my Postfix gateway server.  Is there a filter I can add via main.cf to allow just this host/IP address without needing the full hostname (which my device has suddenly not to give :) )
>
> Thanks in advance!
>
> Edward Ray
>

Is this device's IP included in your mynetworks setting?  You
should list "permit_mynetworks" before you
"reject_non_fqdn_helo_hostname".

If you don't want to list this device in mynetworks for some
reason, you can use a check_client_access map to whitelist the
client's IP.  See the archives if you need examples.

--
Noel Jones
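Why the order of the restrictions matters, as an added Python model of Postfix's first-match evaluation (not part of the thread): the device, its bare HELO name and the RFC 5737 address are constructed, and the FQDN test and access map are simplified stand-ins for the real restrictions.

```python
import ipaddress

# Constructed client modelled on the device in the thread: bare HELO name, documentation IP.
DEVICE = {"ip": "192.0.2.10", "helo": "dazedandconfused"}

def permit_mynetworks(client, cfg):
    ip = ipaddress.ip_address(client["ip"])
    if any(ip in ipaddress.ip_network(net) for net in cfg["mynetworks"]):
        return "PERMIT"
    return "DUNNO"

def reject_non_fqdn_helo_hostname(client, cfg):
    # Simplified FQDN test: the HELO argument must contain a dot (a.b form).
    if "." in client["helo"].strip("."):
        return "DUNNO"
    return "REJECT 504 5.5.2 Helo command rejected: need fully-qualified hostname"

def check_client_access(client, cfg):
    # Exact-IP lookup standing in for a check_client_access map; OK means permit.
    action = cfg["client_access"].get(client["ip"])
    if action == "OK":
        return "PERMIT"
    return action or "DUNNO"

RESTRICTIONS = {
    "permit_mynetworks": permit_mynetworks,
    "reject_non_fqdn_helo_hostname": reject_non_fqdn_helo_hostname,
    "check_client_access": check_client_access,
}

def evaluate(restriction_list, client, cfg):
    """Postfix semantics: walk the list in order, stop at the first PERMIT or
    REJECT; a list that produces only DUNNO ends in an implicit permit."""
    for name in restriction_list:
        result = RESTRICTIONS[name](client, cfg)
        if result != "DUNNO":
            return result
    return "PERMIT"

def demo():
    in_nets = {"mynetworks": ["127.0.0.0/8", "192.0.2.0/24"], "client_access": {}}
    not_in_nets = {"mynetworks": ["127.0.0.0/8"], "client_access": {"192.0.2.10": "OK"}}
    return {
        # reject listed first: the device is turned away before mynetworks is consulted
        "reject_first": evaluate(["reject_non_fqdn_helo_hostname", "permit_mynetworks"], DEVICE, in_nets),
        # permit_mynetworks listed first: it matches and evaluation stops there
        "permit_first": evaluate(["permit_mynetworks", "reject_non_fqdn_helo_hostname"], DEVICE, in_nets),
        # device not in mynetworks, but a client access map whitelists its IP
        "access_map": evaluate(["check_client_access", "reject_non_fqdn_helo_hostname"], DEVICE, not_in_nets),
    }
```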