[smtp_auth:postfix_centos]
 
Trace: postfix_centos

Task: IMAP, SMTP, virtual mailboxes, easy to maintain and manage vdomains and users.

System: production server with CentOS (no gcc, no devel packages), non-production system with CentsOS and gcc.

Tools: postfix, DBMAIL, DBMA, cyrus-sasl2

I had some troubles while tried to setup SMTP AUTH against DBMAIL MySQL database, because there are no exact instruction, that describe many difficult moments.

DBMAIL installation requires postfix with mysql support.

CentsOS 4.2 comes with postfix w/o mysql support, so download

  • postfix-2.1.5-4.2.RHEL4.src.rpm
  • MySQL-client-standard-5.0.18-0.rhel4.i386.rpm
  • MySQL-devel-standard-5.0.18-0.rhel4.i386.rpm
  • MySQL-server-standard-5.0.18-0.rhel4.i386.rpm
  • MySQL-shared-standard-5.0.18-0.rhel4.i386.rpm

from mysql.com and rebuild postfix:

rpmbuild —-rebuild postfix-2.1.5-4.2.RHEL4.src.rpm —-clean

Setup postfix+DBMAIL+DBMA as usual.

I tried to setup SMTP AUTH as described in previous article, but get only a 2 sleepless nights. The problem was with cyrus-sasl-sql library, that understand only plain passwords. But! my dbmail-2.0.10 do not understand plain passwords. May be I miss something when I compiled DBMAIL, but I was so tired so I choose do not investigate this.

So, I start discovering internet with keywords “sasl mysql encryption” and find some pach to cyrus-sasl that allow SMTP AUTH as described in previous article by adding special parameter “password_format: [plaintext|crypt|crypt_trad]”.

Ok, I don't look for easy way, so I tried to recompile cyrus-sasl-2.1.19-5.EL4.src.rpm with patch, copied from cyrus-sasl2-2.1.20-alt7.src.rpm(from Alt Linux repository) but get problem with cyrus-sasl-sql and my MySQL-5.0.18.

And after all I found one article, that described generic steps to setup postfix+cyrus-imapd+cyradm. This article says to use simple pam_mysql module with saslauthd daemon. There are the steps:

  • Install pam_mysql
  • Edit /etc/pam.d/smtp.postfix and synlink smtp.postfix to /etc/pam.d/smtp

content of original etc/pam.d/smtp.postfix: 

   #%PAM-1.0
   auth       required    pam_stack.so service=system-auth
   account    required    pam_stack.so service=system-auth

after aditing: 

  #%PAM-1.0
  auth sufficient pam_mysql.so user=dbmailuser passwd=dbmailpass host=localhost db=dbmail table=dbmail_users usercolumn=userid passwdcolumn=passwd crypt=1
   
  account required pam_mysql.so user=dbmailuser passwd=dbmailpass host=localhost db=dbmail table=dbmail_users usercolumn=userid passwdcolumn=passwd crypt=1

where are(copy/paste from pam_mysql.s README): 

    user(nobody) - The user with access to the open the connection to mysql
    and has permission to read the table with the passwords.
    passwd("") - Password for the same.
    host(localhost) - Machine that is running the sql server
    db(mysql) - database that contents the table with the user/password
    combos
    table(user) - table that you want to use for the user/password checking
    usercolumn(User) - column that has the username field
    passwdcolumn(password) - column that has the password field
    crypt(0) - Used to decide to use MySQL's PASSWORD() function or crypt()
          0 = No encryption. Passwords in database in plaintext. NOT recommended!
          1 = Use crypt
          2 = Use MySQL PASSWORD() function
  • Edit /etc/sysconfig/saslauthd:
   ...
   MECH=pam
   FLAGS=-r
   ...

“FLAGS=-r” option is very important: w/o this option if userid contains domain name, like username@somehost.com pam_mysql will query only “username”, that is unacceptable if you have more than 1 domain.

  • /usr/lib/sasl2/smtpd.conf contains “pwcheck_method: saslauthd”
  • /etc/postfix/main.cf contains:
  broken_sasl_auth_clients = yes
  smtpd_sasl_auth_enable = yes
  smtpd_sasl_security_options = noanonymous
  smtpd_recipient_restrictions =
                              permit_mynetworks,
                              reject_invalid_hostname,
                              reject_non_fqdn_sender,
                              reject_non_fqdn_recipient,
                              reject_unknown_recipient_domain,
                              reject_unauth_pipelining,
                              reject_unknown_sender_domain,
                              permit_sasl_authenticated,
                              reject

After applying this settings restart postfix, saslauthd. Create a user with password encrypter with “crypt” function in DBMA. If you are not using DBMA, you can create the account with dbmail-users by specifying -p crypt. Now attempt to login and send e-mail from place that not described as “mynetworks_style” directive, or comment “permit_mynetworks” and make “mynetworks_style = host”, restart postfix and try from any PC from you'r network.

 
smtp_auth/postfix_centos.txt · Last modified: 2010/12/19 11:02 by haxyek
 
DBMail is developed by Paul J Stevens together with developers world-wide