Task: IMAP, SMTP, virtual mailboxes, easy to maintain and manage vdomains and users.
System: production server with CentOS (no gcc, no devel packages), non-production system with CentOS and gcc.
Tools: postfix, DBMAIL, DBMA, cyrus-sasl2
I had some trouble while trying to set up SMTP AUTH against the DBMAIL MySQL database, because there are no exact instructions that describe many difficult moments.
DBMAIL installation requires postfix with mysql support.
CentOS 4.2 comes with postfix without mysql support, so download from mysql.com and rebuild postfix:
rpmbuild --rebuild postfix-2.1.5-4.2.RHEL4.src.rpm --clean
Setup postfix+DBMAIL+DBMA as usual.
I tried to set up SMTP AUTH as described in the previous article, but got only 2 sleepless nights. The problem was with the cyrus-sasl-sql library, which understands only plain passwords. But! my dbmail-2.0.10 does not understand plain passwords. Maybe I missed something when I compiled DBMAIL, but I was so tired that I chose not to investigate this.
So, I started searching the internet with the keywords "sasl mysql encryption" and found a patch to cyrus-sasl that allows SMTP AUTH as described in the previous article by adding a special parameter "password_format: [plaintext|crypt|crypt_trad]".
OK, I wasn't looking for the easy way, so I tried to recompile cyrus-sasl-2.1.19-5.EL4.src.rpm with the patch copied from cyrus-sasl2-2.1.20-alt7.src.rpm (from the Alt Linux repository), but got a problem with cyrus-sasl-sql and my MySQL-5.0.18.
And after all that I found an article that described the generic steps to set up postfix+cyrus-imapd+cyradm. This article says to use the simple pam_mysql module with the saslauthd daemon. Here are the steps:
Content of the original /etc/pam.d/smtp.postfix:
#%PAM-1.0
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
After editing:
#%PAM-1.0
auth sufficient pam_mysql.so user=dbmailuser passwd=dbmailpass host=localhost db=dbmail table=dbmail_users usercolumn=userid passwdcolumn=passwd crypt=1
account required pam_mysql.so user=dbmailuser passwd=dbmailpass host=localhost db=dbmail table=dbmail_users usercolumn=userid passwdcolumn=passwd crypt=1
where (copy/paste from pam_mysql's README):
user(nobody) - The user with access to open the connection to mysql and with permission to read the table with the passwords.
passwd("") - Password for the same.
host(localhost) - Machine that is running the sql server
db(mysql) - database that contains the table with the user/password combos
table(user) - table that you want to use for the user/password checking
usercolumn(User) - column that has the username field
passwdcolumn(password) - column that has the password field
crypt(0) - Used to decide to use MySQL's PASSWORD() function or crypt()
  0 = No encryption. Passwords in database in plaintext. NOT recommended!
  1 = Use crypt
  2 = Use MySQL PASSWORD() function
In the saslauthd startup configuration (/etc/sysconfig/saslauthd on CentOS):
... MECH=pam FLAGS=-r ...
The "FLAGS=-r" option is very important: without it, if the userid contains a domain name, like username@somehost.com, pam_mysql will query only "username", which is unacceptable if you have more than one domain.
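The following model of the login path built above (Postfix to cyrus-sasl to saslauthd to pam_mysql to the dbmail_users table) is an added example; it is not code from this page, DBMail, pam_mysql or cyrus-sasl. It assumes an in-memory SQLite table with the same userid/passwd columns as the pam_mysql line, constructed sample accounts in two domains, and a sha256 stand-in for crypt(3) only when Python's crypt module is unavailable. It shows three things from the text: why a plaintext comparison (the cyrus-sasl-sql situation, or crypt=0) can never match a crypt-stored DBMail password, how crypt=1 and crypt=2 compare, and why without FLAGS=-r only the bare login name reaches pam_mysql so that users in virtual domains cannot be found.

```python
"""Model of the login path: Postfix -> cyrus-sasl -> saslauthd -> pam_mysql
-> dbmail_users.  Added example, not code from the page, DBMail, pam_mysql or
cyrus-sasl.  An in-memory SQLite table stands in for the MySQL dbmail_users
table (same userid/passwd columns as in the pam_mysql line above)."""
import hashlib
import hmac
import sqlite3

try:
    import crypt  # Unix crypt(3) wrapper; removed from the stdlib in Python 3.13
except ImportError:
    crypt = None


def crypt_hash(password: str, setting: str) -> str:
    """crypt=1: crypt(3).  Passing a stored hash as 'setting' re-uses its salt,
    so verification is crypt(candidate, stored) == stored, as pam_mysql does it."""
    if crypt is not None:
        return crypt.crypt(password, setting)
    # ASSUMPTION: stand-in used only when the crypt module is missing.  It keeps
    # the salt-prefix shape of crypt output but is NOT a real crypt(3) format.
    salt = setting.split("$")[2] if setting.startswith("$x$") else setting
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"$x${salt}${digest}"


def make_salt() -> str:
    return crypt.mksalt() if crypt is not None else "c0nstructedSalt"


def mysql_password(password: str) -> str:
    """crypt=2: MySQL 4.1+ PASSWORD(): '*' + upper(hex(SHA1(SHA1(pw))))."""
    return "*" + hashlib.sha1(hashlib.sha1(password.encode()).digest()).hexdigest().upper()


def split_authid(authid: str):
    """cyrus-sasl splits 'user@realm' into a login name and a realm for saslauthd."""
    user, sep, realm = authid.partition("@")
    return user, (realm if sep else "")


def saslauthd_login(user: str, realm: str, combine_realm: bool) -> str:
    """The name saslauthd hands to PAM.  FLAGS=-r (combine_realm) joins the two
    with '@' again; without it only the bare login name reaches pam_mysql."""
    return f"{user}@{realm}" if combine_realm and realm else user


def pam_mysql_check(conn, login: str, password: str, crypt_mode: int) -> bool:
    """pam_mysql: SELECT passwdcolumn FROM table WHERE usercolumn = login,
    then compare according to the crypt= option (0 plain, 1 crypt, 2 PASSWORD())."""
    row = conn.execute("SELECT passwd FROM dbmail_users WHERE userid = ?", (login,)).fetchone()
    if row is None:
        return False  # unknown user: without -r, 'alice' is never in dbmail_users
    stored = row[0]
    if crypt_mode == 0:
        candidate = password
    elif crypt_mode == 1:
        candidate = crypt_hash(password, stored)
    elif crypt_mode == 2:
        candidate = mysql_password(password)
    else:
        raise ValueError("crypt must be 0, 1 or 2")
    return hmac.compare_digest(candidate, stored)


def authenticate(conn, authid: str, password: str, combine_realm: bool = True,
                 crypt_mode: int = 1) -> bool:
    user, realm = split_authid(authid)
    return pam_mysql_check(conn, saslauthd_login(user, realm, combine_realm), password, crypt_mode)


def build_sample_db():
    """Constructed sample data: the same local part in two virtual domains,
    stored the way 'dbmail-users -p crypt' would store them."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE dbmail_users (userid TEXT PRIMARY KEY, passwd TEXT)")
    conn.executemany("INSERT INTO dbmail_users VALUES (?, ?)", [
        ("alice@domain-a.example", crypt_hash("a-secret", make_salt())),
        ("alice@domain-b.example", crypt_hash("b-secret", make_salt())),
    ])
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for flags_r in (True, False):
        print("FLAGS=-r" if flags_r else "no -r   ",
              authenticate(db, "alice@domain-a.example", "a-secret", flags_r),
              authenticate(db, "alice@domain-b.example", "b-secret", flags_r))
    # plaintext comparison against a crypt hash: the cyrus-sasl-sql symptom
    print("crypt=0 vs crypt hash", authenticate(db, "alice@domain-a.example", "a-secret", True, 0))
```

Running the script prints True/True with the realm combined and False/False without it, and False for the plaintext comparison: the stored value is a crypt hash, so only a crypt-aware comparison (crypt=1) can ever succeed.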
In Postfix's main.cf:
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_mynetworks, reject_invalid_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_pipelining, reject_unknown_sender_domain, permit_sasl_authenticated, reject
After applying these settings, restart postfix and saslauthd. Create a user with a password encrypted with the "crypt" function in DBMA. If you are not using DBMA, you can create the account with dbmail-users by specifying -p crypt. Now attempt to log in and send e-mail from a place that is not covered by the "mynetworks_style" directive, or comment out "permit_mynetworks", set "mynetworks_style = host", restart postfix and try from any PC on your network.
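The following is an added example, not Postfix code, that models how Postfix walks the smtpd_recipient_restrictions list above: the first restriction that matches decides, so the order is the policy. The server address, LAN size (/24) and set of resolvable domains are constructed assumptions, and each check is a simplified stand-in for Postfix's real one (reject_unknown_*_domain really does DNS lookups). It shows why the test procedure above needs "mynetworks_style = host": with the default subnet style another PC on the LAN relays through permit_mynetworks before SMTP AUTH is ever consulted.

```python
"""First-match evaluation of the page's smtpd_recipient_restrictions list.
Added example, not Postfix code; per-restriction checks are simplified."""
import ipaddress
import re

RESTRICTIONS = [  # order exactly as on the main.cf line above
    "permit_mynetworks", "reject_invalid_hostname", "reject_non_fqdn_sender",
    "reject_non_fqdn_recipient", "reject_unknown_recipient_domain",
    "reject_unauth_pipelining", "reject_unknown_sender_domain",
    "permit_sasl_authenticated", "reject",
]

# ASSUMPTIONS: constructed server address, LAN and set of resolvable domains.
SERVER_IP = "192.0.2.10"
KNOWN_DOMAINS = {"domain-a.example", "domain-b.example", "remote.example"}


def mynetworks(style: str):
    """mynetworks_style=subnet (the Postfix 2.x default) trusts the server's
    whole subnet; 'host' trusts only the server itself.  A /24 LAN is assumed."""
    if style == "host":
        return [ipaddress.ip_network(f"{SERVER_IP}/32")]
    return [ipaddress.ip_network(f"{SERVER_IP}/24", strict=False)]


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2]


def evaluate(session: dict, style: str = "subnet"):
    """Return (decision, restriction) from the first restriction that matches."""
    ip = ipaddress.ip_address(session["client_ip"])
    for r in RESTRICTIONS:
        if r == "permit_mynetworks" and any(ip in net for net in mynetworks(style)):
            return "permit", r
        if r == "reject_invalid_hostname" and not re.fullmatch(r"[A-Za-z0-9.-]+", session["helo"]):
            return "reject", r
        if r == "reject_non_fqdn_sender" and "." not in domain_of(session["sender"]):
            return "reject", r
        if r == "reject_non_fqdn_recipient" and "." not in domain_of(session["recipient"]):
            return "reject", r
        if r == "reject_unknown_recipient_domain" and domain_of(session["recipient"]) not in KNOWN_DOMAINS:
            return "reject", r
        if r == "reject_unauth_pipelining" and session.get("pipelined", False):
            return "reject", r
        if r == "reject_unknown_sender_domain" and domain_of(session["sender"]) not in KNOWN_DOMAINS:
            return "reject", r
        if r == "permit_sasl_authenticated" and session.get("sasl_authenticated", False):
            return "permit", r
        if r == "reject":
            return "reject", r
    return "permit", "end-of-list"  # Postfix's implicit default when nothing matched


def lan_session(**overrides) -> dict:
    """Constructed session: another PC on the server's LAN relaying outbound mail."""
    s = {"client_ip": "192.0.2.55", "helo": "pc.lan", "sender": "alice@domain-a.example",
         "recipient": "bob@remote.example", "sasl_authenticated": False}
    s.update(overrides)
    return s


if __name__ == "__main__":
    print("LAN, subnet style, no AUTH :", evaluate(lan_session(), "subnet"))
    print("LAN, host style, no AUTH   :", evaluate(lan_session(), "host"))
    print("LAN, host style, with AUTH :", evaluate(lan_session(sasl_authenticated=True), "host"))
    print("AUTH but non-FQDN sender   :",
          evaluate(lan_session(sasl_authenticated=True, sender="alice@localhost"), "host"))
```

Note that permit_sasl_authenticated sits after the reject_* checks, so an authenticated user whose envelope sender has no FQDN is still rejected by reject_non_fqdn_sender; that is a useful property when testing, because a failed test may be the sender address rather than SMTP AUTH.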