Sasl CRAM MD5 Postfix SMTP

Hi,

I have setup my postfix config to get a smtp server I can use for sending mails from home.

Got it working with a SSL connection and using PLAIN login.

But now I would like to login with CRAM MD5 authentication.

But when I enable CRAM MD5 in my Apple Mail client, I get a authentication failed, while PLAIN login is working fine.

Which setting do I miss?

Password is stored PLAIN in my database, because I have CRAM MD5 working for my IMAP server already.
> saslfinger - postfix Cyrus sasl configuration Sun Mar 15 18:14:24 CET 2009

version: 1.0.2

mode: server-side SMTP AUTH

– basics --

Postfix: 2.5.5

System: Debian GNU/Linux 5.0 \n \l

-- smtpd is linked to --

libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7e35000)

-- active SMTP AUTH and TLS parameters for smtpd --

brokensaslauth_clients = no

smtpdsaslauth_enable = yes

smtpdsaslauthenticated_header = no

smtpdsasllocal_domain =

smtpdsaslsecurity_options = noanonymous

smtpdtlsauth_only = yes

smtpdtlscert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem

smtpdtlskey_file = /etc/ssl/private/ssl-cert-snakeoil.key

smtpdtlsreceived_header = yes

smtpdtlssessioncachedatabase = btree:${datadirectory}/smtpdscache

smtpdusetls = yes

-- listing of /usr/lib/sasl2 --

total 780

drwxr-xr-x 2 root root 4096 Mar 15 01:56 .

drwxr-xr-x 39 root root 12288 Mar 15 14:54 ..

-rw-r--r-- 1 root root 13468 Sep 1 2008 libanonymous.a

-rw-r--r-- 1 root root 855 Sep 1 2008 libanonymous.la

-rw-r--r-- 1 root root 13016 Sep 1 2008 libanonymous.so

-rw-r--r-- 1 root root 13016 Sep 1 2008 libanonymous.so.2

-rw-r--r-- 1 root root 13016 Sep 1 2008 libanonymous.so.2.0.22

-rw-r--r-- 1 root root 15810 Sep 1 2008 libcrammd5.a

-rw-r--r-- 1 root root 841 Sep 1 2008 libcrammd5.la

-rw-r--r-- 1 root root 15352 Sep 1 2008 libcrammd5.so

-rw-r--r-- 1 root root 15352 Sep 1 2008 libcrammd5.so.2

-rw-r--r-- 1 root root 15352 Sep 1 2008 libcrammd5.so.2.0.22

-rw-r--r-- 1 root root 46412 Sep 1 2008 libdigestmd5.a

-rw-r--r-- 1 root root 864 Sep 1 2008 libdigestmd5.la

-rw-r--r-- 1 root root 43500 Sep 1 2008 libdigestmd5.so

-rw-r--r-- 1 root root 43500 Sep 1 2008 libdigestmd5.so.2

-rw-r--r-- 1 root root 43500 Sep 1 2008 libdigestmd5.so.2.0.22

-rw-r--r-- 1 root root 13646 Sep 1 2008 liblogin.a

-rw-r--r-- 1 root root 835 Sep 1 2008 liblogin.la

-rw-r--r-- 1 root root 13460 Sep 1 2008 liblogin.so

-rw-r--r-- 1 root root 13460 Sep 1 2008 liblogin.so.2

-rw-r--r-- 1 root root 13460 Sep 1 2008 liblogin.so.2.0.22

-rw-r--r-- 1 root root 29068 Sep 1 2008 libntlm.a

-rw-r--r-- 1 root root 829 Sep 1 2008 libntlm.la

-rw-r--r-- 1 root root 28436 Sep 1 2008 libntlm.so

-rw-r--r-- 1 root root 28436 Sep 1 2008 libntlm.so.2

-rw-r--r-- 1 root root 28436 Sep 1 2008 libntlm.so.2.0.22

-rw-r--r-- 1 root root 13966 Sep 1 2008 libplain.a

-rw-r--r-- 1 root root 835 Sep 1 2008 libplain.la

-rw-r--r-- 1 root root 14036 Sep 1 2008 libplain.so

-rw-r--r-- 1 root root 14036 Sep 1 2008 libplain.so.2

-rw-r--r-- 1 root root 14036 Sep 1 2008 libplain.so.2.0.22

-rw-r--r-- 1 root root 21702 Sep 1 2008 libsasldb.a

-rw-r--r-- 1 root root 866 Sep 1 2008 libsasldb.la

-rw-r--r-- 1 root root 18080 Sep 1 2008 libsasldb.so

-rw-r--r-- 1 root root 18080 Sep 1 2008 libsasldb.so.2

-rw-r--r-- 1 root root 18080 Sep 1 2008 libsasldb.so.2.0.22

-rw-r--r-- 1 root root 23796 Sep 1 2008 libsql.a

-rw-r--r-- 1 root root 964 Sep 1 2008 libsql.la

-rw-r--r-- 1 root root 23312 Sep 1 2008 libsql.so

-rw-r--r-- 1 root root 23312 Sep 1 2008 libsql.so.2

-rw-r--r-- 1 root root 23312 Sep 1 2008 libsql.so.2.0.22

-- content of /etc/postfix/sasl/smtpd.conf --

pwcheck_method: saslauthd

mech_list: plain login cram-md5

allow_plaintext: true

auxprop_plugin: mysql

sql_hostnames: 127.0.0.1

sql_user: --- replaced ---

sql_passwd: --- replaced ---

sql_database: Mail

sql_select: select Password from Mailboxes where User = '%u'

-- active services in /etc/postfix/master.cf --

service type private unpriv chroot wakeup maxproc command + args

(yes) (yes) (yes) (never) (100)

smtp inet n - - - - smtpd

587 inet n - - - - smtpd

pickup fifo n - - 60 1 pickup

cleanup unix n - - - 0 cleanup

qmgr fifo n - n 300 1 qmgr

tlsmgr unix - - - 1000? 1 tlsmgr

rewrite unix - - - - - trivial-rewrite

bounce unix - - - - 0 bounce

defer unix - - - - 0 bounce

trace unix - - - - 0 bounce

verify unix - - - - 1 verify

flush unix n - - 1000? 0 flush

proxymap unix - - n - - proxymap

proxywrite unix - - n - 1 proxymap

smtp unix - - - - - smtp

relay unix - - - - - smtp

-o smtpfallbackrelay=

showq unix n - - - - showq

error unix - - - - - error

retry unix - - - - - error

discard unix - - - - - discard

local unix - n n - - local

virtual unix - n n - - virtual

lmtp unix - - - - - lmtp

anvil unix - - - - 1 anvil

scache unix - - - - 1 scache

maildrop unix - n n - - pipe

flags=DRu user=vmail argv=/usr/bin/maildrop -w 90 -d ${recipient}

uucp unix - n n - - pipe

flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)

ifmail unix - n n - - pipe

flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)

bsmtp unix - n n - - pipe

flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient

scalemail-backend unix - n n - 2 pipe

flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}

mailman unix - n n - - pipe

flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py

${nexthop} ${user}

-- mechanisms on localhost --

-- end of saslfinger output --

Thanks in advantage,

Laurens

14 Replies

Extra information:

When setting MD5 auth, I don't even see a query in my MYSQL log, so sasl isn't even passing the query to mysql.

Working PLAIN:
> Mar 15 18:16:17 lin postfix/smtpd[3116]: connect from 00-22-161-161.access.telenet.be[00.22.161.161]

Mar 15 18:16:18 lin postfix/smtpd[3116]: 8487A4CE4: client=00-22-161-161.access.telenet.be[00.22.161.161], saslmethod=PLAIN, saslusername=[email protected]

Mar 15 18:16:18 lin postfix/cleanup[3119]: 8487A4CE4: message-id=<[email protected]>

Not working MD5:
> Mar 15 18:16:38 lin postfix/smtpd[3129]: connect from 00-22-161-161.access.telenet.be[00.22.161.161]

Mar 15 18:16:38 lin postfix/smtpd[3129]: warning: SASL authentication failure: no secret in database

Mar 15 18:16:38 lin postfix/smtpd[3129]: warning: 00-22-161-161.access.telenet.be[00.22.161.161]: SASL CRAM-MD5 authentication failed: authentication failure

Mar 15 18:16:38 lin postfix/smtpd[3129]: lost connection after AUTH from 00-22-161-161.access.telenet.be[00.22.161.161]

What distro?

I fought with SASL and Postfix for a while and I got it, but I'm not entirely sure how.

First suggestion: is /etc/sasldb2 available to the chroot? On my Debian, I had to add "etc/sasldb2" to the definition of FILES in /etc/init.d/postfix.

@Alucard:

What distro?

I fought with SASL and Postfix for a while and I got it, but I'm not entirely sure how.

First suggestion: is /etc/sasldb2 available to the chroot? On my Debian, I had to add "etc/sasldb2" to the definition of FILES in /etc/init.d/postfix.

Thanks for your reply.

I'm running Debian Lenny.

I have done nothing with the sasldb2, so thats not in my chroot.

But I think I don't need that file, because I only want to authenticate with users from my MySQL database. I think the sasldb2 file is for local users?

To connect to the database, I have set up a "/etc/pam.d/smtp" file and a smtpd.conf file in the sasl directory under my postfix chroot.

But SASL is working, but with PLAIN auhentication. So my database connection is set up correctly (got this after many hours of tweaking and trying). But only CRAM-MD5 is not.

It's strange, because my password is retreived from my database without encryption, so SALS should be able to make the MD5 from it?

apt-get install libsasl2-modules

?

I already have those, because the MySQL module needs that one.
> libsasl2-modules is already the newest version. .

That module is working. I just want to send my password as a MD5 string instead of a plain password, as an extra..

Any other things I can check to get CRAM MD5 working?

I had similar headaches with Cyrus SASL and switched to using Dovecot SASL mechanism which saved me a world of trouble - not just CRAM-MD5 but getting it to look up the password from the postfixadmin database.

Of course if you're not using Dovecot this might not be of help, but happy to offer my configs if you're interested.

> I had similar headaches with Cyrus SASL and switched to using Dovecot SASL mechanism which saved me a world of trouble - not just CRAM-MD5 but getting it to look up the password from the postfixadmin database.
I second this. I couldn't get Cyrus to work for me at all, and all the Howtos recommended I stay away from Cyrus. Dovecot, however, worked almost immediately out of the box with Postfix. It's a very tight fit, and comes with the recommendation of a lot of sysadmins.

I'd be happy to share my configs as well (but I don't do MySQL, I authenticate against Unix users).

As I can see Dovecot is IMAP client. I have already set up Courier for that, and I'm just getting to know Courier. I see Dovecot is a bit smaller in memory footprint, but I have only one client (meself 8)), so thats not worth changing.

I did got the password lookup from my database working, but also after 2/3 days of trying and seeing a lot of tutorials.

Thats just the strange thing, PLAIN login works, so the module HAS the password.

I could use the IMAP authentication, which is I think the way it works with Dovecot? So the SMTP checks if there is an successful IMAP connection for those user/password combo? But then you can't change you query, so you can't specify which users can send mail trough your server or not, or add users who doesn't have a mailbox.

For my next installation I will use Dovecot, thanks for the tip!

But in this installation, I'm not goiing to change it anymore, I have put to many time to get this working :twisted:.

The CRAM MD5 is not that imported, but it would be nice to get it working.

Thanks for your replies, condate and jed.

Hi tofu, I've been google-fu'ing around and I saw this

> A better option would be to configure courier-authlib to authenticate

against the SQL database, then have Cyrus-SASL use the courier-authlib

authentication scheme.

While it sounds like hackery, it works very well and is very light

weight.

As to how to do that.. not sure. But I had the identical issue to you, in that the db was being bypassed altogether and the failures were related to its attempt to check the passwd against its own sasldb. I fixed that error by copying /etc/sasldb to the /var/spool/postfix/… etc location (so a chroot issue there I guess), but never worked out how to get it to stop being stubborn and just use the db.

This howto has some information on using courier authlib, though the author seems to compile everything (may not be necessary.. hopefully not)

Good luck!

Thanks for your input.

I tried with the authdaemond from the tutorial, but got a "socket not found", because the socket of that daemon is outside my postfix chroot (postfix runs chrooted under Debian).

Did some further investigation with my current configuration.

When I add CRAM-MD5 to the mech list, I get a "secret not found" message.

But when I look here, I see this seems to be the error you get if you're missing a module.

When I enable MySQL logging, I see indeed no queries when using CRAM-MD5. While I do see them when using PLAIN login.

So it looks like "secret not found" means something like "no module found for this authentication method". So that the -sql module is only configured for plain and login, and not for md5?

But here it looks like its working with that module.

But now I found here that also authdaemond wouldn't solve my problem, that those module also only supports plain login

EDIT: found another one, also here they say saslauthd only supports plain login. How stupid is that :evil:.

A big disadvantantage with the IMAP authentication method, or the courier authentication is that then I have the same SQL query, so I can't specify who can use the smtp server and who not.

In that HOWTO they also speak of only PLAIN and LOGIN:
> From the telnet we can see postfix already support Auth with Login and Plain,
> 250-STARTTLS

250-AUTH LOGIN PLAIN

250-AUTH=LOGIN PLAIN

250-ENHANCEDSTATUSCODES

YES! Got it working :D.

Just changed some things in my smtpd.conf and it worked :?.

> pwcheck_method: auxprop

pwcheck_method: saslauthd

pwcheck_method: authdaemond

mech_list: plain login cram-md5 digest-md5

authdaemond_path:/var/run/courier/authdaemon/socket

allow_plaintext: true

auxprop_plugin: mysql

sql_engine: mysql

sql_hostnames: 127.0.0.1

sql_user: Postfix

sql_passwd: removed

sql_database: Mail

sql_select: select Password from Mailboxes where User = '%u'

I added the sqlengine and changed the pwcheckmethod (was: auxpropplugin: mysql in combination with pwcheckmethod: saslauthd).

Now AUTH MD5 works, and I can specify the users who can use it or not 8)

Thanks all!

Good to hear! :) you should write a howto on the Wiki or something for the courier users :)

Reply

Please enter an answer
Tips:

You can mention users to notify them: @username

You can use Markdown to format your question. For more examples see the Markdown Cheatsheet.

> I’m a blockquote.

I’m a blockquote.

[I'm a link] (https://www.google.com)

I'm a link

**I am bold** I am bold

*I am italicized* I am italicized

Community Code of Conduct