A BUGNOTE has been added to this bug.
======================================================================
http://www.dbmail.org/mantis/bug_view_advanced_page.php?bug_id=0000137
======================================================================
Reported By:                aaron
Assigned To:
======================================================================
Project:                    DBMail
Bug ID:                     137
Category:                   Documentation
Reproducibility:            always
Severity:                   feature
Priority:                   normal
Status:                     new
======================================================================
Date Submitted:             11-Dec-04 00:59 CET
Last Modified:              17-Jul-05 19:19 CEST
======================================================================
Summary:                    Configuration for SMTP AUTH for various MTA's
Description:
We should have a document explaining SMTP AUTH, with subdocuments for how to connect each of the major MTA's to DBMail's database.
======================================================================
----------------------------------------------------------------------
 aaron - 11-Dec-04 00:59 CET
----------------------------------------------------------------------
Drew Morris asked, and Christian Warden answered:

Exim configuration for SMTP AUTH against dbmail database is pretty straightforward.

begin authenticators

plain:
  driver = plaintext
  public_name = PLAIN
  server_condition = ${lookup mysql{SELECT user_idnr FROM users WHERE userid = '${quote_mysql:$2}' AND passwd = '${quote_mysql:$3}'}{1}fail}
  server_set_id = $2
  server_advertise_condition = ${if eq{$tls_cipher}{}{no}{yes}}

login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = "Username:: : Password::"
  server_condition = ${lookup mysql{SELECT user_idnr FROM users WHERE userid = '${quote_mysql:$1}' AND passwd = '${quote_mysql:$2}'}{1}fail}
  server_set_id = $1
  server_advertise_condition = ${if eq{$tls_cipher}{}{no}{yes}}

cram_md5:
  driver = cram_md5
  public_name = CRAM-MD5
  server_secret = ${lookup mysql{SELECT passwd FROM users WHERE userid = '${quote_mysql:$1}'}{$value}fail}
  server_set_id = $1

spa:
  driver = spa
  public_name = NTLM
  server_password = ${lookup mysql{SELECT passwd FROM users WHERE userid = '${quote_mysql:$1}'}{$value}fail}

----------------------------------------------------------------------
 aaron - 11-Dec-04 01:07 CET
----------------------------------------------------------------------
Blake Mitchell said:

We had to rebuild postfix to use SASL then from main.cf:

....
# SMTP SERVER CONTROLS
# The smtpd_sasl_auth_enable parameter controls whether SMTP client
# authentication is enabled in the Postfix SMTP server. By default,
# the Postfix SMTP server does not use authentication.
#
# If an SMTP client is authenticated, then the permit_sasl_authenticated
# access restriction can be used to permit relay access, like this:
#
#    smtpd_recipient_restrictions = permit_sasl_authenticated, ...
#
# To reject all SMTP connections from unauthenticated clients,
# specify smtpd_delay_reject=yes (which is the default) and use:
#
#    smtpd_client_restrictions = permit_sasl_authenticated
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
#
# In order to enable server-side authentication, build Postfix with
# SASL support, and install a configuration file /usr/lib/sasl/smtpd.conf
# (SASL version 1) or /usr/lib/sasl2/smtpd.conf (SASL version 2) with
# as contents, for example,
#
#    pwcheck_method: sasldb
#
# or whatever method is suitable for your environment: PAM, shadow,
# etc. If you use sasldb, you can add users with the "saslpasswd"
# command that comes with the SASL library. If you configure Postfix
# to use PAM, the PAM service name for SASL authentication is "smtp",
# and adding users depends entirely on how PAM is set up.
#
# If you run your SMTP server chrooted, then you need to copy PAM
# and/or SASL support libraries and data files into the chroot jail.
# That's a lot of files, and it seems not very practical to do so.
#
smtpd_sasl_auth_enable = yes
#smtpd_sasl_auth_enable = no

# The smtpd_sasl_security_options parameter controls what authentication
# mechanisms the Postfix SMTP server will offer to the client. The
# list of available authentication mechanisms is system dependent.
#
# Specify zero or more of the following:
#
# noplaintext: disallow methods that use plaintext passwords
# noactive: disallow methods subject to active (non-dictionary) attack
# nodictionary: disallow methods subject to passive (dictionary) attack
# noanonymous: disallow methods that allow anonymous authentication
#
# An additional option is available in SASL version 2:
#
# mutual_auth: only allow methods that provide mutual authentication
#
# By default, the Postfix SMTP server accepts plaintext passwords but
# not anonymous logins.
#
# HORROR!
# It appears that clients try authentication methods in the
# order as advertised by the server (e.g., PLAIN ANONYMOUS CRAM-MD5)
# which means that if you disable plaintext passwords, clients will
# log in anonymously, even when they should be able to use CRAM-MD5.
# So, if you disable plaintext logins, disable anonymous logins too.
# Postfix treats anonymous login as no authentication.
#
#smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_security_options = noanonymous

# The smtpd_sasl_local_domain parameter specifies the name of the
# local authentication realm.
#
# By default, the local authentication realm name is the name of the
# machine.
#
#smtpd_sasl_local_domain = $mydomain
smtpd_sasl_local_domain = $myhostname
....

[EMAIL PROTECTED]:~$ cat /usr/lib/sasl/smtpd.conf
pwcheck_method:PAM

[EMAIL PROTECTED]:~$ cat /etc/pam.d/smtp
#%PAM-1.0
auth     required /lib/security/pam_mysql.so user=root db=dbmail table=dbmail_users usercolumn=userid passwdcolumn=passwd
account  required /lib/security/pam_mysql.so user=root db=dbmail table=dbmail_users usercolumn=userid passwdcolumn=passwd

This is on RedHat 7.3.
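The Exim authenticators in the first note and the SASL mechanisms the Postfix notes enable (PLAIN, LOGIN, CRAM-MD5) hand the server different material, which is why the database lookups differ: PLAIN and LOGIN deliver the password itself, so the Exim server_condition can compare it in SQL, while CRAM-MD5 delivers only an HMAC and the server needs the stored passwd as the HMAC key (that is what the cram_md5 authenticator's server_secret lookup fetches). The Python below is an added example, not DBMail's, Exim's, Postfix's or Cyrus-SASL's code; it implements the server side of the three exchanges against a constructed in-memory stand-in for the users table (the account alice@example.org, its password and the hostname mail.example.org are made up for this example) and shows what each mechanism's fields map to in the Exim configuration:

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for the DBMail users table (userid, passwd) that the Exim
# and SASL lookups in this bug query; the account and password are made up.
USERS = {
    "alice@example.org": "correct horse battery staple",
}


def lookup_passwd(userid):
    """Stand-in for 'SELECT passwd FROM users WHERE userid = ...'; None if no such user."""
    return USERS.get(userid)


def _b64decode(data):
    """Strict base64 decode; returns None on malformed client input instead of raising."""
    try:
        return base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None


def encode_plain(authzid, authcid, passwd):
    """Client side of SASL PLAIN (RFC 4616): base64(authzid NUL authcid NUL passwd)."""
    return base64.b64encode(f"{authzid}\0{authcid}\0{passwd}".encode("utf-8")).decode("ascii")


def verify_plain(initial_response):
    """Server side of PLAIN. Exim exposes the three fields as $1/$2/$3, which is why the
    'plain' authenticator compares $2 (authcid) and $3 (password). Returns userid or None."""
    raw = _b64decode(initial_response)
    if raw is None:
        return None
    parts = raw.split(b"\0")
    if len(parts) != 3:
        return None
    authzid, authcid, passwd = (p.decode("utf-8", "replace") for p in parts)
    stored = lookup_passwd(authcid)
    if stored is None:
        return None
    # Constant-time compare so the check does not leak how many bytes matched.
    if not hmac.compare_digest(stored.encode("utf-8"), passwd.encode("utf-8")):
        return None
    # No proxy authorization here: an authzid, if sent, must equal the authcid.
    if authzid and authzid != authcid:
        return None
    return authcid


def encode_login(userid, passwd):
    """Client side of SASL LOGIN: two base64 answers to the 'Username:'/'Password:' prompts."""
    return (base64.b64encode(userid.encode("utf-8")).decode("ascii"),
            base64.b64encode(passwd.encode("utf-8")).decode("ascii"))


def verify_login(username_b64, password_b64):
    """Server side of LOGIN; the two answers are Exim's $1 and $2 in the 'login' authenticator."""
    user_raw, pw_raw = _b64decode(username_b64), _b64decode(password_b64)
    if user_raw is None or pw_raw is None:
        return None
    userid = user_raw.decode("utf-8", "replace")
    stored = lookup_passwd(userid)
    if stored is None or not hmac.compare_digest(stored.encode("utf-8"), pw_raw):
        return None
    return userid


def cram_md5_challenge(hostname="mail.example.org"):
    """Server challenge for CRAM-MD5 (RFC 2195): base64('<random.time@host>'); hostname is a placeholder."""
    nonce = f"<{secrets.randbelow(10**9)}.{int(time.time())}@{hostname}>"
    return base64.b64encode(nonce.encode("ascii")).decode("ascii")


def cram_md5_client_response(userid, passwd, challenge_b64):
    """Client side of CRAM-MD5: base64('userid ' + hex(HMAC-MD5(passwd, challenge)))."""
    digest = hmac.new(passwd.encode("utf-8"), base64.b64decode(challenge_b64), hashlib.md5).hexdigest()
    return base64.b64encode(f"{userid} {digest}".encode("utf-8")).decode("ascii")


def verify_cram_md5(challenge_b64, response_b64):
    """Server side of CRAM-MD5. The server recomputes HMAC-MD5 keyed with the stored
    password, so the password must be on file in clear (Exim's server_secret lookup);
    a salted hash of it could not serve as the key."""
    challenge, resp = _b64decode(challenge_b64), _b64decode(response_b64)
    if challenge is None or resp is None:
        return None
    userid, sep, digest = resp.decode("utf-8", "replace").rpartition(" ")
    if not sep:
        return None
    stored = lookup_passwd(userid)
    if stored is None:
        return None
    expected = hmac.new(stored.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return userid if hmac.compare_digest(expected.encode("ascii"), digest.encode("utf-8")) else None


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print("PLAIN   :", verify_plain(encode_plain("", "alice@example.org", pw)))
    print("LOGIN   :", verify_login(*encode_login("alice@example.org", pw)))
    chal = cram_md5_challenge()
    print("CRAM-MD5:", verify_cram_md5(chal, cram_md5_client_response("alice@example.org", pw, chal)))
    print("bad pw  :", verify_plain(encode_plain("", "alice@example.org", "wrong")))
```

Two things the example makes visible that the configs do not. First, the PLAIN and LOGIN checks above compare bytes exactly, whereas the Exim 'plain' and 'login' authenticators let MySQL do the comparison (passwd = '${quote_mysql:$3}'), so the check inherits the collation of the passwd column: with a case-insensitive collation, a password differing only in case is accepted. Second, only the PLAIN and LOGIN checks could be rewritten to verify against a salted hash; verify_cram_md5 (and likewise the spa/NTLM authenticator's server_password) cannot, which is the trade-off behind offering challenge-response mechanisms from a database that must then hold the password in clear. The example does not model the server_advertise_condition that limits PLAIN and LOGIN to TLS sessions.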
----------------------------------------------------------------------
 aaron - 11-Dec-04 01:08 CET
----------------------------------------------------------------------
Wolfram Kraushaar said:

For SMTP-Auth with Postfix 2.1.5 and cyrus-sasl 2.1.20 and a DBMail MySQL backend I use the following settings:

prerequisites:
- Cyrus-SASL was built with support for MySQL and PostgreSQL
- Postfix was built with support for Cyrus-SASL, MySQL and PostgreSQL

In Postfix's main.cf:

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_non_fqdn_sender, permit_sasl_authenticated, reject_unauth_destination

In Cyrus-SASL's /usr/local/lib/sasl2/smtpd.conf:

pwcheck_method: auxprop
auxprop_plugin: sql
mech_list: login plain cram-md5 digest-md5
sql_engine: mysql
sql_hostnames: <dbmail-dbhost>
sql_user: <dbmail-dbuser>
sql_passwd: <dbmail-dbpass>
sql_database: <dbmail-dbname>
sql_select: select passwd from dbmail_users where userid = '%u' AND userid != '[EMAIL PROTECTED]@__' AND userid != 'anyone' AND userid != '__public__'

As a sidenote: you cannot use encryption for the dbmail user passwords in the database if you want cyrus-sasl to use the dbmail database as authentication backend.

----------------------------------------------------------------------
 cwarden - 17-Jul-05 19:19 CEST
----------------------------------------------------------------------
The spa authenticator for Exim was missing a line.
It should be:

spa:
  driver = spa
  public_name = NTLM
  server_set_id = $1
  server_password = ${lookup mysql{SELECT passwd FROM users WHERE userid = '${quote_mysql:$1}'}{$value}fail}

Bug History
Date Modified    Username    Field                    Change
======================================================================
11-Dec-04 00:59  aaron       New Bug
11-Dec-04 00:59  aaron       Bugnote Added: 0000434
11-Dec-04 01:07  aaron       Bugnote Added: 0000435
11-Dec-04 01:08  aaron       Bugnote Added: 0000436
17-Jul-05 19:19  cwarden     Bugnote Added: 0000775
======================================================================