Extra information:

When setting MD5 auth, I don't even see a query in my MYSQL log, so sasl isn't even passing the query to mysql.

Working PLAIN:
> Mar 15 18:16:17 lin postfix/smtpd[3116]: connect from 00-22-161-161.access.telenet.be[00.22.161.161]

Mar 15 18:16:18 lin postfix/smtpd[3116]: 8487A4CE4: client=00-22-161-161.access.telenet.be[00.22.161.161], saslmethod=PLAIN, saslusername=test@domain.be

Mar 15 18:16:18 lin postfix/cleanup[3119]: 8487A4CE4: message-id=<8120F7AC-414A-4086-BBA8-9C40C832D68F@domain.be>

Not working MD5:
> Mar 15 18:16:38 lin postfix/smtpd[3129]: connect from 00-22-161-161.access.telenet.be[00.22.161.161]

Mar 15 18:16:38 lin postfix/smtpd[3129]: warning: SASL authentication failure: no secret in database

Mar 15 18:16:38 lin postfix/smtpd[3129]: warning: 00-22-161-161.access.telenet.be[00.22.161.161]: SASL CRAM-MD5 authentication failed: authentication failure

Mar 15 18:16:38 lin postfix/smtpd[3129]: lost connection after AUTH from 00-22-161-161.access.telenet.be[00.22.161.161]

What distro?

I fought with SASL and Postfix for a while and I got it, but I'm not entirely sure how.

First suggestion: is /etc/sasldb2 available to the chroot? On my Debian, I had to add "etc/sasldb2" to the definition of FILES in /etc/init.d/postfix.

@Alucard:

What distro?

I fought with SASL and Postfix for a while and I got it, but I'm not entirely sure how.

First suggestion: is /etc/sasldb2 available to the chroot? On my Debian, I had to add "etc/sasldb2" to the definition of FILES in /etc/init.d/postfix.

Thanks for your reply.

I'm running Debian Lenny.

I have done nothing with the sasldb2, so thats not in my chroot.

But I think I don't need that file, because I only want to authenticate with users from my MySQL database. I think the sasldb2 file is for local users?

To connect to the database, I have set up a "/etc/pam.d/smtp" file and a smtpd.conf file in the sasl directory under my postfix chroot.

But SASL is working, but with PLAIN auhentication. So my database connection is set up correctly (got this after many hours of tweaking and trying). But only CRAM-MD5 is not.

It's strange, because my password is retreived from my database without encryption, so SALS should be able to make the MD5 from it?

apt-get install libsasl2-modules

?

I already have those, because the MySQL module needs that one.
> libsasl2-modules is already the newest version. .

That module is working. I just want to send my password as a MD5 string instead of a plain password, as an extra..

Any other things I can check to get CRAM MD5 working?

I had similar headaches with Cyrus SASL and switched to using Dovecot SASL mechanism which saved me a world of trouble - not just CRAM-MD5 but getting it to look up the password from the postfixadmin database.

Of course if you're not using Dovecot this might not be of help, but happy to offer my configs if you're interested.

> I had similar headaches with Cyrus SASL and switched to using Dovecot SASL mechanism which saved me a world of trouble - not just CRAM-MD5 but getting it to look up the password from the postfixadmin database.
I second this. I couldn't get Cyrus to work for me at all, and all the Howtos recommended I stay away from Cyrus. Dovecot, however, worked almost immediately out of the box with Postfix. It's a very tight fit, and comes with the recommendation of a lot of sysadmins.

I'd be happy to share my configs as well (but I don't do MySQL, I authenticate against Unix users).

As I can see Dovecot is IMAP client. I have already set up Courier for that, and I'm just getting to know Courier. I see Dovecot is a bit smaller in memory footprint, but I have only one client (meself 8)), so thats not worth changing.

I did got the password lookup from my database working, but also after 2/3 days of trying and seeing a lot of tutorials.

Thats just the strange thing, PLAIN login works, so the module HAS the password.

I could use the IMAP authentication, which is I think the way it works with Dovecot? So the SMTP checks if there is an successful IMAP connection for those user/password combo? But then you can't change you query, so you can't specify which users can send mail trough your server or not, or add users who doesn't have a mailbox.

For my next installation I will use Dovecot, thanks for the tip!

But in this installation, I'm not goiing to change it anymore, I have put to many time to get this working :twisted:.

The CRAM MD5 is not that imported, but it would be nice to get it working.

Thanks for your replies, condate and jed.

Hi tofu, I've been google-fu'ing around and I saw this

> A better option would be to configure courier-authlib to authenticate

against the SQL database, then have Cyrus-SASL use the courier-authlib

authentication scheme.

While it sounds like hackery, it works very well and is very light

weight.

As to how to do that.. not sure. But I had the identical issue to you, in that the db was being bypassed altogether and the failures were related to its attempt to check the passwd against its own sasldb. I fixed that error by copying /etc/sasldb to the /var/spool/postfix/… etc location (so a chroot issue there I guess), but never worked out how to get it to stop being stubborn and just use the db.

This howto has some information on using courier authlib, though the author seems to compile everything (may not be necessary.. hopefully not)

Good luck!

Thanks for your input.

I tried with the authdaemond from the tutorial, but got a "socket not found", because the socket of that daemon is outside my postfix chroot (postfix runs chrooted under Debian).

Did some further investigation with my current configuration.

When I add CRAM-MD5 to the mech list, I get a "secret not found" message.

But when I look here, I see this seems to be the error you get if you're missing a module.

When I enable MySQL logging, I see indeed no queries when using CRAM-MD5. While I do see them when using PLAIN login.

So it looks like "secret not found" means something like "no module found for this authentication method". So that the -sql module is only configured for plain and login, and not for md5?

But here it looks like its working with that module.

But now I found here that also authdaemond wouldn't solve my problem, that those module also only supports plain login

EDIT: found another one, also here they say saslauthd only supports plain login. How stupid is that :evil:.

A big disadvantantage with the IMAP authentication method, or the courier authentication is that then I have the same SQL query, so I can't specify who can use the smtp server and who not.

In that HOWTO they also speak of only PLAIN and LOGIN:
> From the telnet we can see postfix already support Auth with Login and Plain,
> 250-STARTTLS

250-AUTH LOGIN PLAIN

250-AUTH=LOGIN PLAIN

250-ENHANCEDSTATUSCODES

YES! Got it working :D.

Just changed some things in my smtpd.conf and it worked :?.

> pwcheck_method: auxprop

pwcheck_method: saslauthd

pwcheck_method: authdaemond

mech_list: plain login cram-md5 digest-md5

authdaemond_path:/var/run/courier/authdaemon/socket

allow_plaintext: true

auxprop_plugin: mysql

sql_engine: mysql

sql_hostnames: 127.0.0.1

sql_user: Postfix

sql_passwd: removed

sql_database: Mail

sql_select: select Password from Mailboxes where User = '%u'

I added the sqlengine and changed the pwcheckmethod (was: auxpropplugin: mysql in combination with pwcheckmethod: saslauthd).

Now AUTH MD5 works, and I can specify the users who can use it or not 8)

Thanks all!

Good to hear! :) you should write a howto on the Wiki or something for the courier users :)