#1

Hi,

I just got SASL working on my Fedora 3 Linux box, but when I need to type in my password when doing an SMTP AUTH from Thunderbird it won't accept my password. I have come this far and found that when I copy the encrypted password from mysql user database it works. That means that SASL is not decrypting the password from mysql when I try to log on. It works from Courier-Imap though :-|

What am I doing wrong? I want to use crypted passwords in MySQL as I have LOADS of users already in the base and I want the security of course.

smtpd.conf (SASL)
pwcheck_method: auxprop
auxprop_plugin: sql login plain
sql_engine: mysql
mech_list: PLAIN LOGIN
sql_hostnames: localhost
sql_user: <removed>
sql_passwd: <removed>
sql_database: postfix
sql_statement: SELECT password FROM mailbox WHERE username = '%u@%r'
sql_verbose: yes
log_level: 7

main.cf (parts of it)

broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
....
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_rbl_client relays.ordb.org,
    reject_rbl_client dnsbl.sorbs.net,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    reject_unauth_destination,
    permit
....

Any ideas ??

versions:
cyrus-sasl-2.1.19-3
cyrus-sasl-md5-2.1.19-3
cyrus-sasl-plain-2.1.19-3
cyrus-sasl-sql-2.1.19-3
cyrus-sasl-devel-2.1.19-3
cyrus-sasl-gssapi-2.1.19-3
Postfix version: 2.1.5
courier-imap-mysql-2.2.2.20040114-1.1
mysql-3.23.58-16.FC3.1
courier-authlib-mysql-0.50.20041203-1.3
mysql-devel-3.23.58-16.FC3.1
libdbi-dbd-mysql-0.6.5-9
mysql-server-3.23.58-16.FC3.1

#2

Christian Jensen wrote:
> Hi,
>
> I just got SASL working on my Fedora 3 Linux box, but when I need to
> type in my password when doing an SMTP AUTH from Thunderbird it won't
> accept my password. I have come this far and found that when I copy the
> encrypted password from mysql user database it works. That means that
> SASL is not decrypting the password from mysql when I try to log on. It
> works from Courier-Imap though :-|
>
> What am I doing wrong? I want to use crypted passwords in MySQL as I
> have LOADS of users already in the base and I want the security of course.
>
> smtpd.conf (SASL)
> pwcheck_method: auxprop
> auxprop_plugin: sql login plain
> sql_engine: mysql
> mech_list: PLAIN LOGIN
> sql_hostnames: localhost
> sql_user: <removed>
> sql_passwd: <removed>
> sql_database: postfix
> sql_statement: SELECT password FROM mailbox WHERE username = '%u@%r'
> sql_verbose: yes
> log_level: 7
>
> main.cf (parts of it)
>
> broken_sasl_auth_clients = yes
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_local_domain = $myhostname
> ...
> smtpd_recipient_restrictions = permit_mynetworks,
>     permit_sasl_authenticated,
>     reject_rbl_client relays.ordb.org,
>     reject_rbl_client dnsbl.sorbs.net,
>     reject_rbl_client sbl.spamhaus.org,
>     reject_rbl_client bl.spamcop.net,
>     reject_unauth_destination,
>     permit
> ...
>
> Any ideas ??
>
> versions:
> cyrus-sasl-2.1.19-3
> cyrus-sasl-md5-2.1.19-3
> cyrus-sasl-plain-2.1.19-3
> cyrus-sasl-sql-2.1.19-3
> cyrus-sasl-devel-2.1.19-3
> cyrus-sasl-gssapi-2.1.19-3
> Postfix version: 2.1.5
> courier-imap-mysql-2.2.2.20040114-1.1
> mysql-3.23.58-16.FC3.1
> courier-authlib-mysql-0.50.20041203-1.3
> mysql-devel-3.23.58-16.FC3.1
> libdbi-dbd-mysql-0.6.5-9
> mysql-server-3.23.58-16.FC3.1

Tonight I'm tired, beat, and totally brain dead, so I hope that tomorrow when I'm fresh, this doesn't look totally stupid. But I think what you are looking for is:

mech_list: DIGEST-MD5 CRAM-MD5
auxprop_plugin: sql

--
Greg

#3

Greg Hackney wrote:
> Christian Jensen wrote:
>> Hi,
>>
>> I just got SASL working on my Fedora 3 Linux box, but when I need to
>> type in my password when doing an SMTP AUTH from Thunderbird it won't
>> accept my password. I have come this far and found that when I copy the
>> encrypted password from mysql user database it works. That means that
>> SASL is not decrypting the password from mysql when I try to log on. It
>> works from Courier-Imap though :-|
>>
>> What am I doing wrong? I want to use crypted passwords in MySQL as I
>> have LOADS of users already in the base and I want the security of course.
>>
>> smtpd.conf (SASL)
>> pwcheck_method: auxprop
>> auxprop_plugin: sql login plain
>> sql_engine: mysql
>> mech_list: PLAIN LOGIN
>> sql_hostnames: localhost
>> sql_user: <removed>
>> sql_passwd: <removed>
>> sql_database: postfix
>> sql_statement: SELECT password FROM mailbox WHERE username = '%u@%r'
>> sql_verbose: yes
>> log_level: 7
>>
>> main.cf (parts of it)
>>
>> broken_sasl_auth_clients = yes
>> smtpd_sasl_auth_enable = yes
>> smtpd_sasl_security_options = noanonymous
>> smtpd_sasl_local_domain = $myhostname
>> ...
>> smtpd_recipient_restrictions = permit_mynetworks,
>>     permit_sasl_authenticated,
>>     reject_rbl_client relays.ordb.org,
>>     reject_rbl_client dnsbl.sorbs.net,
>>     reject_rbl_client sbl.spamhaus.org,
>>     reject_rbl_client bl.spamcop.net,
>>     reject_unauth_destination,
>>     permit
>> ...
>>
>> Any ideas ??
>>
>> versions:
>> cyrus-sasl-2.1.19-3
>> cyrus-sasl-md5-2.1.19-3
>> cyrus-sasl-plain-2.1.19-3
>> cyrus-sasl-sql-2.1.19-3
>> cyrus-sasl-devel-2.1.19-3
>> cyrus-sasl-gssapi-2.1.19-3
>> Postfix version: 2.1.5
>> courier-imap-mysql-2.2.2.20040114-1.1
>> mysql-3.23.58-16.FC3.1
>> courier-authlib-mysql-0.50.20041203-1.3
>> mysql-devel-3.23.58-16.FC3.1
>> libdbi-dbd-mysql-0.6.5-9
>> mysql-server-3.23.58-16.FC3.1
>
> Tonight I'm tired, beat, and totally brain dead, so I hope that tomorrow
> when I'm fresh, this doesn't look totally stupid. But I think what you
> are looking for is:
>
> mech_list: DIGEST-MD5 CRAM-MD5
> auxprop_plugin: sql
>
> --
> Greg

The mech_list: isn't that for client-side operations? I mean, this would tell for example Thunderbird to send the password using MD5, right? I would like SASL to receive the PLAIN password and authenticate it up against the encrypted password in MySQL.

/Christian

#4

Christian Jensen wrote:
> Greg Hackney wrote:
>> Christian Jensen wrote:
>>> Hi,
>>>
>>> I just got SASL working on my Fedora 3 Linux box, but when I need to
>>> type in my password when doing an SMTP AUTH from Thunderbird it won't
>>> accept my password. I have come this far and found that when I copy the
>>> encrypted password from mysql user database it works. That means that
>>> SASL is not decrypting the password from mysql when I try to log on. It
>>> works from Courier-Imap though :-|
>>>
>>> What am I doing wrong? I want to use crypted passwords in MySQL as I
>>> have LOADS of users already in the base and I want the security of course.
>>>
>>> smtpd.conf (SASL)
>>> pwcheck_method: auxprop
>>> auxprop_plugin: sql login plain
>>> sql_engine: mysql
>>> mech_list: PLAIN LOGIN
>>> sql_hostnames: localhost
>>> sql_user: <removed>
>>> sql_passwd: <removed>
>>> sql_database: postfix
>>> sql_statement: SELECT password FROM mailbox WHERE username = '%u@%r'
>>> sql_verbose: yes
>>> log_level: 7
>>>
>>> main.cf (parts of it)
>>>
>>> broken_sasl_auth_clients = yes
>>> smtpd_sasl_auth_enable = yes
>>> smtpd_sasl_security_options = noanonymous
>>> smtpd_sasl_local_domain = $myhostname
>>> ...
>>> smtpd_recipient_restrictions = permit_mynetworks,
>>>     permit_sasl_authenticated,
>>>     reject_rbl_client relays.ordb.org,
>>>     reject_rbl_client dnsbl.sorbs.net,
>>>     reject_rbl_client sbl.spamhaus.org,
>>>     reject_rbl_client bl.spamcop.net,
>>>     reject_unauth_destination,
>>>     permit
>>> ...
>>>
>>> Any ideas ??
>>>
>>> versions:
>>> cyrus-sasl-2.1.19-3
>>> cyrus-sasl-md5-2.1.19-3
>>> cyrus-sasl-plain-2.1.19-3
>>> cyrus-sasl-sql-2.1.19-3
>>> cyrus-sasl-devel-2.1.19-3
>>> cyrus-sasl-gssapi-2.1.19-3
>>> Postfix version: 2.1.5
>>> courier-imap-mysql-2.2.2.20040114-1.1
>>> mysql-3.23.58-16.FC3.1
>>> courier-authlib-mysql-0.50.20041203-1.3
>>> mysql-devel-3.23.58-16.FC3.1
>>> libdbi-dbd-mysql-0.6.5-9
>>> mysql-server-3.23.58-16.FC3.1
>>
>> Tonight I'm tired, beat, and totally brain dead, so I hope that tomorrow
>> when I'm fresh, this doesn't look totally stupid. But I think what you
>> are looking for is:
>>
>> mech_list: DIGEST-MD5 CRAM-MD5
>> auxprop_plugin: sql
>>
>> --
>> Greg
>
> The mech_list: isn't that for client-side operations? I mean, this would
> tell for example Thunderbird to send the password using MD5, right? I
> would like SASL to receive the PLAIN password and authenticate it up
> against the encrypted password in MySQL.
>
> /Christian

Is there any way I can see what exactly SASL/postfix is sending for SQL queries anywhere? I would like to see if the password is in cleartext or in some form of encryption that's different from the one in the mysql database.

/C

#5

> The mech_list: isn't that for client-side operations?

The mech_list is for Postfix server-side operations. It tells Postfix which SASL methods to offer up in the SMTP protocol. For example:

# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 myserver.com ESMTP Postfix
ehlo world.com
250-myserver.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN DIGEST-MD5 PLAIN CRAM-MD5
250-AUTH=LOGIN DIGEST-MD5 PLAIN CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

The display of "250-AUTH LOGIN DIGEST-MD5 PLAIN CRAM-MD5" is controlled by what's in the mech_list.

Thunderbird supports both CRAM-MD5 and DIGEST-MD5 secure authentication, and PLAIN authentication. To use encrypted SMTP AUTH passwords, you need to offer CRAM-MD5 and/or DIGEST-MD5 in your mech_list. Also the encrypted passwords in your MySQL database must have been created using one of the types offered up.

Your config said: mech_list: PLAIN LOGIN
which offers no encrypted SMTP AUTH support.

--
Greg

#6

Greg Hackney wrote:
>> The mech_list: isn't that for client-side operations?
>
> The mech_list is for Postfix server-side operations. It tells Postfix
> which SASL methods to offer up in the SMTP protocol. For example:
>
> # telnet localhost 25
> Trying 127.0.0.1...
> Connected to localhost.localdomain (127.0.0.1).
> Escape character is '^]'.
> 220 myserver.com ESMTP Postfix
> ehlo world.com
> 250-myserver.com
> 250-PIPELINING
> 250-SIZE 10240000
> 250-VRFY
> 250-ETRN
> 250-AUTH LOGIN DIGEST-MD5 PLAIN CRAM-MD5
> 250-AUTH=LOGIN DIGEST-MD5 PLAIN CRAM-MD5
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
>
> The display of "250-AUTH LOGIN DIGEST-MD5 PLAIN CRAM-MD5" is controlled
> by what's in the mech_list.
>
> Thunderbird supports both CRAM-MD5 and DIGEST-MD5 secure authentication,
> and PLAIN authentication.
> To use encrypted SMTP AUTH passwords, you need to offer CRAM-MD5 and/or
> DIGEST-MD5 in your mech_list.
> Also the encrypted passwords in your MySQL database must have been
> created using one of the types offered up.
>
> Your config said: mech_list: PLAIN LOGIN
> which offers no encrypted SMTP AUTH support.
>
> --
> Greg

Hi Greg,

Thanks for your input.

I have temporarily made a column more in my mailbox table that includes the same password but in cleartext. I then changed the smtpd.conf to look in the cleartext column I made and changed mech-list to accept CRAM-MD5. Now it works, so I can safely say that mech-list has only something to do with communication between the client (thunderbird) and server (postfix/sasl) and not postfix/sasl and MySQL.

Any other suggestions? I really need this to work.

/C

#7

> I have temporarily made a column more in my mailbox table that includes
> the same password but in cleartext. I then changed the smtpd.conf to
> look in the cleartext column I made and changed mech-list to accept
> CRAM-MD5. Now it works, so I can safely say that mech-list has only
> something to do with communication between the client (thunderbird) and
> server (postfix/sasl) and not postfix/sasl and MySQL.
>
> Any other suggestions? I really need this to work.

I think I understand what you are wanting: If the user is "joe" and his password is "blow", you want Thunderbird to hand the password off to Postfix as "blow", and Postfix to encrypt the password and match that encrypted value against a MySQL query. Right?

If so, sorry, it just doesn't work that way.

Postfix just acts as a relay between the mail client and the SASL/MySQL query for the password string. Postfix doesn't modify the password string. All it does is to pass along the string (and also a realm string) to the MySQL lookup.

The mail client (Thunderbird) picks an SMTP AUTH mechanism from the list of mechanisms that Postfix advertises. The list that Postfix advertises is controlled by the mech_list.

The conversion of the plain ASCII string "blow" to the encrypted string, is performed by Thunderbird, and not by Postfix. Postfix uses that encrypted string in the MySQL query. Therefore, if Thunderbird can only choose LOGIN, it will BASE-64 encode the string "blow", and try to match what's in your MySQL password field.

I dunno what format your encrypted passwords are in (probably CRAM-MD5 if they are the same as what's in the UNIX passwd file), but you need for the mech_list to advertise whatever format you use in MySQL. Otherwise it just isn't going to work.

Postfix isn't a midstream password encrypter/re-encrypter. It's possible that it may be sometime in the future. Presently, the SASL libraries are linked into the smtpd daemon. In the future, there will be a Postfix sasld process running via master.cf, and it will speak to the authentication backend. Perhaps they will add options...

--
Greg

#8

Greg Hackney wrote:
>> I have temporarily made a column more in my mailbox table that includes
>> the same password but in cleartext. I then changed the smtpd.conf to
>> look in the cleartext column I made and changed mech-list to accept
>> CRAM-MD5. Now it works, so I can safely say that mech-list has only
>> something to do with communication between the client (thunderbird) and
>> server (postfix/sasl) and not postfix/sasl and MySQL.
>>
>> Any other suggestions? I really need this to work.
>
> I think I understand what you are wanting: If the user is "joe"
> and his password is "blow", you want Thunderbird to hand the
> password off to Postfix as "blow", and Postfix to encrypt the password
> and match that encrypted value against a MySQL query. Right?
>
> If so, sorry, it just doesn't work that way.
>
> Postfix just acts as a relay between the mail client and the SASL/MySQL
> query for the password string. Postfix doesn't modify the password string.
> All it does is to pass along the string (and also a realm string) to the
> MySQL lookup.
>
> The mail client (Thunderbird) picks an SMTP AUTH mechanism from the list
> of mechanisms that Postfix advertises. The list that Postfix advertises is
> controlled by the mech_list.
>
> The conversion of the plain ASCII string "blow" to the encrypted string, is
> performed by Thunderbird, and not by Postfix. Postfix uses that
> encrypted string in the MySQL query. Therefore, if Thunderbird can only
> choose LOGIN, it will BASE-64 encode the string "blow", and try to match
> what's in your MySQL password field.
>
> I dunno what format your encrypted passwords are in (probably CRAM-MD5
> if they are the same as what's in the UNIX passwd file), but you need for
> the mech_list to advertise whatever format you use in MySQL. Otherwise
> it just isn't going to work.
>
> Postfix isn't a midstream password encrypter/re-encrypter. It's possible
> that it may be sometime in the future. Presently, the SASL libraries are
> linked into the smtpd daemon.
> In the future, there will be a Postfix sasld process running via
> master.cf, and it will speak to the authentication backend. Perhaps they
> will add options...
>
> --
> Greg

Thank you very much for your reply. I have given up and am now modifying postfixadmin to insert the encrypted password in one field and the cleartext password in another field. That way Courier-IMAP can use the encrypted passwords in MySQL and Postfix can use the cleartext passwords in another field. This way I don't have to ask everyone to change password and I can live with it until I change server.

/Christian

#9

> Thank you very much for your reply. I have given up and am now modifying
> postfixadmin to insert the encrypted password in one field and the
> cleartext password in another field. That way Courier-IMAP can use the
> encrypted passwords in MySQL and Postfix can use the cleartext passwords
> in another field. This way I don't have to ask everyone to change
> password and I can live with it until I change server.
>
> /Christian

If the user's Thunderbird account is configured with his cleartext password, Thunderbird should work okay into Postfix's SMTPD with CRAM-MD5 encrypted MySQL passwords, using "mech_list: CRAM-MD5"

--
Greg

#10

Greg Hackney wrote:
> If the user's Thunderbird account is configured with his cleartext
> password, Thunderbird should work okay into Postfix's SMTPD with
> CRAM-MD5 encrypted MySQL passwords, using "mech_list: CRAM-MD5"
>
> --
> Greg

Well, I tried that. I got an error in the maillog saying that CRAM-MD5 failed. As multiple clients need to connect to my server I think it's best to use plain text passwords anyways. But thanks for your input.

/Christian

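Added example, not part of the thread and not Cyrus SASL's own code: a Python model of the four outcomes reported above (PLAIN against the hashed column with the real password and with the pasted hash, CRAM-MD5 against a cleartext column and against the hashed column), using the CRAM-MD5 computation from RFC 2195. The user name, the challenge string and the use of unsalted MD5 hex as a stand-in for the "encrypted" column are assumptions; the thread does not state the real hash format.

```python
import base64
import hashlib
import hmac


def cram_md5_response(user, password, challenge):
    """Client side (RFC 2195): base64 of 'user ' + hex HMAC-MD5(key=password, msg=challenge)."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode())


def verify_cram_md5(stored_value, challenge, response):
    """Server side: recompute the HMAC keyed with whatever the SQL lookup returned."""
    _user, _, digest = base64.b64decode(response).decode().rpartition(" ")
    expected = hmac.new(stored_value.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def verify_plain_auxprop(stored_value, submitted):
    """PLAIN/LOGIN with auxprop, as observed in the thread: the submitted
    password is compared to the stored value as-is, with no hashing step."""
    return hmac.compare_digest(stored_value.encode(), submitted.encode())


def scenarios():
    # Constructed sample data; none of these values come from the thread's database.
    user, password = "joe@example.com", "blow"
    # Assumption: unsalted MD5 hex stands in for the "encrypted" password column.
    hashed_column = hashlib.md5(password.encode()).hexdigest()
    clear_column = password
    challenge = b"<1896.697170952@mail.example.com>"  # constructed server challenge
    response = cram_md5_response(user, password, challenge)
    return {
        # Post #1: the real password is rejected ...
        "plain_real_password_vs_hashed_column": verify_plain_auxprop(hashed_column, password),
        # ... but pasting the stored hash as the password is accepted.
        "plain_pasted_hash_vs_hashed_column": verify_plain_auxprop(hashed_column, hashed_column),
        # Post #6: CRAM-MD5 works once the lookup returns the cleartext password.
        "cram_md5_vs_cleartext_column": verify_cram_md5(clear_column, challenge, response),
        # Post #10: CRAM-MD5 fails when the lookup returns a hash.
        "cram_md5_vs_hashed_column": verify_cram_md5(hashed_column, challenge, response),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

In this model the server can only verify a CRAM-MD5 response when the lookup returns the same secret the client keyed the HMAC with, which is why the cleartext column worked and the hashed one did not.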