
Day: September 4, 2008

SMTP-AUTH for Postfix via courier-authlib (authdaemond)

Getting SMTP authentication working with Postfix via authdaemond on FreeBSD 7.0 without occasional, useless errors in /var/log/messages has just caused me an hour of frustration. Therefore, I wish to document what I had to do to make it work right:

First off, Postfix (mail/postfix) and courier-authlib with MySQL support (security/courier-authlib with AUTH_MYSQL set in the config) must be installed. Setting up courier-authlib to talk to a MySQL db is beyond the scope of this document, but it basically involves setting the following lines:

/usr/local/etc/authlib/authdaemonrc:

authmodulelist="authmysql"

/usr/local/etc/authlib/authmysqlrc:

MYSQL_SERVER localhost
MYSQL_SOCKET /tmp/mysql.sock
MYSQL_PORT 0
MYSQL_OPT 0
MYSQL_USERNAME mail
MYSQL_PASSWORD [OBSCURED]
MYSQL_DATABASE mail
MYSQL_USER_TABLE mailbox
MYSQL_CRYPT_PWFIELD password
MYSQL_UID_FIELD uid
MYSQL_GID_FIELD gid
MYSQL_LOGIN_FIELD pobox
MYSQL_HOME_FIELD homedir
MYSQL_MAILDIR_FIELD CONCAT(homedir,'/',maildir,'/')
MYSQL_QUOTA_FIELD quota
MYSQL_NAME_FIELD name

After that is set, Postfix’s main.cf must have SASL enabled with smtpd_sasl_auth_enable = yes. Next, the following smtpd.conf must be placed in /usr/local/etc/sasl2:

/usr/local/etc/sasl2/smtpd.conf:

pwcheck_method: authdaemond
log_level: 3
mech_list: PLAIN LOGIN
authdaemond_path: /var/run/authdaemond/socket

auxprop_plugin: mysql
sql_select: select password from users where email = '%u@%r'

Now, here’s the stupid part. See those last two lines, auxprop_plugin: mysql and sql_select: select...? They don’t do anything, and that SELECT statement won’t even return anything useful on my db. SMTP AUTH works great without them. However, if those lines are missing, Postfix will regularly complain loudly with errors such as these:

Sep 4 21:30:02 banstyle postfix/smtpd[47677]: sql_select option missing
Sep 4 21:30:02 banstyle postfix/smtpd[47677]: auxpropfunc error no mechanism available

Please note that with authdaemond, CRAM-MD5 and DIGEST-MD5 authentication mechanisms won’t work. (These would normally be set with mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5.) If enabled they will appear available but won’t work.

One final thing… Want to know how to be sure that the server is notifying clients that it supports authentication? Just telnet to port 25 on your mail server and type in EHLO domain.com. The AUTH LOGIN PLAIN and AUTH=LOGIN PLAIN lines in the reply show that plain-text authentication is now available:

c0nsumer@banstyle:~> telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 banstyle.nuxx.net ESMTP Postfix
EHLO nuxx.net
250-banstyle.nuxx.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
QUIT
221 2.0.0 Bye
Connection closed by foreign host.
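
The same check can be scripted. The following is an added example, not part of the original post: it parses an EHLO reply (abridged here from the session above), folds the legacy AUTH= line into AUTH, and reports mechanisms that the post says do not work with authdaemond, as well as PLAIN/LOGIN being offered on a session without TLS. The function names and the tls_active parameter are assumptions made for this example.

```python
import re

# Server side of the EHLO reply, abridged from the telnet session shown above.
EHLO_REPLY = """\
250-banstyle.nuxx.net
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 DSN
"""
# The post states these appear available but do not work with authdaemond.
UNSUPPORTED = {"CRAM-MD5", "DIGEST-MD5"}
# These send the password itself, only base64-encoded, over the connection.
PASSWORD_ON_WIRE = {"PLAIN", "LOGIN"}

def parse_ehlo(reply):
    """Map each ESMTP keyword in a multi-line 250 reply to its parameters."""
    features = {}
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    for line in lines[1:]:  # the first 250 line carries only the server name
        m = re.fullmatch(r"250[- ](.+)", line.strip())
        if not m:
            raise ValueError(f"not a 250 reply line: {line!r}")
        # "AUTH=..." is the legacy spelling for old clients; fold it into AUTH.
        keyword, *params = re.sub(r"(?i)^AUTH=", "AUTH ", m.group(1)).split()
        seen = features.setdefault(keyword.upper(), [])
        for p in params:
            if p.upper() not in seen:
                seen.append(p.upper())
    return features

def audit(features, tls_active):
    """Return findings for the AUTH mechanisms a server advertises."""
    mechs = set(features.get("AUTH", []))
    findings = []
    if not mechs:
        findings.append("AUTH is not advertised")
    if mechs & UNSUPPORTED:
        findings.append("advertised but unusable with authdaemond: "
                        + ", ".join(sorted(mechs & UNSUPPORTED)))
    if mechs & PASSWORD_ON_WIRE and not tls_active:
        findings.append("PLAIN/LOGIN offered on a session without TLS")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_ehlo(EHLO_REPLY), tls_active=False):
        print(finding)
```

For the session above, which was made over plain telnet, the script reports the PLAIN/LOGIN finding. Postfix's smtpd_tls_auth_only = yes (a setting not covered in the original post) keeps AUTH from being advertised or accepted until STARTTLS has completed.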
