{"id":297,"date":"2008-09-04T22:21:22","date_gmt":"2008-09-05T02:21:22","guid":{"rendered":"http:\/\/nuxx.net\/blog\/?p=297"},"modified":"2008-09-04T22:47:29","modified_gmt":"2008-09-05T02:47:29","slug":"smtp-auth-for-postfix-via-courier-authlib-authdaemond","status":"publish","type":"post","link":"https:\/\/nuxx.net\/blog\/2008\/09\/04\/smtp-auth-for-postfix-via-courier-authlib-authdaemond\/","title":{"rendered":"SMTP-AUTH for Postfix via courier-authlib (authdaemond)"},"content":{"rendered":"

Getting SMTP authentication<\/a> working with Postfix via authdaemond on FreeBSD 7.0 without occasional, useless errors in \/var\/log\/messages<\/tt> has just caused me an hour of frustration. Therefore, I wish to document what I had to do to make it work right:<\/p>\n

First off, Postfix<\/a> (mail\/postfix<\/a>) and courier-authlib<\/a> with MySQL support (security\/courier-authlib<\/a> with AUTH_MYSQL set in the config) must be installed. Setting up courier-authlib to talk to a MySQL db is beyond the scope of this document, but it basically involves setting the following lines:<\/p>\n

\/usr\/local\/etc\/authlib\/authdaemonrc:<\/tt><\/p>\n

authmodulelist=\"authmysql\"<\/tt><\/p><\/blockquote>\n

\/usr\/local\/etc\/authlib\/authmysqlrc<\/tt>:<\/p>\n

MYSQL_SERVER localhost<\/tt>
\nMYSQL_SOCKET \/tmp\/mysql.sock<\/tt>
\nMYSQL_PORT 0<\/tt>
\nMYSQL_OPT 0<\/tt>
\nMYSQL_USERNAME mail<\/tt>
\nMYSQL_PASSWORD [OBSCURED]<\/tt>
\nMYSQL_DATABASE mail<\/tt>
\nMYSQL_USER_TABLE mailbox<\/tt>
\nMYSQL_CRYPT_PWFIELD password<\/tt>
\nMYSQL_UID_FIELD uid<\/tt>
\nMYSQL_GID_FIELD gid<\/tt>
\nMYSQL_LOGIN_FIELD pobox<\/tt>
\nMYSQL_HOME_FIELD homedir<\/tt>
\nMYSQL_MAILDIR_FIELD CONCAT(homedir,'\/',maildir,'\/')<\/tt>
\nMYSQL_QUOTA_FIELD quota<\/tt>
\nMYSQL_NAME_FIELD name<\/tt><\/p><\/blockquote>\n

After that is set, Postfix’s main.cf<\/tt> must have SASL enabled with smtpd_sasl_auth_enable = yes<\/tt>. Next, the following smtpd.conf<\/tt> must be placed in \/usr\/local\/etc\/sasl2<\/tt>:<\/p>\n

\/usr\/local\/etc\/sasl2\/smtpd.conf<\/tt><\/p>\n

pwcheck_method: authdaemond<\/tt>
\nlog_level: 3<\/tt>
\nmech_list: PLAIN LOGIN<\/tt>
\nauthdaemond_path: \/var\/run\/authdaemond\/socket<\/tt><\/p>\n

auxprop_plugin: mysql<\/tt>
\nsql_select: select password from users where email = '%u@%r'<\/tt><\/p><\/blockquote>\n

Now, here’s the stupid part. See those last two lines, auxprop_plugin: mysql<\/tt> and sql_select: select...<\/tt>? They don’t do anything, and that SELECT statement won’t even return anything useful on my db. Without them there SMTP AUTH works great. However, if you don’t have those lines there, Postfix will regularly complain loudly with errors such as these:<\/p>\n

Sep 4 21:30:02 banstyle postfix\/smtpd[47677]: sql_select option missing<\/tt>
\nSep 4 21:30:02 banstyle postfix\/smtpd[47677]: auxpropfunc error no mechanism available<\/tt><\/p><\/blockquote>\n

Please note that with authdaemond, CRAM-MD5 and DIGEST-MD5 authentication mechanisms won’t work. (These would normally be set with mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5<\/tt>.) If enabled they will appear available but won’t work.<\/p>\n

One final thing… Want to know how to be sure that the server is notifying clients that it supports authentication? Just simply telnet<\/a> to port 25 on your mail server and type in EHLO domain.com<\/tt>. The AUTH LOGIN PLAIN<\/tt> and AUTH=LOGIN PLAIN<\/tt> lines show you that plain-text authentication is now available:<\/p>\n

c0nsumer@banstyle:~> telnet localhost 25<\/tt>
\nTrying 127.0.0.1...<\/tt>
\nConnected to localhost.<\/tt>
\nEscape character is '^]'.<\/tt>
\n220 banstyle.nuxx.net ESMTP Postfix<\/tt>
\nEHLO nuxx.net<\/tt>
\n250-banstyle.nuxx.net<\/tt>
\n250-PIPELINING<\/tt>
\n250-SIZE 10240000<\/tt>
\n250-VRFY<\/tt>
\n250-ETRN<\/tt>
\n250-STARTTLS<\/tt>
\n250-AUTH LOGIN PLAIN<\/tt>
\n250-AUTH=LOGIN PLAIN<\/tt>
\n250-ENHANCEDSTATUSCODES<\/tt>
\n250-8BITMIME<\/tt>
\n250 DSN<\/tt>
\nQUIT<\/tt>
\n221 2.0.0 Bye<\/tt>
\nConnection closed by foreign host.<\/tt><\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"

Getting SMTP authentication working with Postfix via authdaemond on FreeBSD 7.0 without occasional, useless errors in \/var\/log\/messages has just caused me an hour of frustration.…<\/p>\n

Continue readingSMTP-AUTH for Postfix via courier-authlib (authdaemond)<\/span><\/a><\/div>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13,4],"tags":[],"class_list":["post-297","post","type-post","status-publish","format-standard","hentry","category-computers","category-nuxxnet","entry"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/297","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/comments?post=297"}],"version-history":[{"count":12,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/297\/revisions"}],"predecessor-version":[{"id":309,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/297\/revisions\/309"}],"wp:attachment":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/media?parent=297"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/categories?post=297"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/tags?post=297"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}