Re: Postfix/SASL/mysql encrypted passwords

Iain Pople <iain@webcentre.unimelb.edu.au> writes:

>>> Has anyone deployed Postfix with SASL and mysql support using
>>> encrypted passwords? All of the examples I've seen authenticate
>>> against cleartext passwords in the database (transport isn't a
>>> concern, I'm using TLS).

I'm using sasl2, saslauthd, pam, and libpam-mysql.

,----[ /etc/postfix/sasl/smtpd.conf ]
| pwcheck_method: saslauthd
| mech_list: plain login
`----

,----[ /etc/pam.d/smtp ]
| auth required pam_mysql.so user=pamsmtp passwd=secret \
| host=localhost db=postfix table=mailbox usercolumn=oldemail \
| passwdcolumn=password where=active=1 crypt=1 md5=y
| account sufficient pam_mysql.so user=pamsmtp passwd=secret \
| host=localhost db=postfix table=mailbox usercolumn=oldemail \
| passwdcolumn=password where=active=1 crypt=1 md5=y
`----

I don't think the pam.d config files really support escaped
newlines. Maybe it does. Anyway, those are actually only two lines
instead of six.

From Debian/stable and Backports.org:

libpam-mysql 0.5.0-4
libsasl2 2.1.15-5.backports.org.1
libsasl2-modules 2.1.15-5.backports.org.1

Likewise I use Courier POP/IMAP. The /etc/courier/authdaemonrc has
authmodulelist="authmysql". In /etc/courier/authmysqlrc, I specify
the MYSQL_CRYPT_PWFIELD rather than the MYSQL_CLEAR_PWFIELD.
--
(__) Doug Alcorn - Unix/Linux/Web Developing
oo / PGP 02B3 1E26 BCF2 9AAF 93F1 61D7 450C B264 3E63 D543
|_/ mailto:doug@lathi.net http://www.lathi.net
mailto:tarpit@lathi.net is a spam trap