I am trying to set up SMTP authentication using Courier and MySQL on Postfix.

My passwords in my db are encrypted.

When I attempt to connect, I get an auth failure:

```
r2d2 ~ # telnet mail.server.com 25
Trying 45.33.27.121...
Connected to mail.server.com.
Escape character is '^]'.
220 r2d2.server.com ESMTP Postfix
HELO server.com
250 r2d2.server.com
AUTH LOGIN
334 VXNrcm5hbWU6
dXNlci5jb20=
334 UGFyc3dvcmQ6
Qg=!
535 5.7.8 Error: authentication failed: authentication failure
```

When I look at my logs, I see a wrong username trying to authenticate:

```
r2d2 postfix/smtpd[25275]: sql plugin Parse the username user.com
```

The username going into the database should be

```
user@server.com
```

It's not an encoding issue:

```
# perl -MMIME::Base64 -e 'print encode_base64("user@server.com");'
dXNlci5jb20=
```

It's dropping the virtual domain for some reason.

Config file /etc/courier/authlib/authmysqlrc:

```
MYSQL_SERVER            localhost
MYSQL_USERNAME          myuser
MYSQL_PASSWORD          mypass
MYSQL_PORT              3306
MYSQL_OPT               0
MYSQL_DATABASE          mail
MYSQL_USER_TABLE        mailbox
MYSQL_CRYPT_PWFIELD     password
MYSQL_UID_FIELD         5000
MYSQL_GID_FIELD         5000
MYSQL_LOGIN_FIELD       username
MYSQL_HOME_FIELD        '/var/vmail/'
MYSQL_NAME_FIELD        name
MYSQL_MAILDIR_FIELD     maildir
MYSQL_WHERE_CLAUSE active='1'
```

I tested the SQL; the statement works when applied manually in the mysql CLI. MySQL query logging shows the incorrect username being used. The error in the logs is accurate.

Somehow %u is receiving the wrong data.

smtp.conf:

```
pwcheck_method: authdaemond
mech_list: LOGIN PLAIN CRAM-MD5 DIGEST-MD5
sql_select: dummy
authdaemond_path: /var/lib/courier/authdaemon/socket
log_level: 2
sasl_pwcheck_method: saslauthd
sasl_auxprop_plugin: mysql
password_format: plain
sql_engine: mysql
sql_hostnames: localhost
sql_database: db
sql_user: use
sql_passwd: pass
sql_select: SELECT password FROM mailbox WHERE username='%u' AND active='1'
```

How do I get Courier to not drop the inbound virtual domain from the username for the query in MySQL?

UPDATE from the IRC:

<SkunkyFone> tunage: i can't find it.  i know, long long ago, there were separate options for "username" and "domain" in either postfix or courier authlib, and there was an option to make it smoosh things together or drop the domain entirely, and getting them out of sync would do Bad Things.. but i can't find where in my config that is right now.
[07:30:38] <tunage> SkunkyFone: I have seen the exact setting you are talking about, probably about the same time you last looked at it...   o.0
dooode

1 Answer

I think you may want to modify your SQL select statement to be

```
sql_select: SELECT password FROM mailbox WHERE username='%u@%r' AND active ='1'
```

as that should select both the user and domain.

NickW
  • I did that and I also added -> SASLAUTHD_OPTS="-a pam -r" (the -r) to /etc/conf.d/saslauthd . Same error. It's definitely somewhere right there. – dooode Jun 08 '16 at 14:47
  • Why would you use pam? Anyhow, have you restarted postfix and courier to avoid any caching? – NickW Jun 08 '16 at 14:51
  • that particular file was at its defaults up until I added the -r, 5 min ago. Yes, I restarted postfix and the complete courier-auth system (smtp, imap, pop3) – dooode Jun 08 '16 at 14:53
  • So it's still trying to find user.com? – NickW Jun 08 '16 at 15:06
  • Those don't need to be postmapped do they? – NickW Jun 08 '16 at 15:18
  • I did not do postmap. According to other similar installs, it's not a requirement in a virtual host config https://www.howtoforge.com/virtual-users-and-domains-with-postfix-courier-mysql-and-squirrelmail-debian-wheezy-p2 – dooode Jun 08 '16 at 15:50
  • Yeah, I was just running through my "it should be working checklist", did you restart saslauthd? BTW, notice they use the same query for mysql on that page? – NickW Jun 08 '16 at 16:08
  • Yes, the entire system and all services have been restarted. I see they use %r, but not sure where they initialize it. :( – dooode Jun 08 '16 at 19:53
  • Postfix fills those values, `%u` is anything before the `@` (usually the username), `%r` is the realm or anything after the `@`. When you do a login, you pass your email address (which can also be your username) and your password, since not everyone wants the `@domain.tld` bit, postfix gives you the option to use parts of it. – NickW Jun 09 '16 at 08:59
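
Decoding the AUTH LOGIN replies from the telnet session shows which username the client actually sent, which is worth checking before changing the server-side lookup. The Python sketch below is an added example, not code from the thread: the function names are hypothetical, and the sample session is constructed (username reply copied from the question, password reply a placeholder).

```python
import base64
import binascii

def b64(text):
    """Encode a string the way an AUTH LOGIN client has to send it."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")

def sent_username(transcript):
    """Return the decoded username reply of an AUTH LOGIN exchange, or None."""
    lines = [ln.strip() for ln in transcript.splitlines() if ln.strip()]
    for i, line in enumerate(lines):
        if line.upper() != "AUTH LOGIN":
            continue
        # First line after the command that is not a 334 challenge is the reply.
        for reply in lines[i + 1:]:
            if reply.startswith("334 "):
                continue
            try:
                raw = base64.b64decode(reply, validate=True)
            except binascii.Error:
                return None  # reply is not valid base64
            return raw.decode("utf-8", "replace")
    return None

def split_identity(login):
    """Split a login into (user, realm): the parts before and after the @."""
    user, sep, realm = login.partition("@")
    return user, (realm if sep else None)

def diagnose(transcript, expected):
    """Compare what the client sent with the login the database expects."""
    sent = sent_username(transcript)
    user, realm = split_identity(sent or "")
    return {"sent": sent, "user": user, "realm": realm,
            "matches_expected": sent == expected,
            "correct_reply": b64(expected)}

# Constructed sample: username reply taken from the question's session,
# password reply is a placeholder value.
SAMPLE = """\
AUTH LOGIN
334 VXNlcm5hbWU6
dXNlci5jb20=
334 UGFzc3dvcmQ6
cGxhY2Vob2xkZXI=
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE, "user@server.com"))
```

The decoded reply is `user.com`, the same name that appears in the `sql plugin Parse the username` log line, so the realm is already missing when the reply leaves the client. A Perl double-quoted string interpolates `@server` as an (empty) array, so encoding "user@server.com" in double quotes yields exactly this value, while single quotes keep the `@` literal.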