Andreas Winkelmann | 15 May 21:24

Re: SASL postgresql backend doesn't work. Please help.

On Thursday, 15 May 2008, Chris St Denis wrote:

> I am trying to get SASL to work authenticated to a postgresql database
> for SMTP auth with postfix. But sasl is being very uncooperative.
>
> basic system info
>
>     barium# uname -mrs
>     FreeBSD 7.0-RELEASE-p1 amd64
>
>     cyrus-sasl version: 2.1.22
>     postfix version: 2.5.1
>
> One of my biggest problems is I can't find any documentation of the
> smtpd.conf file, but from what I've pieced together from tutorials and
> such I've got this.
>
>     pwcheck_method: auxprop
>     auxprop_plugin: sql
>     sql_engine: pgsql

>     allowanonymouslogin: no

Not a Cyrus-SASL option

>     allowplaintext: yes

Not a Cyrus-SASL option

>     mech_list: LOGIN PLAIN

>     password_format: plaintext

Not a Cyrus-SASL option. Maybe implemented with a patch?

>     sql_user: mail
>     sql_passwd:
>     sql_hostnames: localhost
>     sql_database: mail
>     sql_select: SELECT pass FROM emails_view WHERE email = '%u@%r'
>     log_level: 7
>     sql_verbose: true
>
> If I use saslpasswd2 on an account I get "generic failure". Does
> saslpasswd2 even work on sql or is it sasldb only?

It generally works with MySQL or PostgreSQL, too, but not with your
config file above. To add or change data in an SQL database, one would
normally expect UPDATE or INSERT commands. I see none in your config.
The associated Cyrus-SASL options would be "sql_insert:" or "sql_update:".

>     barium# saslpasswd2 -a smtpd jeann <at> darkadsl.ca
>     saslpasswd2: generic failure
>
> If I run "pluginviewer -a" it only lists sasldb. Shouldn't SQL be in here?
>
>     barium# pluginviewer -a
>     Installed auxprop mechanisms are:
>     sasldb
>     List of auxprop plugins follows
>     Plugin "sasldb" ,       API version: 4
>             supports store: yes
>
>
>     barium# pluginviewer -s
>     Installed SASL (server side) mechanisms are:
>     LOGIN ANONYMOUS PLAIN GSSAPI DIGEST-MD5 CRAM-MD5 EXTERNAL
>     List of server plugins follows
>     Plugin "login" [loaded],        API version: 4
>             SASL mechanism: LOGIN, best SSF: 0, supports setpass: no
>             security flags: NO_ANONYMOUS
>             features:
>     Plugin "anonymous" [loaded],    API version: 4
>             SASL mechanism: ANONYMOUS, best SSF: 0, supports setpass: no
>             security flags: NO_PLAINTEXT
>             features: WANT_CLIENT_FIRST
>     Plugin "plain" [loaded],        API version: 4
>             SASL mechanism: PLAIN, best SSF: 0, supports setpass: no
>             security flags: NO_ANONYMOUS
>             features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
>     Plugin "gssapiv2" [loaded],     API version: 4
>             SASL mechanism: GSSAPI, best SSF: 56, supports setpass: no
>             security flags:
>     NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
>             features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
>     Plugin "digestmd5" [loaded],    API version: 4
>             SASL mechanism: DIGEST-MD5, best SSF: 128, supports setpass: no
>             security flags: NO_ANONYMOUS|NO_PLAINTEXT|MUTUAL_AUTH
>             features: PROXY_AUTHENTICATION
>     Plugin "crammd5" [loaded],      API version: 4
>             SASL mechanism: CRAM-MD5, best SSF: 0, supports setpass: no
>             security flags: NO_ANONYMOUS|NO_PLAINTEXT
>             features: SERVER_FIRST
>
>
> Configure line
>
>     './configure' --prefix=/usr/local  '--sysconfdir=/usr/local/etc'
>     '--with-configdir=/usr/local/lib/sasl2:/usr/local/etc/sasl2'
>     '--with-plugindir=/usr/local/lib/sasl2'
>     '--with-dbpath=/usr/local/etc/sasldb2'
>     '--includedir=/usr/local/include' '--enable-static'
>     '--enable-auth-sasldb' '--with-rc4=openssl'
>     '--with-saslauthd=/var/run/saslauthd' '--with-dblib=berkeley'
>     '--with-bdb-libdir=/usr/local/lib'
>     '--with-bdb-incdir=/usr/local/include/db41' '--with-bdb=db41'
>     '--enable-sql' '--without-mysql' '--with-pgsql=/usr/local'
>     '--without-sqlite' '--enable-alwaystrue' '--with-authdaemond=no'
>     '--enable-login' '--disable-otp' '--disable-ntlm' '--enable-gssapi'
>     '--disable-krb4' '--with-openssl=yes' '--prefix=/usr/local'
>     '--mandir=/usr/local/man' '--infodir=/usr/local/info/'
>     'amd64-portbld-freebsd7.0' 'CC=cc' 'CFLAGS=-O -pipe -march=nocona'
>     'CPPFLAGS=-fPIC -I/usr/local/include' 'LDFLAGS=
>     -rpath=/usr/lib:/usr/local/lib -L/usr/local/lib'
>     'build_alias=amd64-portbld-freebsd7.0'
>     'host_alias=amd64-portbld-freebsd7.0'
>     'target_alias=amd64-portbld-freebsd7.0'
>     --cache-file=.././config.cache --srcdir=.
>
> I don't see any errors related to sql in the configure, all I get is
>
>     checking SQL... enabled
>
> And the SQL module seems to get compiled ok.
>
>     if /bin/sh /usr/local/bin/libtool --mode=compile cc -DHAVE_CONFIG_H
>     -I. -I. -I..  -I../include -I../lib -I../sasldb -I../include  -fPIC
>     -I/usr/local/include -I/usr/local/include/db41 -DKRB5_HEIMDAL
>     -I/usr/local/include  -Wall -W -O -pipe -march=nocona -MT sql.lo -MD
>     -MP -MF ".deps/sql.Tpo"  -c -o sql.lo `test -f 'sql.c' || echo
>     './'`sql.c;  then mv ".deps/sql.Tpo" ".deps/sql.Plo";  else rm -f
>     ".deps/sql.Tpo"; exit 1;  fi
>      cc -DHAVE_CONFIG_H -I. -I. -I.. -I../include -I../lib -I../sasldb
>     -I../include -fPIC -I/usr/local/include -I/usr/local/include/db41
>     -DKRB5_HEIMDAL -I/usr/local/include -Wall -W -O -pipe -march=nocona
>     -MT sql.lo -MD -MP -MF .deps/sql.Tpo -c sql.c  -fPIC -DPIC -o
>     .libs/sql.o
>     sql.c: In function 'sql_auxprop_plug_init':
>     sql.c:1077: warning: unused parameter 'plugname'
>      cc -DHAVE_CONFIG_H -I. -I. -I.. -I../include -I../lib -I../sasldb
>     -I../include -fPIC -I/usr/local/include -I/usr/local/include/db41
>     -DKRB5_HEIMDAL -I/usr/local/include -Wall -W -O -pipe -march=nocona
>     -MT sql.lo -MD -MP -MF .deps/sql.Tpo -c sql.c -o sql.o >/dev/null 2>&1
>     if /bin/sh /usr/local/bin/libtool --mode=compile cc -DHAVE_CONFIG_H
>     -I. -I. -I..  -I../include -I../lib -I../sasldb -I../include  -fPIC
>     -I/usr/local/include -I/usr/local/include/db41 -DKRB5_HEIMDAL
>     -I/usr/local/include  -Wall -W -O -pipe -march=nocona -MT
>     sql_init.lo -MD -MP -MF ".deps/sql_init.Tpo"  -c -o sql_init.lo
>     `test -f 'sql_init.c' || echo './'`sql_init.c;  then mv
>     ".deps/sql_init.Tpo" ".deps/sql_init.Plo";  else rm -f
>     ".deps/sql_init.Tpo"; exit 1;  fi
>      cc -DHAVE_CONFIG_H -I. -I. -I.. -I../include -I../lib -I../sasldb
>     -I../include -fPIC -I/usr/local/include -I/usr/local/include/db41
>     -DKRB5_HEIMDAL -I/usr/local/include -Wall -W -O -pipe -march=nocona
>     -MT sql_init.lo -MD -MP -MF .deps/sql_init.Tpo -c sql_init.c  -fPIC
>     -DPIC -o .libs/sql_init.o
>      cc -DHAVE_CONFIG_H -I. -I. -I.. -I../include -I../lib -I../sasldb
>     -I../include -fPIC -I/usr/local/include -I/usr/local/include/db41
>     -DKRB5_HEIMDAL -I/usr/local/include -Wall -W -O -pipe -march=nocona
>     -MT sql_init.lo -MD -MP -MF .deps/sql_init.Tpo -c sql_init.c -o
>     sql_init.o >/dev/null 2>&1
>     /bin/sh /usr/local/bin/libtool --mode=link cc  -Wall -W -O -pipe
>     -march=nocona  -module -export-dynamic -rpath /usr/local/lib/sasl2
>     -rpath=/usr/lib:/usr/local/lib -L/usr/local/lib -o libsql.la
>     -L/usr/local/lib  -R/usr/local/lib -lpq  -version-info 2:22:0 sql.lo
>     sql_init.lo plugin_common.lo
>     cc -shared  .libs/sql.o .libs/sql_init.o .libs/plugin_common.o
>     -Wl,--rpath -Wl,/usr/local/lib -L/usr/local/lib -lpq  -march=nocona
>     -Wl,-soname -Wl,libsql.so.2 -o .libs/libsql.so.2
>     (cd .libs && rm -f libsql.so && ln -s libsql.so.2 libsql.so)
>     (cd .libs && rm -f libsql.so && ln -s libsql.so.2 libsql.so)
>     ar cru .libs/libsql.a  sql.o sql_init.o plugin_common.o
>     ranlib .libs/libsql.a
>     creating libsql.la
>     (cd .libs && rm -f libsql.la && ln -s ../libsql.la libsql.la)
>     <snip>
>     if cc -DHAVE_CONFIG_H -I. -I. -I.. -I../include -I../plugins
>     -I../include -I../sasldb   -fPIC -I/usr/local/include
>     -I/usr/local/include/db41 -DKRB5_HEIMDAL -I/usr/local/include  -Wall
>     -W -O -pipe -march=nocona -MT sql.o -MD -MP -MF ".deps/sql.Tpo"  -c
>     -o sql.o `test -f
>     '/usr/ports/security/cyrus-sasl2/work/cyrus-sasl-2.1.22/lib/../plugins/sql.c'
>     || echo
>     './'`/usr/ports/security/cyrus-sasl2/work/cyrus-sasl-2.1.22/lib/../plugins/sql.c;
>     then mv ".deps/sql.Tpo" ".deps/sql.Po";  else rm -f ".deps/sql.Tpo";
>     exit 1;  fi
>     /usr/ports/security/cyrus-sasl2/work/cyrus-sasl-2.1.22/lib/../plugins/sql.c: In function 'sql_auxprop_plug_init':
>     /usr/ports/security/cyrus-sasl2/work/cyrus-sasl-2.1.22/lib/../plugins/sql.c:1077: warning: unused parameter 'plugname'
>     adding static plugins and dependencies
>     ar cru .libs/libsasl2.a sasldb.o db_berkeley.o allockey.o cram.o
>     digestmd5.o gssapi.o plain.o anonymous.o login.o sql.o
>
> And the files are there
>
>     barium# ll /usr/local/lib/sasl2/*sql*
>     -rw-r--r--  1 root  wheel  28568 May 13 10:27
>     /usr/local/lib/sasl2/libsql.a
>     -rwxr-xr-x  1 root  wheel    826 May 13 10:27
>     /usr/local/lib/sasl2/libsql.la
>     lrwxr-xr-x  1 root  wheel     11 May 13 10:27
>     /usr/local/lib/sasl2/libsql.so -> libsql.so.2
>     -rwxr-xr-x  1 root  wheel  27026 May 13 10:27
>     /usr/local/lib/sasl2/libsql.so.2
>
>
> For some reason I get some mysql related errors in the syslog like
> these. I'm using postgresql not mysql. It's compiled --without-mysql and
> mysql isn't even installed in the server.

"mysql" is the default sql_engine if no other is specified. In your case this
means your smtpd.conf is not read. Maybe the wrong directory? Some distributions
do a lot of patching.

>     May 13 15:05:42 barium pluginviewer: SQL engine 'mysql' not supported
>     May 13 15:05:42 barium pluginviewer: auxpropfunc error no mechanism
>     available

Check where your Cyrus-SASL expects the config file. Maybe trace the
saslpasswd binary.

>     May 13 15:05:46 barium pluginviewer: SQL engine 'mysql' not supported
>     May 13 15:05:46 barium pluginviewer: auxpropfunc error no mechanism
>     available
>     May 13 15:05:51 barium pluginviewer: SQL engine 'mysql' not supported
>     May 13 15:05:51 barium pluginviewer: auxpropfunc error no mechanism
>     available
>     May 13 15:17:38 barium server: SQL engine 'mysql' not supported
>     May 13 15:17:38 barium server: auxpropfunc error no mechanism available
>
> Other than that, I only get generic errors like
>
>     May 13 15:31:07 barium postfix/smtpd[79672]: warning: SASL
>     per-process initialization failed: generic failure
>     May 13 15:31:07 barium postfix/smtpd[79672]: fatal: SASL per-process
>     initialization failed
>
> using the client/server in "sample"
>
> Client
>
>     barium# ./client -s smtpd -m LOGIN localhost
>     receiving capability list... recv: {48}
>     LOGIN ANONYMOUS PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
>     LOGIN ANONYMOUS PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
>     send: {5}
>     LOGIN
>     send: {1}
>     N
>     recv: {9}
>     Username:
>     please enter an authentication id: jeann <at> darkadsl.ca
>     Password:
>     send: {17}
>     jeann <at> darkadsl.ca
>     recv: {9}
>     Password:
>     send: {6}
>     asdfgh
>     authentication failed
>     closing connection
>
> Server
>
>     accepted new connection
>     send: {48}
>     LOGIN ANONYMOUS PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
>     recv: {5}
>     LOGIN
>     recv: {1}
>     N
>     send: {9}
>     Username:
>     recv: {17}
>     jeann <at> darkadsl.ca
>     send: {9}
>     Password:
>     recv: {6}
>     asdfgh
>     performing SASL negotiation: user not foundclosing connection

-- 
	Andreas
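
Added example (not part of the original message and not Cyrus SASL code): a small Python check that applies the points from the reply above to a config in the posted `key: value` form, including the "log names a different engine than the file sets, so the file is not being read" inference. The function names are hypothetical, the flagged-option list comes only from the reply, and the sample config and log line are abridged from the post.

```python
import re

# Options the reply above identifies as not Cyrus-SASL options.
FLAGGED_IN_REPLY = {"allowanonymouslogin", "allowplaintext", "password_format"}
DEFAULT_ENGINE = "mysql"  # per the reply: used when no sql_engine is specified

# Sample input: abridged from the config and syslog lines quoted in the post.
SAMPLE_CONF = """\
pwcheck_method: auxprop
auxprop_plugin: sql
sql_engine: pgsql
allowplaintext: yes
password_format: plaintext
sql_select: SELECT pass FROM emails_view WHERE email = '%u@%r'
"""
SAMPLE_LOG = ["May 13 15:05:42 barium pluginviewer: SQL engine 'mysql' not supported"]

def parse_conf(text):
    """Parse 'key: value' lines; blank lines and '#' comments are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            conf[key.strip()] = value.strip()
    return conf

def review(conf, log_lines=()):
    """Return findings for the points raised in the reply."""
    findings = [f"{k}: not a Cyrus-SASL option" for k in sorted(FLAGGED_IN_REPLY & conf.keys())]
    if conf.get("auxprop_plugin") == "sql":
        if not ({"sql_insert", "sql_update"} & conf.keys()):
            findings.append("no sql_insert/sql_update: nothing for saslpasswd2 to run")
        wanted = conf.get("sql_engine", DEFAULT_ENGINE)
        for line in log_lines:
            m = re.search(r"SQL engine '([^']+)' not supported", line)
            if m and m.group(1) != wanted:
                findings.append(f"log reports engine '{m.group(1)}', file sets "
                                f"'{wanted}': this file is not the one being read")
                break
    return findings

def expand_select(template, login):
    """Show the query text for a login (%u user part, %r realm); for reading only."""
    user, _, realm = login.partition("@")
    return re.sub(r"%([ur])", lambda m: {"u": user, "r": realm}[m.group(1)], template)

if __name__ == "__main__":
    print("\n".join(review(parse_conf(SAMPLE_CONF), SAMPLE_LOG)))
```

`expand_select` only renders the statement so the `%u@%r` split can be checked by eye; it does no escaping and its output is not meant to be executed.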

