Cyrus-SASL
Archive: deb http://www.daniels.id.au/debian/cyrus-sasl i386/
  deb http://www.daniels.id.au/debian/cyrus-sasl sparc/
Description: Cyrus-SASL 2.1.19-1.5 from Sarge, repackaged with the frost crypt patch.
Packages: libsasl2-dev, libsasl2-modules-gssapi-heimdal, libsasl2-modules-kerberos-heimdal, libsasl2-modules-sql, libsasl2-modules, libsasl2, sasl2-bin

I started my adventure into SASL when I was given the task of rebuilding one of our SMTP gateways. The existing system was running Cyrus POP and IMAP with encrypted passwords stored in a MySQL database.

After spending days searching for similar configurations to mine, I finally came across this message, which led me to some existing Debian packages here. At last, some progress! But these packages were a little too old for my liking, so I rolled my own, and here they are.

So here's the SASL crypt story, or what I can gather of it.
SASL uses many mechanisms to communicate username and password information to and from the client; these include plain, login, cram-md5, digest-md5 and many others.

The problem is that the mechanisms that use encryption (cram-md5, digest-md5, etc.) are one-way, meaning the received transmission cannot be decrypted. So when the SMTP server receives a password in cram-md5 format, it takes the existing plain-text password, cram-md5 encrypts it itself, and if the results are identical, presto, you're in!

This works fine for most installations, but if you are anything like me and despise the thought of storing any passwords in plain text then this is no good, and in my case impossible, as the system I had inherited had encrypted passwords stored (I didn't know the plain-text passwords).

Fortunately there is a solution. If your installation doesn't use any encryption methods for SASL, there are patches available that will use standard libc crypt functions, allowing you to store your passwords encrypted.
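
The trade-off described above, as an added example that is not code from this page or from Cyrus SASL: the cram-md5 check only succeeds when the server holds the plain-text password, while plain/login can be checked against a one-way hash. The function names are hypothetical, the password and challenge are the RFC 2195 sample values, and salted PBKDF2 stands in for libc crypt().

```python
import hashlib
import hmac
import os

def cram_md5_digest(secret: bytes, challenge: bytes) -> str:
    """CRAM-MD5 (RFC 2195): HMAC-MD5 over the server challenge, keyed with the secret."""
    return hmac.new(secret, challenge, hashlib.md5).hexdigest()

def server_verify_cram_md5(stored: bytes, challenge: bytes, client_digest: str) -> bool:
    """The server can only recompute the digest from whatever it has stored."""
    return hmac.compare_digest(cram_md5_digest(stored, challenge), client_digest)

def hash_password(password: bytes, salt: bytes = b"") -> bytes:
    """Assumed stand-in for libc crypt(): salted one-way hash, stored as salt$hash."""
    salt = salt or os.urandom(8).hex().encode()
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)
    return salt + b"$" + digest.hex().encode()

def server_verify_plain(stored_hash: bytes, password: bytes) -> bool:
    """plain/login hand the server the password, so it can re-hash with the stored salt."""
    salt = stored_hash.split(b"$", 1)[0]
    return hmac.compare_digest(hash_password(password, salt), stored_hash)

def demo() -> dict:
    password = b"tanstaaftanstaaf"  # RFC 2195 sample password
    challenge = b"<1896.697170952@postoffice.reston.mci.net>"  # RFC 2195 sample challenge
    client_digest = cram_md5_digest(password, challenge)
    stored_hash = hash_password(password)  # what a hashed password column would hold
    return {
        # Server keeps the plain-text password: digests match.
        "cram_md5_plaintext_store": server_verify_cram_md5(password, challenge, client_digest),
        # Server keeps only a hash: it keys the HMAC with the wrong secret.
        "cram_md5_hashed_store": server_verify_cram_md5(stored_hash, challenge, client_digest),
        # plain/login against the same hashed column works.
        "plain_hashed_store": server_verify_plain(stored_hash, password),
        "plain_wrong_password": server_verify_plain(stored_hash, b"guess"),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

Because plain and login deliver the password itself to the server, this arrangement depends on the SMTP session being protected by TLS.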

There are many how-tos out there detailing how to configure Postfix for SASL; the one I used is here. The difference between that setup and ours is that we connect to MySQL from SASL and not PAM, so when following the above how-to, simply use the smtpd.conf below and forget the PAM section.

Sample /etc/postfix/sasl/smtpd.conf
pwcheck_method: auxprop
auxprop_plugin: sql
allowanonymouslogin: no
allowplaintext: yes
mech_list: plain login
password_format: crypt
sql_engine: mysql
sql_user: postfix
sql_passwd: secret
sql_hostnames: 127.0.0.1
sql_database: postfix2
sql_select: select password from mailbox where username='%u'