Postfix (MySQL): Encrypted passwords do not work

postfix sasl

Update: I've tried to insert the password in plain text in the DB. That works, and I'm now able to send mail as well. I tried setting up the whole thing (using the guide mentioned) again, but with the same result. Any ideas?

Original question: Just set up a Postfix / Courier bundle following this tutorial. I've used this tutorial with luck before, but this time I am having problems sending email. My main problem is that I don't really know where to look for clues on what's causing this error. Mail.log only gives me the following lines,

Apr 21 17:38:50 gordon postfix/smtpd[5059]: connect from xxx.xx-xxx-xx.my.isp.carrier[xx.xxx.xx.xxx]
Apr 21 17:38:51 gordon imapd: LOGIN, user=my@domain.com, ip=[::ffff:xx.xxx.xx.xxx], port=[57701], protocol=IMAP
Apr 21 17:38:51 gordon postfix/smtpd[5059]: warning: xxx.xx-xxx-xx.my.isp.carrier[xx.xxx.xx.xxx]: SASL LOGIN authentication failed: authentication failure

When searching, it appears "authentication failure" is a very generic error message and may be caused by a number of different errors – which makes it all the more difficult for a newbie like myself to locate the problem.

System

  • Ubuntu 12.04
  • Postfix
  • Courier
  • SASL with SSL and TLS
  • SpamAssassin
  • ClamAV
  • Amavis

Best Answer

In the tutorial linked above, the author uses the CRYPT hash algorithm. This can be seen in the SQL query:

INSERT INTO `user` (`email`, `password`, `name`) VALUES ("admin@example.com", ENCRYPT("adminpassword"), "Administrator");

Saslauthd uses pam-mysql to authenticate the user, so we need to configure pam-mysql to use the same hash algorithm. The configuration file is /etc/pam.d/smtp:

auth    required   pam_mysql.so user=mail passwd=mailpassword host=127.0.0.1 db=mail table=user usercolumn=email passwdcolumn=password crypt=1
account sufficient pam_mysql.so user=mail passwd=mailpassword host=127.0.0.1 db=mail table=user usercolumn=email passwdcolumn=password crypt=1

The important parameter is crypt, because it specifies the method used to encrypt the user's password:

  • 0 (or "plain") = No encryption. Passwords stored in plaintext. HIGHLY DISCOURAGED.
  • 1 (or "Y") = Use crypt(3) function
  • 2 (or "mysql") = Use MySQL PASSWORD() function. It is possible that the encryption function used by pam-mysql is different from that of the MySQL server, as pam-mysql uses the function defined in MySQL's C-client API instead of using PASSWORD() SQL function in the query.
  • 3 (or "md5") = Use MySQL MD5() function

So, if you need to use encrypted passwords for authentication, set the crypt parameter so that it matches your original query.

Another important parameter is verbose. You can set it to 1 so that you can see what pam-mysql is doing.

Further info: PAM-MySQL Package README readme.php
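
The following is an added example, not part of the answer above or of the PAM-MySQL package: a small Python check that guesses from its shape how each stored password value was produced and reports rows that the crypt= setting in the PAM line cannot verify. The shape patterns are heuristic assumptions based on the usual output formats of crypt(3), PASSWORD() and MD5(); the function names and sample rows are constructed for illustration.

```python
import re

# Aliases for crypt= as listed in the answer above (0/plain, 1/Y, 2/mysql, 3/md5).
CRYPT_ALIASES = {"0": 0, "plain": 0, "1": 1, "y": 1, "2": 2, "mysql": 2, "3": 3, "md5": 3}

# Shape heuristics for stored values, checked in order: (pattern, label, crypt= value).
FORMATS = [
    (re.compile(r"^\$[0-9A-Za-z]+\$[^$]+\$.+$"), "crypt(3) modular ($id$salt$hash)", 1),
    (re.compile(r"^\*[0-9A-F]{40}$"), "MySQL PASSWORD() (4.1+)", 2),
    (re.compile(r"^[0-9a-f]{16}$"), "MySQL PASSWORD() (pre-4.1)", 2),
    (re.compile(r"^[0-9a-f]{32}$"), "MySQL MD5()", 3),
    # A 13-character alphanumeric plaintext has the same shape as a DES crypt hash.
    (re.compile(r"^[./0-9A-Za-z]{13}$"), "crypt(3) traditional DES", 1),
]

def parse_crypt_option(pam_line):
    """Return the numeric crypt= setting from a pam_mysql.so line, or None if absent."""
    m = re.search(r"(?:^|\s)crypt=(\S+)", pam_line)
    return CRYPT_ALIASES.get(m.group(1).lower()) if m else None

def classify(stored):
    """Guess which function produced a stored password value."""
    for pattern, label, crypt_value in FORMATS:
        if pattern.match(stored):
            return label, crypt_value
    return "plaintext or unknown", 0

def audit(rows, pam_line):
    """List (email, detected format, needed crypt=) for rows the PAM line cannot verify."""
    configured = parse_crypt_option(pam_line)
    findings = []
    for email, stored in rows:
        label, needed = classify(stored)
        if needed != configured:
            findings.append((email, label, needed))
    return findings

# Constructed sample data: values have the right shape but are not real hashes.
SAMPLE_ROWS = [
    ("admin@example.com", "ab01FAX.bQRSU"),            # shape of salt-less ENCRYPT() output
    ("bob@example.com", "*" + "A1B2C3D4E5" * 4),       # shape of PASSWORD() output
    ("carol@example.com", "0123456789abcdef" * 2),     # shape of MD5() output
    ("dave@example.com", "not hashed at all"),         # plaintext
]
PAM_LINE = ("auth required pam_mysql.so user=mail passwd=mailpassword host=127.0.0.1 "
            "db=mail table=user usercolumn=email passwdcolumn=password crypt=1")

if __name__ == "__main__":
    for email, label, needed in audit(SAMPLE_ROWS, PAM_LINE):
        print(f"{email}: stored as {label}; PAM line needs crypt={needed}")
```

In practice the rows would come from the email and password columns of the user table, and the PAM line from /etc/pam.d/smtp.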