Author Topic: Can't login to postfix via SMTP when password has been changed from roundcube  (Read 2545 times)

Offline svasi

  • Newbie
  • *
  • Posts: 7
Hi all.
I'm trying to setup SASL authentication via PAM on a POSTFIX+ROUNDCUBE configuration on Ubuntu 10.04.
Since we are a small company I can easily create new users from a shell script where at the end an INSERT is performed against a MYSQL DB using an ENCRYPT function

Code: [Select]
mysql -u maildb -p maildb -e "INSERT INTO users (id,name,maildir,crypt) VALUES ('$FULLNAME','$ALIAS1 $3','$ALIAS1/',encrypt('$DEFPWD') );"


Everything is fine until now.
I can login from roundcube webmail with te $DEFPWD
I can also login to POSTFIX using AUTH LOGIN with BASE64 encoded $DEFPWD via PAM

This is my /etc/pam.d/smtp config

Code: [Select]
auth required pam_mysql.so user=maildb passwd=mypassword host=127.0.0.1 db=maildb table=users usercolumn=id passwdcolumn=crypt crypt=1 verbose=1
account sufficient pam_mysql.so user=maildb passwd=mypassword host=127.0.0.1 db=maildb table=users usercolumn=id passwdcolumn=crypt crypt=1 verbose=1

When a user changes its password through roundcube's password plugin the SMTP AUTH LOGIN doesn't authenticate the user while he can still use the webmail with the new password.

I know that PAM can't use MD5 so according to this my config.inc.php, for password plugin, says in its relevant part

Code: [Select]
$rcmail_config['password_crypt_hash'] = 'des';
$rcmail_config['password_query'] = 'UPDATE maildb.users SET crypt = %c WHERE id = %u';

I've also tried to change the password_query in this way

Code: [Select]
$rcmail_config['password_query'] = 'UPDATE maildb.users SET crypt = encrypt(%p) WHERE id = %u';

I can see that the password changes in the DB and still can't login using SMTP client while users can login through webmail

Do I miss something?


Below some relevant infos

postconf -n
Code: [Select]
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
delay_warning_time = 4h
disable_vrfy_command = yes
inet_interfaces = all
local_recipient_maps =
mailbox_size_limit = 0
maximal_backoff_time = 8000s
maximal_queue_lifetime = 7d
message_size_limit = 20480000
minimal_backoff_time = 1000s
mydestination = $myhostname, localhost.$mydomain, localhost
myhostname = mail.engenie.it
mynetworks = 127.0.0.0/8  192.168.0.0/24 192.168.2.0/24 
mynetworks_style = host
myorigin = [i]mydomain[/i]
readme_directory = no
recipient_delimiter = +
relayhost = [[i]myrelay[/i]]
smtp_helo_timeout = 60s
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_data_restrictions = permit
smtpd_delay_reject = yes
smtpd_hard_error_limit = 12
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, warn_if_reject reject_non_fqdn_hostname, reject_invalid_hostname, permit
smtpd_recipient_limit = 100
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, check_policy_service inet:127.0.0.1:10023, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = cyrus
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, warn_if_reject reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unauth_pipelining, permit
smtpd_soft_error_limit = 3
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 450
virtual_alias_maps = mysql:/etc/postfix/mysql_alias.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/spool/mail/virtual
virtual_mailbox_domains = $mydomain
virtual_mailbox_limit = 51200000
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_mailbox.cf
virtual_uid_maps = static:5000


/etc/postfix/sasl/smtpd.conf
Code: [Select]
pwcheck_method: saslauthd
mech_list: plain login
log_level: 7


/etc/default/saslauthd
Code: [Select]
#
# Settings for saslauthd daemon
# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
#

# Should saslauthd run automatically on startup? (default: no)
START=yes

# Description of this saslauthd instance. Recommended.
# (suggestion: SASL Authentication Daemon)
DESC="SASL Authentication Daemon"

# Short name of this saslauthd instance. Strongly recommended.
# (suggestion: saslauthd)
NAME="saslauthd"

# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent  -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam       -- use PAM
# rimap     -- use a remote IMAP server
# shadow    -- use the local shadow password file
# sasldb    -- use the local sasldb database file
# ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="pam"

# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""

# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5

# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!
#
# WARNING: DO NOT SPECIFY THE -d OPTION.
# The -d option will cause saslauthd to run in the foreground instead of as
# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
# to run saslauthd in debug mode, please run it by hand to be safe.
#
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
# See the saslauthd man page and the output of 'saslauthd -h' for general
# information about these options.
#
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
# OPTIONS="-c -m /var/run/saslauthd"
# OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

OPTIONS="-r -c -m /var/spool/postfix/var/run/saslauthd"

« Last Edit: February 27, 2014, 09:20:07 AM by svasi »