[Solved] [postfix] Enabling SASL authentication

Hello,

I would like to enable authentication on Postfix so that I can send mail through Postfix from outside.

My Postfix config before the change:

[code]alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
disable_vrfy_command = yes
inet_interfaces = all
mailbox_size_limit = 1024000000
mydestination = localhost, localhost.localdomain
myhostname = mondomaine.com
mynetworks = 127.0.0.0/8 192.168.1.0/24
relayhost =
smtpd_client_restrictions = reject_unknown_client, permit_mynetworks
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, reject_unknown_recipient_domain, reject_non_fqdn_recipient, check_relay_domains
smtpd_sender_restrictions = permit_mynetworks, reject_unknown_sender_domain, warn_if_reject reject_unverified_sender
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual_aliases.cf, mysql:/etc/postfix/mysql-virtual_aliases_mailbox.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/spool/vmail/
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_limit = 1024000000
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_uid_maps = static:5000[/code]

I added a few lines to my main.cf:

[code]permit_sasl_authenticated,

smtpd_sasl_auth_enable = yes
#smtpd_sasl2_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_local_domain =[/code]

I then created a file smtpd.conf (/etc/postfix/sasl/smtpd.conf) in which I added the following, filled in with the right details.

[code]pwcheck_method: auxprop
auxprop_plugin: sql
mech_list: plain login cram-md5 digest-md5
sql_engine: mysql
sql_hostnames: 127.0.0.1
sql_user: provider_admin
sql_passwd: ...
sql_database: provider
sql_select: select password from users where email='%u@%r'[/code]

And finally I adjusted the permissions:

[code]chown root:postfix /etc/postfix/sasl/smtpd.conf
chmod u=rw,g=r,o= /etc/postfix/sasl/smtpd.conf[/code]

As usual, no luck, it doesn't work (who would have guessed :frowning: )

My mail client spits out "5.7.0 Error: authentication failed: authentication failure" and in my logs I have:

[code]warning: fff.kkkkkkkkkk.jjj.mmm[80.13.140.88]: SASL LOGIN authentication failed: authentication failure
Sep 4 12:16:58 mondomain postfix/smtpd[24102]: lost connection after AUTH from fff.kkkkkkkkkk.jjj.mmm[80.13.140.88][/code]

Does anyone have an idea where it is getting stuck?

Thanks in advance.

You don't say where you put permit_sasl_authenticated?

Hello again,

Here is the exact place:

[code]smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unknown_recipient_domain, reject_non_fqdn_recipient, check_relay_domains[/code]

Thanks.

How are your passwords encoded in the database?

Hello again,

I don't know the actual encryption method, but this is the command I use to enter the mail accounts in the DB

Thanks.

It's ENCRYPT.

Take a look at my tutorial on the subject:
starbridge.org/spip/spip.php … sommaire_1

It's written for MD5 passwords, but you can perfectly well change the pam_mysql.so parameters to accept ENCRYPT passwords.

Hello again,

Thanks for the link. I followed the SASL authentication part carefully; unfortunately it doesn't work and I still get the same error:

[code]SASL LOGIN authentication failed: authentication failure[/code]

Did you modify pam/smtp?

Show it.

You do mean /etc/pam.d/smtp?

[code]
auth required pam_mysql.so user=myuser passwd=mypass host=127.0.0.1 db=postfix table=mailbox usercolumn=email passwdcolumn=password crypt=1 md5=1

account sufficient pam_mysql.so user=myuser passwd=mypass host=127.0.0.1 db=postfix table=mailbox usercolumn=email passwdcolumn=password crypt=1 md5=1[/code]

Yes, I told you above that you have to change it, because here it is set up for MD5 passwords.

Try this (I don't have the docs in front of me, but from memory I think this is it):

[code]auth required pam_mysql.so user=myuser passwd=mypass host=127.0.0.1 db=postfix table=mailbox usercolumn=email passwdcolumn=password crypt=2

account sufficient pam_mysql.so user=myuser passwd=mypass host=127.0.0.1 db=postfix table=mailbox usercolumn=email passwdcolumn=password crypt=2[/code]
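An added example, not code from the thread or from pam_mysql: it takes a value read from the password column, guesses which format the accounts were stored in (MySQL ENCRYPT(), i.e. crypt(3); MD5-crypt; MD5 hex; MySQL PASSWORD()) and verifies a candidate password the corresponding way, which is the mismatch the two previous replies are chasing. The pam_mysql crypt= mapping in the comments is an assumption from memory of the pam_mysql README; confirm it against your installed version.

```python
import hashlib
import re

# Assumed mapping of pam_mysql "crypt=" values to storage formats (verify against
# the pam_mysql README for your version): 0 plain text, 1 crypt(3) (this is what
# MySQL ENCRYPT() produces; md5=1 additionally selects $1$ MD5-crypt), 2 MySQL
# PASSWORD(), 3 plain MD5 hex digest.
PAM_MYSQL_CRYPT = {"plain": 0, "crypt3": 1, "mysql_password": 2, "md5_hex": 3}


def classify_hash(stored: str) -> str:
    """Guess how the password column was encoded from its shape (heuristic:
    a 13-character plain-text password looks like a DES crypt(3) hash)."""
    if re.fullmatch(r"\*[0-9A-F]{40}", stored):
        return "mysql_password"          # MySQL 4.1+ PASSWORD()
    if stored.startswith("$1$"):
        return "crypt3"                  # MD5-crypt, crypt(3) with md5=1
    if re.fullmatch(r"[./0-9A-Za-z]{13}", stored):
        return "crypt3"                  # traditional DES crypt(3) == ENCRYPT()
    if re.fullmatch(r"[0-9a-f]{32}", stored):
        return "md5_hex"                 # MD5() hex digest
    return "plain"


def mysql_password(password: str) -> str:
    """MySQL 4.1+ PASSWORD(): '*' + upper-hex SHA1(SHA1(password))."""
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def verify(candidate: str, stored: str) -> bool:
    """Check a candidate password the way pam_mysql would for the detected format."""
    kind = classify_hash(stored)
    if kind == "mysql_password":
        return mysql_password(candidate) == stored
    if kind == "md5_hex":
        return hashlib.md5(candidate.encode()).hexdigest() == stored
    if kind == "crypt3":
        import crypt  # stdlib on Unix up to Python 3.12; removed in 3.13
        return crypt.crypt(candidate, stored) == stored
    return candidate == stored


def pam_mysql_option(stored: str) -> str:
    """pam_mysql option string matching the stored value's format (assumed mapping)."""
    opt = f"crypt={PAM_MYSQL_CRYPT[classify_hash(stored)]}"
    return opt + " md5=1" if stored.startswith("$1$") else opt
```

Run classify_hash() on one real row first: if it says crypt3 for an ENCRYPT() column while /etc/pam.d/smtp says otherwise, the PAM line and the data disagree.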

grrr, it doesn't go through :frowning:

What do the logs say?

Just 2 lines.

[code]Sep 4 17:12:05 mydomin postfix/smtpd[25454]: warning: SASL authentication failure: Password verification failed
Sep 4 17:12:05 mydomain postfix/smtpd[25454]: warning: fff.kkkkkkkkkk.jjj.mmm[80.13.140.88]: SASL PLAIN authentication failed: authentication failure[/code]

Show your complete config:

the contents of the files:
/etc/default/saslauthd
/etc/pam.d/smtp
/etc/postfix/sasl/smtpd.conf

the output of the commands:
postconf -n
ls -la /var/spool/postfix/var/run/saslauthd/
getent group | grep postfix
ps waux | grep saslauthd

Hello again,

/etc/default/saslauthd

[code]START=no
MECHANISMS="pam"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c"
START=yes
MECHANISMS="pam"
OPTIONS="-c -r -m /var/spool/postfix/var/run/saslauthd"[/code]

/etc/pam.d/smtp

[code]auth required pam_mysql.so user=myuser passwd=mypass host=127.0.0.1 db=postfix table=mailbox usercolumn=email passwdcolumn=password crypt=2

account sufficient pam_mysql.so user=myuser passwd=mypass host=127.0.0.1 db=postfix table=mailbox usercolumn=email passwdcolumn=password crypt=2[/code]

/etc/postfix/sasl/smtpd.conf

[code]pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
log_level: 5[/code]

postconf -n

[code]alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
disable_vrfy_command = yes
inet_interfaces = all
mailbox_size_limit = 1024000000
mydestination = localhost, localhost.localdomain
mydomain = mydomain.com
myhostname = mydomain.com
mynetworks = 127.0.0.0/8 192.168.1.0/24
myorigin = mydomain.com
relayhost =
smtp_tls_security_level = may
smtpd_client_restrictions = reject_unknown_client, permit_mynetworks
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unknown_recipient_domain, reject_non_fqdn_recipient, check_relay_domains
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_mynetworks, reject_unknown_sender_domain, warn_if_reject reject_unverified_sender
smtpd_tls_CAfile = /etc/postfix/tls/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/tls/smtpd.crt
smtpd_tls_key_file = /etc/postfix/tls/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual_aliases.cf, mysql:/etc/postfix/mysql-virtual_aliases_mailbox.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/spool/vmail/
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_limit = 1024000000
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_uid_maps = static:5000[/code]

ls -la /var/spool/postfix/var/run/saslauthd/

[code]total 940
drwx--x--- 2 root sasl 4096 2007-09-05 09:16 .
drwxr-xr-x 3 root sasl 4096 2007-09-04 15:16 ..
-rw------- 1 root root 0 2007-09-05 09:16 cache.flock
-rw------- 1 root root 945152 2007-09-05 09:16 cache.mmap
srwxrwxrwx 1 root root 0 2007-09-05 09:16 mux
-rw------- 1 root root 0 2007-09-05 09:16 mux.accept
-rw------- 1 root root 6 2007-09-05 09:16 saslauthd.pid[/code]

Strangely, the permissions change: before restarting the saslauthd service, the permissions were as follows:

[code]total 940
drwx--x--- 2 root sasl 4096 2007-09-05 09:14 .
drwxr-xr-x 3 root sasl 4096 2007-09-04 15:16 ..
-rw------- 1 root sasl 0 2007-09-05 09:14 cache.flock
-rw------- 1 root sasl 945152 2007-09-05 09:14 cache.mmap
srwxrwxrwx 1 root sasl 0 2007-09-05 09:14 mux
-rw------- 1 root sasl 0 2007-09-05 09:14 mux.accept
-rw------- 1 root sasl 5 2007-09-05 09:14 saslauthd.pid[/code]

getent group | grep postfix

[code]sasl:x:45:postfix
postfix:x:106:[/code]

ps waux | grep saslauthd

[code]root 10044 0.0 0.3 7212 976 ? Ss 09:16 0:00 /usr/sbin/saslauthd -a pam -c -r -m /var/spool/postfix/var/run/saslauthd -n 5
root 10045 0.0 0.2 7212 536 ? S 09:16 0:00 /usr/sbin/saslauthd -a pam -c -r -m /var/spool/postfix/var/run/saslauthd -n 5
root 10046 0.0 0.1 7212 356 ? S 09:16 0:00 /usr/sbin/saslauthd -a pam -c -r -m /var/spool/postfix/var/run/saslauthd -n 5
root 10047 0.0 0.1 7212 356 ? S 09:16 0:00 /usr/sbin/saslauthd -a pam -c -r -m /var/spool/postfix/var/run/saslauthd -n 5
root 10048 0.0 0.1 7212 356 ? S 09:16 0:00 /usr/sbin/saslauthd -a pam -c -r -m /var/spool/postfix/var/run/saslauthd -n 5
root 10067 0.0 0.2 2880 756 pts/0 R+ 09:28 0:00 grep saslauthd[/code]

There you go.

Thanks again.

In /etc/default/saslauthd you need to remove the default options:

[code]START=no
MECHANISMS="pam"
OPTIONS="-c"[/code]

As for the permissions, the directory is fine.

Is your SQL database OK? Is it reachable via 127.0.0.1?

Post your /etc/mysql/my.cnf

and enable the MySQL logs: to do that, temporarily uncomment

[code]#log = /var/log/mysql/mysql.log[/code]

in my.cnf,

then watch the SQL logs during a SASL connection attempt.
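An added example, not from the thread: it encodes the checks behind the diagnostic list asked for above (duplicate assignments in /etc/default/saslauthd, the postfix user's membership of the sasl group, and saslauthd's -m socket directory sitting under the Postfix chroot). The inputs are constructed samples modelled on the outputs posted in this thread, so it runs offline; the `-m` path and the chroot location are the thread's own values, assumed here to be Debian's layout.

```python
import re

# Constructed samples modelled on the outputs posted in this thread.
SASLAUTHD_DEFAULTS = """START=no
MECHANISMS="pam"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c"
START=yes
MECHANISMS="pam"
OPTIONS="-c -r -m /var/spool/postfix/var/run/saslauthd"
"""
GETENT_GROUP = "sasl:x:45:postfix\npostfix:x:106:\n"
PS_SASLAUTHD = ("root 10044 0.0 0.3 7212 976 ? Ss 09:16 0:00 /usr/sbin/saslauthd"
                " -a pam -c -r -m /var/spool/postfix/var/run/saslauthd -n 5")


def duplicate_keys(defaults_text: str) -> list:
    """Keys assigned more than once: the file is sourced by the shell, so the
    last assignment silently wins and the earlier 'defaults' only mislead."""
    seen, dups = set(), []
    for line in defaults_text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key = line.split("=", 1)[0].strip()
            if key in seen and key not in dups:
                dups.append(key)
            seen.add(key)
    return dups


def postfix_in_group(getent_text: str, group: str = "sasl") -> bool:
    """smtpd runs as 'postfix' and must be able to open the saslauthd mux socket."""
    for line in getent_text.splitlines():
        name, _, _, members = line.split(":", 3)
        if name == group:
            return "postfix" in members.split(",")
    return False


def mux_reachable_from_chroot(ps_line: str, chroot: str = "/var/spool/postfix") -> bool:
    """saslauthd's -m directory must sit inside the chroot a chrooted smtpd sees
    (assumed Debian layout: smtpd is chrooted to /var/spool/postfix)."""
    m = re.search(r"-m\s+(\S+)", ps_line)
    return bool(m) and m.group(1).startswith(chroot + "/")
```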

/etc/mysql/my.cnf

[code]#
# The MySQL database server configuration file.
#
# You can copy this to one of:
# - "/etc/mysql/my.cnf" to set global options,
# - "~/.my.cnf" to set user-specific options.
#
# One can use all long options that the program supports.
# Run program with --help to get a list of available options and with
# --print-defaults to see which it would actually understand and use.
#
# For explanations see
# http://dev.mysql.com/doc/mysql/en/server-system-variables.html

# This will be passed to all mysql clients
# It has been reported that passwords should be enclosed with ticks/quotes
# escpecially if they contain "#" chars...
# Remember to edit /etc/mysql/debian.cnf when changing the socket location.
[client]
port = 3306
socket = /var/run/mysqld/mysqld.sock

# Here is entries for some specific programs
# The following values assume you have at least 32M ram

# This was formally known as [safe_mysqld]. Both versions are currently parsed.
[mysqld_safe]
socket = /var/run/mysqld/mysqld.sock
nice = 0

[mysqld]
#
# * Basic Settings
#
user = mysql
pid-file = /var/run/mysqld/mysqld.pid
socket = /var/run/mysqld/mysqld.sock
port = 3306
basedir = /usr
datadir = /var/lib/mysql
tmpdir = /tmp
language = /usr/share/mysql/english
skip-external-locking
#
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
bind-address = 127.0.0.1
#
# * Fine Tuning
#
key_buffer = 16M
max_allowed_packet = 16M
thread_stack = 128K
thread_cache_size = 8
#max_connections = 100
#table_cache = 64
#thread_concurrency = 10
#
# * Query Cache Configuration
#
query_cache_limit = 1M
query_cache_size = 16M
#
# * Logging and Replication
#
# Both location gets rotated by the cronjob.
# Be aware that this log type is a performance killer.
#log = /var/log/mysql/mysql.log
#
# Error logging goes to syslog. This is a Debian improvement :)
#
# Here you can see queries with especially long duration
#log_slow_queries = /var/log/mysql/mysql-slow.log
#long_query_time = 2
#log-queries-not-using-indexes
#
# The following can be used as easy to replay backup logs or for replication.
#server-id = 1
log_bin = /var/log/mysql/mysql-bin.log
# WARNING: Using expire_logs_days without bin_log crashes the server! See README.Debian!
expire_logs_days = 10
max_binlog_size = 100M
#binlog_do_db = include_database_name
#binlog_ignore_db = include_database_name
#
# * BerkeleyDB
#
# Using BerkeleyDB is now discouraged as its support will cease in 5.1.12.
skip-bdb
#
# * InnoDB
#
# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
# Read the manual for more InnoDB related options. There are many!
# You might want to disable InnoDB to shrink the mysqld process by circa 100MB.
#skip-innodb
#
# * Security Features
#
# Read the manual, too, if you want chroot!
# chroot = /var/lib/mysql/
#
# For generating SSL certificates I recommend the OpenSSL GUI "tinyca".
#
# ssl-ca=/etc/mysql/cacert.pem
# ssl-cert=/etc/mysql/server-cert.pem
# ssl-key=/etc/mysql/server-key.pem

[mysqldump]
quick
quote-names
max_allowed_packet = 16M

[mysql]
#no-auto-rehash # faster start of mysql but no tab completition

[isamchk]
key_buffer = 16M

#
# * NDB Cluster
#
# See /usr/share/doc/mysql-server-*/README.Debian for more information.
#
# The following configuration is read by the NDB Data Nodes (ndbd processes)
# not from the NDB Management Nodes (ndb_mgmd processes).
#
[MYSQL_CLUSTER]
# ndb-connectstring=127.0.0.1

#
# * IMPORTANT: Additional settings that can override those from this file!
#
!includedir /etc/mysql/conf.d/[/code]

When I enable the logs and make a connection, the logs don't move at all.

Is your /etc/pam.d/smtp OK?
Do the fields match those in the database?

Add verbose=1 to both lines and test again.

No, that doesn't change anything. Silly question, though: on the iptables side, is there nothing to change for it to go through, no port other than 25?

Is your SQL database on the same machine?

Try connecting from the console using the parameters you put in /etc/pam.d/smtp:

[code]mysql -u myuser -p postfix[/code]