Bug 445568 - mail-mta/postfix with dev-libs/cyrus-sasl-2.1.25-r3 - broken SASL authentication
Status: UNCONFIRMED
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: AMD64 Linux
Importance: Normal normal with 4 votes
Assignee: Eray Aslan
Reported: 2012-12-02 07:07 UTC by Zdenek Herman
Modified: 2021-11-21 12:34 UTC
Description Zdenek Herman 2012-12-02 07:07:21 UTC
Hello
After upgrading to dev-libs/cyrus-sasl-2.1.25-r3, postfix with SASL support stopped working.
I am using MySQL storage and passwords in crypt format. I see that USE="crypt" disappeared in this version.

My smtpd.conf
pwcheck_method: auxprop
log_level: 1
mech_list: PLAIN LOGIN
auxprop_plugin: sql
srp_mda: md5
password_format: crypt
sql_engine: mysql
sql_hostnames: localhost
sql_user: username
sql_passwd: pasword
sql_database: postfix
sql_select: SELECT passwd FROM postfix_users WHERE email = '%u@%r' AND access = 'Y' LIMIT 1
sql_verbose: no
Comment 1 Daniel Schröder 2012-12-02 20:24:23 UTC
same here...not sure why...but after upgrade smtp auth stopped working and failed:

Dec  2 21:10:23 XXX postfix/smtpd[11256]: warning: SASL authentication failure: Password verification failed
Dec  2 21:10:23 XXX postfix/smtpd[11256]: warning: unknown[10.XXX.XXX.XXX]: SASL PLAIN authentication failed: authentication failure
Dec  2 21:10:24 XXX postfix/smtpd[11256]: warning: unknown[10.XXX.XXX.XXX]: SASL LOGIN authentication failed: authentication failure

downgrade solved this issue...for now..
Comment 2 Eray Aslan gentoo-dev 2012-12-03 20:14:55 UTC
Can you please confirm that authentication without the mysql crypt function, such as storing password in plain text, works on your setups?
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2012-12-04 15:48:24 UTC
*** Bug 445932 has been marked as a duplicate of this bug. ***
Comment 4 Zdenek Herman 2012-12-04 15:55:31 UTC
(In reply to comment #2)
> Can you please confirm that authentication without the mysql crypt function,
> such as storing password in plain text, works on your setups?

Sorry, not now. This bug was found on a production server. I will try to make a testing machine this week.
Comment 5 Marcel Greter 2012-12-19 06:46:03 UTC
I got the same problem. Unmasking dev-libs/cyrus-sasl-2.1.25-r3 and downgrading to dev-libs/cyrus-sasl-2.1.23-r6 fixed the problem.

postfix/smtpd: warning: unknown[192.168.0.XXX]: SASL PLAIN authentication failed: no mechanism available
postfix/smtpd: warning: unknown[192.168.0.XXX]: SASL LOGIN authentication failed: no mechanism available
Comment 6 lou 2012-12-19 19:43:15 UTC
So is crypt support no longer going to be available? Any recommendations if we have crypted passwords in mysql?
Comment 7 Eray Aslan gentoo-dev 2012-12-20 12:06:09 UTC
(In reply to comment #6)
> So is crypt support no longer going to be available? Any recommendations if
> we have crypted passwords in mysql?

Problem is crypt support is not provided by upstream.  It is just some random patch that was added to 2.1.23.  Carrying it forward will be problematic.

You can continue using cyrus-sasl-2.1.23 for crypt support.  It is not going away anytime soon.  And perhaps consider migrating away from crypt in cyrus-sasl:
* if you are using dovecot, you can go with its sasl implementation
* if you are using courier, you can use authdaemon via cyrus-sasl
* if neither is an option, you can stop using auxprop plugin and instead configure saslauthd to use pam and configure pam to check the mysql database.  You still get to keep crypted passwords in mysql (and you still lose the shared secret mechanisms).
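A small audit of an smtpd.conf for the two conditions raised in comment 7, as an added example that is not part of the bug report or of Cyrus SASL: it flags `password_format: crypt` (assumed here to be the option read by the non-upstream crypt patch, as the reporter's configuration suggests) and shared-secret mechanisms listed where they cannot be served. The function names, finding codes and sample configurations are constructed for illustration.

```python
import re

# Mechanisms where the server must read the user's plaintext secret via auxprop.
SHARED_SECRET = {"CRAM-MD5", "DIGEST-MD5", "NTLM", "SRP"}

def parse_sasl_conf(text):
    """Return {option: value} from 'option: value' lines; other lines are ignored."""
    conf = {}
    for raw in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_]+)\s*:\s*(.*?)\s*$", raw)
        if m:
            conf[m.group(1).lower()] = m.group(2)
    return conf

def audit(text):
    """Return a list of (code, message) findings for one smtpd.conf."""
    conf = parse_sasl_conf(text)
    # Cyrus SASL falls back to auxprop when pwcheck_method is not set.
    methods = conf.get("pwcheck_method", "auxprop").lower().split()
    mechs = set(conf.get("mech_list", "").upper().split())
    # Assumption: password_format is the option introduced by the crypt patch.
    crypted = conf.get("password_format", "").lower() == "crypt"
    shared = ", ".join(sorted(mechs & SHARED_SECRET))
    findings = []
    if crypted:
        findings.append(("CRYPT_PATCH", "password_format: crypt is only honoured "
                         "by builds carrying the non-upstream crypt patch"))
    if shared and crypted:
        findings.append(("SHARED_SECRET_HASHED",
                         "crypted passwords cannot serve " + shared))
    if shared and "auxprop" not in methods:
        findings.append(("SHARED_SECRET_NO_AUXPROP",
                         "pwcheck_method " + " ".join(methods)
                         + " cannot serve " + shared))
    return findings

# Constructed sample configurations (not taken from a real server).
AUXPROP_CRYPT = """pwcheck_method: auxprop
auxprop_plugin: sql
mech_list: PLAIN LOGIN
password_format: crypt
sql_engine: mysql
"""
SASLAUTHD_MIXED = "pwcheck_method: saslauthd\nmech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5\n"
SASLAUTHD_PLAIN = "pwcheck_method: saslauthd\nmech_list: PLAIN LOGIN\n"

if __name__ == "__main__":
    for name in ("AUXPROP_CRYPT", "SASLAUTHD_MIXED", "SASLAUTHD_PLAIN"):
        print(name, [code for code, _ in audit(globals()[name])] or "ok")
```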
Comment 8 frank 2013-10-27 14:16:35 UTC
hello,
same problem after upgrading from 2.1.23 to 2.1.26 because of glsa 201309-01.
the only difference here passwords are stored as plain text not crypted...
i'm running saslauthd with the getpwent authentication mechanism and /etc/sasl2/smtpd.conf is like this:

pwcheck_method: auxprop
auxprop_plugin: sql
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM
sql_engine: mysql
sql_hostnames: localhost
sql_user: smtp
sql_passwd: password
sql_database: smtp
sql_select: SELECT password FROM users WHERE user = '%u@%r'

with ver. 2.1.26 i get the following errors from postfix when trying to send a mail:

Oct 27 13:08:51 mistral postfix/smtpd[28583]: warning: SASL authentication failure: no secret in database
Oct 27 13:08:51 mistral postfix/smtpd[28583]: warning: unknown[217.203.196.171]: SASL CRAM-MD5 authentication failed: authentication failure

and saslauthd, even if started with the debug flag doesn't show any activity during authentication step.
i wonder if something has changed in the way to configure it with a mysql backend...
thank you
Comment 9 frank 2013-10-27 17:47:19 UTC
> * if neither is an option, you can stop using auxprop plugin and instead
> configure saslauthd to use pam and configure pam to check the mysql
> database.  You still get to keep crypted passwords in mysql (and you still
> lose the shared secret mechanisms).

ok, after reading again your post i've got it: it's the auxprop plugin that isn't available anymore and this issue has nothing to do with cryptography, right?
but then, why is --enable-sql (enable SQL auxprop) configure flag still there? and more importantly why isn't it working anymore?
sorry but i'm very puzzled by this and no, pam_mysql is not an option...
thank you.
Comment 10 Oleg Gawriloff 2015-09-30 08:20:21 UTC
sasl 2.1.26 with crypt available at barzog-overlay. Tested it in production (with postgresql backend), works well.