Hello. After upgrading to dev-libs/cyrus-sasl-2.1.25-r3, postfix with SASL support stopped working. I am using MySQL storage and passwords in crypt format. I see that USE="crypt" disappeared in this version. My smtpd.conf:
    pwcheck_method: auxprop
    log_level: 1
    mech_list: PLAIN LOGIN
    auxprop_plugin: sql
    srp_mda: md5
    password_format: crypt
    sql_engine: mysql
    sql_hostnames: localhost
    sql_user: username
    sql_passwd: pasword
    sql_database: postfix
    sql_select: SELECT passwd FROM postfix_users WHERE email = '%u@%r' AND access = 'Y' LIMIT 1
    sql_verbose: no
same here...not sure why...but after upgrade smtp auth stopped working and failed:
    Dec 2 21:10:23 XXX postfix/smtpd[11256]: warning: SASL authentication failure: Password verification failed
    Dec 2 21:10:23 XXX postfix/smtpd[11256]: warning: unknown[10.XXX.XXX.XXX]: SASL PLAIN authentication failed: authentication failure
    Dec 2 21:10:24 XXX postfix/smtpd[11256]: warning: unknown[10.XXX.XXX.XXX]: SASL LOGIN authentication failed: authentication failure
downgrade solved this issue...for now..
Can you please confirm that authentication without the mysql crypt function, such as storing password in plain text, works on your setups?
*** Bug 445932 has been marked as a duplicate of this bug. ***
(In reply to comment #2)
> Can you please confirm that authentication without the mysql crypt function,
> such as storing password in plain text, works on your setups?
Sorry, not now. This bug was found on a production server. I will try to make a testing machine this week.
I got the same problem. Unmasking dev-libs/cyrus-sasl-2.1.25-r3 and downgrading to dev-libs/cyrus-sasl-2.1.23-r6 fixed the problem.
    postfix/smtpd: warning: unknown[192.168.0.XXX]: SASL PLAIN authentication failed: no mechanism available
    postfix/smtpd: warning: unknown[192.168.0.XXX]: SASL LOGIN authentication failed: no mechanism available
So is crypt support no longer going to be available? Any recommendations if we have crypted passwords in mysql?
(In reply to comment #6)
> So is crypt support no longer going to be available? Any recommendations if
> we have crypted passwords in mysql?
Problem is crypt support is not provided by upstream. It is just some random patch that was added to 2.1.23. Carrying it forward will be problematic. You can continue using cyrus-sasl-2.1.23 for crypt support. It is not going away anytime soon. And perhaps consider migrating away from crypt in cyrus-sasl:
* if you are using dovecot, you can go with its sasl implementation
* if you are using courier, you can use authdaemon via cyrus-sasl
* if neither is an option, you can stop using auxprop plugin and instead configure saslauthd to use pam and configure pam to check the mysql database. You still get to keep crypted passwords in mysql (and you still lose the shared secret mechanisms).
hello, same problem after upgrading from 2.1.23 to 2.1.26 because of glsa 201309-01. the only difference here is that passwords are stored as plain text, not crypted... i'm running saslauthd with the getpwent authentication mechanism and /etc/sasl2/smtpd.conf is like this:
    pwcheck_method: auxprop
    auxprop_plugin: sql
    mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM
    sql_engine: mysql
    sql_hostnames: localhost
    sql_user: smtp
    sql_passwd: password
    sql_database: smtp
    sql_select: SELECT password FROM users WHERE user = '%u@%r'
with ver. 2.1.26 i get the following errors from postfix when trying to send a mail:
    Oct 27 13:08:51 mistral postfix/smtpd[28583]: warning: SASL authentication failure: no secret in database
    Oct 27 13:08:51 mistral postfix/smtpd[28583]: warning: unknown[217.203.196.171]: SASL CRAM-MD5 authentication failed: authentication failure
and saslauthd, even if started with the debug flag, doesn't show any activity during the authentication step. i wonder if something has changed in the way to configure it with a mysql backend... thank you
> * if neither is an option, you can stop using auxprop plugin and instead
> configure saslauthd to use pam and configure pam to check the mysql
> database. You still get to keep crypted passwords in mysql (and you still
> lose the shared secret mechanisms).
ok, after reading again your post i've got it: it's the auxprop plugin that isn't available anymore and this issue has nothing to do with cryptography, right? but then, why is --enable-sql (enable SQL auxprop) configure flag still there? and more importantly why isn't it working anymore? sorry but i'm very puzzled by this and no, pam_mysql is not an option... thank you.
sasl 2.1.26 with crypt available at barzog-overlay. Tested it in production (with postgresql backend), works well.
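Added example, not part of any comment above and not Cyrus SASL or Gentoo code: a small Python check that applies what this thread establishes to an smtpd.conf before an upgrade or migration. It flags password_format: crypt (provided only by the downstream patch), shared-secret mechanisms that cannot be served from hashed passwords or saslauthd, and the sql auxprop reading a plaintext password column; the finding codes and the MIGRATED config are assumptions made for illustration.

```python
# Added example (not Cyrus SASL or Gentoo code); rules limited to what the thread states.
SHARED_SECRET_MECHS = {"CRAM-MD5", "DIGEST-MD5"}  # need the plaintext secret server-side

def parse_sasl_conf(text):
    """Parse the 'key: value' lines of a Cyrus SASL application config."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            conf[key.strip().lower()] = value.strip()
    return conf

def audit(conf):
    """Return (code, message) findings for one parsed config."""
    findings = []
    methods = conf.get("pwcheck_method", "").lower().split()
    mechs = set(conf.get("mech_list", "").upper().split())
    hashed = conf.get("password_format", "").lower() == "crypt"
    secret = sorted(mechs & SHARED_SECRET_MECHS)
    sql_auxprop = "auxprop" in methods and conf.get("auxprop_plugin", "").lower() == "sql"
    if hashed:
        findings.append(("CRYPT_PATCH", "password_format: crypt depends on the "
                         "crypt patch, which upstream does not provide"))
    if secret and (hashed or "saslauthd" in methods):
        findings.append(("NO_SHARED_SECRET", "no plaintext secret available for: "
                         + " ".join(secret)))
    if sql_auxprop and not hashed:
        findings.append(("PLAINTEXT_AT_REST", "sql auxprop without crypt reads "
                         "the password column as plaintext"))
    return findings

# Trimmed from the two smtpd.conf reports in this thread (credentials omitted).
FIRST_REPORT = """\
pwcheck_method: auxprop
mech_list: PLAIN LOGIN
auxprop_plugin: sql
password_format: crypt
"""
LATER_REPORT = """\
pwcheck_method: auxprop
auxprop_plugin: sql
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM
"""
# Hypothetical target config after the suggested move to saslauthd + PAM.
MIGRATED = "pwcheck_method: saslauthd\nmech_list: PLAIN LOGIN\n"
if __name__ == "__main__":
    for name in ("FIRST_REPORT", "LATER_REPORT", "MIGRATED"):
        print(name, audit(parse_sasl_conf(globals()[name])))
```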