LinuxQuestions.org


sanjioh 01-08-2012 11:42 AM

Slackware 13.37 + Postfix + Cyrus SASL + MySQL: encrypted passwords?
 
Hi everybody,

I'm trying to set up SASL authentication for Postfix using Cyrus SASL with a MySQL database as a backend for account storage.
After reading a lot of tutorials around the Internet, it seems to me that the only way to have encrypted (hashed) passwords in the database would mean using saslauthd + PAM + pam_mysql.
Since Slackware doesn't use PAM (by default), is there a "Slackware way" to have encrypted passwords? I couldn't figure out one myself...

Thanks a lot for your help!

Mike_M 01-08-2012 01:42 PM

Assuming you are trying to set up SASL authentication for the SMTP server (rather than the SMTP client):

Set the following Postfix parameters in main.cf:
Code:

smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = yes

"smtpd_sasl_security_options = noanonymous" should be the default, so you may not need to set it. This will allow plain-text SASL mechanisms (PLAIN, LOGIN).

"smtpd_tls_auth_only = yes" forces users authenticating to do so over a TLS encrypted connection. This way their plain-text passwords will be sent encrypted.

This is a perfectly acceptable method as long as your database backend is secure. If nobody can access the stored passwords, then storing them in plain text is not a problem. If you don't currently use TLS for your Postfix SMTP client and server, read the TLS_README file for more information. There really is no reason not to use TLS on a mail server, especially when self-signed or private CA signed certs are widely accepted for SMTP.

If for whatever reason you don't like the idea of storing your passwords in plain text in your MySQL database, then have a look at using Dovecot as the SASL backend for Postfix. Dovecot can be configured with "default_pass_scheme = MD5-CRYPT" to store a hash of the passwords in the database, and still work with the PLAIN SASL mechanism. You will still want to use TLS for authenticated sessions, as clients will otherwise send their passwords in the clear. One limitation of using Dovecot for SASL is that it is not supported in the Postfix SMTP client, which is needed if your mail server needs to authenticate with another server for relay purposes (i.e., a smart host).
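
As an added example (not code from this thread, nor Dovecot's or Postfix's own code), the following Python script shows why the PLAIN mechanism described above can still be used with hashed storage: the client sends the plaintext password inside the TLS session, and the server re-hashes it with the salt stored beside the hash and compares. The MD5-CRYPT routine is a from-scratch port of the classic crypt(3) md5crypt algorithm; the user table, the mailbox names, the salts and the passwords are all constructed for the example.

```python
"""Added example: SASL PLAIN checked against MD5-CRYPT hashes (no plaintext stored)."""
import base64
import hashlib
import hmac
import secrets
from typing import Optional

_ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_MAGIC = b"$1$"
_PREFIX = b"{MD5-CRYPT}"          # scheme tag Dovecot accepts in front of the hash


def _to64(value: int, count: int) -> bytes:
    """crypt(3)-style base64: six bits at a time, least significant group first."""
    out = bytearray()
    for _ in range(count):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5_crypt(password: bytes, salt: bytes) -> bytes:
    """Return '$1$<salt>$<22 chars>', the format crypt(3) produces for MD5."""
    salt = salt.split(b"$")[0][:8]            # at most 8 salt bytes, stop at '$'
    ctx = hashlib.md5(password + _MAGIC + salt)
    alt = hashlib.md5(password + salt + password).digest()
    remaining = len(password)
    while remaining > 0:                      # mix 'alt' in once per 16 password bytes
        ctx.update(alt[:min(remaining, 16)])
        remaining -= 16
    bits = len(password)
    while bits:                               # one byte per bit of len(password)
        ctx.update(b"\0" if bits & 1 else password[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):                     # fixed 1000-round stretching
        c = hashlib.md5()
        c.update(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    triples = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    encoded = b"".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                       for a, b, c in triples)
    encoded += _to64(final[11], 2)
    return _MAGIC + salt + b"$" + encoded


def hash_password(password: bytes, salt: Optional[bytes] = None) -> bytes:
    """The value to store in the password column; a fresh random salt unless given."""
    if salt is None:
        salt = bytes(secrets.choice(_ITOA64) for _ in range(8))
    return md5_crypt(password, salt)


def verify_password(password: bytes, stored: bytes) -> bool:
    """Re-hash with the stored salt and compare in constant time."""
    if stored.startswith(_PREFIX):
        stored = stored[len(_PREFIX):]
    if not stored.startswith(_MAGIC):
        return False
    salt = stored[len(_MAGIC):].split(b"$", 1)[0]
    return hmac.compare_digest(md5_crypt(password, salt), stored)


# Constructed stand-in for the MySQL users table: only salted hashes are kept.
USER_TABLE = {
    b"alice@example.org": _PREFIX + hash_password(b"correct horse", b"saltstri"),
    b"bob@example.org": hash_password(b"battery staple", b"Xy./3abc"),
}


def encode_plain(authzid: bytes, authcid: bytes, passwd: bytes) -> bytes:
    """Client side of SASL PLAIN (RFC 4616): base64([authzid] NUL authcid NUL passwd)."""
    return base64.b64encode(authzid + b"\0" + authcid + b"\0" + passwd)


def authenticate_plain(initial_response: bytes) -> Optional[bytes]:
    """Server side: return the authenticated identity, or None on any failure."""
    try:
        blob = base64.b64decode(initial_response, validate=True)
    except ValueError:
        return None
    parts = blob.split(b"\0")
    if len(parts) != 3:
        return None
    authzid, authcid, passwd = parts
    if authzid not in (b"", authcid):         # no acting on behalf of another user
        return None
    stored = USER_TABLE.get(authcid)
    if stored is None or not verify_password(passwd, stored):
        return None
    return authcid


if __name__ == "__main__":
    print(USER_TABLE[b"alice@example.org"].decode())
    print(authenticate_plain(encode_plain(b"", b"alice@example.org", b"correct horse")))
    print(authenticate_plain(encode_plain(b"", b"alice@example.org", b"wrong")))
```

The strings `hash_password` produces are the same shape that `doveadm pw -s MD5-CRYPT` emits and that Dovecot compares against with `default_pass_scheme = MD5-CRYPT`; the hash-and-compare step is identical for Dovecot's stronger schemes such as SHA512-CRYPT, which only change `md5_crypt`. Nothing here protects the password on the wire, which is why the TLS requirement in the post still applies.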

sanjioh 01-08-2012 05:52 PM

Quote:

Originally Posted by Mike_M (Post 4569603)
If for whatever reason you don't like the idea of storing your passwords in plain text in your MySQL database, then have a look at using Dovecot as the SASL backend for Postfix. Dovecot can be configured with "default_pass_scheme = MD5-CRYPT" to store a hash of the passwords in the database, and still work with the PLAIN SASL mechanism. You will still want to use TLS for authenticated sessions, as clients will otherwise send their passwords in the clear. One limitation of using Dovecot for SASL is that it is not supported in the Postfix SMTP client, which is needed if your mail server needs to authenticate with another server for relay purposes (i.e., a smart host).

Hi, thanks for your reply.
Yes, I'm using SASL to authenticate clients to my SMTP server.
And yes, the whole point is the problem of storing plaintext passwords in a database on a VPS directly connected to the Internet. Of course TLS will be an absolute priority, but my concern was about password storage as well. I'll read more about Dovecot's SASL implementation. It still seems strange to me that such a requisite appears to be so uncommon: is there a best practice to store user accounts that doesn't involve password encryption? I wouldn't sleep well with plaintext accounts, even if stored on another machine. Maybe LDAP is the answer here (overkill for my needs, anyway).
Cyrus SASL is quite poor regarding this issue :( Maybe it just targets the SASL implementation, leaving encryption as a task for the authentication backend. I still wonder how it has to be done with stock Slackware packages (sendmail + cyrus).

Thanks again :)

Mike_M 01-08-2012 07:07 PM

Quote:

Originally Posted by sanjioh (Post 4569727)
the whole point is the problem of storing plaintext passwords in a database on a VPS directly connected to the Internet. Of course TLS will be an absolute priority, but my concern was about password storage as well.

I don't blame you for being concerned about this. Storing passwords in the clear should raise alarms.

Quote:

Originally Posted by sanjioh (Post 4569727)
is there a best practice to store user accounts that doesn't involve password encryption? I wouldn't sleep well with plaintext accounts, even if stored on another machine.

I don't know about best practice, but you could have a separate instance of MySQL running on the same machine just for this purpose. It could listen only on a socket or a local IP address, thus making it inaccessible to other hosts. Also, you could configure the user that has access to the tables to only be allowed to connect from the local host.

Quote:

Originally Posted by sanjioh (Post 4569727)
Cyrus SASL is quite poor regarding this issue :(

I agree. There are reasons why some people have moved away from the Cyrus SASL implementation. The Dovecot implementation is so much easier to work with, and seems to be much more flexible. The main downside (other than the Postfix SMTP client not being able to use it) is that it is not (yet) available as standalone software. It is only available as part of the Dovecot IMAP/POP server. But if you need an IMAP/POP server, you probably can't go wrong using Dovecot.

Quote:

Originally Posted by sanjioh (Post 4569727)
Thanks again :)

You're welcome. I hope I'm of some help.

sanjioh 01-10-2012 07:44 AM

Hi, thanks again for your help. I'll study Dovecot and try with that :)

bye!

o2cool 10-13-2012 11:27 PM

Just wondering how Dovecot worked for you?
I have been trying to figure out sendmail TLS with no luck for a few days, as all the documentation I have found has been for Slack 12 or lower.

sanjioh 11-26-2012 04:06 AM

Hi,

sorry for the late answer :(
I didn't use Dovecot in the end; for my purpose, cyrus-sasl with the passwd backend worked fine.
At work, on CentOS, I'm using pam-mysql and I'm storing MD5 hashes of the passwords. It's doing its job at the moment (apart from a bad memory leak, solved like this: http://www.web-cyradm.org/pipermail/...st/019268.html).

Bye!

NetNightmare 11-26-2012 06:06 AM

Hi, I recently set up Slackware64 14 + Dovecot 2 + Postfix + MySQL for a customer, and to solve the problem of creating encrypted passwords I used http://wiki2.dovecot.org/Tools/Doveadm/Pw. I use PostfixAdmin for managing virtual domains, so I modified its configuration file (which uses the old tool from Dovecot 1.x) to use the new one I linked here. It works well for me.
