LinuxQuestions.org
Old 01-08-2012, 11:42 AM   #1
sanjioh
Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 48

Rep: Reputation: Disabled
Slackware 13.37 + Postfix + Cyrus SASL + MySQL: encrypted passwords?


Hi everybody,

I'm trying to setup SASL authentication for Postfix using Cyrus SASL with a MySQL database as a backend for account storage.
After reading a lot of tutorials around the Internet, it seems to me that the only way to have encrypted (hashed) passwords in the database would mean using saslauthd + PAM + pam_mysql.
Since Slackware doesn't use PAM (at default), is there a "Slackware way" to have encrypted passwords? I couldn't figure out one myself...

Thanks a lot for your help!
 
Old 01-08-2012, 01:42 PM   #2
Mike_M
Member
 
Registered: Mar 2011
Location: California
Distribution: Slackware
Posts: 116

Rep: Reputation: 50
Assuming you are trying to set up SASL authentication for the SMTP server (rather than the SMTP client):

Set the following Postfix parameters in main.cf:
Code:
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = yes
"smtpd_sasl_security_options = noanonymous" should be the default, so you may not need to set it. This will allow plain-text SASL mechanisms (PLAIN, LOGIN).

"smtpd_tls_auth_only = yes" forces users authenticating to do so over a TLS encrypted connection. This way their plain-text passwords will be sent encrypted.

This is a perfectly acceptable method as long as your database backend is secure. If nobody can access the stored passwords, then storing them in plain text is not a problem. If you don't currently use TLS for your Postfix SMTP client and server, read the TLS_README file for more information. There really is no reason not to use TLS on a mail server, especially when self-signed or private CA signed certs are widely accepted for SMTP.

If for whatever reason you don't like the idea of storing your passwords in plain text in your MySQL database, then have a look at using Dovecot as the SASL backend for Postfix. Dovecot can be configured with "default_pass_scheme = MD5-CRYPT" to store a hash of the passwords in the database, and still work with the PLAIN SASL mechanism. You will still want to use TLS for authenticated sessions, as clients will otherwise send their passwords in the clear. One limitation of using Dovecot for SASL is that it is not supported in the Postfix SMTP client, which is needed if your mail server needs to authenticate with another server for relay purposes (i.e., a smart host).
 
Old 01-08-2012, 05:52 PM   #3
sanjioh
Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 48

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Mike_M View Post
If for whatever reason you don't like the idea of storing your passwords in plain text in your MySQL database, then have a look at using Dovecot as the SASL backend for Postfix. Dovecot can be configured with "default_pass_scheme = MD5-CRYPT" to store a hash of the passwords in the database, and still work with the PLAIN SASL mechanism. You will still want to use TLS for authenticated sessions, as clients will otherwise send their passwords in the clear. One limitation of using Dovecot for SASL is that it is not supported in the Postfix SMTP client, which is needed if your mail server needs to authenticate with another server for relay purposes (i.e., a smart host).
Hi, thanks for your reply.
Yes, I'm using SASL to authenticate clients to my SMTP server.
And yes, the whole point is the problem of storing plaintext passwords in a database on a VPS directly connected to the Internet. Of course TLS will be an absolute priority, but my concern was about password storage as well. I'll read more about Dovecot's SASL implementation - it still seems strange to me that such a requisite appears to be so uncommon: is there a best practice to store user accounts that doesn't involve password encryption? I wouldn't sleep well with plaintext accounts, even if stored on another machine. Maybe LDAP is the answer here (overkill for my needs, anyway).
Cyrus SASL is quite poor regarding this issue; maybe it just targets the SASL implementation, leaving encryption as a task for the authentication backend. I still wonder how it has to be done with stock Slackware packages (sendmail + cyrus).

Thanks again
 
Old 01-08-2012, 07:07 PM   #4
Mike_M
Member
 
Registered: Mar 2011
Location: California
Distribution: Slackware
Posts: 116

Rep: Reputation: 50
Quote:
Originally Posted by sanjioh View Post
the whole point is the problem of storing plaintext passwords in a database on a VPS directly connected to the Internet. Of course TLS will be an absolute priority, but my concern was about password storage as well.
I don't blame you for being concerned about this. Storing passwords in the clear should raise alarms.

Quote:
Originally Posted by sanjioh View Post
is there a best practice to store user accounts that doesn't involve password encryption? I wouldn't sleep well with plaintext accounts, even if stored on another machine.
I don't know about best practice, but you could have a separate instance of MySQL running on the same machine just for this purpose. It could listen only on a socket or a local IP address, thus making it inaccessible to other hosts. Also, you could configure the user that has access to the tables to only be allowed to connect from the local host.

Quote:
Originally Posted by sanjioh View Post
Cyrus SASL is quite poor regarding this issue
I agree. There are reasons why some people have moved away from the Cyrus SASL implementation. The Dovecot implementation is so much easier to work with, and seems to be much more flexible. The main downside (other than the Postfix SMTP client not being able to use it) is that it is not (yet) available as standalone software. It is only available as part of the Dovecot IMAP/POP server. But if you need an IMAP/POP server, you probably can't go wrong using Dovecot.

Quote:
Originally Posted by sanjioh View Post
Thanks again
You're welcome. I hope I'm of some help.
 
Old 01-10-2012, 07:44 AM   #5
sanjioh
Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 48

Original Poster
Rep: Reputation: Disabled
Hi, thanks again for your help. I'll study Dovecot and try with that.

bye!
 
Old 10-13-2012, 11:27 PM   #6
o2cool
LQ Newbie
 
Registered: Jan 2009
Location: Ewwtah
Distribution: Slackware -current
Posts: 24
Blog Entries: 1

Rep: Reputation: 0
Just wondering how dovecot worked for you?
I have been trying to figure out sendmail TLS with no luck for a few days, as all the documentation I have found has been for Slack 12 or lower.
 
Old 11-26-2012, 04:06 AM   #7
sanjioh
Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 48

Original Poster
Rep: Reputation: Disabled
Hi,

sorry for the late answer.
I didn't use Dovecot in the end; for my purpose, cyrus-sasl with the passwd backend worked fine.
At work, on CentOS, I'm using pam-mysql and I'm storing MD5 hashes of the passwords. It's doing its job at the moment (apart from a bad memory leak, solved like this: http://www.web-cyradm.org/pipermail/...st/019268.html).

Bye!
 
Old 11-26-2012, 06:06 AM   #8
NetNightmare
Member
 
Registered: Sep 2005
Location: Rome
Distribution: Slackware
Posts: 32

Rep: Reputation: 15
Hi, I recently set up slackware64 14 + Dovecot2 + Postfix + MySQL for a customer, and to solve the problem of creating encrypted passwords I used http://wiki2.dovecot.org/Tools/Doveadm/Pw. I do use PostfixAdmin for managing virtual domains, so I modified its configuration file (which uses the old tool of Dovecot 1.x) to use the new one I linked here. It works well for me.
 
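Added example (not code from this thread, from Dovecot or from Postfix): the MD5-CRYPT scheme behind Mike_M's "default_pass_scheme = MD5-CRYPT" suggestion in post #2 is the same crypt(3) "$1$salt$hash" format that the doveadm pw tool linked in post #8 emits with a "{MD5-CRYPT}" prefix. The Python below implements that algorithm so you can see what actually lands in the MySQL password column instead of the plaintext, and how a verifier re-hashes a login attempt with the stored salt. The function names md5_crypt, make_db_entry, verify and the sample rows are the example's own; the "{MD5-CRYPT}" prefix and the 8-character salt limit are the real scheme's. Caveat: MD5-CRYPT is a fixed 1000-round construction from the 1990s; newer Dovecot versions also accept stronger schemes such as SHA512-CRYPT, which are the better choice where available.

```python
"""Produce and verify Dovecot-compatible {MD5-CRYPT} password entries (added example)."""
import hashlib
import hmac
import secrets

# crypt(3) base-64 alphabet (note: not the RFC 4648 alphabet)
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
PREFIX = "{MD5-CRYPT}"   # scheme tag Dovecot stores in front of the hash


def _to64(value: int, count: int) -> str:
    """Emit `count` crypt base-64 digits, least significant 6 bits first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5_crypt(password: str, salt: str) -> str:
    """Return the crypt(3) '$1$<salt>$<hash>' string (FreeBSD md5crypt algorithm)."""
    pw = password.encode("utf-8")
    salt = salt[:8]                      # md5crypt uses at most 8 salt characters
    sb = salt.encode("ascii")
    magic = b"$1$"

    ctx = hashlib.md5(pw + magic + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    remaining = len(pw)
    while remaining > 0:                 # mix in `alt`, one chunk per 16 password bytes
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    bit = len(pw)
    while bit:                           # the classic bit-pattern quirk of md5crypt
        ctx.update(b"\0" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()

    for i in range(1000):                # fixed 1000-round stretching
        h = hashlib.md5()
        h.update(pw if i & 1 else final)
        if i % 3:
            h.update(sb)
        if i % 7:
            h.update(pw)
        h.update(final if i & 1 else pw)
        final = h.digest()

    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return f"$1${salt}${out}"


def new_salt(length: int = 8) -> str:
    """Random salt from the crypt alphabet, one per user (never reuse salts)."""
    return "".join(secrets.choice(ITOA64) for _ in range(length))


def make_db_entry(password: str, salt: str = "") -> str:
    """Value to store in the password column when Dovecot uses MD5-CRYPT.

    This matches what `doveadm pw -s MD5-CRYPT` prints: scheme tag plus crypt string.
    """
    return PREFIX + md5_crypt(password, salt or new_salt())


def verify(stored: str, candidate: str) -> bool:
    """Re-hash `candidate` with the salt from `stored` and compare in constant time."""
    if stored.startswith(PREFIX):
        stored = stored[len(PREFIX):]
    parts = stored.split("$")            # ['', '1', salt, hash]
    if len(parts) != 4 or parts[1] != "1" or not parts[2]:
        return False                     # not an MD5-CRYPT entry (e.g. a plaintext row)
    return hmac.compare_digest(md5_crypt(candidate, parts[2]), stored)


def authenticate(users: dict, name: str, candidate: str) -> bool:
    """Look up a constructed user table and verify; unknown users fail closed."""
    return name in users and verify(users[name], candidate)


if __name__ == "__main__":
    # Constructed sample table standing in for the MySQL `users` table.
    table = {
        "alice@example.org": make_db_entry("correct horse"),
        "bob@example.org": make_db_entry("battery staple"),
    }
    for name, entry in table.items():
        print(f"{name}: {entry}")        # what ends up in the database, not the plaintext
    print(authenticate(table, "alice@example.org", "correct horse"))
    print(authenticate(table, "alice@example.org", "wrong"))
```

Only the salted hash is persisted, so a dump of the table no longer hands out working SMTP credentials; TLS (smtpd_tls_auth_only = yes from post #2) is still needed because the PLAIN mechanism sends the password itself over the wire for the server to re-hash.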