Hi guys!
I've been working on making a Postfix server authenticate using encrypted passwords in a MySQL database. This seemed, by all accounts (and by the number of How-To guides online), to be a pretty simple job. I seriously couldn't have been more wrong. The majority of the guides worked without a hitch: Courier IMAP connected straight up, but Postfix simply refused to. The case seemed to be (from reading online about it) that saslauthd's auxprop SQL driver doesn't like passwords being stored in an encrypted form. For modern software, this is absolutely absurd, if you ask me. Nevertheless, after multiple days tearing my hair out, I thought to myself, "Why am I using two different auth mechanisms? Can I use Courier's Authdaemon, which works fine with Courier IMAP, to authenticate Postfix too?" The answer is absolutely yes.
This is how I did it:
The first step, was to use the following guide, and a couple of others available online as a basepoint, without adding any of the user interface tools, and changing the layout of the email tables somewhat, to better fit my own purpose: http://flurdy.com/docs/postfix/.
Once I got to the section about using saslauthd via PAM to authenticate your SMTP server, however, it rapidly became impossible to complete. Even if the guide is followed to the letter, you may well still end up with authentication problems. The specific problem I had was that saslauthd wouldn't seem to query my SQL server. All I ever saw in the SQL debug logs was logins, and the server quitting again, without querying the db at all. Needless to say, this was pretty seriously frustrating, as I could find little to no help online, and whenever I found something relevant, the only answers were something to the effect of "LOL, give up - Postfix sucks".
As I previously mentioned, the IMAP server was working without fault, so I could only assume that Courier-Authdaemon was doing its job perfectly, and sure enough, when I checked the auth and mysql debug logs, I could see that it was successfully querying the db and authenticating my mail user correctly. It is a pretty simple job to make Postfix use authdaemond to authenticate, too.
The first step is to put the following into smtpd.conf, the Cyrus SASL configuration that the SASL library inside Postfix's smtpd reads (saslauthd itself plays no part in this setup). The file may live in one of a few places, including /etc/sasl2/, /usr/lib/sasl2/, and /etc/postfix/sasl/. Find your distribution's copy and paste in the following:
pwcheck_method: authdaemond
mech_list: PLAIN LOGIN
authdaemond_path: /var/run/courier/authdaemon/socket
auxprop_plugin: mysql
sql_select: select stuff from things where user = '%u';
Note that the last two lines achieve absolutely nothing useful; they only stop the SASL library from whinging and filling your logs with complaints about a missing auxprop configuration. Verification is done entirely by authdaemond over the socket named in authdaemond_path, which requires a Cyrus SASL library built with authdaemond support (the Debian and Ubuntu packages have it). Bear in mind that PLAIN and LOGIN both send the password in the clear, so only offer them once TLS is up (smtpd_tls_auth_only = yes in main.cf). Now, if you've followed Postfix's security guidelines, you will have left smtpd in its chroot jail. If not, I hope you have a damn good reason for having taken it out: the jail means that if your mail system is compromised, the rest of your machine is far less likely to be at risk.
If you have left it in its jail, you will find that you still can't authenticate, as Postfix starts shouting about not being able to find the Courier-Authdaemon socket to connect to. This is quite right, as the socket is located outside Postfix's jail. A hard link is out, because /var/run is usually a separate filesystem from / and hard links cannot cross filesystems, and a symlink inside the chroot pointing at /var/run will fail, because the chrooted process resolves the link relative to its own root and cannot see the real /var/run. I found a nifty way to do this here. I'll detail the content as follows.
Note: before you stop courier-authdaemon, check which directory on your system actually holds the authdaemon socket. You can find this with lsof -n | grep authdaemon (the socket only shows up while the daemon is running, which is why this has to be done first).
First, you need to stop Courier-Authdaemon. This depends on your OS, but on Ubuntu you will run /etc/init.d/courier-authdaemon stop. Now remove the directory in which the socket is normally created:
rm -rf /var/run/courier/authdaemon/
You now need to symlink the old path outside the chroot to the new directory inside it. Courier's authdaemon, which is running outside the chroot, will then unwittingly be creating its socket in a directory within Postfix's chroot, while seeing no difference from the way it originally did so. First, make sure the directory you're symlinking to exists, then put the symlink in place:
mkdir -p /var/spool/postfix/var/run/courier/authdaemon/
ln -s /var/spool/postfix/var/run/courier/authdaemon/ /var/run/courier/authdaemon
Now start Courier-Authdaemon again, and if you check /var/spool/postfix/var/run/courier/authdaemon, you will see that the socket we pointed to in the SASL smtpd.conf is in there. Two things to check at this point: the new directory should keep the ownership and mode of the original one (otherwise either authdaemon cannot create the socket or Postfix cannot connect to it), and if /var/run is a tmpfs (as it is on recent Ubuntu releases) the symlink will vanish at reboot, so it needs recreating from the authdaemon init script or an equivalent boot-time hook.
Now restart Postfix, and you will hopefully be able to authenticate to SMTP, and send messages without a problem.
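The whole procedure above as one script, an added example that is not part of the original post: it relocates the socket directory into the chroot (keeping the original directory's ownership and mode), checks in master.cf that smtpd really is chrooted, and builds the base64 token you need to test AUTH PLAIN by hand. The paths and the /etc/init.d commands are the Ubuntu defaults the post uses; the GNU chown/chmod --reference options are assumed, as is a coreutils base64.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the Ubuntu/Debian
# default paths used above and GNU coreutils (chown/chmod --reference, base64).
set -eu

CHROOT=/var/spool/postfix              # queue_directory, i.e. the smtpd chroot
SOCKDIR=/var/run/courier/authdaemon    # where authdaemon creates "socket"
MASTER_CF=/etc/postfix/master.cf

# Is the smtpd service chrooted? Column 5 of master.cf is the chroot flag;
# "-" means the default, which is yes. Reads master.cf text from stdin so the
# logic can be checked against constructed input.
smtpd_is_chrooted() {
    awk '$1 == "smtp" && $2 == "inet" {
             if ($5 == "n") print "no"; else print "yes"; exit
         }'
}

# Build the base64 token for SMTP AUTH PLAIN (RFC 4616):
# <authzid> NUL <authcid> NUL <password>, with an empty authzid.
auth_plain_token() {
    printf '\0%s\0%s' "$1" "$2" | base64 | tr -d '\n'
}

# Move the socket directory into the chroot and symlink the old path to it.
relocate_authdaemon_socket() {
    /etc/init.d/courier-authdaemon stop
    mkdir -p "$CHROOT$SOCKDIR"
    if [ -d "$SOCKDIR" ] && [ ! -L "$SOCKDIR" ]; then
        # keep the original ownership and mode so authdaemon can still create
        # the socket and postfix can still connect to it
        chown --reference="$SOCKDIR" "$CHROOT$SOCKDIR"
        chmod --reference="$SOCKDIR" "$CHROOT$SOCKDIR"
        rm -rf "$SOCKDIR"
    fi
    ln -sfn "$CHROOT$SOCKDIR" "$SOCKDIR"
    /etc/init.d/courier-authdaemon start
    # the socket must now appear inside the chroot, where smtpd can reach it
    if [ ! -S "$CHROOT$SOCKDIR/socket" ]; then
        echo "authdaemon socket was not created in $CHROOT$SOCKDIR" >&2
        return 1
    fi
    /etc/init.d/postfix restart
}

case "${1:-}" in
    relocate) relocate_authdaemon_socket ;;
    check)    smtpd_is_chrooted < "$MASTER_CF" ;;
    token)    auth_plain_token "$2" "$3" ;;
    *)        echo "usage: $0 relocate | check | token USER PASSWORD" >&2 ;;
esac
```

After `relocate`, test the result end to end with openssl s_client -connect localhost:25 -starttls smtp, send EHLO test, then AUTH PLAIN followed by the output of `token USER PASSWORD`; a 235 reply means authdaemond accepted the credentials through the relocated socket, while a 535 means the socket is reachable but the lookup failed, and a 4xx usually means smtpd still cannot reach the socket.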
If anybody has experienced this same problem and has any other resolution for it, I'd be intrigued to see how it has been done, or, again, if anybody has any questions, either direct them to me in the comments, or if you'd prefer to contact me privately, just fill out the form on my contact page!
n00b