From: Remko Lodder (remko at elvandar dot org)
Date: Thu Mar 11 2004 - 15:25:35 EST
Hi,

Well, don't be afraid, there are people who got it working under BSD, but it seems I am doing something wrong and can't figure it out {since it works with sasldb}.

How is your postfix configured anyways? Does it have a

smtpd_sasl_local_domain =

statement? I don't fill that in so the realm can change that way.

Perhaps that works, otherwise my options are out, since I can't even get it to work :-)

Cheers
--
Kind regards,
Remko Lodder
Elvandar.org/DSINet.org
www.mostly-harmless.nl Dutch community for helping newcomers on the hackerscene

-----Original Message-----
From: owner-cyrus-sasl at lists dot andrew dot cmu dot edu [mailto:owner-cyrus-sasl at lists dot andrew dot cmu dot edu] On behalf of dwt
Sent: Thursday, 11 March 2004 21:06
To: cyrus-sasl at lists dot andrew dot cmu dot edu
Subject: RE: SASL 2.1.17 with auxprop to Myqsl

We're running all of this on RH 7.3. We may be switching to BSD once Redhat drops its support at the end of the year... depends on what that entails in its entirety since we don't really use Redhat's support anyways. But it kind of makes me weary since you can't get it working at all. It would really hurt my head to know that we have to switch from RH to BSD and everything we've migrated and done is now useless - that would be hard to explain to our customers... hmmm...

I played around with the realm function and it always uses domain1. For instance, when it queries the database, even if we're going for janedoe at domain2 - it says:

Select password from users where username='janedoe at domain1 dot com'

The %p always returns the auth mech we're using - so the actual query logs report:

"select password from users where username='janedoe' and password='saslauthPLAIN'"

We could add more realms but then I run into the problem of importing domains where the users are used to using just their username to authenticate (we will be hosting the mail for other domains with thousands of users, so it needs to be a seamless migration; just change an mx record and cross your fingers).

Do you have an idea I haven't thought of yet? I suppose I could do a Mysql "like"... but then it would still take the first entry and not the second (or third, or fourth, et cetera).

- Demian

-----Original Message-----
From: Remko Lodder [mailto:remko at elvandar dot org]
Sent: Thursday, March 11, 2004 2:38 PM
To: dwt; cyrus-sasl at lists dot andrew dot cmu dot edu
Subject: RE: SASL 2.1.17 with auxprop to Myqsl

Select username from users where password='%p' and username='%u';

try using '%u@%r' at the username section => user at realm, so that

Note that I am interested in what platform you run it on, on OpenBSD I don't get it working at all :-)

Cheers

--
Kind regards,
Remko Lodder
Elvandar.org/DSINet.org
www.mostly-harmless.nl Dutch community for helping newcomers on the hackerscene

-----Original Message-----
From: owner-cyrus-sasl at lists dot andrew dot cmu dot edu [mailto:owner-cyrus-sasl at lists dot andrew dot cmu dot edu] On behalf of dwt
Sent: Thursday, 11 March 2004 20:09
To: cyrus-sasl at lists dot andrew dot cmu dot edu
Subject: SASL 2.1.17 with auxprop to Myqsl

Hi,

I spent quite a bit of time digging through the archives.. 3 hours to be exact. I saw a couple of similar requests, yet didn't see one of them get answered. I'm hoping this one has better luck.

Smtpd.conf:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
pwcheck_method: auxprop
auxprop_plugin: sql
sql_engine: mysql
mech_list: plain login
sql_user: removed
sql_passwd: removed
sql_hostnames: localhost
sql_database: postfix
sql_statement: select Password from users where username='%u';
sql_verbose: true
---------------------------------

This setup works fine with one domain. Not a single glitch ever. Regardless of how frustrating SASL may be to configure and compile, I have to give it a gold star on reliability.

But now I've run into a problem. I'm building a massive server to support multiple domains: Courier IMAP, Postfix, and Mysql as an authentication module on all ends with Cyrus SASL for the outbound authentication. All users for all domains are stored in our one database table, "users". So in this instance we have janedoe at domain1 dot com with password pickles and janedoe at domain2 dot com with password plums.

The problem we've found is, when SASL hits up the database to authenticate the user, it finds the first entry and then stops. So when janedoe at domain2 dot com tries to send mail, with her password plums, SASL looks through the database for janedoe and sees the password as pickles and thus rejects the authentication attempt.

The solution is to make a statement that looks for the password and the username and then compares the two with the authentication attempt such as:

Select username from users where password='%p' and username='%u';

I know %p doesn't give me what I want... but I was hoping there was some way I could make it what I want since according to some documentation I read, %p can "technically be anything".

Any ideas or suggestions... or if you know exactly how to correct this problem... would be greatly appreciated.

Thank you,

- Demian
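Added example, not part of the thread and not Cyrus SASL code: a small SQLite simulation of the lookup discussed above, showing why a statement keyed on '%u' alone returns the first janedoe row and how a condition that also uses '%r' selects the right account. The users(username, domain, password) layout, the helper names and the default-realm fallback are assumptions made for illustration; with the full address stored in one column, the condition would be username='%u@%r' as suggested in the thread.

```python
import re
import sqlite3

# Constructed sample data: the two accounts from the thread, in an assumed
# users(username, domain, password) layout. Not the poster's real schema.
ROWS = [("janedoe", "domain1.com", "pickles"),
        ("janedoe", "domain2.com", "plums")]

# Statement from the posted smtpd.conf, and a realm-aware variant (assumed).
PER_USER = "select password from users where username='%u'"
PER_REALM = "select password from users where username='%u' and domain='%r'"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, domain text, password text)")
    conn.executemany("insert into users values (?, ?, ?)", ROWS)
    return conn


def split_login(login, default_realm):
    """Split 'user@realm' into (%u, %r); a bare name gets default_realm."""
    user, sep, realm = login.partition("@")
    return user, (realm if sep else default_realm)


def expand(template, user, realm):
    """Turn each quoted literal into a bound parameter with %u/%r filled in."""
    macros = {"u": user, "r": realm}
    params = []

    def bind(literal):
        params.append(re.sub(r"%([ur])", lambda m: macros[m.group(1)],
                             literal.group(1)))
        return "?"

    return re.sub(r"'([^']*)'", bind, template), params


def fetch_password(conn, template, login, default_realm):
    """Return the first matching row's password, or None if nothing matches."""
    sql, params = expand(template, *split_login(login, default_realm))
    row = conn.execute(sql + " order by rowid", params).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    for stmt in (PER_USER, PER_REALM):
        print(stmt, "->",
              fetch_password(db, stmt, "janedoe@domain2.com", "domain1.com"))
```

Login values are passed as bound parameters, so a quote character in a user name stays data and never becomes part of the statement.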