
Does auxprop not support md5crypt-type encryption?

火星人 @ 2014-03-04, reply: 0


The versions I have installed are:
cyrus-sasl-2.1.23
postfix-2.6.5,1
postfixadmin-2.3_1

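Users are added to the pgsql database through postfixadmin, and the passwords are stored as strings like $1$86fa88b8$0rSw07ELxbMZSudFtGlzx0.

The symptom is:
When I telnet to port 25, authentication fails if the password stored in the database is encrypted. If it is stored unencrypted, authentication succeeds.

How can I make it support encrypted passwords?

The contents of /usr/local/lib/sasl2/smtpd.conf are: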


pwcheck_method: auxprop
log_level: 3
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
auxprop_plugin: sql
sql_engine: pgsql
sql_hostnames: 192.168.1.2
sql_user: mail
sql_passwd: mail123
sql_database: pmail
sql_select: SELECT password FROM mailbox WHERE username = '%u@%r' AND active = true


Part of /usr/local/etc/postfix/main.cf:


smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated permit_auth_destination reject
smtpd_client_restrictions = permit_sasl_authenticated
smtpd_sender_restrictions = permit_sasl_authenticated
smtpd_sasl_path = smtpd
《Solution》

Reply to #5, zlj2208's post

Cyrus-SASL 2.1.x patches

NOTE from pieps: This page is mirrored from http://frost.ath.cx/software/cyrus-sasl-patches, and is the property of the author.
His site was down occasionally, so I've mirrored it here for convenience.
If there's something wrong with this page, and not with Brane's, feel free to email me at nick (at) pieps (dot/period) org

The following software is provided for free. You can do with it, whatever you want. Software is provided "AS IS", without any warranty at all (including the implied warranties of merchantability and fitness for a particular purpose).

If you like this piece of software, send me a postcard from somewhere :)
Snail mail address:
Branko F. Gracnar
Rakitovec 13
3263 Gorica pri Slivnici
Slovenia
Europe

Available patches:
checkpw.c

This patch makes cyrus-sasl authenticate crypt(3) hashed passwords from various backends (auxprop plugins) - so you can authenticate crypt hashed passwords in your sql database (this is probably why you are reading this homepage).

Patch adds the following plugin configuration directive:

    * password_format:

Installation

    *
          o Download cyrus-sasl-2.1.x.tar.gz from ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/ (Also downloadable locally, here)
          o Download checkpw.c patch from download page
          o Unpack distribution (tar zxf cyrus-sasl-2.1.x.tar.gz)
          o Enter source directory (cd cyrus-sasl-2.1.x)
          o Apply patch (patch -p0 < ../cyrus-sasl-2.1.x-checkpw.c.patch)
          o Run configure (./configure)
          o Compile it (make)
          o Install it (make install)
    * FreeBSD ports collection
          o Download FreeBSD version of checkpw.c patch from download page
          o Put patch files in directory /usr/ports/security/cyrus-sasl2/files

Configuration

Configuration directive can be set to the following values:

    * plaintext - passwords are stored in plaintext format - this is default
    * crypt - passwords are stored as modular crypt hashes (md5 or blowfish crypt)
    * crypt_trad - passwords are stored as des crypt hashes (2 character salt crypt)

If configuration directive password_format is not specified, then passwords are considered to be in a PLAINTEXT format.

Example mailserver configuration (file smtpd.conf):

pwcheck_method: auxprop
auxprop_plugin: sql
allowanonymouslogin: no
allowplaintext: yes
mech_list: PLAIN LOGIN
srp_mda: md5

srvtab: /dev/null
opiekeys: /dev/null

password_format: crypt

sql_user: username
sql_passwd: password
sql_hostnames: sql.example.org
sql_database: database_name
sql_select: SELECT password FROM mailbox WHERE username = '%u' AND realm = '%r'

Download

    * version 2.1.19
    * version 2.1.19, FreeBSD Ports edition

Contact

You are free to contact me on my personal email address.
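
What the `password_format: crypt` setting described in the post above changes, as an added example that is not part of the original post or of the patch itself: a pure-Python model of the check, narrowed to the `$1$` (md5crypt) scheme. The names `md5crypt` and `check_password` are assumptions made for this illustration, and the sample hash is the md5crypt test vector from the openssl-passwd manual, not a value from this thread.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def md5crypt(password: bytes, salt: bytes) -> str:
    """Compute the $1$ (md5crypt) string that crypt(3) produces."""
    salt = salt[:8]                                   # at most 8 salt characters are used
    alt = hashlib.md5(password + salt + password).digest()
    ctx = hashlib.md5(password + b"$1$" + salt)
    for left in range(len(password), 0, -16):         # len(password) bytes of the alt digest
        ctx.update(alt[:min(16, left)])
    n = len(password)
    while n:                                          # historical quirk of the algorithm
        ctx.update(b"\x00" if n & 1 else password[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                             # fixed 1000-round stretching loop
        c = hashlib.md5(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    out = []
    for a, b, c3 in [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]:
        v = (final[a] << 16) | (final[b] << 8) | final[c3]
        out += [ITOA64[(v >> s) & 0x3F] for s in (0, 6, 12, 18)]
    out += [ITOA64[final[11] & 0x3F], ITOA64[final[11] >> 6]]
    return "$1$" + salt.decode() + "$" + "".join(out)

def check_password(stored: str, supplied: str, password_format: str = "plaintext") -> bool:
    """Model of how the value returned by sql_select is compared (hypothetical helper)."""
    if password_format == "crypt":
        if not stored.startswith("$1$"):
            return False                              # this example only implements $1$
        salt = stored[3:].split("$", 1)[0]            # the salt travels inside the stored hash
        candidate = md5crypt(supplied.encode(), salt.encode())
    else:
        candidate = supplied                          # default: stored value is taken as the password
    return hmac.compare_digest(candidate.encode(), stored.encode())

# Constructed sample: md5crypt of "password" with salt "xxxxxxxx".
STORED = "$1$xxxxxxxx$UYCIxa628.9qXjpQCjM4a."

if __name__ == "__main__":
    print(check_password(STORED, "password"))           # default format: hash never matches
    print(check_password(STORED, "password", "crypt"))  # with password_format: crypt
```

Because the server holds only a one-way hash, it needs the cleartext password from the client to recompute it, which is why the example configuration in the post lists only PLAIN and LOGIN in mech_list.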
《Solution》

Reply to #1, iheaing's post

http://bbs3.chinaunix.net/archiver/tid-1195705.html

http://www.host01.com/article/server/00070002/0621409074080879_2.htm
《Solution》

If you want sasl to support crypt encryption, you need to apply a patch.

The article below is for your reference:
http://www.thismail.org/bbs/viewthread.php?tid=2251&extra=page%3D1
《Solution》

Originally posted by ruochen on 2010-1-14 18:13
If you want sasl to support crypt encryption, you need to apply a patch.

The article below is for your reference:
http://www.thismail.org/bbs/viewthread.php?tid=2251&extra=page%3D1

When installing /usr/ports/security/cyrus-sasl2 I ticked AUTHDAEMOND, and the authtest test also works normally.

# authtest -s login iheaing@ddss.org inmmged
Authentication succeeded.

     Authenticated: iheaing@ddss.org  (uid 80, gid 80)
    Home Directory: /usr/virtual
           Maildir: ddss.org/iheaing/
             Quota: 51200000
Encrypted Password: $1$86fa88b8$0rSwa7ELxbMZSudFtGlzx0
Cleartext Password: inmmged
           Options: wbnodsn=1


Changing the contents of /usr/local/lib/sasl2/smtpd.conf to the following does not work either:

pwcheck_method: authdaemond
authdaemond_path: /var/run/authdaemond/socket
log_level: 3
mech_list: PLAIN LOGIN
auxprop_plugin: sql
sql_engine: pgsql
sql_hostnames: 192.168.1.2
sql_user: mail
sql_passwd: mailer
sql_database: pmail
sql_select: SELECT password FROM mailbox WHERE username = '%u@%r' AND active = true

/var/log/maillog shows:

postfix/smtpd: connect from unknown
postfix/smtpd: warning: SASL authentication failure: could not verify password
postfix/smtpd: warning: unknown: SASL login authentication failed: generic failure
postfix/smtpd: lost connection after AUTH from unknown
postfix/smtpd: disconnect from unknown

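[ Last edited by iheaing on 2010-1-15 08:34 ]
《Solution》

Reply to #4, iheaing's post

Turn on courier-authlib logging. The file is named authdaemonrc; its exact location depends on how you installed it, so look for it yourself. Check what DEBUG_LOGIN is set to and try changing it to DEBUG_LOGIN=2.

See whether the log then contains more detailed messages.

Change /usr/local/lib/sasl2/smtpd.conf to: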


pwcheck_method: authdaemond
log_level: 3
mech_list: PLAIN LOGIN
authdaemond_path: /your/install/authdaemon/socket

Edit the authlib configuration file authmysqlrc following this format, and configure it according to your actual situation:

MYSQL_SERVER localhost
MYSQL_DATABASE postfix
MYSQL_USERNAME postfix
MYSQL_PASSWORD passwd
MYSQL_USER_TABLE mailbox
MYSQL_LOGIN_FIELD username
MYSQL_CRYPT_PWFIELD password
MYSQL_UID_FIELD '1000'
MYSQL_GID_FIELD '1000'
MYSQL_HOME_FIELD '/var/mailbox/'
MYSQL_MAILDIR_FIELD CONCAT('/var/mailbox/',maildir)
MYSQL_NAME_FIELD name
MYSQL_QUOTA_FIELD concat(quota,'S')
MYSQL_WHERE_CLAUSE active='1'


[ Last edited by zlj2208 on 2010-1-15 19:30 ]
《Solution》

Originally posted by scyzxp on 2010-1-15 12:28
Cyrus-SASL 2.1.x patches

NOTE from pieps: This page is mirrored from http://frost.ath.cx/software/cyrus-sasl-patches, and is the property of the author.
His site was down occasionally, so I'v ...


This looks like the right answer, but mine is cyrus-sasl-2.1.23;
can cyrus-sasl-2.1.19-checkpw.c.patch be used?

I'm busy with other things; anyone who has tried it, please let me know.
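《Solution》

Reply to #7, iheaing's post

Yes, it can. It is for 2.1.x. No problem. I am using it myself.
《Solution》

Originally posted by scyzxp on 2010-1-15 15:19
Yes, it can. It is for 2.1.x. No problem. I am using it myself.



It should be fine.
《Solution》

Many thanks to comrade 淺嘗孤獨! The reply at #6 is the best answer; anyone who disagrees, speak up.

This patch has existed since 2.1.19; why has it still not been integrated into version 2.1.23?

[ Last edited by iheaing on 2010-1-15 18:46 ]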


http://coctec.com/docs/service/show-post-19118.html