SQL Authentication

Pre-requisites

All examples use MySQL but it should be possible to use PostgresQL or similar database.

MySQL Server

This document assumes that MySQL is running on localhost and that you can connect as a user who has the required privileges to add users and databases.

We will create a database db_mail with the mail_users table and grant SELECT privileges to the user db_mail_user with password db_mail_password

The database connection details are completely changeable and you can even use a remote MySQL server, but remember to change them throughout the instructions below.

Note

The database table doesn't need to be writable by the Cyrus server. If your master database is held on a different server, you could use MySQL replication to replicate just the mail_users table to the Cyrus server and make the table read-only on the replica.

saslauthd

saslauthd needs to be configured to use PAM. In the output of ps ax | grep saslauthd it'll probably look like saslauthd -a pam Optionally -r (realm) parameter with saslauthd if you plan to use username@domain style logins instead of just username

pam_mysql

pam_mysql (0.7) from http://pam-mysql.sourceforge.net/ - it's quite likely that other MySQL PAM modules would work, but this one definitely works and using a different version will require different configuration to that described below.

Database structure

At the very minimum, the mail_users table requires username and password columns. It is also recommended to include a column to indicate if the account is permitted to login or not since this will make disabling an account much easier than altering the password field.

CREATE DATABASE db_mail;
GRANT SELECT ON db_mail.* TO 'db_mail_user'@'localhost'
    IDENTIFIED BY 'db_mail_password';

USE db_mail;

CREATE TABLE mail_users (
    username VARCHAR(200) NOT NULL,
    password VARCHAR(40) NOT NULL,
    active TINYINT(1) NOT NULL DEFAULT 1,
    INDEX username_idx(username)
);

Next insert an example record for testing purposes. The username must match the mailbox created in Cyrus and the login is the full email address. If you don't need/want domain based virtual users, you can also just insert a username without the @example.org

INSERT INTO mail_users SET username='jane@example.org',
    password=ENCRYPT('janepass','$1$1234abcd'), active=1;

Warning

You should use better passwords and salts in production!

On modern versions of Linux, the salts used for the password encryption should be $1$ followed by 8 random alphanumeric characters. Other operating systems may have different requirements for the salt as used by the system crypt(3) function and described in the relevant man page.

PAM configuration for use with saslauthd

Assuming both POP3 and IMAP services are being offered, you will need to update /etc/pam.d/pop and /etc/pam.d/imap to allow MySQL to be used.

Assuming the files already contain the following

#%PAM-1.0
auth       required     pam_nologin.so
auth       include      system-auth
account    include      system-auth
session    include      system-auth

amend them to read

#%PAM-1.0
auth       required     pam_nologin.so
auth       sufficient   pam_mysql.so config_file=/etc/mail-pam-mysql.conf
auth       include      system-auth
account    sufficient   pam_mysql.so config_file=/etc/mail-pam-mysql.conf
account    include      system-auth
password   required     pam_deny.so
session    include      system-auth

The configuration file specified also needs to be created. Using the database connection details established earlier, the configuration file should contain:

verbose = 0;
users.host = localhost;
users.database = db_mail;
users.db_user = db_mail_user;
users.db_passwd = db_mail_password;
users.password_crypt = 1;
users.md5 = true;

users.table = mail_users;
users.where_clause = active = 1;
users.user_column = username;
users.password_column = password;

Warning

Because this file contains the database password, you should ensure it is properly protected. Change the ownership to root:root (if it's not already), and chmod 600 /etc/mail-pam-mysql.conf

Changing verbose to 1 results in a large amount of debugging output in the logs, including the SQL being run. This can be useful if it's not working as expected. If you are using the MySQL PASSWORD() function, change password_crypt to 1

Testing the SASL configuration

If everything is correct, you should be able to run the following commands:

$ testsaslauthd -u jane -r example.org -p janepass -s imap
0: OK "Success."

$ testsaslauthd -u jane -r example.org -p janepas3 -s imap
0: NO "authentication failed"

$ testsaslauthd -u jane -r example.org -p janepass -s pop
0: NO "authentication failed"

This fails because we haven't setup the PAM config file for the POP service, update /etc/pam.d/pop by adding the following two 'sufficient' lines above the appropriate 'required' lines.

auth       sufficient   pam_mysql.so config_file=/etc/mail-pam-mysql.conf
account    sufficient   pam_mysql.so config_file=/etc/mail-pam-mysql.conf

If everything is correct, you should be able to run the following and get an OK response.

$ testsaslauthd -u jane -r example.org -p janepass -s pop
0: OK "Success."

Create the test mailboxes within Cyrus

cyradm> cm user/jane@example.org

If you get an error when creating the mailbox, check that you have virtdomains: userid and unixhierarchysep: on in /etc/imapd.conf as the syntax for the mailbox name will be different.

Testing everything together

This step assumes Cyrus is already configured and listening on localhost port 143 (IMAP). Change the openssl command as required if it's not.

$ openssl s_client -connect localhost:143 -starttls imap
...
. OK Completed
0 LOGIN jane@example.org janepass
0 OK [CAPABILITY ...] User logged in ...
0 LOGOUT
* BYE LOGOUT received
0 OK Completed

If you don't get an OK response to the LOGIN command, something isn't working properly and there may be useful log messages in either maillog, messages or secure log files.

Back to Features