Email Server/pam mysql
Part of the Email Server documentation
Introduction
This page describes installing and configuring pam mysql for use with Postfix and saslauthd when setting up a virtual domains Email Server on Linux.
Dependencies
Well, you need PAM obviously, and OpenSSL - you do have those, don't you?
You'll also want the development packages; on CentOS these are:
# yum install openssl-devel
# yum install pam-devel
# ldconfig
To work with Postfix authentication, we need support for Cyrus SASL2, so you'll need to get the Cyrus saslauthd installed first.
Installing
It's important to configure and build the software as a normal user, not root. You should only use root to carry out the final "make install" step.
Here we're getting the new pam module to install in /lib/security rather than somewhere under /usr/local. This may or may not be the "right" way to do it but it's the easiest way to make sure pam can see the new module.
PAM MySQL lives on sourceforge.net; go there to find the latest version. We're using 0.7RC1 in this example.
$ cd /usr/local/src
$ wget http://kent.dl.sourceforge.net/sourceforge/pam-mysql/pam_mysql-0.7RC1.tar.gz
$ tar zxvf pam_mysql-0.7RC1.tar.gz
$ cd pam_mysql-0.7RC1
$ ./configure --with-openssl --with-cyrus-sasl2 --with-pam-mods-dir=/lib/security
$ make
$ exit
# cd /usr/local/src/pam_mysql-0.7RC1
# make install
Issues?
If you get an error, you might need to copy md5.h from sasl, openssl or another library to /usr/include (sorry, can't remember the exact details, but it's easy enough to figure out). Try:
# cp -p /usr/include/openssl/md5.h /usr/include/md5.h
# ./configure --with-openssl --with-cyrus-sasl2 --with-pam-mods-dir=/lib/security
Configuration
I guess you could use pam mysql for authentication with all sorts of things, but we're just interested in SMTP authentication, so the file we need to edit is /etc/pam.d/smtp.
You might want to rename any existing /etc/pam.d/smtp file.
We are using the Email Server/Database to back the authentication.
#%PAM-1.0
auth required pam_mysql.so user=<USERNAME> passwd=<PASSWORD> host=localhost db=<DATABASE> table=account_auth usercolumn=username passwdcolumn=cryptpw crypt=1 md5=0 verbose=true
account sufficient pam_mysql.so user=<USERNAME> passwd=<PASSWORD> host=localhost db=<DATABASE> table=account_auth usercolumn=username passwdcolumn=cryptpw crypt=1 md5=0 verbose=true
You noticed you need to use the username, password and database name for your implementation, didn't you? ;)
The user account only needs read access to the account_auth view.
The database name I used is virtualdomains, and the user name is vdomains_read.
In this case, we are not using the clear text password in the database (clearpw); the passwords are stored as crypt-md5. You could use clear text if you want to support CRAM-MD5, or you could use MD5 hex, but I don't think that is compatible with Courier Authlib.
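Because /etc/pam.d/smtp now carries the database password and the crypt= setting decides how stored passwords are compared, a small audit of that file is worth running after editing it. The script below is an added example, not part of the original page or of pam_mysql; the function names are hypothetical, and the option semantics (crypt=0 or "plain" meaning clear text, verbose being on unless set to 0/N/false/no) are assumed from the pam_mysql 0.7 README.

```shell
#!/bin/sh
# Added example, not from the original page: audit a pam_mysql service file.
# Assumed option semantics (pam_mysql 0.7 README): crypt=0/"plain" or a missing
# crypt= option means clear-text comparison; verbose is on unless 0/N/false/no.

# Print the value of OPTION from the first TYPE line that loads pam_mysql.so.
pam_mysql_opt() {    # usage: pam_mysql_opt FILE TYPE OPTION
    awk -v type="$2" -v opt="$3" '
        $1 == type && $3 ~ /pam_mysql\.so$/ {
            for (i = 4; i <= NF; i++)
                if (index($i, opt "=") == 1) print substr($i, length(opt) + 2)
            exit
        }' "$1"
}

# Print one finding per line; return 0 when clean, 1 otherwise.
audit_pam_mysql() {  # usage: audit_pam_mysql FILE
    apm_file=$1
    apm_rc=0
    # The file embeds the database password (passwd=), so "other" must not read it.
    if [ -n "$(find "$apm_file" -maxdepth 0 -perm -004)" ]; then
        echo "PERMS: $apm_file is world-readable but contains the database password"
        apm_rc=1
    fi
    # Only the auth line verifies passwords, so crypt= matters there.
    case "$(pam_mysql_opt "$apm_file" auth crypt)" in
        ""|0|plain) echo "CRYPT: auth line compares clear-text passwords"; apm_rc=1 ;;
    esac
    for apm_type in auth account; do
        case "$(pam_mysql_opt "$apm_file" "$apm_type" verbose)" in
            ""|0|[Nn]|[Ff][Aa][Ll][Ss][Ee]|[Nn][Oo]) ;;
            *) echo "VERBOSE: $apm_type line has debug logging enabled"; apm_rc=1 ;;
        esac
    done
    return $apm_rc
}

# Run against a file when arguments are given: sh audit.sh /etc/pam.d/smtp
if [ $# -gt 0 ]; then
    audit_pam_mysql "$1"
fi
```

A PERMS finding is cleared with chmod 600 on the file (owned by root), and a VERBOSE finding by setting verbose=0 once authentication is confirmed working.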
