
SQL Authentication
******************


Pre-requisites
==============

All examples use MySQL but it should be possible to use PostgresQL or
similar database.


MySQL Server
------------

This document assumes that MySQL is running on "localhost" and that
you can connect as a user who has the required privileges to add users
and databases.

We will create a database "db_mail" with the "mail_users" table and
grant SELECT privileges to the user "db_mail_user" with password
"db_mail_password"

The database connection details are completely changeable and you can
even use a remote MySQL server, but remember to change them throughout
the instructions below.

Note: The database table doesn't need to be writable by the Cyrus
  server. If your master database is held on a different server, you
  could use MySQL replication to replicate just the mail_users table
  to the Cyrus server and make the table read-only on the replica.


saslauthd
---------

saslauthd needs to be configured to use PAM. In the output of **ps ax
| grep saslauthd** it'll probably look like **saslauthd -a pam**
Optionally "-r" (realm) parameter with saslauthd if you plan to use
username@domain style logins instead of just username


pam_mysql
---------

pam_mysql (0.7) from http://pam-mysql.sourceforge.net/ - it's quite
likely that other MySQL PAM modules would work, but this one
definitely works and using a different version will require different
configuration to that described below.


Database structure
==================

At the very minimum, the mail_users table requires username and
password columns. It is also recommended to include a column to
indicate if the account is permitted to login or not since this will
make disabling an account much easier than altering the password
field.

   CREATE DATABASE db_mail;
   GRANT SELECT ON db_mail.* TO 'db_mail_user'@'localhost'
       IDENTIFIED BY 'db_mail_password';

   USE db_mail;

   CREATE TABLE mail_users (
       username VARCHAR(200) NOT NULL,
       password VARCHAR(40) NOT NULL,
       active TINYINT(1) NOT NULL DEFAULT 1,
       INDEX username_idx(username)
   );

Next insert an example record for testing purposes. The username must
match the mailbox created in Cyrus and the login is the full email
address. If you don't need/want domain based virtual users, you can
also just insert a username without the @example.org

   INSERT INTO mail_users SET username='jane@example.org',
       password=ENCRYPT('janepass','$1$1234abcd'), active=1;

Warning: You should use better passwords and salts in production!

On modern versions of Linux, the salts used for the password
encryption should be $1$ followed by 8 random alphanumeric characters.
Other operating systems may have different requirements for the salt
as used by the system crypt(3) function and described in the relevant
man page.


PAM configuration for use with saslauthd
========================================

Assuming both POP3 and IMAP services are being offered, you will need
to update /etc/pam.d/pop and /etc/pam.d/imap to allow MySQL to be
used.

Assuming the files already contain the following

   #%PAM-1.0
   auth       required     pam_nologin.so
   auth       include      system-auth
   account    include      system-auth
   session    include      system-auth

amend them to read

   #%PAM-1.0
   auth       required     pam_nologin.so
   auth       sufficient   pam_mysql.so config_file=/etc/mail-pam-mysql.conf
   auth       include      system-auth
   account    sufficient   pam_mysql.so config_file=/etc/mail-pam-mysql.conf
   account    include      system-auth
   password   required     pam_deny.so
   session    include      system-auth

The configuration file specified also needs to be created. Using the
database connection details established earlier, the configuration
file should contain:

   verbose = 0;
   users.host = localhost;
   users.database = db_mail;
   users.db_user = db_mail_user;
   users.db_passwd = db_mail_password;
   users.password_crypt = 1;
   users.md5 = true;

   users.table = mail_users;
   users.where_clause = active = 1;
   users.user_column = username;
   users.password_column = password;

Warning: Because this file contains the database password, you
  should ensure it is properly protected. Change the ownership to
  root:root (if it's not already), and **chmod 600 /etc/mail-pam-
  mysql.conf**

Changing verbose to 1 results in a large amount of debugging output in
the logs, including the SQL being run. This can be useful if it's not
working as expected. If you are using the MySQL PASSWORD() function,
change password_crypt to 1


Testing the SASL configuration
==============================

If everything is correct, you should be able to run the following
commands:

   $ **testsaslauthd -u jane -r example.org -p janepass -s imap**
   0: OK "Success."

   $ **testsaslauthd -u jane -r example.org -p janepas3 -s imap**
   0: NO "authentication failed"

   $ **testsaslauthd -u jane -r example.org -p janepass -s pop**
   0: NO "authentication failed"

This fails because we haven't setup the PAM config file for the POP
service, update /etc/pam.d/pop by adding the following two
'sufficient' lines above the appropriate 'required' lines.

   auth       sufficient   pam_mysql.so config_file=/etc/mail-pam-mysql.conf
   account    sufficient   pam_mysql.so config_file=/etc/mail-pam-mysql.conf

If everything is correct, you should be able to run the following and
get an OK response.

   $ **testsaslauthd -u jane -r example.org -p janepass -s pop**
   0: OK "Success."


Create the test mailboxes within Cyrus
======================================

   cyradm> cm user/jane@example.org

If you get an error when creating the mailbox, check that you have
"virtdomains: userid" and "unixhierarchysep: on" in /etc/imapd.conf as
the syntax for the mailbox name will be different.


Testing everything together
===========================

This step assumes Cyrus is already configured and listening on
localhost port 143 (IMAP). Change the openssl command as required if
it's not.

   $ **openssl s_client -connect localhost:143 -starttls imap**
   ...
   . OK Completed
   0 LOGIN jane@example.org janepass
   0 OK [CAPABILITY ...] User logged in ...
   0 LOGOUT
   * BYE LOGOUT received
   0 OK Completed

If you don't get an OK response to the LOGIN command, something isn't
working properly and there may be useful log messages in either
maillog, messages or secure log files.

Back to Features
