Crypted SMTP Auth with Postfix
06/20/2008 21:38 by mud

Today was a good day. Not only did I win Solitaire on my iPod on a train down to Providence, I fixed a mailserver issue that I’ve been struggling with for a few weeks.

I’m slowly switching over to Slicehost for all my web hosting requirements, and setting up the server (I’m running Ubuntu Hardy) so that I can get rid of all the other hosting I use (I already got rid of crappy Dreamhost). I’ve been using Pair for the last ten years and have been really happy with them, but I’m a server junkie. VPS is just too tasty. Anyway, most server stuff is pretty straightforward to set up. Pickled Onion articles and a bunch of howtoforge docs will get you started from a fresh disk image in no time. One thing that tripped me up was setting up the mail server. I wanted the standard PostfixAdmin-controlled virtual user setup using MySQL to manage the users. Following this and this got everything working, except SMTP would not authenticate properly when storing passwords encrypted in the database.

Everything worked, Courier IMAP and SMTP Auth using TLS…but only if the users’ passwords were stored cleartext in the database. Even if connecting securely, storing passwords cleartext is a bad idea. The problem comes from Ubuntu SASL libraries not supporting password_format. I didn’t want to run the patch, since…well, I don’t really know how patching while using aptitude works (you probably have to run it every time you update), and I didn’t want to start compiling some things from source, while mostly relying on a package manager. I’ve inherited servers where some things are compiled from source and other things are managed on multiple package managers, and it is a BAD IDEA.

So, the solution. I followed the Ubuntu article and set up my database much like their example, but instead of using auxprop for pwcheck_method, I use saslauthd with PAM.

First, make sure you install libpam-mysql:

sudo aptitude install libpam-mysql

Then, in /etc/postfix/sasl/smtpd.conf:

pwcheck_method: saslauthd
mech_list: plain login

You might also want to add log_level: 7 while you are debugging. Next, create /etc/pam.d/smtp with the following:

auth required pam_mysql.so user=the_user passwd=the_password host=127.0.0.1 db=postfix table=mailbox usercolumn=username passwdcolumn=password crypt=1
account sufficient pam_mysql.so user=the_user passwd=the_password host=127.0.0.1 db=postfix table=mailbox usercolumn=username passwdcolumn=password crypt=1

Then make sure you use $CONF['encrypt'] = 'system' for PostfixAdmin. You should observe /var/log/mail.log and /var/log/auth.log for any errors. When I first tried out PAM, I didn’t realize that I had not installed libpam-mysql, so only today when I went back and set the log_level did I actually realize I needed to install it.
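A quick way to check the pieces above before testing a login, as an added example that is not part of the original post: the function name audit_smtp_auth and its optional ROOT argument are made up here, while the file paths and settings are the ones from this post. It assumes saslauthd runs as root, so the PAM file (which holds the MySQL password) can be mode 600.

```shell
# Added example, not from the original post. audit_smtp_auth and ROOT are
# hypothetical names; paths and settings are the ones used above.
# Usage (as root on the mail server): audit_smtp_auth
audit_smtp_auth() {
    root="${1:-}"   # optional prefix, for checking a copy of the config tree
    sasl="$root/etc/postfix/sasl/smtpd.conf"
    pam="$root/etc/pam.d/smtp"
    rc=0

    # saslauthd must be the checker, otherwise PAM is never consulted.
    grep -Eq '^pwcheck_method:[[:space:]]*saslauthd[[:space:]]*$' "$sasl" 2>/dev/null ||
        { echo "FAIL: pwcheck_method is not saslauthd in $sasl"; rc=1; }

    # saslauthd needs the plaintext password, so only PLAIN and LOGIN can work.
    mechs=$(sed -n 's/^mech_list:[[:space:]]*//p' "$sasl" 2>/dev/null | tr 'A-Z' 'a-z')
    [ -n "$mechs" ] || { echo "FAIL: no mech_list in $sasl"; rc=1; }
    for m in $mechs; do
        case "$m" in
            plain|login) ;;
            *) echo "FAIL: mechanism '$m' cannot be checked through saslauthd"; rc=1 ;;
        esac
    done

    # Every active pam_mysql line must use crypt(3); crypt=0 compares cleartext.
    lines=$(grep -v '^[[:space:]]*#' "$pam" 2>/dev/null | grep 'pam_mysql\.so') || lines=""
    if [ -z "$lines" ]; then
        echo "FAIL: no pam_mysql.so lines in $pam"; rc=1
    elif echo "$lines" | grep -Eqv '(^|[[:space:]])crypt=1([[:space:]]|$)'; then
        echo "FAIL: a pam_mysql.so line in $pam lacks crypt=1"; rc=1
    fi

    # The PAM file embeds the MySQL password. Assumption: saslauthd runs as
    # root, so the file does not need to be readable by anyone else.
    if [ -n "$(find "$pam" -perm -004 2>/dev/null)" ]; then
        echo "FAIL: $pam is world-readable; chmod 600 it"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: smtpd.conf and pam.d/smtp match this setup"
    return "$rc"
}
```

Once it passes, testsaslauthd -u USER -p PASSWORD -s smtp exercises the same PAM service end to end (add -f with the socket path if saslauthd does not use the default one).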

Now I feel a little better not having cleartext passwords around…

ps. I am really bad at Solitaire, so it was a good day.

One Response to “Crypted SMTP Auth with Postfix”
  1. B Says:

    Oh man, I’m right there with you on the postfix thing! What a PITA! Thanks for posting this, hopefully I will have a better day because of it. BTW -slicehost rocks, I’ve been messing around with various installs, and just wiping when I want to do something else or I screw up -fun!

    Good luck w/ the new corp.
    I’m off to try a round of solitaire, as an added measure . . .

    -Brian
