For protocols such as SMTP, most normal cases can be handled by a server such as Postfix with relaying allowed from internal hosts. However, with features such as SMTP-AUTH and SMTP-TLS in use, proxying can break, and there is no way to differentiate between “normal” SMTP traffic and SMTP traffic using SMTP-AUTH on most firewalls or routers.
When we try it we get mixed results. On some mail clients it appears to work, on others there is an error, and on others it prompts for a username and password every time the user tries to send e-mail.
Depending on your SMTP server software, you may be able to configure it to always accept SMTP authentication requests and allow the user to send mail. Of course, you wouldn’t want to leave this server exposed to the internet either.
Fantastic! That’s what I was hoping. We have Postfix and I have searched high and low to figure this out, but no clues yet. Do you have any for Postfix, or any other server for that matter? I could use information from another server and cross reference this with Postfix info.
I was able to get this working by having this for my smtpd.conf file (assuming you have the sasl packages installed and running):
pwcheck_method: saslauthd
mech_list: DIGEST-MD5
I wasn’t able to get it working with any other mech_list options, and it appears to accept any user-name and password because it’s not really checking the password file. I’m not sure if it works for everyone, because there are auth-failures in the logs, but we haven’t had many/any complaints about the e-mail relays since having this setup.
You could configure Postfix to use SASL with PAM, and then hook PAM into a database (say MySQL) with a query that always returns success. Not the most straightforward configuration, but it should work fairly cleanly.
I tried suggestions from Feklar but I get mixed results. On some Windows workstations some options work (with Outlook but not Outlook Express) and on some Linux mail clients (most) options work. If it works on the one it doesn’t work on the other.
But I cannot only live with DIGEST-MD5 or PLAIN as I am intercepting 100s of different mail users' SMTP. I need at least a longer list, maybe even this long:
mech_list: plain login digest-md5 cram-md5
I like your suggestion a lot. I tried it but ran into some problems. First, it appears that when SASL with PAM is hooked into MySQL, for whatever reason it insists on always checking the password.
I tried fooling it by modifying the sql_select statement:
smtpd.conf
sql_select: SELECT '%v' from users where username = '%u'
But it seems it's catching my plan:
Feb 3 13:07:05 monitor postfix/smtpd[32315]: '%v' shouldn't be in a SELECT or DELETE
Feb 3 13:07:05 monitor postfix/smtpd[32315]: sql plugin doing query SELECT '' from users where username = 'test';
Feb 3 13:07:05 monitor postfix/smtpd[32315]: sql plugin: no result found
Try using something like
SELECT '1' AS `result`;
This will not query any actual table, but simply return a single row containing a single column named "result" with the value "1", e.g.
mysql> SELECT '1' AS `result`;
+--------+
| result |
+--------+
| 1      |
+--------+
1 row in set (0.00 sec)
Thanks for the response. I worked past the compilation problem, it turns out to be a problem with GCC that has more stringent checking (actually a bug related to elif statements).
But I don’t think this SASL Cyrus MySQL plugin module was designed to be bypassed. I tried your suggestion and now I get:
Feb 3 15:24:40 monitor postfix/smtpd[13212]: sql plugin Parse the username username
Feb 3 15:24:40 monitor postfix/smtpd[13212]: sql plugin try and connect to a host
Feb 3 15:24:40 monitor postfix/smtpd[13212]: sql plugin trying to open db 'mail' on host '127.0.0.1'
Feb 3 15:24:40 monitor postfix/smtpd[13212]: begin transaction
Feb 3 15:24:40 monitor postfix/smtpd[13212]: sql plugin create statement from userPassword username server.domain.com
Feb 3 15:24:40 monitor postfix/smtpd[13212]: sql plugin doing query SELECT '1' AS 'result';
Feb 3 15:24:40 monitor postfix/smtpd[13212]: commit transaction
Feb 3 15:24:40 monitor postfix/smtpd[13212]: sql plugin Parse the username username
Feb 3 15:24:40 monitor postfix/smtpd[13212]: sql plugin try and connect to a host
Feb 3 15:24:40 monitor postfix/smtpd[13212]: sql plugin trying to open db 'mail' on host '127.0.0.1'
Feb 3 15:24:40 monitor postfix/smtpd[13212]: sql plugin Parse the username username
Feb 3 15:24:40 monitor postfix/smtpd[13212]: sql plugin try and connect to a host
Feb 3 15:24:40 monitor postfix/smtpd[13212]: sql plugin trying to open db 'mail' on host '127.0.0.1'
Feb 3 15:24:40 monitor postfix/smtpd[13212]: begin transaction
Feb 3 15:24:40 monitor postfix/smtpd[13212]: sql plugin create statement from userPassword username server.domain.com
Feb 3 15:24:40 monitor postfix/smtpd[13212]: sql plugin doing query SELECT '1' AS 'result';
Feb 3 15:24:40 monitor postfix/smtpd[13212]: sql plugin create statement from cmusaslsecretPLAIN username server.domain.com
Feb 3 15:24:40 monitor postfix/smtpd[13212]: sql plugin doing query SELECT '1' AS 'result';
Feb 3 15:24:40 monitor postfix/smtpd[13212]: commit transaction
Feb 3 15:24:40 monitor postfix/smtpd[13212]: sql plugin Parse the username username
Feb 3 15:24:40 monitor postfix/smtpd[13212]: sql plugin try and connect to a host
Feb 3 15:24:40 monitor postfix/smtpd[13212]: sql plugin trying to open db 'mail' on host '127.0.0.1'
On the front end it keeps on prompting for the password. I guess it’s off to look for some Cyrus mailing list. I can’t find any forum. What a drag.
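Added example, not posted by anyone in this thread: a small Python parser over the Cyrus SASL sql-plugin log lines quoted above. It groups the lines per smtpd process so you can see which auxprop properties (userPassword, cmusaslsecretPLAIN) the plugin actually asked the database for, which queries it ran, and where it reported an error; the regexes are assumptions derived from the line formats shown, and the sample log is constructed from the thread's own lines.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the postfix/smtpd sql-plugin lines from this thread.
SAMPLE_LOG = """\
Feb 3 15:24:40 monitor postfix/smtpd[13212]: sql plugin Parse the username username
Feb 3 15:24:40 monitor postfix/smtpd[13212]: sql plugin trying to open db 'mail' on host '127.0.0.1'
Feb 3 15:24:40 monitor postfix/smtpd[13212]: begin transaction
Feb 3 15:24:40 monitor postfix/smtpd[13212]: sql plugin create statement from userPassword username server.domain.com
Feb 3 15:24:40 monitor postfix/smtpd[13212]: sql plugin doing query SELECT '1' AS 'result';
Feb 3 15:24:40 monitor postfix/smtpd[13212]: sql plugin create statement from cmusaslsecretPLAIN username server.domain.com
Feb 3 15:24:40 monitor postfix/smtpd[13212]: sql plugin doing query SELECT '1' AS 'result';
Feb 3 15:24:40 monitor postfix/smtpd[13212]: commit transaction
Feb 3 13:07:05 monitor postfix/smtpd[32315]: '%v' shouldn't be in a SELECT or DELETE
Feb 3 13:07:05 monitor postfix/smtpd[32315]: sql plugin doing query SELECT '' from users where username = 'test';
Feb 3 13:07:05 monitor postfix/smtpd[32315]: sql plugin: no result found
"""

# Patterns are assumptions based on the line formats shown in the thread.
LINE_RE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
STMT_RE = re.compile(r"sql plugin create statement from (?P<prop>\S+) (?P<user>\S+) (?P<realm>\S+)")
QUERY_RE = re.compile(r"sql plugin doing query (?P<query>.*)$")

def summarize_sasl_sql_log(text):
    """Group sql-plugin lines by smtpd pid; per session record the auxprop
    properties requested, the queries executed and any plugin error messages."""
    sessions = defaultdict(lambda: {"lookups": [], "queries": [], "errors": []})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        s = sessions[m.group("pid")]
        msg = m.group("msg")
        if sm := STMT_RE.match(msg):
            s["lookups"].append((sm.group("prop"), sm.group("user"), sm.group("realm")))
        elif qm := QUERY_RE.match(msg):
            s["queries"].append(qm.group("query"))
        elif "shouldn't be in" in msg or msg.startswith("sql plugin: no result"):
            s["errors"].append(msg)
    return dict(sessions)

def properties_requested(summary):
    """Distinct auxprop properties the plugin asked the database for."""
    return sorted({prop for s in summary.values() for prop, _, _ in s["lookups"]})
```

Seeing userPassword and cmusaslsecretPLAIN in the lookups shows the plugin is fetching per-user secrets to compare against, which is why a query that merely returns a row does not by itself make the authentication succeed.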
Amongst the Cyrus SASL authentication mechanisms (pwcheck_method) there appears to be one called "alwaystrue". It might be worth seeing if that does what it says.