Froxlor with hashed (encrypted) passwords and sasl

In the current Froxlor settings it is not possible to disable clear text passwords and use Postfix with SASL (Note: I’m using Courier as IMAP and POP3 server). Also, I’m using Ubuntu 12.04.

To enable this, a few extra configuration steps are needed
(see also: http://www.ubuntufreunde.de/forum/4170/ubuntu_10_04_postfix_und_courier_imap_mit_mysql.html):

  1. Just configure Froxlor and all services as you would do normally
  2. Don’t enable clear text passwords (Settings -> Security Options -> “Also save passwords of mail accounts unencrypted in database”)
  3. Choose a password hash (I used SHA-256)
  4. Install libpam-mysql:
    apt-get install libpam-mysql
  5. Create following directory:
    mkdir -p /var/spool/postfix/var/run/saslauthd
  6. Edit /etc/default/saslauthd:
    Change START from “no” to “yes”
    # Should saslauthd run automatically on startup? (default: no)
    START=yes

    Edit “OPTIONS” at the end of the file:
    #OPTIONS="-c -m /var/run/saslauthd"
    OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"
  7. Create /etc/pam.d/smtp (Please replace “FROXLORPWD” with your correct password):
    auth required pam_mysql.so user=froxlor passwd=FROXLORPWD host=127.0.0.1 db=froxlor table=mail_users usercolumn=username passwdcolumn=password_enc crypt=1
    account sufficient pam_mysql.so user=froxlor passwd=FROXLORPWD host=127.0.0.1 db=froxlor table=mail_users usercolumn=username passwdcolumn=password_enc crypt=1
  8. Add the postfix user to the sasl group:
    adduser postfix sasl
  9. Edit /etc/postfix/sasl/smtpd.conf (also replace the password):
    Note: now only the PLAIN and LOGIN mechanisms are allowed, and both send the password without any protection of their own, so use SSL or STARTTLS!
    pwcheck_method: saslauthd
    mech_list: plain login
  10. Restart Postfix and saslauthd:
    service postfix restart
    service saslauthd restart
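
A read-only check of the files touched in steps 5 to 9, added here as an example (it is not part of the original post or of Froxlor). The function name `audit_sasl_setup` and its optional root-prefix argument are hypothetical, and the world-readable test on /etc/pam.d/smtp is an extra check that assumes saslauthd runs as root.

```shell
#!/bin/sh
# Added example: audits the configuration from steps 5-9 without changing it.
# Optional argument: a root prefix (for a constructed test tree); empty = live system.
# Call on the server with: audit_sasl_setup
audit_sasl_setup() {
    root="${1:-}"
    sock="/var/spool/postfix/var/run/saslauthd"
    fails=0
    fail() { echo "FAIL: $*"; fails=$((fails + 1)); }

    # Step 5: socket directory inside the Postfix chroot exists
    [ -d "$root$sock" ] || fail "missing directory $sock"

    # Step 6: saslauthd is enabled, uses the chroot socket and -r
    def="$root/etc/default/saslauthd"
    grep -Eq '^START=yes' "$def" 2>/dev/null || fail "START is not yes"
    opts=$(grep -E '^OPTIONS=' "$def" 2>/dev/null | tail -n 1)
    case "$opts" in *"-m $sock"*) ;; *) fail "OPTIONS lacks -m $sock" ;; esac
    case "$opts" in *" -r"*) ;; *) fail "OPTIONS lacks -r" ;; esac

    # Step 7: auth and account lines compare against the hashed column
    pam="$root/etc/pam.d/smtp"
    for kind in auth account; do
        grep -E "^${kind}[[:space:]]" "$pam" 2>/dev/null |
            grep 'pam_mysql\.so' | grep 'passwdcolumn=password_enc' |
            grep -q 'crypt=1' || fail "$pam: no hashed-password $kind line"
    done
    # The file holds the Froxlor DB password (assumption: root-only is enough)
    [ -z "$(find "$pam" -prune -perm -004 2>/dev/null)" ] ||
        fail "$pam is world-readable"

    # Step 9: saslauthd backend, and only the PLAIN/LOGIN mechanisms offered
    conf="$root/etc/postfix/sasl/smtpd.conf"
    grep -Eq '^pwcheck_method:[[:space:]]*saslauthd' "$conf" 2>/dev/null ||
        fail "pwcheck_method is not saslauthd"
    mechs=$(sed -n 's/^mech_list:[[:space:]]*//p' "$conf" 2>/dev/null || true)
    [ -n "$mechs" ] || fail "mech_list not set"
    for m in $mechs; do
        case "$m" in
            plain|login|PLAIN|LOGIN) ;;
            *) fail "unexpected mechanism $m" ;;
        esac
    done

    [ "$fails" -eq 0 ] && echo "OK: all checks passed"
    return "$fails"
}
```

The return status is the number of failed checks, so 0 means the setup matches the steps above.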

One thought on “Froxlor with hashed (encrypted) passwords and sasl”

  1. Thanks for sharing this, Stefan! You definitely saved me some time investigating this issue.

    For my setup, I changed /etc/pam.d/smtp a bit:
    auth optional pam_mysql.so config_file=/etc/froxlor-pam-mysql.conf
    account required pam_mysql.so config_file=/etc/froxlor-pam-mysql.conf

    and /etc/froxlor-pam-mysql.conf is as follows:
    users.host = 127.0.0.1
    users.database = froxlor
    users.db_user = froxlor
    users.db_passwd = REPLACEME
    users.table = mail_users
    users.user_column = username
    users.password_column = password_enc
    users.password_crypt = 1
