Writing a Cyrus SASL LDAP auxprop for Postfix (SMTP AUTH)

| | Comments (3) | TrackBacks (1)
[Update 2009/06/25] Due to a variable scope bug Cyrus timsieved() can crash. The issue is resolved in version 1.2.2.

In case you are using this plugin, please update your installation. The source package can be found here:


The md5 checksum is 636e8261198ea69372058e858fc496e9.
You will need Cyrus SASL 2.1.23 to compile it! Please update your SASL 2.1.22 installation, a security fix has been introduced.

[Update] Version 1.2.1 now accesses any attribute requested by SASL, so the use of cmusaslsecret* is possible. In this version the parameter "gl_attribute" has been omitted.

Downloadlinks in this article have been corrected to get the 1.2.1 version.

NOOOOO! Don't talk about saslauthd(8). Customer wanted CRAM-MD5 and DIGEST-MD5 as authentication mechanism for his Postfix authenticated SMTP service. No, not just PLAIN. So saslauthd is out of the game.

Customer has a "mail password" in cleartext in his LDAP structure [Update: he is using cmusaslsecretCRAM-MD5 now] - especially for this kind of thing. Is it possible to use Postfix with that?

First - this is not a postfix issue. Customer had Postfix linked with cyrus sasl. Not a bad idea - but to use these LDAP entries you have to have an appropriate cyrus sasl auxprop. Why?

CRAM-MD5 and DIGEST-MD5 are shared secret algorithms. The server MUST know the cleartext password or the mechanisms' secrets in order to validate the answer sent by the client.

At the first look, I saw a "ldapdb" auxprop plugin which should just do that - and it failed because we did not have a SASL enabled OpenLDAP so ldapdb authentication failed. "*cmusaslsecretCRAM-MD5" (in the case of CRAM-MD5, replace it with DIGEST-MD5 when using DIGEST-MD5) and userPassword are requested from the sasl auxprop.

So here it goes - I had to write my own ldap auxprop. You may use it if you want. I will expain the way to write SASL auxprops in the next days to come, but for now - here is the source.

Use syslogd(8) to get debug messages (loglevel debug, facility auth).

My auxprop code needs cleartext passwords in your LDAP server in whatever attribute defined in your schema. It is freely configurable. WARNING! Passwords are sent between your LDAP server and your Server using Cyrus SASL when retrieving the value of "userPassword". Use an SSL link (and OpenSSL enabled OpenLDAP libraries).

To build this auxprop, you have to have:

  • a complete cyrus sasl 2.1.22 source tree, already configured with all Makefiles present
  • OpenLDAP libraries and include files with OpenSSL support
  • OpenSSL
Unpack the source distribution and you will see these files:

-rwxr-xr-x   1 root     root         765 Jun 20 21:25 compile
-rw-r--r--   1 root     root        5523 Jun 20 20:15 giengerldap.c
-rw-r--r--   1 root     root         637 Jun 20 20:15 giengerldap_init.c
-rw-r--r--   1 root     root        1447 Jun 20 21:25 Makefile
-rw-r--r--   1 root     root         807 Jun 20 21:24 Makefile.tmpl

Edit the shell script "compile":

The first two lines are configurable:

LDAPLIBS="-llber -lldap -lcrypto -lssl"

CYRUSSASLPATH is the complete path to your cyrus sasl build tree. You have to have configured this source tree with "./configure" already and don't forget to set openldap-options.

LDAPLIBS are the libraries needed to link OpenLDAP. Use "-lcrypto -ssl" if you have OpenSSL enabled OpenLDAP libraries. This is recommended as passwords are sent through the wire!

After you did that, just type "./compile" or "sh compile". It should produce an output similar to that:

# ./compile
/var/home/pascal/src/cyrus-sasl-2.1.22/libtool --mode=compile gcc -Wall -W -g -O2 -c -I/var/home/pascal/src/cyrus-sasl-2.1.22/include -I/var/home/pascal/src/cyrus-sasl-2.1.22/lib -I/var/home/pascal/src/cyrus-sasl-2.1.22/sasldb -I/var/home/pascal/src/cyrus-sasl-2.1.22/plugins/include

[... rest omitted ...]
/var/home/pascal/src/cyrus-sasl-2.1.22/libtool --mode=link gcc -module -export-dynamic -rpath /usr/local/bastion/lib/sasl2 -L/usr/local/bastion/lib -R/usr/local/bastion/lib -L/usr/local/bastion/lib -L/usr/local/lib -L/usr/sfw/lib -R/usr/local/bastion/lib -R/usr/local/lib -R/usr/sfw/lib -llber -lldap -lcrypto -lssl -version-info 2:22:0 \
giengerldap.lo giengerldap_init.lo /var/home/pascal/src/cyrus-sasl-2.1.22/plugins/plugin_common.lo -o libgiengerldap.la
mkdir .libs
(cd . && ln -s giengerldap.lo giengerldap.o)
(cd . && ln -s giengerldap_init.lo giengerldap_init.o)
/usr/ccs/bin/ld -G -h libgiengerldap.so.2 -o .libs/libgiengerldap.so.2.0.22  giengerldap.lo giengerldap_init.lo /var/home/pascal/src/cyrus-sasl-2.1.22/plugins/plugin_common.lo  -L/usr/local/bastion/lib -L/usr/local/lib -L/usr/sfw/lib -llber -lldap -lcrypto -lssl -lc
(cd .libs && rm -f libgiengerldap.so.2 && ln -s libgiengerldap.so.2.0.22 libgiengerldap.so.2)
(cd .libs && rm -f libgiengerldap.so && ln -s libgiengerldap.so.2.0.22 libgiengerldap.so)
creating libgiengerldap.la
(cd .libs && rm -f libgiengerldap.la && ln -s ../libgiengerldap.la libgiengerldap.la)

Type "make install" to install the auxprop - it will put the plugin in your sasl2 plugins dir (you defined it by configuring your cyrus sasl source tree!).

To use this plugin with Postfix, go to your sasl2 plugin directory (where all the sasl2 modules are located, as libcrammd5.so, libdigestmd5.so, and our new ldap auxprop plugin, ...) and set up a file named "smtpd.conf":

auxprop_plugin: giengerldap
gl_uri: ldaps://mycuteldapserver.mydomain
gl_basedn: o=myorganization,c=DE
gl_binddn: cn=smtpauth,o=myorganization,c=DE
gl_bindpw: mysuperpassword
gl_search: (|(uid=%s)(mail=%s@southbrain.com))

  • gl_uri: The LDAP URI to your ldap server
  • gl_basedn: The base DN used for your search request
  • gl_binddn: The LDAP user you use to bind to the directory
  • gl_bindpw: the password for binding the user
  • gl_search: The RFC LDAP filter to select the approriate dn to get the password needed. %s will re replaced by the user name, %r by the user-supplied realm, %h by the serverFQDN of the server using SASL auth.

That's it! Enable sasl in your Postfix main.cf and you will be able to authenticate with CRAM-MD5 and DIGEST-MD5.

Source tarball: giengerldap_auxprop-1.2.2.tar.gz
MD5 checksum: 636e8261198ea69372058e858fc496e9

Use at your own risk!
Feel free to ask me whatever question you want and enjoy it.

1 TrackBacks

Listed below are links to blogs that reference this entry: Writing a Cyrus SASL LDAP auxprop for Postfix (SMTP AUTH).

TrackBack URL for this entry: http://southbrain.com/mt/mt-tb.cgi/36

I’ve found again, that simple things don’t get so simple in OpenSource world, and you have to do it yourself when you want something. That’s the difference, in the world of commercial software you have to, either pay big money or you ... Read More


Thank you for the plugin!
The one thing that is missing for me is %r (realm) support in gl_search (like in saslauthd config). Is it possible to add this? Or just please give me a hint on how to obtain realm in giengerldap_auxprop_lookup() and I will do the rest.

Thank you.

I have included your suggestion. It is in 1.2.1.

%s will be replaced by the username, %r by the realm the user supplied and %h by the server name.

Hi, good soft. But, whats the license ?-)

December 2015

Sun Mon Tue Wed Thu Fri Sat
    1 2 3 4 5
6 7 8 9 10 11 12
13 14 15 16 17 18 19
20 21 22 23 24 25 26
27 28 29 30 31    


This blog is owned by:

Pascal Gienger
J├Ągerstrasse 77
8406 Winterthur

Google+: Profile
YouTube Channel: pascalgienger