Is there a way to make Postfix and Courier IMAP authenticate using the same
MySQL database? I found this but it is for Linux, so it uses PAM:
http://www.howtoforge.com/virtual_postfix_mysql_quota_courier
I found this Howto which was written recently and is intended for OpenBSD
systems, so I am going to try it.
Yes, of course. Don't bother with HOWTOs though, learn how the applications work and configure them accordingly. In my case, I use Courier's authdaemond with MySQL, and Cyrus SASL's support for authenticating against authdaemond.
I haven't read the link you posted, but just the idea of authenticating through PAM for mail service makes me want to puke. If you really want to read some examples, there are plenty over at the Postfix site.
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
That's asking a lot. Starting from a couple of how-to's and then
learning is a more efficient way. The danger, though, is to not
bother learning if you manage to make the red light go on, if you know[...]
I happen to be doing exactly what you are but I don't understand
the revulsion you harbour towards PAM in an email context. Can you
elaborate?
/juan
It's just as easy to learn offline. You don't have to plug into the
PAM is an over-engineered piece of bloatware. Why would you want to
abstract authentication when the bits you're using (Postfix/SASL,
Courier) already have native mechanisms (SASL smtpd->authdaemond,
Courier authdaemond) for talking to your backend store (MySQL)?
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
2008/6/2 Jason Dixon <jason@dixongroup.net>:
Thank you. I did hear, however, that you need to use PAM in order to
have credentials encrypted (on the backend) in the scenario we're
describing. It felt weird populating MySQL with cleartext usernames
and passwords.
/juan
Nope, you can store the md5-hashed passwords in MySQL. Authdaemond
reads them fine.
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
Ah, md5. Is that still considered 'encryption'? No, I'm not a troll,
just wanting to learn.
What do you think of using cleartext in the backend? Is that a
terrible mistake?
/juan
My password md5 is b58a34a2c0fd8eb9c5a193b2a60ecc60. What's my password?
Ted, I think you are confusing matters.
md5 is a cryptographic hash, it surely transforms text into bit soup,
but that is not the same as an encryption function. For an
encryption function, you want to have a corresponding computationally
feasible decryption function. For hashes you're better off if no such
function exists. Also, many texts have the same md5 output. For an
encryption function that would be a major problem.
-Otto
Indeed. I interpreted the use of the word "still" to be a question
regarding the security or strength of MD5, not the nature of the
mechanism.
Oh, in that case I'd think md5 is still reasonably good as a password hash,
-Otto
No, it is terrible. It is too fast. You can screw around and wrap a bunch
of baloney layers around it, but it is still going to be too fast. If
you actually wanted to do things right, look at our bcrypt. It was
designed.
If you're worried about someone reading md5 passwords out of your
database, you have bigger problems than the strength of your hashing
Yes, in so much as losing email passwords for virtual accounts is a
terrible mistake. There are worse things to lose sleep over.
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
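The "too fast" objection to MD5 raised above can be measured. The following is an added example, not code from any poster in this thread: it times unsalted MD5 against a salted, iterated hash, with PBKDF2-HMAC-SHA256 from the Python standard library standing in for bcrypt (which needs a third-party module). The iteration count and function names are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000  # assumed work factor, chosen for this example


def md5_hex(password):
    """Unsalted MD5 hex digest, the storage scheme discussed in the thread."""
    return hashlib.md5(password.encode()).hexdigest()


def slow_hash(password, salt=None, iterations=ITERATIONS):
    """Salted, iterated hash; PBKDF2 stands in for bcrypt here."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2-sha256${iterations}${salt.hex()}${dk.hex()}"


def slow_verify(password, stored):
    """Recompute with the stored salt and cost, compare in constant time."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def seconds_per_guess(hash_fn, rounds):
    """Average wall-clock cost of hashing one candidate password."""
    start = time.perf_counter()
    for i in range(rounds):
        hash_fn(f"candidate-{i}")
    return (time.perf_counter() - start) / rounds


def compare_costs():
    """Cost per guess for both schemes and the resulting slowdown factor."""
    md5_cost = seconds_per_guess(md5_hex, 20_000)
    kdf_cost = seconds_per_guess(lambda p: slow_hash(p, salt=b"\0" * 16), 3)
    return {"md5": md5_cost, "kdf": kdf_cost, "slowdown": kdf_cost / md5_cost}


if __name__ == "__main__":
    costs = compare_costs()
    print(f"MD5:    {1 / costs['md5']:,.0f} guesses/second")
    print(f"PBKDF2: {1 / costs['kdf']:,.1f} guesses/second")
    print(f"slowdown factor: {costs['slowdown']:,.0f}x")
```

Two accounts with the same password get the same unsalted MD5 value but different salted hashes, so a leaked table of the latter cannot be attacked with one precomputed lookup.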
This is what I want to do and I might be able to do it now that I found a
Howto for OpenBSD mail servers, but I will need to install Postfix with sasl2
and mysql support and such a package is not available.
# cd /usr/ports/mail/postfix/snapshot
# FLAVOR='sasl2 mysql' make package
--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
Thanks, I have tried this but although it compiled, it would not install.
I am going to remove my ports tree and get a new one, then I will try again.
I used something a bit different:
# env FLAVOR="sasl2 mysql" make install
I would rather make a package, though, so I will try your suggestion next
time. Someone on IRC told me the install worked for them, so I suspect my
problem is my ports tree.
I cannot (and do not) speak for Jason, but as I have discovered for
myself, PAM epitomizes the general linux approach: "if it is a critical
system component, don't simplify -- over-design!" Yes, it is highly
configurable and very flexible/powerful/blah/blah... and I even came
across one instance where some of this power and flexibility was being
put to good use. BUT in the vast majority of cases it is not warranted.
Do you _really_ need a multi-layered gizmo with a multitude of loadable
modules and innumerable configuration files just to do basic
authentication? How safe do you really feel when your system security
depends on a beast with so many points of failure? (here is a small
example: In all linux distros I've tried, the sshd_config file contains
the directives: 'PasswordAuthentication no' and 'UsePAM yes'. So guess
what happens when you try to ssh in with just a password? want to be
the first to write a HowTo for configuring PAM to require host-keys but
only for ssh? [I'm not being facetious -- I admin some systems that are
linux and cannot be converted to OpenBSD.])
Sure, it would be nice to learn how things work, but I don't want to have to
I found another Howto and it does not use PAM.
If that's the case, then why are you building a {car | mail server} when
you could just buy one to {drive | use}?
If you want easy, then just download Zimbra or Exchange and
next-next-next. If you want to learn something, then learn something.
