Hello, I'm building a Postfix+Cyrus+Mysql mail system in Debian 4.0. The aim is to be secure, "hosting-friendly", Debian-friendly and have good performance, which, simplifying a bit, means that I'd like:

- R1: users' passwords to be encrypted with sha1
- R2: users' credentials in an SQL database (mysql)
- R3: use standard etch packages (so maintenance won't be a PITA)
- R4: minimize the number of SQL queries and the number of processes
- R5: use of unix sockets for the connection to mysql (since the db is local), whenever possible

Issues:

1) I'm trying to avoid the saslauthd->pam->mysql trick for SASL authentication. Instead of that, I've configured auxprop + the sql plug-in, but it doesn't support encrypted passwords. Any ideas/alternatives?
   a) It seems the optimal alternative would be to apply: http://www.gergely.risko.hu/patches/0099_auxcrypt.dpatch
   It's simple to rebuild the Debian packages including the patch, but then I'll have to maintain them (it breaks R3). Other ideas? I think that PAM supports crypt but I'm not sure about sha1... Is there another way to do it without PAM?

2) The auxprop->sql module is duplicating the queries needed to perform "smtp authentication" (via SASL). In particular, I've observed that it launches two queries, where %p equals 'userPassword' and 'cmusaslsecretPLAIN' respectively. Is it possible to fix that? (Indeed it is common not to use the %p variable at all.)

3) In order to be compliant with R4, does Postfix have any option for caching (mysql-)table look-up results and/or reusing the SQL connection to the db? I've found that having virtual users, virtual aliases, virtual domains, the virtual relocated table, etc. in different SQL tables may have a certain cost in system resources (Postfix generates several different connections to the db server instead of reusing them, which implies several mysqld threads/processes...).

4) Last, a simple question (I hope...): is it possible to configure an access table to return a multi-line message (that means multiple 5.7.1 lines)? (Please note that it's *not* the same as multiple lines in the access table config file, because then all of them are merged into *one* 5.7.1 message.)

Thank you.

Cheers,
-Roman
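One way to cover R4/R5 and question 3 with the stock etch Postfix, as an added configuration example that is not part of the original post: the mysql_table(5) `hosts` parameter accepts a `unix:` socket path, and the `proxy:` map prefix routes lookups through the single long-running proxymap(8) daemon, so the many short-lived smtpd/cleanup/trivial-rewrite processes stop opening their own MySQL connections. The file paths, database/table/column names and the `postfix_ro` account are assumptions for illustration.

```ini
# --- /etc/postfix/mysql_virtual_mailbox.cf (assumed path; constructed example) ---
# Holds credentials, so keep it out of world-readable space:
#   chown root:postfix /etc/postfix/mysql_virtual_mailbox.cf
#   chmod 0640        /etc/postfix/mysql_virtual_mailbox.cf
# Use a read-only MySQL account: Postfix only ever SELECTs from these tables.
user     = postfix_ro
password = CHANGE_ME_placeholder
dbname   = mail
# R5: local unix socket instead of TCP. The path is the Debian default for
# mysqld; check "socket" in /etc/mysql/my.cnf if it differs.
hosts    = unix:/var/run/mysqld/mysqld.sock
# %s is replaced by the lookup key (the full recipient address).
query    = SELECT maildir FROM mailbox WHERE username = '%s' AND active = 1

# --- /etc/postfix/mysql_virtual_alias.cf (assumed path; constructed example) ---
user     = postfix_ro
password = CHANGE_ME_placeholder
dbname   = mail
hosts    = unix:/var/run/mysqld/mysqld.sock
query    = SELECT goto FROM alias WHERE address = '%s' AND active = 1

# --- /etc/postfix/main.cf (relevant lines only) ---
# R4: the proxy: prefix makes proxymap(8) perform the lookup and hold the
# MySQL connection open, shared by all client processes, instead of each
# smtpd/cleanup process opening its own connection (and mysqld thread).
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox.cf
virtual_alias_maps   = proxy:mysql:/etc/postfix/mysql_virtual_alias.cf
# proxymap only serves tables named in proxy_read_maps; the shipped default
# already lists $virtual_mailbox_maps and $virtual_alias_maps (verify with
# "postconf proxy_read_maps" before relying on it).
```

After editing, `postmap -q user@example.com proxy:mysql:/etc/postfix/mysql_virtual_mailbox.cf` checks a single lookup through the proxy path, and `ls -l /var/run/mysqld/` plus `SHOW PROCESSLIST` in mysql show whether only the proxymap connection remains.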