SQL Authentication Howto

NOTE: This page is a work in progress, and has not been tested. It may or may not be of any use, may contain numerous errors, and may turn your tongue a strange color. Use at your own risk.

First, install and configure MySQL (root user and password, access rules, firewall rules, etc) following the directions found on numerous web sites on the internet. This will be operating system dependent, and vary based on your needs.

Next, install Horde and IMP, following directions found elsewhere on this wiki. Specific instructions vary by operating system and your access to the system.

Then, install dovecot, following the instructions on http://wiki.dovecot.org/ and configure dovecot to use MySQL as per the directions at http://wiki.dovecot.org/AuthDatabase/SQL

We will assume that dovecot's SQL database is setup like the example at http://wiki.dovecot.org/AuthDatabase/SQL:

CREATE TABLE users (
    userid VARCHAR(128) NOT NULL,
    domain VARCHAR(128) NOT NULL,
    password VARCHAR(64) NOT NULL,
    home VARCHAR(255) NOT NULL,
    uid INTEGER NOT NULL,
    gid INTEGER NOT NULL
);

Now, configure IMP:

Edit/Create horde/imp/config/servers.local.php and set 'hordeauth' => 'full' so users only need to login once (Horde passes authentication data to IMP)

Now, configure Horde:

Backup your horde/config/conf.php file
Backup any relevant MySQL databases, if they have live/important data in them
Log in to Horde as an administrative user
Navigate: Administration -> Setup -> Horde, and select the Authentication tab.
Switch the authentication backend driver to "SQL authentication w/custom-made queries"
Set the phptype setting to "MySQL"
Set the protocol values appropriately for your situation.
Set the username and password parameters to the SQL database username and password you set when creating the database.
Set the database field to the name of the database that contains the credential data - in this example, "users".
Choose the appropriate encryption algorithm for your authentication data. This obviously should match the algorithm that was used to create any existing credentials.

If you are not using domains, then use the following queries:

For query_auth, enter: SELECT * FROM users WHERE userid = \L AND password = \P
For query_add, enter: INSERT INTO users (userid, password, home) VALUES (\L, \P), concat('/home/', \L)) NB: You may need to change the "home" value to point to their home directory or file space; This value is not needed/used by Horde.
For query_getpw, enter: SELECT password FROM users WHERE userid = \L
For query_update, enter: UPDATE users SET userid = \L WHERE userid = \O
For query_resetpassword, enter: UPDATE users SET password = \P WHERE userid = \L
For query_remove, enter: DELETE FROM users WHERE userid = \L
For query_list, enter: SELECT * FROM users
For query_exists, enter: SELECT 1 FROM users WHERE userid = \L

If you are using domains, then use the following queries:

For query_auth, enter: SELECT * FROM users WHERE userid = SUBSTRING_INDEX(\L, '@', 1) AND domain = SUBSTRING_INDEX(\L, '@', -1) AND password = \P
For query_add, enter: INSERT INTO users (domain, userid, password, home) VALUES ( SUBSTRING_INDEX(\L, '@', -1), SUBSTRING_INDEX(\L, '@', 1), \P, '/home/\L')
For query_getpw, enter: SELECT password FROM users WHERE userid = SUBSTRING_INDEX(\L, '@', 1) AND domain = SUBSTRING_INDEX(\L, '@', -1)
For query_update, enter: UPDATE users SET userid = SUBSTRING_INDEX(\L, '@', 1) AND domain = SUBSTRING_INDEX(\L, '@', -1) WHERE userid = SUBSTRING_INDEX(\O, '@', 1) AND domain = SUBSTRING_INDEX(\O, '@', -1);
For query_resetpassword, enter: UPDATE users SET password = \P WHERE userid = SUBSTRING_INDEX(\L, '@', 1) AND domain = SUBSTRING_INDEX(\L, '@', -1)
For query_remove, enter: DELETE FROM users WHERE userid = SUBSTRING_INDEX(\L, '@', 1) AND domain = SUBSTRING_INDEX(\L, '@', -1)
For query_list, enter: SELECT * FROM users
For query_exists, enter: SELECT 1 FROM users WHERE SUBSTRING_INDEX(\L, '@', 1) AND domain = SUBSTRING_INDEX(\L, '@', -1)

NB: We do not (in this wiki page) use the uid/gid fields. If you need these fields, you will need to modify the queries to include them, as appropriate. In the same vain, you could add additional fields as well, if needed or desired.

If you need to use multiple virtual domains, you might see the web page http://wiki.vpslink.com/HOWTO:_ISP-style_Email_Server_with_Debian-Etch_and_Postfix_2.3 which could provide much inspiration for the sql database setup.

Comment from another user: You can also do it the other way - let Dovecot authenticate against the Horde users table, like I do:

1. Add a dovecot user to the SQL server (I use PostgreSQL).
2. Amend permissions for the the 'horde_users' table to give the 'dovecot' user read (SELECT) permission.
3. Use the following (amend as needed - the example assumes you are using PostgreSQL) in /etc/dovecot/dovecot-sql.conf:

#/etc/dovecot/dovecot-sql.conf
driver = pgsql
connect = host=localhost dbname=horde user=dovecot password=
default_pass_scheme = MD5-CRYPT
password_query = SELECT user_uid AS username, user_pass AS password FROM horde_users WHERE user_uid = '%u'
iterate_query = SELECT user_uid AS username FROM users

4. I use a static user database in Dovecot, so I didn't need the "user_query"
5. Add the following to /etc/dovecot/dovecot.conf:

userdb {
args = uid=vmail gid=vmail home=/srv/dovecot/%u
driver = static
}

passdb {
driver = sql
args = /etc/dovecot/dovecot-sql.conf
}

Amend the above to suit your setup. Don't forget to set MD5-CRYPT as password encryption in Horde as well. One advantage of doing things this way is that passwords can be changed and new users added through Horde - and they will apply to Dovecot as well.

Comment from Deny Dias <deny at macpress dot com dot br>: Integrating Horde to ViMbAdmin

From http://www.vimbadmin.net/:

"The ViMbAdmin project (vim-be-admin) provides a web based virtual mailbox administration system allowing mail administrators to manage domains, mailboxes and aliases."

To integrate ViMbAdmin as an authentication backend to Horde, you can follow this quite simple steps. Pay attention that this method DO NOT take into account multiple virtual domains. It also do not provides the functions to UPDATE and DELETE users at ViMbAdmin database as this may extend vulnerability surface. Just count on ViMbAdmin for the regular user management (CRUD).

1. In your database, grant to the horde user just the minimal set of required permissions at ViMbAdmin mailbox table:

GRANT SELECT (`username`, `password`, `active`) ON `vimbadmin`.`mailbox` TO 'horde'@'localhost'; FLUSH PRIVILEGES;

2. Configure basic database access as shown above, but use the horde user credentials and prefer unix socket to database connection.

3. Add these queries to Horde configuration:

query_auth: SELECT username, password FROM mailbox WHERE username = \L AND password = \P AND active = 1
query_getpw: SELECT password FROM mailbox WHERE username = \L AND active = 1
query_list: SELECT username FROM mailbox WHERE active = 1
query_exists: SELECT 1 FROM mailbox WHERE username = \L AND active = 1

4. Leave query_add, query_update, query_resetpassword and query_remove blank.

5. Set [auth][params][encryption] to the algorithm that fit your needs.

Generate the new configuration file and you're done.