[PREV] | [UP] | [NEXT]

SMTP SASL Authentication and TLS Support:

This is an optional configuration feature you can use if you want users to be able to use your SMTP server as a relay. The SMTP authentication service is based on SASL which provides an ldap interface to provide information for it's authentication mechanisms. On debian you can install the necessary SASL libraries, binaries and modules by entereing:
apt-get install libsasl2 libsasl2-modules sasl2-bin

Then, to make postfix interact with SASL a do the following:

  • add the user postfix to the group sasl
  • change the chroot flag for the smtpd in /etc/postfix/master.cf to n:
    smtp      inet  n       -       n       -       -       smtpd

    Now, create a subdirectory called sasl in /etc/postfix. It will contain our SASL configuration files. You get a startup script together with the SASL binaries (etc/init.d/saslauthd) which needs to be edited. Find the part where the mechanism checks are defined (for i in ${MECHANISMS}; do) and modify the config file path:
    PARAMS="${PARAMS} -a ${i} -O /etc/postfix/sasl/saslauthd.conf

    Now, edit the /etc/default/saslauthd file. It should contain the following lines:

    In the next step, we create a file in /etc/postfix/sasl/saslauthd.conf. It should contain the following lines:
    ldap_servers: ldap://
    ldap_bind_dn: uid=vmail,ou=system-users,dc=dot
    ldap_bind_pw: *******
    ldap_auth_method: bind
    ldap_search_base: dc=dot
    ldap_search_filter: (uid=%u)
    ldap_password_attr: userPassword
    ldap_verbose: 1
    With this you define which parameters saslauthd should use for authentication with the ldap mechanism. The directives are pretty straightforward. The search filter and result attribute are chosen to match the uid belonging to a sender address with the password.

    Then we also create a file /etc/postfix/sasl/smtpd.conf. This file is necessary for SASL to determine which facilities it is supposed to provide authentication for. The file only contains two directives:
    pwcheck_method: saslauthd
    mech_list: login
    With this we give SASL information to use it's authentication daemon and the login mechanism. SASL supports more sophisticated authentication mechanisms than login, but postfix does not. This is also why we want to use TLS for encryption of the authentication process.

    TLS setup

    To make sure that postfix has TLS support, install the package postfix-tls or compile postfix with ssl.

    Create your certificates for the SSL engine:

    We start by creating a certificate for our own local certificate authority to sign with. If you have openssl installed, then there should be a perl script called CA.pl in /usr/lib/ssl/misc or similar location. To create the certificate authority use the following command:
    CA.pl -newca
    Enter the correct information in the interactive dialogue.

    Proceed with making a certificate request for your mailhost:
    CA.pl -newreq

    Finally, sign your certificate request with your self-created certificate authority
    CA.pl -sign
    This will create a file called newcert.pem which is our signed server certificate.

    We need to strip the passphrase from it, otherwise postfix cannot verify non-interactively:
    openssl rsa -in newreq.pem -out key.pem

    Create a directory in /etc/postfix/cert and move the files cacert.pem, newcert.pem and key.pem into this directory (they were generated in your /usr/lib/ssl directory in the previous step). Now we can include the needed directives for TLS in postfix' main.cf file:
    # The following options set parameters needed by Postfix to enable
    # Cyrus-SASL support for authentication of mail clients.
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_local_domain = $myhostname
    broken_sasl_auth_clients = yes
    smtpd_recipient_restrictions =
    smtpd_use_tls = yes
    smtpd_tls_key_file = /etc/postfix/cert/key.pem
    smtpd_tls_cert_file = /etc/postfix/cert/newcert.pem
    smtpd_tls_CAfile = /etc/postfix/cert/cacert.pem
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
    smtpd_tls_auth_only = yes

    The last directive is the most crucial here. It determines, that smtp authentication will only be allowed via TLS, so nobody can inadvertedly authenticate with plaintext passwords. The paths to the key and certificate files are in accordance with our directory organization, you can put them elsewhere too. The rest of the directives are more or less up to you (random source, timeout loglevel etc.)

    Finishing up

    Create these two empty files to prevent constant not found error messages:
    touch /etc/opiekeys
    touch /etc/srvtab

    With this you have postfix fully configured for sasl/tls. Restart the postfix server and make sure the saslauthd is running.


  • http://postfix.state-of-mind.de/patrick.koetter/smtpauth/

    [PREV] | [UP] | [NEXT]