This is an optional configuration feature you can use if you want users to be able to use your SMTP server as a relay after authenticating. The SMTP authentication service is based on SASL, which provides an LDAP interface to supply the information for its authentication mechanisms. On Debian you can install the necessary SASL libraries, binaries and modules by entering:
    apt-get install libsasl2 libsasl2-modules sasl2-bin
Then, to let Postfix talk to saslauthd, make sure the smtpd service in /etc/postfix/master.cf is not chrooted (the fifth column, chroot, set to n); a chrooted smtpd cannot reach the saslauthd socket and every AUTH attempt fails:
    smtp      inet  n       -       n       -       -       smtpd
Now, create a subdirectory called sasl in /etc/postfix. It will contain our SASL configuration files. The SASL binaries come with a startup script (/etc/init.d/saslauthd) which needs to be edited. Find the loop where the mechanism options are built (for i in ${MECHANISMS}; do) and add the path of our configuration file to the saslauthd parameters:
    PARAMS="${PARAMS} -a ${i} -O /etc/postfix/sasl/saslauthd.conf"
Now, edit the /etc/default/saslauthd file. It should contain the following lines (on newer Debian releases the init script is not meant to be edited; there the -O /etc/postfix/sasl/saslauthd.conf option goes into the OPTIONS variable of this file instead):
    START=yes
    MECHANISMS="ldap"
In the next step, we create the file /etc/postfix/sasl/saslauthd.conf. It should contain the following lines. Since it holds the bind password, make it readable by root only (chmod 600). With ldap_auth_method: bind, saslauthd authenticates by binding to the directory as the user, so the directory never discloses password hashes; ldap_password_attr is only consulted by the custom auth method and is harmless here:
    ldap_servers: ldap://127.0.0.1/
    ldap_bind_dn: uid=vmail,ou=system-users,dc=dot
    ldap_bind_pw: *******
    ldap_auth_method: bind
    ldap_search_base: dc=dot
    ldap_search_filter: (uid=%u)
    ldap_password_attr: userPassword
    ldap_verbose: 1
Then we also create the file /etc/postfix/sasl/smtpd.conf. This file tells the SASL library how to check passwords and which mechanisms smtpd may offer. The file only contains two directives. Note that LOGIN is a non-standard mechanism used mainly by older Outlook clients; most other clients use PLAIN, so mech_list: plain login serves more of them (both are plaintext mechanisms, which is why the TLS setup below matters):
    pwcheck_method: saslauthd
    mech_list: login
To make sure that Postfix has TLS support, install the package postfix-tls or compile Postfix with SSL (on recent Debian releases TLS support is built into the postfix package itself).
We start by creating a certificate for our own local certificate authority to sign with. If you have openssl installed, there should be a perl script called CA.pl in /usr/lib/ssl/misc or a similar location; run it from a working directory of your choice, as it creates its files relative to the current directory. To create the certificate authority use the following command:
    CA.pl -newca
Proceed with making a certificate request for your mailhost:
    CA.pl -newreq
Finally, sign your certificate request with your self-created certificate authority:
    CA.pl -sign
The private key generated by CA.pl -newreq is encrypted with a passphrase. We need to strip the passphrase from it, otherwise Postfix cannot load the key non-interactively at startup (newer versions of CA.pl write the key to newkey.pem instead of newreq.pem; use that file as input if it exists):
    openssl rsa -in newreq.pem -out key.pem
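For readers who prefer explicit openssl commands to the CA.pl wrapper, the following script is an added example (not part of the original page) that produces the same three files, cacert.pem, newcert.pem and key.pem, ready to be copied to /etc/postfix/cert. The CA name "Example Mail CA", the output directory argument and the certificate lifetimes are arbitrary choices of this example; the server key is created without a passphrase from the start, so the separate stripping step is not needed, and the umask keeps both private keys readable by their owner only.

```shell
#!/bin/sh
# make_mail_certs OUTDIR MAILHOST
# Create a private CA and a signed, passphrase-less server certificate for
# postfix with plain openssl commands (equivalent of CA.pl -newca/-newreq/-sign).
make_mail_certs() {
    outdir=$1
    host=$2
    [ -n "$outdir" ] && [ -n "$host" ] || return 1
    mkdir -p "$outdir" || return 1
    (
        umask 077                      # private keys end up mode 600
        cd "$outdir" || exit 1
        # 1. CA key and self-signed CA certificate (what CA.pl -newca does).
        #    "Example Mail CA" is an assumed name, change it to taste.
        openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
            -subj "/CN=Example Mail CA" \
            -keyout cakey.pem -out cacert.pem 2>/dev/null || exit 1
        # 2. Server key and certificate request (CA.pl -newreq); -nodes leaves
        #    the key unencrypted so postfix can load it without a prompt.
        openssl req -new -newkey rsa:2048 -nodes \
            -subj "/CN=$host" \
            -keyout key.pem -out newreq.pem 2>/dev/null || exit 1
        # 3. Sign the request with our CA (CA.pl -sign). The subjectAltName
        #    extension is what modern mail clients match the host name against.
        printf 'subjectAltName=DNS:%s\n' "$host" > san.cnf
        openssl x509 -req -in newreq.pem -CA cacert.pem -CAkey cakey.pem \
            -CAcreateserial -days 730 -extfile san.cnf \
            -out newcert.pem 2>/dev/null || exit 1
        rm -f san.cnf
        # 4. Sanity check: the new certificate must chain to the CA.
        #    cakey.pem is not needed by postfix; keep it off the mail host.
        openssl verify -CAfile cacert.pem newcert.pem >/dev/null 2>&1 || exit 1
    )
}

# cert_covers_host CERTFILE HOST: does the certificate name this host?
cert_covers_host() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# usage: sh make_mail_certs.sh /etc/postfix/cert mail.example.org
if [ $# -eq 2 ]; then
    make_mail_certs "$1" "$2" && echo "certificates written to $1"
fi
```

After running it, only cacert.pem, newcert.pem and key.pem need to go to /etc/postfix/cert; the CA key (cakey.pem) should be kept somewhere safer, since whoever holds it can issue certificates your server trusts.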
Create the directory /etc/postfix/cert and move the files cacert.pem (CA.pl puts it under demoCA/ in the directory you ran it from), newcert.pem and key.pem into it. Since key.pem is now unencrypted, make it readable by root only (chmod 600). Now we can include the needed directives for SASL and TLS in Postfix's main.cf file:
    # SASL SUPPORT FOR CLIENTS
    #
    # The following options set parameters needed by Postfix to enable
    # Cyrus-SASL support for authentication of mail clients.
    #
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_local_domain = $myhostname
    broken_sasl_auth_clients = yes
    smtpd_recipient_restrictions = permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination
    smtpd_use_tls = yes
    smtpd_tls_key_file = /etc/postfix/cert/key.pem
    smtpd_tls_cert_file = /etc/postfix/cert/newcert.pem
    smtpd_tls_CAfile = /etc/postfix/cert/cacert.pem
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    tls_random_source = dev:/dev/urandom
    smtpd_tls_auth_only = yes
The last directive is the most crucial here. It ensures that SMTP authentication is only offered after STARTTLS, so nobody can inadvertently send a plaintext password over an unencrypted connection; the LOGIN and PLAIN mechanisms transmit the password as-is, so without this directive a passive eavesdropper would capture it. The order in smtpd_recipient_restrictions matters too: permit_sasl_authenticated and permit_mynetworks must come before reject_unauth_destination, otherwise the server is an open relay for nobody or for everybody. On Postfix 2.3 and later, smtpd_tls_security_level = may replaces smtpd_use_tls = yes. The paths to the key and certificate files follow our directory organization; you can put them elsewhere too. The rest of the directives are more or less up to you (random source, timeout, loglevel, etc.).
Create these two empty files to prevent the SASL library from logging constant "not found" errors for them:
    touch /etc/opiekeys
    touch /etc/srvtab
With this you have Postfix fully configured for SASL/TLS. Restart the Postfix server and make sure saslauthd is running; testsaslauthd (from sasl2-bin) lets you check the LDAP lookup on its own, and an EHLO before and after STARTTLS shows whether AUTH is really only offered inside TLS.
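The following check script is an added example, not part of the original page. It verifies the two things that matter once Postfix is restarted: that saslauthd can authenticate a directory user (via testsaslauthd from sasl2-bin), and that the server hides AUTH on the plaintext EHLO but advertises it after STARTTLS, which is the effect smtpd_tls_auth_only = yes must have. The host name, user and password are arguments you pass in; nc and openssl s_client are used for the live probes, while the parsing functions can be exercised on captured responses.

```shell
#!/bin/sh
# Verify SMTP AUTH over TLS on a finished postfix/saslauthd setup.

# auth_mechs RESPONSE: print the mechanism list from the first AUTH line of
# an EHLO response ("250-AUTH LOGIN PLAIN" or the "250-AUTH=..." form that
# broken_sasl_auth_clients adds); prints nothing if AUTH is not advertised.
auth_mechs() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^250[ -]AUTH[ =]//p' | head -n 1
}

# auth_only_ok PLAIN_RESPONSE TLS_RESPONSE: succeed only when the plaintext
# EHLO hides AUTH and the post-STARTTLS EHLO offers it.
auth_only_ok() {
    [ -z "$(auth_mechs "$1")" ] && [ -n "$(auth_mechs "$2")" ]
}

# ehlo_plain HOST: EHLO over a plain TCP connection to port 25.
ehlo_plain() {
    printf 'EHLO check.local\r\nQUIT\r\n' | nc -w 5 "$1" 25
}

# ehlo_tls HOST: EHLO after STARTTLS; openssl performs the STARTTLS handshake
# and then relays our EHLO inside the TLS session.
ehlo_tls() {
    printf 'EHLO check.local\r\nQUIT\r\n' \
        | openssl s_client -quiet -starttls smtp -connect "$1:25" 2>/dev/null
}

# check_server HOST: compare the two EHLO responses and report.
check_server() {
    plain=$(ehlo_plain "$1")
    tls=$(ehlo_tls "$1")
    if auth_only_ok "$plain" "$tls"; then
        echo "OK: AUTH only offered after STARTTLS (mechanisms: $(auth_mechs "$tls"))"
    else
        echo "FAIL: plaintext EHLO offers [$(auth_mechs "$plain")]," \
             "TLS EHLO offers [$(auth_mechs "$tls")]"
        return 1
    fi
}

# check_saslauthd USER PASS: exercise saslauthd's LDAP lookup without postfix.
check_saslauthd() {
    testsaslauthd -s smtp -u "$1" -p "$2"
}

# usage: sh check_smtp_auth.sh mail.example.org [user password]
if [ $# -ge 1 ]; then
    check_server "$1"
    if [ $# -ge 3 ]; then check_saslauthd "$2" "$3"; fi
fi
```

If the plaintext EHLO lists AUTH, smtpd_tls_auth_only is not in effect (typo in main.cf, or Postfix not reloaded); if neither EHLO lists it, check that smtpd is not chrooted and that saslauthd is running with the right mechanism.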