Differences between revisions 10 and 11
Revision 10 as of 2004-12-26 23:33:10
Size: 2807
Editor: anonymous
Comment:
Revision 11 as of 2005-03-21 19:11:11
Size: 2885
Editor: anonymous
Comment:
Deletions are marked with -, additions with +.
Line 13:
- 3) Run saslauthd with /etc/init.d/saslauthd start
+ 3) Run saslauthd with {{{invoke-rc.d saslauthd start}}} or {{{/etc/init.d/saslauthd start}}}
Line 18:
-   smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
Line 21 (old) / Line 20 (new):
+ 
+ And modify {{{smtpd_recipient_restrictions}}} to include:{{{
+  permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
+ }}}
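Review bot: the rewording at old line 18 / new line 20 turns a complete assignment into an instruction to "include" three values in an existing list, but it drops the hint that their order is what makes the setup safe. Postfix evaluates smtpd_recipient_restrictions left to right, so a reader who appends these to a list that already ends in reject_unauth_destination, or who places that reject first, will have authenticated users refused relaying (or, worse, an open relay if a permit lands before an existing reject). Suggest keeping the full resulting line as an example, e.g. "smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination", and saying explicitly that reject_unauth_destination must come after the two permits. The invoke-rc.d addition at line 13 is fine.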

The following steps are required to set up Postfix 2.1 with SMTP-AUTH over SASL2, authenticating against PAM, while smtpd keeps running in its chroot() environment:

0) Install libsasl2-modules, postfix, postfix-tls, sasl2-bin

1) Create a file /etc/postfix/sasl/smtpd.conf:

  pwcheck_method: saslauthd
  mech_list: PLAIN LOGIN

2) Edit /etc/default/saslauthd and enable saslauthd by setting:

  START=yes

3) Run saslauthd with invoke-rc.d saslauthd start or /etc/init.d/saslauthd start

4) Edit /etc/postfix/main.cf and add (broken_sasl_auth_clients additionally announces AUTH in the obsolete "AUTH=" form that some older Microsoft clients expect; leave it at no if you have no such clients):

  smtpd_sasl_local_domain = $myhostname
  smtpd_sasl_auth_enable = yes
  broken_sasl_auth_clients = yes

And modify smtpd_recipient_restrictions to include:

 permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination

5) Add the user "postfix" to the group "sasl", because the saslauthd socket directory is only accessible to that group:

  adduser postfix sasl

6) Create a bind mount so that the Unix socket of saslauthd is reachable both inside the Postfix chroot() and on the normal system. To do this, edit /etc/fstab and add:

  /var/run/saslauthd /var/spool/postfix/var/run/saslauthd bind bind 0 0

7) Activate the previously created fstab entry:

  cd /var/spool/postfix
  mkdir -p var/run/saslauthd
  mount /var/spool/postfix/var/run/saslauthd

8) (Optionally) Create a new PAM fragment:

  cd /etc/pam.d
  cp other smtp

9) (Optionally) Now edit that PAM fragment and adjust it to your needs.

  editor /etc/pam.d/smtp

10) Restart (reloading is not enough, since the running smtpd processes must pick up the new group membership) Postfix with:

  /etc/init.d/postfix restart

That's it, you're done, everything should work fine now.

Instead of creating the bind mount you can disable chroot()ing for the smtpd service by setting its chroot column to n in /etc/postfix/master.cf.

-- Lennart Poettering
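As an added check (example code, not part of the wiki page and not Postfix's own tooling), the following POSIX shell script verifies the outcome of steps 4 and 6 above against configuration files. It confirms that main.cf enables SASL and keeps permit_sasl_authenticated and permit_mynetworks ahead of reject_unauth_destination, which matters because Postfix evaluates smtpd_recipient_restrictions left to right, and that /etc/fstab carries the bind-mount line for the saslauthd socket. The function names and the sample main.cf and fstab contents are constructed for the demonstration; point the functions at the real /etc/postfix/main.cf and /etc/fstab to check a live host.

```shell
#!/bin/sh
# Added example, not from the original page: sanity checks for the
# Postfix + saslauthd setup. Paths follow the page; the sample files
# written by write_samples are constructed here for demonstration.

# Print the value of a main.cf parameter ("key = value"); the last
# occurrence wins, as in Postfix. Usage: postconf_value <file> <parameter>
postconf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Return 0 when smtpd_recipient_restrictions lists permit_sasl_authenticated
# and permit_mynetworks before reject_unauth_destination. Postfix evaluates
# the list left to right, so a reject placed first would refuse relaying
# for authenticated clients. Usage: restrictions_ordered <main.cf>
restrictions_ordered() {
    r=$(postconf_value "$1" smtpd_recipient_restrictions | tr -d ' ')
    case "$r" in
        *permit_sasl_authenticated*reject_unauth_destination*) ;;
        *) return 1 ;;
    esac
    case "$r" in
        *permit_mynetworks*reject_unauth_destination*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when the step-4 settings are present and correctly ordered.
# Usage: sasl_enabled <main.cf>
sasl_enabled() {
    [ "$(postconf_value "$1" smtpd_sasl_auth_enable)" = "yes" ] &&
    [ -n "$(postconf_value "$1" smtpd_sasl_local_domain)" ] &&
    restrictions_ordered "$1"
}

# Return 0 when fstab has the step-6 bind mount of the saslauthd socket
# directory into the Postfix chroot ("bind bind" or "none bind" forms).
# Usage: fstab_has_bind <fstab>
fstab_has_bind() {
    grep -Eq '^[^#]*[[:space:]]/var/spool/postfix/var/run/saslauthd[[:space:]]+(bind|none)[[:space:]]+bind' "$1"
}

# Constructed sample files (not copied from a real host): one main.cf that
# follows the page, one with the restrictions in the wrong order, one fstab.
write_samples() {
    cat >"$1/main.cf.good" <<'EOF'
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
EOF
    cat >"$1/main.cf.bad" <<'EOF'
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = reject_unauth_destination, permit_sasl_authenticated, permit_mynetworks
EOF
    cat >"$1/fstab" <<'EOF'
proc            /proc           proc    defaults        0       0
/var/run/saslauthd /var/spool/postfix/var/run/saslauthd bind bind 0 0
EOF
}

# Demonstration run over the constructed samples.
tmp=$(mktemp -d)
write_samples "$tmp"
for f in main.cf.good main.cf.bad; do
    if sasl_enabled "$tmp/$f"; then
        echo "$f: SASL settings present and restrictions correctly ordered"
    else
        echo "$f: SASL settings missing or restrictions mis-ordered"
    fi
done
if fstab_has_bind "$tmp/fstab"; then
    echo "fstab: saslauthd bind mount present"
else
    echo "fstab: saslauthd bind mount missing"
fi
rm -rf "$tmp"
```

To check a real system, call `sasl_enabled /etc/postfix/main.cf` and `fstab_has_bind /etc/fstab`; both return 0 on success, so they can be used directly in an `if`.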

Adding TLS

I'm adding TLS info since you had to install postfix-tls to do SASL anyway, and you're doing PLAIN and LOGIN for real local accounts, so you should really use TLS if you can (set your mail clients to do TLS SMTP only, for safety). You may even want to disable password shell logins and only allow SSH key logins in case your users don't use TLS.

Modified for Debian from http://yocum.org/faqs/postfix-tls-sasl.html

 # tls config
 smtp_use_tls = yes
 smtpd_use_tls = yes
 smtp_tls_note_starttls_offer = yes
 smtpd_tls_key_file = /etc/ssl/certs/smtpd.pem
 smtpd_tls_cert_file = /etc/ssl/certs/smtpd.pem
 smtpd_tls_CAfile = /etc/ssl/certs/smtpd.pem
 smtpd_tls_loglevel = 1
 smtpd_tls_received_header = yes
 smtpd_tls_session_cache_timeout = 3600s
 tls_random_source = dev:/dev/urandom

Things to note:

If you are going to be handling a lot of clients you may want some sort of entropy-gathering hardware for randomness. If you are handling a few clients and want better entropy, use /dev/random.

My smtpd.pem file is a symbolic link to the same certificate I am using for imapd in the same directory.
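The section above offers PLAIN and LOGIN, which carry the password in the clear unless STARTTLS has been negotiated first, and stores the TLS private key in /etc/ssl/certs, a directory that is normally world-readable. As an added example (not from the original page or its contributors), this POSIX shell script flags both conditions: it reports a configuration as exposed when mech_list offers PLAIN or LOGIN but main.cf does not set smtpd_tls_auth_only = yes (a standard Postfix parameter, default no, that withholds AUTH until after STARTTLS; the page does not mention it), and it checks that the key file's mode is 0600 or 0400. Function names and sample files are constructed for the demonstration, and the mode check uses GNU stat, so it assumes a Linux host.

```shell
#!/bin/sh
# Added example, not from the original page: checks whether cleartext SASL
# mechanisms can be used before STARTTLS and whether the TLS private key
# file is readable by others. Sample files are constructed below.

# Print a "key<sep>value" setting; main.cf uses "=", Cyrus SASL smtpd.conf
# uses ":". Last occurrence wins. Usage: conf_value <file> <sep> <key>
conf_value() {
    sed -n "s/^[[:space:]]*$3[[:space:]]*$2[[:space:]]*//p" "$1" | tail -n 1
}

# Return 0 when mech_list offers a mechanism that sends the password in the
# clear (PLAIN or LOGIN). Usage: offers_cleartext_mech <smtpd.conf>
offers_cleartext_mech() {
    case " $(conf_value "$1" : mech_list | tr 'a-z' 'A-Z') " in
        *" PLAIN "*|*" LOGIN "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when main.cf enables STARTTLS and refuses AUTH on unencrypted
# connections (smtpd_tls_auth_only = yes). Usage: auth_requires_tls <main.cf>
auth_requires_tls() {
    [ "$(conf_value "$1" = smtpd_use_tls)" = yes ] &&
    [ "$(conf_value "$1" = smtpd_tls_auth_only)" = yes ]
}

# Print "exposed" when a cleartext mechanism is offered without being forced
# behind TLS, otherwise "ok". Usage: auth_exposure <main.cf> <smtpd.conf>
auth_exposure() {
    if offers_cleartext_mech "$2" && ! auth_requires_tls "$1"; then
        echo exposed
    else
        echo ok
    fi
}

# Return 0 when the file is readable only by its owner (mode 0600 or 0400).
# GNU stat; assumes Linux. Usage: key_file_private <file>
key_file_private() {
    case "$(stat -c %a "$1")" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed samples: the page's smtpd.conf, a main.cf with the page's TLS
# settings (weak: no smtpd_tls_auth_only), a hardened main.cf, and two key
# files standing in for /etc/ssl/certs/smtpd.pem (0644) and a private key.
write_tls_samples() {
    cat >"$1/smtpd.conf" <<'EOF'
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
EOF
    cat >"$1/main.cf.page" <<'EOF'
smtpd_sasl_auth_enable = yes
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/ssl/certs/smtpd.pem
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.pem
EOF
    cat >"$1/main.cf.hardened" <<'EOF'
smtpd_sasl_auth_enable = yes
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/ssl/private/smtpd.key
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.pem
EOF
    : >"$1/smtpd.pem"; chmod 644 "$1/smtpd.pem"
    : >"$1/smtpd.key"; chmod 600 "$1/smtpd.key"
}

# Demonstration run over the constructed samples.
tmp=$(mktemp -d)
write_tls_samples "$tmp"
echo "page config:     $(auth_exposure "$tmp/main.cf.page" "$tmp/smtpd.conf")"
echo "hardened config: $(auth_exposure "$tmp/main.cf.hardened" "$tmp/smtpd.conf")"
for f in smtpd.pem smtpd.key; do
    if key_file_private "$tmp/$f"; then
        echo "$f: readable by owner only"
    else
        echo "$f: readable by others"
    fi
done
rm -rf "$tmp"
```

Against a live host, run `auth_exposure /etc/postfix/main.cf /etc/postfix/sasl/smtpd.conf` and `key_file_private "$(postconf -h smtpd_tls_key_file)"`; an "exposed" result means a client that ignores STARTTLS can still send its password in the clear, and a key kept in /etc/ssl/certs will typically fail the mode check until it is moved into a root-only location such as /etc/ssl/private.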