Differences between revisions 14 and 15
Revision 14 as of 2006-05-09 18:57:02
Size: 4956
Editor: ?hildeb
Comment: typos, formatting, minor textual changes
Revision 15 as of 2008-01-17 04:10:11
Size: 5069
Comment: Link to alternative method using Dovecot.
Line 95: Line 95:

= Alternative implementation using Dovecot =

See also: http://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL

The following steps are required to set up Postfix 2.1 with SMTP-AUTH over SASL2, authenticating against PAM, with smtpd running in its chroot() environment:

0) Install libsasl2-modules, postfix, postfix-tls, sasl2-bin

1) Create a file /etc/postfix/sasl/smtpd.conf:

  pwcheck_method: saslauthd
  mech_list: PLAIN LOGIN

2) Edit /etc/default/saslauthd and enable saslauthd by setting:

  START=yes

3) Run saslauthd with invoke-rc.d saslauthd start or /etc/init.d/saslauthd start

4) Edit /etc/postfix/main.cf and add:

  smtpd_sasl_local_domain = $myhostname
  smtpd_sasl_auth_enable = yes
  broken_sasl_auth_clients = yes

And modify smtpd_recipient_restrictions to include:

   permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination

5) Add the user "postfix" to the group "sasl":

  adduser postfix sasl

6) Create a bind mount so that the unix socket of saslauthd is reachable both from inside the Postfix chroot() and from the normal system. To do this, edit /etc/fstab and add:

  /var/run/saslauthd /var/spool/postfix/var/run/saslauthd bind bind 0 0

7) Activate the previously created fstab entry:

  cd /var/spool/postfix
  mkdir -p var/run/saslauthd
  mount /var/spool/postfix/var/run/saslauthd

8) (Optional) Create a new PAM fragment for the "smtp" service that saslauthd asks PAM about:

  cd /etc/pam.d
  cp other smtp

9) (Optional) Now edit that PAM fragment and adjust it to your needs (by default it is a copy of "other", so it behaves like every other PAM service):

  editor /etc/pam.d/smtp

10) Restart postfix (a reload is not enough, because the sasl group membership and the chroot mount are only picked up by freshly started smtpd processes):

  /etc/init.d/postfix restart

That's it, you're done, everything should work fine now.

Instead of creating the bind mount you can disable chroot()ing by editing the chroot columns in /etc/postfix/master.cf. -- Lennart Poettering

Adding TLS

I'm adding TLS info since you had to install postfix-tls to do SASL anyway and you're doing PLAIN and LOGIN for real local accounts so you should really use TLS if you can (set your mail clients to do TLS SMTP only for safety.) You may even want to disable password shell logins and only allow ssh key logins in case your users don't use TLS.

Modified for Debian from http://yocum.org/faqs/postfix-tls-sasl.html

 # tls config
 smtp_use_tls = yes
 smtpd_use_tls = yes
 smtp_tls_note_starttls_offer = yes
 smtpd_tls_key_file = /etc/ssl/certs/smtpd.pem
 smtpd_tls_cert_file = /etc/ssl/certs/smtpd.pem
 smtpd_tls_CAfile = /etc/ssl/certs/smtpd.pem
 smtpd_tls_loglevel = 1
 smtpd_tls_received_header = yes

Things to note:

If you want better entropy than /dev/urandom, you can point Postfix at /dev/random (the parameter is tls_random_source) if you are handling only a few clients. /dev/random blocks when the kernel's entropy pool is drained, so under load Postfix will have to wait for enough entropy before it can finish a TLS handshake. If you are going to be handling a lot of clients and still want better entropy than urandom, you will need some sort of entropy gathering hardware feeding the random pool.

My smtpd.pem file is a symbolic link to the same certificate I am using for imapd in the same directory.

Alternate TLS/SSL Ports

You may be interested now in supporting the ssmtp and submission ports (see /etc/services) so that your mobile/remote users, who may be on a network that blocks, filters or poorly proxies SMTP (port 25) traffic, can still send mail through your server. Because these ports are not used for MTA-to-MTA traffic, you can enforce extra restrictions on them, such as requiring SSL/TLS. We do this by modifying the master.cf postfix file to run smtpd with special parameters on these ports.

The submission port (587), covered in RFC 2476, is reserved for mail user agents (MUAs) to submit mail to a mail submission agent (MSA), which then hands it on to the mail transfer agent (MTA).

In this example we disallow ETRN, require TLS and enable SASL Auth on the submission port. Note that step 4 above switched SASL on for every smtpd, including port 25, where TLS stays optional; to keep PLAIN/LOGIN credentials from crossing the network in the clear there, also add smtpd_tls_auth_only = yes to main.cf, which makes smtpd announce AUTH only after STARTTLS has completed.

submission inet n      -       -       -       -       smtpd
        -o smtpd_etrn_restrictions=reject
        -o smtpd_enforce_tls=yes 
        -o smtpd_sasl_auth_enable=yes

The ssmtp port (465) is the SMTP equivalent of https: the connection is TLS-wrapped from the first byte, rather than being negotiated with STARTTLS after connecting. Whether the service name is smtps or ssmtp depends on the contents of your /etc/services file. On Debian 3.1 (Sarge) I seem to be able to use either and it shows up as ssmtp on the output of netstat -tl. This port may be required to support clients that only speak TLS-wrapped "SSL" connections and do not understand STARTTLS.

This example also rejects ETRN, wraps the connection in TLS from the start (smtpd_tls_wrappermode) and enables SASL Auth.

ssmtp      inet n      -       -       -       -       smtpd
        -o smtpd_etrn_restrictions=reject
        -o smtpd_tls_wrappermode=yes 
        -o smtpd_sasl_auth_enable=yes
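With the listeners above in place, the property worth checking end to end is the one the SASL steps and the TLS sections together describe: STARTTLS is offered, AUTH is offered only after STARTTLS, and PLAIN or LOGIN is usable over the encrypted channel. The following Python script is an added example written for this page; it is not code from the original wiki text, from Postfix or from Dovecot. The host name mail.example.org, the user name alice and her password, and the EHLO replies held in the *_REPLY constants are constructed for illustration, not captured from a real server. The offline functions evaluate those constants; probe() performs the same checks against a live server using only the standard library.

```python
"""Check a Postfix submission listener for the SASL-over-TLS policy described
on this page: STARTTLS offered, AUTH announced only after STARTTLS, and
PLAIN/LOGIN available once the session is encrypted.

Added example for this page, not code from the wiki text, Postfix or Dovecot.
Host name, credentials and the *_REPLY constants below are constructed.
"""
import base64
import smtplib
import ssl

# Constructed EHLO replies in the form a Postfix smtpd sends them.
CLEAR_OK_REPLY = "250-mail.example.org\r\n250-PIPELINING\r\n250-STARTTLS\r\n250 8BITMIME"
CLEAR_BAD_REPLY = ("250-mail.example.org\r\n250-STARTTLS\r\n"
                   "250-AUTH PLAIN LOGIN\r\n250 AUTH=PLAIN LOGIN")   # AUTH before TLS
TLS_OK_REPLY = ("250-mail.example.org\r\n250-PIPELINING\r\n"
                "250-AUTH PLAIN LOGIN\r\n250 AUTH=PLAIN LOGIN")


def parse_ehlo(reply):
    """Map EHLO keywords to their parameters, e.g. {'AUTH': ['PLAIN', 'LOGIN']}.
    The first 250 line (the server name) is skipped.  The 'AUTH=' line that
    broken_sasl_auth_clients = yes adds is folded into 'AUTH' without duplicates."""
    caps = {}
    lines = [l[4:].strip() for l in reply.splitlines() if l.startswith("250")]
    for body in lines[1:]:
        words = body.split()
        if not words:
            continue
        kw, params = words[0].upper(), words[1:]
        if kw.startswith("AUTH="):
            kw, params = "AUTH", [words[0][5:]] + params
        seen = caps.setdefault(kw, [])
        for p in params:
            p = p.upper()
            if p not in seen:
                seen.append(p)
    return caps


def auth_plain_token(user, password, authzid=""):
    """SASL PLAIN initial response: authzid NUL authcid NUL password, base64.
    It is only encoded, not protected, which is why PLAIN/LOGIN need TLS."""
    raw = "\0".join((authzid, user, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def assess(clear_caps, tls_caps):
    """Findings for one session: capabilities before STARTTLS and after it
    (tls_caps is None when STARTTLS was not attempted)."""
    findings = []
    if "STARTTLS" not in clear_caps:
        findings.append("STARTTLS not offered: cleartext-only listener")
    if "AUTH" in clear_caps:
        findings.append("AUTH offered before STARTTLS: set smtpd_tls_auth_only = yes")
    if tls_caps is not None:
        mechs = set(tls_caps.get("AUTH", []))
        if not mechs:
            findings.append("no AUTH after STARTTLS: smtpd_sasl_auth_enable not in effect")
        elif not mechs & {"PLAIN", "LOGIN"}:
            findings.append("PLAIN/LOGIN missing: check mech_list in smtpd.conf")
    return findings


def probe(host, port=587, user=None, password=None, verify=True):
    """Live version of assess() against a real server (not run at import).
    verify=False skips certificate checks, e.g. for a self-signed smtpd.pem."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=15) as s:
        s.ehlo()
        clear = {k.upper(): v.upper().split() for k, v in s.esmtp_features.items()}
        if "STARTTLS" not in clear:
            return assess(clear, None)
        s.starttls(context=ctx)
        s.ehlo()                      # capabilities are re-announced after TLS
        tls = {k.upper(): v.upper().split() for k, v in s.esmtp_features.items()}
        findings = assess(clear, tls)
        if user:                      # AUTH PLAIN only over the encrypted channel
            code, msg = s.docmd("AUTH PLAIN", auth_plain_token(user, password))
            if code != 235:
                findings.append(f"AUTH PLAIN rejected: {code} {msg.decode(errors='replace')}")
        return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) >= 3:
        print(probe(sys.argv[1], int(sys.argv[2]), *sys.argv[3:5]))
    else:
        print("constructed listener, AUTH before TLS:",
              assess(parse_ehlo(CLEAR_BAD_REPLY), parse_ehlo(TLS_OK_REPLY)))
```

Run it without arguments to see the findings for the constructed replies, or as `python3 thescript.py mail.example.org 587 alice s3cret` against a live submission port (for the 465 wrapper-mode port, substitute smtplib.SMTP_SSL for SMTP and skip the STARTTLS step). Pass verify=False from a Python shell when the server presents the self-signed smtpd.pem the TLS section creates, since a default context will reject it; an empty findings list means the listener behaves as this page intends.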

Alternative implementation using Dovecot

See also: http://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL