Differences between revisions 25 and 26
Revision 25 as of 2015-01-11 19:48:27
Size: 7004
Editor: ?marka
Comment: Prepare to update information about TLS-only connections to postfix/smtpd
Revision 26 as of 2015-01-13 06:11:20
Size: 7551
Editor: ?marka
Comment: Add information about separate saslauthd process for Postfix. Rearrange paragraphs.
Line 5: Line 5:
The following steps are required to setup Postfix with SMTP-AUTH over SASL2 with authentication against PAM in a chroot() environment: The following steps are required to setup Postfix with SMTP-AUTH over SASL2 with authentication against PAM in a chroot() environment.
Line 7: Line 7:
 1. Install DebianPkg:libsasl2-modules, DebianPkg:postfix, DebianPkg:sasl2-bin  * Note: The following steps have been carried out and verified on a Debian 7.1 system (Jan. 2015).

 * Note: SASL2 (saslauthd) creates a socket in its working directory. Postfix (smtpd) needs access to this socket. If smtpd is running chroot()ed (what is standard on Debian) saslauthd must run within this chroot()-environment also (though not being chrooted itself). While this is fine for smtpd there are other services (Cyrus-imapd for example) which expect saslauthd's socket at its "regular" location (''/var/run/saslauthd'').
 .
 The recommended way to solve this is to run separate saslauthd processes for Postfix and for others. Alternatively a symlink-trick can be used. See below.
 Or you can disable chroot()ing by editing the {{{chroot}}} columns in {{{/etc/postfix/master.cf}}}.

----

 1. Install DebianPkg:libsasl2-modules, DebianPkg:postfix, DebianPkg:sasl2-bin
Line 12: Line 22:
 1. Edit {{{/etc/default/saslauthd}}}, enable saslauthd and choose the right options according to chroot()ing or non-chroot()ing postfix by settings: {{{  1. Setup a separate saslauthd process to be used from Postfix:

  Create a copy of saslauthd's config file {{{
~# cp /etc/default/saslauthd /etc/default/saslauthd-postfix
  }}}
  and edit it {{{
Line 14: Line 29:
DESC="SASL Auth. Daemon for Postfix"
NAME="saslauthd-postf" # max. 15 char.
# Option -m sets working dir for saslauthd (contains socket)
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd" # postfix/smtp in chroot()
}}}
  (See [[http://lists.debian.org/debian-user-german/2012/09/msg00244.html | /usr/share/doc/sasl2-bin/README.Debian.gz]])
Line 15: Line 36:
# Option -m sets working dir for saslauthd (contains socket)
#OPTIONS="-c -m /var/run/saslauthd" # postfix/smtp not in chroot()
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd" # postfix/smtp in chroot()
}}} Note:

 postfix/smtp needs to have access to saslauthd's socket. Group membership and/or access-bits must be set accordingly (see below).
 .
 If postfix/smtp is running chroot()ed (what is standard on Debian) saslauthd must run within this chroot()-environment also (though not being chrooted itself). While this is fine for postfix there are other services (cyrus/imapd for example) which expect saslauthd's socket at its "regular" location (''/var/run/saslauthd'', which is symlinked to ''/run/saslauthd'').
 .
 This problem can be solved by
 .
  a. replacing the directory ''/run/saslauthd'' with a symlink to ''/var/spool/postfix/var/run/saslauthd''
  Alternatively you can replace the directory ''/run/saslauthd'' with a symlink to ''/var/spool/postfix/var/run/saslauthd''
Line 31: Line 41:
  (This is a quick-and-dirty hack, useful only for testing purposes. After the next reboot the contents of /run will be reset.)


  a. or by running distinct saslauthd processes for postfix and for others. Debian is prepared for this (see [[http://lists.debian.org/debian-user-german/2012/09/msg00244.html | /usr/share/doc/sasl2-bin/README.Debian.gz]])
  .
  TODO: Add relevant sections of /etc/default/saslauth* files.
  .
  This is a quick-and-dirty hack, useful only for testing purposes. After the next reboot the contents of /run will be reset.
Line 47: Line 50:
 1. Run saslauthd with {{{invoke-rc.d saslauthd start}}} or {{{/etc/init.d/saslauthd start}}}
 1. Edit {{{/etc/postfix/main.cf}}} and add: {{{
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes

 1. Restart saslauthd: {{{
~# service saslauthd restart
[ ok ] Stopping SASL Auth. Daemon: saslauthd.
[ ok ] Starting SASL Auth. Daemon: saslauthd.
[ ok ] Starting SASL Auth. Daemon for Postfix: saslauthd-postf.
Line 53: Line 57:
 And modify {{{smtpd_recipient_restrictions}}} to include: {{{
permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination

 1. Edit Postfix configuration: {{{
~# postconf -e 'smtpd_sasl_local_domain = $myhostname'
~# postconf -e 'smtpd_sasl_auth_enable = yes'
~# postconf -e 'broken_sasl_auth_clients = yes'
~# postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination'
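Review bot: the `postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination'` line in this hunk overwrites the whole parameter, whereas the removed text told the reader to modify the existing `smtpd_recipient_restrictions` so that it *includes* these three entries; any restrictions already configured in main.cf are silently discarded by the new step. Suggest wording it as "add these to your existing smtpd_recipient_restrictions" and showing `postconf smtpd_recipient_restrictions` first so the current value can be merged, keeping `permit_sasl_authenticated` ahead of `reject_unauth_destination` as in the shown order, since that ordering is what lets authenticated clients relay.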
Line 56: Line 64:
 1. (Optionally) Create a new PAM fragment: {{{
cd /etc/pam.d
cp other smtp

1. (Optionally) Create a new PAM fragment and adjust it to your needs: {{{
~# cd /etc/pam.d
~# cp other smtp
~# editor /etc/pam.d/smtp
Line 60: Line 70:
 1. (Optionally) Now edit that PAM fragment and adjust it to your needs. {{{
editor /etc/pam.d/smtp
}}}

 1. Restart (reloading is not enough) postfix with: {{{
/etc/init.d/postfix restart

 1. Restart (reloading is not enough) postfix: {{{
~# service postfix restart
Line 69: Line 77:
You can disable chroot()ing by editing the {{{chroot}}} columns in {{{/etc/postfix/master.cf}}}. -- Lennart Poettering '''Troubleshooting tip'''
Line 71: Line 79:
=== Adding TLS === If something goes wrong (cannot connect to server, authentification fails) try to see what is happening befind the scenes. Connect your server via {{{
~# telnet server 25
}}}

Can smtpd be connected? Enter a "ehlo xxx" command. What does smtpd respond?
For more information see [[http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailclients.html | Check for SMTP AUTH support ]]

----

= Adding TLS =
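Review bot: the added troubleshooting paragraph has two spelling errors, "befind" for "behind" and "authentification" for "authentication", and "Enter a "ehlo xxx" command" should read "an". It would also help to say in one sentence what to look for in the EHLO reply (a 250-AUTH line is what the page's own smtpd_sasl_auth_enable setting produces), rather than leaving that entirely to the linked "Check for SMTP AUTH support" page.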



The following steps are required to set up Postfix with SMTP-AUTH over SASL2, authenticating against PAM, in a chroot() environment.

  • Note: The following steps have been carried out and verified on a Debian 7.1 system (Jan. 2015).
  • Note: SASL2 (saslauthd) creates a socket in its working directory. Postfix (smtpd) needs access to this socket. If smtpd is running chroot()ed (which is the default on Debian), saslauthd must run within that chroot() environment as well (though it is not chrooted itself). While this is fine for smtpd, other services (Cyrus-imapd for example) expect saslauthd's socket at its "regular" location (/var/run/saslauthd).

  • The recommended way to solve this is to run separate saslauthd processes for Postfix and for the other services. Alternatively, a symlink trick can be used (see below).

    Or you can disable chroot()ing by editing the chroot columns in /etc/postfix/master.cf.


  1. Install libsasl2-modules, postfix, sasl2-bin

  2. Create a file /etc/postfix/sasl/smtpd.conf:

    pwcheck_method: saslauthd
    mech_list: PLAIN LOGIN
  3. Set up a separate saslauthd process to be used by Postfix:
    • Create a copy of saslauthd's config file

      ~# cp /etc/default/saslauthd /etc/default/saslauthd-postfix

      and edit it

      START=yes
      DESC="SASL Auth. Daemon for Postfix"
      NAME="saslauthd-postf"      # max. 15 char.
      # Option -m sets working dir for saslauthd (contains socket)
      OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"        # postfix/smtp in chroot()

      (See /usr/share/doc/sasl2-bin/README.Debian.gz)

      Alternatively you can replace the directory /run/saslauthd with a symlink to /var/spool/postfix/var/run/saslauthd:

      ~# rm -rf /run/saslauthd
      ~# ln -s /var/spool/postfix/var/run/saslauthd   /run/saslauthd
      This is a quick-and-dirty hack, useful only for testing purposes. After the next reboot the contents of /run will be reset.
  4. Create the required subdirectory in the Postfix chroot directory (the dpkg-statoverride entry gives it owner root, group sasl and mode 710, so that only members of the sasl group can traverse it to reach the socket):

    dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd
  5. Add the user "postfix" to the group "sasl" so that smtpd can reach that socket:

    adduser postfix sasl
  6. Restart saslauthd:

    ~# service saslauthd  restart
    [ ok ] Stopping SASL Auth. Daemon: saslauthd.
    [ ok ] Starting SASL Auth. Daemon: saslauthd.
    [ ok ] Starting SASL Auth. Daemon for Postfix: saslauthd-postf.
  7. Edit Postfix configuration:

    ~# postconf -e 'smtpd_sasl_local_domain = $myhostname'
    ~# postconf -e 'smtpd_sasl_auth_enable = yes'
    ~# postconf -e 'broken_sasl_auth_clients = yes'
    ~# postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination'
  8. (Optionally) Create a new PAM fragment and adjust it to your needs:

    ~# cd /etc/pam.d
    ~# cp other smtp
    ~# editor /etc/pam.d/smtp
  9. Restart Postfix (reloading is not enough):

    ~# service postfix restart

That's it, you're done, everything should work fine now.

Troubleshooting tip

If something goes wrong (cannot connect to the server, authentication fails), look at what is happening behind the scenes. Connect to your server with

~# telnet server 25

Does smtpd accept the connection? Enter an "ehlo xxx" command. What does smtpd respond? For more information see "Check for SMTP AUTH support" (http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailclients.html).


Adding TLS

--- Note: The text below seems to be rather outdated: The link to yocum.org is dead. And Debian 3.1 is mentioned. And the presented settings for "tls config" are more or less the same as for SuSE 9.3. And recent postfix documentation says some of the settings have been superseded by new ones (see smtpd_tls_security_level).

I will provide my configuration settings for TLS-only connections to postfix/smtpd as soon as I have verified they do what I have intended.

[M.A. 2015-01-11] ---

I'm adding TLS info since you had to install postfix to do SASL anyway and you're doing PLAIN and LOGIN for real local accounts so you should really use TLS if you can (set your mail clients to do TLS SMTP only for safety.) You may even want to disable password shell logins and only allow ssh key logins in case your users don't use TLS.

Modified for Debian from http://yocum.org/faqs/postfix-tls-sasl.html

 # tls config
 smtp_use_tls = yes
 smtpd_use_tls = yes
 smtp_tls_note_starttls_offer = yes
 smtpd_tls_key_file = /etc/ssl/certs/smtpd.pem
 smtpd_tls_cert_file = /etc/ssl/certs/smtpd.pem
 smtpd_tls_CAfile = /etc/ssl/certs/smtpd.pem
 smtpd_tls_loglevel = 1
 smtpd_tls_received_header = yes

Things to note:

If you want better entropy than urandom and are handling only a few clients, use /dev/random; in some cases /dev/random cannot provide entropy as fast as required, and Postfix then has to wait for enough entropy. If you are going to handle a lot of clients and still want better entropy than urandom, you may want some sort of entropy-gathering hardware feeding random.

My smtpd.pem file is a symbolic link to the same certificate I am using for imapd in the same directory.

Alternate TLS/SSL Ports

You may be interested now in supporting the ssmtp and submission ports (see /etc/services) so that your mobile/remote users who may be on a system that blocks, filters or poorly proxies SMTP (port 25) traffic can still send mail through your server. Since these ports are not also used for MTA to MTA traffic, you can enforce extra restrictions such as requiring SSL/TLS. We do this by modifying the master.cf postfix file to run smtpd programs with special parameters on these ports.

The submission port (587), covered in RFC 2476, is reserved for mail user agents (MUA)/ mail submission agents (MSA) to send email to a mail transfer agent (MTA).

In this example we disallow ETRN, require TLS and enable SASL Auth on the submission port.

submission inet n      -       -       -       -       smtpd
        -o smtpd_etrn_restrictions=reject
        -o smtpd_enforce_tls=yes 
        -o smtpd_sasl_auth_enable=yes

The ssmtp port (465) is the SMTP equivalent of https (SSL). The secure layer is expected from the get-go and not an optional negotiated parameter after connecting. You may need to use smtps or ssmtp depending on the contents of your /etc/services file. On Debian 3.1 (Sarge) I seem to be able to use either and it shows up as ssmtp on the output of netstat -tl. This port may be required to support clients who can do SSL but don't understand TLS.

This example also disables ETRN, wraps the connection in SSL/TLS from the start (smtpd_tls_wrappermode) and enables SASL Auth.

ssmtp      inet n      -       -       -       -       smtpd
        -o smtpd_etrn_restrictions=reject
        -o smtpd_tls_wrappermode=yes 
        -o smtpd_sasl_auth_enable=yes
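A small checker for the troubleshooting tip above and for the AUTH-over-TLS point of this section, added here and not part of the wiki page: it reads an EHLO reply and reports whether AUTH is being offered without, or alongside, STARTTLS. The function name and the sample reply are this example's own.

```shell
#!/bin/sh
# Added example, not part of the wiki page: classify an SMTP EHLO reply by the
# two capabilities this page configures, AUTH (smtpd_sasl_auth_enable) and
# STARTTLS. Reads the reply on stdin and prints one word:
#   no-auth            no AUTH advertised (the SASL steps are not active)
#   no-auth-yet        STARTTLS offered, AUTH not yet; re-run inside the TLS
#                      session to see whether AUTH appears there
#   auth-cleartext     AUTH offered with no STARTTLS at all: PLAIN/LOGIN would
#                      send real account passwords unencrypted
#   auth-optional-tls  both offered on the plaintext session; a client that does
#                      not insist on TLS can still authenticate in the clear
# Function name and the sample reply below are this example's own.
classify_ehlo() {
    auth=0; tls=0
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')    # SMTP lines end in CRLF
        case "$line" in
            250-AUTH*|"250 AUTH"*)         auth=1 ;;  # also AUTH=... (broken_sasl_auth_clients)
            250-STARTTLS*|"250 STARTTLS"*) tls=1 ;;
        esac
    done
    if [ "$auth" -eq 1 ] && [ "$tls" -eq 0 ]; then echo auth-cleartext
    elif [ "$auth" -eq 1 ]; then echo auth-optional-tls
    elif [ "$tls" -eq 1 ]; then echo no-auth-yet
    else echo no-auth; fi
}

# Constructed reply, as a Postfix configured per step 7 and "Adding TLS" would
# give it on port 25 (mail.example.com is a placeholder host).
SAMPLE_EHLO='250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 DSN'
printf '%s\n' "$SAMPLE_EHLO" | classify_ehlo    # → auth-optional-tls

# Live use: classify the plaintext session, then the session after STARTTLS,
# and compare the two (replace mail.example.com and the port as needed):
#   printf 'EHLO probe\r\nQUIT\r\n' | nc mail.example.com 25 | classify_ehlo
#   (echo 'EHLO probe'; sleep 1; echo QUIT) |
#       openssl s_client -quiet -starttls smtp -connect mail.example.com:25 | classify_ehlo
```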

Alternative implementation using Dovecot

See also: http://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL