Friday, December 29. 2006
SMTP AUTH with Postfix on Debian Etch
I finally wanted to enable my users to relay mails via my own MTA, as it’s quite comfortable to be able to use the same outgoing mail server no matter what computing device you currently use or where you currently are. About three years ago there were no solutions enabling SMTP AUTH for Postfix without recompiling packages, so I had to wait until today where such features are now officially available within Debian. I found several HOWTOs about configuring SMTP AUTH with Postfix on Debian Woody or Debian Sarge, but things have changed (or will change, as Etch hasn’t been released yet). The Postfix version in Sarge is 2.1, whereas in Etch it’s 2.3. This is how I did it:
First, note that you don’t have to patch or (re-)compile anything. Etch’s Postfix package already supports TLS! First, I cared about configuring authentication with SASL, and after that I restricted authentication to TLS only. This makes debugging easier during the process. Because encryption already happens at the TLS-layer, I don’t need MD5 authentication and can stay PLAIN.
Besides postfix and libsasl2-2, which I already had installed, install sasl2-bin and the libsasl2-modules —the first package includes the saslauthd, and the second one the authentication modules. Edit /etc/default/saslauthd such that the daemon is started automatically. Note that Postfix runs chroot’ed in Debian, therefore the socket of saslauthd has to be located in a directory somewhere under /var/spool/postfix, say, var/run/saslauthd, which you have to create first. You should now have something like:
You may now start saslauthd.
I’m not sure if you really have to add the user postfix to the group sasl, but I did it as mentioned in the HOWTOs. Now I created /etc/postfix/sasl/smtpd.conf with the following content:
In /etc/init.d/postfix, search for the variable FILES and add the string etc/postfix/sasl/smtpd.conf to the list.
Then I edited /etc/postfix/main.cf to contain
I didn’t configure any realm, i.e., users don’t have to hand over username@domain but only their username. In the smtpd_recipient_restrictions, place permit_sasl_authenticated right before permit_mynetworks —now, SASL-authenticated users may relay their mail. You don’t need a file /etc/pam.d/smtp as mentioned in the HOWTOs. You can already test your configuration by talking plain SMTP to your mailserver by issuing
After saying
to your server you should get a response containing the lines
I tested it via Evolution: On the “Sending Email”-tab of your account configuration disable encryption and click on “Check for supported types”. The drop-down list should now have all options disallowed except PLAIN and LOGIN. You can already relay your mail with this. But your password is not yet safe!
For TLS you’ll need a certificate. I was already using one for Courier-IMAP which should now also be used for Postfix. I had created it via
To activate TLS in Postfix, I added the following to /etc/postfix/main.cf:
The second line hides the authentication options until the client initiates a TLS-session, where they become available again. You can test it with Evolution as before, you’ll see that it will only work with TLS encryption selected (and not with SSL). That’s it!
If you want to enable a whole Postfix-installation to always relay mail via SMTP AUTH to that MTA you’ve just configured, you’ll step over a tiny problem: As there are no authentication options offered before a TLS-session is initiated, your Postfix-client simply won’t use authentication. But first, place a valid username/password-combination into /etc/postfix/sasl_passwd like
then chmod 600 and postmap it. You need the following lines in your client’s /etc/postfix/main.cf:
Note that you actually don’t need the second line, as it’s for smtpd, whereas the third line forces the smtp-client to first start a TLS-session by which the authentication options become available. Your client’s Postfix will now relay its mails via SMTP AUTH to your server’s Postfix. Have fun!
Categories
Follow me
