I finally wanted to enable my users to relay mails via my own MTA, as it’s quite comfortable to be able to use the same outgoing mail server no matter what computing device you currently use or where you currently are. About three years ago there were no solutions enabling SMTP AUTH for Postfix without recompiling packages, so I had to wait until today where such features are now officially available within Debian.
I found several HOWTOs about configuring SMTP AUTH with Postfix on Debian Woody or Debian Sarge, but things have changed (or will change, as Etch hasn’t been released yet). The Postfix version in Sarge is 2.1, whereas in Etch it’s 2.3. This is how I did it:
First, note that you don’t have to patch or (re-)compile anything: Etch’s Postfix package already supports TLS. I first configured authentication with SASL and only afterwards restricted authentication to TLS, which makes debugging easier during the process. Because encryption already happens at the TLS layer, I don’t need MD5 authentication and can stay with PLAIN.
Besides postfix and libsasl2-2, which I already had installed, install sasl2-bin and libsasl2-modules: the first package contains saslauthd, the second one the authentication modules. Edit /etc/default/saslauthd so that the daemon is started automatically. Note that Postfix runs chroot’ed in Debian, therefore the socket of saslauthd has to be located in a directory somewhere under /var/spool/postfix, say var/run/saslauthd (relative to the chroot), which you have to create first. You should now have something like:
START=yes
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
You may now start saslauthd.
I’m not sure if you really have to add the user postfix to the group sasl, but I did it as mentioned in the HOWTOs. Now I created /etc/postfix/sasl/smtpd.conf with the following content:
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
log_level: 1
In /etc/init.d/postfix, search for the variable FILES and add the string etc/postfix/sasl/smtpd.conf to the list.
Then I edited /etc/postfix/main.cf to contain
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
I didn’t configure any realm, i.e., users don’t have to hand over username@domain but only their username. In smtpd_recipient_restrictions, place permit_sasl_authenticated right before permit_mynetworks; now SASL-authenticated users may relay their mail. You don’t need a file /etc/pam.d/smtp as mentioned in the HOWTOs. You can already test your configuration by talking plain SMTP to your mail server, issuing
$ telnet servername smtp
After saying
ehlo clientname
to your server you should get a response containing the lines
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
I tested it via Evolution: On the “Sending Email”-tab of your account configuration disable encryption and click on “Check for supported types”. The drop-down list should now have all options disallowed except PLAIN and LOGIN. You can already relay your mail with this. But your password is not yet safe!
For TLS you’ll need a certificate. I was already using one for Courier-IMAP which should now also be used for Postfix. I had created it via
/usr/bin/openssl req -new -x509 -days 730 -nodes \
-out /etc/courier/imapd.pem -keyout /etc/courier/imapd.pem
To activate TLS in Postfix, I added the following to /etc/postfix/main.cf:
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/courier/imapd.pem
smtpd_tls_cert_file = /etc/courier/imapd.pem
smtpd_tls_CAfile = /etc/courier/imapd.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
The second line hides the authentication options until the client has started a TLS session, after which they are advertised again. You can test it with Evolution as before; you’ll see that it only works with TLS encryption selected (and not with SSL). That’s it!
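To check the smtpd_tls_auth_only behaviour from a script rather than by hand with telnet or Evolution, here is an added Python probe (not part of the original post): it parses EHLO replies before and after STARTTLS and reports whether AUTH is only offered inside TLS. The host name "servername", port 25 and the EHLO name "clientname" are assumptions; the sample replies are constructed.

```python
import re
import smtplib
import ssl

# An EHLO keyword line, with or without the "250-"/"250 " prefix telnet shows.
# Accepts both "AUTH PLAIN LOGIN" and the legacy "AUTH=PLAIN LOGIN" form
# that broken_sasl_auth_clients = yes makes Postfix emit.
_AUTH_LINE = re.compile(r"^(?:250[ -])?AUTH[ =](.+)$")
_STARTTLS_LINE = re.compile(r"^(?:250[ -])?STARTTLS$")


def _lines(ehlo_reply):
    # smtplib.SMTP.ehlo() returns bytes, one extension per line; telnet output is str.
    if isinstance(ehlo_reply, bytes):
        ehlo_reply = ehlo_reply.decode("ascii", "replace")
    return [line.strip() for line in ehlo_reply.splitlines()]


def auth_mechanisms(ehlo_reply):
    """Return the set of SASL mechanisms advertised in an EHLO reply."""
    mechs = set()
    for line in _lines(ehlo_reply):
        m = _AUTH_LINE.match(line)
        if m:
            mechs.update(m.group(1).split())
    return mechs


def check_auth_policy(before_tls, after_tls):
    """What a server with smtpd_tls_auth_only = yes should look like:
    STARTTLS offered, no AUTH in cleartext, AUTH present after STARTTLS."""
    clear = auth_mechanisms(before_tls)
    enc = auth_mechanisms(after_tls)
    return {
        "starttls_offered": any(_STARTTLS_LINE.match(l) for l in _lines(before_tls)),
        "cleartext_auth": sorted(clear),
        "tls_auth": sorted(enc),
        "auth_only_over_tls": not clear and bool(enc),
    }


def probe(host="servername", port=25, ehlo_name="clientname", context=None):
    """Live check; with the self-signed Courier certificate from the article,
    pass a context that trusts it (ctx.load_verify_locations(...))."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        _, before = s.ehlo(ehlo_name)
        s.starttls(context=context or ssl.create_default_context())
        _, after = s.ehlo(ehlo_name)
    return check_auth_policy(before, after)


# Constructed sample replies, as telnet would show them for this setup.
SAMPLE_BEFORE = "250-servername\r\n250-PIPELINING\r\n250-STARTTLS\r\n250 8BITMIME"
SAMPLE_AFTER = ("250-servername\r\n250-PIPELINING\r\n250-AUTH PLAIN LOGIN\r\n"
                "250-AUTH=PLAIN LOGIN\r\n250 8BITMIME")
```

check_auth_policy(SAMPLE_BEFORE, SAMPLE_AFTER)["auth_only_over_tls"] is True for the constructed samples; run probe() against your own server to compare.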
If you want a whole Postfix installation to always relay mail via SMTP AUTH to the MTA you’ve just configured, you’ll run into a small problem: as no authentication options are offered before a TLS session is initiated, your Postfix client simply won’t use authentication. First, place a valid username/password combination into /etc/postfix/sasl_passwd like
servername username:password
then chmod 600 and postmap it. You need the following lines in your client’s /etc/postfix/main.cf:
relayhost = servername
smtpd_use_tls = yes
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
Note that you actually don’t need the second line, as it’s for smtpd; the third line forces the smtp client to start a TLS session first, by which the authentication options become available. Your client’s Postfix will now relay its mail via SMTP AUTH to your server’s Postfix. Have fun!