Fellow PLUGgers, (cc Postfix mailing list)

After much hair-pulling and searching on the Internet, I've finally gotten Postfix SMTP AUTH with TLS to work. I'd like to share my experiences for those who may be in a similar hair-pulling situation to the one I was in.

I hope the cross-post to the main Postfix list will be tolerated. I'm
doing this in the hope of this message being more "findable" through
Google searches for future individuals who may benefit from the
information.
A brief overview of my setup:
- Debian GNU/Linux Unstable (Sid)
- Postfix 2.0.13
- PAM Authentication
The Postfix SMTP AUTH and TLS HOWTO[1] by Patrick Koetter was a very big
help, but because it is RedHat-centric, there are certain nuances of the
way the Debian Postfix package does things that were not covered.
Nonetheless, it's a great starting point and covers a lot of the basics.
The first thing to do is to install the needed packages.
# apt-get install postfix postfix-tls sasl2-bin
The postfix-tls package contains the necessary libraries to do SASL and
TLS, and the sasl2-bin package contains, among others, the saslauthd
program that we need to do PAM authentication.
Configuring saslauthd on Debian involves the following steps:
- edit /etc/default/saslauthd and uncomment "START=yes"
- MECHANISMS="pam" should be enough for our needs
Because Postfix on Debian seems to run chrooted by default, we need to
make saslauthd's socket file accessible to both the chrooted Postfix and
saslauthd. This seemed to make more sense than turning off the chroot, since I
wanted to take the path of "minimal resistance" with respect to the way
the Debian packages do their work.
- create var/run in the Postfix chroot:
# mkdir -p /var/spool/postfix/var/run
- move the saslauthd directory from /var/run to ~postfix/var/run
- make /var/run/saslauthd a symlink to ~postfix/var/run/saslauthd
- because the ~postfix/var/run/saslauthd directory is readable only
by root and the sasl group, add the postfix user to the sasl
group (hint: use 'vigr')
The above steps seem to make more sense than making
/var/spool/postfix/var/run/saslauthd/mux a hardlink to
/var/run/saslauthd/mux every time saslauthd starts.
Start saslauthd using
# /etc/init.d/saslauthd start
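The saslauthd relocation steps above, collected into one idempotent script. This is an added example, not part of the original post or the Debian packages; the optional root prefix argument is a hypothetical knob so the steps can be rehearsed against a scratch directory before touching the live system, and usermod -a -G (from shadow-utils, as shipped on Debian) stands in for the interactive vigr the post suggests.

```shell
#!/bin/sh
# Added example (not from the original post): relocate saslauthd's socket
# directory into the Postfix chroot so the non-chrooted saslauthd and the
# chrooted smtpd see the same /var/run/saslauthd/mux.
# Every function takes an optional root prefix ("" = live system), a
# hypothetical knob for rehearsing the steps in a scratch directory.
set -eu

# ~postfix on Debian is /var/spool/postfix, which is also the chroot root.
chroot_dir() { printf '%s\n' "${1:-}/var/spool/postfix"; }

relocate_saslauthd_socket() {
    root="${1:-}"
    chroot="$(chroot_dir "$root")"
    # 1. create var/run inside the chroot
    mkdir -p "$chroot/var/run"
    # 2. move saslauthd's directory into the chroot (skipped when the
    #    system path is already our symlink from an earlier run)
    if [ -d "$root/var/run/saslauthd" ] && [ ! -L "$root/var/run/saslauthd" ]; then
        mv "$root/var/run/saslauthd" "$chroot/var/run/saslauthd"
    fi
    # 3. make /var/run/saslauthd a symlink to the chrooted directory
    if [ ! -L "$root/var/run/saslauthd" ]; then
        ln -s "$chroot/var/run/saslauthd" "$root/var/run/saslauthd"
    fi
}

# 4. the relocated directory is readable only by root and group sasl, so
#    the postfix user must join that group. The post uses vigr; usermod
#    is the non-interactive equivalent (assumption: shadow-utils usermod).
add_postfix_to_sasl_group() {
    usermod -a -G sasl postfix
}

# Check that both paths lead to one directory: whatever saslauthd creates
# there is what the chrooted smtpd opens as /var/run/saslauthd/mux.
verify_saslauthd_paths() {
    root="${1:-}"
    chroot="$(chroot_dir "$root")"
    [ -L "$root/var/run/saslauthd" ] || return 1
    [ "$(readlink "$root/var/run/saslauthd")" = "$chroot/var/run/saslauthd" ] || return 1
    [ -d "$chroot/var/run/saslauthd" ]
}

# Usage on the live system (as root): sh relocate-saslauthd.sh apply
if [ "${1:-}" = "apply" ]; then
    relocate_saslauthd_socket ""
    add_postfix_to_sasl_group
    verify_saslauthd_paths "" && echo "saslauthd socket directory now lives in the chroot"
fi
```

Run it with "apply" before starting saslauthd; the verify step only checks the directory and symlink, so re-run the check after saslauthd has started to confirm the mux socket actually appears under /var/spool/postfix/var/run/saslauthd.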
The next step involves setting up Postfix to do SASL:
- create or edit /etc/postfix/sasl/smtpd.conf. It should contain:
mech_list: PLAIN
minimum_layer: 0
pwcheck_method: saslauthd
auto_transition: no
(Note that the HOWTOs only recommend the pwcheck_method directive; I
added the rest from a Cyrus setup I have here, and they seem to
work fine. I only know how to test AUTH PLAIN, so I don't want
other MUAs using other authentication mechanisms and possibly
failing, so...)
- create or edit /etc/pam.d/smtp to contain your usual PAM stuff,
for my PAM-LDAP setup, I have the following:
auth sufficient pam_ldap.so
auth required pam_unix.so use_first_pass
account sufficient pam_ldap.so
account required pam_unix.so use_first_pass
password sufficient pam_ldap.so
password required pam_unix.so use_first_pass
session required pam_unix.so
- copy /etc/pam.d/smtp to the directory /var/spool/postfix/etc/pam.d
(which should be created if needed).
- edit /etc/postfix/main.cf to have the following:
# SASL SUPPORT FOR CLIENTS
# The following options set parameters needed by Postfix to enable
# Cyrus-SASL support for authentication of mail clients.
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/ssl/tls.pem
smtpd_tls_cert_file = /etc/postfix/ssl/tls.pem
smtpd_tls_CAfile = /etc/postfix/ssl/tls.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,
    check_relay_domains
The tls.pem file will need to be created. I noted that if you have
a POP3-SSL and/or IMAP-SSL server sharing the same hostname as the
SMTP AUTH server all three need to share the same key and cert
file (key and cert may be separated, of course). Otherwise clients
will croak. More information on the above directives is available
in the HOWTO linked to previously.
Reload Postfix and you should be off. Connections will be available
through port 25 using TLS, and through port 425 for SMTP over SSL.
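A way to confirm that the main.cf above does what it is meant to, as an added example that is not from the original post: with smtpd_tls_auth_only = yes the server must not advertise AUTH on the plaintext EHLO and must advertise it after STARTTLS, and with mech_list: PLAIN the only mechanism listed should be PLAIN. The parsing functions work on any saved EHLO response; the two probe functions assume nc and openssl s_client are installed and that the hostname passed in is your own server.

```shell
#!/bin/sh
# Added example (not from the original post): verify "AUTH only inside TLS"
# by comparing the EHLO response before and after STARTTLS.
set -eu

# Exit 0 if the EHLO response on stdin carries an AUTH line. Postfix emits
# "250-AUTH PLAIN" and, with broken_sasl_auth_clients = yes, an extra
# "250-AUTH=PLAIN" line for older Microsoft clients; both forms count.
ehlo_advertises_auth() {
    tr -d '\r' | grep -Eq '^250[- ]AUTH[ =]'
}

# Print the advertised mechanisms, one per line, de-duplicated.
ehlo_auth_mechanisms() {
    tr -d '\r' | sed -n 's/^250[- ]AUTH[ =]//p' | tr ' ' '\n' | grep -v '^$' | sort -u || true
}

# $1 = EHLO response before STARTTLS, $2 = EHLO response after STARTTLS.
# Exit 0 only if AUTH is absent on the plaintext connection and present
# inside TLS; warn if anything other than PLAIN is listed.
auth_only_over_tls() {
    if printf '%s\n' "$1" | ehlo_advertises_auth; then
        echo "FAIL: AUTH advertised on the plaintext connection" >&2
        return 1
    fi
    if ! printf '%s\n' "$2" | ehlo_advertises_auth; then
        echo "FAIL: no AUTH advertised after STARTTLS" >&2
        return 1
    fi
    if [ "$(printf '%s\n' "$2" | ehlo_auth_mechanisms)" != "PLAIN" ]; then
        echo "WARN: mechanisms other than PLAIN are advertised" >&2
    fi
    return 0
}

# Live probes against your own server (assumption: nc and openssl present).
# openssl s_client performs the STARTTLS handshake itself; the EHLO we then
# feed on stdin is the one that runs inside the TLS session.
probe_plain() { printf 'EHLO probe.example\r\nQUIT\r\n' | nc -w 5 "$1" 25; }
probe_tls() {
    printf 'EHLO probe.example\r\nQUIT\r\n' |
        openssl s_client -quiet -connect "$1:25" -starttls smtp 2>/dev/null
}

# Usage: sh check-auth-tls.sh mail.example.test
if [ "${1:-}" != "" ]; then
    auth_only_over_tls "$(probe_plain "$1")" "$(probe_tls "$1")" &&
        echo "OK: $1 offers AUTH only inside TLS"
fi
```

If the plaintext probe already shows an AUTH line, smtpd_tls_auth_only is not taking effect (check that main.cf was reloaded and that the TLS parameters are actually enabled); if the TLS probe shows no AUTH line at all, smtpd cannot reach saslauthd's mux socket from inside the chroot, which is exactly the problem the steps above address.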
In hindsight I think the main "kicker" as far as the linked HOWTO and
other available stuff I found online are concerned was the need to make
the saslauthd socket file and the pam.d configuration file available to
the chrooted Postfix process.
Aside from a PAM-LDAP setup, I've also set up a PAM-PostgreSQL setup
using similar guidelines, modifying only the /etc/pam.d/smtp and
~postfix/etc/pam.d/smtp files as necessary.
I hope this document helps those trying to set up SMTP AUTH with Postfix
using SASL. Enhancements from those with more experience will be more
than welcome.
--> Jijo
[1] http://postfix.state-of-mind.de/patrick.koetter/smtpauth/
--
Federico Sevilla III : http://jijo.free.net.ph
Network Administrator : The Leather Collection, Inc.
GnuPG Key ID : 0x93B746BE
"When we speak of free software we refer to freedom, not price."
--
Philippine Linux Users' Group (PLUG) Mailing List (#PLUG @ irc.free.net.ph)
Official Website: http://plug.linux.org.ph
Searchable Archives: http://marc.free.net.ph
To leave, go to http://lists.q-linux.com/mailman/listinfo/plug
Are you a Linux newbie? To join the newbie list, go to http://lists.q-linux.com/mailman/listinfo/ph-linux-newbie
