Keywords: debian woody postfix smtp auth

I'm posting this here in case anyone is interested in this sort of thing, plus this way Google will find it. There's lots of help on getting Postfix+SMTP AUTH working on Sid, but the stuff that I was able to find concerning Woody was fragmentary and incomplete.

This document tells how to set up authenticated SMTP using Debian Woody 3.0. I did this since I have a mail server sitting at home plus another machine that travels around a bit, and I got sick of trying to figure out which SMTP server to use for outbound mail at each place I went to. I don't say much about encryption; the existing documentation on that is pretty good.

Here's how you do it:

0) Back up your config files in case stuff breaks.

1) Put the following lines in your main.cf:

    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_local_domain = $myhostname
    broken_sasl_auth_clients = yes
    smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_relay_domains

The first line tells postfix to offer authentication. The second turns off anonymous authentication, since anonymous authentication lets anyone in and effectively turns your machine into an open relay. (Boo!) The third sets the realm for SASL authentication. As far as I can see, this can be just about any nonempty string. The fourth line allows users of broken mail clients (like some from those folk in Redmond) to use authentication too. This can be set to "no" if none of your users run Redmond-ware. The fifth line allows both local (on $mynetworks) and authenticated users to relay mail through your mail server.

2) Set up SASL. Postfix uses SASL to authenticate users. The file /etc/postfix/sasl/smtpd.conf contains the SASL settings for smtpd. Mine looks like this:

    pwcheck_method:pam
    auto_transition:no
    mech_list:PLAIN LOGIN
    minimum_layer:0

This uses PAM for authentication and allows the PLAIN and LOGIN methods of authentication. I don't have any password-hashing authentication methods in here since I wasn't sure how to make those work with PAM without storing users' passwords in the clear. Users like this since their password for sending mail is the same as the one for logging in. Fewer passwords => less hassle. However, since the password is sent across the network unencrypted, this should probably only be used when TLS is enabled.

3) Unchroot smtpd. I know that having smtpd in a chroot jail is good for security. The problem is that postfix needs to access /etc/shadow (or /etc/passwd) to check passwords, so you wind up putting the crown jewels in the chroot area anyway! If you'd like to do so, though, you can copy all the PAM and SASL libraries and the password files into Postfix's jail and then come up with some way to keep it all synchronized. If you're lazy like me, just change

    smtp inet n - - - - smtpd

to

    smtp inet n - n - - smtpd

in /etc/postfix/master.cf.

4) Add the postfix user to the shadow group. Use vigr and append "postfix" to the line starting with "shadow". If you don't do this, smtpd won't be able to read /etc/shadow and so authentication will always fail.

5) Restart postfix.

    # postfix stop; postfix start

6) Test it out. Telnet to your mailserver, port 25, and issue EHLO. You should see a line like

    250-AUTH PLAIN LOGIN

If that's there, fire up a mail client and try to send a message using authentication. If it succeeds, there'll be a line like

    Oct 23 16:24:19 minimeat postfix/smtpd[23811]: 57C5A24090: client=somebox.example.com[10.20.30.40], sasl_method=PLAIN, sasl_username=someuser

in /var/log/mail.info.

If that works, you're good to go. However, I highly recommend getting TLS working, since this setup sends your password in the clear as part of every connection to the mail server.

-- 
Samuel Merritt
OpenPGP key is at http://meat.andcheese.org/~spam/spam_at_andcheese_dot_org.asc
Information about PGP can be found at http://www.mindspring.com/~aegreene/pgp/
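
The check from step 6 and the cleartext caveat, as an added example that is not part of the original post: it parses an EHLO reply, reports PLAIN/LOGIN being offered without STARTTLS, and shows that an AUTH PLAIN token is only base64. The sample reply, the host name mail.example.com and the password are constructed for illustration.

```python
import base64

# Mechanisms that put the password on the wire in reversible form.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}

def parse_ehlo(reply):
    """Return (auth_mechs, starttls_offered) from a multi-line EHLO reply."""
    mechs, starttls = set(), False
    for line in reply.splitlines():
        if not line.startswith("250") or len(line) < 5:
            continue
        upper = line[4:].strip().upper()    # skip "250-" or "250 "
        if upper == "STARTTLS":
            starttls = True
        elif upper.startswith("AUTH ") or upper.startswith("AUTH="):
            # "AUTH=..." is the extra line broken_sasl_auth_clients = yes adds
            mechs.update(upper[5:].split())
    return mechs, starttls

def audit(reply):
    """List configuration findings for one EHLO reply."""
    mechs, starttls = parse_ehlo(reply)
    findings = []
    if not mechs:
        findings.append("AUTH not offered: check smtpd_sasl_auth_enable")
    exposed = sorted(mechs & CLEARTEXT_MECHS)
    if exposed and not starttls:
        findings.append("cleartext mechanisms without STARTTLS: " + " ".join(exposed))
    return findings

def encode_plain(user, password):
    """AUTH PLAIN initial response (RFC 4616): authzid NUL authcid NUL passwd."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()

def decode_plain(token):
    """What anyone observing the connection can recover from that token."""
    _authzid, user, password = base64.b64decode(token).split(b"\0")
    return user.decode(), password.decode()

# Constructed sample: reply from a server configured as in this post, no TLS.
SAMPLE_EHLO = """250-mail.example.com
250-PIPELINING
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME"""

if __name__ == "__main__":
    print(audit(SAMPLE_EHLO))
    print(decode_plain(encode_plain("someuser", "constructed-password")))
```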
