Postfix and SMTP-AUTH
Disclaimer
No liability for the contents of this document can be accepted. Use the concepts, examples and information at your own risk. There may be errors and inaccuracies that could damage your system. Proceed with caution; although this is highly unlikely, the author does not take any responsibility. All copyrights are held by their respective owners, unless specifically noted otherwise. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as an endorsement.
This is a short HowTo on configuring Postfix as a smarthost (mail relay daemon) on an "always" reachable server, and a Postfix daemon for road warriors with dynamic IPs, e.g. on a notebook. I've tested the described configuration on Debian sarge/etch/lenny (Postfix versions 2.3.7-3~bpo.1/2.3.8-2+b1/2.4.6-3), but the Postfix part should also work on other distributions. Please have a look at your SASL capabilities.
Configure the smarthost
The first step is to install the necessary packages and accept the dependencies. I use Debian etch on my smarthost.
aptitude install libsasl2 libsasl2-2 libsasl2-modules sasl2-bin
Now create a SASL config file under /etc/postfix/sasl/ with the same name as the daemon. I only offer CRAM-MD5 and DIGEST-MD5 (see http://www.ietf.org/rfc/rfc2195.txt and http://www.ietf.org/rfc/rfc2831.txt) and use auxprop as the password check method, so smtpd reads the sasldb directly. My clients always use DIGEST-MD5. The passwords are stored in a sasldb, independent of the real accounts on the machine. Both mechanisms are challenge-response: the password itself never crosses the wire, but the server has to keep it in recoverable form, which is why the permissions on the sasldb files below matter.
vi /etc/postfix/sasl/smtpd.conf
log_level: 3
pwcheck_method: auxprop
mech_list: CRAM-MD5 DIGEST-MD5
auxprop_plugin: sasldb
Edit your saslauthd configuration file, /etc/default/saslauthd. Here is the patch:
diff -u /etc/default/saslauthd /etc/default/saslauthd-orig
+++ /etc/default/saslauthd 2007-05-23 11:43:44.000000000 +0200 --- /etc/default/saslauthd-orig 2006-12-13 22:23:00.000000000 +0100 @@ -20,7 +20,7 @@ # for more information. # # Example: MECHANISMS="pam" -MECHANISMS="pam" +MECHANISMS="sasldb" # Additional options for this mechanism. (default: none) # See the saslauthd man page for information about mech-specific options. @@ -35,4 +35,4 @@ # # Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd" # Note: See /usr/share/doc/sasl2-bin/README.Debian -OPTIONS="-c" +OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
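Review bot: the first hunk only changes what saslauthd does, but the smtpd.conf above sets pwcheck_method: auxprop, so Postfix's smtpd looks the user up in sasldb itself and never contacts saslauthd; with this configuration MECHANISMS="sasldb" is exercised only by the testsaslauthd check further down (it would become the real authentication path only with pwcheck_method: saslauthd). Say so next to the patch, otherwise a reader will assume a stopped saslauthd breaks SMTP AUTH on this host. The header is also inconsistent with the command shown: `diff -u /etc/default/saslauthd /etc/default/saslauthd-orig` labels the current file `---` and the original `+++` and prints the change reversed, whereas here the two labels were swapped by hand; generate it as `diff -u /etc/default/saslauthd-orig /etc/default/saslauthd` so that it applies with patch -p0 exactly as shown.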
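Review bot: in the second hunk, `-m /var/spool/postfix/var/run/saslauthd` puts the mux socket inside the Postfix chroot, which only works together with the next step (dpkg-statoverride root:sasl 0710 on that directory and adding postfix to the sasl group), so the two should be presented as one unit. `-c` additionally turns on saslauthd's credential cache, so after a password is changed with saslpasswd2 the old password keeps validating for cached entries until they expire or saslauthd is restarted; that is one more reason to keep the saslauthd restart that follows.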
And now, prepare Postfix and saslauthd for chroot:
dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd
adduser postfix sasl
/etc/init.d/saslauthd restart
Create and test an SMTP-AUTH user and set the right permissions (the sasldb holds cleartext passwords!).
touch /etc/sasldb2
chmod 600 /etc/sasldb2
saslpasswd2 -c -u `postconf -h myhostname` <relayuser>
> Password:
> Again (for verification):
sasldblistusers2
> <relayuser>@<myhostname>: userPassword
cp /etc/sasldb2 /var/spool/postfix/etc/
chmod 640 /var/spool/postfix/etc/sasldb2
chgrp postfix /var/spool/postfix/etc/sasldb2
testsaslauthd -u <relayuser> -r <myhostname> -p <password> -f /var/spool/postfix/var/run/saslauthd/mux
> 0: OK "Success."
The -u argument to saslpasswd2 and the -r argument to testsaslauthd are the SASL realm; both have to be your myhostname. The chrooted smtpd reads the copy under /var/spool/postfix/etc/, not /etc/sasldb2, so repeat the cp (and the chmod/chgrp) after every change made with saslpasswd2.
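The copy step above is easy to forget after the next saslpasswd2 run, and a stale or world-readable copy is the usual reason SMTP AUTH stops working or leaks passwords. The following check is an added example, not part of the original HowTo: it compares the master sasldb with the copy inside the Postfix chroot and verifies the modes and group set above. The default paths are the ones used in this HowTo; every argument can be overridden, which is also how it can be tried out in a temporary directory.

```python
"""Check that the sasldb2 copy inside the Postfix chroot is current and protected the
way the steps above leave it (copy mode 0640 and group postfix, master mode 0600).
Added example, not part of the original HowTo: the defaults are the paths used
above, and every argument can be overridden (e.g. for a dry run in a temp dir)."""
import filecmp
import grp
import os
import stat


def group_name(gid: int) -> str:
    """Group name for a gid, falling back to the number if it is not in /etc/group."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def sasldb_copy_problems(orig="/etc/sasldb2", copy="/var/spool/postfix/etc/sasldb2",
                         group="postfix", copy_mode=0o640):
    """Return a list of findings; an empty list means the chrooted smtpd can use the copy."""
    if not os.path.isfile(orig):
        return [f"{orig} is missing: create a user with saslpasswd2 first"]
    if not os.path.isfile(copy):
        return [f"{copy} is missing: cp {orig} {copy}"]
    problems = []
    # shallow=False compares contents, so a password changed with saslpasswd2 but
    # not copied into the chroot again shows up as stale
    if not filecmp.cmp(orig, copy, shallow=False):
        problems.append(f"{copy} is stale, it differs from {orig}: copy it again")
    st = os.stat(copy)
    mode = stat.S_IMODE(st.st_mode)
    if mode != copy_mode:
        problems.append(f"{copy} has mode {mode:04o}, expected {copy_mode:04o}")
    if group_name(st.st_gid) != group:
        problems.append(f"{copy} has group {group_name(st.st_gid)}, expected {group}")
    # the master copy holds cleartext passwords and is only read by root
    if stat.S_IMODE(os.stat(orig).st_mode) & 0o077:
        problems.append(f"{orig} is readable by group or others: chmod 600 {orig}")
    return problems


if __name__ == "__main__":
    import sys
    findings = sasldb_copy_problems(*sys.argv[1:4])
    print("\n".join(findings) if findings else "ok: chroot copy of sasldb2 is current and protected")
    sys.exit(1 if findings else 0)
```

Run it as root on the smarthost after every saslpasswd2 change; a non-zero exit means the chrooted smtpd is either checking against old passwords or the database is exposed more widely than intended.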
On the smarthost: Edit the main.cf:
smtpd_recipient_restrictions =
    ...
    permit_sasl_authenticated
    permit_mynetworks
    check_sender_access hash:/etc/postfix/disallow_my_domain
    ...
# The elided part must still contain reject_unauth_destination (or an equivalent
# reject), otherwise anyone on the internet can relay through this host.
# SASL: note the smtpd_ prefix; smtp_ parameters belong to the client configuration.
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous, noplaintext
Your smarthost is ready now.
Postfix as client
First install:
apt-get install libsasl2 libsasl2-modules
Edit the main.cf:
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/smtp_auth
# smtp_sasl_security_options defaults to "noplaintext, noanonymous", so the client
# refuses PLAIN/LOGIN and negotiates DIGEST-MD5 or CRAM-MD5 with the smarthost above.
Edit (and postmap) the /etc/postfix/transport:
localhost    local:
...
*            smtp:<your smarthost>:25
# Writing the next-hop as [<your smarthost>]:25 connects to that host directly instead
# of looking up its MX records. If everything except local mail goes to the smarthost,
# relayhost = [<your smarthost>]:25 in main.cf does the same as the * entry.
Edit (and postmap) /etc/postfix/smtp_auth and set restrictive permissions:
<your smarthost>    <username>:<password>

postmap /etc/postfix/smtp_auth
chmod 600 /etc/postfix/smtp_auth /etc/postfix/smtp_auth.db
postfix reload
postmap writes the password into /etc/postfix/smtp_auth.db as well, so both files need the restrictive mode. Postfix looks the entry up by the next-hop destination from the transport map (or relayhost) and by the remote server's host name, so spell the key here the same way as in the transport map, including [] and :port if you use them there.
The following SMTP conversation shows a connection between my Postfix client and my Postfix smarthost:
220 mail.d7031.de ESMTP Postfix (Debian/GNU)
EHLO spock.d7031.de
250-mail.d7031.de
250-PIPELINING
250-SIZE 31457280
250-VRFY
250-AUTH DIGEST-MD5 CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH DIGEST-MD5
334 bm9uY2U9IjF1b2dZTG1abG13UVNsVkVLbDNlR2pHOFM......
334 cnNwYXV0aD1hNjZjNDU4Nm.....
235 2.0.0 Authentication successful
MAIL FROM:<tom@d7031.de> SIZE=575 AUTH=<>
RCPT TO:<Tom.Geissler@d7031.de> ORCPT=rfc822;Tom.Geissler@d7031.de
DATA
250 2.1.0 Ok
250 2.1.5 Ok
354 End data with <CR><LF>.<CR><LF>
Received: by spock.d7031.de (Postfix, from userid 1000)
        id 01BE33B930; Thu, 31 May 2007 20:29:40 +0200 (CEST)
Date: Thu, 31 May 2007 20:29:40 +0200
From: Tom Geissler <tom@d7031.de>
To: Tom Geissler <Tom.Geissler@d7031.de>
Subject: Testmail
Message-ID: <20070531182940.GA2617@d7031.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
X-Url: <http://www.gnu.org/>
X-Operating-System: Debian GNU/Linux
X-message-flag: Please send plain text messages only. Thank you.
User-Agent: Mutt/1.5.13 (2006-08-11)

Test
.
QUIT
250 2.0.0 Ok: queued as 3DBC21319440
221 2.0.0 Bye
The interesting parts are the lines beginning with 334. They are base64 encoded. The first one is the server's challenge and decodes to something like this (the nonce is shortened here):
nonce="1uogYL.........",realm="mail.d7031.de",qop="auth",charset=utf-8,algorithm=md5-sess
The second 334 line is the server's final challenge; decoded it reads rspauth=a66c4586..., the server's proof that it knows the same password (mutual authentication). The client's own answer, a base64 line carrying username, realm, nonce, cnonce, nc, digest-uri and its response digest, is sent between the two 334 lines, and an empty line follows the rspauth check; neither appears in the capture above.
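The following Python script is an added example, not part of the original HowTo, that carries out the DIGEST-MD5 computation behind the two 334 lines above, plus the CRAM-MD5 reply the smarthost also accepts. The realm and digest-uri (smtp/mail.d7031.de) follow the page; the user name, password, nonce and cnonce are constructed, since the real nonce on the page is truncated. It runs both sides: the client answers the challenge, the server verifies it from the stored password and returns rspauth, and the client checks that rspauth, so a wrong password fails in either direction.

```python
"""DIGEST-MD5 (RFC 2831) and CRAM-MD5 (RFC 2195), the two mechanisms the smarthost
above advertises: the client's reply to the first 334 line, the server-side check,
and the rspauth proof carried in the second 334 line.  Added example, not code from
the original HowTo; realm and digest-uri follow the page, user name, password, nonce
and cnonce are constructed."""
import base64
import hashlib
import hmac
import re


def b64e(s: str) -> str:
    return base64.b64encode(s.encode("utf-8")).decode("ascii")


def b64d(s: str) -> str:
    return base64.b64decode(s).decode("utf-8")


_PAIR = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|[^,]*)')


def parse_digest(text: str) -> dict:
    """Split a decoded challenge/response into key=value pairs (quotes removed)."""
    out = {}
    for key, val in _PAIR.findall(text):
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1].replace('\\"', '"')
        out[key] = val
    return out


def _digests(username, realm, password, nonce, cnonce, nc, digest_uri):
    """(response, rspauth) for qop=auth, algorithm=md5-sess (RFC 2831 section 2.1.2.1).
    Both sides need the cleartext password for H(user:realm:pass), which is why the
    sasldb stores it recoverably and has to be protected."""
    inner = hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()  # raw 16 bytes, not hex
    ha1 = hashlib.md5(inner + f":{nonce}:{cnonce}".encode("utf-8")).hexdigest()

    def kd(a2: str) -> str:
        ha2 = hashlib.md5(a2.encode("utf-8")).hexdigest()
        return hashlib.md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}".encode("utf-8")).hexdigest()

    # the client's A2 carries the method, the server's (rspauth) does not, so they differ
    return kd(f"AUTHENTICATE:{digest_uri}"), kd(f":{digest_uri}")


def client_response(username, password, challenge_b64, cnonce, digest_uri, nc="00000001"):
    """Client side: decode the server's first 334 line and build the reply line."""
    ch = parse_digest(b64d(challenge_b64))
    realm, nonce = ch["realm"], ch["nonce"]
    response, _ = _digests(username, realm, password, nonce, cnonce, nc, digest_uri)
    return b64e(f'charset=utf-8,username="{username}",realm="{realm}",nonce="{nonce}",'
                f'nc={nc},cnonce="{cnonce}",digest-uri="{digest_uri}",response={response},qop=auth')


def server_verify(stored_password, nonce, response_b64):
    """Server side: recompute from the stored password.  Returns the base64
    'rspauth=...' line on success, None on bad password, wrong nonce or unsupported qop."""
    r = parse_digest(b64d(response_b64))
    if r.get("nonce") != nonce or r.get("qop", "auth") != "auth":
        return None
    try:
        expected, rspauth = _digests(r["username"], r["realm"], stored_password, nonce,
                                     r["cnonce"], r["nc"], r["digest-uri"])
    except KeyError:
        return None
    if not hmac.compare_digest(expected.encode(), r.get("response", "").encode()):
        return None
    return b64e(f"rspauth={rspauth}")


def client_check_rspauth(username, password, challenge_b64, cnonce, digest_uri, rspauth_b64, nc="00000001"):
    """Client side: verify the server knew the password too (mutual authentication)."""
    ch = parse_digest(b64d(challenge_b64))
    _, expected = _digests(username, ch["realm"], password, ch["nonce"], cnonce, nc, digest_uri)
    got = parse_digest(b64d(rspauth_b64)).get("rspauth", "")
    return hmac.compare_digest(expected.encode(), got.encode())


def cram_md5_response(username, password, challenge_b64):
    """CRAM-MD5: 'user hex(HMAC-MD5(password, challenge))', base64 encoded."""
    mac = hmac.new(password.encode("utf-8"), base64.b64decode(challenge_b64), hashlib.md5).hexdigest()
    return b64e(f"{username} {mac}")


# Constructed exchange shaped like the one on the page (nonce, cnonce and secret are made up).
USER, SECRET, URI, CNONCE = "relayuser", "s3cret-relay-pw", "smtp/mail.d7031.de", "c0ffee4242"
NONCE = "constructed-nonce-1"
CHALLENGE = b64e(f'nonce="{NONCE}",realm="mail.d7031.de",qop="auth",charset=utf-8,algorithm=md5-sess')


def run_exchange(client_password, server_password):
    """Both sides: (server accepted the client, client accepted the server's rspauth)."""
    reply = client_response(USER, client_password, CHALLENGE, CNONCE, URI)
    rspauth_line = server_verify(server_password, NONCE, reply)
    if rspauth_line is None:
        return False, False
    return True, client_check_rspauth(USER, client_password, CHALLENGE, CNONCE, URI, rspauth_line)


if __name__ == "__main__":
    reply = client_response(USER, SECRET, CHALLENGE, CNONCE, URI)
    print("S: 334", CHALLENGE)
    print("C:    ", reply)
    print("S: 334", server_verify(SECRET, NONCE, reply))
    print("good password:", run_exchange(SECRET, SECRET), " wrong password:", run_exchange("guess", SECRET))
```

The point for the set-up above: server_verify needs the cleartext password for the inner H(user:realm:pass), which is exactly why the sasldb stores it recoverably and why the chrooted copy has to stay at mode 640, group postfix. The mechanisms protect only the authentication step, not the mail itself, and anyone who captures nonce, cnonce and response can run an offline dictionary attack against the password, so the scheme is only as strong as the passwords in the sasldb. DIGEST-MD5 has since been moved to Historic status by RFC 6331; current deployments use TLS with PLAIN or SCRAM instead.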
That's all. :-)
Copyright and License
This document, Postfix and SMTP-AUTH, is copyrighted (c) by Tom Geißler.
last change: 17.03.2008
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license is available at http://www.gnu.org/copyleft/fdl.html.