====== SMTP authentication and Postfix ======

====== Introduction ======

The original idea of this page was a quick and dirty howto on setting up SMTP authentication on Postfix. However, it turned out that there was no quick way to achieve what I wanted (passwords that are not sent in the clear over an unencrypted link, using Courier IMAP as the password database). It also turned out that I was running a non-standard Postfix (it wasn't chrooted). Therefore, as SMTP AUTH and SASL have always been something of a black art to me, I have written down a few things that I discovered, together with a quick and dirty howto on setting up a basic SASL database.

The first thing I should recommend is that one of the easiest ways to achieve SMTP authentication is to authenticate against an IMAP server, and that Dovecot (or so I have read) is the easiest way to get this up and running. As it is, I am running Courier and didn't have the time to migrate, although I will certainly consider it in the future. If you can't do the above, read on!

SASL comes in two flavours: an authentication daemon (saslauthd) that can authenticate against a variety of sources (including an IMAP server and a passwd file), and the auxprop library path that authenticates against a single file database (sasldb2). My aim was to set up the daemon to authenticate against my IMAP server (which was easy, see below), but it transpired that saslauthd only supports the plaintext mechanisms (PLAIN and LOGIN), not CRAM-MD5 or DIGEST-MD5. The reason is that saslauthd only answers the question "is this username/password pair valid?", whereas the challenge-response mechanisms need the server to recompute a digest from the stored password, which means the authentication from a client would be done in plain text (base64 is an encoding, not encryption) over the internet, which is far from ideal. I therefore opted for the sasldb2 database, which again was fairly easy to set up, but requires its own set of users to be created.

A caveat worth knowing before choosing: CRAM-MD5 and DIGEST-MD5 keep the password itself away from a passive eavesdropper, but they do nothing for the message content, they do not protect against an active attacker on the path, and they require the server to keep the plaintext-equivalent secret in sasldb2. The usual modern arrangement is STARTTLS with ''%%smtpd_tls_auth_only = yes%%'' in main.cf, after which PLAIN/LOGIN (and therefore saslauthd against IMAP) are perfectly acceptable because the whole session is encrypted. The rest of this page describes the non-TLS setup I actually did.

====== Sasldb2 database ======

Quick and dirty instructions on setting up Postfix authentication against a SASL database.

Install the SASL library and tools (sasl2-bin is needed: it provides ''%%saslpasswd2%%'' and ''%%sasldblistusers2%%''):

<code>
apt-get install libsasl2-2
apt-get install sasl2-bin
</code>
Edit /etc/postfix/main.cf and add the following lines:

<code>
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
</code>

  * Add ''%%permit_sasl_authenticated%%'' to ''%%smtpd_recipient_restrictions%%''.
  * You will also need to add ''%%permit_sasl_authenticated%%'' to ''%%smtpd_client_restrictions%%'', placed before the ''%%reject_rbl_client%%'' entries, if you use a DNS blacklist. Otherwise an authenticated client sending from a dialup/dynamic network will be rejected by the blacklist check regardless of having authenticated.

Edit /etc/postfix/sasl/smtpd.conf:

<code>
pwcheck_method: auxprop
mech_list: CRAM-MD5 DIGEST-MD5
</code>

Set up the SASL database file. The realm given with ''%%-u%%'' must match ''%%smtpd_sasl_local_domain%%'', so replace realm.domain.com with the value of $myhostname from the postfix main.cf:

<code>
saslpasswd2 -c -u realm.domain.com -a smtpauth username
</code>

Allow postfix to read the database:

<code>
chown postfix.sasl /etc/sasldb2
</code>

  * If your Postfix is chrooted (the Debian default), smtpd cannot see /etc/sasldb2; the chroot arrangement is described in the Postfix SASL_README (referenced below).

Reload postfix and test!

<code>
postfix reload
</code>

====== saslauthd and IMAP authentication ======

Quick and dirty instructions on setting up Postfix authentication against the SASL daemon. Note that this will not work for CRAM-MD5 or DIGEST-MD5 (you will get the cryptic error message "SASL authentication failure: no secret in database"): those mechanisms need the stored password on the server side to recompute the client's digest, and saslauthd can only verify a plaintext username/password pair.
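To make the "no secret in database" error and the plaintext concern from the introduction concrete, here is an added example (not code from the original page, Postfix or Cyrus SASL) that runs both sides of the PLAIN and CRAM-MD5 exchanges. The credentials, hostname and the ''%%lookup_password%%'' callback that stands in for the sasldb2 lookup are constructed assumptions; the CRAM-MD5 vector is the one published in RFC 2195.

```python
"""Added example: what the wire carries for PLAIN versus CRAM-MD5, and why the
server side of CRAM-MD5 needs the plaintext secret that saslauthd cannot supply.
Not part of the original page; credentials and hostname are constructed."""
import base64
import hashlib
import hmac
import secrets
import time

# Constructed sample credentials (not real accounts).
SAMPLE_USER = "test"
SAMPLE_PASSWORD = "testpass"


def plain_token(username: str, password: str, authzid: str = "") -> str:
    """Base64 argument for 'AUTH PLAIN' (RFC 4616: authzid NUL authcid NUL passwd).
    This is exactly the string you paste after AUTH PLAIN in a telnet test."""
    raw = f"{authzid}\0{username}\0{password}".encode()
    return base64.b64encode(raw).decode()


def decode_plain_token(token: str) -> tuple[str, str, str]:
    """What a passive observer recovers from an unencrypted PLAIN exchange:
    base64 is an encoding, not encryption."""
    authzid, authcid, passwd = base64.b64decode(token).decode().split("\0")
    return authzid, authcid, passwd


def cram_md5_challenge(hostname: str) -> str:
    """Server side: a one-time challenge in the customary <random.time@host> form (RFC 2195)."""
    return f"<{secrets.randbits(32)}.{int(time.time())}@{hostname}>"


def cram_md5_digest(challenge: str, password: str) -> str:
    """HEX(HMAC-MD5(key=password, text=challenge)), as both ends compute it."""
    return hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()


def cram_md5_response(challenge: str, username: str, password: str) -> str:
    """Client side: 'username HEX(HMAC-MD5(password, challenge))'.
    The password itself never leaves the client."""
    return f"{username} {cram_md5_digest(challenge, password)}"


def cram_md5_verify(challenge: str, response: str, lookup_password) -> bool:
    """Server side: recompute the digest from the STORED plaintext password.
    lookup_password(username) stands in for the sasldb2 auxprop lookup (an
    assumed callback). saslauthd only answers 'is this user/password valid?',
    so it can never perform this step: that is the 'no secret in database' failure."""
    try:
        username, digest = response.split(" ", 1)
    except ValueError:
        return False
    stored = lookup_password(username)
    if stored is None:
        return False
    expected = cram_md5_digest(challenge, stored)
    return hmac.compare_digest(expected, digest)


def cram_md5_exchange(username, password, lookup_password, hostname="mail.example.com"):
    """Run both sides over a simulated SMTP dialogue; returns (wire_lines, accepted).
    Everything on the wire is base64, as in a real AUTH CRAM-MD5 session."""
    challenge = cram_md5_challenge(hostname)
    server_line = "334 " + base64.b64encode(challenge.encode()).decode()
    client_line = base64.b64encode(
        cram_md5_response(challenge, username, password).encode()).decode()
    accepted = cram_md5_verify(
        challenge, base64.b64decode(client_line).decode(), lookup_password)
    return [server_line, client_line], accepted


if __name__ == "__main__":
    token = plain_token(SAMPLE_USER, SAMPLE_PASSWORD)
    print("AUTH PLAIN", token, "->", decode_plain_token(token))
    db = {SAMPLE_USER: SAMPLE_PASSWORD}          # stands in for /etc/sasldb2
    lines, ok = cram_md5_exchange(SAMPLE_USER, SAMPLE_PASSWORD, db.get)
    print("\n".join(lines), "\naccepted:", ok)
```

Running it shows the PLAIN token decoding straight back to the password, while the CRAM-MD5 client line only carries an HMAC that the server can check solely because it holds the stored password; swap ''%%db.get%%'' for something that can only say yes/no (which is all saslauthd offers) and the verification step has nothing to compute with.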
Install the SASL library and the authentication daemon:

<code>
apt-get install libsasl2-2
apt-get install sasl2-bin
</code>

Edit /etc/postfix/main.cf and add the following lines:

<code>
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
</code>

  * Add ''%%permit_sasl_authenticated%%'' to ''%%smtpd_recipient_restrictions%%'', or if it doesn't exist, add ''%%smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination%%''.

Edit /etc/postfix/sasl/smtpd.conf (saslauthd can only verify plaintext credentials, hence the mechanism list):

<code>
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
</code>

Edit /etc/default/saslauthd (''%%rimap%%'' means authenticate against an IMAP server, and ''%%MECH_OPTIONS%%'' names that server; see ''%%man saslauthd%%'' for other options):

<code>
START=yes
MECHANISMS="rimap"
MECH_OPTIONS="localhost"
</code>

  * If you are running postfix in a chroot (the default for Debian), see /usr/share/doc/sasl2-bin/README.Debian for where the saslauthd socket has to live.

Allow postfix to access the SASL socket:

<code>
adduser postfix sasl
</code>

Start saslauthd:

<code>
/etc/init.d/saslauthd start
</code>

Reload postfix and test!

<code>
postfix reload
</code>

====== Debugging ======

  * To test the saslauthd method:
    - Use the telnet method as described in the second reference below
    - Use ''%%testsaslauthd -u username -p password%%'' to test the daemon directly
  * Use ''%%sasldblistusers2%%'' to check the contents of the SASL database

====== References ======

I found all the following pages useful:

  * http://postfix.state-of-mind.de/patrick.koetter/smtpauth/
  * http://www.postfix.org/SASL_README.html
  * http://www.jimmy.co.at/weblog/?p=52
  * http://www.rmacd.com/howto/saslauthd-postfix-debian-etch-configuration.php