SMTP authentication and Postfix
Introduction
The original idea of this page was a quick and dirty howto on setting up SMTP authentication on Postfix. However, it turned out that there was no quick way to achieve what I wanted (encrypted passwords over an unencrypted link, using Courier IMAP as the password database). It also turned out that I was running a non-standard Postfix (it wasn't chrooted). Therefore, as SMTP AUTH and SASL have always been something of a black art to me, I have written down a few things I discovered, as well as a quick and dirty howto on setting up a basic SASL database.
The first thing I should recommend is that one of the easiest ways to achieve SMTP authentication is to authenticate against an IMAP server, and that Dovecot (or so I have read) is the easiest way to get up and running. As it is, I am running Courier and didn't have the time to migrate, although I will certainly consider it in the future.
If you can't do the above, read on!
SASL comes in two flavours: an authentication daemon (saslauthd) that can authenticate against a variety of sources (including IMAP and a passwd file), and a library that can authenticate against a single file database. My aim was to set up the daemon to authenticate against my IMAP server (which was easy to set up, see below), but it transpired that saslauthd supports neither CRAM-MD5 nor DIGEST-MD5, meaning that the authentication from a client would be done in near-plain text over the internet, which is far from ideal. I therefore opted for the sasldb2 database, which again was fairly easy to set up, but requires its own set of users to be created.
Sasldb2 database
Quick and dirty instructions on setting up Postfix authentication against a SASL database.
Install SASL libraries:
apt-get install libsasl2
apt-get install sasl2-bin (is this needed?)
Edit /etc/postfix/main.cf and add the following lines:
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
- Add permit_sasl_authenticated to smtpd_recipient_restrictions
- You will also need to add permit_sasl_authenticated to smtpd_client_restrictions if using a DNS blacklist (otherwise a client sending from a listed dialup network will be rejected regardless of whether it has authenticated).
Edit /etc/postfix/sasl/smtpd.conf:
pwcheck_method: auxprop
mech_list: CRAM-MD5 DIGEST-MD5
Set up the SASL database file, replacing realm.domain.com with the value of $myhostname from the Postfix main.cf:
saslpasswd2 -c -u realm.domain.com -a smtpauth username
Allow postfix to access the database:
chown postfix.sasl /etc/sasldb2
Reload postfix and test!
postfix reload
saslauthd and IMAP authentication
Quick and dirty instructions on setting up Postfix authentication against the SASL daemon. Note that this will not work for CRAM-MD5 or DIGEST-MD5 (you will get the cryptic error message “SASL authentication failure: no secret in database”).
Install SASL libraries and auth daemon:
apt-get install libsasl2-2
apt-get install sasl2-bin
Edit /etc/postfix/main.cf and add the following lines:
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
- Add permit_sasl_authenticated to smtpd_recipient_restrictions, or if it doesn't exist, add:
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
Edit /etc/postfix/sasl/smtpd.conf:
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
Edit /etc/default/saslauthd (rimap means authenticate against an IMAP server; see man saslauthd for other options):
START=yes
MECHANISMS="rimap"
MECH_OPTIONS="localhost"
- If you are running Postfix in a chroot (the default on Debian), see /usr/share/doc/sasl2-bin/README.Debian
Allow postfix to access the SASL socket:
adduser postfix sasl
Start saslauthd:
/etc/init.d/saslauthd start
Reload postfix and test!
postfix reload
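Before reloading Postfix, it is worth checking that the smtpd.conf and main.cf settings from the two procedures above agree with each other. The script below is an added example, not code from this page: it parses the two files as text and reports the mismatches the page describes (saslauthd combined with CRAM-MD5/DIGEST-MD5, PLAIN/LOGIN offered on a clear link, permit_sasl_authenticated missing or placed after reject_rbl_client). The file contents are constructed samples; smtpd_tls_auth_only is a real Postfix parameter that this page does not discuss, used here as the check for whether PLAIN/LOGIN is acceptable.

```python
"""Consistency check for the Postfix + SASL settings described on this page.

Added example, not the page's own code. Sample file contents are constructed.
"""
import re

SHARED_SECRET_MECHS = {"CRAM-MD5", "DIGEST-MD5"}   # server must hold the secret
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}               # password crosses the link as-is


def parse_kv(text, sep):
    """Parse 'key: value' (smtpd.conf) or 'key = value' (main.cf) text.
    Indented lines continue the previous value; '#' lines are comments."""
    conf, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:      # main.cf continuation line
            conf[last] += " " + raw.strip()
            continue
        key, _, value = raw.partition(sep)
        last = key.strip()
        conf[last] = value.strip()
    return conf


def _split_restrictions(value):
    return [r for r in re.split(r"[,\s]+", value) if r]


def check_sasl_setup(smtpd_conf_text, main_cf_text):
    """Return a list of findings; an empty list means the setup is consistent."""
    smtpd = parse_kv(smtpd_conf_text, ":")
    main = parse_kv(main_cf_text, "=")
    findings = []

    mechs = set(smtpd.get("mech_list", "").upper().split())
    pwcheck = smtpd.get("pwcheck_method", "").lower()

    # saslauthd can only answer "is this password right?"; it stores no secret,
    # so challenge/response mechanisms fail with "no secret in database".
    bad = sorted(mechs & SHARED_SECRET_MECHS)
    if pwcheck == "saslauthd" and bad:
        findings.append("saslauthd cannot serve " + ", ".join(bad)
                        + ": it holds no secret (expect 'no secret in database')")

    # PLAIN/LOGIN hand the password to anyone on the path unless AUTH is
    # restricted to TLS sessions (smtpd_tls_auth_only, not covered on the page).
    if mechs & PLAINTEXT_MECHS and main.get("smtpd_tls_auth_only", "no").lower() != "yes":
        findings.append("PLAIN/LOGIN offered without smtpd_tls_auth_only = yes: "
                        "the password crosses the link in clear text")

    if main.get("smtpd_sasl_auth_enable", "no").lower() != "yes":
        findings.append("smtpd_sasl_auth_enable is not yes: AUTH will not be advertised")

    recipient = _split_restrictions(main.get("smtpd_recipient_restrictions", ""))
    if "permit_sasl_authenticated" not in recipient:
        findings.append("permit_sasl_authenticated missing from "
                        "smtpd_recipient_restrictions: authenticated users cannot relay")

    # The DNS blacklist caveat from the page: permit_sasl_authenticated has to
    # come before reject_rbl_client or listed dialup clients are rejected anyway.
    client = _split_restrictions(main.get("smtpd_client_restrictions", ""))
    rbl = [i for i, r in enumerate(client) if r.startswith("reject_rbl_client")]
    if rbl and "permit_sasl_authenticated" not in client[:rbl[0]]:
        findings.append("reject_rbl_client precedes permit_sasl_authenticated in "
                        "smtpd_client_restrictions: listed clients are rejected even "
                        "when they authenticate")
    return findings


# Constructed sample files mirroring the two procedures on this page.
SMTPD_CONF_SASLDB = "pwcheck_method: auxprop\nmech_list: CRAM-MD5 DIGEST-MD5\n"
SMTPD_CONF_SASLAUTHD = "pwcheck_method: saslauthd\nmech_list: PLAIN LOGIN\n"
SMTPD_CONF_BROKEN = "pwcheck_method: saslauthd\nmech_list: CRAM-MD5 DIGEST-MD5\n"
MAIN_CF = """# constructed excerpt of /etc/postfix/main.cf
myhostname = mail.example.invalid
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
smtpd_client_restrictions = permit_sasl_authenticated, reject_rbl_client dnsbl.example.invalid
"""

if __name__ == "__main__":
    for name, conf in (("sasldb2", SMTPD_CONF_SASLDB),
                       ("saslauthd", SMTPD_CONF_SASLAUTHD),
                       ("saslauthd+CRAM", SMTPD_CONF_BROKEN)):
        print(name, "->", check_sasl_setup(conf, MAIN_CF) or "OK")
```

Run it against your own files with `check_sasl_setup(open("/etc/postfix/sasl/smtpd.conf").read(), open("/etc/postfix/main.cf").read())`; the parser only handles the simple `key = value` form with indented continuations, which is all the settings on this page use.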
Debugging
- Use the following to test the saslauthd method:
- Use the telnet method as described in the second reference below
- Use testsaslauthd -u username -p password to test the daemon
- Use sasldblistusers2 to test the SASL database
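For the telnet test above, and to make concrete the point from the introduction that saslauthd only serves PLAIN/LOGIN while the sasldb2 route allows CRAM-MD5, the following added example (not code from this page) builds the client side of both exchanges as specified in RFC 4616 (PLAIN) and RFC 2195 (CRAM-MD5), and implements the server-side CRAM-MD5 verification to show why it needs the stored plain-text secret. The username, password and server challenge are constructed values.

```python
"""AUTH PLAIN versus AUTH CRAM-MD5: what each puts on the wire and what the
server needs in order to verify it. Added example, not the page's own code.
"""
import base64
import hashlib
import hmac


def auth_plain_token(username, password, authzid=""):
    """Client line after 'AUTH PLAIN': base64(authzid NUL authcid NUL password)."""
    raw = "\0".join((authzid, username, password)).encode()
    return base64.b64encode(raw).decode()


def recover_plain_credentials(token):
    """What anyone watching an unencrypted session learns from a PLAIN token."""
    _authzid, username, password = base64.b64decode(token).decode().split("\0")
    return username, password


def cram_md5_response(username, password, server_challenge_b64):
    """Client reply to the server's base64 challenge: base64('user hex-HMAC').
    The password never leaves the client; only the keyed digest does."""
    challenge = base64.b64decode(server_challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()


def verify_cram_md5(response_b64, server_challenge_b64, secret_lookup):
    """Server side. secret_lookup(user) must return the stored plain-text
    secret (this is what sasldb2 holds). A backend such as saslauthd with
    rimap can only ask an IMAP server 'is this password right?', so it has
    nothing to feed into the HMAC: that is the 'no secret in database' error."""
    username, _digest = base64.b64decode(response_b64).decode().rsplit(" ", 1)
    secret = secret_lookup(username)
    if secret is None:
        return False
    expected = cram_md5_response(username, secret, server_challenge_b64)
    return hmac.compare_digest(expected, response_b64)


# Constructed stand-ins: a sasldb2-style secret store and an RFC 2195 challenge.
SECRET_DB = {"alice": "correct horse"}
CHALLENGE = base64.b64encode(b"<1896.697170952@mail.example.invalid>").decode()

if __name__ == "__main__":
    token = auth_plain_token("alice", "correct horse")
    print("AUTH PLAIN", token)
    print("observer recovers:", recover_plain_credentials(token))
    resp = cram_md5_response("alice", "correct horse", CHALLENGE)
    print("AUTH CRAM-MD5 reply:", resp)
    print("server verdict:", verify_cram_md5(resp, CHALLENGE, SECRET_DB.get))
```

When typing the telnet test, paste the output of `auth_plain_token` after `AUTH PLAIN`, or reply to the server's 334 line with `cram_md5_response` computed over the challenge it sent.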