This document is released under the Creative Commons Attribution-NonCommercial-NoDerivs 2.5 licence.
The present document describes my experience with enabling SMTP-AUTH on Postfix using the latest Debian stable (sarge) packages.
You are running Debian Sarge (3.1).
Your mail server is hosting multiple domains as described in http://www.postfix.org/VIRTUAL_README.html
You are using MySQL as a backend for user authentication as described
in http://www.postfix.org/MYSQL_README.html
Your users can authenticate on your pop3/imap server as:
user test@test.com
pass test123
You want to allow them to authenticate with SMTP-AUTH using the very
same credentials.
The passwords of your users' pop3/imap accounts are stored in the
database hashed (MD5 in this example), not in clear text.
You want to authenticate on a secure channel (TLS).
You want to run Postfix's "smtp" service chroot'ed, i.e. the chroot column (the fifth field) of its line in /etc/postfix/master.cf is "-" (the default, which is "yes") or "y", as in the Debian default:
smtp inet n - - - - smtpd
Install the following packages:
# apt-get install postfix-tls sasl2-bin libsasl2 libsasl2-modules libpam-mysql openssl
Create /etc/pam.d/smtp ("smtp" is the SASL service name Postfix's smtpd passes on, and saslauthd uses it as the PAM service name) with the following content:
auth required pam_mysql.so user=postfix passwd=yourpass host=127.0.0.1 db=postfix table=mailbox usercolumn=username passwdcolumn=password crypt=1 md5=1
account sufficient pam_mysql.so user=postfix passwd=yourpass host=127.0.0.1 db=postfix table=mailbox usercolumn=username passwdcolumn=password crypt=1 md5=1
Change "yourpass" to match your grant table, and keep the crypt/md5 options consistent with how the passwords in the mailbox table are actually hashed: if they do not match, every login fails and /var/log/auth.log shows it. This file carries the database password and is read only by saslauthd, which runs as root, so make it owned by root with mode 0600.
Create /etc/postfix/sasl/smtpd.conf with the following content:
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
log_level: 5
Edit the file /etc/default/saslauthd, change START to "yes" and MECHANISMS to "pam".
Edit the file /etc/init.d/saslauthd and add the "-r" flag to PARAMS, like this:
PARAMS="${PARAMS} -a ${MECHANISMS} -r"
Move saslauthd's socket directory inside Postfix's chroot and leave a symlink at the old location, so that the chroot'ed smtpd can reach the socket while tools that use the default path (such as testsaslauthd) keep working. Do this while saslauthd is not running:
# mv /var/run/saslauthd /var/spool/postfix/var/run/saslauthd
# ln -s /var/spool/postfix/var/run/saslauthd /var/run/saslauthd
Add the postfix user to the sasl group (the socket directory is accessible only to group sasl, and smtpd runs as user postfix):
# adduser postfix sasl
Add the following lines to /etc/postfix/main.cf:
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
Also add "permit_sasl_authenticated" to "smtpd_recipient_restrictions", and put it before "reject_unauth_destination": restrictions are evaluated in order, so an authenticated client that hits reject_unauth_destination first is refused with "Relay access denied", while a list that lacks reject_unauth_destination altogether is an open relay. A typical value is "permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination".
Open /etc/init.d/postfix, search for the FILES variable and add etc/postfix/sasl/smtpd.conf to the list:
FILES="etc/localtime etc/services etc/resolv.conf etc/hosts \
etc/nsswitch.conf etc/postfix/sasl/smtpd.conf"
Restart Postfix and start saslauthd:
# /etc/init.d/postfix restart
# /etc/init.d/saslauthd start
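To confirm that the chain just built actually works before touching TLS, here is an added check script; it is not part of the original HOWTO. It assumes the socket path and PAM file used above (/var/spool/postfix/var/run/saslauthd/mux and /etc/pam.d/smtp), the test account test@test.com / test123, and that it is run as root on the mail server; the function names (check_relay_restrictions, verify_sasl_chain) are my own. check_relay_restrictions is a pure check on the value of smtpd_recipient_restrictions and can be run anywhere; verify_sasl_chain follows the same path Postfix takes (mux socket, saslauthd with -r, PAM, pam_mysql) using testsaslauthd.

```shell
#!/bin/sh
# Added example (not from the original HOWTO): verify the SASL chain.
# Assumptions: saslauthd socket at /var/spool/postfix/var/run/saslauthd/mux,
# PAM stanza in /etc/pam.d/smtp, test account test@test.com / test123.

# Pure check on smtpd_recipient_restrictions: SASL users may relay only if
# permit_sasl_authenticated is evaluated BEFORE reject_unauth_destination,
# and reject_unauth_destination must be present or the box is an open relay.
# Accepts the comma/space separated value as printed by "postconf -h".
check_relay_restrictions() {
    local pos=0 sasl_pos='' reject_pos='' r
    for r in $(printf '%s' "$1" | tr ',' ' '); do
        pos=$((pos + 1))
        case "$r" in
            permit_sasl_authenticated) [ -n "$sasl_pos" ] || sasl_pos=$pos ;;
            reject_unauth_destination) [ -n "$reject_pos" ] || reject_pos=$pos ;;
        esac
    done
    if [ -z "$reject_pos" ]; then
        echo "UNSAFE: reject_unauth_destination missing (open relay)" >&2; return 1
    fi
    if [ -z "$sasl_pos" ]; then
        echo "permit_sasl_authenticated missing: SASL users cannot relay" >&2; return 1
    fi
    if [ "$sasl_pos" -gt "$reject_pos" ]; then
        echo "permit_sasl_authenticated after reject_unauth_destination: SASL users get 'Relay access denied'" >&2
        return 1
    fi
    return 0
}

# Live checks; run as root on the mail server: verify_sasl_chain test test.com test123
verify_sasl_chain() {
    user=$1 realm=$2 pass=$3
    sock=/var/spool/postfix/var/run/saslauthd/mux
    # the chroot'ed smtpd can only reach a socket below /var/spool/postfix
    [ -S "$sock" ] || { echo "no saslauthd socket inside the chroot at $sock"; return 1; }
    # smtpd runs as "postfix"; the socket directory is group sasl, not world-accessible
    id -nG postfix | grep -qw sasl || echo "WARNING: postfix is not in group sasl"
    # the pam_mysql lines carry the DB password; saslauthd (root) is the only reader
    [ "$(stat -c %a /etc/pam.d/smtp)" = 600 ] || echo "WARNING: /etc/pam.d/smtp is readable by others"
    # same path Postfix takes: mux socket -> saslauthd (-r joins user@realm) -> PAM -> pam_mysql
    testsaslauthd -f "$sock" -s smtp -u "$user" -r "$realm" -p "$pass" || return 1
    check_relay_restrictions "$(postconf -h smtpd_recipient_restrictions)"
}

case "${1:-}" in
    "") ;;   # no arguments: only define the functions (e.g. when sourced)
    *) verify_sasl_chain "$1" "$2" "$3" ;;
esac
```

testsaslauthd is given the user and realm separately so that saslauthd's -r flag is exercised the way it is when Postfix hands over "test@test.com"; if this step fails, /var/log/auth.log shows whether PAM or pam_mysql rejected the login.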
Finally create the key and certificate needed by TLS. smtpd_tls_CAfile only makes sense if cacert.pem has actually signed smtpd.crt, so create the CA first and use it to sign the server certificate, rather than self-signing smtpd.crt with its own key. Use 2048-bit keys; 1024-bit RSA is no longer considered adequate.
# mkdir /etc/postfix/tls
# cd /etc/postfix/tls
Create the CA certificate and key (keep cakey.pem passphrase-protected; it is only needed when signing):
# openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
Create the server key and certificate request. Postfix cannot prompt for a passphrase, so generate the key unencrypted (generating it with -des3 and then stripping the passphrase with "openssl rsa" ends up in the same place). When asked for the Common Name, enter the host name your mail clients connect to.
# openssl genrsa -out smtpd.key 2048
# openssl req -new -key smtpd.key -out smtpd.csr
Note: leave "challenge password" empty.
Sign the request with the CA:
# openssl x509 -req -days 3650 -in smtpd.csr -CA cacert.pem -CAkey cakey.pem -CAcreateserial -out smtpd.crt
Make smtpd.key and cakey.pem readable by root only (mode 0600); Postfix reads the key as root before dropping privileges.
Then add the following lines to /etc/postfix/main.cf:
smtpd_use_tls = yes
#smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/tls/smtpd.key
smtpd_tls_cert_file = /etc/postfix/tls/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/tls/cacert.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
With smtpd_tls_auth_only left commented out, Postfix still advertises AUTH on the plain-text connection, and a client that skips STARTTLS sends its PLAIN/LOGIN credentials (base64 is an encoding, not encryption) in the clear. Uncomment it once all your clients support STARTTLS; AUTH is then offered only after the TLS handshake. smtpd_tls_loglevel = 3 is useful while setting this up; lower it to 1 afterwards, as it is very chatty.
Restart Postfix:
# /etc/init.d/postfix restart
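The following script is an added example, not part of the original HOWTO, that exercises the finished setup the way a mail client does: STARTTLS, EHLO again inside the tunnel, AUTH PLAIN, QUIT. It assumes the server is reachable on port 25 under the host name given as first argument, the test account test@test.com / test123 from the HOWTO, the certificate paths above, and that openssl(1) is installed (it is in the package list); the function names are my own. auth_plain_token builds the AUTH PLAIN initial response from RFC 4616 and is the only part that runs without a server.

```shell
#!/bin/sh
# Added example (not from the original HOWTO): STARTTLS + SMTP-AUTH check.
# Assumptions: server on port 25 as $1, account test@test.com / test123,
# certificates in /etc/postfix/tls as configured above.

# base64 with no trailing newline; Sarge's coreutils has no base64(1), so fall
# back to openssl there.
b64() {
    if command -v base64 >/dev/null 2>&1; then base64; else openssl base64; fi | tr -d '\n'
}

# AUTH PLAIN initial response (RFC 4616): base64( NUL authcid NUL password )
# with an empty authorization identity. This is exactly what crosses the wire,
# so anyone reading a plain-text session recovers the password from it.
auth_plain_token() {
    printf '\0%s\0%s' "$1" "$2" | b64
}

# Does smtpd.crt actually chain to the CA named in smtpd_tls_CAfile?
verify_cert_chain() {
    openssl verify -CAfile /etc/postfix/tls/cacert.pem /etc/postfix/tls/smtpd.crt
}

# One SMTP session: s_client negotiates STARTTLS, then we EHLO again inside the
# tunnel (RFC 3207 requires it), AUTH PLAIN, QUIT. Returns 0 on "235" (auth ok).
# -ign_eof stops s_client from treating the "Q" of QUIT as its own quit command.
smtp_auth_over_tls() {
    host=$1 user=$2 pass=$3
    token=$(auth_plain_token "$user" "$pass")
    out=$( {
        sleep 2                                      # let the TLS handshake finish
        printf 'EHLO client.example\r\n'; sleep 1
        printf 'AUTH PLAIN %s\r\n' "$token"; sleep 1
        printf 'QUIT\r\n'
    } | openssl s_client -connect "$host:25" -starttls smtp -ign_eof \
          -CAfile /etc/postfix/tls/cacert.pem 2>&1 )
    printf '%s\n' "$out"
    printf '%s\n' "$out" | grep -q 'Verify return code: 0' \
        || echo "WARNING: smtpd.crt does not verify against cacert.pem"
    printf '%s\n' "$out" | grep -q '^250-AUTH' \
        || echo "WARNING: no AUTH advertised inside TLS; check smtpd_sasl_auth_enable and smtpd.conf"
    printf '%s\n' "$out" | grep -q '^235 '
}

case "${1:-}" in
    "") ;;   # no arguments: only define the functions (e.g. when sourced)
    *) verify_cert_chain && smtp_auth_over_tls "$1" "${2:-test@test.com}" "${3:-test123}" ;;
esac
```

Run it as "sh smtp-auth-test.sh mail.example.com". A "535" instead of "235" with a working testsaslauthd usually means the chroot'ed smtpd cannot reach the mux socket or its copy of smtpd.conf; a failed verify means the certificate was not signed by the CA in cacert.pem.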
Q.: Can Postfix query the MySQL db directly?
A.: Not for password checking. Postfix uses MySQL lookup tables for addresses and mailboxes (see MYSQL_README), but it never verifies a password itself: it hands the credentials to libsasl2, and the check happens wherever SASL is pointed at, here saslauthd.
Q.: Why do you use libpam-mysql? saslauthd natively supports SQL.
A.: Because saslauthd only supports unencrypted passwords if you use a SQL db as an authentication backend. That's the reason for interfacing saslauthd with PAM. PAM, in turn, can use just anything.
Q.: My friend told me that /etc/postfix/sasl/smtpd.conf should contain "pwcheck_method: pam"
A.: That was true for SASL < 2.x. Now you have to use saslauthd.
Q.: Why do you run saslauthd with the -r flag?
A.: Because my users authenticate as "user@domain", not "user". If you are in trouble check /var/log/auth.log.
Q.: Why did you move saslauthd's socket to /var/spool/postfix/var/run/saslauthd?
A.: Because the smtp service runs chroot'ed.
Q.: Why did you add etc/postfix/sasl/smtpd.conf to the FILES variable?
A.: Because Postfix needs to access that file from inside the chroot. The init.d script copies the latest version of that file into the chroot at every restart.
Q.: How does the authentication chain work?
A.: Postfix's smtpd hands the user name and password to libsasl2, which connects to saslauthd through the mux socket; saslauthd asks PAM (service "smtp"), and pam_mysql in turn queries the relevant MySQL table and checks the password against the stored hash.
Q.: Are there any alternatives to libpam-mysql?
A.: Perhaps it's possible to use authdaemon from the Courier package.
Q.: Why do you use 127.0.0.1 instead of localhost?
A.: With "localhost" the MySQL client library connects through MySQL's unix socket; with 127.0.0.1 it opens a TCP connection on the loopback interface, so MySQL must be listening there (no skip-networking in my.cnf). Note that it is saslauthd, not the chroot'ed smtpd, that loads pam_mysql and talks to MySQL, so the unix socket would have been reachable anyway; TCP simply keeps the setup independent of the socket path.
RedHat/CentOS version of this HOWTO provided by Sebastien Wains (http://www.wains.be/?p=157)
SASL2: BJ Dierkes (http://lists.debian.org/debian-user/2005/07/msg01010.html)
TLS: Falko Timme (http://www.projektfarm.com/en/support/howto/postfix_smtp_auth_tls.html)