Topic: Postfix SASL - Client and Server setups

SMTP authentication seems to be becoming more common. This RTFM shows you how to configure SASL auth on Postfix. Though primarily for NetBSD, only the installation and use of pkgsrc should be NetBSD specific.

It's important to note that there are in fact two parts of Postfix SASL:

smtpd - Server
This is the Postfix daemon itself. "smtpd" refers to the daemon receiving mail; therefore any connection on port 25 of the box will face AUTH.

smtp - Client
This is where the Postfix daemon needs to auth itself to another server, a good example being your relayhost expecting authentication.

Installing Postfix with SASL
In order to build postfix with SASL an option in pkgsrc needs to be set. Add the following to /etc/mk.conf

PKG_OPTIONS.postfix+=sasl

then build postfix as root:

$ cd /usr/pkgsrc/mail/postfix
$ make install clean clean-depends

you then need to run a command to ensure the config file is up-to-date:

$ /usr/pkg/sbin/postfix upgrade-configuration

Next, the desired Auth modules need to be installed. If you are doing the "client" version, you can find out which AUTH modules are used by your relayhost by asking it, in the following manner:

$ telnet relayhost.foo.bar 25
220 relayhost.foo.bar
EHLO
250-relayhost.foo.bar
250-AUTH LOGIN PLAIN XYMCOOKIE
250-PIPELINING
250 8BITMIME
quit
221 relayhost.foo.bar

In this example we can see that the server accepts the LOGIN and PLAIN auth formats. You should decide which modules you wish to install; on NetBSD the modules are found in /usr/pkgsrc/security, all beginning with "cy2-". For example, the LOGIN module (/usr/pkgsrc/security/cy2-login) can be installed like this:

$ cd /usr/pkgsrc/security/cy2-login
$ make install clean clean-depends

SMTPD setup (Server)
The following lines need to be added to /usr/pkg/etc/postfix/main.cf to enable the smtpd version of sasl:

smtpd_sasl_auth_enable = yes
smtpd_sasl_application_name = smtpd
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_relay_domains

SMTP setup (Client)

The client version uses a lookup table to find the required username/password for the server it is connecting to. If using a relayhost all the time, then the only entry will be your relayhost; however, there is no limit to the number of entries you can add.

Postfix first looks up the server hostname; if no entry is found, then Postfix looks up the destination domain name (usually, the right-hand part of an email address).

Add the following to main.cf to enable the client (the sasl_password map can be any location):

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/usr/pkg/etc/postfix/sasl_passwd

Now, to create the sasl_passwd map itself. A sample layout would be:

relayhost.foo.bar   username:password
foo.com             username:password
bar.com             username

As with normal "hash" entries in main.cf, sasl_passwd needs to be created into a hash DB file for postfix to actually use. This can be done with the following command:

/usr/pkg/sbin/postmap hash:/usr/pkg/etc/postfix/sasl_passwd

Note: some SMTP servers support PLAIN or LOGIN authentication only. By default, the Postfix SMTP client does not use authentication methods that send plaintext passwords, and defers delivery with the following error message:

"Authentication failed: cannot SASL authenticate to server".

To enable plaintext authentication add the following to main.cf:

smtp_sasl_security_options =

The SASL client password file is opened before the SMTP server enters the optional chroot jail, so you can keep the file in /etc/postfix.

Last edited by WIntellect (2006-01-18 11:28:11)

"UBER" means I don't drink the coffee... I chew the beans instead
             -- Copyright BSDnexus
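As an added example (not code from the post or from Postfix itself), the script below does offline what the post describes by hand: it reads an EHLO reply of the kind shown in the telnet session, lists the AUTH mechanisms and whether STARTTLS was offered, flags the case where only PLAIN/LOGIN is available (the situation that needs the empty smtp_sasl_security_options setting, and the one the later replies worry about), and resolves credentials from a sasl_passwd-style table in the lookup order the post gives: server hostname first, then destination domain. The EHLO text and the sasl_passwd contents are constructed samples; the lookup deliberately ignores [host]:port keys, which is a simplification of what Postfix actually matches.

```python
"""Offline helpers for the Postfix SMTP client (SASL) setup discussed in the post.
Constructed data only; nothing here touches the network or real config files."""

# Mechanisms that send the password in the clear unless the session is wrapped in TLS.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Constructed EHLO reply, modelled on the telnet session in the post.
SAMPLE_EHLO = """250-relayhost.foo.bar
250-AUTH LOGIN PLAIN XYMCOOKIE
250-PIPELINING
250 8BITMIME
"""

# Constructed sasl_passwd contents, same layout as the post's sample table.
SAMPLE_SASL_PASSWD = """# blank lines and comments are ignored, as postmap does
relayhost.foo.bar   alice:s3cret
foo.com             bob:hunter2
bar.com             carol
"""


def parse_ehlo(reply: str) -> dict:
    """Extract capability keywords from an EHLO reply.

    Returns {'auth': [mechanisms], 'starttls': bool, 'keywords': [all keywords]}.
    The first 250 line is the server's greeting, not a capability, so it is skipped.
    """
    auth, keywords = [], []
    first = True
    for line in reply.splitlines():
        line = line.strip()
        if not line.startswith("250"):
            continue  # only 250-/250 lines carry capabilities
        if first:
            first = False
            continue  # "250-relayhost.foo.bar" is the greeting
        parts = line[4:].split()  # drop the "250-" or "250 " prefix
        if not parts:
            continue
        keyword = parts[0].upper()
        keywords.append(keyword)
        if keyword == "AUTH":
            auth.extend(p.upper() for p in parts[1:])
    return {"auth": auth, "starttls": "STARTTLS" in keywords, "keywords": keywords}


def assess_auth(parsed: dict) -> dict:
    """Split offered mechanisms into plaintext and other, and say whether the
    Postfix client default (noplaintext) would leave nothing usable."""
    offered = list(dict.fromkeys(parsed["auth"]))  # de-duplicate, keep order
    plaintext = [m for m in offered if m in PLAINTEXT_MECHS]
    other = [m for m in offered if m not in PLAINTEXT_MECHS]
    return {
        "plaintext_mechs": plaintext,
        "other_mechs": other,
        # True when every offered mechanism is PLAIN/LOGIN: the empty
        # smtp_sasl_security_options value from the post would be required.
        "plaintext_only": bool(offered) and not other,
        # Without STARTTLS, a plaintext mechanism exposes the password on the wire.
        "starttls": parsed["starttls"],
    }


def parse_sasl_passwd(text: str) -> dict:
    """Parse sasl_passwd text into {lookup key: (user, password)}.
    An entry without ':' (like 'bar.com carol') yields an empty password."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        if len(fields) != 2:
            continue  # malformed line, skip as postmap would complain about
        key, value = fields
        user, _, password = value.partition(":")
        table[key.lower()] = (user, password)
    return table


def lookup_credentials(table: dict, next_hop: str, recipient_domain: str):
    """Resolve credentials the way the post describes: the server hostname is
    tried first, then the destination domain. Returns (user, password) or None.
    Simplified assumption: [host]:port style keys are not handled."""
    for key in (next_hop, recipient_domain):
        hit = table.get(key.lower())
        if hit is not None:
            return hit
    return None


if __name__ == "__main__":
    info = assess_auth(parse_ehlo(SAMPLE_EHLO))
    print("offered plaintext mechanisms:", info["plaintext_mechs"])
    print("plaintext only:", info["plaintext_only"], "| STARTTLS:", info["starttls"])
    creds = parse_sasl_passwd(SAMPLE_SASL_PASSWD)
    print("relayhost creds:", lookup_credentials(creds, "relayhost.foo.bar", "example.org"))
    print("fallback by domain:", lookup_credentials(creds, "mx.foo.com", "foo.com"))
```

Run it as-is to see the sample table resolved; swap in your own EHLO transcript and sasl_passwd text to check, before you blank smtp_sasl_security_options, whether the relayhost offers anything better than PLAIN/LOGIN and whether it advertises STARTTLS.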

Re: Postfix SASL - Client and Server setups

Thanks :)

<wintellect> NetBSD users are smart enough to accept that there's no 3D support :P

Re: Postfix SASL - Client and Server setups

thx:)

Re: Postfix SASL - Client and Server setups

Just wondering, any ideas on making it work with SASL2 authenticated by AuthDeamon.

Re: Postfix SASL - Client and Server setups

Enforcer wrote:

Just wondering, any ideas on making it work with SASL2 authenticated by AuthDeamon.

Never tried it

"UBER" means I don't drink the coffee... I chew the beans instead
             -- Copyright BSDnexus


Re: Postfix SASL - Client and Server setups

Good work, WIntellect :)

Re: Postfix SASL - Client and Server setups

Thanks, WIntellect, I'm just setting up a server for the first time.

Re: Postfix SASL - Client and Server setups

Didn't you forget to say something about rc.d? Dunno why I never said it, but you have to replace /etc/rc.d/postfix to make the new version take control.

<wintellect> NetBSD users are smart enough to accept that there's no 3D support :P

Re: Postfix SASL - Client and Server setups

Well, I had a new problem with this. mailer.conf!
You have to add or modify the lines so they say "/usr/pkg/sbin/sendmail", or it's reading the userland config.

<wintellect> NetBSD users are smart enough to accept that there's no 3D support :P

Re: Postfix SASL - Client and Server setups

Sorry, I forgot to mention that dynek, my bad :(

"UBER" means I don't drink the coffee... I chew the beans instead
             -- Copyright BSDnexus

Re: Postfix SASL - Client and Server setups

Oops, sorry. Forgot to svn commit my change :)

<wintellect> NetBSD users are smart enough to accept that there's no 3D support :P

Re: Postfix SASL - Client and Server setups

Is cyrus-login a plaintext auth?

'Cause my SMTP server returns LOGIN when I throw EHLO, but I had to add the line to allow plaintext login....

<wintellect> NetBSD users are smart enough to accept that there's no 3D support :P

Re: Postfix SASL - Client and Server setups

No idea, perhaps it is.

"UBER" means I don't drink the coffee... I chew the beans instead
             -- Copyright BSDnexus

Re: Postfix SASL - Client and Server setups

Well, I didn't have the time until now to check if LOGIN was a plaintext auth method. So yes, it is!

5.2.3. LOGIN

Authentication data is transmitted plaintext. LOGIN imposes the same security risk as described in PLAIN. The same solution applies if you want to get rid of the problem.

The LOGIN mechanism exists parallel with PLAIN, simply because there are Mail clients (e.g. Outlook Express, Outlook) that do not implement the RFC-standard when seeking authentication. Cyrus-SASL supports LOGIN, but there is no support to users by the makers of Cyrus-SASL.

How come a provider only provides LOGIN as auth method? Isn't it a bit insecure?!
I think I'm better off checking for TLS support.

<wintellect> NetBSD users are smart enough to accept that there's no 3D support :P

Re: Postfix SASL - Client and Server setups

In theory you could always create an SSH tunnel to the box so that the data is sent encrypted.

"UBER" means I don't drink the coffee... I chew the beans instead
             -- Copyright BSDnexus

Re: Postfix SASL - Client and Server setups

Yeah, why not write an email to a provider and ask for SSH access :D

<wintellect> NetBSD users are smart enough to accept that there's no 3D support :P