Topic: Postfix SASL - Client and Server setups
SMTP authentication is becoming more common. This RTFM shows you how to configure SASL auth on Postfix. Though written primarily for NetBSD, only the installation (the use of pkgsrc) should be NetBSD-specific.
It's important to note that there are in fact two parts to Postfix SASL:
smtpd - Server
This is the Postfix daemon itself. "smtpd" refers to the daemon receiving mail, so any client connecting to port 25 of the box will be offered AUTH (and will need to authenticate before it is allowed to relay).
smtp - Client
This is where the Postfix daemon needs to authenticate itself to another server, a good example being your relayhost expecting authentication.
Installing Postfix with SASL
In order to build postfix with SASL an option in pkgsrc needs to be set. Add the following to /etc/mk.conf
then build postfix as root:
$ cd /usr/pkgsrc/mail/postfix
$ make install clean clean-depends
you then need to run a command to ensure the config file is up-to-date:
$ /usr/pkg/sbin/postfix upgrade-configuration
Next, the desired AUTH modules need to be installed. If you are doing the "client" version, you can find out which AUTH mechanisms are in use by your relayhost by asking it, in the following manner:
$ telnet relayhost.foo.bar 25
220 relayhost.foo.bar
EHLO
250-relayhost.foo.bar
250-AUTH LOGIN PLAIN XYMCOOKIE
250-PIPELINING
250 8BITMIME
quit
221 relayhost.foo.bar
In this example we can see that the server accepts the LOGIN and PLAIN auth mechanisms. Both of these send the password base64-encoded but otherwise in the clear, so they should only be used over a TLS-protected session. You should decide which modules you wish to install; on NetBSD the modules are found in /usr/pkgsrc/security, all beginning with "cy2-". For example the LOGIN module (/usr/pkgsrc/security/cy2-login) can be installed like this:
$ cd /usr/pkgsrc/security/cy2-login
$ make install clean clean-depends
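The EHLO check above can be scripted. The following Python is an added example, not code from the original post or from Postfix: it parses the AUTH line of a constructed EHLO response like the one above, filters the offered mechanisms against a made-up set of locally installed cy2-* modules and Postfix-style smtp_sasl_security_options, and encodes and decodes an AUTH PLAIN initial response to show that base64 gives the password no protection. The installed-module set, user name and password are assumptions.

```python
import base64

# Constructed EHLO response, modelled on the telnet session above (not captured from a real host).
EHLO_RESPONSE = """250-relayhost.foo.bar
250-AUTH LOGIN PLAIN XYMCOOKIE
250-PIPELINING
250 8BITMIME"""

# Mechanisms that transmit the password unencrypted; base64 is an encoding, not encryption.
PLAINTEXT_MECHANISMS = {"PLAIN", "LOGIN"}

# Hypothetical local install: only the cy2-plain and cy2-login modules are present.
INSTALLED_MECHANISMS = {"PLAIN", "LOGIN"}


def parse_auth_mechanisms(ehlo_response):
    """Return the SASL mechanisms advertised in an EHLO response, in server order."""
    mechanisms = []
    for line in ehlo_response.splitlines():
        # EHLO keyword lines look like "250-KEYWORD params" or, for the last line, "250 KEYWORD params".
        if len(line) < 5 or not line.startswith("250") or line[3] not in "- ":
            continue
        keyword, _, params = line[4:].partition(" ")
        if keyword.upper() == "AUTH":
            mechanisms.extend(m.upper() for m in params.split())
    return mechanisms


def usable_mechanisms(offered, installed, security_options=("noplaintext", "noanonymous")):
    """Mechanisms the client can actually use: offered by the server, installed locally
    (the cy2-* packages) and not excluded by Postfix-style smtp_sasl_security_options.
    With the default "noplaintext, noanonymous", a server offering only PLAIN and LOGIN
    leaves nothing usable, which is the "cannot SASL authenticate to server" case."""
    usable = []
    for mech in offered:
        if mech not in installed:
            continue
        if "noplaintext" in security_options and mech in PLAINTEXT_MECHANISMS:
            continue
        if "noanonymous" in security_options and mech == "ANONYMOUS":
            continue
        usable.append(mech)
    return usable


def auth_plain_initial_response(username, password, authzid=""):
    """Build the base64 blob sent with "AUTH PLAIN" (RFC 4616): authzid NUL authcid NUL password."""
    raw = authzid.encode() + b"\0" + username.encode() + b"\0" + password.encode()
    return base64.b64encode(raw).decode("ascii")


def auth_login_responses(username, password):
    """AUTH LOGIN sends the user name and the password as two separate base64 lines."""
    return [base64.b64encode(username.encode()).decode("ascii"),
            base64.b64encode(password.encode()).decode("ascii")]


def decode_auth_plain(blob):
    """Recover (authzid, username, password) from a captured AUTH PLAIN blob: anyone who can
    sniff an unencrypted port 25 session gets the password back with one base64 decode."""
    authzid, username, password = base64.b64decode(blob).split(b"\0", 2)
    return authzid.decode(), username.decode(), password.decode()


if __name__ == "__main__":
    offered = parse_auth_mechanisms(EHLO_RESPONSE)
    print("server offers:", offered)
    print("usable with Postfix defaults:", usable_mechanisms(offered, INSTALLED_MECHANISMS))
    print("usable with noanonymous only:", usable_mechanisms(offered, INSTALLED_MECHANISMS, ("noanonymous",)))
    blob = auth_plain_initial_response("user", "secret")  # made-up credentials
    print("AUTH PLAIN", blob, "->", decode_auth_plain(blob))
```

With the default security options the example reports no usable mechanism for a server that only offers LOGIN and PLAIN; dropping "noplaintext" makes both usable, which is the trade-off the note further down about plaintext authentication is about.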
SMTPD setup (Server)
The following lines need to be added to /usr/pkg/etc/postfix/main.cf to enable the smtpd version of sasl:
smtpd_sasl_auth_enable = yes
smtpd_sasl_application_name = smtpd
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_relay_domains
The order of the restriction list matters: permit_sasl_authenticated comes first so that authenticated clients may relay to any destination, permit_mynetworks lets the trusted networks relay without a password, and everything else falls through to the relay check. broken_sasl_auth_clients is only needed for old clients (e.g. early Outlook Express) that expect an "AUTH=" form of the EHLO keyword.
Note: check_relay_domains is deprecated in current Postfix releases; reject_unauth_destination is its replacement and should be used on anything newer than the version this was written for. Also remember that LOGIN and PLAIN send the password in the clear, so on a server reachable from the Internet the AUTH offer should be limited to TLS sessions (smtpd_tls_auth_only = yes once TLS is configured).
SMTP setup (Client)
The client version uses a lookup table to find the required username/password for the server it is connecting to. If using a relayhost all the time, then the only entry will be your relayhost; however, there is no limit to the number of entries you can add.
Postfix first looks up the server hostname; if no entry is found, then Postfix looks up the destination domain name (usually, the right-hand part of an email address).
Add the following to main.cf to enable the client (the sasl_password map can be any location):
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/usr/pkg/etc/postfix/sasl_passwd
Now, to create the sasl_passwd map itself. A sample layout would be:
relayhost.foo.bar username:password
foo.com username:password
bar.com username
As with normal "hash" entries in main.cf, sasl_passwd needs to be created into a hash DB file for postfix to actually use. This can be done with the following command:
Note: some SMTP servers support PLAIN or LOGIN authentication only. By default, the Postfix SMTP client does not use authentication methods that send plaintext passwords, and defers delivery with the following error message:
"Authentication failed: cannot SASL authenticate to server"
To enable plaintext authentication add the following to main.cf:
The SASL client password file is opened before the SMTP server enters the optional chroot jail, so you can keep the file in /etc/postfix.
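The lookup order described above (server hostname first, then destination domain) and the username:password value format can be checked offline. The following Python is an added example, not part of the original post or of Postfix: it parses a constructed sasl_passwd source file in the same layout as the sample above and resolves credentials in the order the text describes. The stripping of brackets and port from relayhost-style next-hop names and the missing-password check are this example's own additions, and the hostnames and credentials are made up.

```python
# Constructed sasl_passwd source file in the layout of the sample above (made-up hosts and credentials).
SASL_PASSWD = """\
# destination                   credentials
[relayhost.foo.bar]:587         relayuser:relaypass
relayhost.foo.bar               relayuser:relaypass
foo.com                         foouser:foopass
bar.com                         baruser:barpass
"""


def parse_sasl_passwd(text):
    """Parse the key/value layout of a Postfix hash: source file: blank lines and #comments
    are skipped, the first field is the key and the rest of the line is the value."""
    table = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("line %d: key without value: %r" % (lineno, line))
        table[parts[0].lower()] = parts[1]
    return table


def missing_password_keys(table):
    """Keys whose value is not in username:password form (this example's own check; it would
    catch an entry like "bar.com username" before it fails at delivery time)."""
    return sorted(key for key, value in table.items() if ":" not in value)


def bare_hostname(nexthop):
    """Reduce a relayhost-style next-hop such as "[relayhost.foo.bar]:587" to "relayhost.foo.bar".
    The bracket and port handling is this example's normalisation, not a claim about Postfix."""
    host = nexthop
    if host.startswith("["):
        host = host[1:].split("]", 1)[0]
    elif host.count(":") == 1:          # host:port, but leave bare IPv6 literals alone
        host = host.split(":", 1)[0]
    return host.lower()


def lookup_credentials(table, nexthop, recipient_domain):
    """Resolve credentials in the order the text describes: the server first (as written in
    relayhost, then as a bare hostname), then the recipient's domain. Returns
    (matched_key, username, password) or None when no entry applies."""
    for key in (nexthop.lower(), bare_hostname(nexthop), recipient_domain.lower()):
        if key in table:
            username, _, password = table[key].partition(":")
            return key, username, password
    return None


if __name__ == "__main__":
    table = parse_sasl_passwd(SASL_PASSWD)
    print(lookup_credentials(table, "[relayhost.foo.bar]:587", "example.org"))
    print(lookup_credentials(table, "mx.foo.com", "foo.com"))
    print(lookup_credentials(table, "mx.example.org", "example.org"))
    print(missing_password_keys(parse_sasl_passwd("bar.com username\n")))
```

Build the real map with postmap(1) (postmap hash:/usr/pkg/etc/postfix/sasl_passwd) after every edit, and keep both the source file and the generated .db readable by root only (mode 0600), since they hold plaintext passwords.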
Last edited by WIntellect (2006-01-18 11:28:11)
-- Copyright BSDnexus