Dec 102009
 

First of all, of course we need to compile postfix for supporting sasl.the easiest way is read tutorial how to compile postfix rpm source at Simon J Mudd’s website

Since i’m using mysql database for storing username/password, i’m gonna show you how to create smtp authentication/SASL.

Install pam_mysql:

# yum -y install pam_mysql

Edit /etc/pam.d/smtp file :

auth required pam_mysql.so user=postfix passwd=password host=localhost db=postfixdb table=mailbox usercolumn=username passwdcolumn=password crypt=1 md5=1 sqlLog=0
account sufficient pam_mysql.so user=postfix passwd=password host=localhost db=postfixdb table=mailbox usercolumn=username passwdcolumn=password crypt=1 md5=1 sqlLog=0

Note on some parameters

  • Since my postfix virtual mailbox created using postfixadmin with password encrypted format so crypt=1 md5=1

Edit /etc/sysconfig/saslauthd file like this :

SOCKETDIR=/var/run/saslauthd
MECH=pam
FLAGS=-r

Edit/create /usr/lib64/sasl2/smtpd.conf file like this :

pwcheck_method: saslauthd
mech_list: PLAIN LOGIN

Note at lib64, i’m using x86_64 system so your mileage may vary

Start Saslauthd service

# chkconfig saslauthd on
# service saslauthd start

Test If SASL (Simple Authentication and Security Layer) realy work before putting it all together with postfix

# testsaslauthd -u hari.h@domain.com -p pass -s smtp
0: OK "Success."

Now the Postfix part :

Edit /etc/postfix/main.cf
Add these parameters to main.cf

smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous

Usually people will put sasl along with postfix submission(port 587), in that case edit /etc/postfix/master.cf and comment out this parameters

submission inet n       -       n       -       -       smtpd
        -o smtpd_tls_security_level=encrypt
        -o smtpd_sasl_auth_enable=yes
#       -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#       -o milter_macro_daemon_name=ORIGINATING
        -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

Reload postfix

# postfix reload

Test with telneting server port 25

# telnet smtp.domain.net 25
Trying 202.xxx.xx.xxx...
Connected to smtp.domain.net (202.xxx.xx.xxx).
Escape character is '^]'.
220 smtp.domain.net ESMTP Postfix (2.6.5-20090828)
250-PIPELINING
250-SIZE 52428800
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.

The easiest way to test postfix sasl is using smtp-cli you can download it at http://www.logix.cz/michal/devel/smtp-cli/

After download smtp-cli :

# chmod +x smtp-cli

Note, smtp-cli created using perl, so you might have to install perl modules dependencies

Run test with smtp-cli

# ./smtp-cli --host=smtp.domain.net --port=587 --enable-auth --auth-plain --user=hari.h@domain.com --pass=password --verbose
[220] 'smtp.domain.net ESMTP Postfix (2.6.5-20090828)'
> EHLO localhost
[250] 'smtp.domain.net'
[250] 'PIPELINING'
[250] 'SIZE 52428800'
[250] 'ETRN'
[250] 'STARTTLS'
[250] 'ENHANCEDSTATUSCODES'
[250] '8BITMIME'
[250] 'DSN'
Starting TLS...
> STARTTLS
[220] '2.0.0 Ready to start TLS'
Using cipher: DHE-RSA-AES256-SHA
-- snipped --
-- snipped --
> EHLO localhost
[250] 'smtp.domain.net'
[250] 'PIPELINING'
[250] 'SIZE 52428800'
[250] 'ETRN'
[250] 'AUTH LOGIN PLAIN'
[250] 'AUTH=LOGIN PLAIN'
[250] 'ENHANCEDSTATUSCODES'
[250] '8BITMIME'
[250] 'DSN'
AUTH method (LOGIN PLAIN): using PLAIN
> AUTH PLAIN aGFyaS5oQGNvcnxxxxxxxxxxxxxxxxxxxxJpLmhAY29ycC4zZy1uZXQubmV0ADNtNGwxdDQ=
[235] '2.7.0 Authentication successful'
Authentication of hari.h@domain.com@domain.net succeeded
> QUIT
[221] '2.0.0 Bye'

Now we got postfix smtp authentication ready for action 🙂

NOte on STARTTLS I’m also using TLS encryption on submission, but in case you’re compiling postfix without TLS support, just change -o smtpd_tls_security_level=none in master.cf

submission inet n       -       n       -       -       smtpd
        -o smtpd_tls_security_level=none
        -o smtpd_sasl_auth_enable=yes
#       -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#       -o milter_macro_daemon_name=ORIGINATING
        -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

It’s not recommended transmitting your base64 encoded password in clear text, so you’d better wrapped it with TLS.I’ll give how to setup postfix with TLS support on next tutorial

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

(required)

(required)

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.