On 2004-12-21 @ 15:26:54 (week 52) Charles Read wrote:
> OK, so I got the postfix-tls package, didn't know about that thanks!
> But still can't find saslauthd... don't I need to start it? Now an ehlo
> over telnet shows AUTH and STARTTLS like expected and I created
> /usr/local/lib/sasl/smtpd.conf with the line 'pwcheck_method: pam'
> (although shouldn't it be pwcheck_method:saslauthd ?) but when I try to
> login via an MUA it rejects my system user passwords.... can you
> please help me with what this means?
Here's a recipe for getting SASL running with Postfix on a Sarge box. Remember
that by default the Debianized version of Postfix runs in a jail and SASL is
notoriously difficult to set up in a jail. That being said, the following seems
to work quite nicely.

How to set up SASL for Postfix under Debian Sarge
=================================================

1] Get SASL/TLS support for postfix:

   $ apt-get install postfix-tls

2] Get the SASL authentication daemon and the SASL authentication modules:

   $ apt-get install sasl2-bin libsasl2-modules

3] The Debian postfix runs its subprocesses chrooted, so we need to make sure
   both postfix and saslauthd can access the necessary files:

   $ mkdir -p /var/spool/postfix/var/run/saslauthd
   $ chown root:sasl /var/spool/postfix/var/run/saslauthd
   $ chmod 710 /var/spool/postfix/var/run/saslauthd
   $ vi /etc/fstab
   $ grep sasl /etc/fstab
   /var/run/saslauthd /var/spool/postfix/var/run/saslauthd bind bind 0 0
   $ mount /var/spool/postfix/var/run/saslauthd

   Thanks go to Lennart Poettering for this very useful piece of information!

4] Add postfix to the sasl group:

   $ vigr
   $ grep sasl /etc/group
   sasl:x:45:postfix

5] Edit the saslauthd configuration file so that the daemon will be started
   automatically at boot time and knows what authentication mechanisms to use:

   $ vi /etc/default/saslauthd
   $ cat /etc/default/saslauthd
   # This needs to be uncommented before saslauthd will be run automatically
   START=yes
   # You must specify the authentication mechanisms you wish to use.
   # This defaults to "pam" for PAM support, but may also include
   # "shadow" or "sasldb", like this:
   # MECHANISMS="pam shadow"
   MECHANISMS="sasldb"
   # You can only use one mechanism at a time even though a lot of examples
   # suggest otherwise. Trying "/usr/sbin/saslauthd -a sasldb -a pam" or
   # "/usr/sbin/saslauthd -a "pam sasldb" will result in an error message.

6] Start the saslauthd daemon, verify it is up and has all the mechanisms:

   $ /etc/init.d/saslauthd start
   $ ps wax | grep saslauthd
   14523 ?        Ss     0:00 /usr/sbin/saslauthd -a sasldb
   14524 ?        S      0:00 /usr/sbin/saslauthd -a sasldb
   14525 ?        S      0:00 /usr/sbin/saslauthd -a sasldb
   14526 ?        S      0:00 /usr/sbin/saslauthd -a sasldb
   14527 ?        S      0:00 /usr/sbin/saslauthd -a sasldb
   $ saslauthd -v
   saslauthd 2.1.19
   authentication mechanisms: sasldb getpwent kerberos4 kerberos5 pam rimap shadow ldap

7] Let postfix know that you want to use saslauthd for authentication:

   $ mkdir /etc/postfix/sasl
   $ vi /etc/postfix/sasl/smtpd.conf
   $ cat /etc/postfix/sasl/smtpd.conf
   pwcheck_method: saslauthd
   mech_list: plain login
   $ ls -l /etc/postfix/sasl/smtpd.conf
   -rw-r----- 1 root root 50 Oct 31 15:14 /etc/postfix/sasl/smtpd.conf

8] Instead of running saslauthd with sasldb as an authentication mechanism it
   is nowadays recommended to use the "auxprop" plugin. For that, skip steps
   3, 5, 6 and 7 and do this:

   $ mkdir /etc/postfix/sasl
   $ vi /etc/postfix/sasl/smtpd.conf
   $ cat /etc/postfix/sasl/smtpd.conf
   pwcheck_method: auxprop
   mech_list: plain login
   $ ls -l /etc/postfix/sasl/smtpd.conf
   -rw-r----- 1 root root 50 Oct 31 15:14 /etc/postfix/sasl/smtpd.conf

   Remember that testsaslauthd will not work if saslauthd is not running!

9] Create a PAM file for postfix and add it to the jail (only needed if PAM
   is used with saslauthd):

   $ cp /etc/pam.d/other /etc/pam.d/smtp
   $ chmod 644 /etc/pam.d/smtp
   $ chown root:root /etc/pam.d/smtp
   $ vi /etc/pam.d/smtp
   $ cat /etc/pam.d/smtp
   @include common-auth
   @include common-account
   @include common-session
   $ mkdir -p /var/spool/postfix/etc/pam.d/
   $ cp /etc/pam.d/smtp /var/spool/postfix/etc/pam.d/

   Postfix will warn in /var/log/mail.warn if these files differ.

10] Set up a SASL test account (remember the jail):

   $ saslpasswd2 -c -u `postconf -h myhostname` -a smtpauth testuser
   $ ls -l /etc/sasldb2
   -rw-r----- 1 root sasl 12288 Oct 31 14:22 /etc/sasldb2
   $ cp /etc/sasldb2 /var/spool/postfix/etc/sasldb2

   Postfix will warn in /var/log/mail.warn if these files differ.
   Use this to remove the same user from sasldb2:

   $ saslpasswd2 -d -u `postconf -h myhostname` testuser

11] Verify that "testuser" was added correctly:

   $ sasldblistusers2
   [EMAIL PROTECTED] userPassword

12] Check if authentication through SASL is functioning:

   $ testsaslauthd -u testuser -p testpasswd
   0: NO "authentication failed"
   $ testsaslauthd -u testuser -p testpasswd -r `postconf -h myhostname`
   0: OK "Success."

   The first attempt fails because the account was created in step 10 with
   the realm set to the host name, so testsaslauthd has to be given that
   realm with -r.

13] Edit /etc/postfix/main.cf to add SASL support:

   $ vi /etc/postfix/main.cf
   $ grep sasl /etc/postfix/main.cf
   smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated check_relay_domains
   smtpd_sasl_auth_enable = yes
   smtpd_sasl_security_options = noanonymous
   smtpd_sasl_local_domain = $myhostname
   broken_sasl_auth_clients = yes
   $ postfix reload
   $ postfix check

14] Test it over SMTP (remember to use base64 encoding):

   $ perl -MMIME::Base64 -e 'print encode_base64("testuser\0testuser\0testpasswd");'
   dGVzdHVzZXIAdGVzdHVzZXIAdGVzdHBhc3N3ZA==
   $ telnet mailhost 25
   Trying 192.168.1.1...
   Connected to mailhost.organization.org.
   Escape character is '^]'.
   220 mailhost.organization.org ESMTP Postfix (Debian/GNU)
   auth plain dGVzdHVzZXIAdGVzdHVzZXIAdGVzdHBhc3N3ZA==
   235 Authentication successful
   quit
   221 Bye
   Connection closed by foreign host.

15] Send a test message from a remote host and try to read it:

   $ echo "Tested at `date` from `hostname -f`" | mail -s "mail test from `hostname` - `date`" postmaster

I'd recommend setting up TLS too to protect the data in transit. Here's another
recipe to do that.
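Before moving on to TLS, here is an added check script for the SASL recipe above (example code, not part of the original mail): it verifies the group membership, smtpd.conf, the jail copies of sasldb2 and pam.d/smtp, and the main.cf settings from steps 4 through 13, using the file names and settings the recipe uses. The root-prefix argument and the --run flag are assumptions of this example so the checks can also be run against a staging tree.

```shell
#!/bin/sh
# Added example (not from the original mail): audit the SASL recipe above on a
# chrooted Debian Postfix. ROOT is a path prefix, empty for the live system,
# so the same checks can be run against a staging tree. Every path is the one
# the recipe uses. Prints one line per problem; returns 1 if any was found.
check_postfix_sasl() {
    root=$1
    jail=$root/var/spool/postfix
    rc=0

    # Step 4: the postfix user has to be in the sasl group to reach the socket.
    grep -Eq '^sasl:[^:]*:[^:]*:(.*,)?postfix(,.*)?$' "$root/etc/group" ||
        { echo "FAIL: postfix is not a member of group sasl"; rc=1; }

    # Steps 7/8: smtpd.conf must name a password checker and a mechanism list.
    conf=$root/etc/postfix/sasl/smtpd.conf
    grep -Eq '^pwcheck_method:[[:space:]]*(saslauthd|auxprop)$' "$conf" 2>/dev/null ||
        { echo "FAIL: $conf lacks pwcheck_method saslauthd or auxprop"; rc=1; }
    grep -q '^mech_list:' "$conf" 2>/dev/null ||
        { echo "FAIL: $conf lacks mech_list"; rc=1; }

    # Steps 9/10: the copies inside the jail must match the originals, or
    # Postfix warns in mail.warn and the chrooted smtpd keeps using the old copy.
    for f in etc/sasldb2 etc/pam.d/smtp; do
        [ -e "$root/$f" ] || continue        # pam.d/smtp only exists with PAM
        cmp -s "$root/$f" "$jail/$f" ||
            { echo "FAIL: $jail/$f differs from /$f"; rc=1; }
    done

    # Step 13: main.cf must enable SASL, refuse anonymous logins and actually
    # use the authentication result in the recipient restrictions.
    main=$root/etc/postfix/main.cf
    for want in 'smtpd_sasl_auth_enable *= *yes' \
                'smtpd_sasl_security_options *=.*noanonymous' \
                'smtpd_recipient_restrictions *=.*permit_sasl_authenticated'; do
        grep -q "^$want" "$main" 2>/dev/null ||
            { echo "FAIL: $main lacks '$want'"; rc=1; }
    done
    return $rc
}

# Usage: sh sasl-check.sh --run            (live system)
#        sh sasl-check.sh --run /staging   (same layout below /staging)
if [ "${1-}" = "--run" ]; then check_postfix_sasl "${2-}"; fi
```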
How to set up TLS for Postfix under Debian
==========================================

1] Install OpenSSL if it's not yet on the machine:

   $ apt-get install openssl

2] Edit the OpenSSL configuration file:

   $ vi /etc/ssl/openssl.cnf
   $ grep '^[a-zA-Z0-9.]\+_default' /etc/ssl/openssl.cnf
   countryName_default = Country
   stateOrProvinceName_default = State
   localityName_default = City
   0.organizationName_default = Organization

3] Generate a certificate for the local CA:

   $ /usr/lib/ssl/misc/CA.pl -newca
   CA certificate filename (or enter to create)

   Making CA certificate ...
   Generating a 1024 bit RSA private key
   ........++++++
   ................................++++++
   writing new private key to './demoCA/private/./cakey.pem'
   Enter PEM pass phrase:
   Verifying - Enter PEM pass phrase:
   -----
   You are about to be asked to enter information that will be incorporated
   into your certificate request.
   What you are about to enter is what is called a Distinguished Name or a DN.
   There are quite a few fields but you can leave some blank
   For some fields there will be a default value,
   If you enter '.', the field will be left blank.
   -----
   Country Name (2 letter code) [Country]:
   State or Province Name (full name) [State]:
   Locality Name (eg, city) [City]:
   Organization Name (eg, company) [Organization]:
   Organizational Unit Name (eg, section) []:
   Common Name (eg, YOUR name) []:Organizational CA
   Email Address []:[EMAIL PROTECTED]

4] Adjust /usr/lib/ssl/misc/CA.sh so it can create passwordless certificates:

   $ cp /usr/lib/ssl/misc/CA.sh /etc/ssl/CA-nodes.sh
   $ vi /etc/ssl/CA-nodes.sh
   $ grep -n nodes /etc/ssl/CA-nodes.sh
   52:    $REQ -new -nodes -x509 -keyout newreq.pem -out newreq.pem $DAYS
   58:    $REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS

   [NOTE] This is not necessary anymore; instead use the command:
   /usr/lib/ssl/misc/CA.pl -newreq-nodes

5] Generate a server certificate for postfix:

   $ cd /etc/ssl
   $ ./CA-nodes.sh -newreq
   Generating a 1024 bit RSA private key
   ............................++++++
   .............................++++++
   writing new private key to 'newreq.pem'
   -----
   You are about to be asked to enter information that will be incorporated
   into your certificate request.
   What you are about to enter is what is called a Distinguished Name or a DN.
   There are quite a few fields but you can leave some blank
   For some fields there will be a default value,
   If you enter '.', the field will be left blank.
   -----
   Country Name (2 letter code) [Country]:
   State or Province Name (full name) [State]:
   Locality Name (eg, city) [City]:
   Organization Name (eg, company) [Organization]:
   Organizational Unit Name (eg, section) []:
   Common Name (eg, YOUR name) []:mail.organization.org
   Email Address []:[EMAIL PROTECTED]

   Please enter the following 'extra' attributes
   to be sent with your certificate request
   A challenge password []:
   An optional company name []:
   Request (and private key) is in newreq.pem

6] Sign the certificate:

   $ ./CA-nodes.sh -sign

   Enter the correct passphrase, check the listed certificate details and
   confirm that you want to sign it.

7] Move the certificate and private key to their stores:

   $ cp newreq.pem /etc/ssl/private/postfix-key.pem
   $ cp newcert.pem /etc/ssl/certs/postfix-cert.pem
   $ cp demoCA/cacert.pem /etc/ssl/certs/ca-cert.pem

8] Protect the private key:

   $ chmod 600 /etc/ssl/private/postfix-key.pem

9] Add the proper settings to main.cf:

   $ vi /etc/postfix/main.cf
   $ grep tls /etc/postfix/main.cf
   smtpd_use_tls = yes
   smtpd_tls_auth_only = yes
   smtpd_tls_key_file = /etc/ssl/private/postfix-key.pem
   smtpd_tls_cert_file = /etc/ssl/certs/postfix-cert.pem
   smtpd_tls_CAfile = /etc/ssl/certs/ca-cert.pem
   smtpd_tls_received_header = yes
   smtpd_tls_session_cache_timeout = 3600s
   tls_random_source = dev:/dev/urandom
   #smtpd_tls_loglevel = 3
   $ postfix reload
   $ postfix check

10] Test it over SMTP:

   $ telnet mailhost 25
   Trying 192.168.1.1...
   Connected to mailhost.organization.org.
   Escape character is '^]'.
   220 mailhost.organization.org ESMTP Postfix (Debian/GNU)
   STARTTLS
   220 Ready to start TLS

   Stunnel provides a better way of doing this:

   $ cat > /tmp/smtp_sasl_session << EOM
   > EHLO mjollnir
   > AUTH PLAIN dGVzdHVzZXIAdGVzdHVzZXIAdGVzdHBhc3N3ZA==
   > NOOP
   > NOOP
   > QUIT
   > EOM
   $ stunnel -c -f -n smtp -r mailhost.organization.org:25 -D0 < /tmp/smtp_sasl_session
   220 mailhost.organization.org ESMTP Postfix (Debian/GNU)
   250-mailhost.organization.org
   250-PIPELINING
   250-SIZE 26214400
   250-ETRN
   250-AUTH LOGIN PLAIN
   250-AUTH=LOGIN PLAIN
   250 8BITMIME
   235 Authentication successful
   250 Ok
   250 Ok
   221 Bye

I've been thinking of putting this mini-howto online, as this question pops up
quite often. But I'd probably need to clean it up a bit before I do that,
though...

Grx HdV