I apologize in advance for the long post. I started working for a small ISP with around 3000 mailboxes and inherited a Postfix server that I've been auditing. It's based on Ubuntu 8.04 LTS, Postfix 2.51, and runs Courier for pop and imap authentication. It has encrypted passwords in a MySQL database.
Because the passwords are encrypted in MySQL it uses saslauthd and PAM for authentication. But since passwords are sent in plaintext it really should have an SSL connection for all client connections. In the SASL_README, a couple of Important notices make me think it hasn't been implemented correctly:

    "Important
    saslauthd sends IMAP login information unencrypted. Any IMAP session leaving the local host should be protected by an additional security layer such as an SSL tunnel.
    ................
    Important
    Do not specify any other mechanisms in mech_list than PLAIN or LOGIN when using saslauthd! It can only handle these two mechanisms, and authentication will fail if clients are allowed to choose other mechanisms."

I believe I need to set up SSL connections for securely passing authentication information to authorize the SMTP connection for local or remote clients with virtual accounts wanting to send e-mail. So I'm a bit stumped and confused.

The TLS_README indicates I can use STARTTLS for all clients. Those clients will be everything from Outlook Express to Windows Live Mail, Thunderbird, Incredimail, etc. But without the ability to use CRAM-MD5, DIGEST-MD5 or NTLM, how can I use TLS to make the connection and authorize the clients?

The clients are using SASL for IMAP and POP and appear to be authenticating correctly. It's SMTP I'm having an issue with. I tried implementing TLS, but Postfix fails SASL when started without CRAM-MD5 included in the mech list. I downloaded saslfinger and see the errors.

I've removed a number of helo, client, and sender restrictions that were previously in place and will add them back in as I resolve the authorization issues.

Below are the postconf -n and saslfinger outputs. Thank you in advance.
Dave

saslfinger -cs

saslfinger - postfix Cyrus sasl configuration Fri Aug 23 14:52:27 EDT 2013
version: 1.0.4
mode: client-side SMTP AUTH

-- basics --
Postfix: 2.5.1
System: Ubuntu 8.04.4 LTS \n \l

-- smtp is linked to --
libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb74e3000)

-- active SMTP AUTH and TLS parameters for smtp --
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

-- listing of /usr/lib/sasl2 --
total 800
drwxr-xr-x  2 root root  4096 2009-09-05 21:04 .
drwxr-xr-x 58 root root 20480 2013-05-04 10:35 ..
-rw-r--r--  1 root root 13568 2009-06-23 15:14 libanonymous.a
-rw-r--r--  1 root root   862 2009-06-23 15:14 libanonymous.la
-rw-r--r--  1 root root 12984 2009-06-23 15:14 libanonymous.so
-rw-r--r--  1 root root 12984 2009-06-23 15:14 libanonymous.so.2
-rw-r--r--  1 root root 12984 2009-06-23 15:14 libanonymous.so.2.0.22
-rw-r--r--  1 root root 15834 2009-06-23 15:14 libcrammd5.a
-rw-r--r--  1 root root   848 2009-06-23 15:14 libcrammd5.la
-rw-r--r--  1 root root 15320 2009-06-23 15:14 libcrammd5.so
-rw-r--r--  1 root root 15320 2009-06-23 15:14 libcrammd5.so.2
-rw-r--r--  1 root root 15320 2009-06-23 15:14 libcrammd5.so.2.0.22
-rw-r--r--  1 root root 46332 2009-06-23 15:14 libdigestmd5.a
-rw-r--r--  1 root root   871 2009-06-23 15:14 libdigestmd5.la
-rw-r--r--  1 root root 43020 2009-06-23 15:14 libdigestmd5.so
-rw-r--r--  1 root root 43020 2009-06-23 15:14 libdigestmd5.so.2
-rw-r--r--  1 root root 43020 2009-06-23 15:14 libdigestmd5.so.2.0.22
-rw-r--r--  1 root root 13574 2009-06-23 15:14 liblogin.a
-rw-r--r--  1 root root   842 2009-06-23 15:14 liblogin.la
-rw-r--r--  1 root root 13268 2009-06-23 15:14 liblogin.so
-rw-r--r--  1 root root 13268 2009-06-23 15:14 liblogin.so.2
-rw-r--r--  1 root root 13268 2009-06-23 15:14 liblogin.so.2.0.22
-rw-r--r--  1 root root 30016 2009-06-23 15:14 libntlm.a
-rw-r--r--  1 root root   836 2009-06-23 15:14 libntlm.la
-rw-r--r--  1 root root 29236 2009-06-23 15:14 libntlm.so
-rw-r--r--  1 root root 29236 2009-06-23 15:14 libntlm.so.2
-rw-r--r--  1 root root 29236 2009-06-23 15:14 libntlm.so.2.0.22
-rw-r--r--  1 root root 13798 2009-06-23 15:14 libplain.a
-rw-r--r--  1 root root   842 2009-06-23 15:14 libplain.la
-rw-r--r--  1 root root 13396 2009-06-23 15:14 libplain.so
-rw-r--r--  1 root root 13396 2009-06-23 15:14 libplain.so.2
-rw-r--r--  1 root root 13396 2009-06-23 15:14 libplain.so.2.0.22
-rw-r--r--  1 root root 22126 2009-06-23 15:14 libsasldb.a
-rw-r--r--  1 root root   873 2009-06-23 15:14 libsasldb.la
-rw-r--r--  1 root root 18080 2009-06-23 15:14 libsasldb.so
-rw-r--r--  1 root root 18080 2009-06-23 15:14 libsasldb.so.2
-rw-r--r--  1 root root 18080 2009-06-23 15:14 libsasldb.so.2.0.22
-rw-r--r--  1 root root 23696 2009-06-23 15:14 libsql.a
-rw-r--r--  1 root root   971 2009-06-23 15:14 libsql.la
-rw-r--r--  1 root root 23140 2009-06-23 15:14 libsql.so
-rw-r--r--  1 root root 23140 2009-06-23 15:14 libsql.so.2
-rw-r--r--  1 root root 23140 2009-06-23 15:14 libsql.so.2.0.22

-- listing of /etc/postfix/sasl --
total 20
drwxr-xr-x 2 root root 4096 2013-08-22 16:49 .
drwxr-xr-x 3 root root 4096 2013-08-22 09:27 ..
-rw-r--r-- 1 root root  253 2013-08-22 16:51 smtpd.conf
-rw-r--r-- 1 root root  253 2013-08-22 16:49 smtpd.conf.md5
-rw-r--r-- 1 root root  243 2013-08-22 16:48 smtpd.conf.nomd5

Cannot find the smtp_sasl_password_maps parameter in main.cf.
Client-side SMTP AUTH cannot work without this parameter!
postconf -n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
anvil_rate_time_unit = 3600
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
mailbox_size_limit = 0
message_size_limit = 50000000
mydestination = mail.example.com, localhost, localhost.localdomain
myhostname = mail.example.com
mynetworks = 127.0.0.0/8
myorigin = /etc/mailname
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
readme_directory = /usr/share/doc/postfix
receive_override_options = no_address_mappings
recipient_delimiter = +
relay_domains = remoteclientserver.com
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_connection_count_limit = 300
smtpd_client_connection_rate_limit = 300
smtpd_client_message_rate_limit = 300
smtpd_client_recipient_rate_limit = 300
smtpd_helo_required = yes
smtpd_recipient_restrictions = reject_unauth_pipelining, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_recipient_domain, permit_mynetworks, reject_unauth_destination, reject_multi_recipient_bounce, reject_non_fqdn_hostname, reject_invalid_hostname, check_recipient_access hash:/etc/postfix/roleaccount_exceptions, check_policy_service inet:127.0.0.1:60000
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_uid_maps = static:5000

Thank you,
Dave
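The two SASL_README warnings quoted in the post reduce to one checkable property of the SMTP server: the only mechanisms a saslauthd back end can verify are PLAIN and LOGIN, so they must be advertised only after STARTTLS, and challenge/response mechanisms (CRAM-MD5, DIGEST-MD5, NTLM) should not be advertised at all. The following is an added example, not code from the post and not part of Postfix or saslfinger: a small Python check that parses the EHLO reply lines seen before and after STARTTLS and reports where the server's offer departs from that policy. The sample EHLO replies are constructed, and the hostname in probe() is a placeholder.

```python
"""Check that an SMTP server advertises SASL PLAIN/LOGIN only after STARTTLS.

Added illustration (not code from the original post). It parses EHLO reply
lines captured before and after STARTTLS and flags what the SASL_README
warnings boil down to: plaintext mechanisms offered on an unencrypted
session, and challenge/response mechanisms advertised that a saslauthd
back end cannot verify. The hostname in probe() is a placeholder.
"""
import re
import smtplib
import ssl

# Mechanisms saslauthd can verify: it receives the password itself, so the
# session carrying them must already be TLS-protected.
SASLAUTHD_MECHS = {"PLAIN", "LOGIN"}
# Mechanisms that need the server to hold the shared secret; saslauthd cannot
# serve them, so advertising them only breaks clients that pick them.
CHALLENGE_MECHS = {"CRAM-MD5", "DIGEST-MD5", "NTLM"}

# Matches '250-KW params', '250 KW' (last line) and old-style '250-AUTH=PLAIN LOGIN'.
EHLO_LINE = re.compile(r"^250[- ](?P<kw>[^\s=]+)(?:=(?P<eq>\S+))?\s*(?P<params>.*)$")


def parse_ehlo(lines):
    """Map EHLO keywords (upper-cased) to their parameter lists.

    The 'AUTH=...' form that Postfix adds when broken_sasl_auth_clients = yes
    is folded into the AUTH entry.
    """
    ext = {}
    for line in lines:
        m = EHLO_LINE.match(line.strip())
        if not m:
            continue
        kw = m.group("kw").upper()
        params = [p.upper() for p in m.group("params").split()]
        if m.group("eq"):
            params.insert(0, m.group("eq").upper())
        ext.setdefault(kw, []).extend(params)
    return ext


def auth_mechs(ext):
    """Set of SASL mechanisms advertised in a parsed EHLO reply."""
    return set(ext.get("AUTH", []))


def evaluate(before_tls, after_tls):
    """Return a list of findings; an empty list means the policy holds."""
    pre, post = parse_ehlo(before_tls), parse_ehlo(after_tls)
    pre_mechs, post_mechs = auth_mechs(pre), auth_mechs(post)
    findings = []
    if "STARTTLS" not in pre:
        findings.append("STARTTLS is not offered on the plaintext session")
    leaked = sorted(pre_mechs & SASLAUTHD_MECHS)
    if leaked:
        findings.append("plaintext mechanisms offered before STARTTLS: " + " ".join(leaked))
    if not post_mechs & SASLAUTHD_MECHS:
        findings.append("no PLAIN/LOGIN after STARTTLS; saslauthd-backed clients cannot authenticate")
    unservable = sorted((pre_mechs | post_mechs) & CHALLENGE_MECHS)
    if unservable:
        findings.append("mechanisms advertised that saslauthd cannot verify: " + " ".join(unservable))
    return findings


# Constructed replies for a server whose non-TLS SASL options strip plaintext
# mechanisms (noplaintext) and whose mech_list is PLAIN and LOGIN only.
GOOD_BEFORE = ["250-mail.example.com", "250-PIPELINING", "250-SIZE 50000000",
               "250-STARTTLS", "250 8BITMIME"]
GOOD_AFTER = ["250-mail.example.com", "250-PIPELINING", "250-SIZE 50000000",
              "250-AUTH PLAIN LOGIN", "250-AUTH=PLAIN LOGIN", "250 8BITMIME"]

# Constructed replies for a server that offers passwords-in-the-clear mechanisms
# before TLS and lists CRAM-MD5 although saslauthd cannot verify it.
BAD_BEFORE = ["250-mail.example.com", "250-STARTTLS",
              "250-AUTH PLAIN LOGIN CRAM-MD5", "250 8BITMIME"]
BAD_AFTER = ["250-mail.example.com", "250-AUTH PLAIN LOGIN CRAM-MD5", "250 8BITMIME"]


def _reply_lines(conn):
    """Rebuild '250-KW params' lines from smtplib's esmtp_features dict."""
    return ["250-%s %s" % (kw.upper(), params) for kw, params in conn.esmtp_features.items()]


def probe(host="mail.example.com", port=587, timeout=10):  # host is a placeholder
    """Capture EHLO before and after STARTTLS on a live server and evaluate it.

    Uses a verifying TLS context: a self-signed smtpd.cert has to be added with
    context.load_verify_locations() first, or the handshake is refused.
    """
    context = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        conn.ehlo()
        before = _reply_lines(conn)
        conn.starttls(context=context)
        conn.ehlo()  # features must be re-read after STARTTLS
        after = _reply_lines(conn)
    return evaluate(before, after)


if __name__ == "__main__":
    for label, pair in (("good", (GOOD_BEFORE, GOOD_AFTER)), ("bad", (BAD_BEFORE, BAD_AFTER))):
        print(label, evaluate(*pair) or "policy holds")
```

Run stand-alone it evaluates the two constructed reply pairs; probe() is the same check against a live submission port, where a result of an empty list is what a saslauthd-backed server with STARTTLS should produce.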