
Complete_Virtual_Mail_Server/SMTP_Authentication





SMTP Authentication

To reduce the potential of having your mail server abused, we will set it up now so that it requires password verification before it will allow a user to send mail. We will use Cyrus-sasl to provide a library we need to connect to the Postgres database for SMTP Authentication.

Where the courier-imap service uses courier-authlib as its authentication service, postfix can only use sasl. Yes, this means that you need two authentication services, because courier-imap cannot work with sasl and postfix cannot work (directly) with courier-authlib. There is no way around this limitation at the moment. So the setup looks like this:

  courier-imap -> courier-authlib --\
                                     +--> postgresql 
  postfix ------> cyrus-sasl -------/


However, courier-authlib ships a plugin for cyrus-sasl that makes sasl use authlib as its authentication source. This way sasl becomes a kind of connector that links postfix to courier-authlib for smtp authentication. For this to work you need to emerge cyrus-sasl with the authdaemond USE flag.

  courier-imap -----------\
                           +-> courier-authlib -> postgresql
  postfix -> cyrus-sasl --/


Note: for both methods postfix must be compiled with sasl support (the sasl USE flag).


Cyrus-sasl to PostgreSQL

On our mail server, we will start by emerging cyrus-sasl. Be sure as a minimum to include crypt in your USE flags or it will not work. I blocked the other items simply because they were not needed.


Code: emerge cyrus-sasl
 
# echo "dev-libs/cyrus-sasl -mysql crypt" >> /etc/portage/package.use
# emerge cyrus-sasl
  


Next, edit /etc/sasl2/smtpd.conf so that we can connect to the postgres database for smtp authorization.


File: /etc/sasl2/smtpd.conf for connecting to postgresql
 
# pwcheck_method and auxprop_plugin are the key names the Cyrus SASL
# application config uses; the sql auxprop plugin is selected here and
# sql_engine below picks the database backend.
pwcheck_method: auxprop
auxprop_plugin: sql
srp_mda: md5
password_format: crypt
# Offer only the mechanisms you actually use. CRAM-MD5/DIGEST-MD5 need the
# plaintext password on the server and cannot verify crypt()ed hashes.
mech_list: login plain
#mech_list: CRAM-MD5 DIGEST-MD5
#log_level: 3

sql_engine: pgsql
# Replace $dbhostname and $password with your database host and the
# password of the postfix database user.
sql_hostnames: $dbhostname
sql_database: postfix
sql_user: postfix
sql_passwd: $password
# Depending on how you let your users log in, using a username or an email address, pick one:
# sql_select: SELECT password FROM mailbox WHERE username='%u'
sql_select: SELECT password FROM mailbox WHERE email='%u@%r'
sql_usessl: no
  


It is important to turn off auth methods not being used as they may cause problems for some mail clients. You typically want to comment out the log_level parameter in production mode, however if you are having problems you can uncomment this to assist in debugging some of the problems.


Cyrus-sasl to Courier-authlib to PostgreSQL

It may be wise to skip this step until you have verified that everything is working, or even better, to do this step after the next one, when we know that sasl with direct postgres access actually works.

In the previous step we already set up courier-authlib to retrieve authentication information from postgresql, so here we assume that this is already working.

First we need to emerge cyrus-sasl with support for courier-authlib. Note that we disable postgres as we no longer connect to it directly. Also make sure that postfix is added to the mail group.


Code: emerge cyrus-sasl
 
# echo "dev-libs/cyrus-sasl -mysql -postgres authdaemond crypt" >> /etc/portage/package.use
# emerge cyrus-sasl
# gpasswd -a postfix mail
  


Next, edit /etc/sasl2/smtpd.conf so that we can connect to courier-authlib for smtp authorization.


File: /etc/sasl2/smtpd.conf for connecting to courier-authlib
 
# Uncomment while debugging; leave commented in production.
#log_level: 3
pwcheck_method: authdaemond
mech_list: plain login
# Socket of courier-authlib's authdaemond; postfix must be in the mail group to reach it.
authdaemond_path: /var/lib/courier/authdaemon/socket
  


It is important to turn off auth methods not being used as they may cause problems for some mail clients. You typically want to comment out the log_level parameter in production mode, however if you are having problems you can uncomment this to assist in debugging some of the problems.

Sasl and realms

The sasl protocol uses the concept of realms. When some service uses sasl to handle authentication information it tells sasl in what realm to do the authentication. This way different services can have different user lists. There is a bit more to this, but for that see the cyrus-sasl documentation, for example here: http://www.sendmail.org/~ca/email/cyrus/sysadmin.html.

The reason why this is important is that postfix has a parameter in which you can specify the realm that it will tell cyrus-sasl to use. By default this parameter is empty, so no realm is specified. However, if a realm is specified, sasl will append '@<your realm specification>' to the username for authentication. If no realm is specified, sasl will just look up the plain username.

When you have set up courier-authlib to authenticate on plain usernames instead of email addresses and want sasl to use authlib as its source, it is important to leave the realm empty.

The postfix parameter that controls this is smtpd_sasl_local_domain.
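To make these rules concrete, here is an added example (not code from this page or from Cyrus SASL) that models how the login name, smtpd_sasl_local_domain and the sql_select lines from the first smtpd.conf above combine, and runs each rendered query against a constructed sqlite copy of the mailbox table. Assumed from Cyrus SASL's documented behaviour: a login that already contains '@' is split there, and when neither the login nor postfix supplies a realm the server's host name is used; the rows and hashes are constructed.

```python
# Added example, not code from this wiki page or from Cyrus SASL: a model of how
# the login name, the realm postfix passes (smtpd_sasl_local_domain) and
# sql_select combine, run against a constructed sqlite copy of this page's
# mailbox table. The identity split follows Cyrus SASL's documented rule: a
# login containing '@' is split at the '@'; otherwise the realm is the one the
# application passed or, if that is empty, the server's host name (assumption).
import sqlite3

SERVER_FQDN = "mail.example.com"   # realm fallback when neither login nor postfix gives one

# Constructed rows with the columns the sql_select variants on this page use.
CONN = sqlite3.connect(":memory:")
CONN.execute("CREATE TABLE mailbox (username TEXT, email TEXT, domain TEXT, password TEXT)")
CONN.executemany("INSERT INTO mailbox VALUES (?, ?, ?, ?)", [
    ("john", "john@example.com", "example.com", "$1$constructed$hashJohn"),
    ("mary@example.net", "mary@example.net", "example.net", "$1$constructed$hashMary"),
])

BY_USERNAME = "SELECT password FROM mailbox WHERE username='%u'"
BY_EMAIL = "SELECT password FROM mailbox WHERE email='%u@%r'"
BY_USERNAME_AND_DOMAIN = "SELECT password FROM mailbox WHERE username='%u' and domain='%r'"

def split_identity(login, local_domain=""):
    """Return (%u, %r) as SASL derives them before touching the database."""
    if "@" in login:
        user, realm = login.split("@", 1)
        return user, realm
    return login, (local_domain or SERVER_FQDN)

def _sql_quote(value):
    """Cyrus escapes quotes before substituting %u / %r into the statement."""
    return value.replace("'", "''")

def lookup(sql_select, login, local_domain=""):
    """Render sql_select for this login and return the password hashes it finds;
    an empty list means the SMTP AUTH attempt would be rejected."""
    user, realm = split_identity(login, local_domain)
    query = sql_select.replace("%u", _sql_quote(user)).replace("%r", _sql_quote(realm))
    return [row[0] for row in CONN.execute(query)]

if __name__ == "__main__":
    for select in (BY_USERNAME, BY_EMAIL, BY_USERNAME_AND_DOMAIN):
        for login, realm in (("john", ""), ("john", "example.com"), ("john@example.com", "")):
            print("%-18s realm=%-12s %-38s -> %s" % (login, realm or "(none)",
                  select.split("WHERE ")[1], lookup(select, login, realm)))
```

Running it shows why the email-based select needs either a full address as login or the realm set to the domain, and why the username-based select must be used with the realm left empty.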

Postfix to Cyrus-sasl

Having set up one of the above options, sasl should be ready to authenticate smtp clients for postfix. Now we have to tell postfix to use sasl for this.

Note: If you had the pam USE flag disabled while emerging cyrus-sasl you may need to fix /etc/conf.d/saslauthd in order to make it start properly. As 'shadow' is a built-in mechanism, this should do fine for us. The '-V' only increases verbosity and you may want to remove it when you start running in production mode.


File: /etc/conf.d/saslauthd when emerged without pam useflag
 
#SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -a pam"
SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -a shadow -V"
  


This is another good time to test that things are still working, so start cyrus-sasl and restart postfix to pick up the latest changes.

Add the following to the main.cf to enable SASL:

File: /etc/postfix/main.cf
 
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
# Next line is disabled as we do not want to specify a realm for sasl.
#smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        reject_unauth_destination
  


Note: The smtpd_recipient_restrictions list is evaluated front to back, so if you only want to allow authenticated users to send mail you start with 'permit_sasl_authenticated', then 'reject_unauth_destination'. If you allow unauthenticated clients from the local network, you could use 'permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination'. It may be best to disallow unauthenticated clients altogether, as otherwise worms on infected machines on the internal network can still abuse your server. The 'reject_unauth_destination' option is important if you want to receive mail from the outside for the domains you are hosting (this setting replaces the now deprecated 'check_relay_domains', see also http://www.postfix.org/postconf.5.html#reject_unauth_destination).


Note: A note on 'smtpd_sasl_local_domain' and the sasl to courier-authlib setup: Depending on how you let your users authenticate, and how consistent you are in this, you may want to set this option. In the case where your users log in with a username only (thus not the complete email address) you will leave this option unset. Then in courier-authlib you will match the specified username with the username column of your table instead of the email column. When you want users to log in with their email address, but also allow them to use the short name for smtp client access, you can match against the email field and set the realm to the domain part of the email (the part after the '@' in the email address). As a general rule, if you want the logins to be with usernames only, then leave this option blank and let courier-authlib match the specified username with the username column of the database table.


First we need to start the cyrus-sasl service:

Code: starting sasl
 
# /etc/init.d/saslauthd start
  


Next we restart postfix to pick up the new configuration:

Code: Restart postfix
 
# /etc/init.d/postfix restart
  


First, use a telnet session to connect to your server and verify that the AUTH and AUTH= lines shown below are displayed.

Code: Verifying sasl support
 
# telnet mail.example.com 25

220 mail.example.com ESMTP Postfix
EHLO example.com
250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME

telnet> quit  

Note: If you have smtpd_tls_auth_only = yes, don't be surprised if the above example does not work. You need to at least temporarily disable smtpd_tls_auth_only to see whether your AUTH is in place and working.

You can also test with Mozilla-Thunderbird: there you need to toggle on 'Use name and password' for the 'Outgoing server settings' and also fill in a valid username! When sending, Thunderbird will prompt you for a password.

SSL Support

Again, SSL is not necessary, but is a good idea and easy to offer so we might as well. First step is to create the ssl certificates postfix will require. To make this a little easier, we will set some of the key default values used when generating a certificate. If any of the variables are missing, just go ahead and add them in a sensible place.


File: /etc/ssl/openssl.cnf
 
# Change the following default values for your domain.
# For a server certificate the commonName should match the host name
# clients connect to (e.g. mail.example.com) so that they can verify it.
countryName_default             = CA
stateOrProvinceName_default     = Ontario
localityName_default            = Toronto
organizationName_default        = ACME Inc
commonName_default              = ACME
emailAddress_default            = postmaster@example.com
  


Now, let's create the certificates and put them in the right directory for postfix to pick them up.


Code: SSL Certificates
 
# cd /etc/postfix
# /etc/ssl/misc/CA.pl -newca
# /etc/ssl/misc/CA.pl -newreq-nodes
# /etc/ssl/misc/CA.pl -sign
  


Finally we need to go back to main.cf so we can configure postfix to use these new certificates. The following parameters will need to be added to the bottom of the file. Please be careful when writing the smtpd_* options; it is a common mistake to forget the d, because many of the smtpd options also exist for postfix as a client (when relaying to other servers, etc.).


File: /etc/postfix/main.cf
 
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/newkey.pem
smtpd_tls_cert_file = /etc/postfix/newcert.pem
smtpd_tls_CAfile = /etc/postfix/demoCA/cacert.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
   


Code: Restarting postfix
 
# /etc/init.d/postfix reload
   


We will use telnet again to test that this is working:


Code: Verifying TLS support
 
# telnet mail.example.com 25

220 mail.example.com ESMTP Postfix
EHLO example.com
250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250 8BITMIME

telnet> quit
  


Note that this time the AUTH entries did not show up. That is because we have not established a TLS connection. With the smtpd_tls_auth_only parameter set to yes, postfix will not offer the authentication method until a TLS (SSL) connection has been established.

You can test with Mozilla-Thunderbird, there you need to toggle on the 'Use name and password' for the 'Outgoing server settings' and also fill in a valid username just like before. Also, you need to select TLS for 'Use secure connection'.
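The two telnet transcripts above are exactly what a recurring check should compare, so here is an added example (not part of the original page) that parses EHLO replies, reports a server that still offers AUTH before STARTTLS, and can run the same assessment over the network with Python's smtplib. The host, HELO name and CA file it takes are illustrative assumptions.

```python
# Added example, not code from this wiki page: parse EHLO replies like the
# two telnet transcripts above and flag AUTH offered before STARTTLS, which
# smtpd_tls_auth_only = yes is meant to prevent. check_live() runs the same
# check over the network; its host, helo and cafile arguments are assumptions.
import smtplib
import ssl
# Constructed copies of the two EHLO replies shown on this page.
EHLO_AUTH_IN_CLEAR = ["250-mail.example.com", "250-PIPELINING", "250-SIZE 10240000", "250-VRFY",
                      "250-ETRN", "250-AUTH LOGIN PLAIN", "250-AUTH=LOGIN PLAIN", "250 8BITMIME"]
EHLO_TLS_FIRST = ["250-mail.example.com", "250-PIPELINING", "250-SIZE 10240000", "250-VRFY",
                  "250-ETRN", "250-STARTTLS", "250 8BITMIME"]

def parse_ehlo(lines):
    """Map EHLO keywords to parameters, e.g. {'AUTH': ['LOGIN', 'PLAIN']}. The first
    250 line (server name) is skipped; the legacy 'AUTH=' form is folded into AUTH."""
    caps = {}
    for line in [ln.strip() for ln in lines if ln.strip().startswith("250")][1:]:
        body = line[4:]                                  # drop '250-' / '250 '
        if body.upper().startswith("AUTH="):             # broken_sasl_auth_clients form
            body = "AUTH " + body[5:]
        parts = body.split()
        if not parts:
            continue
        bucket = caps.setdefault(parts[0].upper(), [])
        for p in parts[1:]:
            if p not in bucket:                          # AUTH and AUTH= list the same mechs
                bucket.append(p)
    return caps

def assess(clear_ehlo, tls_ehlo=None):
    """Findings for the clear-text EHLO and, if given, the EHLO repeated after
    STARTTLS; an empty list means the server behaves as smtpd_tls_auth_only intends."""
    findings = []
    clear = parse_ehlo(clear_ehlo)
    if "AUTH" in clear:
        findings.append("AUTH offered before STARTTLS: " + " ".join(clear["AUTH"]))
    if "STARTTLS" not in clear:
        findings.append("STARTTLS not offered")
    if tls_ehlo is not None and "AUTH" not in parse_ehlo(tls_ehlo):
        findings.append("AUTH not offered even after STARTTLS")
    return findings

def check_live(host, port=25, helo="client.example.com", cafile=None):
    """Assess a real server; cafile is the CA that signed its certificate."""
    def lines(s):  # rebuild '250-KEY params' lines from smtplib's parsed feature table
        return ["250-" + host] + ["250-%s %s" % (k.upper(), v) for k, v in s.esmtp_features.items()]
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo(helo)
        clear, tls = lines(s), None
        if s.has_extn("starttls"):
            s.starttls(context=ssl.create_default_context(cafile=cafile))
            s.ehlo(helo)                                 # re-read capabilities after STARTTLS
            tls = lines(s)
    return assess(clear, tls)
```

Against the setup above, check_live("mail.example.com", cafile="/etc/postfix/demoCA/cacert.pem") should return an empty list; a non-empty result names what differs from the intended behaviour.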


Tip: Some clients have problems using TLS; for these you can also allow the somewhat older SSL option, where the secure smtp server will typically be running on port 465. In Thunderbird you select the SSL option for 'Use secure connection'. You will need to prepare postfix for this as well and uncomment some lines in /etc/postfix/master.cf in order to turn on the smtps server. Of course, restart postfix to let this take effect.


File: /etc/postfix/master.cf: enabling postfix' smtps server on port 465
 
smtps     inet  n       -       n       -       -       smtpd -v
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination
  


Tip: You can get free signed certificates from the CAcert.org service. See http://www.cacert.org for more information.


FIXME: Luud Heck: I kept the old stuff from this page below here. This should be removed in the near future.


WARNING:

THIS CANT WORK: "sql_select: SELECT password FROM mailbox WHERE username='%u@%r'"
BECAUSE IT DOES NOT MATCH AGAINST:

  Mailbox Table
  username:  username
  email:     user@example.com
  Password:  $1$.2213700$AOdx3nlEm3dKANLVkAjim0
  Name:      Users Name
  uid:       1000
  gid:       1000
  maildir:   example.com/user/
  homedir:   /home/vmail
  Quota:     0
  Domain:    example.com
  Created:   now()
  Modified:  now()
  Active:    true

IN "Postfix to Postgres"!!!
--212.100.55.90 18:07, 7 March 2006 (GMT)
Well.. Here's a work-around if you will.. As long as your courier-auth is using Postgres on the backend this should work. SASL without a patch simply won't handle the same encrypted password format as Cyrus.

pwcheck_method: authdaemond
authdaemond_path: /var/lib/courier/authdaemon/socket

Note: There are other ways to accomplish this such as using Pam or LDAP, but figure out what works best for you.

Codestrom


For the authdaemond method above to work, you must emerge sasl with the authdaemond use flag, and add postfix to the mail group.

Code: Configure authdaemond
 
# echo "dev-libs/cyrus-sasl -mysql -postgres crypt authdaemond" >> /etc/portage/package.use
# emerge cyrus-sasl
# gpasswd -a postfix mail
# nano -w /etc/sasl2/smtpd.conf

mech_list: LOGIN PLAIN
pwcheck_method: authdaemond
authdaemond_path: /var/lib/courier/authdaemon/socket
  

I think this is a much cleaner way to setup SASL as you already have authdaemond configured and running for your setup. Configuring SASL to access the database directly just adds more room for misconfiguration.



By the way I tried with authdaemond and it didn't help me, so I have rewritten that sql string, and this should work for this case


Code: /etc/sasl2/smtpd.conf
 
#replace sql_select:... with string

sql_select: SELECT password FROM mailbox WHERE username='%u' and domain='%r'
  

This one is DIRTY-HACK! Pointer 09.04.2006, Riga Note: This won't work for me or anybody using virtual domains (what this article was about), because the domain will always be the machine we connect to (by /etc/hosts). Just drop the 'and ...' part and everything works fine if you auth against users. Another idea might be 'WHERE username='%u' or email='%u' so that users can auth both with their username, say 'john51343', or 'john@smith.com'.

Good concept, but these both miss the point, the password is encrypted using two different systems and neither program can read the other's encrypted password.


For those who wish to use Postfix Admin, there is a better way to configure Postfix: just configure sasl like originally mentioned on this page and change the occurrences of the `email' field in the maps described in Postfix to Postgres to `username'. That's how Postfix Admin expects things to be and it can't hurt to use the complete email address as a username. JD - 22.07.2006



It is important to turn off auth methods not being used as they may cause problems for some mail clients. I have also commented out the log_level parameter however if you are having problems you can uncomment this to assist in debugging some of the problems.

This is another good time to test that things are still working, so start cyrus-sasl and restart postfix to pick up the latest changes.

Code: Start Configure PostFix
 
Add the following to the main.cf to enable SASL:

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        check_relay_domains
  


Code: Start cyrus-sasl
 
# /etc/init.d/saslauthd start

# /etc/init.d/postfix restart
  



I also tested with MS Outlook, setting it up to use my userid and password (same on as for incoming mail) on outgoing mail. Most popular mail clients should be suitable for this testing.

SSL Support

Note: content code moved up

Final testing was done with Outlook again. I setup my mail account and confirmed that I could send a message if SSL for outgoing mail was set, but the message would get rejected if I turned SSL off.

{{ added on 09.01.07: it was a problem with certificates. I don't know how really secure this way is, but for me it was enough with apache openssl

  mkdir /etc/postfix/ssl
  cd /etc/postfix/ssl
  openssl req -new -x509 -nodes -out smtpd.pem -keyout smtpd.pem -days 3650

then modify /etc/postfix/main.cf

  smtpd_tls_key_file = /etc/postfix/ssl/smtpd.pem
  smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.pem
  smtpd_tls_CAfile = /etc/postfix/ssl/smtpd.pem

I have read it in some few-years-old manual. Maybe something is wrong with it. But I couldn't fix the ssl thing any other way.}}

Retrieved from "http://www.gentoo-wiki.info/Complete_Virtual_Mail_Server/SMTP_Authentication"

Last modified: Fri, 03 Oct 2008 12:01:00 +0000