HOWTO Email: A Complete Virtual System - SMTP Authentication
From Gentoo Linux Wiki
SMTP Authentication
To reduce the potential for abuse of your mail server, we will now set it up so that it requires password verification before it will allow a user to send mail. We will use cyrus-sasl, which provides the library Postfix needs to verify SMTP credentials against the PostgreSQL database.
Where the courier-imap service uses courier-authlib as its authentication service, Postfix can only use SASL. Yes, this means that you need two authentication services, because courier-imap cannot work with SASL and Postfix cannot work (directly) with courier-authlib. There is no way around this limitation at the moment, so the setup will look like this:
courier-imap -> courier-authlib --\
                                   +--> postgresql
postfix ------> cyrus-sasl -------/
However, courier-authlib ships a plugin for cyrus-sasl that makes SASL use authlib as its authentication source. This way SASL becomes a sort of connector that links Postfix to courier-authlib for SMTP authentication. For this to work you need to emerge cyrus-sasl with the authdaemond USE flag.
courier-imap -----------\
                         +-> courier-authlib -> postgresql
postfix -> cyrus-sasl --/
Cyrus-sasl to PostgreSQL
On our mail server, we will start by emerging cyrus-sasl. As a minimum, include crypt and postgres in your USE flags or it will not work: crypt for the password format used in the database, postgres for the SQL auxprop plugin that talks to PostgreSQL. I disabled the other items simply because they were not needed.
| Code: emerge cyrus-sasl |
# echo "dev-libs/cyrus-sasl -mysql postgres crypt" >> /etc/portage/package.use
# emerge cyrus-sasl
|
Next, edit /etc/sasl2/smtpd.conf so that SASL can connect to the PostgreSQL database for SMTP authentication. Note that the option names carry no sasl_ prefix in this file (the prefix is only used in sendmail.cf); Postfix reads the plain names. Since the file holds the database password, keep it readable only by root and the postfix user.
| File: /etc/sasl2/smtpd.conf for connecting to postgresql |
pwcheck_method: auxprop
# the SQL auxprop plugin; the database engine is selected by sql_engine below
auxprop_plugin: sql
srp_mda: md5
password_format: crypt
mech_list: login plain
#mech_list: CRAM-MD5 DIGEST-MD5
#log_level: 3
sql_engine: pgsql
sql_hostnames: $dbhostname
sql_database: postfix
sql_user: postfix
sql_passwd: $password
# Depending on how you let your users log in, using a username or an email address, pick one:
# sql_select: SELECT password FROM mailbox WHERE username='%u'
sql_select: SELECT password FROM mailbox WHERE email='%u@%r'
sql_usessl: no
|
It is important to turn off auth methods not being used as they may cause problems for some mail clients. You typically want to comment out the log_level parameter in production mode, however if you are having problems you can uncomment this to assist in debugging some of the problems.
Cyrus-sasl to Courier-authlib to PostgreSQL
In the previous step we already set up courier-authlib to retrieve authentication information from PostgreSQL, so here we assume that this is already working.
First we need to emerge cyrus-sasl with support for courier-authlib. Note that we disable postgres, as SASL no longer connects to the database directly. Also make sure that postfix is added to the mail group, otherwise smtpd cannot open the authdaemon socket.
| Code: emerge cyrus-sasl |
# echo "dev-libs/cyrus-sasl -mysql -postgres authdaemond crypt" >> /etc/portage/package.use
# emerge cyrus-sasl
# gpasswd -a postfix mail
|
Next, edit /etc/sasl2/smtpd.conf so that SASL can connect to courier-authlib for SMTP authentication.
| File: /etc/sasl2/smtpd.conf for connecting to courier-authlib |
# uncomment while debugging only
#log_level: 3
pwcheck_method: authdaemond
mech_list: plain login
authdaemond_path: /var/lib/courier/authdaemon/socket
|
It is important to turn off auth methods not being used as they may cause problems for some mail clients. You typically want to comment out the log_level parameter in production mode, however if you are having problems you can uncomment this to assist in debugging some of the problems.
Sasl and realms
SASL uses the concept of realms. When a service uses SASL to handle authentication, it tells SASL in which realm to do the authentication. This way different services can have different user lists. There is a bit more to this, but for that see the cyrus-sasl documentation, for example here: http://www.sendmail.org/~ca/email/cyrus/sysadmin.html.
The reason this matters is that Postfix has a parameter in which you can specify the realm that it will tell cyrus-sasl to use. By default this parameter is empty, so no realm is specified. However, if a realm is specified, SASL will append '@<your realm specification>' to the username for authentication. If no realm is specified, SASL will just look up the plain username.
When you have set up courier-authlib to authenticate on plain usernames instead of email addresses and want SASL to use authlib as its source, it is important to leave the realm empty.
The Postfix parameter that controls this is smtpd_sasl_local_domain.
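The effect of the realm and of the sql_select choice is easiest to see by running the page's lookups against a copy of the mailbox row. The following is an added illustration, not code from the wiki page, from cyrus-sasl or from courier-authlib. It models what the page describes: the SQL auxprop plugin replaces %u with the user part of the login and %r with the realm, a login of the form user@domain is split at the '@', and when smtpd_sasl_local_domain is set the realm is appended to the username that reaches courier-authlib. The mailbox row is constructed from the example in the WARNING section further down, and SQLite stands in for PostgreSQL.

```python
"""
Model of the lookup Cyrus SASL's SQL auxprop plugin performs with the
sql_select line from /etc/sasl2/smtpd.conf, and of the name the authdaemond
backend hands to courier-authlib once a realm is set.

Added illustration; not code from the wiki page, cyrus-sasl or courier-authlib.
Assumptions (as the page describes them): %u is the user part of the login,
%r the realm; user@domain logins are split at '@'; with smtpd_sasl_local_domain
set, the realm is appended to the user name before the lookup.
"""
import sqlite3

# Constructed mailbox row (the one quoted in the page's WARNING section).
MAILBOX_ROWS = [
    ("username", "user@example.com", "example.com",
     "$1$.2213700$AOdx3nlEm3dKANLVkAjim0"),
]

# The sql_select variants discussed on the page.
SELECT_BY_USERNAME = "SELECT password FROM mailbox WHERE username='%u'"
SELECT_BY_EMAIL = "SELECT password FROM mailbox WHERE email='%u@%r'"
SELECT_BROKEN = "SELECT password FROM mailbox WHERE username='%u@%r'"
SELECT_USER_AND_DOMAIN = (
    "SELECT password FROM mailbox WHERE username='%u' and domain='%r'")


def build_db():
    """In-memory stand-in for the mailbox table of the postfix database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE mailbox "
               "(username TEXT, email TEXT, domain TEXT, password TEXT)")
    db.executemany("INSERT INTO mailbox VALUES (?, ?, ?, ?)", MAILBOX_ROWS)
    return db


def split_login(login, local_domain=""):
    """Return (user, realm) for the login name the client sent."""
    if local_domain:                      # smtpd_sasl_local_domain is set
        return login, local_domain
    if "@" in login:                      # the user logged in with an address
        user, realm = login.split("@", 1)
        return user, realm
    return login, ""                      # plain user name, empty realm


def render_query(template, user, realm):
    """Substitute %u/%r into sql_select. The real plugin escapes through the
    database engine; doubling single quotes is the minimal equivalent here."""
    def esc(s):
        return s.replace("'", "''")
    return template.replace("%u", esc(user)).replace("%r", esc(realm))


def lookup_password(db, template, login, local_domain=""):
    """What the SQL auxprop path finds for this login, or None."""
    user, realm = split_login(login, local_domain)
    row = db.execute(render_query(template, user, realm)).fetchone()
    return row[0] if row else None


def authlib_login_name(login, local_domain=""):
    """Name handed to courier-authlib through authdaemond: a realm, when
    present, is appended as '@realm'."""
    user, realm = split_login(login, local_domain)
    return f"{user}@{realm}" if realm else user


def lookup_via_authlib(db, login, local_domain=""):
    """authlib configured for plain user names matches the username column,
    so a non-empty realm makes every lookup miss."""
    name = authlib_login_name(login, local_domain)
    row = db.execute("SELECT password FROM mailbox WHERE username=?",
                     (name,)).fetchone()
    return row[0] if row else None
```

Running the three templates against the constructed row shows why `username='%u@%r'` can never match (the username column holds no '@'), why `email='%u@%r'` needs the user to log in with the full address, and why a username lookup through authlib stops working as soon as smtpd_sasl_local_domain is set. The quote-doubling in render_query is what keeps a login name containing a single quote from changing the query; the real plugin's escaping serves the same purpose.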
Postfix to Cyrus-sasl
Having set up one of the above options, SASL should be ready to authenticate SMTP clients for Postfix. Now we have to tell Postfix to use SASL for this.
| File: /etc/conf.d/saslauthd when emerged without pam useflag |
#SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -a pam"
SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -a shadow -V"
|
This is another good time to test that things are still working, so start cyrus-sasl and restart postfix to pick up the latest changes.
Add the following to main.cf to enable SASL:
| File: /etc/postfix/main.cf |
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
# Next line is disabled as we do not want to specify a realm for sasl.
#smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    reject_unauth_destination
|
First we need to start the cyrus-sasl service:
| Code: starting sasl |
# /etc/init.d/saslauthd start
|
Next we restart postfix to pick up the new configuration:
| Code: Restart postfix |
# /etc/init.d/postfix restart
|
First, use a telnet session to connect to your server and verify that the AUTH and AUTH= lines shown below are displayed.
| Code: Verifying sasl support |
# telnet mail.example.com 25
220 mail.example.com ESMTP Postfix
EHLO example.com
250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME
telnet> quit
|
Note: If you have smtpd_tls_auth_only = yes, don't be surprised if the above session does not show the AUTH lines. You need to at least temporarily disable smtpd_tls_auth_only to see whether your AUTH is in place and working.
You can also test with Mozilla Thunderbird: there you need to enable 'Use name and password' in the 'Outgoing server settings' and fill in a valid username. When sending, Thunderbird will prompt you for a password.
SSL Support
Again, SSL is not necessary, but is a good idea and easy to offer so we might as well. First step is to create the ssl certificates postfix will require. To make this a little easier, we will set some of the key default values used when generating a certificate. If any of the variables are missing, just go ahead and add them in a sensible place.
| File: /etc/ssl/openssl.cnf |
# Change the following default values for your domain:
countryName_default = CA
stateOrProvinceName_default = Ontario
localityName_default = Toronto
organizationName_default = ACME Inc
commonName_default = ACME
emailAddress_default = postmaster@example.com
|
Now, let's create the certificates and put them in the right directory for Postfix to pick them up.
| Code: SSL Certificates |
# cd /etc/postfix
# /etc/ssl/misc/CA.pl -newca
# /etc/ssl/misc/CA.pl -newreq-nodes
# /etc/ssl/misc/CA.pl -sign
|
Finally we need to go back to main.cf to configure Postfix to use these new certificates. The following parameters need to be added to the bottom of the file. Be careful when writing the smtpd_* options: a common mistake is to forget the d, because many of the smtpd options also exist in an smtp_* form for Postfix acting as a client (when relaying to other servers, etc.).
| File: /etc/postfix/main.cf |
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/newkey.pem
smtpd_tls_cert_file = /etc/postfix/newcert.pem
smtpd_tls_CAfile = /etc/postfix/demoCA/cacert.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
|
| Code: Restarting postfix |
# /etc/init.d/postfix reload
|
We will use telnet again to test that this is working:
| Code: Verifying sasl Support |
# telnet mail.example.com 25
220 mail.example.com ESMTP Postfix
EHLO example.com
250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250 8BITMIME
telnet> quit
|
Note that this time the AUTH entries did not show up. That is because we have not established a TLS connection. With the smtpd_tls_auth_only parameter set to yes, postfix will not offer the authentication method until a TLS (SSL) connection has been established.
You can test with Mozilla-Thunderbird, there you need to toggle on the 'Use name and password' for the 'Outgoing server settings' and also fill in a valid username just like before. Also, you need to select TLS for 'Use secure connection'.
| File: /etc/postfix/master.cf: enabling Postfix's smtps server on port 465 |
# -v turns on verbose logging for this service; drop it once it works
smtps     inet  n       -       n       -       -       smtpd -v
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination
|
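The two telnet sessions above are the whole check: AUTH must be absent on the plaintext session and present after STARTTLS. The following script automates that comparison; it is an added example, not code from the wiki page or from Postfix. parse_ehlo() reads EHLO replies of the shape shown in the transcripts (including the legacy AUTH= line that broken_sasl_auth_clients = yes produces), audit() reports the misconfigurations the page describes, and probe() runs the same audit against a live server with smtplib. The two capability texts are constructed from the page's transcripts so the parser and audit run offline.

```python
"""
Audit what an SMTP server advertises before and after STARTTLS.

Added example, not code from the wiki page or from Postfix. The EHLO
texts below are constructed from the page's two telnet sessions.
"""
import smtplib

# Constructed: the first telnet session (AUTH before TLS, no STARTTLS).
EHLO_AUTH_IN_CLEAR = """250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME"""

# Constructed: the second session, smtpd_tls_auth_only = yes (no AUTH yet).
EHLO_TLS_AUTH_ONLY = """250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250 8BITMIME"""

F_AUTH_IN_CLEAR = "AUTH offered on the plaintext session"
F_NO_STARTTLS = "STARTTLS not offered"
F_NO_AUTH_AFTER_TLS = "no AUTH after STARTTLS (SASL not wired into smtpd)"


def parse_ehlo(text):
    """Return {KEYWORD: set(params)} from the 250 lines of an EHLO reply.
    'AUTH LOGIN PLAIN' and the legacy 'AUTH=LOGIN PLAIN' both feed AUTH."""
    caps = {}
    lines = [ln.strip() for ln in text.splitlines()
             if ln.strip().startswith("250")]
    for body in (ln[4:] for ln in lines[1:]):   # lines[0] is the server name
        if not body:
            continue
        keyword, _, params = body.replace("=", " ", 1).partition(" ")
        caps.setdefault(keyword.upper(), set()).update(params.split())
    return caps


def audit(plain_caps, tls_caps):
    """Findings for the capabilities seen before TLS and, if STARTTLS was
    available, after it (tls_caps is None when it was not)."""
    findings = []
    if "AUTH" in plain_caps:
        findings.append(F_AUTH_IN_CLEAR)
    if "STARTTLS" not in plain_caps:
        findings.append(F_NO_STARTTLS)
    elif tls_caps is not None and "AUTH" not in tls_caps:
        findings.append(F_NO_AUTH_AFTER_TLS)
    return findings


def _caps_from(smtp):
    """smtplib keeps EHLO features lowercase; normalise to parse_ehlo's form."""
    return {k.upper(): set(v.split()) for k, v in smtp.esmtp_features.items()}


def probe(host, port=25, context=None, timeout=10):
    """Live version of the audit. Assumes the host is reachable; pass an
    ssl.SSLContext that trusts your CA when the certificate is self-signed,
    as the one generated with CA.pl on this page is."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        plain = _caps_from(smtp)
        tls = None
        if smtp.has_extn("starttls"):
            smtp.starttls(context=context)
            smtp.ehlo()
            tls = _caps_from(smtp)
    return audit(plain, tls)
```

A clean result from probe() is an empty list: STARTTLS offered, no AUTH before it, AUTH present after it. For the smtps wrapper service on port 465 the same audit applies to a session opened with smtplib.SMTP_SSL, where every capability is already behind TLS.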
| FIXME: Luud Heck: I kept the old stuff from this page below here. This should be removed in the near future. |
WARNING:
THIS CANT WORK: "sql_select: SELECT password FROM mailbox WHERE username='%u@%r'"
BECAUSE IT DOES NOT MATCH AGAINST:
Mailbox Table
username: username
email: user@example.com
Password: $1$.2213700$AOdx3nlEm3dKANLVkAjim0
Name: Users Name
uid: 1000
gid: 1000
maildir: example.com/user/
homedir: /home/vmail
Quota: 0
Domain: example.com
Created: now()
Modified: now()
Active: true
IN "Postfix to Postgres"!!!
--212.100.55.90 18:07, 7 March 2006 (GMT)
Well.. Here's a work-around if you will.. As long as your courier-auth is using Postgres on the backend this should work. SASL without a patch simply won't handle the same encrypted password format as Cyrus.
pwcheck_method: authdaemond
authdaemond_path: /var/lib/courier/authdaemon/socket
Note : There are other ways to accomplish this such as using Pam or LDAP, but figure out what works best for you.
Codestrom
For the authdaemond method above to work, you must emerge sasl with the authdaemond USE flag and add postfix to the mail group.
| Code: Configure authdaemond |
# echo "dev-libs/cyrus-sasl -mysql -postgres crypt authdaemond" >> /etc/portage/package.use
# emerge cyrus-sasl
# gpasswd -a postfix mail
# nano -w /etc/sasl2/smtpd.conf
mech_list: LOGIN PLAIN
pwcheck_method: authdaemond
authdaemond_path: /var/lib/courier/authdaemon/socket
|
I think this is a much cleaner way to setup SASL as you already have authdaemond configured and running for your setup. Configuring SASL to access the database directly just adds more room for misconfiguration.
By the way I tried with authdaemond and it didn't help me,
so I have rewritten that sql string, and this should work for this case
| Code: /etc/sasl2/smtpd.conf |
# replace sql_select: ... with this string
sql_select: SELECT password FROM mailbox WHERE username='%u' and domain='%r'
|
This one is a DIRTY HACK! Pointer 09.04.2006, Riga Note: This won't work for me or anybody using virtual domains (what this article was about), because the domain will always be the machine we connect to (by /etc/hosts). Just drop the 'and ...' part and everything works fine if you auth against users. Another idea might be WHERE username='%u' or email='%u' so that users can auth both with their username, say 'john51343', or 'john@smith.com'.
Good concept, but these both miss the point, the password is encrypted using two different systems and neither program can read the other's encrypted password.
For those who wish to use Postfix Admin, there is a better way to configure Postfix: just configure sasl like originally mentioned on this page and change the occurrences of the `email' field in the maps described in Postfix to Postgres to `username'. That's how Postfix Admin expects things to be, and it can't hurt to use the complete email address as a username. JD - 22.07.2006
It is important to turn off auth methods not being used as they may cause problems for some mail clients. I have also commented out the log_level parameter however if you are having problems you can uncomment this to assist in debugging some of the problems.
This is another good time to test that things are still working, so start cyrus-sasl and restart postfix to pick up the latest changes.
Add the following to the main.cf to enable SASL:
| Code: Start Configure PostFix |
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    check_relay_domains
|
| Code: Start cyrus-sasl |
# /etc/init.d/saslauthd start
# /etc/init.d/postfix restart
|
First, use a telnet session to connect to your server and verify that the AUTH and AUTH= lines shown below are displayed.
| Code: Verifying sasl support |
# telnet mail.example.com 25
220 mail.example.com ESMTP Postfix
EHLO example.com
250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME
telnet> quit
|
Note: If you have smtpd_tls_auth_only = yes, don't be surprised if the above session does not show the AUTH lines. You need to at least temporarily disable smtpd_tls_auth_only to see whether your AUTH is in place and working.
I also tested with MS Outlook, setting it up to use my userid and password (same on as for incoming mail) on outgoing mail. Most popular mail clients should be suitable for this testing.
SSL Support
Final testing was done with Outlook again. I setup my mail account and confirmed that I could send a message if SSL for outgoing mail was set, but the message would get rejected if I turned SSL off.
Added on 09.01.07: it was a problem with certificates. I don't know how really secure this way is, but for me it was enough with apache openssl.
mkdir /etc/postfix/ssl
cd /etc/postfix/ssl
openssl req -new -x509 -nodes -out smtpd.pem -keyout smtpd.pem -days 3650
Then modify /etc/postfix/main.cf:
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.pem
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.pem
smtpd_tls_CAfile = /etc/postfix/ssl/smtpd.pem
I read it in a manual a few years old. Maybe something is wrong with it, but I couldn't fix the ssl thing any other way.
