First of all, we need to compile Postfix with SASL support. The easiest way is to read the tutorial on how to compile the Postfix RPM source at Simon J Mudd’s website.
Since I’m using a MySQL database for storing usernames/passwords, I’m going to show you how to set up SMTP authentication (SASL) against it.
Install pam_mysql:
# yum -y install pam_mysql
Edit /etc/pam.d/smtp file:
auth required pam_mysql.so user=postfix passwd=password host=localhost db=postfixdb table=mailbox usercolumn=username passwdcolumn=password crypt=1 md5=1 sqlLog=0
account sufficient pam_mysql.so user=postfix passwd=password host=localhost db=postfixdb table=mailbox usercolumn=username passwdcolumn=password crypt=1 md5=1 sqlLog=0
Note on some parameters:
- My Postfix virtual mailboxes were created using postfixadmin, which stores passwords in encrypted format, hence crypt=1 md5=1
Edit /etc/sysconfig/saslauthd file like this:
SOCKETDIR=/var/run/saslauthd
MECH=pam
FLAGS=-r
Edit/create /usr/lib64/sasl2/smtpd.conf file like this:
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
Note the lib64 path: I’m using an x86_64 system, so your mileage may vary.
Start the saslauthd service:
# chkconfig saslauthd on
# service saslauthd start
Test whether SASL (Simple Authentication and Security Layer) really works before putting it all together with Postfix:
# testsaslauthd -u hari.h@domain.com -p pass -s smtp
0: OK "Success."
Now the Postfix part :
Edit /etc/postfix/main.cf
Add these parameters to main.cf
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
Usually people put SASL on the Postfix submission service (port 587). In that case, edit /etc/postfix/master.cf and comment out these parameters:
submission inet n - n - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
Reload postfix
# postfix reload
Test by telnetting to the server on port 25:
# telnet smtp.domain.net 25
Trying 202.xxx.xx.xxx...
Connected to smtp.domain.net (202.xxx.xx.xxx).
Escape character is '^]'.
220 smtp.domain.net ESMTP Postfix (2.6.5-20090828)
250-PIPELINING
250-SIZE 52428800
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.
The easiest way to test Postfix SASL is with smtp-cli, which you can download at http://www.logix.cz/michal/devel/smtp-cli/
After downloading smtp-cli:
# chmod +x smtp-cli
Note: smtp-cli is written in Perl, so you might have to install its Perl module dependencies.
Run test with smtp-cli
# ./smtp-cli --host=smtp.domain.net --port=587 --enable-auth --auth-plain --user=hari.h@domain.com --pass=password --verbose
[220] 'smtp.domain.net ESMTP Postfix (2.6.5-20090828)'
> EHLO localhost
[250] 'smtp.domain.net'
[250] 'PIPELINING'
[250] 'SIZE 52428800'
[250] 'ETRN'
[250] 'STARTTLS'
[250] 'ENHANCEDSTATUSCODES'
[250] '8BITMIME'
[250] 'DSN'
Starting TLS...
> STARTTLS
[220] '2.0.0 Ready to start TLS'
Using cipher: DHE-RSA-AES256-SHA
-- snipped --
-- snipped --
> EHLO localhost
[250] 'smtp.domain.net'
[250] 'PIPELINING'
[250] 'SIZE 52428800'
[250] 'ETRN'
[250] 'AUTH LOGIN PLAIN'
[250] 'AUTH=LOGIN PLAIN'
[250] 'ENHANCEDSTATUSCODES'
[250] '8BITMIME'
[250] 'DSN'
AUTH method (LOGIN PLAIN): using PLAIN
> AUTH PLAIN aGFyaS5oQGNvcnxxxxxxxxxxxxxxxxxxxxJpLmhAY29ycC4zZy1uZXQubmV0ADNtNGwxdDQ=
[235] '2.7.0 Authentication successful'
Authentication of hari.h@domain.com@domain.net succeeded
> QUIT
[221] '2.0.0 Bye'
Now we have Postfix SMTP authentication ready for action 🙂
Note on STARTTLS:
I’m also using TLS encryption on submission, but if you compiled Postfix without TLS support, just change the setting to -o smtpd_tls_security_level=none in master.cf
submission inet n - n - - smtpd
  -o smtpd_tls_security_level=none
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
Transmitting your base64-encoded password in clear text is not recommended, so you’d better wrap it with TLS. I’ll show how to set up Postfix with TLS support in the next tutorial.
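
Why the base64 in AUTH PLAIN gives no protection, and how to check whether a server offers AUTH before TLS is up, as an added Python example (not code from this post or from Postfix). The credentials, host name and the "C: "/"S: " transcript format are constructed for the example; the two transcripts are modelled on the port 25 and port 587 sessions above.

```python
import base64

def encode_auth_plain(user, password, authzid=""):
    """SASL PLAIN initial response (RFC 4616): authzid NUL authcid NUL passwd, base64-encoded."""
    return base64.b64encode(f"{authzid}\0{user}\0{password}".encode()).decode()

def decode_auth_plain(token):
    """Reverse the encoding. No key is involved, so anyone who sees the token can do this."""
    return tuple(base64.b64decode(token).decode().split("\0"))

def auth_offered_before_tls(transcript):
    """True if the server advertises AUTH while the session is still cleartext."""
    starttls_sent = tls_active = False
    for entry in transcript:
        side, _, text = entry.partition(": ")
        if side == "C" and text.strip().upper() == "STARTTLS":
            starttls_sent = True
        elif side == "S" and starttls_sent and text.startswith("220"):
            tls_active = True  # TLS handshake follows; later lines are encrypted
        elif (side == "S" and text.startswith("250")
              and text[4:].upper().startswith("AUTH") and not tls_active):
            return True
    return False

# Constructed transcripts (assumed "C: "/"S: " prefixes mark client and server lines).
PORT25_PLAIN = [
    "S: 220 smtp.example.test ESMTP Postfix",
    "C: EHLO localhost",
    "S: 250-STARTTLS",
    "S: 250-AUTH LOGIN PLAIN",
    "S: 250 DSN",
]
SUBMISSION_TLS = [
    "S: 220 smtp.example.test ESMTP Postfix",
    "C: EHLO localhost",
    "S: 250-STARTTLS",
    "S: 250 DSN",
    "C: STARTTLS",
    "S: 220 2.0.0 Ready to start TLS",
    "C: EHLO localhost",
    "S: 250-AUTH LOGIN PLAIN",
    "S: 250 DSN",
]

if __name__ == "__main__":
    token = encode_auth_plain("alice@example.test", "constructed-pass")
    print(token, "->", decode_auth_plain(token))
    print("port 25 offers AUTH in cleartext:", auth_offered_before_tls(PORT25_PLAIN))
    print("submission offers AUTH in cleartext:", auth_offered_before_tls(SUBMISSION_TLS))
```

In Postfix, setting smtpd_tls_auth_only = yes in main.cf keeps AUTH out of the EHLO reply until STARTTLS has completed.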