Difference between revisions of "PostFix Howto With SASL"
From ArchWiki
(rm spam, spammer: Tictac) |
m |
||
| (30 intermediate revisions by 21 users not shown) | |||
| Line 1: | Line 1: | ||
| − | [[Category: | + | [[Category:Mail Server]] |
| − | + | ||
| − | + | The {{pkg|postfix}} package in [extra] is compiled with SASL support: | |
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | pacman -S postfix cyrus-sasl | |
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | To enable SASL for accepting mail from other users, open the [http://tools.ietf.org/html/rfc6409 "Message submission"] port (TCP 587) in {{ic|/etc/postfix/master.cf}}, by uncommenting these lines (which are there by default, just commented): | |
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | {{bc|<nowiki> | |
| + | submission inet n - n - - smtpd | ||
| + | -o syslog_name=postfix/submission | ||
| + | -o smtpd_tls_security_level=encrypt | ||
| + | -o smtpd_sasl_auth_enable=yes | ||
| + | -o smtpd_reject_unlisted_recipient=no | ||
| + | # -o smtpd_client_restrictions=$mua_client_restrictions | ||
| + | # -o smtpd_helo_restrictions=$mua_helo_restrictions | ||
| + | # -o smtpd_sender_restrictions=$mua_sender_restrictions | ||
| + | -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject | ||
| + | -o milter_macro_daemon_name=ORIGINATING | ||
| + | </nowiki>}} | ||
| − | + | Note that this also enables SSL, so if you do not have a SSL certificate, keep the "smtpd_tls_security_level" option commented out. | |
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | The three restriction options (client, helo, sender) can also be left commented out, since smtpd_recipient_restrictions already handles SASL users. | |
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | Setup Postfix as you normally would and [[Daemons#Starting_manually|start]] it. | |
| + | If you want to start it at boot time see [[Daemons#Starting_on_boot]]. | ||
| − | + | SASL can use different authentication methods. The default one is PAM (as configured in {{ic|/etc/conf.d/saslauthd}}), but to set it up properly you have to create {{ic|/usr/lib/sasl2/smtpd.conf}}: | |
| − | + | {{bc| | |
| − | + | pwcheck_method: saslauthd | |
| + | mech_list: plain | ||
| + | log_level: 7 | ||
| + | }} | ||
| − | + | To read about other authentication methods please refer to http://www.postfix.org/SASL_README.html | |
| − | EHLO test.com | + | To start all the daemons: |
| + | |||
| + | systemctl start postfix saslauthd | ||
| + | |||
| + | Hopefully you should be able to telnet to your Postfix server with: | ||
| + | |||
| + | {{ic|telnet localhost 587}} | ||
| + | |||
| + | You should then type: | ||
| + | |||
| + | {{ic|EHLO test.com}} | ||
| − | This is roughly what you should see : | + | This is roughly what you should see: |
| + | {{bc| | ||
Trying 127.0.0.1... | Trying 127.0.0.1... | ||
| Line 68: | Line 65: | ||
250-ETRN | 250-ETRN | ||
250-AUTH PLAIN OTP DIGEST-MD5 CRAM-MD5 | 250-AUTH PLAIN OTP DIGEST-MD5 CRAM-MD5 | ||
| − | |||
250 8BITMIME | 250 8BITMIME | ||
| − | + | }} | |
Revision as of 12:28, 28 May 2013
The postfix package in [extra] is compiled with SASL support:
pacman -S postfix cyrus-sasl
To enable SASL for accepting mail from other users, open the "Message submission" port (TCP 587) in /etc/postfix/master.cf, by uncommenting these lines (which are there by default, just commented):
submission inet n - n - - smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_reject_unlisted_recipient=no # -o smtpd_client_restrictions=$mua_client_restrictions # -o smtpd_helo_restrictions=$mua_helo_restrictions # -o smtpd_sender_restrictions=$mua_sender_restrictions -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING
Note that this also enables SSL, so if you do not have a SSL certificate, keep the "smtpd_tls_security_level" option commented out.
The three restriction options (client, helo, sender) can also be left commented out, since smtpd_recipient_restrictions already handles SASL users.
Setup Postfix as you normally would and start it. If you want to start it at boot time see Daemons#Starting_on_boot.
SASL can use different authentication methods. The default one is PAM (as configured in /etc/conf.d/saslauthd), but to set it up properly you have to create /usr/lib/sasl2/smtpd.conf:
pwcheck_method: saslauthd mech_list: plain log_level: 7
To read about other authentication methods please refer to http://www.postfix.org/SASL_README.html
To start all the daemons:
systemctl start postfix saslauthd
Hopefully you should be able to telnet to your Postfix server with:
telnet localhost 587
You should then type:
EHLO test.com
This is roughly what you should see:
Trying 127.0.0.1... Connected to localhost.localdomain Escape character is '^]' 220 justin ESMTP Postfix EHLO test.com 250-justin 250-PIPELINING 250-SIZE 10240000 250-VRFY 250-ETRN 250-AUTH PLAIN OTP DIGEST-MD5 CRAM-MD5 250 8BITMIME