Difference between revisions of "Postfix with SASL"

From ArchWiki
Jump to: navigation, search
m (rm spam, spammer:Xtrinityluvx)
m
(16 intermediate revisions by 14 users not shown)
Line 1: Line 1:
[[Category:Network]]
+
[[Category:Mail Server]]
'''Postfix with sasl support howto'''  ( Justin Smithies - justin AT smithies.me.uk || formfixed by Pablo Bitreras - dexodvz AT vtr . net)
+
  
First you will need to install srcpac :
+
The {{pkg|postfix}} package in [extra] is compiled with SASL support:
<pre>
+
pacman -Sy srcpac
+
</pre>
+
  
Then type edit the <code>/etc/srcpac.conf</code> file and add the following :
+
pacman -S postfix cyrus-sasl
<pre>
+
# postfix sasl
+
conf''postfix<code>('#source</code>(ftp://ftp.porcupine.org#source=(ftp://ftp.aet.tu-cottbus.de/pub/postfix''tls/pfixtls-0.8.18-2.1.3-0.9.7d.tar.gz ftp://ftp.porcupine.org#'
+
'#cd \$startdir/src/\$pkgname-\$pkgver#cd \$startdir/src/\$pkgname-\$pkgver\npatch -p1 < ../pfixtls-0.8.18-2.1.3-0.9.7d/pfixtls.diff#'
+
'#make OPT#make CCARGS<code>\\"-DUSE''SASL''AUTH -I/usr/include/sasl -DUSE_SSL -I/usr/include/openssl\\" AUXLIBS</code>\\"-L/usr/lib -R/usr/lib -lsasl2 -lssl -lcrypto\\" OPT#')
+
</pre>
+
  
Save the above then type :
+
To enable SASL for accepting mail from other users, open the [http://tools.ietf.org/html/rfc6409 "Message submission"] port (TCP 587) in {{ic|/etc/postfix/master.cf}}, by uncommenting these lines (which are there by default, just commented):
<pre>
+
srcpac -Sb postfix
+
</pre>
+
  
This will download and build '''Postfix''' with '''SASL''' support.
+
{{bc|<nowiki>
 +
submission inet n      -      n      -      -      smtpd
 +
  -o syslog_name=postfix/submission
 +
  -o smtpd_tls_security_level=encrypt
 +
  -o smtpd_sasl_auth_enable=yes
 +
  -o smtpd_reject_unlisted_recipient=no
 +
#  -o smtpd_client_restrictions=$mua_client_restrictions
 +
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
 +
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
 +
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
 +
  -o milter_macro_daemon_name=ORIGINATING
 +
</nowiki>}}
  
An example line for the <code>/etc/postfix/main.cf</code> file to enable the SASL is below.
+
Note that this also enables SSL, so if you do not have a SSL certificate, keep the "smtpd_tls_security_level" option commented out.
<pre>
+
mydestination = $myhostname, localhost.$mydomain, $mydomain
+
myorigin = $mydomain
+
smtpd''sasl''auth_enable = yes
+
smtpd''sasl''security_options = noanonymous
+
smtpd''sasl''tls''security''options = $smtpd''sasl''security_options
+
smtpd''tls''auth_only = no
+
smtpd''sasl''local_domain = $mydomain
+
smtpd''recipient''restrictions = permit''mynetworks,permit''sasl''authenticated,reject''unauth_destination,permit
+
broken''sasl''auth_clients = yes
+
relay_domains = *
+
</pre>
+
  
You might want to change various options to suit your needs though.
+
The three restriction options (client, helo, sender) can also be left commented out, since smtpd_recipient_restrictions already handles SASL users.
Setup Postfix as you normally would and start it with :
+
<pre>
+
/etc/rc.d/postfix start
+
</pre>
+
  
or add it to your <code>/etc/rc.conf</code> file so Postfix starts each reboot.
+
Setup Postfix as you normally would and [[Daemons#Starting_manually|start]] it.
 +
If you want to start it at boot time see [[Daemons#Starting_on_boot]].
  
Hopefully you should be able to telnet to your Postfix server with :
+
SASL can use different authentication methods. The default one is PAM (as configured in {{ic|/etc/conf.d/saslauthd}}), but to set it up properly you have to create {{ic|/usr/lib/sasl2/smtpd.conf}}:
  
<pre>
+
{{bc|
telnet localhost 25
+
pwcheck_method: saslauthd
 +
mech_list: plain
 +
log_level: 7
 +
}}
  
You should then type :
+
To read about other authentication methods please refer to http://www.postfix.org/SASL_README.html
  
EHLO test.com
+
To start all the daemons:
 +
 
 +
systemctl start postfix saslauthd
 +
 
 +
Hopefully you should be able to telnet to your Postfix server with:
 +
 
 +
{{ic|telnet localhost 587}}
 +
 
 +
You should then type:
 +
 
 +
{{ic|EHLO test.com}}
  
This is roughly what you should see :
+
This is roughly what you should see:
  
 +
{{bc|
 
Trying 127.0.0.1...
 
Trying 127.0.0.1...
  
Line 68: Line 65:
 
250-ETRN
 
250-ETRN
 
250-AUTH PLAIN OTP DIGEST-MD5 CRAM-MD5
 
250-AUTH PLAIN OTP DIGEST-MD5 CRAM-MD5
250-AUTH=PLAIN OTP DIGEST-MD5 CRAM-MD5
 
 
250 8BITMIME
 
250 8BITMIME
</pre>
+
}}

Revision as of 12:28, 28 May 2013


The postfix package in [extra] is compiled with SASL support:

pacman -S postfix cyrus-sasl

To enable SASL for accepting mail from other users, open the "Message submission" port (TCP 587) in /etc/postfix/master.cf, by uncommenting these lines (which are there by default, just commented):

submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

Note that this also enables SSL, so if you do not have a SSL certificate, keep the "smtpd_tls_security_level" option commented out.

The three restriction options (client, helo, sender) can also be left commented out, since smtpd_recipient_restrictions already handles SASL users.

Setup Postfix as you normally would and start it. If you want to start it at boot time see Daemons#Starting_on_boot.

SASL can use different authentication methods. The default one is PAM (as configured in /etc/conf.d/saslauthd), but to set it up properly you have to create /usr/lib/sasl2/smtpd.conf:

pwcheck_method: saslauthd
mech_list: plain
log_level: 7

To read about other authentication methods please refer to http://www.postfix.org/SASL_README.html

To start all the daemons:

systemctl start postfix saslauthd

Hopefully you should be able to telnet to your Postfix server with:

telnet localhost 587

You should then type:

EHLO test.com

This is roughly what you should see:

Trying 127.0.0.1...

Connected to localhost.localdomain
Escape character is '^]'

220 justin ESMTP Postfix
EHLO test.com
250-justin
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN OTP DIGEST-MD5 CRAM-MD5
250 8BITMIME