Difference between revisions of "PostFix Howto With SASL"

From ArchWiki
(2 intermediate revisions by 2 users not shown)
Line 1: Line 1:
 
[[Category:Mail Server]]
 
[[Category:Mail Server]]
The postfix package in [extra] is compiled with sasl support:
+
 
 +
The {{pkg|postfix}} package in [extra] is compiled with SASL support:
 +
 
 
  pacman -S postfix cyrus-sasl
 
  pacman -S postfix cyrus-sasl
  
An example line for the {{ic|/etc/postfix/main.cf}} file to enable the SASL is below.
+
To enable SASL for accepting mail from other users, open the [http://tools.ietf.org/html/rfc6409 "Message submission"] port (TCP 587) in {{ic|/etc/postfix/master.cf}}, by uncommenting these lines (which are there by default, just commented):
 +
 
 
{{bc|<nowiki>
 
{{bc|<nowiki>
mydestination = $myhostname, localhost.$mydomain, $mydomain
+
submission inet n      -      n      -      -      smtpd
myorigin = $mydomain
+
  -o syslog_name=postfix/submission
smtpd_sasl_auth_enable = yes
+
  -o smtpd_tls_security_level=encrypt
smtpd_sasl_security_options = noanonymous
+
  -o smtpd_sasl_auth_enable=yes
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
+
  -o smtpd_reject_unlisted_recipient=no
smtpd_tls_auth_only = no
+
#  -o smtpd_client_restrictions=$mua_client_restrictions
smtpd_sasl_local_domain = $mydomain
+
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,permit
+
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
broken_sasl_auth_clients = yes
+
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
relay_domains = *</nowiki>
+
  -o milter_macro_daemon_name=ORIGINATING
}}
+
</nowiki>}}
 +
 
 +
Note that this also enables SSL, so if you do not have a SSL certificate, keep the "smtpd_tls_security_level" option commented out.
 +
 
 +
The three restriction options (client, helo, sender) can also be left commented out, since smtpd_recipient_restrictions already handles SASL users.
  
You might want to change various options to suit your needs though.
 
 
Setup Postfix as you normally would and [[Daemons#Starting_manually|start]] it.
 
Setup Postfix as you normally would and [[Daemons#Starting_manually|start]] it.
 
If you want to start it at boot time see [[Daemons#Starting_on_boot]].
 
If you want to start it at boot time see [[Daemons#Starting_on_boot]].
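Review bot: the added note that tells readers without a certificate to keep smtpd_tls_security_level commented out leaves smtpd_sasl_auth_enable=yes active on port 587 with no TLS requirement, so the submission service would accept passwords over a cleartext session. The removed main.cf block at least spelled this out with smtpd_tls_auth_only = no; in the new text it is only implied. Suggest rewording the note so that readers without a certificate leave the whole submission entry commented out, or comment out smtpd_sasl_auth_enable together with the TLS line.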
Line 25: Line 31:
 
{{bc|
 
{{bc|
 
pwcheck_method: saslauthd
 
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
+
mech_list: plain
mech_list: plain login
+
 
log_level: 7
 
log_level: 7
 
}}
 
}}
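Review bot: dropping login from mech_list, together with the removal of broken_sasl_auth_clients = yes in the first hunk, changes which mail clients can authenticate, and nothing in the page text says so. Suggest one sentence next to the smtpd.conf example stating that only PLAIN is offered and that clients limited to LOGIN need it added back. The removed saslauthd_path: /var/run/saslauthd/mux line likewise deserves a word on which socket path is assumed when it is absent, and log_level: 7 could be marked as a debugging value.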
Line 33: Line 38:
  
 
To start all the daemons:
 
To start all the daemons:
{{ic|
 
systemctl start postfix
 
systemctl start saslauthd}}
 
  
Hopefully you should be able to telnet to your Postfix server with :
+
systemctl start postfix saslauthd
 +
 
 +
Hopefully you should be able to telnet to your Postfix server with:
  
{{ic|telnet localhost 25}}
+
{{ic|telnet localhost 587}}
  
You should then type :
+
You should then type:
  
 
{{ic|EHLO test.com}}
 
{{ic|EHLO test.com}}
  
This is roughly what you should see :
+
This is roughly what you should see:
  
 
{{bc|
 
{{bc|
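Review bot: the test step now points at telnet localhost 587, but the first hunk sets smtpd_tls_security_level=encrypt on that port, and with that setting Postfix does not announce AUTH until STARTTLS has completed, so a plain telnet EHLO will not produce the 250-AUTH line the page tells the reader to expect. Suggest replacing the telnet step with a TLS-capable client, for example openssl s_client -starttls smtp -connect localhost:587, and issuing EHLO inside that session.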
Line 61: Line 65:
 
250-ETRN
 
250-ETRN
 
250-AUTH PLAIN OTP DIGEST-MD5 CRAM-MD5
 
250-AUTH PLAIN OTP DIGEST-MD5 CRAM-MD5
250-AUTH<nowiki>=</nowiki>PLAIN OTP DIGEST-MD5 CRAM-MD5
 
 
250 8BITMIME
 
250 8BITMIME
 
}}
 
}}
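Review bot: the sample reply kept here still shows 250-AUTH PLAIN OTP DIGEST-MD5 CRAM-MD5, which no longer matches the mech_list: plain setting introduced in the second hunk, and it contains no 250-STARTTLS line although the submission entry sets smtpd_tls_security_level=encrypt. Removing only the AUTH= line is not enough; suggest regenerating the whole sample from a server configured as the page now describes, so readers can compare their output against it.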

Revision as of 12:28, 28 May 2013


The postfix package in [extra] is compiled with SASL support:

pacman -S postfix cyrus-sasl

To enable SASL for accepting mail from other users, open the "Message submission" port (TCP 587) in /etc/postfix/master.cf, by uncommenting these lines (which are there by default, just commented):

submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

Note that this also enables SSL, so if you do not have an SSL certificate, keep the "smtpd_tls_security_level" option commented out.

The three restriction options (client, helo, sender) can also be left commented out, since smtpd_recipient_restrictions already handles SASL users.
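To check the submission entry before starting Postfix, the following added example (not part of the original page) parses master.cf text and reports when SASL authentication is enabled without mandatory TLS. The function names and the sample text are assumptions made for illustration, and only the -o overrides in master.cf are inspected, not values inherited from main.cf.

```python
import re

# Constructed sample: the submission entry from this page with the TLS line
# left commented out, as the page suggests for hosts without a certificate.
SAMPLE_MASTER_CF = """\
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
"""

OVERRIDE = re.compile(r"-o\s+(\w+)=(\S+)")

def parse_master_cf(text):
    """Return {(service, type): {parameter: value}} for active entries."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                    # blank line or comment
        if not line[0].isspace():       # a new service entry starts in column 0
            fields = line.split()
            current = (services.setdefault((fields[0], fields[1]), {})
                       if len(fields) > 1 else None)
        if current is not None:         # entry line or indented continuation
            current.update(OVERRIDE.findall(line))
    return services

def audit_submission(text):
    """List problems with the submission entry (hypothetical helper)."""
    opts = parse_master_cf(text).get(("submission", "inet"))
    if opts is None:
        return ["submission service is not enabled"]
    findings = []
    if (opts.get("smtpd_sasl_auth_enable") == "yes"
            and opts.get("smtpd_tls_security_level") != "encrypt"):
        findings.append("SASL auth enabled without mandatory TLS")
    if opts.get("smtpd_recipient_restrictions", "").split(",")[-1] != "reject":
        findings.append("recipient restrictions do not end in reject")
    return findings

if __name__ == "__main__":
    for finding in audit_submission(SAMPLE_MASTER_CF):
        print("WARN:", finding)
```

On a live system the text to audit is the content of /etc/postfix/master.cf.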

Set up Postfix as you normally would and start it. If you want to start it at boot time, see Daemons#Starting_on_boot.

SASL can use different authentication methods. The default one is PAM (as configured in /etc/conf.d/saslauthd), but to set it up properly you have to create /usr/lib/sasl2/smtpd.conf:

pwcheck_method: saslauthd
mech_list: plain
log_level: 7

To read about other authentication methods please refer to http://www.postfix.org/SASL_README.html

To start all the daemons:

systemctl start postfix saslauthd

Hopefully you should be able to telnet to your Postfix server with:

telnet localhost 587

You should then type:

EHLO test.com

This is roughly what you should see:

Trying 127.0.0.1...
Connected to localhost.localdomain
Escape character is '^]'

220 justin ESMTP Postfix
EHLO test.com
250-justin
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN OTP DIGEST-MD5 CRAM-MD5
250 8BITMIME
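The EHLO reply can also be checked mechanically against the configuration above. This added example (not part of the original page) parses a captured reply and reports AUTH being offered on a cleartext session, a missing STARTTLS, and mechanisms outside mech_list; the function names are hypothetical, and the caller states whether the reply was captured before or after STARTTLS.

```python
import re

# Sample input: the session transcript shown on this page (captured without TLS).
SAMPLE_EHLO = """\
220 justin ESMTP Postfix
EHLO test.com
250-justin
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN OTP DIGEST-MD5 CRAM-MD5
250 8BITMIME
"""

CAP_LINE = re.compile(r"250[- ]([A-Za-z0-9-]+)[ =]?(.*)$")

def parse_ehlo(reply):
    """Map each ESMTP keyword in the 250 reply to its list of arguments."""
    lines = [l.strip() for l in reply.splitlines() if l.startswith("250")]
    caps = {}
    for line in lines[1:]:              # the first 250 line is the host greeting
        m = CAP_LINE.match(line)
        if m:                           # handles both "AUTH x" and "AUTH=x"
            caps.setdefault(m.group(1).upper(), []).extend(m.group(2).upper().split())
    return caps

def check_session(reply, tls_active, allowed_mechs=("PLAIN",)):
    """Compare a reply with the page's setup (mech_list: plain, TLS required)."""
    caps = parse_ehlo(reply)
    mechs = caps.get("AUTH", [])
    findings = []
    if mechs and not tls_active:
        findings.append("AUTH offered before TLS")
    if not tls_active and "STARTTLS" not in caps:
        findings.append("STARTTLS not offered")
    extra = sorted(set(mechs) - set(allowed_mechs))
    if extra:
        findings.append("mechanisms outside mech_list: " + ", ".join(extra))
    if tls_active and not mechs:
        findings.append("no AUTH after TLS: check saslauthd and smtpd.conf")
    return findings

if __name__ == "__main__":
    for finding in check_session(SAMPLE_EHLO, tls_active=False):
        print("WARN:", finding)
```

With smtpd_tls_security_level=encrypt in effect, a reply captured before STARTTLS should list STARTTLS and no AUTH line, and the reply after STARTTLS should list AUTH PLAIN only.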