Difference between revisions of "Postfix with SASL"

From ArchWiki
Jump to: navigation, search
m
(10 intermediate revisions by 8 users not shown)
Line 1: Line 1:
[[Category:Networking (English)]]
+
[[Category:Mail Server]]
[[Category:HOWTOs (English)]]
+
The postfix package in [extra] is compiled with sasl support:
+
pacman -Sy postfix
+
  
An example line for the <code>/etc/postfix/main.cf</code> file to enable the SASL is below.
+
The {{pkg|postfix}} package in [extra] is compiled with SASL support:
<pre>
+
mydestination = $myhostname, localhost.$mydomain, $mydomain
+
myorigin = $mydomain
+
smtpd_sasl_auth_enable = yes
+
smtpd_sasl_security_options = noanonymous
+
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
+
smtpd_tls_auth_only = no
+
smtpd_sasl_local_domain = $mydomain
+
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,permit
+
broken_sasl_auth_clients = yes
+
relay_domains = *
+
</pre>
+
  
You might want to change various options to suit your needs though.
+
pacman -S postfix cyrus-sasl
Setup Postfix as you normally would and start it with :
+
<pre>
+
/etc/rc.d/postfix start
+
</pre>
+
  
or add it to your <code>/etc/rc.conf</code> file so Postfix starts each reboot.
+
To enable SASL for accepting mail from other users, open the [http://tools.ietf.org/html/rfc6409 "Message submission"] port (TCP 587) in {{ic|/etc/postfix/master.cf}}, by uncommenting these lines (which are there by default, just commented):
  
SASL can use different authentication methods. The default one is PAM (as configured in <code>/etc/conf.d/saslauthd</code>), but to set it up properly you have to create <code>/usr/lib/sasl2/smtpd.conf</code>:
+
{{bc|<nowiki>
 +
submission inet n      -      n      -      -      smtpd
 +
  -o syslog_name=postfix/submission
 +
  -o smtpd_tls_security_level=encrypt
 +
  -o smtpd_sasl_auth_enable=yes
 +
  -o smtpd_reject_unlisted_recipient=no
 +
#  -o smtpd_client_restrictions=$mua_client_restrictions
 +
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
 +
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
 +
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
 +
  -o milter_macro_daemon_name=ORIGINATING
 +
</nowiki>}}
  
<pre>
+
Note that this also enables SSL, so if you do not have a SSL certificate, keep the "smtpd_tls_security_level" option commented out.
 +
 
 +
The three restriction options (client, helo, sender) can also be left commented out, since smtpd_recipient_restrictions already handles SASL users.
 +
 
 +
Setup Postfix as you normally would and [[Daemons#Starting_manually|start]] it.
 +
If you want to start it at boot time see [[Daemons#Starting_on_boot]].
 +
 
 +
SASL can use different authentication methods. The default one is PAM (as configured in {{ic|/etc/conf.d/saslauthd}}), but to set it up properly you have to create {{ic|/usr/lib/sasl2/smtpd.conf}}:
 +
 
 +
{{bc|
 
pwcheck_method: saslauthd
 
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
+
mech_list: plain
mech_list: plain login
+
 
log_level: 7
 
log_level: 7
</pre>
+
}}
  
 
To read about other authentication methods please refer to http://www.postfix.org/SASL_README.html
 
To read about other authentication methods please refer to http://www.postfix.org/SASL_README.html
  
Hopefully you should be able to telnet to your Postfix server with :
+
To start all the daemons:
  
<pre>
+
systemctl start postfix saslauthd
telnet localhost 25
+
  
You should then type :
+
Hopefully you should be able to telnet to your Postfix server with:
  
EHLO test.com
+
{{ic|telnet localhost 587}}
 +
 
 +
You should then type:
 +
 
 +
{{ic|EHLO test.com}}
  
This is roughly what you should see :
+
This is roughly what you should see:
  
 +
{{bc|
 
Trying 127.0.0.1...
 
Trying 127.0.0.1...
  
Line 61: Line 65:
 
250-ETRN
 
250-ETRN
 
250-AUTH PLAIN OTP DIGEST-MD5 CRAM-MD5
 
250-AUTH PLAIN OTP DIGEST-MD5 CRAM-MD5
250-AUTH=PLAIN OTP DIGEST-MD5 CRAM-MD5
 
 
250 8BITMIME
 
250 8BITMIME
</pre>
+
}}

Revision as of 12:28, 28 May 2013


The postfix package in [extra] is compiled with SASL support:

pacman -S postfix cyrus-sasl

To enable SASL for accepting mail from other users, open the "Message submission" port (TCP 587) in /etc/postfix/master.cf, by uncommenting these lines (which are there by default, just commented):

submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

Note that this also enables SSL, so if you do not have a SSL certificate, keep the "smtpd_tls_security_level" option commented out.

The three restriction options (client, helo, sender) can also be left commented out, since smtpd_recipient_restrictions already handles SASL users.

Setup Postfix as you normally would and start it. If you want to start it at boot time see Daemons#Starting_on_boot.

SASL can use different authentication methods. The default one is PAM (as configured in /etc/conf.d/saslauthd), but to set it up properly you have to create /usr/lib/sasl2/smtpd.conf:

pwcheck_method: saslauthd
mech_list: plain
log_level: 7

To read about other authentication methods please refer to http://www.postfix.org/SASL_README.html

To start all the daemons:

systemctl start postfix saslauthd

Hopefully you should be able to telnet to your Postfix server with:

telnet localhost 587

You should then type:

EHLO test.com

This is roughly what you should see:

Trying 127.0.0.1...

Connected to localhost.localdomain
Escape character is '^]'

220 justin ESMTP Postfix
EHLO test.com
250-justin
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN OTP DIGEST-MD5 CRAM-MD5
250 8BITMIME