Difference between revisions of "PostFix Howto With SASL"

From ArchWiki
(flagged broken section links (interactive))
(Tag: wiki-scripts)
 
(11 intermediate revisions by 6 users not shown)
Line 1: Line 1:
[[Category:Mail Server]]
+
[[Category:Mail server]]
The postfix package in [extra] is compiled with sasl support:
+
[[ja:Postfix と SASL]]
pacman -S postfix cyrus-sasl
+
{{Related articles start}}
 +
{{Related|Postfix}}
 +
{{Related|Dovecot}}
 +
{{Related articles end}}
 +
 
 +
From [http://www.postfix.org/SASL_README.html Postfix's site]:
 +
:''People who go to the trouble of installing Postfix may have the expectation that Postfix is more secure than some other mailers. The Cyrus SASL library contains a lot of code. With this, Postfix becomes as secure as other mail systems that use the Cyrus SASL library. Dovecot provides an alternative that may be worth considering.''
 +
 
 +
== Introduction ==
 +
 
 +
In this article you will learn how to setup SASL authentication for [[Postfix]].
 +
 
 +
Once Postfix is up and running you can add SASL authentication to avoid relaying. Only authenticated and trusted users will be able to send emails. This will avoid anonymous users to make spamming.
 +
 
 +
Since {{pkg|postfix}} package in [extra] is already compiled with SASL support, to enable SASL authentication you have two choices:
 +
* Use {{pkg|cyrus-sasl}} package.
 +
* Or enable your already configured [[Dovecot]] to handle Postfix authentication (as well as its own).
 +
 
 +
== Configuration with cyrus-sasl package ==
 +
 
 +
[[Install]] {{pkg|cyrus-sasl}} from the [[official repositories]].
 +
 
 +
To enable SASL for accepting mail from other users, open the [http://tools.ietf.org/html/rfc6409 "Message submission"] port (TCP 587) in {{ic|/etc/postfix/master.cf}}, by uncommenting these lines (which are there by default, just commented):
  
An example line for the {{ic|/etc/postfix/main.cf}} file to enable the SASL is below.
 
 
{{bc|<nowiki>
 
{{bc|<nowiki>
mydestination = $myhostname, localhost.$mydomain, $mydomain
+
submission inet n      -      n      -      -      smtpd
myorigin = $mydomain
+
  -o syslog_name=postfix/submission
smtpd_sasl_auth_enable = yes
+
  -o smtpd_tls_security_level=encrypt
smtpd_sasl_security_options = noanonymous
+
  -o smtpd_sasl_auth_enable=yes
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
+
  -o smtpd_reject_unlisted_recipient=no
smtpd_tls_auth_only = no
+
#  -o smtpd_client_restrictions=$mua_client_restrictions
smtpd_sasl_local_domain = $mydomain
+
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,permit
+
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
broken_sasl_auth_clients = yes
+
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
relay_domains = *</nowiki>
+
  -o milter_macro_daemon_name=ORIGINATING
}}
+
</nowiki>}}
 +
 
 +
Note that this also enables SSL, so if you do not have a SSL certificate, keep the "smtpd_tls_security_level" option commented out.
 +
 
 +
The three restriction options (client, helo, sender) can also be left commented out, since smtpd_recipient_restrictions already handles SASL users.
  
You might want to change various options to suit your needs though.
+
Setup Postfix as you normally would and [[Daemons#Starting_manually|start]]{{Broken section link}} it.
Setup Postfix as you normally would and [[Daemons#Starting_manually|start]] it.
+
If you want to start it at boot time see [[Daemons#Starting on boot]]{{Broken section link}}.
If you want to start it at boot time see [[Daemons#Starting_on_boot]].
+
  
 
SASL can use different authentication methods. The default one is PAM (as configured in {{ic|/etc/conf.d/saslauthd}}), but to set it up properly you have to create {{ic|/usr/lib/sasl2/smtpd.conf}}:
 
SASL can use different authentication methods. The default one is PAM (as configured in {{ic|/etc/conf.d/saslauthd}}), but to set it up properly you have to create {{ic|/usr/lib/sasl2/smtpd.conf}}:
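Review bot: the added note "if you do not have a SSL certificate, keep the smtpd_tls_security_level option commented out" leaves `-o smtpd_sasl_auth_enable=yes` active on a submission service that then no longer requires TLS, so the PLAIN credentials this page configures travel base64-encoded but otherwise in the clear; recommend telling the reader to configure a certificate (a self-signed one is enough to start) rather than to disable TLS, and write "TLS" rather than "SSL". Dropping the old main.cf example is the right call: its `relay_domains = *` together with `reject_unauth_destination` authorised relaying to every destination, i.e. an open relay. The two `{{Broken section link}}` flags on the `Daemons#...` links remain unresolved; point them at the systemd article.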
Line 25: Line 49:
 
{{bc|
 
{{bc|
 
pwcheck_method: saslauthd
 
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
+
mech_list: plain
mech_list: plain login
+
 
log_level: 7
 
log_level: 7
 
}}
 
}}
  
To read about other authentication methods please refer to http://www.postfix.org/SASL_README.html
+
Now [[restart]] postfix and saslauthd services.
  
To start all the daemons:
+
Hopefully you should be able to telnet to your Postfix server with:
systemctl start postfix
+
systemctl start saslauthd
+
  
Hopefully you should be able to telnet to your Postfix server with :
+
{{ic|telnet localhost 587}}
  
{{ic|telnet localhost 25}}
+
You should then type:
 
+
You should then type :
+
  
 
{{ic|EHLO test.com}}
 
{{ic|EHLO test.com}}
  
This is roughly what you should see :
+
This is roughly what you should see:
  
 
{{bc|
 
{{bc|
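Review bot: `mech_list: plain login` becomes `mech_list: plain`, which silently drops the LOGIN mechanism that the removed `broken_sasl_auth_clients = yes` existed for; either say so or keep `login`, since older Outlook-style clients only speak LOGIN. `log_level: 7` is carried over unchanged, but 7 is SASL_LOG_PASS, the level that traces the authentication exchange including passwords into syslog; mark it as debug-only and suggest lowering it once authentication works. Also worth a sentence next to `pwcheck_method: saslauthd`: saslauthd only verifies a username/password pair, so only the plaintext mechanisms can succeed with it, which matters for the AUTH line shown in the next hunk.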
Line 60: Line 79:
 
250-ETRN
 
250-ETRN
 
250-AUTH PLAIN OTP DIGEST-MD5 CRAM-MD5
 
250-AUTH PLAIN OTP DIGEST-MD5 CRAM-MD5
250-AUTH<nowiki>=</nowiki>PLAIN OTP DIGEST-MD5 CRAM-MD5
 
 
250 8BITMIME
 
250 8BITMIME
 
}}
 
}}
 +
 +
== Configuration with Dovecot ==
 +
 +
If you are using [[Dovecot]] as your IMAP or POP mail server and your users already authenticate (with PAM maybe), then there is no need to configure another package.
 +
 +
Simply edit {{ic|/etc/postfix/master.cf}} and add the following lines under the {{ic|submission}} or {{ic|smtp}} section (depending on what you are using):
 +
 +
{{bc|<nowiki>
 +
  # SASL authentication with dovecot
 +
  -o smtpd_tls_security_level=encrypt
 +
  -o smtpd_sasl_auth_enable=yes
 +
  -o smtpd_sasl_type=dovecot
 +
  -o smtpd_sasl_path=private/auth
 +
  -o smtpd_sasl_security_options=noanonymous
 +
  -o smtpd_sasl_local_domain=$myhostname
 +
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
 +
  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
 +
</nowiki>}}
 +
 +
Using this configuration implies that only authenticated users can send mails. You can see this from {{ic|smtpd_client_restrictions}} option.
 +
 +
Now add the following to Dovecot configuration file in {{ic|/etc/dovecot/dovecot.conf}}:
 +
 +
{{bc|<nowiki>
 +
service auth {
 +
  unix_listener /var/spool/postfix/private/auth {
 +
    group = postfix
 +
    mode = 0660
 +
    user = postfix
 +
  }
 +
  user = root
 +
}
 +
</nowiki>}}
 +
 +
As you can see a unix socket is created in {{ic|/var/spool/postfix/private/auth}}, the same specified in {{ic|smtpd_sasl_path}} option of {{ic|master.cf}}
 +
 +
Finally [[restart]] both postfix and dovecot services.
 +
 +
== See also ==
 +
 +
* [http://www.postfix.org/SASL_README.html Postfix SASL readme] in Postfix official documentation.
 +
 +
* [http://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL SASL authentication with Dovecot] in Dovecot official documentation.
 +
 +
* [http://wiki.centos.org/HowTos/postfix_sasl Centos Howto Postfix SASL]
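Review bot: the EHLO transcript kept here (`250-AUTH PLAIN OTP DIGEST-MD5 CRAM-MD5` with no `250-STARTTLS`) no longer matches the configuration above it: on port 587 with `-o smtpd_tls_security_level=encrypt` a plain `telnet localhost 587` shows `250-STARTTLS` and AUTH is advertised only after STARTTLS, and with `mech_list: plain` and saslauthd only PLAIN is offered; re-capture it with `openssl s_client -starttls smtp -connect localhost:587`. In the new Dovecot section, "under the submission or smtp section (depending on what you are using)" is wrong for `smtp`: `-o smtpd_client_restrictions=permit_sasl_authenticated,reject` on port 25 rejects every remote MTA delivering inbound mail, and mandatory TLS there is what RFC 3207 forbids for a publicly referenced server; limit the instruction to `submission`. `user = root` in `service auth` is not needed for the `unix_listener` (Dovecot 2 defaults the auth process to `$default_internal_user`, and the separate auth-worker that reads /etc/shadow already runs as root) and can be dropped.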

Latest revision as of 10:50, 7 August 2016


From Postfix's site:

People who go to the trouble of installing Postfix may have the expectation that Postfix is more secure than some other mailers. The Cyrus SASL library contains a lot of code. With this, Postfix becomes as secure as other mail systems that use the Cyrus SASL library. Dovecot provides an alternative that may be worth considering.

Introduction

In this article you will learn how to set up SASL authentication for Postfix.

Once Postfix is up and running you can add SASL authentication so that the server is not an open relay: only authenticated (or otherwise trusted) clients are allowed to send mail through it, which stops anonymous clients from using it to send spam.

Since the postfix package in [extra] is already compiled with SASL support, you have two choices for enabling SASL authentication:

  • Use cyrus-sasl package.
  • Or enable your already configured Dovecot to handle Postfix authentication (as well as its own).

Configuration with cyrus-sasl package

Install cyrus-sasl from the official repositories.

To accept mail from your own users with SASL, open the "Message submission" port (TCP 587) in /etc/postfix/master.cf by uncommenting these lines (they are present in the default file, just commented out):

submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

Note that smtpd_tls_security_level=encrypt makes TLS mandatory on this port, so if you do not have a certificate configured yet (smtpd_tls_cert_file and smtpd_tls_key_file in main.cf), keep that line commented out until you do. Be aware of what that means: with mech_list: plain the client sends its password base64-encoded but otherwise in the clear, so anyone on the network path can read it. A self-signed certificate is enough to close that gap and is preferable to running the submission port without TLS.

The three commented restriction options (client, helo, sender) can stay commented out: smtpd_recipient_restrictions=permit_sasl_authenticated,reject already rejects every session that has not authenticated, so nothing unauthenticated gets through the submission port anyway.

Set up Postfix as you normally would, then start postfix.service; enable it as well if you want it started at boot.

SASL can use different authentication back ends. The default is PAM via saslauthd (as configured in /etc/conf.d/saslauthd), but for Postfix to use it you have to create /usr/lib/sasl2/smtpd.conf:

pwcheck_method: saslauthd
mech_list: plain
log_level: 7

Two things to know about this file. saslauthd only verifies a username/password pair, so only the plaintext mechanisms (PLAIN, and LOGIN if you add it to mech_list) can work with it; the challenge-response mechanisms (CRAM-MD5, DIGEST-MD5) need the cleartext password from an auxprop plugin instead. And log_level: 7 is SASL_LOG_PASS, the most verbose level, which traces the authentication exchange including passwords into the log; use it only while debugging and lower it (3, warnings only, is a sensible value) once authentication works.

Now restart the postfix and saslauthd services (and enable saslauthd at boot as well). You can check saslauthd on its own, before involving Postfix, with testsaslauthd -u username -p password.

Hopefully you should be able to telnet to your Postfix server with:

telnet localhost 587

You should then type:

EHLO test.com

This is roughly what you should see. The transcript below was recorded on an earlier, TLS-less setup on port 25; on port 587 with smtpd_tls_security_level=encrypt in place, a plain telnet session shows 250-STARTTLS instead of the AUTH line, because AUTH is only advertised once the session is encrypted (use openssl s_client -starttls smtp -connect localhost:587 to see it), and with mech_list: plain only 250-AUTH PLAIN is listed:

Trying 127.0.0.1...

Connected to localhost.localdomain
Escape character is '^]'

220 justin ESMTP Postfix
EHLO test.com
250-justin
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN OTP DIGEST-MD5 CRAM-MD5
250 8BITMIME
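To test authentication the way a mail client actually performs it, after STARTTLS, the following shell script is an added example (not from the ArchWiki page; it applies unchanged to both the cyrus-sasl and the Dovecot back ends). It builds the SASL PLAIN token by hand, shows how trivially that token decodes, and drives an openssl s_client session against the submission port. It assumes openssl and base64 are installed; the host, port, user and password in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not from the ArchWiki page: test SMTP AUTH on the submission
# port the way a mail client does it, i.e. only after STARTTLS. It applies
# unchanged to the cyrus-sasl and the Dovecot back ends. Assumptions: openssl(1)
# and base64(1) are installed; host, port, user and password are placeholders.

# SASL PLAIN initial response (RFC 4616): base64 of
# <authzid> NUL <authcid> NUL <password>, with an empty authzid.
auth_plain_token() {
    printf '\000%s\000%s' "$1" "$2" | base64 | tr -d '\n'
}

# Pull the username back out of a PLAIN token. This is all an eavesdropper
# has to do to read credentials from an unencrypted session, which is why
# AUTH must only be offered after STARTTLS (the password comes out just as
# easily; it is simply not printed here).
auth_plain_authcid() {
    printf '%s' "$1" | base64 -d | tr '\000' '\n' | sed -n '2p'
}

# Negotiate STARTTLS with openssl, then re-issue EHLO so the AUTH capability
# (hidden before STARTTLS when smtpd_tls_security_level=encrypt) is listed,
# and attempt the login. Prints the AUTH capability line and the server's
# verdict: 235 means authenticated, 535 means rejected.
smtp_auth_check() {    # usage: smtp_auth_check HOST PORT USER PASSWORD
    token=$(auth_plain_token "$3" "$4")
    printf 'EHLO client.example\r\nAUTH PLAIN %s\r\nQUIT\r\n' "$token" |
        openssl s_client -starttls smtp -connect "$1:$2" -quiet 2>/dev/null |
        grep -E '^(250[- ]AUTH|235 |535 )'
}

# Example invocation against a local server (placeholder credentials):
#   smtp_auth_check localhost 587 alice 'correct horse battery staple'
```

A 235 reply means the back end accepted the credentials; a 535 reply with a token you know to be right points at the back end (saslauthd, PAM or the Dovecot passdb), while no 250-AUTH line at all means Postfix is not offering SASL on that service (check with postconf -P submission/inet/smtpd_sasl_auth_enable).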

Configuration with Dovecot

If you are using Dovecot as your IMAP or POP server and your users already authenticate against it (through PAM, for example), there is no need to configure another package: Postfix can hand the SASL exchange to Dovecot's auth service over a Unix socket.

Edit /etc/postfix/master.cf and add the following lines to the submission service. Do not put them on the smtp service (port 25): remote mail servers delivering inbound mail never authenticate, so smtpd_client_restrictions=permit_sasl_authenticated,reject there would reject all of them, and mandatory TLS on a publicly referenced mail server is forbidden by RFC 3207 anyway.

  # SASL authentication with dovecot
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=$myhostname
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject

With this configuration only authenticated users can send mail through the submission port, as the smtpd_client_restrictions line shows: a session that has not authenticated is rejected at the client stage, before it gets to send anything.

Now add the following to the Dovecot configuration in /etc/dovecot/dovecot.conf (or in /etc/dovecot/conf.d/10-master.conf if you use the split configuration layout, where the other service definitions live):

service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  user = root
}

This creates a Unix socket at /var/spool/postfix/private/auth, which is what Postfix resolves smtpd_sasl_path=private/auth to, relative to its queue directory. The user, group and mode settings restrict the socket to the postfix user, which is the right scope: anyone who can talk to that socket can submit authentication attempts to Dovecot. The user = root line sets the user of the auth process itself, not of the socket; Dovecot 2 runs that process as $default_internal_user by default, and it is the separate auth-worker process that reads /etc/shadow as root, so the line can be left out.

Finally restart both postfix and dovecot services.
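The two configuration mistakes this page warns against are the one in the TLS note of the cyrus-sasl section (SASL AUTH enabled on a service that does not require TLS) and the one in the Dovecot section (the auth-only restrictions or mandatory TLS placed on the port-25 smtp service). The following shell script is an added example, not part of the ArchWiki page or of Postfix; it lints the -o overrides in a master.cf for exactly those conditions. It assumes the stock master.cf layout (a service line followed by indented -o name=value lines) and looks only at master.cf overrides, not at main.cf defaults, so a setting that main.cf already provides (say smtpd_tls_auth_only = yes) is invisible to it; the two sample fragments are constructed for the demo.

```shell
#!/bin/sh
# Added example, not taken from the ArchWiki page or from Postfix: a small
# lint for the per-service "-o" overrides in master.cf. It flags SASL AUTH
# offered on a service that does not require TLS (credentials in cleartext)
# and auth-only restrictions or mandatory TLS on the port-25 "smtp" service,
# where remote MTAs never authenticate. Assumption: stock master.cf layout;
# only master.cf overrides are inspected, main.cf defaults are not consulted.

lint_master_cf() {      # usage: lint_master_cf [master.cf]  (stdin if omitted)
    awk '
    function auth_only(list) {
        # Ends in "reject" and never lets an unauthenticated client through.
        return list ~ /permit_sasl_authenticated/ && list ~ /,reject$/ &&
               list !~ /reject_unauth_destination/ && list !~ /permit_mynetworks/
    }
    function flush(   k) {
        if (svc == "") return
        tls = opt["smtpd_tls_security_level"]
        if (opt["smtpd_sasl_auth_enable"] == "yes" && tls != "encrypt" &&
            opt["smtpd_tls_auth_only"] != "yes")
            printf "%s: SASL AUTH offered without mandatory TLS, passwords can cross the wire in cleartext\n", svc
        if (svc == "smtp" && (auth_only(opt["smtpd_client_restrictions"]) ||
                              auth_only(opt["smtpd_recipient_restrictions"])))
            printf "smtp: restrictions admit only SASL-authenticated clients, inbound MTAs on port 25 will be rejected\n"
        if (svc == "smtp" && tls == "encrypt")
            printf "smtp: mandatory TLS on port 25 breaks inbound delivery from MTAs without TLS (RFC 3207)\n"
        for (k in opt) delete opt[k]
        svc = ""
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
    /^[^ \t]/ { flush(); svc = $1; next }        # service definition line
    /^[ \t]+-o[ \t]+[^=]+=/ {                    # "-o name=value" override
        s = $0; sub(/^[ \t]+-o[ \t]+/, "", s)
        eq = index(s, "="); opt[substr(s, 1, eq - 1)] = substr(s, eq + 1)
    }
    END { flush() }
    ' "$@"
}

# Number of findings, for scripting.
lint_count() {
    lint_master_cf "$@" | wc -l | tr -d ' '
}

# Constructed sample: the Dovecot overrides wrongly placed on the port-25
# smtp service, and the submission service with TLS commented out.
sample_bad_master_cf() {
    cat <<'EOF'
smtp       inet  n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
pickup     unix  n       -       n       60      1       pickup
EOF
}

# Constructed sample: port 25 left alone, everything on submission with TLS.
sample_good_master_cf() {
    cat <<'EOF'
smtp       inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
EOF
}

# Demo: three findings for the bad fragment, none for the good one.
sample_bad_master_cf | lint_master_cf
echo "bad: $(sample_bad_master_cf | lint_count) finding(s), good: $(sample_good_master_cf | lint_count) finding(s)"
# To lint the live file: lint_master_cf /etc/postfix/master.cf
```

Because the script only sees master.cf, treat each finding as a prompt to confirm the effective value with postconf -P (for example postconf -P submission/inet/smtpd_tls_security_level) rather than as a verdict on its own.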

See also