Monday, September 15, 2003

Howto get Postfix and Sasl to play nice on Mandrake 9.1 

Okay, so setting up postfix and sasl to do smtp authentication on mandrake 9.1 was a tad harder than I expected. Mandrake 9.1 ships with a version of postfix that has sasl and tls support compiled in, which is a great start, but they kinda leave you hanging. I couldn't find any good howtos. There was a howto for mandrake 8.x and a more generic howto, but neither quite covered the file layout that is used in 9.1. Maybe there are docs buried somewhere and I am guilty of breaking the rtfm rule, but here is my mini howto:

Start by making sure you have the right rpms:

I made the same mistake that apparently a lot of people have been making, which is not installing the libsasl7-plug-* rpms. This results in the error:

fatal: no SASL authentication mechanisms

in /var/log/mail/errors and

Sep 15 14:07:56 xxxx postfix/master[xxxx]: warning: process /usr/lib/postfix/smtpd pid xxxx exit status 1
Sep 15 14:07:56 xxxx postfix/master[xxxx]: warning: /usr/lib/postfix/smtpd: bad command startup -- throttling

in /var/log/mail/warnings. The plug rpms provide the mechanisms that it's complaining so loudly about.

Once the rpms are installed, edit /etc/postfix/main.cf and add:

smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = mail.xxx.com
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_relay_domains
smtpd_sasl_security_options = noanonymous

Make sure the above lines don't wrap (there should only be four lines, each starting with smtpd).

Now comes decision time. You can either use sasldb (which is a separate user database from passwd/shadow) or you can use saslauthd (which uses pam to check unix passwords against passwd/shadow). I chose to use sasldb for several reasons: 1) saslauthd only lets you use the PLAIN authentication method, which means you are shooting your password in plaintext across the net. Granted, you should also be using ssl (TLS), but you can't count on your users being smart enough to do that. sasldb lets you use MD5 challenge-response mechanisms, which are much safer imho; 2) I don't want just any user on the system to be able to send mail through my server remotely (call me a control freak? or maybe I just know that there are a lot of dusty accounts on the system).

So I'm only going to give directions for sasldb here. Saslauthd isn't that much harder, but it can get tricky if you are set up to chroot jail your postfix (which you really should be doing, and I think that's the default installation in 9.1). Saslauthd uses /var/lib/sasl/mux to talk to clients (like postfix). With a chroot jail, postfix can't access things outside of /var/spool/postfix. So you see the problem. (Hint: set up saslauthd to put its socket file under /var/spool/postfix, duh.)

Next step is to tell postfix what to authenticate against. Edit /usr/lib/sasl/smtpd.conf (it might not exist) and add:

pwcheck_method: sasldb

Now it's time to create your sasldb. Type:

saslpasswd -c username

It should prompt you for a password and create /etc/sasldb. It might complain about "saslpasswd: generic failure". Running it a second time seemed to clear it right up for me. Now, since we are running postfix chroot jailed, you need to copy/move /etc/sasldb to /var/spool/postfix/etc/sasldb. Since I am only using sasl for postfix, I just:

mv /etc/sasldb /var/spool/postfix/etc/sasldb
ln -s /var/spool/postfix/etc/sasldb /etc/sasldb

Now, we need to make sure postfix can read the db. You can either do:

chmod 644 /var/spool/postfix/etc/sasldb

or

chown postfix.postfix /var/spool/postfix/etc/sasldb

If you are only going to be using sasl for postfix then I would go for the second option. Not sure the first option is a terribly great idea, since a world-readable sasldb lets every local account read the stored secrets.

Next, double check your realm:

sasldblistusers

should spit out:

user: xxxx realm: mail.xxx.com mech: PLAIN
user: xxxx realm: mail.xxx.com mech: DIGEST-MD5
user: xxxx realm: mail.xxx.com mech: CRAM-MD5

Make sure that mail.xxx.com matches the smtpd_sasl_local_domain = mail.xxx.com line that you put in /etc/postfix/main.cf.

That should do it. Just restart postfix:

/etc/rc.d/init.d/postfix check
/etc/rc.d/init.d/postfix restart

To check to make sure it's installed correctly:

telnet yourmailserver 25

then type

ehlo postfix

it should respond with a series of lines that start with 250. You should have one that looks like:

250-AUTH CRAM-MD5 DIGEST-MD5 PLAIN

depending on the libsasl7-plug-* rpms that you installed earlier.
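To save retyping the realm and EHLO checks above, here is an added shell script (not part of the original post) that runs them against constructed sample files instead of a live server; the temp file names, the users alice and bob and the stale realm are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: offline sanity checks for the
# sasldb setup above, run against constructed sample files (no live server).

# Print the smtpd_sasl_local_domain value from a main.cf-style file.
sasl_local_domain() {
    sed -n 's/^[[:space:]]*smtpd_sasl_local_domain[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# Count sasldblistusers lines whose realm is not the expected one (argument 1).
# Entries created before smtpd_sasl_local_domain was set carry the old realm
# and will not match logins against the domain Postfix now uses.
realm_mismatches() {
    awk -v want="$1" '$1 == "user:" && $3 == "realm:" && $4 != want { n++ } END { print n + 0 }' "$2"
}

# Print the mechanisms from the "250-AUTH ..." line of a saved EHLO response;
# prints nothing when the server is not offering SASL at all.
ehlo_auth_mechs() {
    sed -n 's/^250[- ]AUTH[[:space:]]*//p' "$1" | head -n 1
}

tmp=$(mktemp -d)
# Constructed main.cf fragment (the four lines from the howto).
cat > "$tmp/main.cf" <<'EOF'
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = mail.xxx.com
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_relay_domains
smtpd_sasl_security_options = noanonymous
EOF
# Constructed sasldblistusers output: bob was added under a stale realm.
cat > "$tmp/users.txt" <<'EOF'
user: alice realm: mail.xxx.com mech: PLAIN
user: alice realm: mail.xxx.com mech: DIGEST-MD5
user: alice realm: mail.xxx.com mech: CRAM-MD5
user: bob realm: localhost.localdomain mech: PLAIN
EOF
# Constructed EHLO response as seen over telnet.
cat > "$tmp/ehlo.txt" <<'EOF'
250-mail.xxx.com
250-PIPELINING
250-AUTH CRAM-MD5 DIGEST-MD5 PLAIN
250 8BITMIME
EOF
realm=$(sasl_local_domain "$tmp/main.cf")
echo "main.cf realm:        $realm"
echo "stale-realm entries:  $(realm_mismatches "$realm" "$tmp/users.txt")"
echo "advertised AUTH:      $(ehlo_auth_mechs "$tmp/ehlo.txt")"
```

On a real box, replace the constructed files with your /etc/postfix/main.cf, the output of sasldblistusers, and a saved copy of the telnet session.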

Enjoy!
