Postfix SMTP Authentication

http://linux.about.com/od/ubusrv_doc/a/ubusg29t05.htm
http://www.jimmy.co.at/weblog/?p=52

apt-get install sasl2-bin libsasl2-2 libsasl2-modules

Configure Postfix to do SMTP AUTH using SASL (saslauthd):

postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
postconf -e 'inet_interfaces = all'
echo 'pwcheck_method: saslauthd' > /etc/postfix/sasl/smtpd.conf
echo 'mech_list: plain login' > /etc/postfix/sasl/smtpd.conf

cd ~
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
mv smtpd.key /etc/ssl/private/
mv smtpd.crt /etc/ssl/certs/
mv cakey.pem /etc/ssl/private/
mv cacert.pem /etc/ssl/certs/

postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/ssl/private/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'

/etc/default/saslauthd

START=yes
MECHANISMS="pam"

/etc/postfix/sasl/smtpd.conf

pwcheck_method: saslauthd
mech_list: plain login

/etc/postfix/main.cf

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes

smtpd_recipient_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
reject_unauth_destination

rm -r /var/run/saslauthd/
mkdir -p /var/spool/postfix/var/run/saslauthd
ln -s /var/spool/postfix/var/run/saslauthd /var/run
chgrp sasl /var/spool/postfix/var/run/saslauthd
adduser postfix sasl

/etc/init.d/postfix restart
/etc/init.d/saslauthd start

Finally we test it using telnet. We need perl to generate the string for the SASL authentication:
perl -MMIME::Base64 -e 'print encode_base64("username\0username\0password");'
e.g.
perl -MMIME::Base64 -e 'print encode_base64("jimmy\0jimmy\0real-secret");'
amltbXkAamltbXkAcmVhbC1zZWNyZXQ=

jimmy@reptile:~$ telnet jimmy.co.at 25
Trying 80.237.145.96...
Connected to jimmy.co.at.
Escape character is '^]'.
220 kitana.jimmy.co.at ESMTP Mailserver
ehlo reptile.g-tec.co.at
250-kitana.jimmy.co.at
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-AUTH=NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250 8BITMIME
AUTH PLAIN amltbXkAamltbXkAcmVhbC1zZWNyZXQ=
235 Authentication successful

Or you can test SASL authentication using this command:

testsaslauthd -u username -p password

Print Friendly, PDF & Email