
SASL TLS

GENERAL NOTES:
This document is intended for people who want to set up Postfix using SASL2 authentication and TLS encryption. It can also be used for one or the other by skipping to the section labeled with the appropriate software heading.

IMPORTANT NOTES:
Use these instructions at your own risk.
Never test things out in a production environment!

All of these instructions are based upon OpenBSD 3.2 with the default ports tree. OpenBSD comes with OpenSSL already installed, so if you are using a distribution or flavor of unix that doesn’t have OpenSSL, that should probably be your first package to install.

The OpenBSD 3.2 ports tree has cyrus-sasl-2.1.7 available to install by default. A simple make ; make install from the proper directory will take care of that for you.

The OpenBSD ports tree keeps up with Postfix current and snapshot quite well. The options that you want to enable are snapshot,tls,sasl2. If you want to use ldap, pcre, or other options, just take a look in the Makefile and enable what you want.

The package that will be used for the purposes of this guide is:
postfix-1.1.11-20020917.tls0.8.11a-sasl2-sasl2-tls, which was created with the options snapshot,tls,sasl2 in the Makefile. Note that a later revision of the ports tree may have updated versions; this implementation was specifically using 20020917. Note: These instructions have been tested with the Postfix snapshots 20030424 and 20030717 without any problems.

SASL2 DETAILS:
First, make sure that SASL2 is installed properly and to your liking. In the sample configuration, the files were located in /usr/local/lib/sasl2, and /usr/lib/sasl2 was symbolically linked to it. Only the mechanism libraries actually wanted on the system were left in that directory; the rest were backed up to /usr/local/lib/sasl2_backup.

The libraries left in the directory on the test system were as follows:

libcrammd5
libdigestmd5
liblogin
libplain
libsasldb

Note that for this implementation of Postfix, we are only going to use liblogin and libplain, because an SSL/TLS tunnel will protect the clear-text logins. The libsasldb library would be useful if you are going to keep your usernames and passwords in a separate file. The MD5 libraries are good for authenticating a session that is not protected by encryption.

You will have to create a file in /usr/local/lib/sasl2 called smtpd.conf. This file should have permissions of 0644, and its contents should be as follows:

# This sets smtpd to authenticate using the saslauthd daemon.
pwcheck_method:saslauthd
# This allows only plain and login as the authentication mechanisms.
mech_list: plain login

Now that the (standalone) SASL2 configuration is complete, the saslauthd daemon has to be started. In OpenBSD, the /etc/rc.local file is the best place to do this. Add an entry to rc.local similar to the following:

# SASL2 Authentication Daemon
# This configuration sets saslauthd to use the system password file.
if [ -x /usr/local/sbin/saslauthd ]; then
        /usr/local/sbin/saslauthd -a getpwent
fi

Now that SASL2 is ready to be used, Postfix needs a few simple configuration additions and changes to instruct it to use the new authentication system.

The file /etc/postfix/master.cf controls the settings for the smtpd daemon. In order to get this working (without making more changes), you will have to configure smtpd not to chroot. Once you have confirmed that SASL is working without a chroot, re-enable the chroot and get it working in that more secure configuration.

service   type  private unpriv  chroot  wakeup  maxproc command
smtp      inet  n       n       n       -       -       smtpd

Note that it is a VERY BAD idea to unchroot a process that can run chrooted unless it is absolutely necessary! In order to run smtpd chrooted, you will have to copy a series of files to the chrooted jail. This will include all of the relevant authentication files, and anything else that you add / modify that will cause Postfix to require a file outside the chrooted jail.

The file /etc/postfix/main.cf has to have a few additions in order to instruct it to use SASL2:

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes

Note: As per discussions on the Postfix users mailing list, there is a known issue with the Postfix 20020917 snapshot and SASL2 where the smtpd_sasl_local_domain option must be left empty (null), otherwise SASL2 will not authenticate.

If you want to allow authenticated users to relay mail, then you will also have to add smtpd_recipient_restrictions = permit_sasl_authenticated to main.cf. The smtpd restrictions entry should be a lot longer and contain more restrictions, as in the following example (continuation lines in main.cf must begin with whitespace):

smtpd_recipient_restrictions =
        permit_mynetworks,
        check_recipient_access hash:/etc/postfix/maps/access,
        reject_maps_rbl,
        reject_unknown_sender_domain,
        reject_unauth_pipelining,
        reject_unknown_recipient_domain,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_non_fqdn_hostname,
        permit_sasl_authenticated,
        check_relay_domains

Note that the entry for reject_maps_rbl should probably be in an earlier restrictions list, and as such would be redundant here. Also, the entry reject_non_fqdn_hostname will probably cause a lot of problems, as hosts are not always (or even often) configured with a fully qualified domain name.

For a more complete example of main.cf please see http://www.posluns.com/files/main.cf

TLS DETAILS:
One VERY important thing to consider is that users will now be authenticating in clear text. If you are going to implement TLS (encryption) within Postfix, then you should add the following to your main.cf:

# This will only allow authentication of users once TLS has been
# started and information being transferred is encrypted.
smtpd_tls_auth_only = yes

In order to use TLS, your server must have a certificate in PEM format. Unless you are going to a certificate authority (which you have to pay), you will have to create a certificate on your own. The easiest type to use is a self-signed .pem file, which can be created using OpenSSL.

Note: A good set of instructions for making certificates can be found at http://www.eclectica.ca/howto/ssl-cert-howto.php.

Note: Another useful method for creating a self-signed .pem file is to use the mkimapdcert program that comes with courier-imap. This program creates a self-signed certificate called imapd.pem. All you need to do is rename it to smtpd.pem, move it to /etc/postfix/ssl, and chmod it to 400.
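Because the same smtpd.pem is named as key file, certificate file and CA file in the settings that follow, it has to contain both a private key block and a certificate block, and, as the chmod 400 above implies, it must not be readable by group or other. The following Python script is an added example, not part of the original guide or of Postfix, that checks both points on a file. The PEM it writes is constructed placeholder text (dummy base64, not real key or certificate material), and the function names are the example's own.

```python
import os
import re
import stat
import tempfile

# Constructed placeholder PEM: the base64 bodies are dummy text, not real key
# or certificate material.  A real smtpd.pem built as the guide describes has
# the same two-block layout.
SAMPLE_PEM = """\
-----BEGIN RSA PRIVATE KEY-----
UExBQ0VIT0xERVIgS0VZIEJPRFk=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgQ0VSVCBCT0RZ
-----END CERTIFICATE-----
"""

# One PEM block: a BEGIN label, body lines, and the matching END label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(?:.*?\n)-----END \1-----", re.S)


def pem_labels(text):
    """Return the labels of the PEM blocks found in text, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_smtpd_pem(path):
    """Return a list of findings for a file used as smtpd_tls_key_file,
    smtpd_tls_cert_file and smtpd_tls_CAfile at once; an empty list means OK."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append("mode %04o: private key is readable by group or other" % mode)
    with open(path) as fh:
        labels = pem_labels(fh.read())
    if not any(label.endswith("PRIVATE KEY") for label in labels):
        findings.append("no PRIVATE KEY block: smtpd_tls_key_file would not load")
    if "CERTIFICATE" not in labels:
        findings.append("no CERTIFICATE block: smtpd_tls_cert_file would not load")
    return findings


def make_sample_pem(mode, text=SAMPLE_PEM):
    """Write the constructed sample to a temporary file with the given mode
    and return its path, so check_smtpd_pem can be exercised offline."""
    fd, path = tempfile.mkstemp(suffix=".pem")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for mode in (0o400, 0o644):
        print("%04o:" % mode, check_smtpd_pem(make_sample_pem(mode)) or ["ok"])
```

Run it against the real file with check_smtpd_pem("/etc/postfix/ssl/smtpd.pem") after the certificate has been installed; a clean result only means the layout and permissions are right, not that the certificate itself is valid.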

In order to use your certificate, you will need to make the following additions to main.cf:

smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.pem
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.pem
smtpd_tls_CAfile = /etc/postfix/ssl/smtpd.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
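To tie the main.cf and smtpd.conf settings in this guide together, here is an added Python example (not from the original guide and not Postfix's own code) that parses both files, honouring Postfix's rule that a line beginning with whitespace continues the previous parameter, and reports the pitfalls described above: anonymous SASL allowed, a non-empty smtpd_sasl_local_domain, plain/login offered without smtpd_tls_auth_only, TLS-only authentication with TLS itself switched off, a recipient restriction list with no relay control or with an unconditional permit ahead of it, and the troublesome reject_non_fqdn_hostname. The sample configuration strings are constructed from the fragments in this guide, the function names are the example's own, and reject_unauth_destination is accepted alongside check_relay_domains because later Postfix releases use it as the relay control.

```python
# Constructed sample main.cf, assembled from the fragments in this guide.
MAIN_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
smtpd_tls_auth_only = yes
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.pem
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.pem
smtpd_recipient_restrictions =
    permit_mynetworks,
    check_recipient_access hash:/etc/postfix/maps/access,
    reject_unknown_sender_domain,
    reject_unauth_pipelining,
    reject_non_fqdn_hostname,
    permit_sasl_authenticated,
    check_relay_domains
"""

# Constructed sample /usr/local/lib/sasl2/smtpd.conf, as in this guide.
SMTPD_CONF = """\
pwcheck_method:saslauthd
mech_list: plain login
"""

# Restrictions that stop relaying for clients not permitted earlier in the list.
RELAY_CONTROLS = ("check_relay_domains", "reject_unauth_destination")
CLEARTEXT_MECHS = ("plain", "login")


def parse_main_cf(text):
    """Parse 'name = value' lines; a line starting with whitespace continues
    the previous parameter's value (Postfix's main.cf folding rule)."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if current is None:
                raise ValueError("continuation line before any parameter: %r" % raw)
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            raise ValueError("malformed main.cf line: %r" % raw)
        current = name.strip()
        params[current] = value.strip()
    return params


def parse_sasl_conf(text):
    """Parse the 'option: value' lines of a Cyrus SASL smtpd.conf."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            name, _, value = line.partition(":")
            opts[name.strip()] = value.strip()
    return opts


def restriction_names(value):
    """Ordered restriction names from a comma-separated list; a
    check_*_access entry carries its lookup table after a space."""
    return [entry.split()[0] for entry in value.split(",") if entry.strip()]


def audit(main_cf_text, smtpd_conf_text):
    """Return the list of findings; an empty list means the guide's pitfalls are avoided."""
    p = parse_main_cf(main_cf_text)
    mechs = parse_sasl_conf(smtpd_conf_text).get("mech_list", "").split()
    findings = []
    if p.get("smtpd_sasl_auth_enable") != "yes":
        findings.append("smtpd_sasl_auth_enable is not yes: SASL is off")
    if "noanonymous" not in p.get("smtpd_sasl_security_options", "").split():
        findings.append("smtpd_sasl_security_options lacks noanonymous")
    if p.get("smtpd_sasl_local_domain"):
        findings.append("smtpd_sasl_local_domain must be empty with this Postfix/SASL2 combination")
    cleartext = [m for m in mechs if m in CLEARTEXT_MECHS]
    if cleartext and p.get("smtpd_tls_auth_only") != "yes":
        findings.append("mechanisms %s send passwords in clear text but smtpd_tls_auth_only is not yes"
                        % " ".join(cleartext))
    if p.get("smtpd_tls_auth_only") == "yes" and p.get("smtpd_use_tls") != "yes":
        findings.append("smtpd_tls_auth_only = yes but smtpd_use_tls is not yes: nobody can authenticate")
    if p.get("smtpd_use_tls") == "yes" and not (p.get("smtpd_tls_key_file") and p.get("smtpd_tls_cert_file")):
        findings.append("smtpd_use_tls = yes without smtpd_tls_key_file/smtpd_tls_cert_file")
    rules = restriction_names(p.get("smtpd_recipient_restrictions", ""))
    if "permit_sasl_authenticated" not in rules:
        findings.append("permit_sasl_authenticated missing: authenticated users cannot relay")
    control = next((i for i, r in enumerate(rules) if r in RELAY_CONTROLS), None)
    if control is None:
        findings.append("open relay risk: no relay control (%s) in smtpd_recipient_restrictions"
                        % "/".join(RELAY_CONTROLS))
    elif "permit" in rules[:control]:
        findings.append("open relay risk: unconditional permit precedes the relay control")
    if "reject_non_fqdn_hostname" in rules:
        findings.append("reject_non_fqdn_hostname rejects the many clients that do not HELO with a FQDN")
    return findings


if __name__ == "__main__":
    for line in audit(MAIN_CF, SMTPD_CONF) or ["no findings"]:
        print(line)
```

On the sample above the only finding is the reject_non_fqdn_hostname warning, which matches the caveat given with the restrictions list. To audit a live system, read /etc/postfix/main.cf and /usr/local/lib/sasl2/smtpd.conf into the two arguments; the relay check deliberately looks at order, not just presence, because a bare permit placed before the relay control opens the server to everyone.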

FINAL DETAILS:
Restart Postfix once all of the above configuration has been completed, and you should now have a SASL2-authenticated, TLS-enabled Postfix server.

A Belarusian translation has been provided by Patric Conrad at http://ucallweconn.net/be/postfix-sasltls-be.
