- Previous message: Noel Jones: "Re: ASSP security with Postfix?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
|
|
|
From: Kevin Bailey (no email)
Date: Thu May 24 2007 - 09:20:15 EDT
Hi,
I have set up a fresh Debian Etch server to run Postfix and all has been
fine with hosting a domain.
However the users can not send email via the server by default - and I
could not find anywhere which explained easily how to do acheive this.
So after a couple of days reasearch here are my notes. This has been
successfully implemented and works fine.
It is actually quite easy to set this up- once you know how! The notes
here are a bit long bu I've tried to be thorough.
---+++ Setting up SMTP relaying access for users
We want to enable users to be able to send email via the server from any
location. For this we will enable SMTP AUTH - this will enable the
users to use the server to relay mail providing they provide their
username and password.
The server which has an public IP address and is located in a server
farm is set up to handle a single domain and each user has a
corresponding unix account on the server.
Most of the following steps were taken from 'The Book of Postfix' from
No Starch Press.
Postfix can use SASL as an authentication mechanism - and SASL can in
turn use the local accounts to verify credentials.
The basic SASL libraries are installed when Postfix is installed on
Debian Etch - it is necessary to add the libsasl2-modules package to
enble SASL to authenticate using the main methods. Postfix has SASL
support built in by default.
SASL can authenticate as a command line program - but if it is called by
Postfix then SASL will not be able to authenticate against /etc/passwd
because Postfix does not run as root. Therefore we will install
sasl2-bin and this will install the saslauthd daemon which runs as
root. Therefore, Postfix can query the saslauthd daemon which it turn
queries the local account database.
After installing libsasl2-modules and sasl2-bin...
Edited /etc/default/saslauthd and set START=yes.
Then started the daemon with /etc/init.d/sasldauthd restart.
Then followed instructions which came with sasl2-bin in the DEBIAN doc
file. See
# most /usr/share/doc/sasl2-bin/README.Debian
NB - Postfix is installed chrooted by default on Debian Etch - see the
Postfix Debian doc. This means that the following steps need to be taken.
These are the instructions:
<verbatim>
If you run a chrooted server such as Postfix and wish to use saslauthd, you
must place the saslauthd socket ("mux") inside the Postfix chroot. You must
also set correct overrides for the run directory inside the chroot, using
dpkg-statoverride. Finally, you must add the postfix user to the sasl
group.
These steps ensure that the Debian subsystems know how you want things
to be
laid out.
To place the saslauthd socket inside the Postfix chroot, edit
/etc/default/saslauthd and set OPTIONS like this (you may omit -c):
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
To set the run directory using dpkg-statoverride, run this command as root:
dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd
Finally, to add the postfix user to the sasl group:
adduser postfix sasl
The init script will automatically create the run directory with the
permissions you have set using dpkg-statoverride. Please note that you must
also configure Postfix correctly. There are many options related to
SASL. See
the Postfix documentation for how to do this.
</verbatim>
Then restarted saslauthd.
Then tested that authentication is working with
<verbatim>
# testsaslauthd -f /var/spool/postfix/var/run/saslauthd/mux -u username
-p password
</verbatim>
and
<verbatim>
# testsaslauthd -f /var/spool/postfix/var/run/saslauthd/mux -u username
-p badpassword
</verbatim>
The first should be ok and the second should fail.
This shows that SASL is authenticating against a backend (which is
currently set to use PAM). This seems to check against the local user
accounts which is what is required.
Now we need to get Postfix to authenticate SMTP connections against SASL
- more specifically against saslauthd.
The following parameters were added to /etc/postfix/main.cf.
<verbatim>
# Setting up SMTP authentication.
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,
permit_mynetworks, reject_unauth_destination
</verbatim>
The file /etc/postfix/sasl/smtpd.conf needed to be created with the
following contents. This is actually a configuration file for SASL - it
uses small config files specific for the programs using its services.
It also seems to dictate which authentication mechanisms get offered to
the clients by Postfix.
<verbatim>
# Global parameters
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
</verbatim>
The restarted Postfix and saslauthd.
It should now be possible for clients to send email using the server -
they can use TLS if required.
For extra security it is possible to force all users to use TLS when
connecting. This provides an encrypted tunnel for all traffic.
This following addition was made to main.cf to force all client
connections to use TLS.
# Forcing users to use TLS when connecting over SMTP,
smtpd_tls_auth_only = yes
This means that an online server can be set up to receive all email for
a domain - and that the users can use the same credentials to use the
server to send emails.
-- Kevin Bailey IT Consultant Email: Tel: 01752 268923 W: www.freewayprojects.com
|
|
|