From: mohamed.zabiulla on 21 Jul 2007 01:24

Dear All,

I am using Dovecot + Postfix + webmin for my mail server.
I have implemented SMTP auth

mail:~ # telnet mail.ofinetblr.com 25
Trying 10.0.0.93...
Connected to mail.ofinetblr.com.
Escape character is '^]'.
220 mail.ofinetblr.com ESMTP Postfix
EHLO mail.ofinetblr.com
250-mail.ofinetblr.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME
auth login
334 VXNlcm5hbWU6
421 mail.ofinetblr.com Error: timeout exceeded
Connection closed by foreign host.
mail:~ # telnet mail.ofinetblr.com 25
Trying 10.0.0.93...
Connected to mail.ofinetblr.com.
Escape character is '^]'.
220 mail.ofinetblr.com ESMTP Postfix
EHLO mail.ofinetblr.com
250-mail.ofinetblr.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME
auth login
334 VXNlcm5hbWU6
bW9oYW1lZC56YWJpdWxsYQ==
334 UGFzc3dvcmQ6
bW9oYW1lZA==
235 Authentication successful

The issue is that without using auth login, the user is able to send mail.
The authentication test is successful.
I WANT TO FORCE THE USER TO LOGIN ONLY IF HE IS AUTHENTICATED
whereas the user is able to send mails with and without authentication

Is there anyone that can help me..???

Thanks in advance

Regards,
zabi

From: kevin bailey on 21 Jul 2007 08:27

mohamed.zabiulla(a)gmail.com wrote:

> Dear All,
>
> I am using Dovecot + Postfix + webmin for my mail server.
> I have implemented SMTP auth
>
> mail:~ # telnet mail.ofinetblr.com 25
> Trying 10.0.0.93...
> Connected to mail.ofinetblr.com.
> Escape character is '^]'.
> 220 mail.ofinetblr.com ESMTP Postfix
> EHLO mail.ofinetblr.com
> 250-mail.ofinetblr.com
> 250-PIPELINING
> 250-SIZE 10240000
> 250-ETRN
> 250-AUTH PLAIN LOGIN
> 250-AUTH=PLAIN LOGIN
> 250 8BITMIME
> auth login
> 334 VXNlcm5hbWU6
> 421 mail.ofinetblr.com Error: timeout exceeded
> Connection closed by foreign host.
> mail:~ # telnet mail.ofinetblr.com 25
> Trying 10.0.0.93...
> Connected to mail.ofinetblr.com.
> Escape character is '^]'.
> 220 mail.ofinetblr.com ESMTP Postfix
> EHLO mail.ofinetblr.com
> 250-mail.ofinetblr.com
> 250-PIPELINING
> 250-SIZE 10240000
> 250-ETRN
> 250-AUTH PLAIN LOGIN
> 250-AUTH=PLAIN LOGIN
> 250 8BITMIME
> auth login
> 334 VXNlcm5hbWU6
> bW9oYW1lZC56YWJpdWxsYQ==
> 334 UGFzc3dvcmQ6
> bW9oYW1lZA==
> 235 Authentication successful
>
> The issue is that without using auth login, the user is able to send
> mail.
> The authentication test is successful.
> I WANT TO FORCE THE USER TO LOGIN ONLY IF HE IS AUTHENTICATED
> whereas the user is able to send mails with and without authentication
>
> Is there anyone that can help me..???
>
> Thanks in advance
>
> Regards,
> zabi

Hi,

Not sure if it will help but I've pasted on my notes from setting up SASL AUTH on a Debian Etch box.

Setting up authenticated SMTP access

We want to enable users to be able to send email via the server from any location. For this we will enable SMTP AUTH - this will enable the users to use the server to relay mail providing they provide their username and password.

Most of the following steps were taken from 'The Book of Postfix' from No Starch Press.

Postfix can use SASL as an authentication mechanism - and SASL can in turn use the local accounts to verify credentials.

The basic SASL libraries are installed when Postfix is installed on Debian Etch - it is necessary to add the libsasl2-modules package to enable SASL to authenticate using the main methods. Postfix has SASL support built in by default.

SASL can authenticate as a command line program - but if it is called by Postfix then SASL will not be able to authenticate against /etc/passwd because Postfix does not run as root. Therefore we will install sasl2-bin and this will install the saslauthd daemon which runs as root. Therefore, Postfix can query the saslauthd daemon which in turn queries the local account database.

After installing libsasl2-modules and sasl2-bin...

Edited /etc/default/saslauthd and set START=yes.

Then started the daemon with /etc/init.d/saslauthd restart.

Then followed instructions which came with sasl2-bin in the DEBIAN doc file. See

# most /usr/share/doc/sasl2-bin/README.Debian

NB - Postfix is installed chrooted by default on Debian Etch - see the Postfix Debian doc. This means that the following steps need to be taken.

These are the instructions:

If you run a chrooted server such as Postfix and wish to use saslauthd, you must place the saslauthd socket ("mux") inside the Postfix chroot. You must also set correct overrides for the run directory inside the chroot, using dpkg-statoverride. Finally, you must add the postfix user to the sasl group. These steps ensure that the Debian subsystems know how you want things to be laid out.

To place the saslauthd socket inside the Postfix chroot, edit /etc/default/saslauthd and set OPTIONS like this (you may omit -c):

    OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

To set the run directory using dpkg-statoverride, run this command as root:

    dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd

Finally, to add the postfix user to the sasl group:

    adduser postfix sasl

The init script will automatically create the run directory with the permissions you have set using dpkg-statoverride.

Please note that you must also configure Postfix correctly. There are many options related to SASL. See the Postfix documentation for how to do this.

Then restarted saslauthd - this seemed to take a while to restart but eventually gets restarted.

Then tested that authentication is working with

# testsaslauthd -f /var/spool/postfix/var/run/saslauthd/mux -u username -p password

and

# testsaslauthd -f /var/spool/postfix/var/run/saslauthd/mux -u username -p badpassword

The first should be ok and the second should fail.

This shows that SASL is authenticating against a backend (which is currently set to use PAM). This seems to check against the local user accounts which is what is required.

Now we need to get Postfix to authenticate SMTP connections against SASL - more specifically against saslauthd.

The following parameters were added to /etc/postfix/main.cf.

    # Setting up SMTP authentication.
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    broken_sasl_auth_clients = yes
    smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination

The file /etc/postfix/sasl/smtpd.conf needed to be created with the following contents. This is actually a configuration file for SASL - it uses small config files specific for the programs using its services. It also seems to dictate which authentication mechanisms get offered to the clients by Postfix.

    # Global parameters
    pwcheck_method: saslauthd
    mech_list: PLAIN LOGIN

Then restarted Postfix and saslauthd.

It should now be possible for clients to send email using the server - they can use TLS if required. For extra security it is possible to force all users to use TLS when connecting. This provides an encrypted tunnel for all traffic.

This means that the users can use their email account credentials to use the server to send emails.
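
The evaluation order of the smtpd_recipient_restrictions list in the notes above, as an added example (not code from the thread or from Postfix): a simplified Python model of left-to-right, first-match evaluation, compared with an auth-only list. The networks, domains and addresses are constructed sample values and the function names are hypothetical.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the thread).
MYNETWORKS = ["127.0.0.0/8", "192.0.2.0/24"]   # stands in for $mynetworks
LOCAL_DOMAINS = {"example.org"}                # domains this server accepts mail for

# The list from the main.cf snippet above, and a stricter variant.
FROM_NOTES = ["permit_sasl_authenticated", "permit_mynetworks",
              "reject_unauth_destination"]
AUTH_ONLY = ["permit_sasl_authenticated", "reject"]


def in_mynetworks(client_ip):
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net) for net in MYNETWORKS)


def evaluate(restrictions, client_ip, authenticated, rcpt):
    """Return (verdict, deciding rule) for one RCPT TO.

    Simplified model of one restriction list: rules run left to right, the
    first rule that matches decides, and a list that runs out permits.
    """
    domain = rcpt.rsplit("@", 1)[-1].lower()
    for rule in restrictions:
        if rule == "permit_sasl_authenticated" and authenticated:
            return "PERMIT", rule
        if rule == "permit_mynetworks" and in_mynetworks(client_ip):
            return "PERMIT", rule
        if rule == "reject_unauth_destination" and domain not in LOCAL_DOMAINS:
            return "REJECT", rule
        if rule == "reject":
            return "REJECT", rule
    return "PERMIT", "end of list"


if __name__ == "__main__":
    cases = [  # (client IP, authenticated?, recipient)
        ("192.0.2.10", False, "someone@example.net"),    # inside mynetworks
        ("198.51.100.7", False, "someone@example.net"),  # outside, relay attempt
        ("198.51.100.7", True, "someone@example.net"),   # outside, after AUTH
        ("198.51.100.7", False, "user@example.org"),     # outside, local recipient
    ]
    for name, rules in (("from notes", FROM_NOTES), ("auth only", AUTH_ONLY)):
        for case in cases:
            print(name, case, "->", *evaluate(rules, *case))
```

With the list from the notes, an unauthenticated client is still accepted when it connects from mynetworks or addresses a local recipient; the auth-only list, as commonly set on a dedicated submission service, rejects both.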
From: mohamed.zabiulla on 23 Jul 2007 23:55

Thanks for the detailed reply. I am a newbie to mail servers.

I am using SUSE SLES 10.0 on my machine. I tried the steps suggested by you. I am not able to find the dpkg-statoverride function. Are the steps suggested by you applicable for SLES 10.0? If not, is there any way out???

Thanks in advance.

Regards,
zabi.