authenticated relay with postfix and sasl
Chris Peterman
kyral at ubuntu.com
Thu Mar 2 00:51:40 UTC 2006
On Wed, 1 Mar 2006 18:38:57 -0600
"Patrick Siglin" <poison at list.memphistw.org> wrote:
> I was struggling trying to get this to work for a couple of days. I
> am from a windows background so I expected this to work out of the
> box. This document I found helped me a lot and I wanted to share this
> with others that may also be struggling to figure this out.
>
> --
> In order to install Postfix with SMTP-AUTH and TLS as well as a POP3
> server that also does POP3s (port 995) and an IMAP server that is
> also capable of IMAPs (port 993) do the following steps:
>
> apt-get install postfix postfix-tls libsasl2 sasl2-bin
> libsasl2-modules ipopd-ssl uw-imapd-ssl (1 line!)
>
> <- pop3 and pop3s
> <- No
> <- Internet Site
> <- NONE
> <- server1.example.com
> <- server1.example.com, localhost.example.com, localhost
> <- No
>
> postconf -e 'smtpd_sasl_local_domain ='
> postconf -e 'smtpd_sasl_auth_enable = yes'
> postconf -e 'smtpd_sasl_security_options = noanonymous'
> postconf -e 'broken_sasl_auth_clients = yes'
> postconf -e 'smtpd_recipient_restrictions =
> permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
> postconf -e 'inet_interfaces = all'
> echo 'pwcheck_method: saslauthd' > /etc/postfix/sasl/smtpd.conf
> echo 'mech_list: plain login' >> /etc/postfix/sasl/smtpd.conf
>
> mkdir /etc/postfix/ssl
> cd /etc/postfix/ssl/
> openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
> chmod 600 smtpd.key
> openssl req -new -key smtpd.key -out smtpd.csr
> openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
> openssl rsa -in smtpd.key -out smtpd.key.unencrypted
> mv -f smtpd.key.unencrypted smtpd.key
> openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
>
> postconf -e 'smtpd_tls_auth_only = no'
> postconf -e 'smtp_use_tls = yes'
> postconf -e 'smtpd_use_tls = yes'
> postconf -e 'smtp_tls_note_starttls_offer = yes'
> postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
> postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
> postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
> postconf -e 'smtpd_tls_loglevel = 1'
> postconf -e 'smtpd_tls_received_header = yes'
> postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
> postconf -e 'tls_random_source = dev:/dev/urandom'
>
> The file /etc/postfix/main.cf should now look like this:
>
> # See /usr/share/postfix/main.cf.dist for a commented, more complete version
>
> smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
> biff = no
>
> # appending .domain is the MUA's job.
> append_dot_mydomain = no
>
> # Uncomment the next line to generate "delayed mail" warnings
> #delay_warning_time = 4h
>
> myhostname = server1.example.com
> alias_maps = hash:/etc/aliases
> alias_database = hash:/etc/aliases
> myorigin = /etc/mailname
> mydestination = server1.example.com, localhost.example.com, localhost
> relayhost =
> mynetworks = 127.0.0.0/8
> mailbox_command = procmail -a "$EXTENSION"
> mailbox_size_limit = 0
> recipient_delimiter =
> inet_interfaces = all
> smtpd_sasl_local_domain = $myhostname
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_security_options = noanonymous
> broken_sasl_auth_clients = yes
> smtpd_recipient_restrictions =
> permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
> smtpd_tls_auth_only = no
> smtp_use_tls = yes
> smtpd_use_tls = yes
> smtp_tls_note_starttls_offer = yes
> smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
> smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
> smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = yes
> smtpd_tls_session_cache_timeout = 3600s
> tls_random_source = dev:/dev/urandom
>
> /etc/init.d/postfix restart
>
> Authentication will be done by saslauthd. We have to change a few
> things to make it work properly. Because Postfix runs chrooted
> in /var/spool/postfix we have to do the following:
>
> mkdir -p /var/spool/postfix/var/run/saslauthd
> rm -fr /var/run/saslauthd
>
> Now we have to edit /etc/default/saslauthd in order to activate
> saslauthd. Remove # in front of START=yes and add the line
> PARAMS="-m /var/spool/postfix/var/run/saslauthd":
>
>
> --
> poison at list.memphistw.org
Howtoforge is indeed awesome :P
~ Chris "Kyral" Peterman
Computer Science Undergraduate
Clarkson University
Associate Member of the Free Software Foundation
Ubuntu Member
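An added check, not part of this thread, that parses a Postfix main.cf like the one in the quoted how-to and flags the relay and credential risks those settings carry; the sample config below is constructed from the listing above, and the parameter names are the ones the how-to uses.

```python
"""Audit a Postfix main.cf for open-relay and cleartext-auth weaknesses (added example)."""
import re

# Constructed sample: the relevant lines of the main.cf listing from the how-to above.
SAMPLE_MAIN_CF = """\
mynetworks = 127.0.0.0/8
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions =
    permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_auth_only = no
smtpd_use_tls = yes
"""

def parse_main_cf(text):
    """Parse 'key = value' lines; a line starting with whitespace continues the previous value."""
    params, key = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and key:
            params[key] = (params[key] + " " + line.strip()).strip()
            continue
        m = re.match(r"^(\w+)\s*=\s*(.*)$", line)
        if m:
            key = m.group(1)
            params[key] = m.group(2).strip()
    return params

def audit_relay_config(params):
    """Return a list of findings; an empty list means these checks found nothing."""
    findings = []
    restr = [t for t in re.split(r"[,\s]+", params.get("smtpd_recipient_restrictions", "")) if t]
    if "reject_unauth_destination" not in restr:
        findings.append("open relay: reject_unauth_destination missing from smtpd_recipient_restrictions")
    else:
        before = restr[: restr.index("reject_unauth_destination")]
        loose = [t for t in before if t.startswith("permit")
                 and t not in ("permit_mynetworks", "permit_sasl_authenticated")]
        if loose:
            findings.append("open relay: %s matches before reject_unauth_destination" % ", ".join(loose))
    nets = [n for n in re.split(r"[,\s]+", params.get("mynetworks", "")) if n]
    if any(n.split("/")[-1] == "0" for n in nets):   # a /0 mask trusts every client
        findings.append("open relay: mynetworks contains a catch-all network (%s)" % ", ".join(nets))
    sasl_on = params.get("smtpd_sasl_auth_enable", "no").lower() == "yes"
    tls_only = params.get("smtpd_tls_auth_only", "no").lower() == "yes"
    opts = params.get("smtpd_sasl_security_options", "noplaintext")   # Postfix default is noplaintext
    if sasl_on and not tls_only and "noplaintext" not in opts:
        findings.append("cleartext credentials: PLAIN/LOGIN offered on unencrypted sessions "
                        "(set smtpd_tls_auth_only = yes or add noplaintext)")
    return findings
```

On the how-to's own settings the audit reports one finding: `smtpd_sasl_security_options = noanonymous` replaces the default `noplaintext`, so with `smtpd_tls_auth_only = no` the server offers PLAIN and LOGIN before STARTTLS and passwords can cross the wire unencrypted.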