authenticated relay with postfix and sasl

Patrick Siglin poison at list.memphistw.org
Thu Mar 2 01:02:15 UTC 2006


Wonderful. I was close but this made it happen.

On Wed, 1 Mar 2006 19:51:40 -0500, Chris Peterman wrote
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Wed, 1 Mar 2006 18:38:57 -0600
> "Patrick Siglin" <poison at list.memphistw.org> wrote:
> 
> > I was struggling trying to get this to work for a couple of days. I
> > am from a Windows background so I expected this to work out of the
> > box. This document I found helped me a lot and I wanted to share this
> > with others that may also be struggling to figure this out.
> > 
> > --
> > In order to install Postfix with SMTP-AUTH and TLS as well as a POP3
> > server that also does POP3s (port 995) and an IMAP server that is
> > also capable of IMAPs (port 993) do the following steps:
> > 
> > apt-get install postfix postfix-tls libsasl2 sasl2-bin
> > libsasl2-modules ipopd-ssl uw-imapd-ssl (1 line!)
> > 
> > <- pop3 and pop3s
> > <- No
> > <- Internet Site
> > <- NONE
> > <- server1.example.com
> > <- server1.example.com, localhost.example.com, localhost
> > <- No
> > 
> > postconf -e 'smtpd_sasl_local_domain ='
> > postconf -e 'smtpd_sasl_auth_enable = yes'
> > postconf -e 'smtpd_sasl_security_options = noanonymous'
> > postconf -e 'broken_sasl_auth_clients = yes'
> > postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
> > postconf -e 'inet_interfaces = all'
> > echo 'pwcheck_method: saslauthd' > /etc/postfix/sasl/smtpd.conf
> > echo 'mech_list: plain login' >> /etc/postfix/sasl/smtpd.conf
> > 
> > mkdir /etc/postfix/ssl
> > cd /etc/postfix/ssl/
> > openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
> > chmod 600 smtpd.key
> > openssl req -new -key smtpd.key -out smtpd.csr
> > openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
> > openssl rsa -in smtpd.key -out smtpd.key.unencrypted
> > mv -f smtpd.key.unencrypted smtpd.key
> > openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
> > 
> > postconf -e 'smtpd_tls_auth_only = no'
> > postconf -e 'smtp_use_tls = yes'
> > postconf -e 'smtpd_use_tls = yes'
> > postconf -e 'smtp_tls_note_starttls_offer = yes'
> > postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
> > postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
> > postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
> > postconf -e 'smtpd_tls_loglevel = 1'
> > postconf -e 'smtpd_tls_received_header = yes'
> > postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
> > postconf -e 'tls_random_source = dev:/dev/urandom'
> > 
> > The file /etc/postfix/main.cf should now look like this:
> > 
> > # See /usr/share/postfix/main.cf.dist for a commented, more complete version
> > 
> > smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
> > biff = no
> > 
> > # appending .domain is the MUA's job.
> > append_dot_mydomain = no
> > 
> > # Uncomment the next line to generate "delayed mail" warnings
> > #delay_warning_time = 4h
> > 
> > myhostname = server1.example.com
> > alias_maps = hash:/etc/aliases
> > alias_database = hash:/etc/aliases
> > myorigin = /etc/mailname
> > mydestination = server1.example.com, localhost.example.com, localhost
> > relayhost =
> > mynetworks = 127.0.0.0/8
> > mailbox_command = procmail -a "$EXTENSION"
> > mailbox_size_limit = 0
> > recipient_delimiter =  
> > inet_interfaces = all
> > smtpd_sasl_local_domain = $myhostname
> > smtpd_sasl_auth_enable = yes
> > smtpd_sasl_security_options = noanonymous
> > broken_sasl_auth_clients = yes
> > smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
> > smtpd_tls_auth_only = no
> > smtp_use_tls = yes
> > smtpd_use_tls = yes
> > smtp_tls_note_starttls_offer = yes
> > smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
> > smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
> > smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
> > smtpd_tls_loglevel = 1
> > smtpd_tls_received_header = yes
> > smtpd_tls_session_cache_timeout = 3600s
> > tls_random_source = dev:/dev/urandom
> > 
> > /etc/init.d/postfix restart
> > 
> > Authentication will be done by saslauthd. We have to change a few
> > things to make it work properly. Because Postfix runs chrooted
> > in /var/spool/postfix we have to do the following:
> > 
> > mkdir -p /var/spool/postfix/var/run/saslauthd
> > rm -fr /var/run/saslauthd
> > 
> > Now we have to edit /etc/default/saslauthd in order to activate
> > saslauthd. Remove # in front of START=yes and add the line
> > PARAMS="-m /var/spool/postfix/var/run/saslauthd":
> > 
> > 
> > --
> > poison at list.memphistw.org
> > 
> >
> 
> Howtoforge is indeed awesome :P
> 
> ~ Chris "Kyral" Peterman
> Computer Science Undergraduate
> Clarkson University
> Associate Member of the Free Software Foundation
> Ubuntu Member
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2.1 (GNU/Linux)
> 
> iD8DBQFEBkGlX41hkg8aZjkRAtbmAJ0U2eK3+AzZYCSFxX430atdEISI7gCgnRhA
> 3evqJ3RetDXsA9LkPjLWfHY=
> =SlIJ
> -----END PGP SIGNATURE-----


--
poison at list.memphistw.org
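
An added example, not part of the original thread: a POSIX shell audit of the main.cf values quoted above. It flags SMTP AUTH accepted outside TLS (`smtpd_tls_auth_only = no`), a missing `reject_unauth_destination`, and non-loopback `mynetworks` entries. The function names, finding labels and sample configs are constructed for illustration.

```sh
# Added example (not from the thread): audit main.cf-style text for relay/AUTH settings.

# Print the value of parameter $1 from main.cf text on stdin. Lines starting
# with whitespace continue the previous parameter; a later definition wins.
get_param() {
  awk -v want="$1" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    /^[ \t]/ { if (cur == want) val = val " " $0; next }
    { cur = $0; sub(/[ \t]*=.*/, "", cur)
      if (cur == want) { val = $0; sub(/^[^=]*=/, "", val) } }
    END { gsub(/[ \t,]+/, " ", val); sub(/^ /, "", val); sub(/ $/, "", val)
          print val }'
}

# Print one finding per line for the main.cf text in $1 (runs in a subshell).
audit_main_cf() (
  set -f   # no globbing when the mynetworks value is split into words
  auth=$(printf '%s\n' "$1" | get_param smtpd_sasl_auth_enable)
  tlsonly=$(printf '%s\n' "$1" | get_param smtpd_tls_auth_only)
  rcpt=$(printf '%s\n' "$1" | get_param smtpd_recipient_restrictions)
  nets=$(printf '%s\n' "$1" | get_param mynetworks)
  # With smtpd_tls_auth_only unset or "no", AUTH is accepted on plaintext
  # sessions, where PLAIN/LOGIN passwords are only base64-encoded.
  if [ "$auth" = yes ] && [ "$tlsonly" != yes ]; then
    echo "AUTH-WITHOUT-TLS: set smtpd_tls_auth_only = yes"
  fi
  # Presence check only; Postfix 2.10+ may use smtpd_relay_restrictions instead.
  case " $rcpt " in
    *" reject_unauth_destination "*) ;;
    *) echo "RELAY-UNRESTRICTED: reject_unauth_destination missing" ;;
  esac
  # permit_mynetworks lets every listed network relay without authenticating.
  for net in $nets; do
    case "$net" in
      127.*) ;;
      *) echo "RELAY-WITHOUT-AUTH: mynetworks includes $net" ;;
    esac
  done
)

# Constructed samples: the thread's values, then the same with AUTH limited to TLS.
THREAD_CF='smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = no
mynetworks = 127.0.0.0/8
smtpd_recipient_restrictions =
  permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
HARDENED_CF=$(printf '%s\n' "$THREAD_CF" | sed 's/only = no$/only = yes/')
audit_main_cf "$THREAD_CF"     # reports AUTH-WITHOUT-TLS
audit_main_cf "$HARDENED_CF"   # reports nothing
```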





More information about the ubuntu-users mailing list