[vox-tech] Debian Woody, Postfix, and authenticated SMTP

Samuel N. Merritt vox-tech@lists.lugod.org
Thu, 23 Oct 2003 17:41:08 -0700


Keywords: debian woody postfix smtp auth

I'm posting this here in case anyone is interested in this sort of
thing, plus this way Google will find it. There's lots of help on
getting Postfix+SMTP AUTH working on Sid, but the stuff that I was able
to find concerning Woody was fragmentary and incomplete.

This document tells how to set up authenticated SMTP using Debian Woody
3.0. I did this since I have a mail server sitting at home plus
another machine that travels around a bit, and I got sick of trying to
figure out which SMTP server to use for outbound mail at each place I
went to.

I don't say much about encryption; the existing documentation on that is
pretty good.

Here's how you do it:

0) Back up your config files in case stuff breaks.

1) Put the following lines in your main.cf:

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated, check_relay_domains

The first line tells postfix to offer authentication. The second turns
off anonymous authentication, since anonymous authentication lets anyone
in and effectively turns your machine into an open relay. (Boo!) The
third sets the realm for SASL authentication. As far as I can see, this
can be just about any nonempty string.

The fourth line allows users of broken mail clients (like some from
those folk in Redmond) to use authentication too. This can be set to
"no" if none of your users run Redmond-ware.

The fifth line allows both local (on $mynetworks) and authenticated
users to relay mail through your mail server.

2) Set up SASL.

Postfix uses SASL to authenticate users. The file
/etc/postfix/sasl/smtpd.conf contains the SASL settings for smtpd. Mine
looks like this:

pwcheck_method:pam
auto_transition:no
mech_list:PLAIN LOGIN
minimum_layer:0

This uses PAM for authentication and allows the PLAIN and LOGIN methods
of authentication. I don't have any password-hashing authentication
methods in here since I wasn't sure how to make those work with PAM
without storing users' passwords in the clear.

Users like this since their password for sending mail is the same as the
one for logging in. Fewer passwords => less hassle.

However, since the password is sent across the network unencrypted, this
should probably only be used when TLS is enabled.

3) Unchroot smtpd.

I know that having smtpd in a chroot jail is good for security. The
problem is that postfix needs to access /etc/shadow (or /etc/passwd) to
check passwords, so you wind up putting the crown jewels in the chroot
area anyway! If you'd like to do so, though, you can copy all the PAM
and SASL libraries and the password files into Postfix's jail and then
come up with some way to keep it all synchronized.

If you're lazy like me, just change
smtp      inet  n       -       -       -       -       smtpd
to
smtp      inet  n       -       n       -       -       smtpd
in /etc/postfix/master.cf.

4) Add the postfix user to the shadow group.

Use vigr and append "postfix" to the line starting with "shadow". If
you don't do this, smtpd won't be able to read /etc/shadow and so
authentication will always fail.

5) Restart postfix.

# postfix stop; postfix start

6) Test it out.

Telnet to your mailserver, port 25, and issue EHLO. You should see a
line like 250-AUTH PLAIN LOGIN. If that's there, fire up a mail client
and try to send a message using authentication. If it succeeds, there'll
be a line like

Oct 23 16:24:19 minimeat postfix/smtpd[23811]: 57C5A24090: client=somebox.example.com[10.20.30.40], sasl_method=PLAIN, sasl_username=someuser

in /var/log/mail.info.

If that works, you're good to go. However, I highly recommend getting
TLS working, since this setup sends your password in the clear as part
of every connection to the mail server.
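An added check for step 6, not code from the post: a Python 3 script that reads an EHLO reply the way the post reads it, flags the conditions the post warns about (no AUTH offered, anonymous allowed, PLAIN/LOGIN with no STARTTLS), and pulls the sasl_username out of the mail.info line. The sample EHLO reply, the sample log line and the host passed to check_live are constructed assumptions.

```python
import re
import smtplib
# Constructed sample EHLO reply in the shape step 6 describes; the second AUTH
# line is the old-style form Postfix adds for broken_sasl_auth_clients = yes.
SAMPLE_EHLO = (b"250-minimeat.example.com\n250-PIPELINING\n250-SIZE 10240000\n"
               b"250-AUTH PLAIN LOGIN\n250-AUTH=PLAIN LOGIN\n250 8BITMIME")
# Constructed log line in the shape the post shows for /var/log/mail.info.
SAMPLE_LOG = ("Oct 23 16:24:19 minimeat postfix/smtpd[23811]: 57C5A24090: "
              "client=somebox.example.com[10.20.30.40], sasl_method=PLAIN, "
              "sasl_username=someuser")

def parse_ehlo(reply):
    """Map EHLO keywords to arguments, e.g. {'AUTH': ['PLAIN', 'LOGIN']}."""
    text = reply.decode("ascii", "replace") if isinstance(reply, bytes) else reply
    caps = {}
    for line in text.splitlines()[1:]:          # line 0 is the server's own name
        parts = re.sub(r"^250[ -]", "", line).split()
        if not parts:
            continue
        key, args = parts[0].upper(), [a.upper() for a in parts[1:]]
        if key.startswith("AUTH="):             # 'AUTH=PLAIN LOGIN' variant
            key, args = "AUTH", [key[5:]] + args
        caps[key] = list(dict.fromkeys(caps.get(key, []) + args))  # dedupe, keep order
    return caps

def assess(caps):
    """Findings an admin wants after step 6: is AUTH on, and is it safe to use?"""
    findings, mechs = [], set(caps.get("AUTH", []))
    if not mechs:
        findings.append("AUTH not advertised: check smtpd_sasl_auth_enable and smtpd.conf")
    if "ANONYMOUS" in mechs:
        findings.append("ANONYMOUS offered: noanonymous is missing, so anyone can relay")
    if mechs & {"PLAIN", "LOGIN"} and "STARTTLS" not in caps:
        findings.append("PLAIN/LOGIN without STARTTLS: passwords cross the wire in clear")
    return findings

LOG_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<client>\S+), "
                    r"sasl_method=(?P<method>\S+), sasl_username=(?P<user>\S+)")
def parse_sasl_log(line):
    """Pull queue id, client, mechanism and user out of a successful-auth log line."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def check_live(host, port=25):
    """Run the same checks against a real server (assumed host; not run offline)."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        code, msg = s.ehlo()                    # msg = greeting line + feature lines
        if code != 250:
            raise RuntimeError("EHLO rejected: %d %r" % (code, msg))
        return assess(parse_ehlo(msg))
```

Run check_live("your.mail.host") against the box you just configured; an empty list means AUTH is offered and protected by STARTTLS, and the log line the post quotes can be confirmed with parse_sasl_log on the matching mail.info entry.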

-- 
Samuel Merritt
OpenPGP key is at http://meat.andcheese.org/~spam/spam_at_andcheese_dot_org.asc
Information about PGP can be found at http://www.mindspring.com/~aegreene/pgp/
