Postfix SMTP AUTH (and TLS) HOWTO

for RedHat Linux < Version 8.0 and Cyrus-SASL < 1.5.28

M.A., Patrick Ben Koetter

Revision History
Revision 1.42, June 22, 2004 (PK)
Fixed a typo in Section 7. Thanks to Jim Woodworth.
Revision 1.41, April 4, 2004 (PK)
Updated the link to SASL clients. Thanks to Michael Bunk.
Revision 1.4, October 1, 2003 (PK)
Added some debug information to tell if saslauthd was started correctly.
Revision 1.3, July 31, 2003 (PK)
Added short explanations for Cyrus-SASL-2.x users.
Revision 1.2.2, April 15, 2003 (PK)
Added English wishlist to provide an English interface for the payment process.
Revision 1.2.1, April 8, 2003 (PK)
Added link to my wishlist, removed downloadable formats because the number of wget clients doesn't decrease.
Revision 1.2, March 13, 2003 (PK)
Rewrote the source to DocBook XML, added SMTP AUTH for mail servers, added a Mini-FAQ section.
Revision 1.1.1, May 11, 2002 (PK)
Fixed misleading path statement in SASL RPM install (reported by Frank Jones).
Revision 1.1, May 10, 2002 (PK)
Beefed up TLS support, cleanup, fixed lots of typos.
Revision 1.0, May 9, 2002 (PK)
Initial version for RedHat users (without authentication for mail servers).

Table of Contents

1. Introduction
2. Benefits of using SMTP AUTH
3. How SMTP AUTH is processed
4. What do you need to offer SMTP AUTH in Postfix?
5. Authentication service or what is Cyrus-SASL?
6. Planning SMTP AUTH
7. Building RPMS from SOURCE or SRPMS
8. Cyrus-SASL Installation
9. Postfix Installation
10. Configuring SASL to use saslauthd
11. Basic Postfix configuration and preparation for SMTP AUTH
12. SMTP Authentication for Mail clients
13. Limiting SASL mechanisms
14. Configuring SASL to use sasldb
15. Adding TLS support to Postfix
16. SMTP Authentication for Mail servers
17. FAQ
18. Acknowledgments
19. Donations

Abstract

This HOWTO will help you deploy SMTP AUTH for Postfix. It explains the installation, configuration and use of the software needed for this solution (Cyrus-SASL, TLS and Postfix).

Important

Postfix 2.x and Cyrus-SASL-2.x users!

This HOWTO was written for Postfix 1.x and Cyrus-SASL-1.5.x. With the arrival of Cyrus-SASL-2.x some minor but important changes were made to the configuration options.

For now I have put these changes into this HOWTO as important notes, like this one, until I find time to rewrite it completely. At the earliest this will be after Ralf and I have finished the Postfix Book.

1. Introduction

This HOWTO will help you deploy a method called SMTP AUTH in conjunction with Postfix. It explains the installation, configuration and use of the software needed for this solution (Cyrus-SASL©, TLS and Postfix©). Before you decide to use this method, read the alternatives below and check whether you can do with less.

1.1. What's the problem?

If you want to relay messages from anywhere in the world through only one (your own) SMTP server, you usually run into trouble. The server's relay permissions check whether your IP address belongs to a trusted network (e.g. a range of IP addresses). From the SMTP server's point of view you are sending from an untrusted network when you dial up.

1.2. What are the approaches to fix this issue?

1.2.1. Add IP manually

Each time a user wants to relay from an IP address unknown to the system, she adds the IP to the relay network, restarts the SMTP server and sends her mail. When she is done she removes the IP and restarts the SMTP server once more.

This is by far the most insecure solution. Though possible, you would have to grant users shell access and teach them how to deal with the system. It won't work for those who focus on the computing and not the computer...

1.2.2. SMTP-After-POP (POP-Before-SMTP)

A service or script runs on the SMTP server and records the IP addresses of users who have successfully authenticated to their POP3 or IMAP server, writing them to a file or database. Since these users are valid users of the POP/IMAP server, they are taken to be valid users of the SMTP server as well. When such a user sends messages after the POP/IMAP session, the SMTP server looks up the file or database the POP/IMAP side has written to; if the client's IP is found there, the client may relay messages. After a certain period the IP expires and is removed from the file or database.

This will not work easily with common mail clients, as not all of them come with built-in support for SMTP-After-POP. There are workarounds on the net, but the solution may require expensive configuration and/or constant support.

1.2.3. SMTP AUTH

This approach uses a totally different, IP-independent method. Instead of checking the IP address of the mail client and comparing it to a range of permitted IP addresses, the mail client authenticates itself to the mail server by providing a username and password (or by proving that it shares a secret with the server). These credentials are compared against a source the mail server has access to, and only if valid data has been provided will the mail server permit relaying.

This HOWTO will help you enable Postfix to provide SMTP AUTH using Cyrus-SASL©. Read about the benefits of using SMTP AUTH and how SMTP AUTH is processed first; after that you will find out which steps you have to take to deploy your specific SMTP AUTH solution.
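To make the difference between the IP-based relay check and SMTP AUTH concrete, here is an added Python model of the server-side relay decision (example code, not part of the HOWTO or of Postfix): the trusted network, the credential table and the client addresses are constructed sample values, and the credential source stands in for whatever Cyrus-SASL would consult.

```python
import base64
import hmac
import ipaddress

# Constructed sample data: one trusted network (the classic IP-based check) and a
# credential source. A real server would hand the check to SASL, not keep
# plaintext passwords in a dict; this is only to show the decision flow.
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
CREDENTIALS = {"alice": "s3cret"}  # constructed, illustration only


def encode_auth_plain(username, password, authzid=""):
    """Client side: build the base64 blob a client sends for the PLAIN
    mechanism (authorization-id NUL username NUL password, RFC 4616 layout)."""
    raw = f"{authzid}\0{username}\0{password}".encode()
    return base64.b64encode(raw).decode()


def check_auth_plain(blob):
    """Server side: decode the blob and compare it with the credential source.
    Returns the authenticated username, or None on malformed or invalid data."""
    try:
        parts = base64.b64decode(blob, validate=True).split(b"\0")
    except ValueError:  # binascii.Error is a ValueError
        return None
    if len(parts) != 3:
        return None
    user = parts[1].decode(errors="replace")
    expected = CREDENTIALS.get(user)
    # Constant-time comparison so a wrong password takes as long as a right one.
    if expected is None or not hmac.compare_digest(expected.encode(), parts[2]):
        return None
    return user


def relay_decision(client_ip, auth_blob=None):
    """Decide whether a client may relay, in the order the HOWTO describes:
    a trusted IP is enough; otherwise the client must have authenticated."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in TRUSTED_NETWORKS):
        return True, "trusted network"
    if auth_blob is not None:
        user = check_auth_plain(auth_blob)
        if user:
            return True, f"authenticated as {user}"
        return False, "authentication failed"
    return False, "untrusted network, no authentication"
```

A dial-up client outside 192.0.2.0/24 is refused until it presents valid credentials, which is exactly the IP-independent behaviour SMTP AUTH adds.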