Thursday, April 21, 2011

Setup Postfix SMTP password authentication with SASL

Simple Authentication and Security Layer (SASL) is a framework for authentication and data security in Internet protocols.
Postfix can use the SASL framework to provide SMTP password authentication.
SMTP password authentication is suitable for roaming users who are outside the trusted network. They are still allowed to send email without relaxing the SMTP restrictions, which would otherwise open the door to spam.
Postfix version 2.3 onwards supports two SASL implementations (this post discusses Cyrus):
[CentOS 5.5] $ postconf -a
cyrus
dovecot 
SASL Mechanisms
- DIGEST-MD5 and CRAM-MD5 use a challenge-response exchange instead of sending the password in clear text, but they are only supported by the sasldb, sql and ldapdb password backends.
  The cyrus-sasl-md5 package provides the library for DIGEST-MD5 and CRAM-MD5.
- PLAIN and LOGIN send the password in clear text; they are supported by the saslauthd pam mechanism, and the clear text can be protected by TLS.
  The cyrus-sasl-plain package provides the library for PLAIN and LOGIN.
NOTE:
  - This post only discusses the SASL PLAIN and LOGIN mechanisms with the saslauthd PAM backend.
  - Make sure you already have a basic working Postfix before continuing with the next steps.
1. Install and configure saslauthd
$rpm -qa | grep sas
cyrus-sasl-2.1.22-5.el5_4.3
cyrus-sasl-plain-2.1.22-5.el5_4.3                
cyrus-sasl-lib-2.1.22-5.el5_4.3
# saslauthd should be configured to use the pam mechanism
$ grep MECH /etc/sysconfig/saslauthd
MECH=pam
# start saslauthd (/etc/init.d/saslauthd) and test it
# smtp is the PAM service name, i.e. /etc/pam.d/smtp
$testsaslauthd -u guest01 -p Pass001  -s smtp
0: OK "Success."
2. Enable SASL in Postfix
$ cat /etc/postfix/main.cf
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
# the server-side parameter is smtpd_sasl_security_options (smtp_sasl_security_options applies to the Postfix SMTP client)
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
3. Restart Postfix and test the authentication
# First test: use telnet to check that PLAIN LOGIN is advertised
$(echo "ehlo localhost"; sleep 2; echo "quit") | telnet localhost 25
250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5
# You can limit the mechanism types offered in the smtpd SASL config
$ cat /usr/lib64/sasl2/smtpd.conf
pwcheck_method: saslauthd
mech_list: plain login
# Second test: test the username and password by encoding them as a base64 PLAIN message (NUL, user, NUL, password)
$ printf  "\0guest01\0Pass001" |openssl base64
AGd1ZXN0MDEAUGFzczAwMQ==
$ (echo "AUTH PLAIN AGd1ZXN0MDEAUGFzczAwMQ=="; sleep 2 )| telnet localhost 25
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
220 mail.example.com ESMTP Postfix
235 2.0.0 Authentication successful
Connection closed by foreign host.
4. Enable TLS (optional) to protect the clear-text password used by PLAIN and LOGIN
$ cat /etc/postfix/main.cf
smtpd_use_tls = yes
smtpd_tls_CAfile =  /etc/postfix/certs/ca.pem
smtpd_tls_cert_file = /etc/postfix/certs/postfix.pem
smtpd_tls_key_file = /etc/postfix/certs/postfix.key
smtpd_tls_loglevel = 1
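The PLAIN credential encoding from step 3 and the clear-text exposure that step 4 addresses, as an added Python example that is not part of the original post: it builds and decodes the RFC 4616 PLAIN token the way the printf/openssl pipeline does, and audits a captured EHLO reply (the sample reply below is constructed) for PLAIN/LOGIN being offered without STARTTLS.

```python
"""Build/parse SASL PLAIN tokens and audit a Postfix EHLO reply."""
import base64


def plain_initial_response(authcid: str, passwd: str, authzid: str = "") -> str:
    """Encode RFC 4616 PLAIN: [authzid] NUL authcid NUL passwd, then base64.
    With an empty authzid this matches: printf "\\0user\\0pass" | openssl base64"""
    raw = b"\0".join(s.encode("utf-8") for s in (authzid, authcid, passwd))
    return base64.b64encode(raw).decode("ascii")


def parse_plain_initial_response(token: str):
    """Decode a PLAIN token into (authzid, authcid, passwd); reject malformed input."""
    raw = base64.b64decode(token, validate=True)
    parts = raw.split(b"\0")
    if len(parts) != 3:
        raise ValueError("PLAIN message must contain exactly two NUL separators")
    return tuple(p.decode("utf-8") for p in parts)


def audit_ehlo(reply: str) -> dict:
    """Parse a multi-line EHLO reply and report which AUTH mechanisms are
    offered and whether STARTTLS is available to protect them."""
    mechs, starttls = set(), False
    for line in reply.splitlines():
        code, sep, text = line[:3], line[3:4], line[4:].strip()
        if code != "250" or sep not in ("-", " "):
            continue  # not an EHLO keyword line
        upper = text.upper()
        if upper == "STARTTLS":
            starttls = True
        # broken_sasl_auth_clients = yes makes Postfix also announce "AUTH=..."
        elif upper.startswith("AUTH ") or upper.startswith("AUTH="):
            mechs.update(text[5:].split())
    return {
        "mechanisms": sorted(mechs),
        "starttls": starttls,
        # PLAIN/LOGIN carry the password in clear text; without STARTTLS it is on the wire
        "cleartext_without_tls": bool({"PLAIN", "LOGIN"} & mechs) and not starttls,
    }


# Constructed sample EHLO reply, modelled on the telnet test in the post (no STARTTLS yet)
SAMPLE_EHLO = """250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5
250 8BITMIME"""

if __name__ == "__main__":
    print(plain_initial_response("guest01", "Pass001"))  # AGd1ZXN0MDEAUGFzczAwMQ==
    print(audit_ehlo(SAMPLE_EHLO))
```

Postfix can also be told to announce AUTH only inside a TLS session with smtpd_tls_auth_only = yes, which closes the clear-text gap this audit flags.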
