Thursday, April 21, 2011

Setup Postfix SMTP password authentication with SASL

Simple Authentication and Security Layer(SASL) is a framework for authentication and data security in Internet protocols.
Postfix can relay the SASL framework to provide SMTP password authentication.
SMTP password authentication is suitable for roaming users who are outside of trusted network. They are still allowed to send email without relaxing SMTP restrictions , which could introduce spam emails. 
Postfix version 2.3 onwards  supports two SASL implementations(This post will discuss cryus)
[Centos 5.5 ] $ postconf -a
cyrus
dovecot
SASL Mechanisms
- SASL mechanisms: DIGEST-MD5 CRAM-MD5 use encrypted password , but they are only supported in saslauthd mechanism:sasldb,sql,ldapdb
cyrus-sasl-md5 package provides library for DIGEST-MD5 CRAM-MD5
- SASL mechanisms: PLAIN LOGIN use clear  text password,  it is supported saslauthd mechanism: pam, but the clear text can be protected by TLS
cyrus-sasl-plain package provides library for  PLAIN LOGIN
NOTE:
  - This post only discuss SASL    PLAIN LOGIN    in saslauthd    PAM
  - make sure  you already have a basic working Postfix before continue next steps
1. Install and configure  saslauthd
$rpm -qa | grep sas

cyrus-sasl-2.1.22-5.el5_4.3

cyrus-sasl-plain-2.1.22-5.el5_4.3                

cyrus-sasl-lib-2.1.22-5.el5_4.3

#saslauthd should be configured to use pam mechanism 

$ grep MECH /etc/sysconfig/saslauthd

MECH=pam

#start /etc/init.dd/saslauthd and test it

#smtp is service name /etc/pam.d/smtp

$testsaslauthd -u guest01 -p Pass001  -s smtp

0: OK "Success."
2. Enable SASL in postfix


$cat /etc/postfix/main.cf

smtpd_sasl_auth_enable = yes

broken_sasl_auth_clients = yes

smtp_sasl_security_options = noanonymous

smtpd_recipient_restrictions =   permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination

3.Restart postfix and test the authentication


#First test:  telnet to check if   PLAIN LOGIN   is shown

$(echo "ehlo localhost"; sleep 2; echo "quit") | telnet localhost 25

250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5

## you can limit  mechanism  type 

$cat /usr/lib64/sasl2/smtpd.conf

pwcheck_method: saslauthd

mech_list: plain login

#Second test: test username and password by converting them to base64

$ printf  "\0guest01\0Pass001" |openssl base64

AGd1ZXN0MDEAUGFzczAwMQ==

$ (echo "AUTH PLAIN AGd1ZXN0MDEAUGFzczAwMQ=="; sleep 2 )| telnet localhost 25

Trying 127.0.0.1...

Connected to localhost (127.0.0.1).

Escape character is '^]'.

220 mail.example.com ESMTP Postfix

235 2.0.0 Authentication successful

Connection closed by foreign host.
4. Enable TLS (Optional) to protect clear text password in PLAIN LOGIN


$cat /etc/postfix/main.cf

smtpd_use_tls = yes

smtpd_tls_CAfile =  /etc/postfix/certs/ca.pem

smtpd_tls_cert_file = /etc/postfix/certs/postfix.pem

smtpd_tls_key_file = /etc/postfix/certs/postfix.key

smtpd_tls_loglevel = 1










Posted by



at


























Labels:
,


















No comments:















Post a Comment






Note: Only a member of this blog may post a comment.














        

      









Subscribe to:
Post Comments (Atom)