Page last updated: 2003 Oct 24 16:44

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

[vox-tech] Debian Woody, Postfix, and authenticated SMTP

Keywords: debian woody postfix smtp auth

I'm posting this here in case anyone is interested in this sort of
thing, plus this way Google will find it. There's lots of help on
getting Postfix+SMTP AUTH working on Sid, but the stuff that I was able
to find concerning Woody was fragmentary and incomplete. 

This document tells how to set up authenticated SMTP using Debian Woody
3.0. I did this since I have a mail server sitting at home plus
another machine that travels around a bit, and I got sick of trying to
figure out which SMTP server to use for outbound mail at each place I
went to. 

I don't say much about encryption; the existing documentation on that is
pretty good. 

Here's how you do it: 

0) Back up your config files in case stuff breaks. 

1) Put the following lines in your main.cf:

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated, check_relay_domains

The first line tells postfix to offer authentication. The second turns
off anonymous authentication, since anonymous authentication lets anyone
in and effectively turns your machine into an open relay. (Boo!) The
third sets the realm for SASL authentication. As far as I can see, this
can be just about any nonempty string. 

The fourth line allows users of broken mail clients (like some from
those folk in Redmond) to use authentication too. This can be set to
"no" if none of your users run Redmond-ware. 

The fifth line allows both local (on $mynetworks) and authenticated
users to relay mail through your mail server. 

2) Set up SASL. 

Postfix uses SASL to authenticate users. The file
/etc/postfix/sasl/smtpd.conf contains the SASL settings for smtpd. Mine
looks like this: 

pwcheck_method:pam
auto_transition:no
mech_list:PLAIN LOGIN
minimum_layer:0

This uses PAM for authentication and allows the PLAIN and LOGIN methods
of authentication. I don't have any password-hashing authentication
methods in here since I wasn't sure how to make those work with PAM
without storing users' passwords in the clear. 

Users like this since their password for sending mail is the same as the
one for logging in. Fewer passwords => less hassle. 

However, since the password is sent across the network unencrypted, this
should probably only be used when TLS is enabled.  

3) Unchroot smtpd. 

I know that having smtpd in a chroot jail is good for security. The
problem is that postfix needs to access /etc/shadow (or /etc/passwd) to
check passwords, so you wind up putting the crown jewels in the chroot
area anyway! If you'd like to do so, though, you can copy all the PAM
and SASL libraries and the password files into Postfix's jail and then
come up with some way to keep it all synchronized. 

If you're lazy like me, just change
smtp      inet  n       -       -       -       -       smtpd
to
smtp      inet  n       -       n       -       -       smtpd
in /etc/postfix/master.cf. 

4) Add the postfix user to the shadow group. 

Use vigr and append "postfix" to the line starting with "shadow". If
you don't do this, smtpd won't be able to read /etc/shadow and so
authentication will always fail.

5) Restart postfix. 

# postfix stop; postfix start

6) Test it out. 

Telnet to your mailserver, port 25, and issue EHLO. You should see a
line like 250-AUTH PLAIN LOGIN. If that's there, fire up a mail client
and try to send a message using authentication. If it succeeds, there'll
be a line like 

Oct 23 16:24:19 minimeat postfix/smtpd[23811]: 57C5A24090: client=somebox.example.com[10.20.30.40], sasl_method=PLAIN, sasl_username=someuser

in /var/log/mail.info. 

If that works, you're good to go. However, I highly recommend getting
TLS working, since this setup sends your password in the clear as part
of every connection to the mail server. 
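As an added example (not part of the original post), here is a small checker that parses a main.cf fragment, including the whitespace-indented continuation line used in step 1, and verifies the settings that keep the box from becoming an open relay. The sample configuration embedded in it is constructed to mirror step 1; the hostname is made up.

```python
"""Sanity-check the SMTP AUTH settings from a Postfix main.cf.

Added example, not from the original post. The parser handles main.cf's
"key = value" syntax where a line starting with whitespace continues the
previous parameter's value.
"""
import re

# Constructed sample mirroring step 1 of the post (hostname is made up).
SAMPLE_MAIN_CF = """\
myhostname = minimeat.example.org
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated, check_relay_domains
"""


def parse_main_cf(text):
    """Parse main.cf text into a dict; indented lines continue the last key."""
    params = {}
    key = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and key is not None:
            params[key] += " " + line.strip()
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        params[key] = value.strip()
    return params


def check_smtp_auth(params):
    """Return a list of problems; an empty list means the relay settings look sane."""
    problems = []
    if params.get("smtpd_sasl_auth_enable", "no").lower() != "yes":
        problems.append("SMTP AUTH is not enabled")
    opts = re.split(r"[,\s]+", params.get("smtpd_sasl_security_options", ""))
    if "noanonymous" not in opts:
        problems.append("noanonymous missing: anonymous SASL would open the relay")
    restr = re.split(r"[,\s]+", params.get("smtpd_recipient_restrictions", ""))
    if "permit_sasl_authenticated" not in restr:
        problems.append("permit_sasl_authenticated missing: authenticated clients cannot relay")
    if "permit" in restr:
        problems.append("bare 'permit' in recipient restrictions makes an open relay")
    return problems
```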

-- 
Samuel Merritt
OpenPGP key is at http://meat.andcheese.org/~spam/spam_at_andcheese_dot_org.asc
Information about PGP can be found at http://www.mindspring.com/~aegreene/pgp/
