<< HOWTO-Index

  NEW! Visit my Linux forums!

  This Howto is also available on HowtoForge! If you have also written tutorials, you can publish them there.

Subscribe to FalkoTimme.com Newsletter and stay informed about my latest HOWTOs and projects. Email (If you want to unsubscribe from our newsletter, visit this link.)

Postfix-SMTP-AUTH-TLS-Howto

Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 12/31/2003

This document describes how to install a mail server based on postfix that is capable of SMTP-AUTH and TLS. It should work (maybe with slight changes concerning paths etc.) on all *nix operating systems. I tested it on Debian Woody and Fedora Core 1 so far.

This howto is meant as a practical guide; it does not cover the theoretical backgrounds. They are treated in a lot of other documents in the web.

This document comes without warranty of any kind!

1 Get the Sources

We need the following software: openssl, cyrus-sasl2, postfix and the TLS patch for postfix. We will install the software from the /tmp directory.

cd /tmp
wget http://www.openssl.org/source/openssl-0.9.7c.tar.gz
wget --passive-ftp ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-2.1.17.tar.gz
wget --passive-ftp ftp://ftp.aet.tu-cottbus.de/pub/postfix_tls/related/postfix/postfix-2.0.16.tar.gz
wget --passive-ftp ftp://ftp.aet.tu-cottbus.de/pub/postfix_tls/pfixtls-0.8.16-2.0.16-0.9.7b.tar.gz

2 Install Openssl

tar xvfz openssl-0.9.7c.tar.gz
cd openssl-0.9.7c
./config
make
make install

3 Install Cyrus-sasl

cd /tmp
tar xvfz cyrus-sasl-2.1.17.tar.gz
cd cyrus-sasl-2.1.17
./configure --enable-anon --enable-plain --enable-login --disable-krb4 --with-saslauthd=/var/run/saslauthd --with-pam --with-openssl=/usr/local/ssl --with-plugindir=/usr/local/lib/sasl2 --enable-cram --enable-digest --enable-otp (1 line!)
make
make install

If /usr/lib/sasl2 exists:
mv /usr/lib/sasl2 /usr/lib/sasl2_orig

ln -s /usr/local/lib/sasl2 /usr/lib/sasl2

Create the file /usr/local/lib/sasl2/smtpd.conf:

# This sets smtpd to authenticate using the saslauthd daemon. pwcheck_method:saslauthd # This allows only plain, login, cram-md5 and digest-md5 as the authentication mechanisms. mech_list: plain login cram-md5 digest-md5

4 Install Postfix

cd /tmp
tar xvfz pfixtls-0.8.16-2.0.16-0.9.7b.tar.gz
tar xvfz postfix-2.0.16.tar.gz
cd postfix-2.0.16
useradd postfix
groupadd postdrop
patch -p1 < ../pfixtls-0.8.16-2.0.16-0.9.7b/pfixtls.diff
make makefiles CCARGS="-DHAS_SSL -DUSE_SASL_AUTH -I/usr/local/include/sasl -I/usr/local/ssl/include" AUXLIBS="-L/usr/local/ssl/lib -L/usr/local/lib -R/usr/local/lib -lsasl2 -lssl -lcrypto" (1 line!)
make
make install (accept the default values)

cp /etc/postfix/aliases /etc/
newaliases

Create /etc/init.d/postfix:

#!/bin/bash # # postfix This script controls the postfix daemon. # # description: Postfix MTA # processname: postfix case "$1" in start) /usr/sbin/postfix start ;; stop) /usr/sbin/postfix stop ;; reload) /usr/sbin/postfix reload ;; restart) $0 stop $0 start ;; *) echo "Usage: $0 {start|stop|reload|restart}" exit 1 esac exit 0

chmod 755 /etc/init.d/postfix

In order to start postfix at boot time do the following:

ln -s /etc/init.d/postfix /etc/rc2.d/S20postfix
ln -s /etc/init.d/postfix /etc/rc3.d/S20postfix
ln -s /etc/init.d/postfix /etc/rc4.d/S20postfix
ln -s /etc/init.d/postfix /etc/rc5.d/S20postfix
ln -s /etc/init.d/postfix /etc/rc0.d/K20postfix
ln -s /etc/init.d/postfix /etc/rc1.d/K20postfix
ln -s /etc/init.d/postfix /etc/rc6.d/K20postfix

Our postfix will run chrooted in /var/spool/postfix so we have to copy a few files:

mkdir -p /var/spool/postfix/etc
cd /etc
cp localtime services hosts resolv.conf /var/spool/postfix/etc/
mkdir -p /var/spool/postfix/var/run
mv -f /var/run/saslauthd/ /var/spool/postfix/var/run/
chmod 755 /var/spool/postfix/var/run/saslauthd/
ln -s /var/spool/postfix/var/run/saslauthd/ /var/run/saslauthd

Now we have to generate the certificate files needed for TLS:

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/

If /usr/bin/openssl exists:

mv /usr/bin/openssl /usr/bin/openssl_orig

ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024

<- Enter a password for smtpd.key.

chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr

<- Again, enter your password for smtpd.key.
<- Enter your Country Name (e.g., "DE").
<- Enter your State or Province Name.
<- Enter your City.
<- Enter your Organization Name (e.g., the name of your company).
<- Enter your Organizational Unit Name (e.g. "IT Department").
<- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
<- Enter your Email Address.

The following information is optional:

<- Enter a challenge password.
<- Enter an optional company name.

openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt

<- Again, enter your password for smtpd.key.

openssl rsa -in smtpd.key -out smtpd.key.unencrypted

<- Again, enter your password for smtpd.key.

mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

<- Again, enter your password for smtpd.key.
<- Enter your Country Name (e.g., "DE").
<- Enter your State or Province Name.
<- Enter your City.
<- Enter your Organization Name (e.g., the name of your company).
<- Enter your Organizational Unit Name (e.g. "IT Department").
<- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
<- Enter your Email Address.

Edit /etc/postfix/main.cf in order to enable SMTP-AUTH and TLS:

postconf -e 'mydomain = example.com'
postconf -e 'myhostname = server1.$mydomain'
postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_recipient_restrictions=permit_sasl_authenticated,permit_mynetworks,check_relay_domains'
postconf -e 'inet_interfaces = all'
postconf -e 'alias_maps = hash:/etc/aliases'
postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'

5 Configure Saslauthd

Create /etc/init.d/saslauthd:

#!/bin/sh -e NAME=saslauthd DAEMON="/usr/sbin/${NAME}" DESC="SASL Authentication Daemon" DEFAULTS=/etc/default/saslauthd test -f "${DAEMON}" || exit 0 # Source defaults file; edit that file to configure this script. if [ -e "${DEFAULTS}" ]; then . "${DEFAULTS}" fi # If we're not to start the daemon, simply exit if [ "${START}" != "yes" ]; then exit 0 fi # If we have no mechanisms defined if [ "x${MECHANISMS}" = "x" ]; then echo "You need to configure ${DEFAULTS} with mechanisms to be used" exit 0 fi # Add our mechanimsms with the necessary flag for i in ${MECHANISMS}; do PARAMS="${PARAMS} -a ${i}" done # Consider our options case "${1}" in start) echo -n "Starting ${DESC}: " ln -fs /var/spool/postfix/var/run/${NAME} /var/run/${NAME} ${DAEMON} ${PARAMS} echo "${NAME}." ;; stop) echo -n "Stopping ${DESC}: " PROCS=`ps aux | grep -iw '/usr/sbin/saslauthd' | grep -v 'grep' |awk '{print $2}' | tr '\n' ' '` if [ "x${PROCS}" != "x" ]; then kill -15 ${PROCS} &> /dev/null fi echo "${NAME}." ;; restart|force-reload) $0 stop sleep 1 $0 start echo "${NAME}." ;; *) echo "Usage: /etc/init.d/${NAME} {start|stop|restart|force-reload}" >&2 exit 1 ;; esac exit 0

chmod 755 /etc/init.d/saslauthd

In order to start saslauthd at boot time do the following:

ln -s /etc/init.d/saslauthd /etc/rc2.d/S20saslauthd
ln -s /etc/init.d/saslauthd /etc/rc3.d/S20saslauthd
ln -s /etc/init.d/saslauthd /etc/rc4.d/S20saslauthd
ln -s /etc/init.d/saslauthd /etc/rc5.d/S20saslauthd
ln -s /etc/init.d/saslauthd /etc/rc0.d/K20saslauthd
ln -s /etc/init.d/saslauthd /etc/rc1.d/K20saslauthd
ln -s /etc/init.d/saslauthd /etc/rc6.d/K20saslauthd

Then create /etc/default/saslauthd:

# This needs to be uncommented before saslauthd will be run automatically START=yes # You must specify the authentication mechanisms you wish to use. # This defaults to "pam" for PAM support, but may also include # "shadow" or "sasldb" MECHANISMS=shadow

If you find out that saslauthd is located in /usr/local/sbin instead of /usr/sbin create a symbolic link:

ln -s /usr/local/sbin/saslauthd /usr/sbin/saslauthd

Then start saslauthd and postfix:

/etc/init.d/saslauthd start

/etc/init.d/postfix start

6 Test your Configuration

To see if SMTP-AUTH and TLS work properly now run the following command:

telnet localhost 25

After you have established the connection to your postfix mail server type

ehlo localhost

If you see the lines

250-STARTTLS

and

250-AUTH

everything is fine.

Type

quit

to return to the system's shell.

Further (Debian-specific) information about this topic can be found here: http://www.projektfarm.com/en/support/debian_setup/index.html.

Links

Postfix MTA: http://www.postfix.org/

OpenSSL: http://www.openssl.org/

Cyrus-SASL: http://asg.web.cmu.edu/sasl/

Postfix/TLS: http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/

  NEW! Visit my Linux forums!

  This Howto is also available on HowtoForge! If you have also written tutorials, you can publish them there.

<< HOWTO-Index