## - Configure a postfix server to act as relay host for ## - AUTHENTICATED clients ## - ## - see also Postfix SASL Howto: ## - http://www.postfix.org/SASL_README.html ## - http://www.synology-wiki.de/index.php/Mail-Relay_mit_Postfix ## - ## - Todo: ## - 1.) Configuring SASL authentication in the Postfix SMTP server ## - - Configuring Cyrus SASL - using accounts that are stored in a Cyrus SASL ## - Berkeley DB database ## - 2.) Configuring SASL authentication in the Postfix SMTP/LMTP client ## - ------------------------------------------------------------- - ## ## - 1. Configuring SASL authentication at the Postfix SMTP server - ## ## - ------------------------------------------------------------- - ## ## ----------------------------- ## - Create the sasldb2 Database ## - ## - To create and maintain the database, we will use the ## - command-line utility "saslpasswd2". So, we have to install ## - the package sasl2-bin ## - apt-get install sasl2-bin ## - The sasldb auxprop plugin authenticates SASL clients against credentials ## - that are stored in a Berkeley DB database. The database schema is specific ## - to Cyrus SASL. The database is usually located at /etc/sasldb2 ## - ## - !!!! ## - NOTE: in a chrooted postfix, that is, if chroot in master.cf is not set (has ## - "-") or is set to yes (has "y"), the database "sasldb2" is ## - searched for in the chrooted path. In debian it is the file ## - /var/spool/postfix/etc/sasldb2 ## - !!!! ## - ## - Create a new account ## - ## - Note: ## - 1.) usernames of accounts are of the form: ## - <user>@<domain> and NOT <user> ## - ## - 2.) The database file defaults to "/etc/sasldb2". But on a chrooted ## - postfix (as we have), the database file must be placed at ## - /var/spool/postfix/etc/sasldb2 - on a default debian postfix ## - install. 
So use flag "-f" ## - saslpasswd2 -c -u b.mx.oopen.de -f /var/spool/postfix/etc/sasldb2 <user> ## - Check with the command-line utility "sasldblistusers2" ## - sasldblistusers2 -f /var/spool/postfix/etc/sasldb2 ## ------------------------------------------------ ## - Configure and Enable Cyrus SASL authentication ## - in /etc/postfix/main.cf set: ## - ## - smtpd_sasl_type = cyrus ## - ## - # Define the name of the configuration file. Cyrus SASL adds the ## - # suffix ".conf". The location where Cyrus SASL searches for the named ## - # file depends on the Cyrus SASL version and the OS/distribution used. ## - # For debian it is: /etc/postfix/sasl/ ## - smtpd_sasl_path = smtpd ## - ## - # enable SASL authentication ## - smtpd_sasl_auth_enable = yes ## - ## - # Disallow methods that allow anonymous authentication. ## - smtpd_sasl_security_options = noanonymous ## - smtpd_sasl_tls_security_options = $smtpd_sasl_security_options ## - ## - # Do not accept SASL authentication over unencrypted connections ## - smtpd_tls_auth_only = yes ## - vim /etc/postfix/main.cf ## - create /etc/postfix/sasl/smtpd.conf ## - ## - pwcheck_method: auxprop ## - auxprop_plugin: sasldb ## - mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM ## - ## - Note: PLAIN and LOGIN transmit the password in clear text, which is why ## - smtpd_tls_auth_only = yes above must stay set. ## - Take care to list only login mechanisms that the installed plugins actually provide; check with: ## - # saslpluginviewer -x AUXPROP_MECHS ## - vim /etc/postfix/sasl/smtpd.conf ## - To allow (dynamic) ip-addresses to relay, even if they are blacklisted, ## - you can use permit_sasl_authenticated in postfix smtpd_relay_restrictions ## - BEFORE checking against blacklists ## - ## - in /etc/postfix/main.cf set: ## - ## - smtpd_recipient_restrictions = ## - ... 
## - # permit trusted network mynetworks ## - permit_mynetworks, ## - # sasl authenticated user (we work as relayhost for some office networks) ## - permit_sasl_authenticated, ## - # don't accept misconfigured mail ## - reject_non_fqdn_recipient, ## - reject_unknown_sender_domain, ## - reject_unknown_recipient_domain, ## - reject_unlisted_recipient, ## - # RBL check - !! comment out if postscreen's postscreen_dnsbl_sites is in use ## - permit_dnswl_client dnswl.oopen.de, ## - #reject_rbl_client zen.spamhaus.org, ## - reject_rbl_client ix.dnsbl.manitu.net, ## - reject_rbl_client bl.spamcop.net, ## - reject_rbl_client dnsbl.njabl.org, ## - # Policyd-Weight ## - ... ## - vim /etc/postfix/main.cf ## - --------------------------------------------------------------- - ## ## - Configuring SASL authentication in the Postfix SMTP/LMTP client - ## ## - --------------------------------------------------------------- - ## ## - Notice: you have to install the Pluggable Authentication Modules for SASL ## - for debian: install package libsasl2-modules ## - apt-get install libsasl2-modules ## - Edit file /etc/postfix/main.cf and set: ## - ## - # Enable SASL authentication ## - smtp_sasl_auth_enable = yes ## - ## - # Forwarding to the ip-address of host b.mx.oopen.de ## - relayhost = [b.mx.oopen.de] ## - ## - # File including login data ## - smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd ## - ## - # Force using a TLS-secured connection ## - # obsolete - use smtp_tls_security_level instead ## - #smtp_use_tls = yes ## - #smtp_tls_enforce_peername = no ## - smtp_tls_security_level = encrypt ## - ## - # Disallow methods that allow anonymous authentication. 
## - smtp_sasl_security_options = noanonymous ## - vim /etc/postfix/main.cf ## - Enter the SASL account data into file /etc/postfix/sasl_passwd ## - ## - [b.mx.oopen.de] <user>:<password> ## - ## - Note: if relayhost is configured as above, username is of the form ## - <user>@<domain> ## - vim /etc/postfix/sasl_passwd ## - Important ## - ## - Keep the SASL client password file in /etc/postfix, and make the file ## - read+write only for root to protect the username/password combinations against ## - other users. The Postfix SMTP client will still be able to read the SASL ## - client passwords. It opens the file as user root before it drops privileges, ## - and before entering an optional chroot jail. ## - chown root:root /etc/postfix/sasl_passwd ## - chmod 600 /etc/postfix/sasl_passwd ## - Create the database file of /etc/postfix/sasl_passwd ## - postmap /etc/postfix/sasl_passwd ## - Reload postfix ## - /etc/init.d/postfix reload