SASL

How to enable user authentication for a Postfix SMTP server with SASL

#  yum -y install cyrus*

#  vi main.cf

##SASL

smtpd_sasl_auth_enable = yes

broken_sasl_auth_clients = yes

smtpd_sasl_type = dovecot

smtpd_sasl_path = private/auth

smtpd_sasl_security_options = noanonymous

# SMTPD CLIENT RESTRICTIONS

smtpd_client_restrictions = permit_mynetworks check_client_access hash:/etc/postfix/access reject_unauth_pipelining permit_inet_interfaces

Configure Postfix to listen on TCP port 25 and on ports 26/456

# vi /etc/postfix/master.cf

Line numbers refer to master.cf; remove the leading # from the lines shown uncommented below.

      15   #tlsproxy  unix  -       -       n       -       0       tlsproxy

     16   submission inet n       -       n       -       -       smtpd

     17   #  -o syslog_name=postfix/submission

     18   #  -o smtpd_tls_security_level=encrypt

     19      -o smtpd_sasl_auth_enable=yes

     20      -o smtpd_reject_unlisted_recipient=no

     21   #  -o smtpd_client_restrictions=$mua_client_restrictions

     22   #  -o smtpd_helo_restrictions=$mua_helo_restrictions

     23      -o smtpd_sender_restrictions=$mua_sender_restrictions

     24      -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

     25   #  -o milter_macro_daemon_name=ORIGINATING

     26   smtps     inet  n       -       n       -       -       smtpd

     27   #  -o syslog_name=postfix/smtps

     28   #  -o smtpd_tls_wrappermode=yes

     29      -o smtpd_sasl_auth_enable=yes

     30      -o smtpd_reject_unlisted_recipient=no

     31   #  -o smtpd_client_restrictions=$mua_client_restrictions

     32   #  -o smtpd_helo_restrictions=$mua_helo_restrictions

     33   #  -o smtpd_sender_restrictions=$mua_sender_restrictions

     34      -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

     35   #  -o milter_macro_daemon_name=ORIGINATING

     36   #628       inet  n       -       n       -       -       qmqpd

Last updated on January 28, 2014. Authored by Sarmed Rahman.

Every mail server administrator dreads his or her server becoming compromised by spammers. A lot of effort, time and even money is spent on securing mail servers and making sure that the servers do not become open relay.

To combat spambots on an SMTP server, Postfix in general uses the mynetworks parameter to specify the trusted sender network, i.e., the LAN. In a typical scenario, the users stationed on the internal LAN are legitimate users, and Postfix will happily accept SMTP requests from them and forward the emails towards their destination. Although this used to be the standard practice in the past, today's users want mobility. Everyone wants to be able to send and receive emails on their phones, tablets and laptops at work, at home, on the go, or even from their favorite coffee shop around the corner. For people working in the field for critical services, a simple email alert can save a lot of time, effort and money.

To cope with the need for mobility, Postfix started to support another method of validating users. Simple Authentication and Security Layer (SASL) is a framework that can be used by many connection-oriented Internet protocols for securing data, servers and users. With SASL enabled, Postfix will not accept any incoming SMTP connections without proper authentication. As a smart spammer can imitate a legitimate email account, no SMTP is accepted without authentication, even from internal users.

This tutorial will focus on setting up a Postfix SMTP server to use Dovecot SASL for user authentication. As Dovecot provides mechanisms for user authentication, Postfix will simply ask Dovecot to do the work for it. That way, there is no need to re-invent the wheel.

Prerequisites

Preparing Dovecot

Backing up configuration files prior to modification is always a good idea.

Since Dovecot will be the one doing most of the work, we will start configuration with Dovecot.

First of all, a listener is added to Dovecot. Postfix will use this listener to communicate with Dovecot.

root@mail:~# vim /etc/dovecot/conf.d/10-master.conf

## The listener is added under the service auth section ##
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  } ## end listener
} ## end service auth

The above definition places the socket to be used by Postfix at /var/spool/postfix/private/auth with permission 0660 for Postfix only.

root@mail:~# vim /etc/dovecot/conf.d/10-auth.conf

auth_mechanisms = plain login

The above parameter enables the PLAIN and LOGIN authentication mechanisms that Postfix will offer.

Finally, for the changes to take effect, we restart the Dovecot service as follows.

root@mail:~# service dovecot restart

Preparing Postfix

The necessary SSL/TLS and SASL parameters are added to the configuration file main.cf.

root@mail:~# vim /etc/postfix/main.cf

#### SASL ####
## specify SASL type ##
smtpd_sasl_type = dovecot

## path to the SASL socket relative to postfix spool directory i.e. /var/spool/postfix ##
smtpd_sasl_path = private/auth

## postfix appends the domain name for SASL logins that do not have the domain part ##
smtpd_sasl_local_domain = example.tst

## SASL default policy ##
smtpd_sasl_security_options = noanonymous

## for legacy application compatibility ##
broken_sasl_auth_clients = yes

## enable SMTP auth ##
smtpd_sasl_auth_enable = yes

## smtp checks ##
## these checks are based on first match, so sequence is important ##
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

The official guideline can be consulted for more details on available parameters and their function.

SSL/TLS specific parameters are added to the server as well.

root@mail:~# vim /etc/postfix/main.cf

#### SSL/TLS parameters ####
## 'encrypt' will enforce SSL. Not recommended for live servers ##
smtpd_tls_security_level = may
#smtpd_tls_security_level = encrypt

smtpd_tls_received_header = yes
smtpd_tls_auth_only = no

## loglevel 3 or 4 can be used during troubleshooting ##
smtpd_tls_loglevel = 1

## path to certificate and key file ##
smtpd_tls_cert_file = /etc/ssl/certs/postfixcert.pem
smtpd_tls_key_file = /etc/ssl/private/postfixkey.pem
smtpd_use_tls = yes

## server will announce STARTTLS ##
smtp_tls_note_starttls_offer = yes

smtpd_tls_session_cache_timeout = 3600s

Now Postfix is reloaded with updated settings.

root@mail:~# service postfix restart

At this point, Postfix will not allow SMTP connections without authentication.

Mail User Agent Configuration

Your mail client is configured with mandatory authentication for SMTP as shown below.

Troubleshooting

If SASL is not working correctly, the following troubleshooting may help.

Enabling Verbose Postfix Logs

To increase the level of output in Postfix log, the "-v" parameter can be added in the following file.

root@mail:/etc/postfix# vim /etc/postfix/master.cf

smtp      inet  n       -       -       -       -       smtpd -v

Now there should be more verbose information in the log file at /var/log/mail.log, which can help with the troubleshooting process.

Telnet to port 25

A telnet connection to port 25 should be successful.

$ telnet mail.example.tst 25

ehlo mail.example.tst
250-mail.example.tst
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Amongst other features that the SMTP server advertises, the STARTTLS and AUTH features should be available.

Sending mail over telnet without authenticating should fail, since no authentication information is sent to the server.

$ telnet mail.example.tst 25

ehlo mail.example.tst
mail from:sarmed@example.tst
250 2.1.0 Ok
rcpt to:sarmed@example.tst
554 5.7.1 : Relay access denied

Tuning parameter – mynetworks

Earlier in the tutorial, the Postfix server was configured to allow SMTP connections originated in the trusted network i.e., mynetworks, as shown in /etc/postfix/main.cf.

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

To make sure that mails originating from mynetworks do not pass through unauthenticated, /etc/postfix/main.cf can be modified as follows.

smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination

Based on the requirements, permit_mynetworks can be allowed or denied later on.
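As an added check (not part of the original tutorial), the script below parses a main.cf fragment like the SASL/TLS blocks above and reports settings that weaken the "no SMTP without authentication" goal, including the permit_mynetworks ordering discussed in this section and the smtpd_tls_auth_only setting that decides whether AUTH is offered before STARTTLS. The sample configuration is constructed from the tutorial's values.

```python
import re

# Constructed main.cf fragment mirroring the tutorial's SASL/TLS settings.
SAMPLE_MAIN_CF = """\
# SASL
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination
# TLS
smtpd_tls_security_level = may
smtpd_tls_auth_only = no
smtpd_use_tls=yes
"""

def parse_main_cf(text):
    """Parse 'key = value' lines; indented lines continue the previous value."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last:          # Postfix continuation line
            params[last] += " " + raw.strip()
            continue
        key, _, value = raw.partition("=")
        last = key.strip()
        params[last] = value.strip()
    return params

def audit_sasl(params):
    """Return findings that weaken mandatory SMTP authentication."""
    findings = []
    if params.get("smtpd_sasl_auth_enable") != "yes":
        findings.append("SASL auth is not enabled")
    if "noanonymous" not in params.get("smtpd_sasl_security_options", ""):
        findings.append("anonymous SASL mechanisms are not disabled")
    if params.get("smtpd_tls_auth_only") != "yes":
        findings.append("smtpd_tls_auth_only is not 'yes': AUTH is offered before "
                        "STARTTLS, so PLAIN/LOGIN passwords may cross the wire in clear")
    restr = [r for r in re.split(r"[,\s]+", params.get("smtpd_recipient_restrictions", "")) if r]
    if "permit_sasl_authenticated" not in restr:
        findings.append("permit_sasl_authenticated missing from smtpd_recipient_restrictions")
    if not any(r.startswith("reject") for r in restr):
        findings.append("no reject_* rule terminates smtpd_recipient_restrictions")
    if ("permit_mynetworks" in restr and "permit_sasl_authenticated" in restr
            and restr.index("permit_mynetworks") < restr.index("permit_sasl_authenticated")):
        findings.append("permit_mynetworks precedes permit_sasl_authenticated: "
                        "LAN clients relay without authenticating")
    return findings
```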

To sum up, SASL can provide additional security to a mail server by enforcing mandatory authentication of users for SMTP requests. As users may use a mail server from anywhere, SASL can meet security requirements without conflicting with the mobility of users.

#############################################################################################################

1. Install all required packages

yum install cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi cyrus-sasl-md5 cyrus-sasl-plain postfix

1b. Backup default postfix config

cp /etc/postfix/main.cf /etc/postfix/main.cf_orig

2. Configure SMTP-AUTH and TLS using postconf

/usr/sbin/postconf -e 'smtpd_sasl_local_domain ='

/usr/sbin/postconf -e 'smtpd_sasl_auth_enable = yes'

/usr/sbin/postconf -e 'smtpd_sasl_security_options = noanonymous'

/usr/sbin/postconf -e 'broken_sasl_auth_clients = yes'

/usr/sbin/postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'

/usr/sbin/postconf -e 'inet_interfaces = all'

/usr/sbin/postconf -e 'mynetworks = 127.0.0.0/8, 10.50.1.0/24'

3. Set postfix to allow LOGIN and PLAIN logins.

vim /usr/lib/sasl2/smtpd.conf (32-bit)

vim /usr/lib64/sasl2/smtpd.conf (64-bit)

pwcheck_method: saslauthd

mech_list: plain login

4. Create key for SSL certificate signing request

mkdir /etc/postfix/ssl

cd /etc/postfix/ssl/

openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024

chmod 600 smtpd.key

5. Create the signing request with the key

openssl req -new -key smtpd.key -out smtpd.csr

6. Create the SSL certificate with the signing request and the key

openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt

7. Create an unencrypted copy of the RSA key

openssl rsa -in smtpd.key -out smtpd.key.unencrypted

mv smtpd.key.unencrypted smtpd.key

8. Create CA key and cert

openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

9. Configure postfix for TLS

/usr/sbin/postconf -e 'smtpd_tls_auth_only = no'

/usr/sbin/postconf -e 'smtp_use_tls = yes'

/usr/sbin/postconf -e 'smtpd_use_tls = yes'

/usr/sbin/postconf -e 'smtp_tls_note_starttls_offer = yes'

/usr/sbin/postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'

/usr/sbin/postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'

/usr/sbin/postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'

/usr/sbin/postconf -e 'smtpd_tls_loglevel = 1'

/usr/sbin/postconf -e 'smtpd_tls_received_header = yes'

/usr/sbin/postconf -e 'smtpd_tls_session_cache_timeout = 3600s'

/usr/sbin/postconf -e 'tls_random_source = dev:/dev/urandom'

10. Set the server's hostname and mydomain in the postfix config

/usr/sbin/postconf -e 'myhostname = vsv01.atbnet.local'

/usr/sbin/postconf -e 'mydomain = atbnet.local'

11. Check through the postfix config

more /etc/postfix/main.cf

12. Create DNS entry in your domain zone file (e.g. smtp.atbnet.local)

smtp IN A 10.50.1.50

13. Stop sendmail and start postfix and saslauthd

/etc/init.d/sendmail stop

/etc/init.d/postfix start

/etc/init.d/saslauthd start

14. Check maillog for errors/failures and correct startup

tail /var/log/maillog

....

Mar 10 04:21:55 vsv01 sendmail[6074]: alias database /etc/aliases rebuilt by andy

Mar 10 04:21:55 vsv01 sendmail[6074]: /etc/aliases: 76 aliases, longest 10 bytes, 765 bytes total

Mar 10 04:21:55 vsv01 postfix/postfix-script: starting the Postfix mail system

Mar 10 04:21:55 vsv01 postfix/master[6120]: daemon started -- version 2.3.3, configuration /etc/postfix

....

15. Configure services to start at required runlevels

/sbin/chkconfig --level 345 sendmail off

/sbin/chkconfig --level 345 postfix on

/sbin/chkconfig --level 345 saslauthd on

16. Test that postfix is running, accepting connections and SMTP-AUTH/TLS is working

telnet localhost 25

Trying 127.0.0.1...

Connected to localhost.localdomain (127.0.0.1).

Escape character is '^]'.

220 vsv01.atbnet.local ESMTP Postfix

ehlo localhost

250-vsv01.atbnet.local

250-PIPELINING

250-SIZE 10240000

250-VRFY

250-ETRN

250-STARTTLS

250-AUTH PLAIN LOGIN

250-AUTH=PLAIN LOGIN

250-ENHANCEDSTATUSCODES

250-8BITMIME

250 DSN

quit

221 2.0.0 Bye

Connection closed by foreign host.

If the following lines appear in the server's EHLO response, then TLS and PLAIN/LOGIN authentication are configured correctly:

250-STARTTLS

250-AUTH PLAIN LOGIN
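As an added helper (not part of either tutorial), the script below parses an EHLO reply such as the ones shown in this step and in the earlier telnet test, confirms that STARTTLS and AUTH PLAIN/LOGIN are advertised, and flags the case where AUTH is already offered on the cleartext session. The sample reply is constructed from the output above; fetch_ehlo performs the same check against a live server, and the hostname it sends in EHLO is a hypothetical placeholder.

```python
import socket

# Constructed EHLO reply mirroring the extension list from the telnet test above.
SAMPLE_EHLO_REPLY = (
    "250-vsv01.atbnet.local\r\n250-PIPELINING\r\n250-SIZE 10240000\r\n"
    "250-VRFY\r\n250-ETRN\r\n250-STARTTLS\r\n250-AUTH PLAIN LOGIN\r\n"
    "250-AUTH=PLAIN LOGIN\r\n250-ENHANCEDSTATUSCODES\r\n250-8BITMIME\r\n250 DSN\r\n"
)

def parse_ehlo(reply):
    """Map each advertised ESMTP keyword to the set of its parameters."""
    exts = {}
    for line in reply.splitlines()[1:]:      # line 0 carries only the hostname
        body = line[4:]                       # drop the "250-" / "250 " prefix
        kw, _, params = body.partition(" ")
        if "=" in kw:                         # legacy "AUTH=PLAIN LOGIN" form
            kw, first = kw.split("=", 1)
            params = (first + " " + params).strip()
        exts.setdefault(kw, set()).update(params.split())
    return exts

def check_auth_offer(exts, tls_active=False):
    """Return findings about how the server offers authentication on this session."""
    findings = []
    if "STARTTLS" not in exts and not tls_active:
        findings.append("STARTTLS not advertised")
    mechs = exts.get("AUTH", set())
    if not {"PLAIN", "LOGIN"} <= mechs:
        findings.append("AUTH PLAIN/LOGIN not advertised")
    elif not tls_active:
        findings.append("AUTH advertised on a cleartext session; set "
                        "smtpd_tls_auth_only = yes to offer it only after STARTTLS")
    return findings

def fetch_ehlo(host, port=25, timeout=5.0):
    """Live check: connect, send EHLO, return the raw multi-line reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        f.readline()                          # 220 greeting banner
        s.sendall(b"EHLO audit.example.invalid\r\n")   # hypothetical client name
        lines = []
        while True:
            line = f.readline().decode("ascii", "replace")
            lines.append(line)
            if line[3:4] != "-":              # "250 " (space) ends the reply
                break
        s.sendall(b"QUIT\r\n")
        return "".join(lines)
```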

17. Check firewall rules allow port 25

/sbin/iptables -nvL

/etc/sysconfig/iptables

-A INPUT -i lo -j ACCEPT

-A INPUT -s 10.50.1.0/255.255.255.0 -p tcp --dport 25 -j ACCEPT