I am using Dovecot + Postfix + webmin for my mail server.
I have implemented SMTP auth:
mail:~ # telnet mail.ofinetblr.com 25
Trying 10.0.0.93...
Connected to mail.ofinetblr.com.
Escape character is '^]'.
220 mail.ofinetblr.com ESMTP Postfix
EHLO mail.ofinetblr.com
250-mail.ofinetblr.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME
auth login
334 VXNlcm5hbWU6
421 mail.ofinetblr.com Error: timeout exceeded
Connection closed by foreign host.
mail:~ # telnet mail.ofinetblr.com 25
Trying 10.0.0.93...
Connected to mail.ofinetblr.com.
Escape character is '^]'.
220 mail.ofinetblr.com ESMTP Postfix
EHLO mail.ofinetblr.com
250-mail.ofinetblr.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME
auth login
334 VXNlcm5hbWU6
bW9oYW1lZC56YWJpdWxsYQ==
334 UGFzc3dvcmQ6
bW9oYW1lZA==
235 Authentication successful
The issue is that without using auth login, the user is able to send
mail.
The authentication test is successful.
I WANT TO FORCE THE USER TO LOGIN ONLY IF HE IS AUTHENTICATED
whereas the user is able to send mails with and without authentication
Is there anyone that can help me..???
Thanks in advance
Regards,
zabi
Hi,
Not sure if it will help but I've pasted on my notes from setting up SASL
AUTH on a Debian Etch box.
Setting up authenticated SMTP access
We want to enable users to be able to send email via the server from any
location. For this we will enable SMTP AUTH - this will enable the users to
use the server to relay mail providing they provide their username and
password.
Most of the following steps were taken from 'The Book of Postfix' from No
Starch Press.
Postfix can use SASL as an authentication mechanism - and SASL can in turn
use the local accounts to verify credentials.
The basic SASL libraries are installed when Postfix is installed on Debian
Etch - it is necessary to add the libsasl2-modules package to enable SASL to
authenticate using the main methods. Postfix has SASL support built in by
default.
SASL can authenticate as a command line program - but if it is called by
Postfix then SASL will not be able to authenticate against /etc/passwd
because Postfix does not run as root. Therefore we will install sasl2-bin
and this will install the saslauthd daemon which runs as root. Therefore,
Postfix can query the saslauthd daemon which in turn queries the local
account database.
After installing libsasl2-modules and sasl2-bin...
Edited /etc/default/saslauthd and set START=yes.
Then started the daemon with /etc/init.d/saslauthd restart.
Then followed instructions which came with sasl2-bin in the DEBIAN doc file.
See
# most /usr/share/doc/sasl2-bin/README.Debian
NB - Postfix is installed chrooted by default on Debian Etch - see the
Postfix Debian doc. This means that the following steps need to be taken.
These are the instructions:
If you run a chrooted server such as Postfix and wish to use saslauthd, you
must place the saslauthd socket ("mux") inside the Postfix chroot. You must
also set correct overrides for the run directory inside the chroot, using
dpkg-statoverride. Finally, you must add the postfix user to the sasl
group.
These steps ensure that the Debian subsystems know how you want things to
be laid out.
To place the saslauthd socket inside the Postfix chroot, edit
/etc/default/saslauthd and set OPTIONS like this (you may omit -c):
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
To set the run directory using dpkg-statoverride, run this command as root:
dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd
Finally, to add the postfix user to the sasl group:
adduser postfix sasl
The init script will automatically create the run directory with the
permissions you have set using dpkg-statoverride. Please note that you must
also configure Postfix correctly. There are many options related to SASL.
See the Postfix documentation for how to do this.
Then restarted saslauthd - this seemed to take a while to restart but
eventually gets restarted.
Then tested that authentication is working with
# testsaslauthd -f /var/spool/postfix/var/run/saslauthd/mux -u username -p password
and
# testsaslauthd -f /var/spool/postfix/var/run/saslauthd/mux -u username -p badpassword
The first should be ok and the second should fail.
This shows that SASL is authenticating against a backend (which is currently
set to use PAM). This seems to check against the local user accounts which
is what is required.
Now we need to get Postfix to authenticate SMTP connections against SASL -
more specifically against saslauthd.
The following parameters were added to /etc/postfix/main.cf.
# Setting up SMTP authentication.
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
The file /etc/postfix/sasl/smtpd.conf needed to be created with the
following contents. This is actually a configuration file for SASL - it
uses small config files specific for the programs using its services. It
also seems to dictate which authentication mechanisms get offered to the
clients by Postfix.
# Global parameters
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
Then restarted Postfix and saslauthd.
It should now be possible for clients to send email using the server - they
can use TLS if required.
For extra security it is possible to force all users to use TLS when
connecting. This provides an encrypted tunnel for all traffic.
This means that the users can use their email account credentials to use the
server to send emails.
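
An added example, not part of the original notes and not Postfix code: a simplified Python model of how the smtpd_recipient_restrictions list from the notes above is read from main.cf and evaluated first-match, showing which unauthenticated clients it still accepts. The function names and the dest_is_local flag (recipient domain is one the server accepts mail for) are assumptions made for illustration.

```python
import re

# Constructed sample: the smtpd parameters quoted in the notes above.
MAIN_CF = """\
# Setting up SMTP authentication.
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,
    reject_unauth_destination
"""

def parse_main_cf(text):
    """Return {name: value}; a line starting with whitespace continues the previous one."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comments
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    params = {}
    for line in logical:
        name, sep, value = line.partition("=")
        if sep:  # a line without "=" is not a parameter and is skipped here
            params[name.strip()] = value.strip()
    return params

def restrictions(params):
    value = params.get("smtpd_recipient_restrictions", "")
    return [r for r in re.split(r"[,\s]+", value) if r]

def decide(rules, authenticated, in_mynetworks, dest_is_local):
    """Simplified model: the first matching rule wins, no match means accept."""
    for rule in rules:
        if rule == "permit_sasl_authenticated" and authenticated:
            return "permit"
        if rule == "permit_mynetworks" and in_mynetworks:
            return "permit"
        if rule == "reject_unauth_destination" and not dest_is_local:
            return "reject"
    return "permit"

if __name__ == "__main__":
    rules = restrictions(parse_main_cf(MAIN_CF))
    cases = [(False, True, False), (False, False, False),
             (False, False, True), (True, False, False)]
    for auth, net, local in cases:
        print(f"auth={auth} mynetworks={net} local_dest={local} ->",
              decide(rules, auth, net, local))
```

In this model an unauthenticated client is accepted when it connects from an address in mynetworks, or when the recipient is in a domain the server itself handles; only unauthenticated relaying from outside mynetworks is rejected.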
I am using a SUSE SLES 10.0 on my machine. I tried the steps suggested
by you.
I am not able to find dpkg-statoverride function.
Are the steps suggested by you applicable for SLES 10.0, if not is
there any way out???
Thanks in advance.
Regards,
zabi.