I found most helpful. The short form (If this is any help let me know):
1. Compile Cyrus-SASL per its instructions. A straight:
./configure
make
make install
ln -s /usr/local/lib/sasl /usr/lib/sasl
Will do for most installs I think. I chose to use sasldb, setting up
passwords with saslpw. You might have to run it a few times at first to
initialize the database (took 3 tries for me).
Then you probably want to test just that part. In <sasl-src>/sample there is
a server and client program. If this works, then move onto postfix.
You will want to (this is taken from the above document):
Building Postfix with SASL authentication support
=================================================
To build Postfix with SASL authentication support, the following
assumes that the Cyrus SASL include files are in /usr/local/include,
and that the Cyrus SASL libraries are in /usr/local/lib. On some systems
this generates the necessary Makefile definitions:
% make tidy # if you have left-over files from a previous build
% make makefiles CCARGS="-DUSE_SASL_AUTH -I/usr/local/include" \
    AUXLIBS="-L/usr/local/lib -lsasl"
------------------------
Now create /usr/local/lib/sasl/smtpd.conf with the line:
pwcheck_method: sasldb
-----------
See conf/sample-sasl.cf for examples.
In order to enable SASL support in the SMTP server:
/etc/postfix/main.cf:
smtpd_sasl_auth_enable = yes
In order to allow mail relaying by authenticated clients:
/etc/postfix/main.cf:
smtpd_recipient_restrictions =
permit_mynetworks permit_sasl_authenticated ...
----------------
To test this:
$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 bushmills.chillyjim.org ESMTP Postfix
ehlo localhost
250-bushmills.chillyjim.org
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250 8BITMIME
The line you are looking for is the
"250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5" line.
This means that the auth part is enabled. Now, to make sure it works, you
can generate your encrypted password for plain auth with:
printf 'username\0username\0password' | mmencode
- or -
perl -MMIME::Base64 -e \
'print encode_base64("username\0username\0password");'
(MIME::Base64 is available from CPAN in case you don't have it).
So if your username is "user" and password is "pass":
$ perl -MMIME::Base64 -e 'print encode_base64("user\0user\0pass");'
dXNlcgB1c2VyAHBhc3M=
------
%telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 bushmills.chillyjim.org ESMTP Postfix
ehlo localhost
250-bushmills.chillyjim.org
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250 8BITMIME
auth plain dXNlcgB1c2VyAHBhc3M=
235 Authentication successful
-----
Now if this works you win!! If not shout and I'll try to help.
-
To unsubscribe, send mail to majo...@postfix.org with content
(not subject): unsubscribe postfix-users
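Added example, not part of the original post: it parses the EHLO reply shown above for the advertised AUTH mechanisms and builds the AUTH PLAIN token, then decodes it again. The decode step shows that the token is plain base64 and gives the password back to anyone who can read the session, so PLAIN and LOGIN should only be offered over a protected connection. The function names are made up for this illustration.

```python
import base64

# Constructed sample: the EHLO reply from the telnet session in the post above.
EHLO_REPLY = """\
250-bushmills.chillyjim.org
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250 8BITMIME
"""


def advertised_auth_mechanisms(ehlo_reply):
    """Return the SASL mechanisms listed on the AUTH line of an EHLO reply."""
    mechs = []
    for line in ehlo_reply.splitlines():
        # Reply lines are "250-keyword args", or "250 keyword args" for the last one.
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            continue
        words = line[4:].split()
        if words and words[0].upper() == "AUTH":
            mechs.extend(w.upper() for w in words[1:])
    return mechs


def encode_plain(authzid, authcid, password):
    """Build the AUTH PLAIN token: base64(authzid NUL authcid NUL password)."""
    for field in (authzid, authcid, password):
        if "\0" in field:
            raise ValueError("NUL is the field separator and cannot appear in a field")
    raw = "\0".join((authzid, authcid, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_plain(token):
    """Reverse encode_plain; raises ValueError on a malformed token."""
    raw = base64.b64decode(token, validate=True)
    parts = raw.split(b"\0")
    if len(parts) != 3:
        raise ValueError("expected exactly three NUL-separated fields")
    return tuple(p.decode("utf-8") for p in parts)


def cleartext_equivalent(mechs):
    """Mechanisms that send the password itself, only base64-encoded."""
    return [m for m in mechs if m in ("PLAIN", "LOGIN")]
```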
The documentation on how to configure SASL for Postfix is thin,
mainly because the SASL software provides little documentation.
Wietse
I'm assuming these people have some sort of ISP.
> I'm currently trying to switch from an old sendmail server
> to a new server (FreeBSD4.4) running postfix because
> the old sendmail server is an open relay. I host a few
> small domains in an attempt to defray connection costs.
> This means that some clients, not in my domain or
> ip subnet connect using various different dialup providers
> need access to the SMTP server. (I also need access to
> it when on the road with my laptop.)
>
> This seemed to rule out the domain and ip limiting features,
> and push me towards "POP before SMTP" or SMTP
> AUTH. "POP before" seemed like a bit of a kludge,
> whereas SMTP AUTH seemed like exactly what I was
> looking for. Require clients to login before sending
> email, exactly like logging in before accessing a POP3 account.
> Seems like this ought to be simple.
>
> So, I've been trying to understand it, but can find very
> little info on SMTP AUTH. There is a sample-auth.cf
> file, but this seems to be ONLY good for explaining the
> options to someone who already understands them and
> knows how to use them. There doesn't seem to be any
> documentation of them on the postfix.org site, but there
> was a link to a smtp-auth.txt file by D.Ganger. I've been
> reading this, but get confused about configuring the
> Server vs the Client.
>
> If I understand it, the Server, smtpd will handle incoming
> from users or other servers. Clients who pass the SMTP
> AUTH will be able to send. Servers should only be
> sending to my Server if they are sending to an email
> account it handles. What about the Client section? This
> must address when my server sends email to other
> servers. But how/who gets authorized at this point?
> I know the client sending the email has passed AUTH.
> So at that point postfix tries to send his outgoing email
> to another server, it is acting like a Client. What does it
> authorize? It already knows that it is itself sending it, so
> why would it need to authorize itself? The other option
> would be to authorize that the other email server it is
> sending to is ok, but this would just limit acceptable
> outgoing connections I guess. In this case would the
> Server that my server is trying to send to have to have
> an account (or passwd entry, or whatever) on my server?
> Can I just ignore the client settings?
>
> Is there any simple, "here are the settings" documents
> for implementing this? With sendmail I found lots of
> documents explaining background as well as straight
> forward HOWTO lists, and even bought a massive reference
> book. Somewhere there ought to be a postfix for dummies
> reference. I don't really want to be a postfix expert, I just
> want to set it up "right" and then ignore it because it is
> working perfectly...
>
> Thanks in advance, Cla.
>
--
Nick Rout <ni...@rout.co.nz>
> 1. Compile Cyrus-SASL per its instructions. A straight:
>
> ./configure
--with-pwcheck
--
Ralf Hildebrandt Tel. +49 (0)30-450 570-155
Fax. +49 (0)30-450 570-916
"Those who do not understand UNIX are condemned to reinvent it -- badly."
-- Henry Spencer
> If I understand it, the Server, smtpd will handle incoming
> from users or other servers.
Yes.
> Clients who pass the SMTP
> AUTH will be able to send. Servers should only be
> sending to my Server if they are sending to an email
> account it handles.
No. With SMTP AUTH, the server will handle ANY request for the client, if
the client authenticated successfully.
> What about the Client section? This
> must address when my server sends email to other
> servers.
Correct.
> But how/who gets authorized at this point?
Why do you care? You don't need this.
> I know the client sending the email has passed AUTH.
> So at that point postfix tries to send his outgoing email
> to another server, it is acting like a Client. What does it
> authorize?
It authorizes against the remote server in order to be able to relay via it.
> It already knows that it is itself sending it, so
> why would it need to authorize itself?
Because the other server won't relay otherwise?
> Can I just ignore the client settings?
Definitely.
--
Ralf Hildebrandt Tel. +49 (0)30-450 570-155
Fax. +49 (0)30-450 570-916
PowerPoint & Windows. Office and NT - I might like'em more after my lobotomy
CB> I'm currently trying to switch from an old sendmail server
CB> to a new server (FreeBSD4.4) running postfix because
CB> the old sendmail server is an open relay. I host a few
0) your dialup friends should be using their dialup service's SMTP
servers. They only need you for POP or forwarding of email.
1) install postfix-current from ports using source. specify that you
want SASL and DB3 support, and make sure that the SASL build also
specifies DB3 support.
2) decide if you want to use your password database or a private
database to authenticate your users. I use my password database.
I will assume you do too.
3) create an entry using the saslpasswd program. it can be anything
since it will not be used, but SASL libs insist it exist. go
figure.
4) start pwcheck daemon: /usr/local/etc/rc.d/pwcheck.sh start
5) ensure that /var/pwcheck/pwcheck has perms for postfix to
read/write to it.
6) create /usr/local/lib/sasl/smtpd.conf with the contents of one
line: "pwcheck_method: pwcheck" without the quotes.
7) configure postfix to use SASL auth as per postfix docs, and restart
postfix.
It should work now. I hope I didn't leave out any steps...