Saturday, February 18, 2006

Allowing authentication with postfix

I’m running my own mail server at berrier.org. Doing this has been fantastic for spam filtering and mail processing. For spam, I use SpamAssassin as well as greylisting, as suggested by Andrew. I get very little spam.

There are several ways to set up SASL authentication in Postfix. I could authenticate users against a sasldb, but then I would have to maintain two sets of accounts (the /etc/passwd accounts as well as the sasldb). Also, with a sasldb users must log in as user@host, whereas my normal logins are just user, and I want some consistency. So I want saslauthd checking passwords against PAM. The one drawback is that saslauthd only verifies plaintext passwords, so the only mechanisms available with it are PLAIN and LOGIN. I don’t feel good about sending passwords over the wire in the clear, so I’m also going to configure Postfix to offer AUTH only on TLS-protected connections.

I had some trouble getting Postfix to find the saslauthd socket. This page had the answers:

http://www.howtoforge.com/perfect_setup_debian_sarge_p4

You have to change the saslauthd setup so that its socket lives inside the Postfix chroot: on Debian, smtpd runs chrooted in /var/spool/postfix, so a socket at the default /var/run/saslauthd is invisible to it.

So, in /etc/postfix/sasl/smtpd.conf:

pwcheck_method: saslauthd
mech_list: plain login

And for /etc/postfix/main.cf:

# SASL authentication
# permit_sasl_authenticated must also be in smtpd_recipient_restrictions
# (before reject_unauth_destination) for authenticated relaying to work
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
# And now for offering AUTH only over TLS
# Update: do NOT use the next line. smtpd_enforce_tls demands TLS from every
# client, including other mail servers, so anyone without TLS cannot deliver to you.
#smtpd_enforce_tls = yes
# This is what I actually intended: advertise AUTH only after STARTTLS
smtpd_tls_auth_only = yes
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
#smtpd_tls_key_file = /etc/ssl/smtpd.key
smtpd_tls_key_file = /etc/ssl/private/dovecot.pem
smtpd_tls_cert_file = /etc/ssl/certs/dovecot.pem
#smtpd_tls_CAfile = /etc/ssl/cert/dovecot.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

As for the modifications to saslauthd, check the link above; it explains them well. One note for newer installs: from Postfix 2.3 on, smtpd_use_tls and smtpd_enforce_tls are superseded by smtpd_tls_security_level (may for opportunistic, encrypt for mandatory), but smtpd_tls_auth_only works the same way.
That’s it! Now, if I could just send email without getting blocked by SORBS…

Note: In order to authenticate with Evolution, you must select “Whenever Possible” under “Use Secure Connection” in the “Sending Email” tab. I’m not sure exactly why this is, but the other options don’t seem to work. What the server side requires is STARTTLS on port 25 before it will advertise AUTH at all, so the client has to be set to negotiate STARTTLS rather than skip TLS or expect SSL on a separate port.
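To check the result from the outside rather than by reading main.cf, here is a small probe I added; it is not code from the original post. It verifies the two properties smtpd_tls_auth_only is meant to give you (no AUTH advertised on a cleartext session, AUTH advertised after STARTTLS) and also catches the smtpd_enforce_tls mistake described in the comments, where a cleartext MAIL FROM is answered with 530 and every MTA without TLS is locked out. The host name, the probe sender address and the sample EHLO replies are made up for the example.

```python
"""Probe an SMTP server for the AUTH/TLS policy configured in this post.

Added example, not from the original post.  The sample EHLO replies below are
constructed to look like a correctly configured Postfix; the live probe in
probe() talks to a real server given on the command line.
"""
import smtplib
import ssl
import sys

# Constructed EHLO replies, as a correctly configured server would answer.
# Postfix with broken_sasl_auth_clients = yes emits both "AUTH" and "AUTH=".
SAMPLE_CLEARTEXT_EHLO = (
    "250-mail.example.org\n"
    "250-PIPELINING\n"
    "250-SIZE 10240000\n"
    "250-STARTTLS\n"
    "250 8BITMIME"
)
SAMPLE_TLS_EHLO = (
    "250-mail.example.org\n"
    "250-PIPELINING\n"
    "250-SIZE 10240000\n"
    "250-AUTH PLAIN LOGIN\n"
    "250-AUTH=PLAIN LOGIN\n"
    "250 8BITMIME"
)


def ehlo_extensions(reply):
    """Return the lower-case extension keywords from a raw EHLO reply.

    The first line carries the server name, not an extension.  The legacy
    "AUTH=PLAIN" form is folded into plain "auth".
    """
    exts = set()
    for line in reply.splitlines()[1:]:
        if line.startswith("250") and len(line) > 4:
            exts.add(line[4:].split()[0].split("=")[0].lower())
    return exts


def assess(cleartext_exts, mail_from_code, tls_exts):
    """Turn one session's observations into pass/fail findings (True = good)."""
    return {
        # AUTH on cleartext would let PLAIN/LOGIN passwords cross the wire unprotected.
        "no_auth_on_cleartext": "auth" not in cleartext_exts,
        # 530 here is "Must issue a STARTTLS command first": smtpd_enforce_tls is
        # on and ordinary MTAs cannot deliver to you.
        "cleartext_mail_accepted": mail_from_code != 530,
        "starttls_offered": "starttls" in cleartext_exts,
        "auth_after_starttls": "auth" in tls_exts,
    }


def probe(host, port=25, timeout=15):
    """Live session: EHLO, MAIL FROM, RSET, STARTTLS, EHLO.  No mail is sent."""
    ctx = ssl.create_default_context()
    # The post uses a self-signed Dovecot certificate, so the probe does not
    # verify it; a real client should trust or pin that certificate instead.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE

    s = smtplib.SMTP(host, port, timeout=timeout)
    try:
        s.ehlo()
        cleartext_exts = set(s.esmtp_features)  # smtplib lower-cases the keywords
        code, _ = s.docmd("MAIL FROM:<probe@example.invalid>")  # placeholder sender
        s.rset()  # Postfix refuses STARTTLS while a mail transaction is open
        tls_exts = set()
        if "starttls" in cleartext_exts:
            s.starttls(context=ctx)
            s.ehlo()  # features must be re-read over the encrypted session
            tls_exts = set(s.esmtp_features)
        return assess(cleartext_exts, code, tls_exts)
    finally:
        try:
            s.quit()
        except (smtplib.SMTPException, OSError):
            pass


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.org"
    for finding, ok in probe(target).items():
        print(f"{'OK  ' if ok else 'FAIL'} {finding}")
```

Run it as `python3 probe.py your.mail.host` from a machine outside your network. All four findings should print OK; a FAIL on cleartext_mail_accepted is exactly the smtpd_enforce_tls problem Andrew hit, and a FAIL on no_auth_on_cleartext means PLAIN/LOGIN passwords are being accepted without TLS.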


Comments:

  1. Andrew Jorgensen Says:

    I’m sorry to have to report that I couldn’t send you a mail today because you’re requiring TLS on incoming connections from other mail hosts as well. I would tell you by email but well…

  2. wberrier Says:

    Doh! Thank you. Wow, and I thought I wasn’t getting any email because of my exceptional spam filtering!
