Archive for June, 2007

postfix smtp auth

Sunday, June 24th, 2007

this article describes how to install smtp authentication on a postfix server so that clients can authenticate before sending emails. it is copied from Jimmy’s weblog and is aimed at debian etch.

install the needed packages:

apt-get install postfix-tls sasl2-bin libsasl2-2 libsasl2-modules

edit /etc/default/saslauthd and make sure it contains these two lines:

START=yes
MECHANISMS="pam"

create and edit /etc/postfix/sasl/smtpd.conf and write this line into it:

pwcheck_method: saslauthd

in /etc/postfix/main.cf enable sasl authentication:

smtpd_sasl_auth_enable = yes 
smtpd_sasl_security_options = noanonymous 
broken_sasl_auth_clients = yes 
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination

since postfix runs in a chrooted environment we need to copy all the needed stuff into it in order for postfix to communicate with saslauthd:

rm -r /var/run/saslauthd/
mkdir -p /var/spool/postfix/var/run/saslauthd
ln -s /var/spool/postfix/var/run/saslauthd /var/run
chgrp sasl /var/spool/postfix/var/run/saslauthd
adduser postfix sasl

now let’s restart postfix and start saslauthd:

/etc/init.d/postfix restart
/etc/init.d/saslauthd start

by now your smtpauth should be working. to make sure it does, we can now base64-encode the login data of a test user on our system (this is just an encoding, not a hash) and try to connect through telnet:

perl -MMIME::Base64 -e 'print encode_base64("username\0username\0password");'
e.g.
perl -MMIME::Base64 -e 'print encode_base64("jimmy\0jimmy\0real-secret");'
amltbXkAamltbXkAcmVhbC1zZWNyZXQ=

now copy the funny string and use telnet to log in (you type the telnet command, the ehlo line and the AUTH PLAIN line; the rest is server output):

jimmy@reptile:~$ telnet jimmy.co.at 25
Trying 80.237.145.96...
Connected to jimmy.co.at.
Escape character is '^]'.
220 kitana.jimmy.co.at ESMTP Mailserver
ehlo reptile.g-tec.co.at
250-kitana.jimmy.co.at
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-AUTH=NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250 8BITMIME
AUTH PLAIN amltbXkAamltbXkAcmVhbC1zZWNyZXQ=
235 Authentication successful

if you got “authentication successful” take a deep breath and be happy it worked. it took me some time to get there ;)
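an added example, not part of the original post: the AUTH PLAIN string is only base64, so anyone who can read the session can decode it. this python sketch rebuilds and decodes the token from the test above and checks the EHLO reply from the session for password-carrying mechanisms offered without STARTTLS. the function names are made up for this example.

```python
import base64

# mechanisms that put the password itself on the wire (base64 only)
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}

# EHLO reply copied from the telnet session in the post
EHLO_REPLY = """250-kitana.jimmy.co.at
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-AUTH=NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250 8BITMIME""".splitlines()

def encode_auth_plain(user, password, authzid=None):
    """base64(authzid NUL authcid NUL password), as the perl one-liner does."""
    authzid = user if authzid is None else authzid
    raw = "\0".join((authzid, user, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def decode_auth_plain(token):
    """reverse the encoding; no key or secret is needed."""
    parts = base64.b64decode(token, validate=True).split(b"\0")
    if len(parts) != 3:
        raise ValueError("not an AUTH PLAIN token")
    return tuple(p.decode("utf-8") for p in parts)

def audit_ehlo(lines, tls_active=False):
    """list AUTH mechanisms and flag cleartext ones offered without TLS."""
    mechs, starttls = set(), False
    for line in lines:
        if not line.startswith("250"):
            continue
        # "AUTH=..." is the legacy form enabled by broken_sasl_auth_clients
        words = line[4:].replace("=", " ").split()
        if not words:
            continue
        if words[0].upper() == "STARTTLS":
            starttls = True
        elif words[0].upper() == "AUTH":
            mechs.update(w.upper() for w in words[1:])
    exposed = [] if tls_active else sorted(mechs & CLEARTEXT_MECHS)
    return {"mechanisms": sorted(mechs), "starttls": starttls, "exposed": exposed}

if __name__ == "__main__":
    token = encode_auth_plain("jimmy", "real-secret")
    print(token, "->", decode_auth_plain(token))
    print(audit_ehlo(EHLO_REPLY))
```

on the reply above it reports LOGIN and PLAIN as exposed, because no STARTTLS line is advertised. postfix’s smtpd_tls_auth_only = yes restricts AUTH to TLS sessions.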

if you can’t log in it’s always a good idea to check your logs. although i must confess they didn’t really say a lot in my case.
one other thing that could be needed is to add a user to the saslauthd database. i don’t know if that is needed because i did it before in one of my unsuccessful tries. so maybe that was helpful, maybe not. just in case it’s needed, here’s what i did:

add a user to the saslauthd db:

saslpasswd2 -c -u my.mail.server -a smtpauth username

now test to see if the user’s there:

sasldblistusers2

see if it works now. if it still doesn’t, it is probably because postfix can’t see or access the sasl db from its chrooted environment. so try to copy /etc/sasldb2 to the chroot environment:

cp /etc/sasldb2 /var/spool/postfix/etc/

try again. if it’s still not working change the owner of /var/spool/postfix/etc/sasldb2 to postfix and try again.

still without success? continue to google :) .. that’s all i did and it now works on my server and i am happy it does and i don’t want to touch it anymore ;)

sending emails with attachments from linux command line

Tuesday, June 5th, 2007