Jimmy's weblog

12/5/2005

Postfix and SASL (Debian)

Filed under: — jimmy @ 5:30 am

Today I wanted to configure one of my postfix boxes to use SASL. This time I decided to use saslauthd instead of pwcheck, which I had always used before.
Let's start with the easy part: installing the packages (it's a Debian sarge server):

apt-get install postfix-tls sasl2-bin libsasl2 libsasl2-modules

Now edit /etc/default/saslauthd:

START=yes
MECHANISMS="pam"

saslauthd is not started automatically after package installation (we'll start it later)!
The next file to edit is /etc/postfix/sasl/smtpd.conf (you have to create it):

pwcheck_method: saslauthd

OK, now add these lines to /etc/postfix/main.cf to enable SASL:

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes

smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination

On Debian, Postfix's smtpd runs chrooted to /var/spool/postfix, so it cannot reach the saslauthd socket under /var/run/saslauthd. This is the tricky part: move the socket directory into the chroot and point the old path at it:

rm -r /var/run/saslauthd/
mkdir -p /var/spool/postfix/var/run/saslauthd
ln -s /var/spool/postfix/var/run/saslauthd /var/run
chgrp sasl /var/spool/postfix/var/run/saslauthd
adduser postfix sasl
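The same chroot plumbing as the five commands above, as an added example that is not part of the original post: the steps are wrapped in functions that take a root directory, so the path logic can be exercised in a scratch tree before it is run against "/" on the real server. Only the ownership step needs root and the sasl group, so it is kept separate. (Later Debian releases reach the same result by starting saslauthd with `-m /var/spool/postfix/var/run/saslauthd` via OPTIONS in /etc/default/saslauthd instead of the symlink; the symlink is what this post uses.)

```shell
#!/bin/sh
# Added example, not part of the original post: the rm/mkdir/ln/chgrp/adduser
# steps as functions parameterised by a root directory ("/" on a real box).
set -eu

# Creates the socket directory inside the Postfix queue directory (the chroot)
# and turns /var/run/saslauthd into a symlink pointing at it. Safe to re-run:
# an existing link is replaced rather than nested inside the directory.
link_saslauthd_into_chroot() {
    root="${1:-/}"; root="${root%/}"
    chroot_sock_dir="$root/var/spool/postfix/var/run/saslauthd"
    host_sock_dir="$root/var/run/saslauthd"

    mkdir -p "$chroot_sock_dir" "$root/var/run"
    # The package ships a real directory at the old path; a link must replace it.
    if [ -d "$host_sock_dir" ] && [ ! -L "$host_sock_dir" ]; then
        rm -r "$host_sock_dir"
    fi
    ln -sfn "$chroot_sock_dir" "$host_sock_dir"
    printf '%s\n' "$chroot_sock_dir"
}

# Returns 0 when /var/run/saslauthd resolves to the directory inside the chroot,
# i.e. when a chrooted smtpd will find the mux socket where saslauthd creates it.
verify_saslauthd_link() {
    root="${1:-/}"; root="${root%/}"
    expected="$root/var/spool/postfix/var/run/saslauthd"
    actual="$(readlink "$root/var/run/saslauthd" 2>/dev/null || true)"
    [ "$actual" = "$expected" ] && [ -d "$expected" ]
}

# Gives the postfix user access to the socket directory through the sasl group
# (the group is created by sasl2-bin). Needs root; not exercised by the test.
grant_postfix_access() {
    root="${1:-/}"; root="${root%/}"
    chgrp sasl "$root/var/spool/postfix/var/run/saslauthd"
    adduser postfix sasl
}

# Apply to the live system (as root) with: APPLY_SASL_CHROOT=1 sh this-script.sh
# Without the variable the script only defines the functions.
if [ "${APPLY_SASL_CHROOT:-0}" = 1 ]; then
    link_saslauthd_into_chroot /
    grant_postfix_access /
    verify_saslauthd_link / && echo "saslauthd socket directory is inside the chroot"
fi
```

After applying it, `verify_saslauthd_link /` is a quick check to run whenever the "cannot connect to saslauthd server" warning shows up in the mail log, since a package upgrade that recreates /var/run/saslauthd as a plain directory silently undoes the fix.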

Now restart postfix and start saslauthd:

/etc/init.d/postfix restart
/etc/init.d/saslauthd start

Finally, we test it using telnet. We need perl to generate the base64 string for the SASL PLAIN authentication:

perl -MMIME::Base64 -e 'print encode_base64("username\0username\0password");'
e.g.
perl -MMIME::Base64 -e 'print encode_base64("jimmy\0jimmy\0real-secret");'
amltbXkAamltbXkAcmVhbC1zZWNyZXQ=
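The same token built with only printf and base64, as an added example that is not part of the original post. The SASL PLAIN message is authzid NUL authcid NUL password (RFC 4616); the post sends the username twice, so the authorization identity defaults to the authentication identity here. A second function decodes a token and shows its fields with the password masked, which is handy for checking what a client actually sent without putting the secret into a terminal log. Function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: build and inspect the base64
# blob sent after "AUTH PLAIN" without perl.
set -eu

# Usage: sasl_plain_token AUTHCID PASSWORD [AUTHZID]
# AUTHZID defaults to AUTHCID (the post's "username\0username\0password");
# pass an explicit empty string to send no authzid, which is also valid.
sasl_plain_token() {
    authcid="$1"; password="$2"; authzid="${3-$1}"
    # \000 is the NUL separator; tr strips the newline base64 appends.
    printf '%s\000%s\000%s' "$authzid" "$authcid" "$password" | base64 | tr -d '\n'
}

# Usage: sasl_plain_fields TOKEN
# Prints "authzid=... authcid=... password=***" or fails on a malformed token
# (wrong number of NUL separators, or an empty authcid/password).
sasl_plain_fields() {
    us="$(printf '\037')"   # unit separator stands in for NUL, which shells can't hold
    decoded="$(printf '%s' "$1" | base64 -d | tr '\000' "$us")"
    seps="$(printf '%s' "$decoded" | tr -cd "$us" | wc -c | tr -d ' ')"
    if [ "$seps" -ne 2 ]; then
        echo "malformed PLAIN token: found $seps separators, expected 2" >&2
        return 1
    fi
    authzid="$(printf '%s' "$decoded" | cut -d "$us" -f1)"
    authcid="$(printf '%s' "$decoded" | cut -d "$us" -f2)"
    passwd="$(printf '%s' "$decoded" | cut -d "$us" -f3)"
    if [ -z "$authcid" ] || [ -z "$passwd" ]; then
        echo "malformed PLAIN token: authcid and password must be non-empty" >&2
        return 1
    fi
    masked="$(printf '%s' "$passwd" | sed 's/./*/g')"
    printf 'authzid=%s authcid=%s password=%s\n' "${authzid:-<none>}" "$authcid" "$masked"
}

# Example with constructed credentials (the post's own test values):
#   sasl_plain_token jimmy real-secret   -> amltbXkAamltbXkAcmVhbC1zZWNyZXQ=
```

Paste the printed token after `AUTH PLAIN` in the telnet session exactly as the post does. Keep in mind that base64 is an encoding, not encryption: both PLAIN and LOGIN hand the password to anyone who can read the connection, so on a server reachable from the internet offer them only inside STARTTLS (`smtpd_tls_auth_only = yes` in main.cf, which the postfix-tls package installed above supports).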

Then use telnet:

jimmy@reptile:~$ telnet jimmy.co.at 25
Trying 80.237.145.96...
Connected to jimmy.co.at.
Escape character is '^]'.
220 kitana.jimmy.co.at ESMTP Mailserver
ehlo reptile.g-tec.co.at
250-kitana.jimmy.co.at
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-AUTH=NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250 8BITMIME
AUTH PLAIN amltbXkAamltbXkAcmVhbC1zZWNyZXQ=
235 Authentication successful

If it doesn't work, check your logfiles. If you get something like this: "warning: SASL authentication failure: cannot connect to saslauthd server: Permission denied", then check the permissions and group ownership of /var/spool/postfix/var/run/saslauthd (it must belong to group sasl, and the postfix user must be a member of that group).