Postfix SASL Howto


WARNING

People who go to the trouble of installing Postfix may have the expectation that Postfix is more secure than some other mailers. The Cyrus SASL library is a lot of code. With this, Postfix becomes as secure as other mail systems that use the Cyrus SASL library. Dovecot provides an alternative that may be worth considering.

How Postfix uses SASL authentication information

Postfix SASL support (RFC 4954, formerly RFC 2554) can be used to authenticate remote SMTP clients to the Postfix SMTP server, and to authenticate the Postfix SMTP client to a remote SMTP server.

When receiving mail, the Postfix SMTP server logs the client-provided username, authentication method, and sender address to the maillog file, and optionally grants mail access via the permit_sasl_authenticated UCE restriction.

When sending mail, the Postfix SMTP client can look up the remote SMTP server hostname or destination domain (the address right-hand part) in a SASL password table, and if a username/password is found, it will use that username and password to authenticate to the remote SMTP server. And as of version 2.3, Postfix can be configured to search its SASL password table by the sender email address.

This document covers the following topics:

What SASL implementations are supported

This document describes Postfix with the following SASL implementations:

Postfix version 2.3 introduces a plug-in mechanism that provides support for multiple SASL implementations. To find out what implementations are built into Postfix, use the following commands:

% postconf -a (SASL support in the SMTP server)
% postconf -A (SASL support in the SMTP+LMTP client)

Needless to say, these commands are not available in earlier Postfix versions.

Building Postfix with Dovecot SASL support

These instructions assume that you build Postfix from source code as described in the INSTALL document. Some modification may be required if you build Postfix from a vendor-specific source package.

Support for the Dovecot version 1 SASL protocol is available in Postfix 2.3 and later. At the time of writing, only server-side SASL support is available, so you can't use it to authenticate to your network provider's server. Dovecot uses its own daemon process for authentication. This keeps the Postfix build process simple, because there is no need to link extra libraries into Postfix.

To generate the necessary Makefiles, execute the following in the Postfix top-level directory:

% make makefiles CCARGS='-DUSE_SASL_AUTH -DDEF_SERVER_SASL_TYPE=\"dovecot\"'

After this, proceed with "make" as described in the INSTALL document.

Notes:

Building the Cyrus SASL library

Postfix appears to work with cyrus-sasl-1.5.x or cyrus-sasl-2.1.x, which are available from:

ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/

IMPORTANT: if you install the Cyrus SASL libraries as per the default, you will have to symlink /usr/lib/sasl -> /usr/local/lib/sasl for version 1.5.x or /usr/lib/sasl2 -> /usr/local/lib/sasl2 for version 2.1.x.

Reportedly, Microsoft Outlook (Express) requires the non-standard LOGIN authentication method. To enable this authentication method, specify ``./configure --enable-login''.

Building Postfix with Cyrus SASL support

These instructions assume that you build Postfix from source code as described in the INSTALL document. Some modification may be required if you build Postfix from a vendor-specific source package.

The following assumes that the Cyrus SASL include files are in /usr/local/include, and that the Cyrus SASL libraries are in /usr/local/lib.

On some systems this generates the necessary Makefile definitions:

(for Cyrus SASL version 1.5.x):
% make tidy # if you have left-over files from a previous build
% make makefiles CCARGS="-DUSE_SASL_AUTH -DUSE_CYRUS_SASL \
    -I/usr/local/include" AUXLIBS="-L/usr/local/lib -lsasl"
(for Cyrus SASL version 2.1.x):
% make tidy # if you have left-over files from a previous build
% make makefiles CCARGS="-DUSE_SASL_AUTH -DUSE_CYRUS_SASL \
    -I/usr/local/include/sasl" AUXLIBS="-L/usr/local/lib -lsasl2"

On Solaris 2.x you need to specify run-time link information, otherwise ld.so will not find the SASL shared library:

(for Cyrus SASL version 1.5.x):
% make tidy # if you have left-over files from a previous build
% make makefiles CCARGS="-DUSE_SASL_AUTH -DUSE_CYRUS_SASL \
    -I/usr/local/include" AUXLIBS="-L/usr/local/lib \
    -R/usr/local/lib -lsasl"
(for Cyrus SASL version 2.1.x):
% make tidy # if you have left-over files from a previous build
% make makefiles CCARGS="-DUSE_SASL_AUTH -DUSE_CYRUS_SASL \
    -I/usr/local/include/sasl" AUXLIBS="-L/usr/local/lib \
    -R/usr/local/lib -lsasl2"

Enabling SASL authentication in the Postfix SMTP server

In order to enable SASL support in the Postfix SMTP server:

/etc/postfix/main.cf:
    smtpd_sasl_auth_enable = yes

In order to allow mail relaying by authenticated remote SMTP clients:

/etc/postfix/main.cf:
    smtpd_recipient_restrictions = 
        permit_mynetworks 
        permit_sasl_authenticated 
        reject_unauth_destination

To report SASL login names in Received: message headers (Postfix version 2.3 and later):

/etc/postfix/main.cf:
    smtpd_sasl_authenticated_header = yes

Note: the SASL login names will be shared with the entire world.

Older Microsoft SMTP client software implements a non-standard version of the AUTH protocol syntax, and expects that the SMTP server replies to EHLO with "250 AUTH=mechanism-list" instead of "250 AUTH mechanism-list". To accommodate such clients (in addition to conformant clients) use the following:

/etc/postfix/main.cf:
    broken_sasl_auth_clients = yes

Dovecot SASL configuration for the Postfix SMTP server

Dovecot SASL support is available in Postfix 2.3 and later. On the Postfix side you need to specify the location of the Dovecot authentication daemon socket. We use a pathname relative to the Postfix queue directory, so that it will work whether or not the Postfix SMTP server runs chrooted:

/etc/postfix/main.cf:
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth

On the Dovecot side you also need to specify the Dovecot authentication daemon socket. In this case we specify an absolute pathname. In the example we assume that the Postfix queue is under /var/spool/postfix/.

/some/where/dovecot.conf:
    auth default {
      mechanisms = plain login
      passdb pam {
      }
      userdb passwd {
      }
      socket listen {
        client {
          path = /var/spool/postfix/private/auth
          mode = 0660
          user = postfix
          group = postfix
        }
      }
    }

See the Dovecot documentation for how to configure and operate the Dovecot authentication server.

Cyrus SASL configuration for the Postfix SMTP server

You need to configure how the Cyrus SASL library should authenticate a remote SMTP client's username and password. These settings must be stored in a separate configuration file.

The name of the configuration file (default: smtpd.conf) will be constructed from a value that the Postfix SMTP server sends to the Cyrus SASL library, which adds the suffix .conf. The value is configured using one of the following variables:

/etc/postfix/main.cf:
    # Postfix 2.3 and later
    smtpd_sasl_path = smtpd
    # Postfix < 2.3
    smtpd_sasl_application_name = smtpd

Cyrus SASL searches for the configuration file in /usr/local/lib/sasl/ (Cyrus SASL version 1.5.5) or /usr/local/lib/sasl2/ (Cyrus SASL version 2.1.x).

Note: some Postfix distributions are modified and look for the smtpd.conf file in /etc/postfix/sasl.

Note: some Cyrus SASL distributions look for the smtpd.conf file in /etc/sasl2.

IMPORTANT: The Cyrus SASL password verification services pwcheck and saslauthd can only support the plaintext mechanisms PLAIN or LOGIN. However, the Cyrus SASL library doesn't know this, and will happily advertise other authentication mechanisms that the SASL library implements, such as DIGEST-MD5. As a result, if a remote SMTP client chooses any mechanism other than PLAIN or LOGIN while pwcheck or saslauthd are used, authentication will fail. Thus you may need to limit the list of mechanisms advertised by the Postfix SMTP server.

For the same reasons you might want to limit the list of plugins used for authentication.

To run software chrooted with SASL support is an interesting exercise. It probably is not worth the trouble.

Testing SASL authentication in the Postfix SMTP server

To test the server side, connect (for example, with telnet) to the Postfix SMTP server port and you should be able to have a conversation as shown below. Information sent by the client (that is, you) is shown in bold font.

$ telnet server.example.com 25
. . .
220 server.example.com ESMTP Postfix
EHLO client.example.com
250-server.example.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-AUTH DIGEST-MD5 PLAIN CRAM-MD5
250 8BITMIME
AUTH PLAIN AHRlc3QAdGVzdHBhc3M=
235 Authentication successful

Instead of AHRlc3QAdGVzdHBhc3M=, specify the base64 encoded form of \0username\0password (the \0 is a null byte). The example above is for a user named `test' with password `testpass'.

In order to generate base64 encoded authentication information you can use one of the following commands:

% printf '\0username\0password' | mmencode 
% perl -MMIME::Base64 -e \
    'print encode_base64("\0username\0password");'

The mmencode command is part of the metamail software. MIME::Base64 is available from http://www.cpan.org/.

Caution: when posting logs of the SASL negotiations to public lists, please keep in mind that username/password information is trivial to recover from the base64-encoded form.

Trouble shooting the SASL internals

In the Cyrus SASL sources you'll find a subdirectory named "sample". Run make there, then create a symbolic link from sample.conf to smtpd.conf in your Cyrus SASL library directory /usr/local/lib/sasl2. "su" to the user postfix (or whatever your mail_owner directive is set to):

% su postfix

then run the resulting sample Cyrus SASL server and client in separate terminals. The sample applications send log messages to the syslog facility auth. Check the log to fix the problem or run strace / ktrace / truss on the server to see what makes it unhappy. Repeat the previous step until you can successfully authenticate with the sample Cyrus SASL client. Only then get back to Postfix.

Enabling SASL authentication in the Postfix SMTP client

Turn on client-side SASL authentication, and specify a table with per-host or per-destination username and password information. The Postfix SMTP client first searches the table for an entry with the remote SMTP server hostname; if no entry is found, then the Postfix SMTP client searches the table for an entry with the next-hop destination. Usually, that is the right-hand part of an email address, but it can also be the information that is specified with the relayhost parameter or with a transport(5) table.

/etc/postfix/main.cf:
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    smtp_sasl_type = cyrus
    relayhost = [mail.myisp.net]
    # Alternative form:
    # relayhost = [mail.myisp.net]:submission

/etc/postfix/sasl_passwd:
    [mail.myisp.net]            username:password
    [mail.myisp.net]:submission username:password

Notes:

Workarounds:

Supporting multiple ISP accounts in the Postfix SMTP client

Postfix version 2.3 supports multiple ISP accounts. This can be useful when one person uses the same machine for work and for personal use, or when people with different ISP accounts share the same Postfix server. To make this possible, Postfix 2.3 supports per-sender SASL passwords and per-sender relay hosts. In the example below, Postfix will search the SASL password file by sender before it searches that same file by destination. Likewise, Postfix will search the per-sender relayhost file, and use the default relayhost only as a final resort.

/etc/postfix/main.cf:
    smtp_sender_dependent_authentication = yes
    sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    relayhost = [mail.myisp.net]
    # Alternative form:
    # relayhost = [mail.myisp.net]:submission

/etc/postfix/sasl_passwd:
    # Per-sender authentication; see also /etc/postfix/sender_relay.
    user1@example.com           username2:password2
    user2@example.net           username2:password2
    # Login information for the default relayhost.
    [mail.myisp.net]            username:password
    [mail.myisp.net]:submission username:password

/etc/postfix/sender_relay:
    # Per-sender provider; see also /etc/postfix/sasl_passwd.
    user1@example.com           [mail.example.com]:submission
    user2@example.net           [mail.example.net]

Notes:

Credits