PPoossttffiixx SSAASSLL HHoowwttoo

-------------------------------------------------------------------------------

WWAARRNNIINNGG

People who go to the trouble of installing Postfix may have the expectation
that Postfix is more secure than some other mailers. The Cyrus SASL library is
a lot of code. With this, Postfix becomes as secure as other mail systems that
use the Cyrus SASL library. Dovecot provides an alternative that may be worth
considering.

HHooww PPoossttffiixx uusseess SSAASSLL aauutthheennttiiccaattiioonn iinnffoorrmmaattiioonn

Postfix SASL support (RFC 4954, formerly RFC 2554) can be used to authenticate
remote SMTP clients to the Postfix SMTP server, and to authenticate the Postfix
SMTP client to a remote SMTP server.

When receiving mail, the Postfix SMTP server logs the client-provided username,
authentication method, and sender address to the maillog file, and optionally
grants mail access via the permit_sasl_authenticated UCE restriction.

When sending mail, the Postfix SMTP client can look up the remote SMTP server
hostname or destination domain (the address right-hand part) in a SASL password
table, and if a username/password is found, it will use that username and
password to authenticate to the remote SMTP server. And as of version 2.3,
Postfix can be configured to search its SASL password table by the sender email
address.

This document covers the following topics:

  * What SASL implementations are supported
  * Building Postfix with Dovecot SASL support
  * Building the Cyrus SASL library
  * Building Postfix with Cyrus SASL support
  * Enabling SASL authentication in the Postfix SMTP server
  * Dovecot SASL configuration for the Postfix SMTP server
  * Cyrus SASL configuration for the Postfix SMTP server
  * Testing SASL authentication in the Postfix SMTP server
  * Trouble shooting the SASL internals
  * Enabling SASL authentication in the Postfix SMTP client
  * Supporting multiple ISP accounts in the Postfix SMTP client
  * Credits

WWhhaatt SSAASSLL iimmpplleemmeennttaattiioonnss aarree ssuuppppoorrtteedd

This document describes Postfix with the following SASL implementations:

  * Cyrus SASL version 1 (client and server).

  * Cyrus SASL version 2 (client and server).

  * Dovecot protocol version 1 (server only, Postfix version 2.3 and later)

Postfix version 2.3 introduces a plug-in mechanism that provides support for
multiple SASL implementations. To find out what implementations are built into
Postfix, use the following commands:

    % postconf -a (SASL support in the SMTP server)
    % postconf -A (SASL support in the SMTP+LMTP client)

Needless to say, these commands are not available in earlier Postfix versions.

BBuuiillddiinngg PPoossttffiixx wwiitthh DDoovveeccoott SSAASSLL ssuuppppoorrtt

These instructions assume that you build Postfix from source code as described
in the INSTALL document. Some modification may be required if you build Postfix
from a vendor-specific source package.

Support for the Dovecot version 1 SASL protocol is available in Postfix 2.3 and
later. At the time of writing, only server-side SASL support is available, so
you can't use it to authenticate to your network provider's server. Dovecot
uses its own daemon process for authentication. This keeps the Postfix build
process simple, because there is no need to link extra libraries into Postfix.

To generate the necessary Makefiles, execute the following in the Postfix top-
level directory:

    % make makefiles CCARGS='-DUSE_SASL_AUTH -
    DDEF_SERVER_SASL_TYPE=\"dovecot\"'

After this, proceed with "make" as described in the INSTALL document.

Notes:

  * The "-DDEF_SERVER_SASL_TYPE" stuff is not necessary; it just makes Postfix
    configuration a little more convenient because you don't have to specify
    the SASL plug-in type in the Postfix main.cf file.

  * If you also want support for LDAP or TLS, you will have to merge their
    CCARGS and AUXLIBS into the above command line.

BBuuiillddiinngg tthhee CCyyrruuss SSAASSLL lliibbrraarryy

Postfix appears to work with cyrus-sasl-1.5.x or cyrus-sasl-2.1.x, which are
available from:

    ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/

IMPORTANT: if you install the Cyrus SASL libraries as per the default, you will
have to symlink /usr/lib/sasl -> /usr/local/lib/sasl for version 1.5.x or /usr/
lib/sasl2 -> /usr/local/lib/sasl2 for version 2.1.x.

Reportedly, Microsoft Outlook (Express) requires the non-standard LOGIN
authentication method. To enable this authentication method, specify ``./
configure --enable-login''.

BBuuiillddiinngg PPoossttffiixx wwiitthh CCyyrruuss SSAASSLL ssuuppppoorrtt

These instructions assume that you build Postfix from source code as described
in the INSTALL document. Some modification may be required if you build Postfix
from a vendor-specific source package.

The following assumes that the Cyrus SASL include files are in /usr/local/
include, and that the Cyrus SASL libraries are in /usr/local/lib.

On some systems this generates the necessary Makefile definitions:

(for Cyrus SASL version 1.5.x):

    % make tidy # if you have left-over files from a previous build
    % make makefiles CCARGS="-DUSE_SASL_AUTH -DUSE_CYRUS_SASL \
        -I/usr/local/include" AUXLIBS="-L/usr/local/lib -lsasl"

(for Cyrus SASL version 2.1.x):

    % make tidy # if you have left-over files from a previous build
    % make makefiles CCARGS="-DUSE_SASL_AUTH -DUSE_CYRUS_SASL \
        -I/usr/local/include/sasl" AUXLIBS="-L/usr/local/lib -lsasl2"

On Solaris 2.x you need to specify run-time link information, otherwise ld.so
will not find the SASL shared library:

(for Cyrus SASL version 1.5.x):

    % make tidy # if you have left-over files from a previous build
    % make makefiles CCARGS="-DUSE_SASL_AUTH -DUSE_CYRUS_SASL \
        -I/usr/local/include" AUXLIBS="-L/usr/local/lib \
        -R/usr/local/lib -lsasl"

(for Cyrus SASL version 2.1.x):

    % make tidy # if you have left-over files from a previous build
    % make makefiles CCARGS="-DUSE_SASL_AUTH -DUSE_CYRUS_SASL \
        -I/usr/local/include/sasl" AUXLIBS="-L/usr/local/lib \
        -R/usr/local/lib -lsasl2"

EEnnaabblliinngg SSAASSLL aauutthheennttiiccaattiioonn iinn tthhee PPoossttffiixx SSMMTTPP sseerrvveerr

In order to enable SASL support in the Postfix SMTP server:

    /etc/postfix/main.cf:
        smtpd_sasl_auth_enable = yes

In order to allow mail relaying by authenticated remote SMTP clients:

    /etc/postfix/main.cf:
        smtpd_recipient_restrictions =
            permit_mynetworks
            permit_sasl_authenticated
            reject_unauth_destination

To report SASL login names in Received: message headers (Postfix version 2.3
and later):

    /etc/postfix/main.cf:
        smtpd_sasl_authenticated_header = yes

Note: the SASL login names will be shared with the entire world.

Older Microsoft SMTP client software implements a non-standard version of the
AUTH protocol syntax, and expects that the SMTP server replies to EHLO with
"250 AUTH=mechanism-list" instead of "250 AUTH mechanism-list". To accommodate
such clients (in addition to conformant clients) use the following:

    /etc/postfix/main.cf:
        broken_sasl_auth_clients = yes

DDoovveeccoott SSAASSLL ccoonnffiigguurraattiioonn ffoorr tthhee PPoossttffiixx SSMMTTPP sseerrvveerr

Dovecot SASL support is available in Postfix 2.3 and later. On the Postfix side
you need to specify the location of the Dovecot authentication daemon socket.
We use a pathname relative to the Postfix queue directory, so that it will work
whether or not the Postfix SMTP server runs chrooted:

    /etc/postfix/main.cf:
        smtpd_sasl_type = dovecot
        smtpd_sasl_path = private/auth

On the Dovecot side you also need to specify the Dovecot authentication daemon
socket. In this case we specify an absolute pathname. In the example we assume
that the Postfix queue is under /var/spool/postfix/.

    /some/where/dovecot.conf:
        auth default {
          mechanisms = plain login
          passdb pam {
          }
          userdb passwd {
          }
          socket listen {
            client {
              path = /var/spool/postfix/private/auth
              mode = 0660
              user = postfix
              group = postfix
            }
          }
        }

See the Dovecot documentation for how to configure and operate the Dovecot
authentication server.

CCyyrruuss SSAASSLL ccoonnffiigguurraattiioonn ffoorr tthhee PPoossttffiixx SSMMTTPP sseerrvveerr

You need to configure how the Cyrus SASL library should authenticate a remote
SMTP client's username and password. These settings must be stored in a
separate configuration file.

The name of the configuration file (default: smtpd.conf) will be constructed
from a value that the Postfix SMTP server sends to the Cyrus SASL library,
which adds the suffix .conf. The value is configured using one of the following
variables:

    /etc/postfix/main.cf:
        # Postfix 2.3 and later
        smtpd_sasl_path = smtpd
        # Postfix < 2.3
        smtpd_sasl_application_name = smtpd

Cyrus SASL searches for the configuration file in /usr/local/lib/sasl/ (Cyrus
SASL version 1.5.5) or /usr/local/lib/sasl2/ (Cyrus SASL version 2.1.x).

Note: some Postfix distributions are modified and look for the smtpd.conf file
in /etc/postfix/sasl.

Note: some Cyrus SASL distributions look for the smtpd.conf file in /etc/sasl2.

  * To authenticate against the UNIX password database, use:

    (Cyrus SASL version 1.5.x)

        /usr/local/lib/sasl/smtpd.conf:
            pwcheck_method: pwcheck

        IMPORTANT: pwcheck establishes a UNIX domain socket in /var/pwcheck and
        waits for authentication requests. The Postfix SMTP server must have
        read+execute permission to this directory or authentication attempts
        will fail.

        The pwcheck daemon is contained in the cyrus-sasl source tarball.

    (Cyrus SASL version 1.5.26)

        /usr/local/lib/sasl/smtpd.conf:
            pwcheck_method: saslauthd

    (Cyrus SASL version 2.1.x)

        /usr/local/lib/sasl2/smtpd.conf:
            pwcheck_method: saslauthd
            mech_list: PLAIN LOGIN

    The saslauthd daemon is also contained in the cyrus-sasl source tarball. It
    is more flexible than the pwcheck daemon, in that it can authenticate
    against PAM and various other sources. To use PAM, start saslauthd with "-
    a pam".

    IMPORTANT: saslauthd usually establishes a UNIX domain socket in /var/run/
    saslauthd and waits for authentication requests. The Postfix SMTP server
    must have read+execute permission to this directory or authentication
    attempts will fail.

    Note: The directory where saslauthd puts the socket is configurable. See
    the command-line option "-m /path/to/socket" in the saslauthd --help
    listing.

  * To authenticate against Cyrus SASL's own password database:

    (Cyrus SASL version 1.5.x)

        /usr/local/lib/sasl/smtpd.conf:
            pwcheck_method: sasldb

    (Cyrus SASL version 2.1.x)

        /usr/local/lib/sasl2/smtpd.conf:
            pwcheck_method: auxprop
            auxprop_plugin: sasldb
            mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5

    This will use the Cyrus SASL password file (default: /etc/sasldb in version
    1.5.x, or /etc/sasldb2 in version 2.1.x), which is maintained with the
    saslpasswd or saslpasswd2 command (part of the Cyrus SASL software). On
    some poorly-supported systems the saslpasswd command needs to be run
    multiple times before it stops complaining. The Postfix SMTP server needs
    read access to the sasldb file - you may have to play games with group
    access permissions. With the OTP authentication mechanism, the Postfix SMTP
    server also needs WRITE access to /etc/sasldb2 or /etc/sasldb (or the back
    end SQL database, if used).

    IMPORTANT: To get sasldb running, make sure that you set the SASL domain
    (realm) to a fully qualified domain name.

    EXAMPLE:

    (Cyrus SASL version 1.5.x)

        % saslpasswd -c -u `postconf -h myhostname` exampleuser

    (Cyrus SASL version 2.1.x)

        % saslpasswd2 -c -u `postconf -h myhostname` exampleuser

    You can find out SASL's idea about the realms of the users in sasldb with
    sasldblistusers (Cyrus SASL version 1.5.x) or sasldblistusers2 (Cyrus SASL
    version 2.1.x).

    On the Postfix side, you can have only one realm per smtpd(8) instance, and
    only the users belonging to that realm would be able to authenticate. The
    Postfix variable smtpd_sasl_local_domain controls the realm used by smtpd
    (8):

        /etc/postfix/main.cf:
            smtpd_sasl_local_domain = $myhostname

IMPORTANT: The Cyrus SASL password verification services pwcheck and saslauthd
can only support the plaintext mechanisms PLAIN or LOGIN. However, the Cyrus
SASL library doesn't know this, and will happily advertise other authentication
mechanisms that the SASL library implements, such as DIGEST-MD5. As a result,
if a remote SMTP client chooses any mechanism other than PLAIN or LOGIN while
pwcheck or saslauthd are used, authentication will fail. Thus you may need to
limit the list of mechanisms advertised by the Postfix SMTP server.

  * With older Cyrus SASL versions you remove the corresponding library files
    from the SASL plug-in directory (and again whenever the system is updated).

  * With Cyrus SASL version 2.1.x or later the mech_list variable can specify a
    list of authentication mechanisms that Cyrus SASL may offer:

        /usr/local/lib/sasl2/smtpd.conf:
            mech_list: plain login

For the same reasons you might want to limit the list of plugins used for
authentication.

  * With Cyrus SASL version 1.5.x your only choice is to delete the
    corresponding library files from the SASL plug-in directory.

  * With SASL version 2.1.x:

        /usr/local/lib/sasl2/smtpd.conf:
            pwcheck_method: auxprop
            auxprop_plugin: sql

To run software chrooted with SASL support is an interesting exercise. It
probably is not worth the trouble.

TTeessttiinngg SSAASSLL aauutthheennttiiccaattiioonn iinn tthhee PPoossttffiixx SSMMTTPP sseerrvveerr

To test the server side, connect (for example, with telnet) to the Postfix SMTP
server port and you should be able to have a conversation as shown below.
Information sent by the client (that is, you) is shown in bold font.

    $ tteellnneett sseerrvveerr..eexxaammppllee..ccoomm 2255
    . . .
    220 server.example.com ESMTP Postfix
    EEHHLLOO cclliieenntt..eexxaammppllee..ccoomm
    250-server.example.com
    250-PIPELINING
    250-SIZE 10240000
    250-ETRN
    250-AUTH DIGEST-MD5 PLAIN CRAM-MD5
    250 8BITMIME
    AAUUTTHH PPLLAAIINN AAHHRRllcc33QQAAddGGVVzzddHHBBhhcc33MM==
    235 Authentication successful

Instead of AHRlc3QAdGVzdHBhc3M=, specify the base64 encoded form of
\0username\0password (the \0 is a null byte). The example above is for a user
named `test' with password `testpass'.

In order to generate base64 encoded authentication information you can use one
of the following commands:

    % printf '\0username\0password' | mmencode

    % perl -MMIME::Base64 -e \
        'print encode_base64("\0username\0password");'

The mmencode command is part of the metamail software. MIME::Base64 is
available from http://www.cpan.org/.

Caution: when posting logs of the SASL negotiations to public lists, please
keep in mind that username/password information is trivial to recover from the
base64-encoded form.

TTrroouubbllee sshhoooottiinngg tthhee SSAASSLL iinntteerrnnaallss

In the Cyrus SASL sources you'll find a subdirectory named "sample". Run make
there, then create a symbolic link from sample.conf to smtpd.conf in your Cyrus
SASL library directory /usr/local/lib/sasl2. "su" to the user postfix (or
whatever your mail_owner directive is set to):

    % su postfix

then run the resulting sample Cyrus SASL server and client in separate
terminals. The sample applications send log messages to the syslog facility
auth. Check the log to fix the problem or run strace / ktrace / truss on the
server to see what makes it unhappy. Repeat the previous step until you can
successfully authenticate with the sample Cyrus SASL client. Only then get back
to Postfix.

EEnnaabblliinngg SSAASSLL aauutthheennttiiccaattiioonn iinn tthhee PPoossttffiixx SSMMTTPP cclliieenntt

Turn on client-side SASL authentication, and specify a table with per-host or
per-destination username and password information. The Postfix SMTP client
first searches the table for an entry with the remote SMTP server hostname; if
no entry is found, then the Postfix SMTP client searches the table for an entry
with the next-hop destination. Usually, that is the right-hand part of an email
address, but it can also be the information that is specified with the
relayhost parameter or with a transport(5) table.

    /etc/postfix/main.cf:
        smtp_sasl_auth_enable = yes
        smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
        smtp_sasl_type = cyrus
        relayhost = [mail.myisp.net]
        # Alternative form:
        # relayhost = [mail.myisp.net]:submission

    /etc/postfix/sasl_passwd:
        [mail.myisp.net]            username:password
        [mail.myisp.net]:submission username:password

Notes:

  * The "submission" destination port tells Postfix to send mail via TCP
    network port 587, which is normally reserved for email clients. The default
    is to send mail to the "smtp" destination port (TCP port 25), which is used
    for receiving mail across the internet. If you use an explicit destination
    port in main.cf, then you must use the same form also in the
    smtp_sasl_password_maps file.

  * Postfix does not deliver mail via TCP port 465 (the obsolete "wrappermode"
    protocol). See TLS_README for a solution that uses the "stunnel" command.

  * The "[" and "]" prevent Postfix from looking up the MX (mail exchanger)
    records for the enclosed name. If you use this form in main.cf, then you
    must use the same form also in the smtp_sasl_password_maps file.

  * The Postfix SMTP client opens the SASL client password file before entering
    the optional chroot jail, so you can keep the file in /etc/postfix and set
    permissions read / write only for root to keep the username:password
    combinations away from other system users.

  * Specify ddbbmm instead of hhaasshh if your system uses ddbbmm files instead of ddbb
    files. To find out what lookup tables Postfix supports, use the command
    "ppoossttccoonnff --mm".

  * Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//ssaassll__ppaasssswwdd" whenever you change
    the sasl_passwd table.

Workarounds:

  * Some remote SMTP servers support PLAIN or LOGIN authentication only. By
    default, the Postfix SMTP client does not use authentication methods that
    send plaintext passwords, and defers delivery with the following error
    message: "Authentication failed: cannot SASL authenticate to server". To
    enable plaintext authentication specify, for example:

        /etc/postfix/main.cf:
            smtp_sasl_security_options = noanonymous

  * Some remote SMTP servers announce authentication mechanisms that don't
    actually work. It is possible via the smtp_sasl_mechanism_filter parameter
    to restrict the list of server mechanisms that the Postfix SMTP client will
    take into consideration:

        /etc/postfix/main.cf:
            smtp_sasl_mechanism_filter = !gssapi, !external, static:all

    In the above example, the Postfix SMTP client will decline to use
    mechanisms that require special infrastructure such as Kerberos or TLS.

  * The Postfix SMTP client is backwards compatible with SMTP servers that use
    the non-standard "AUTH=method..." syntax in response to the EHLO command;
    there is no Postfix client configuration needed to work around it.

SSuuppppoorrttiinngg mmuullttiippllee IISSPP aaccccoouunnttss iinn tthhee PPoossttffiixx SSMMTTPP cclliieenntt

Postfix version 2.3 supports multiple ISP accounts. This can be useful when one
person uses the same machine for work and for personal use, or when people with
different ISP accounts share the same Postfix server. To make this possible,
Postfix 2.3 supports per-sender SASL passwords and per-sender relay hosts. In
the example below, Postfix will search the SASL password file by sender before
it searches that same file by destination. Likewise, Postfix will search the
per-sender relayhost file, and use the default relayhost only as a final
resort.

    /etc/postfix/main.cf:
        smtp_sender_dependent_authentication = yes
        sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
        smtp_sasl_auth_enable = yes
        smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
        relayhost = [mail.myisp.net]
        # Alternative form:
        # relayhost = [mail.myisp.net]:submission

    /etc/postfix/sasl_passwd:
        # Per-sender authentication; see also /etc/postfix/sender_relay.
        user1@example.com           username2:password2
        user2@example.net           username2:password2
        # Login information for the default relayhost.
        [mail.myisp.net]            username:password
        [mail.myisp.net]:submission username:password

    /etc/postfix/sender_relay:
        # Per-sender provider; see also /etc/postfix/sasl_passwd.
        user1@example.com           [mail.example.com]:submission
        user2@example.net           [mail.example.net]

Notes:

  * If you are creative, then you can try to combine the two tables into one
    single MySQL database, and configure different Postfix queries to extract
    the appropriate information.

  * Specify ddbbmm instead of hhaasshh if your system uses ddbbmm files instead of ddbb
    files. To find out what lookup tables Postfix supports, use the command
    "ppoossttccoonnff --mm".

  * Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//ssaassll__ppaasssswwdd" whenever you change
    the sasl_passwd table.

  * Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//sseennddeerr__rreellaayy" whenever you change
    the sender_relay table.

CCrreeddiittss

  * Postfix SASL support was originally implemented by Till Franke of SuSE
    Rhein/Main AG.
  * Wietse trimmed down the code to only the bare necessities.
  * Support for Cyrus SASL version 2 was contributed by Jason Hoos.
  * Liviu Daia added smtpd_sasl_application_name, split
    reject_sender_login_mismatch into
    reject_authenticated_sender_login_mismatch and
    reject_unauthenticated_sender_login_mismatch, and revised the docs.
  * Wietse made another iteration through the code to add plug-in support for
    multiple SASL implementations, and changed smtpd_sasl_application_name into
    smtpd_sasl_path.
  * The Dovecot SMTP server-only plug-in was originally implemented by Timo
    Sirainen of Procontrol, Finland.
  * Patrick Ben Koetter revised this document for Postfix 2.4 and made much
    needed updates.