Like so many other articles on this subject, I will start by saying that I looked at various documents, but none of them worked perfectly for me, so I will write up my own steps. Most of the regular readers of this blog will not care at all about SMTP authentication, TLS, SSL, port 25, 465, 587, postfix (the oldstable postfix-tls) or Debian, though search engines should nicely find those keywords for those people who do care about them.I pretty much run the debian defaults, using the testing distribution.
debian packages to install:
libasn1-6-heimdal
libdb4.1
libkrb-1-kerberos4kth
libroken16-kerberos4kth
libkrb5-17-heimdal
libgssapi1-heimdal
libsasl2-modules
sasl2-bin

Stuff I added to various configuration files:
/etc/postfix/main.cf
smtpd_recipient_restrictions = permit_sasl_authenticated
(consider where you add this line, somewhere near the top, but perhaps after check_recipient_access, if you use that)

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes

smtpd_tls_cert_file = /etc/ssl/certs/my.crt
smtpd_tls_key_file = /etc/ssl/private/my.key
smtpd_use_tls = yes
smtpd_tls_auth_only = yes

/etc/postfix/master.cf
Nothing added. Most people say to uncomment the TLS lines, but I apparently didn't need to. Postfix is apparently happy running unauthenticated and authenticated requests on port 25 simultaneously, and the extra lines in master.cf open ports 465 and 587, and apparently aren't needed. Please let me know if you know why it is important to use those instead of the way I am doing it.

/etc/postfix/sasl/smtpd.conf
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN

/etc/defaults/saslauthd
START=yes
MECHANISMS="pam"
PARAMS="-m /var/spool/postfix/var/run/saslauthd"


I wasn't writing down what I was doing as I did it, but I think that is it.
/etc/init.d/saslauthd start
Check saslauthd is working by running testsaslauthd.
If ps aux | grep saslauthd doesn't show anything, you probably forgot to uncomment the START=YES line.
/etc/init.d/postfix reload
telnet localhost 25
EHLO blahblah
You should see STARTTLS on the options list. If you turn off the smptd_tls_auth_only option in main.cf, you should also see the AUTH option line as well.
Outlook Express is a good a test as any, you can test that relaying doesn't work unless you are authenticated, and authentication doesn't work if SSL has not been turned on. Outlook will also check your certificate for you, and give a warning if it is invalid. (after you tell Outlook to ignore the warning, it won't complain until you restart Outlook)
Posted by Jon Daley on November 8, 2005, 6:59 pm | Read 4630 times
Category Programming: [first] [previous] [next] [newest]
Comments
I read here that port 465 is the old port for smtps stuff, and 587 is mostly only useful for getting around ISPs who block port 25, and that any reasonable new client or server will do both plain and SSL SMTP on port 25, so perhaps I actually did it right.
Posted by jondaley on November 8, 2005, 7:34 pm

Today I remembered that saslauthd hasn't been able to shutdown properly, so when I did the latest Debian update, it failed to restart.
I added these bits of code to make it work properly:
/etc/defaults/saslauthd +PIDFILE="/var/spool/postfix/var/run/saslauthd/saslauthd.pid" /etc/init.d/saslauthd -PIDFILE="/var/run/${NAME}/saslauthd.pid" +if [ "x${PIDFILE}" = "x" ]; then + PIDFILE="/var/run/${NAME}/saslauthd.pid" +fi Saslauthd hadn't been using the Debian PIDFILE parameter, and so Debian tried to find /var/run/saslauthd/saslauthd.pid, but it didn't exist, so thought it wasn't running, and then when it tried to start it again, it got this error: invoke-rc.d: initscript saslauthd, action "start" failed.
Posted by jondaley on November 21, 2005, 9:13 am

You also need to create the /var/spool/postfix/var/run/saslauthd directory, if it doesn't already exist.
Posted by jondaley on May 2, 2006, 10:40 pm
Add Comment
Add comment
E-mail me when comments occur on this article

culpable-adaptable