Like so many other articles on this subject, I will start by saying that I looked at various documents, but none of them worked perfectly for me, so I will write up my own steps. Most of the regular readers of this blog will not care at all about SMTP authentication, TLS, SSL, ports 25, 465 and 587, Postfix (the oldstable postfix-tls) or Debian, though search engines should nicely find those keywords for the people who do care about them. I pretty much run the Debian defaults, using the testing distribution.
Debian packages to install:
libasn1-6-heimdal
libdb4.1
libkrb-1-kerberos4kth
libroken16-kerberos4kth
libkrb5-17-heimdal
libgssapi1-heimdal
libsasl2-modules
sasl2-bin
Stuff I added to various configuration files:
/etc/postfix/main.cf
smtpd_recipient_restrictions = permit_sasl_authenticated
(consider where you add this entry: somewhere near the top of the list, but perhaps after check_recipient_access, if you use that)
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
smtpd_tls_cert_file = /etc/ssl/certs/my.crt
smtpd_tls_key_file = /etc/ssl/private/my.key
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
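The settings above only do their job in combination: PLAIN and LOGIN send the password as-is, so smtpd_tls_auth_only is what keeps them off the unencrypted session, and permit_sasl_authenticated only helps if it sits before the reject rule in the restriction list. The following is an added example, not code from the post: a small linter that parses main.cf the way Postfix reads it (comments, blank lines, indented continuation lines) and flags the unsafe combinations. The two sample files are constructed; the post only shows the permit_sasl_authenticated entry of smtpd_recipient_restrictions, so the rest of that list is an assumption, and the reject_unauth_destination check goes beyond what the post shows.

```python
"""Check Postfix main.cf SASL/TLS settings for unsafe combinations.

Added example, not from the original post. The sample configurations
below are constructed; the full smtpd_recipient_restrictions list is assumed.
"""
import re
from typing import Dict, List

# Postfix's own default for smtpd_sasl_security_options.
DEFAULT_SASL_SECURITY_OPTIONS = "noplaintext, noanonymous"


def parse_main_cf(text: str) -> Dict[str, str]:
    """Parse main.cf into a dict of parameter -> value.

    Postfix syntax: '#' lines are comments, a line starting with whitespace
    continues the previous value, and a later assignment overrides an earlier one.
    """
    params: Dict[str, str] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        key, sep, value = raw.partition("=")
        if not sep:
            continue  # not a parameter assignment; ignore
        current = key.strip()
        params[current] = value.strip()
    return params


def _is_yes(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "on", "1")


def _tokens(value: str) -> List[str]:
    """Split a Postfix list value on commas and/or whitespace."""
    return [t for t in re.split(r"[,\s]+", value) if t]


def lint_sasl_tls(params: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means the settings are consistent."""
    findings: List[str] = []
    tls_on = _is_yes(params.get("smtpd_use_tls", "no"))
    auth_on = _is_yes(params.get("smtpd_sasl_auth_enable", "no"))
    tls_auth_only = _is_yes(params.get("smtpd_tls_auth_only", "no"))
    sec_opts = _tokens(params.get("smtpd_sasl_security_options", DEFAULT_SASL_SECURITY_OPTIONS))

    if not auth_on:
        findings.append("smtpd_sasl_auth_enable is not yes: AUTH is never offered")
    if not tls_on:
        findings.append("smtpd_use_tls is not yes: STARTTLS is never offered")
    if "noanonymous" not in sec_opts:
        findings.append("smtpd_sasl_security_options lacks noanonymous: anonymous AUTH accepted")
    # PLAIN and LOGIN carry the password in the clear; they are only safe once
    # TLS is up, which is exactly what smtpd_tls_auth_only enforces.
    if auth_on and not tls_auth_only and "noplaintext" not in sec_opts:
        findings.append("AUTH offered before STARTTLS without noplaintext: passwords can cross the wire unencrypted")
    if tls_auth_only and not tls_on:
        findings.append("smtpd_tls_auth_only = yes but smtpd_use_tls is off: nobody can authenticate")
    if "smtpd_recipient_restrictions" in params:
        restr = _tokens(params["smtpd_recipient_restrictions"])
        if "permit_sasl_authenticated" not in restr:
            findings.append("smtpd_recipient_restrictions lacks permit_sasl_authenticated: authenticated clients cannot relay")
        if "reject_unauth_destination" not in restr:
            findings.append("smtpd_recipient_restrictions lacks reject_unauth_destination: relaying is not refused for unauthenticated clients")
        elif ("permit_sasl_authenticated" in restr
              and restr.index("reject_unauth_destination") < restr.index("permit_sasl_authenticated")):
            # Postfix evaluates restrictions first-match; the permit must come before the reject.
            findings.append("reject_unauth_destination precedes permit_sasl_authenticated: authenticated relaying is rejected")
    return findings


# Constructed sample: the settings from the post, plus an assumed full restriction list.
POST_MAIN_CF = """\
# TLS and SASL settings (constructed sample)
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
smtpd_tls_cert_file = /etc/ssl/certs/my.crt
smtpd_tls_key_file = /etc/ssl/private/my.key
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
"""

# Constructed weak variant: identical, but AUTH is also offered on the plaintext session.
WEAK_MAIN_CF = POST_MAIN_CF.replace("smtpd_tls_auth_only = yes", "smtpd_tls_auth_only = no")

if __name__ == "__main__":
    for name, text in (("post", POST_MAIN_CF), ("weak", WEAK_MAIN_CF)):
        for finding in lint_sasl_tls(parse_main_cf(text)) or ["ok"]:
            print(f"{name}: {finding}")
```

Run it against a copy of your own main.cf by passing the file contents to parse_main_cf; the "weak" sample shows the one finding that flipping smtpd_tls_auth_only to no produces.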
/etc/postfix/master.cf
Nothing added. Most people say to uncomment the TLS lines, but I apparently didn't need to. Postfix seems happy to serve unauthenticated and authenticated sessions on port 25 simultaneously; the extra lines in master.cf open ports 465 and 587 and apparently aren't needed. Please let me know if you know why it is important to use those instead of the way I am doing it.
/etc/postfix/sasl/smtpd.conf
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
/etc/defaults/saslauthd
START=yes
MECHANISMS="pam"
PARAMS="-m /var/spool/postfix/var/run/saslauthd"
I wasn't writing down what I was doing as I did it, but I think that is it.
/etc/init.d/saslauthd start
Check that saslauthd is working by running testsaslauthd. If
ps aux | grep saslauthd
doesn't show anything, you probably forgot to uncomment the START=yes line.
/etc/init.d/postfix reload
telnet localhost 25
EHLO blahblah
You should see STARTTLS in the list of options. If you turn off the smtpd_tls_auth_only option in main.cf, you should also see the AUTH line.
Outlook Express is as good a test as any: you can check that relaying doesn't work unless you are authenticated, and that authentication doesn't work if SSL has not been turned on. Outlook will also check your certificate for you and give a warning if it is invalid (after you tell Outlook to ignore the warning, it won't complain again until you restart Outlook).
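The telnet test above is worth automating, because the thing to verify is an ordering: the plaintext EHLO must list STARTTLS but not AUTH, and only the EHLO sent after STARTTLS may list AUTH. The following is an added example, not code from the post: it parses EHLO transcripts of the kind you see over telnet, assesses that ordering, and has a helper that does the same against a live server you run, using Python's smtplib. The two transcripts are constructed, and mail.example.invalid is a placeholder hostname; the AUTH=PLAIN LOGIN line is the extra announcement broken_sasl_auth_clients = yes adds for older clients.

```python
"""Check what an SMTP server advertises before and after STARTTLS.

Added example, not from the original post. The EHLO transcripts below are
constructed; mail.example.invalid is a placeholder hostname.
"""
import smtplib
import ssl
from typing import List, Optional


def parse_ehlo_response(text: str) -> List[str]:
    """Extract the EHLO keywords (upper-cased) from a raw 250-line response.

    The first 250 line is the server's hostname and carries no capability;
    every later line contributes its first word (e.g. 'SIZE 10240000' -> 'SIZE').
    """
    keywords: List[str] = []
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    for ln in lines[1:]:
        if not (ln.startswith("250-") or ln.startswith("250 ")):
            continue
        body = ln[4:].strip()
        if body:
            keywords.append(body.split()[0].upper())
    return keywords


def assess(before_tls: List[str], after_tls: Optional[List[str]] = None) -> List[str]:
    """Return findings about the STARTTLS/AUTH ordering; an empty list is the desired state."""
    findings: List[str] = []
    if "STARTTLS" not in before_tls:
        findings.append("STARTTLS not offered: smtpd_use_tls is off or the certificate/key did not load")
    if "AUTH" in before_tls:
        findings.append("AUTH offered on the unencrypted session: smtpd_tls_auth_only is not in effect")
    if after_tls is not None and "AUTH" not in after_tls:
        findings.append("AUTH still missing after STARTTLS: check smtpd_sasl_auth_enable and saslauthd")
    return findings


def live_check(host: str, port: int = 25, timeout: float = 10.0) -> List[str]:
    """Run the same assessment against a server you administer (not exercised by the tests)."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        before = [k.upper() for k in smtp.esmtp_features]  # smtplib stores keywords lower-cased
        after = None
        if "STARTTLS" in before:
            # Certificate validation stays on, so an invalid certificate fails here,
            # much as Outlook warns about it.
            smtp.starttls(context=ssl.create_default_context())
            smtp.ehlo()  # the server re-announces its capabilities after STARTTLS
            after = [k.upper() for k in smtp.esmtp_features]
    return assess(before, after)


# Constructed transcript of the plaintext EHLO on a server configured as in the post.
EHLO_PLAINTEXT = """\
250-mail.example.invalid
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-ENHANCEDSTATUSCODES
250 8BITMIME
"""

# Constructed transcript of the EHLO sent after STARTTLS succeeded.
EHLO_AFTER_TLS = """\
250-mail.example.invalid
250-PIPELINING
250-SIZE 10240000
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250 8BITMIME
"""

if __name__ == "__main__":
    before = parse_ehlo_response(EHLO_PLAINTEXT)
    after = parse_ehlo_response(EHLO_AFTER_TLS)
    for finding in assess(before, after) or ["ok: AUTH only after STARTTLS"]:
        print(finding)
```

Calling live_check("localhost") reproduces the telnet session from the post end to end; passing only the plaintext capability list to assess covers the case where STARTTLS is absent and there is no encrypted EHLO to compare.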
Posted by Jon Daley on November 8, 2005, 6:59 pm. Category: Programming.
I added these bits of code to make it work properly:
/etc/defaults/saslauthd +PIDFILE="/var/spool/postfix/var/run/saslauthd/saslauthd.pid" /etc/init.d/saslauthd -PIDFILE="/var/run/${NAME}/saslauthd.pid" +if [ "x${PIDFILE}" = "x" ]; then + PIDFILE="/var/run/${NAME}/saslauthd.pid" +fi Saslauthd hadn't been using the Debian PIDFILE parameter, and so Debian tried to find /var/run/saslauthd/saslauthd.pid, but it didn't exist, so thought it wasn't running, and then when it tried to start it again, it got this error: invoke-rc.d: initscript saslauthd, action "start" failed.
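Review bot: the new fallback in /etc/init.d/saslauthd, `if [ "x${PIDFILE}" = "x" ]; then PIDFILE="/var/run/${NAME}/saslauthd.pid"`, only honours the value from /etc/defaults/saslauthd if it is placed after the point where the init script sources that file; the hunk does not show that line, so confirm the ordering, otherwise PIDFILE is still empty when the test runs and the old default wins every time. Since the pid file is looked for under the directory saslauthd is started in, the PIDFILE value added to the defaults file has to stay in step with the `-m /var/spool/postfix/var/run/saslauthd` given in PARAMS; anyone changing one without the other gets the same "initscript saslauthd, action "start" failed" symptom back. As a style point, `[ -z "${PIDFILE}" ]` says the same thing as the `"x${PIDFILE}" = "x"` idiom.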