1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
|
P�Po�os�st�tf�fi�ix�x S�SA�AS�SL�L H�Ho�ow�wt�to�o
-------------------------------------------------------------------------------
W�WA�AR�RN�NI�IN�NG�G
People who go to the trouble of installing Postfix may have the expectation
that Postfix is more secure than some other mailers. The Cyrus SASL library is
a lot of code. With this, Postfix becomes as secure as other mail systems that
use the Cyrus SASL library. Dovecot provides an alternative that may be worth
considering.
H�Ho�ow�w P�Po�os�st�tf�fi�ix�x u�us�se�es�s S�SA�AS�SL�L a�au�ut�th�he�en�nt�ti�ic�ca�at�ti�io�on�n i�in�nf�fo�or�rm�ma�at�ti�io�on�n
Postfix SASL support (RFC 2554) can be used to authenticate remote SMTP clients
to the Postfix SMTP server, and to authenticate the Postfix SMTP client to a
remote SMTP server.
When receiving mail, Postfix logs the client-provided username, authentication
method, and sender address to the maillog file, and optionally grants mail
access via the permit_sasl_authenticated UCE restriction.
When sending mail, Postfix can look up the server hostname or destination
domain (the address right-hand part) in a Postfix SASL password table, and if a
username/password is found, it will use that username and password to
authenticate to the server. And as of version 2.3, Postfix can be configured to
search its SASL password table by the sender email address.
This document covers the following topics:
* What SASL implementations are supported
* Building Postfix with Dovecot SASL support
* Building the Cyrus SASL library
* Building Postfix with Cyrus SASL support
* Enabling SASL authentication in the Postfix SMTP server
* Dovecot SASL configuration for the Postfix SMTP server
* Cyrus SASL configuration for the Postfix SMTP server
* Testing SASL authentication in the Postfix SMTP server
* Trouble shooting the SASL internals
* Enabling SASL authentication in the Postfix SMTP client
* Credits
W�Wh�ha�at�t S�SA�AS�SL�L i�im�mp�pl�le�em�me�en�nt�ta�at�ti�io�on�ns�s a�ar�re�e s�su�up�pp�po�or�rt�te�ed�d
This document describes Postfix with the following SASL implementations:
* Cyrus SASL version 1 (client and server).
* Cyrus SASL version 2 (client and server).
* Dovecot protocol version 1 (server only, Postfix version 2.3 and later)
Postfix version 2.3 introduces a plug-in mechanism that provides support for
multiple SASL implementations. To find out what implementations are built into
Postfix, use the following commands:
% postconf -a (SASL support in the SMTP server)
% postconf -A (SASL support in the SMTP+LMTP client)
Needless to say, these commands are not available in earlier Postfix versions.
B�Bu�ui�il�ld�di�in�ng�g P�Po�os�st�tf�fi�ix�x w�wi�it�th�h D�Do�ov�ve�ec�co�ot�t S�SA�AS�SL�L s�su�up�pp�po�or�rt�t
Support for the Dovecot version 1 SASL protocol is available in Postfix 2.3 and
later. At the time of writing, only server-side SASL support is available, so
you can't use it to authenticate to your network provider's server. Dovecot
uses its own daemon process for authentication. This keeps the Postfix build
process simple, because there is no need to link extra libraries into Postfix.
To generate the necessary Makefiles, execute the following in the Postfix top-
level directory:
% make makefiles CCARGS='-DUSE_SASL_AUTH -
DDEF_SERVER_SASL_TYPE=\"dovecot\"'
After this, proceed with "make" as described in the INSTALL document.
Notes:
* The "-DDEF_SERVER_SASL_TYPE" stuff is not necessary; it just makes Postfix
configuration a little more convenient because you don't have to specify
the SASL plug-in type in the Postfix main.cf file.
* If you also want support for LDAP or TLS, you will have to merge their
CCARGS and AUXLIBS into the above command line.
B�Bu�ui�il�ld�di�in�ng�g t�th�he�e C�Cy�yr�ru�us�s S�SA�AS�SL�L l�li�ib�br�ra�ar�ry�y
Postfix appears to work with cyrus-sasl-1.5.5 or cyrus-sasl-2.1.1, which are
available from:
ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/
IMPORTANT: if you install the Cyrus SASL libraries as per the default, you will
have to symlink /usr/lib/sasl -> /usr/local/lib/sasl for version 1.5.5 or /usr/
lib/sasl2 -> /usr/local/lib/sasl2 for version 2.1.1.
Reportedly, Microsoft Internet Explorer version 5 requires the non-standard
SASL LOGIN authentication method. To enable this authentication method, specify
``./configure --enable-login''.
B�Bu�ui�il�ld�di�in�ng�g P�Po�os�st�tf�fi�ix�x w�wi�it�th�h C�Cy�yr�ru�us�s S�SA�AS�SL�L s�su�up�pp�po�or�rt�t
The following assumes that the Cyrus SASL include files are in /usr/local/
include, and that the Cyrus SASL libraries are in /usr/local/lib.
On some systems this generates the necessary Makefile definitions:
(for Cyrus SASL version 1.5.5):
% make tidy # if you have left-over files from a previous build
% make makefiles CCARGS="-DUSE_SASL_AUTH -DUSE_CYRUS_SASL \
-I/usr/local/include" AUXLIBS="-L/usr/local/lib -lsasl"
(for Cyrus SASL version 2.1.1):
% make tidy # if you have left-over files from a previous build
% make makefiles CCARGS="-DUSE_SASL_AUTH -DUSE_CYRUS_SASL \
-I/usr/local/include/sasl" AUXLIBS="-L/usr/local/lib -lsasl2"
On Solaris 2.x you need to specify run-time link information, otherwise ld.so
will not find the SASL shared library:
(for Cyrus SASL version 1.5.5):
% make tidy # if you have left-over files from a previous build
% make makefiles CCARGS="-DUSE_SASL_AUTH -DUSE_CYRUS_SASL \
-I/usr/local/include" AUXLIBS="-L/usr/local/lib \
-R/usr/local/lib -lsasl"
(for Cyrus SASL version 2.1.1):
% make tidy # if you have left-over files from a previous build
% make makefiles CCARGS="-DUSE_SASL_AUTH -DUSE_CYRUS_SASL \
-I/usr/local/include/sasl" AUXLIBS="-L/usr/local/lib \
-R/usr/local/lib -lsasl2"
E�En�na�ab�bl�li�in�ng�g S�SA�AS�SL�L a�au�ut�th�he�en�nt�ti�ic�ca�at�ti�io�on�n i�in�n t�th�he�e P�Po�os�st�tf�fi�ix�x S�SM�MT�TP�P s�se�er�rv�ve�er�r
In order to enable SASL support in the SMTP server:
/etc/postfix/main.cf:
smtpd_sasl_auth_enable = yes
In order to allow mail relaying by authenticated clients:
/etc/postfix/main.cf:
smtpd_recipient_restrictions =
permit_mynetworks permit_sasl_authenticated ...
To report SASL login names in Received: message headers (Postfix version 2.3
and later):
/etc/postfix/main.cf:
smtpd_sasl_authenticated_header = yes
Note: the SASL login names will be shared with the entire world.
Older Microsoft SMTP client software implements a non-standard version of the
AUTH protocol syntax, and expects that the SMTP server replies to EHLO with
"250 AUTH=stuff" instead of "250 AUTH stuff". To accommodate such clients (in
addition to conformant clients) use the following:
/etc/postfix/main.cf:
broken_sasl_auth_clients = yes
D�Do�ov�ve�ec�co�ot�t S�SA�AS�SL�L c�co�on�nf�fi�ig�gu�ur�ra�at�ti�io�on�n f�fo�or�r t�th�he�e P�Po�os�st�tf�fi�ix�x S�SM�MT�TP�P s�se�er�rv�ve�er�r
Dovecot SASL support is available in Postfix 2.3 and later. On the Postfix side
you need to specify the location of the Dovecot authentication daemon socket.
We use a pathname relative to the Postfix queue directory, so that it will work
whether or not Postfix runs chrooted:
/etc/postfix/main.cf:
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
On the Dovecot side you also need to specify the Dovecot authentication daemon
socket. In this case we specify an absolute pathname. In the example we assume
that the Postfix queue is under /var/spool/postfix/.
/some/where/dovecot.conf:
auth default {
mechanisms = plain login
passdb pam {
}
userdb passwd {
}
socket listen {
client {
path = /var/spool/postfix/private/auth
mode = 0660
user = postfix
group = postfix
}
}
}
See the Dovecot documentation for how to configure and operate the Dovecot
authentication server.
C�Cy�yr�ru�us�s S�SA�AS�SL�L c�co�on�nf�fi�ig�gu�ur�ra�at�ti�io�on�n f�fo�or�r t�th�he�e P�Po�os�st�tf�fi�ix�x S�SM�MT�TP�P s�se�er�rv�ve�er�r
In /usr/local/lib/sasl/smtpd.conf (Cyrus SASL version 1.5.5) or /usr/local/lib/
sasl2/smtpd.conf (Cyrus SASL version 2.1.1) you need to specify how the server
should validate client passwords.
Note: some Postfix distributions are modified and look for the smtpd.conf file
in /etc/postfix.
Note: some Cyrus SASL distributions look for the smtpd.conf file in /etc/sasl2.
* To authenticate against the UNIX password database, try:
(Cyrus SASL version 1.5.5)
/usr/local/lib/sasl/smtpd.conf:
pwcheck_method: pwcheck
(Cyrus SASL version 2.1.1)
/usr/local/lib/sasl2/smtpd.conf:
pwcheck_method: pwcheck
The name of the file in /usr/local/lib/sasl (Cyrus SASL version 1.5.5) or /
usr/local/lib/sasl2 (Cyrus SASL version 2.1.1) used by the SASL library for
configuration can be set with:
/etc/postfix/main.cf:
smtpd_sasl_application_name = smtpd (Postfix < 2.3)
smtpd_sasl_path = smtpd (Postfix 2.3 and later)
The pwcheck daemon is contained in the cyrus-sasl source tarball.
IMPORTANT: postfix processes need to have group read+execute permission for
the /var/pwcheck directory, otherwise authentication attempts will fail.
* Alternately, in Cyrus SASL 1.5.26 and later (including 2.1.1), try:
(Cyrus SASL version 1.5.26)
/usr/local/lib/sasl/smtpd.conf:
pwcheck_method: saslauthd
(Cyrus SASL version 2.1.1)
/usr/local/lib/sasl2/smtpd.conf:
pwcheck_method: saslauthd
The saslauthd daemon is also contained in the cyrus-sasl source tarball. It
is more flexible than the pwcheck daemon, in that it can authenticate
against PAM and various other sources. To use PAM, start saslauthd with "-
a pam".
* To authenticate against Cyrus SASL's own password database:
(Cyrus SASL version 1.5.5)
/usr/local/lib/sasl/smtpd.conf:
pwcheck_method: sasldb
(Cyrus SASL version 2.1.1)
/usr/local/lib/sasl2/smtpd.conf:
pwcheck_method: auxprop
This will use the Cyrus SASL password file (default: /etc/sasldb in version
1.5.5, or /etc/sasldb2 in version 2.1.1), which is maintained with the
saslpasswd or saslpasswd2 command (part of the Cyrus SASL software). On
some poorly-supported systems the saslpasswd command needs to be run
multiple times before it stops complaining. The Postfix SMTP server needs
read access to the sasldb file - you may have to play games with group
access permissions. With the OTP authentication mechanism, the SMTP server
also needs WRITE access to /etc/sasldb2 or /etc/sasldb (or the back end SQL
database, if used).
IMPORTANT: To get sasldb running, make sure that you set the SASL domain
(realm) to a fully qualified domain name.
EXAMPLE:
(Cyrus SASL version 1.5.5)
% saslpasswd -c -u `postconf -h myhostname` exampleuser
(Cyrus SASL version 2.1.1)
% saslpasswd2 -c -u `postconf -h myhostname` exampleuser
You can find out SASL's idea about the realms of the users in sasldb with
sasldblistusers (Cyrus SASL version 1.5.5) or sasldblistusers2 (Cyrus SASL
version 2.1.1).
On the Postfix side, you can have only one realm per smtpd instance, and
only the users belonging to that realm would be able to authenticate. The
Postfix variable smtpd_sasl_local_domain controls the realm used by smtpd:
/etc/postfix/main.cf:
smtpd_sasl_local_domain = $myhostname
IMPORTANT: all users must be able to authenticate using ALL authentication
mechanisms advertised by Postfix, otherwise the negotiation might end up with
an unsupported mechanism, and authentication would fail. For example if you
configure SASL to use saslauthd for authentication against PAM (pluggable
authentication modules), only the PLAIN and LOGIN mechanisms are supported and
stand a chance to succeed, yet the SASL library would also advertise other
mechanisms, such as DIGEST-MD5. This happens because those mechanisms are made
available by other plugins, and the SASL library have no way to know that your
only valid authentication source is PAM. Thus you might need to limit the list
of mechanisms advertised by Postfix.
* With older Cyrus SASL versions you remove the corresponding library files
from the SASL plug-in directory (and again whenever the system is updated).
* With Cyrus SASL version 2.1.1 or later:
/usr/local/lib/sasl2/smtpd.conf:
mech_list: plain login
For the same reasons you might want to limit the list of plugins used for
authentication.
* With Cyrus SASL version 1.5.5 your only choice is to delete the
corresponding library files from the SASL plug-in directory.
* With SASL version 2.1.1:
/usr/local/lib/sasl2/smtpd.conf:
pwcheck_method: auxprop
auxprop_plugin: sql
To run software chrooted with SASL support is an interesting exercise. It
probably is not worth the trouble.
T�Te�es�st�ti�in�ng�g S�SA�AS�SL�L a�au�ut�th�he�en�nt�ti�ic�ca�at�ti�io�on�n i�in�n t�th�he�e P�Po�os�st�tf�fi�ix�x S�SM�MT�TP�P s�se�er�rv�ve�er�r
To test the server side, connect to the SMTP server, and you should be able to
have a conversation as shown below. Information sent by the client is shown in
bold font.
220 server.example.com ESMTP Postfix
E�EH�HL�LO�O c�cl�li�ie�en�nt�t.�.e�ex�xa�am�mp�pl�le�e.�.c�co�om�m
250-server.example.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-AUTH DIGEST-MD5 PLAIN CRAM-MD5
250 8BITMIME
A�AU�UT�TH�H P�PL�LA�AI�IN�N d�dG�GV�Vz�zd�dA�AB�B0�0Z�ZX�XN�N0�0A�AH�HR�Rl�lc�c3�3R�Rw�wY�YX�XN�Nz�z
235 Authentication successful
Instead of dGVzdAB0ZXN0AHRlc3RwYXNz, specify the base64 encoded form of
username\0username\0password (the \0 is a null byte). The example above is for
a user named `test' with password `testpass'.
In order to generate base64 encoded authentication information you can use one
of the following commands:
% printf 'username\0username\0password' | mmencode
% perl -MMIME::Base64 -e \
'print encode_base64("username\0username\0password");'
The mmencode command is part of the metamail software. MIME::Base64 is
available from http://www.cpan.org/.
Caution: when posting logs of the SASL negotiations to public lists, please
keep in mind that username/password information is trivial to recover from the
base64-encoded form.
T�Tr�ro�ou�ub�bl�le�e s�sh�ho�oo�ot�ti�in�ng�g t�th�he�e S�SA�AS�SL�L i�in�nt�te�er�rn�na�al�ls�s
In the Cyrus SASL sources you'll find a subdirectory named "sample". Run make
there, "su" to the user postfix (or whatever your mail_owner directive is set
to):
% su postfix
then run the resulting sample server and client in separate terminals. Strace /
ktrace / truss the server to see what makes it unhappy, and fix the problem.
Repeat the previous step until you can successfully authenticate with the
sample client. Only then get back to Postfix.
E�En�na�ab�bl�li�in�ng�g S�SA�AS�SL�L a�au�ut�th�he�en�nt�ti�ic�ca�at�ti�io�on�n i�in�n t�th�he�e P�Po�os�st�tf�fi�ix�x S�SM�MT�TP�P c�cl�li�ie�en�nt�t
Turn on client-side SASL authentication, and specify a table with per-host or
per-destination username and password information. Postfix first searches the
table for an entry with the server hostname; if no entry is found, then Postfix
searches the table for an entry with the next-hop destination. Usually, that is
the right-hand part of an email address, but it can also be the information
that is specified with the relayhost parameter or with a transport(5) table.
/etc/postfix/main.cf:
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_type = cyrus
/etc/postfix/sasl_passwd:
foo.com username:password
bar.com username
[mail.myisp.net] username:password
[mail.myisp.net]:submission username:password
Postfix version 2.3 supports-per-sender SASL password information. To search
the Postfix SASL password by sender before it searches by destination, specify:
/etc/postfix/main.cf:
smtp_sender_dependent_authentication = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
/etc/postfix/sasl_passwd:
user@example.com username:password
bar.com username
[mail.myisp.net] username:password
[mail.myisp.net]:submission username:password
Note: some SMTP servers support PLAIN or LOGIN authentication only. By default,
the Postfix SMTP client does not use authentication methods that send plaintext
passwords, and defers delivery with the following error message:
"Authentication failed: cannot SASL authenticate to server". To enable
plaintext authentication specify, for example:
/etc/postfix/main.cf:
smtp_sasl_security_options = noanonymous
The Postfix SASL client password file is opened before the SMTP server enters
the optional chroot jail, so you can keep the file in /etc/postfix.
Note: Some SMTP servers support authentication mechanisms that, although
available on the client system, may not in practice work or possess the
appropriate credentials to authenticate to the server. It is possible via the
smtp_sasl_mechanism_filter parameter to further restrict the list of server
mechanisms that the smtp(8) client will take into consideration:
/etc/postfix/main.cf:
smtp_sasl_mechanism_filter = !gssapi, !external, static:all
In the above example, Postfix will decline to use mechanisms that require
special infrastructure such as Kerberos.
The Postfix SMTP client is backwards compatible with SMTP servers that use the
non-standard "AUTH=method..." syntax in response to the EHLO command; there is
no Postfix client configuration needed to work around it.
C�Cr�re�ed�di�it�ts�s
* Postfix SASL support was originally implemented by Till Franke of SuSE
Rhein/Main AG.
* Wietse trimmed down the code to only the bare necessities.
* Support for Cyrus SASL version 2 was contributed by Jason Hoos.
* Liviu Daia added smtpd_sasl_application_name, split
reject_sender_login_mismatch into
reject_authenticated_sender_login_mismatch and
reject_unauthenticated_sender_login_mismatch, and revised the docs.
* Wietse made another iteration through the code to add plug-in support for
multiple SASL implementations, and changed smtpd_sasl_application_name into
smtpd_sasl_path.
* The Dovecot SMTP server-only plug-in was originally implemented by Timo
Sirainen of Procontrol, Finland.
|
