Postfix SASL Howto


WARNING

People who go to the trouble of installing Postfix may have the expectation that Postfix is more secure than some other mailers. The Cyrus SASL library is a lot of code. With this, Postfix becomes as secure as other mail systems that use the Cyrus SASL library. Dovecot provides an alternative that may be worth considering.

How Postfix uses SASL authentication information

Postfix SASL support (RFC 2554) can be used to authenticate remote SMTP clients to the Postfix SMTP server, and to authenticate the Postfix SMTP client to a remote SMTP server.

When receiving mail, Postfix logs the client-provided username, authentication method, and sender address to the maillog file, and optionally grants mail access via the permit_sasl_authenticated UCE restriction.

When sending mail, Postfix can look up the server hostname or destination domain (the address right-hand part) in a Postfix SASL password table, and if a username/password is found, it will use that username and password to authenticate to the server. And as of version 2.3, Postfix can be configured to search its SASL password table by the sender email address.

This document covers the following topics:

What SASL implementations are supported

This document describes Postfix with the following SASL implementations:

Postfix version 2.3 introduces a plug-in mechanism that provides support for multiple SASL implementations. To find out what implementations are built into Postfix, use the following commands:

% postconf -a (SASL support in the SMTP server)
% postconf -A (SASL support in the SMTP+LMTP client)

Needless to say, these commands are not available in earlier Postfix versions.

Building Postfix with Dovecot SASL support

Dovecot SASL support is available in Postfix 2.3 and later. The Dovecot source code is available via http://www.dovecot.org/. At the time of writing, only server-side SASL support is available, so you can't use it to authenticate to your network provider's server. Dovecot uses its own daemon process for authentication. This keeps the Postfix build process simple, because there is no need to link extra libraries into Postfix.

To generate the necessary Makefiles, execute the following in the Postfix top-level directory:

% make makefiles CCARGS='-DUSE_SASL_AUTH -DDEF_SASL_SERVER_TYPE=\"dovecot\"'

After this, proceed with "make" as described in the INSTALL document.

Notes:

Building the Cyrus SASL library

Postfix appears to work with cyrus-sasl-1.5.5 or cyrus-sasl-2.1.1, which are available from:

ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/

IMPORTANT: if you install the Cyrus SASL libraries as per the default, you will have to symlink /usr/lib/sasl -> /usr/local/lib/sasl for version 1.5.5 or /usr/lib/sasl2 -> /usr/local/lib/sasl2 for version 2.1.1.

Reportedly, Microsoft Internet Explorer version 5 requires the non-standard SASL LOGIN authentication method. To enable this authentication method, specify ``./configure --enable-login''.

Building Postfix with Cyrus SASL support

The following assumes that the Cyrus SASL include files are in /usr/local/include, and that the Cyrus SASL libraries are in /usr/local/lib.

On some systems this generates the necessary Makefile definitions:

(for Cyrus SASL version 1.5.5):
% make tidy # if you have left-over files from a previous build
% make makefiles CCARGS="-DUSE_SASL_AUTH -DUSE_CYRUS_SASL \
    -I/usr/local/include" AUXLIBS="-L/usr/local/lib -lsasl"
(for Cyrus SASL version 2.1.1):
% make tidy # if you have left-over files from a previous build
% make makefiles CCARGS="-DUSE_SASL_AUTH -DUSE_CYRUS_SASL \
    -I/usr/local/include/sasl" AUXLIBS="-L/usr/local/lib -lsasl2"

On Solaris 2.x you need to specify run-time link information, otherwise ld.so will not find the SASL shared library:

(for Cyrus SASL version 1.5.5):
% make tidy # if you have left-over files from a previous build
% make makefiles CCARGS="-DUSE_SASL_AUTH -DUSE_CYRUS_SASL \
    -I/usr/local/include" AUXLIBS="-L/usr/local/lib \
    -R/usr/local/lib -lsasl"
(for Cyrus SASL version 2.1.1):
% make tidy # if you have left-over files from a previous build
% make makefiles CCARGS="-DUSE_SASL_AUTH -DUSE_CYRUS_SASL \
    -I/usr/local/include/sasl" AUXLIBS="-L/usr/local/lib \
    -R/usr/local/lib -lsasl2"

Enabling SASL authentication in the Postfix SMTP server

In order to enable SASL support in the SMTP server:

/etc/postfix/main.cf:
    smtpd_sasl_auth_enable = yes

In order to allow mail relaying by authenticated clients:

/etc/postfix/main.cf:
    smtpd_recipient_restrictions = 
        permit_mynetworks permit_sasl_authenticated ...

To report SASL login names in Received: message headers (Postfix version 2.3 and later):

/etc/postfix/main.cf:
    smtpd_sasl_authenticated_header = yes

Note: the SASL login names will be shared with the entire world.

Older Microsoft SMTP client software implements a non-standard version of the AUTH protocol syntax, and expects that the SMTP server replies to EHLO with "250 AUTH=stuff" instead of "250 AUTH stuff". To accommodate such clients (in addition to conformant clients) use the following:

/etc/postfix/main.cf:
    broken_sasl_auth_clients = yes

Dovecot SASL configuration for the Postfix SMTP server

Dovecot SASL support is available in Postfix 2.3 and later. On the Postfix side you need to specify the location of the Dovecot authentication daemon socket. We use a pathname relative to the Postfix queue directory, so that it will work whether or not Postfix runs chrooted:

/etc/postfix/main.cf:
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth

On the Dovecot side you also need to specify the Dovecot authentication daemon socket. In this case we specify an absolute pathname. In the example we assume that the Postfix queue is under /var/spool/postfix/.

/some/where/dovecot.conf:
    auth default {
      mechanisms = plain login
      passdb pam {
      }
      userdb passwd {
      }
      socket listen {
        client {
          path = /var/spool/postfix/private/auth
          mode = 0660
          user = postfix
          group = postfix
        }
      }
    }

See the Dovecot documentation for how to configure and operate the Dovecot authentication server.

Cyrus SASL configuration for the Postfix SMTP server

In /usr/local/lib/sasl/smtpd.conf (Cyrus SASL version 1.5.5) or /usr/local/lib/sasl2/smtpd.conf (Cyrus SASL version 2.1.1) you need to specify how the server should validate client passwords.

Note: some Postfix distributions are modified and look for the smtpd.conf file in /etc/postfix.

Note: some Cyrus SASL distributions look for the smtpd.conf file in /etc/sasl2.

IMPORTANT: all users must be able to authenticate using ALL authentication mechanisms advertised by Postfix, otherwise the negotiation might end up with an unsupported mechanism, and authentication would fail. For example if you configure SASL to use saslauthd for authentication against PAM (pluggable authentication modules), only the PLAIN and LOGIN mechanisms are supported and stand a chance to succeed, yet the SASL library would also advertise other mechanisms, such as DIGEST-MD5. This happens because those mechanisms are made available by other plugins, and the SASL library have no way to know that your only valid authentication source is PAM. Thus you might need to limit the list of mechanisms advertised by Postfix.

For the same reasons you might want to limit the list of plugins used for authentication.

To run software chrooted with SASL support is an interesting exercise. It probably is not worth the trouble.

Testing SASL authentication in the Postfix SMTP server

To test the server side, connect to the SMTP server, and you should be able to have a conversation as shown below. Information sent by the client is shown in bold font.

220 server.example.com ESMTP Postfix
EHLO client.example.com
250-server.example.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-AUTH DIGEST-MD5 PLAIN CRAM-MD5
250 8BITMIME
AUTH PLAIN dGVzdAB0ZXN0AHRlc3RwYXNz
235 Authentication successful

Instead of dGVzdAB0ZXN0AHRlc3RwYXNz, specify the base64 encoded form of username\0username\0password (the \0 is a null byte). The example above is for a user named `test' with password `testpass'.

In order to generate base64 encoded authentication information you can use one of the following commands:

% printf 'username\0username\0password' | mmencode 
% perl -MMIME::Base64 -e \
    'print encode_base64("username\0username\0password");'

The mmencode command is part of the metamail software. MIME::Base64 is available from http://www.cpan.org/.

Caution: when posting logs of the SASL negotiations to public lists, please keep in mind that username/password information is trivial to recover from the base64-encoded form.

Trouble shooting the SASL internals

In the Cyrus SASL sources you'll find a subdirectory named "sample". Run make there, "su" to the user postfix (or whatever your mail_owner directive is set to):

% su postfix

then run the resulting sample server and client in separate terminals. Strace / ktrace / truss the server to see what makes it unhappy, and fix the problem. Repeat the previous step until you can successfully authenticate with the sample client. Only then get back to Postfix.

Enabling SASL authentication in the Postfix SMTP client

Turn on client-side SASL authentication, and specify a table with per-host or per-destination username and password information. Postfix first searches the table for an entry with the server hostname; if no entry is found, then Postfix searches the table for an entry with the next-hop destination. Usually, that is the right-hand part of an email address, but it can also be the information that is specified with the relayhost parameter or with a transport(5) table.

/etc/postfix/main.cf:
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    smtp_sasl_type = cyrus

/etc/postfix/sasl_passwd:
    foo.com                     username:password
    bar.com                     username
    [mail.myisp.net]            username:password
    [mail.myisp.net]:submission username:password

Postfix version 2.3 supports-per-sender SASL password information. To search the Postfix SASL password by sender before it searches by destination, specify:

/etc/postfix/main.cf:
    smtp_sender_dependent_authentication = yes
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

/etc/postfix/sasl_passwd:
    user@example.com            username:password
    bar.com                     username
    [mail.myisp.net]            username:password
    [mail.myisp.net]:submission username:password

Note: some SMTP servers support PLAIN or LOGIN authentication only. By default, the Postfix SMTP client does not use authentication methods that send plaintext passwords, and defers delivery with the following error message: "Authentication failed: cannot SASL authenticate to server". To enable plaintext authentication specify, for example:

/etc/postfix/main.cf:
    smtp_sasl_security_options = noanonymous

The Postfix SASL client password file is opened before the SMTP server enters the optional chroot jail, so you can keep the file in /etc/postfix.

Note: Some SMTP servers support authentication mechanisms that, although available on the client system, may not in practice work or possess the appropriate credentials to authenticate to the server. It is possible via the smtp_sasl_mechanism_filter parameter to further restrict the list of server mechanisms that the smtp(8) client will take into consideration:

/etc/postfix/main.cf:
    smtp_sasl_mechanism_filter = !gssapi, !external, static:all

In the above example, Postfix will decline to use mechanisms that require special infrastructure such as Kerberos.

The Postfix SMTP client is backwards compatible with SMTP servers that use the non-standard "AUTH=method..." syntax in response to the EHLO command; there is no Postfix client configuration needed to work around it.

Credits