Posted in Howto Linux Postfix Red Hat/CentOS SQL Security

CentOS/RHEL Postfix SMTP AUTH

November 15, 2006 - 9 comments

Thanks to Luca Gibelli for his document about Postfix SMTP AUTH.
It helped me a lot, this article is largely based on his work, I adapted it to match RHEL/CentOS systems.

Scenario
Your mail server hosts multiple domains.
You use a MySQL database as backend for user authentication.

Users authenticate to the POP3/IMAP server as :
username : username@example.org
password : test123

You want to allow them to authenticate with SMTP AUTH using the same credentials.
The credentials are stored in a MySQL database in an encrypted form.
You want them to authenticate on a secure channel (TLS)

What you need
postfix with MySQL, TLS support (available in the centosplus repository)
cyrus-sasl (available in the base repo)
cyrus-sasl-plain (ditto)
cyrus-sasl-md5 (ditto)
openssl (ditto)
pam_mysql (ditto)

pam_mysql is available at : http://repo.securityteam.us/repository/
el3 : http://repo.securityteam.us/repository/redhat/el3/i386/RPMS/pam_mysql-0.6.2-2.i386.rpm
el4 : http://repo.securityteam.us/repository/redhat/el4/i386/RPMS/pam_mysql-0.6.2-2.i386.rpm

How to set it up
* Edit /etc/pam.d/smtp :

#%PAM-1.0
#auth required pam_stack.so service=system-auth
#account required pam_stack.so service=system-auth
# Comment : SMTP AUTH with MySQL
# This is the first line
auth required pam_mysql.so user=database passwd=password host=127.0.0.1 db=postfix table=mailbox usercolumn=username passwdcolumn=password crypt=1 md5=1
# This is a second line
account sufficient pam_mysql.so user=database passwd=password host=127.0.0.1 db=postfix table=mailbox usercolumn=username passwdcolumn=password crypt=1 md5=1

Change the info to match your configuration
The auth and account lines could be cut in half in this article.
If you are copy-pasting the text, make sure everything holds on one line on both auth and account statement.

* Edit /usr/lib/sasl2/smtpd.conf :

pwcheck_method: saslauthd
# add the following two lines for smtp auth
mech_list: PLAIN LOGIN
log_level: 5

* Make sure “MECH=pam” is present under /etc/sysconfig/saslauthd

===
Edit 15 dec 2006 :
IMPORTANT NOTICE FOR RHEL/CENTOS 4 USERS

I’m currently installing a mail server under CentOS 4.4 while this guide describes the CentOS 3 way
I thought it did not matter but there’s a small difference with saslauthd..

Under CentOS 4.x you need to add the following line in /etc/sysconfig/saslauthd :
FLAGS="-r"

Without the -r flag, saslauthd would query the MySQL database this way :
25 Query SELECT password FROM mailbox WHERE username = 'admin'

Obviously, the whole email address is stored in the database, with the -r flag, it will query correctly :
26 Query SELECT password FROM mailbox WHERE username = 'admin@example.org'

The man page for saslauthd mentions the -r flag under CentOS 4 only..

-r Combine the realm with the login (with an ’@’ sign in between). e.g. login: “foo” realm: “bar” will get passed as login: “foo@bar”. Note that the realm will still be passed, which may lead to unexpected behavior.
===

* Add the following lines to /etc/postfix/main.cf :

smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes

This will enable SASL authentication to all the smtp ssl instances.
You can disable sasl auth for certain instances under /etc/postfix/master.rc if you need

10.0.0.1:smtps inet n - n - 10 smtpd
-o smtpd_sasl_auth_enable=no

* Under /etc/postfix/main.cf :

Add “permit_sasl_authenticated” to the “smtpd_recipient_restrictions” section :

smtpd_recipient_restrictions =
...
permit_sasl_authenticated
reject_unauth_destination

Enable TLS

* Finally create the SSL certificate needed by TLS:

# mkdir /etc/postfix/tls
# cd /etc/postfix/tls
# openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
# openssl req -new -key smtpd.key -out smtpd.csr

Note: leave “challenge password” empty.

# openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt

# openssl rsa -in smtpd.key -out smtpd.key.unencrypted

# mv -f smtpd.key.unencrypted smtpd.key

# openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

* Add the following lines to /etc/postfix/main.cf:

smtpd_tls_auth_only = no
# smtp_use_tls : if set to "no" do not use TLS when connecting to server offering STARTTLS
smtp_use_tls = no
# smtpd_use_tls : if set to "yes", offers STARTTLS to SMTP clients
smtpd_use_tls = yes
# smtp_tls_note_starttls_offer : logs STARTTLS offers from remote SMTP server
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/tls/smtpd.key
smtpd_tls_cert_file = /etc/postfix/tls/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/tls/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
tls_daemon_random_source = dev:/dev/urandom

Restart the services
service saslauthd restart
service postfix restart

Start services at boot
chkconfig postfix on
chkconfig saslauthd on

Debugging issues with verbose logs :

* pam-mysql :
add “verbose=true” to the end of the auth and account lines in /etc/pam.d/smtp

* saslauthd :
stop the service
start saslauthd manually :
# saslauthd -a pam -d

Links :

If you want to run Postfix chrooted with a MySQL backend : http://www.wains.be/?p=161
If you want to run Postfix chrooted with saslauthd : http://www.wains.be/?p=162
Script to enable/disable Postfix chroot (tested with Postfix 2.2.8) : http://www.wains.be/pub/postfix-chroot

Comments

voytek

October 24, 2007 - 16:32

Sebastien,

many thanks for this how to

dumb question: do I need to place ‘select’ statement somewhere..?

I’m getting this in /var/log/secure:

Oct 25 00:30:27 saslauthd[1852]: pam_mysql – SELECT returned no result.

Oct 25 00:30:29 postfix/smtpd[2325]: warning: [59.101.42.5]: SASL PLAIN authentication failed: authentication failure

Sureshkumar

February 19, 2009 - 8:39

How can i add multiple users for Setting up SMTP Authentication on postfix …please
help me. am waiting your reply

Seb

February 19, 2009 - 10:42

@ Sureshkumar
http://www.wains.be/index.php/category/postfix/

Sureshkumar

February 19, 2009 - 11:26

How can i add multiple users for Setting up SMTP Authentication on postfix in the /etc/postfix/sasl_passwd …please help me. am waiting your reply

Seb

February 19, 2009 - 11:28

You obviously didn’t follow this howto.. since it doesn’t mention sasl_passwd anywhere. This howto shows how to do SMTP auth with multiple users stored in a MySQL DB.

Francisco Sosa

May 6, 2009 - 3:39

Hello Sebastien

I have the same error than Voithek,
May 5 20:37:26 mail postfix/smtpd[3453]: warning: mail.linuxmail.sytes.net[127.0.0.1]: SASL PLAIN authentication failed: authentication failure

can you help me???

Sébastien Wains

May 6, 2009 - 21:35

This howto is somewhat deprecated, and I no longer use CentOS. I recommend you to check howtoforge.com for updated tutorials.

shankar

June 28, 2009 - 9:30

Hi Sebastain,

I wan a step by step description of how to send virtual mail delivery using only postfix and mysql

Please help

thanks
shankar

zxvzv

January 30, 2010 - 7:56

If you are lack of wow gold, do you want to

learn how to make world of warcraft gold? As for how to make world of warcraft

gold, there a lot of wow gold kuafen making

guides that can teach you the ways to collect wow gold.

Trackback URI Comments RSS

Leave Comment

Please consider visiting the partners below if you enjoyed this article :

If this post saved you time and money, please consider checking my Amazon wishlist.

Before submitting, some rules :
- Is your comment related to the article ?
- You're having a problem ? Have you checked Google, other howtos, docs, manpages ?
- You're still having the problem ? Have you raised log verbosity, checked traces, ran tcpdump ?
- Have you checked your configuratoin for typo ?
Unless your comment is providing additional info or respect the rules above, DON'T comment.
If you don't understand what you are doing, I urge you to read the documentation, I'm not your free Level 1 helpdesk guy.