SMTP Authenticate before send

[tyme]

I'm working on setting up my server and I want to enable authentication before send for SMTP (Postfix). So far I've been able to get virtual mailboxes set up and working, but I can't find how to set postfix to authenticate these users before allowing them to send email. I want to do it this way so that I can avoid having an "completely" open relay while still being able to relay (so that users can send from any of the domains i host to anywhere).

 

Any suggestions on how to approach this? I've essentially followed these directions, save for setting it up to allow checking with other than just squirrelmail.

[ianw1974]

For authentication, you need to have cyrus-sasl, this is what I use with postfix. Then your directive within postfix is usually under smtpd_recipient_restrictions but can also be under smtpd_sender_restrictions and you put:

 

smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain

 

also, don't forget to put under smtpd_recipient_restrictions the reject_unauth_destination directive, else you will be an open relay. Then under mydestinations directive, list all domains you want your server to send/receive so that it's still not an open relay. If you put reject_unauth_destination, you'll need to put the domains under mydestination so as to ensure your more secure. I'd prefer it secured, than leaving it an open relay that requires authentication, in case something goes wrong!

[tyme]

I still seem to be missing a piece. I think postfix doesn't know how to authenticate the users...I'm not sure. Haven't had a lot of time to work on it just yet.

[ianw1974]

Postfix does need a little bit of configuration for clients that are going to connect, and in particular one line for broken clients (Outlook - no surprise there!).

 

When you have cyrus-sasl installed, you need to configure this with the IP of the machine that is providing the SMTP/POP3/IMAP services, so if the same server, then localhost will do in here. Otherwise, the IP of the other server.

 

This is about the best document you could follow for doing this:

 

http://www.gentoo.org/doc/en/virt-mail-howto.xml

 

Look at section 4 for cyrus-sasl config and adapt it for your distro. Then look at section 6 for the SASL config. Ignore the TLS stuff, unless you want to use TLS with SMTP. Note, this is not the same as SMTPS (SSL).

[tyme]

thanks for the link...i'll try to sit down with that document tonight and see if i can get this configured correctly.

Edited April 17, 2008 by tyme

[ianw1974]

I'm using this config, so I know it works :)

 

PM me if you need anything specific, as I have two working servers using SMTP auth, one with virtual domains, and one as an SMTP relay for two other email servers behind it.

[tyme]

[edit - apparently I was wrong, Thunderbird was set to use my old smtp server, which is why I thought it was working (it's not) ]

 

now I'm not sure what's wrong...i could receive email before, but now I can't receive or send. When I attempt to connect to SMTP via localhost the connection either gets closed within a few seconds (by the server - "foreign host") or if I attempt EHLO I get no response back. I've tried sending a few emails and they aren't arriving.

 

*sigh*...back to the drawing board.

Edited April 18, 2008 by tyme

[tyme]

ugh. No progress. Setting this:

mynetworks = my.ip.net.work/24, 127.0.0.0/8

In /etc/postfix/main.cf (following the Gentoo wiki) made smtp essentially unresponsive from localhost. I think some settings from the Gentoo wiki are causing problems...I'm not sure. Will have to get back to this tomorrow night.

[ianw1974]

That shouldn't cause a problem, is practically the same as what I have in mine - all working OK. You must have some other config disturbing it.

[tyme]

I also found that setting myhostname and mydomain in /etc/postfix/main.cf causes mail to be delivered to the local users and not the virtual users. :unsure:

[tyme]

checking auth.log seems to have revealed the source of my issue:

Apr 18 05:37:46 tymnia postfix/smtpd[27070]: sql_select option missing

Now to figure out where in the configs i need to set this option...hmm...so far google hasn't provided an answer (aside from removing the sql ability for sasl, but that's not what i want to do).

Edited April 18, 2008 by tyme

[ianw1974]

I use mysql with my server. It's all in that Gentoo link I sent. I've even used this on CentOS/Red Hat too. Adapted slightly of course, but works.

 

To disable local mail, edit master.cf and look for the local line and comment it out.

[tyme]

Adapted slightly of course, but works.

I'm sure it does...I think I've just either missed a piece or there is some other difference in how arch does it that I'm missing.

 

To disable local mail, edit master.cf and look for the local line and comment it out.

Thanks for the tip :)

[ianw1974]

I'm downloading the latest Arch iso now, so I'll replicate my config on this in vmware - won't take too long to see if I notice any issues.

[tyme]

note that I'm using 64-bit arch on this server, so there may be some differences if you grabbed 32-bit.

Edited April 21, 2008 by tyme