LinuxQuestions.org
Old 10-20-2009, 12:20 PM   #1
periferral
LQ Newbie
 
Registered: Oct 2009
Posts: 5

Rep: Reputation: 0
postfix sasl2 auth login


Hi. I am trying to get my Postfix install to require AUTH LOGIN using SASL. However, I'm not having much luck getting this working. Here is what I have. This is running on Debian squeeze.

dns:~# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
disable_vrfy_command = yes
inet_interfaces = all
mailbox_size_limit = 0
mydestination = $myhostname, localhost, localhost.localdomain, localhost.$myhostname
myhostname = dns.example.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_sasl_auth_enable = no
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetwork, sreject_unauth_destination, check_relay_domains
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_unknown_sender_domain, reject_non_fqdn_sender, reject_maps_rbl, reject_unauth_destination
smtpd_tls_CAfile = /etc/ssl/CA/keys/ca.crt
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/CA/keys/example.crt
smtpd_tls_key_file = /etc/ssl/CA/keys/example.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
virtual_alias_maps = ldap:ldapalias
virtual_gid_maps = static:999
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = ldap:domains
virtual_mailbox_maps = ldap:accounts
virtual_minimum_uid = 999
virtual_transport = dovecot
virtual_uid_maps = static:999
dns:~#

dns:~# cat /etc/postfix/sasl/smtpd.conf
pwcheck_method: saslauthd
mech_list: login plain

dns:~#
dns:~# cat /etc/saslauthd.conf
ldap_servers: ldap://127.0.0.1
ldap_search_base: dc=example,dc=com
ldap_filter: (mail=%u)

dns:~#

dns:~# testsaslauthd -u example@example.com -p password
0: OK "Success."
dns:~#

dns:~# telnet localhost 25
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 dns.example.com ESMTP Postfix (Debian/GNU)
ehlo example.com
250-dns.example.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
^]
telnet> q


Above I expect to see 250-AUTH, which I don't. Any clues why this is? I'm wondering if I have the location of smtpd.conf right. Or is there something else wrong here? Thanks much.
 
Old 10-20-2009, 04:06 PM   #2
Berhanie
Senior Member
 
Registered: Dec 2003
Location: phnom penh
Distribution: Fedora
Posts: 1,625

Rep: Reputation: 165
Quote:
smtpd_tls_auth_only = yes
This means that smtp auth is only given under TLS.
Connect this way and you'll see it:
Code:
openssl s_client -connect localhost:25 -starttls smtp
Note: when doing manual smtp conversations with s_client, you must
type a space before lines starting with an 'R' since an 'R' means
something to s_client (see s_client man page), e.g.
Code:
# line starts with 'M':
MAIL FROM:<something@somwhere>

# line starts with 'R': must be indented:
 RCPT TO:<someone@whereever>
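
The behaviour described in this answer can be checked mechanically. The following is an added example, not part of the original posts: it parses the EHLO reply from post #1 and a constructed post-STARTTLS reply, then verifies that AUTH is hidden in cleartext and offered under TLS. The names `parse_ehlo`, `audit` and `probe` are hypothetical, and `probe` is a live variant that needs a reachable server whose certificate matches the host name.

```python
import smtplib
import ssl

# EHLO reply before STARTTLS, copied from the telnet session in post #1.
PRE_TLS = """250-dns.example.com
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""
# Constructed sample (not from the thread): a plausible reply after STARTTLS,
# using the mechanisms from mech_list in smtpd.conf.
POST_TLS = PRE_TLS.replace("250-STARTTLS", "250-AUTH LOGIN PLAIN")

def parse_ehlo(reply):
    """Map each ESMTP keyword in a raw EHLO reply to its parameter list."""
    features = {}
    for line in reply.strip().splitlines()[1:]:  # first line is the server name
        if line[:3] == "250" and line[3:4] in "- ":
            words = line[4:].replace("=", " ").split()  # also accepts legacy "AUTH=..."
            if words:
                features.setdefault(words[0].upper(), []).extend(
                    w.upper() for w in words[1:])
    return features

def audit(pre, post):
    """Return findings for a server meant to run smtpd_tls_auth_only = yes."""
    findings = []
    if "STARTTLS" not in pre:
        findings.append("STARTTLS not offered before TLS")
    if "AUTH" in pre:
        findings.append("AUTH offered in cleartext: " + " ".join(pre["AUTH"]))
    if "AUTH" not in post:
        findings.append("AUTH not offered after STARTTLS")
    return findings

def probe(host, port=25, cafile=None):
    """Live variant: collect both feature sets from a server with smtplib."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo()
        pre = {k.upper(): v.upper().split() for k, v in s.esmtp_features.items()}
        s.starttls(context=ssl.create_default_context(cafile=cafile))
        s.ehlo()  # features are reset after STARTTLS and must be requested again
        post = {k.upper(): v.upper().split() for k, v in s.esmtp_features.items()}
    return audit(pre, post)

if __name__ == "__main__":
    print(audit(parse_ehlo(PRE_TLS), parse_ehlo(POST_TLS)) or "policy holds")
```

An empty findings list means the server behaves as the answer describes; "AUTH not offered after STARTTLS" would instead point at the SASL setup rather than at smtpd_tls_auth_only.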
 
Old 10-20-2009, 10:52 PM   #3
periferral
LQ Newbie
 
Registered: Oct 2009
Posts: 5

Original Poster
Rep: Reputation: 0
Seems like I had it right all along and just didn't know it. Thanks again for bringing this to my attention.
 
  

