Postfix, SMTP Auth (instead of pop-before-smtp) and TLS


In order to send e-mail from an external device, the mail server has to relay for that device. At the same time it must not relay for anybody else, otherwise spammers would send their spam through it - in other words, we want to avoid an open relay.
First experiments with the package pop-before-smtp (it also works for IMAP/IMAP4) were successful, but not very reliable. Therefore the solution with SMTP Auth was chosen and, after some difficulties, successfully installed.
Of course, we do not want to send usernames and passwords unencrypted over the internet, and therefore we use TLS whenever contacting our mail server.

First, the following packages have to be installed:

apt-get install postfix-tls libsasl2 libsasl2-modules sasl2-bin

This implementation was done under Debian Linux Sarge. At first, messages like

postfix/smtpd[30238]: warning: SASL authentication failure:cannot connect to saslauthd server: Not a directory
postfix/smtpd[30238]: warning:[]: SASL LOGIN authentication failed

appeared in the file /var/log/mail.log.

Finally, the reason for these error messages could be found: there was a wrong entry in the file /etc/postfix/sasl/smtpd.conf. According to one of the web pages found with a Google search, the file should contain the line
saslauthd_path: /var/run/saslauthd/mux/mux
However, this is wrong! The path must point at the mux directory itself (see below), not at a file mux inside it.

Now, we have the following entries in our configuration files:
/etc/postfix/sasl/smtpd.conf :

pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
saslauthd_path: /var/run/saslauthd/mux
log_level: 3
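The mech_list above offers PLAIN and LOGIN, both of which merely base64-encode the username and password. The following example is added here and is not code from the original page; the two SMTP sessions in it are constructed. It decodes both exchanges exactly as anyone watching an unencrypted connection could, which is why the submission ports configured further down are TLS-only and why noanonymous is set.

```python
"""Show what the PLAIN and LOGIN SASL mechanisms put on the wire.
Added example; the sessions below are constructed, not captured."""
import base64

# Constructed AUTH PLAIN exchange (RFC 4616 initial response: authzid\0authcid\0passwd).
PLAIN_SESSION = [
    "C: AUTH PLAIN " + base64.b64encode(b"\0alice\0s3cret").decode(),
    "S: 235 2.7.0 Authentication successful",
]

# Constructed AUTH LOGIN exchange; the 334 prompts are base64 "Username:" / "Password:".
LOGIN_SESSION = [
    "C: AUTH LOGIN",
    "S: 334 VXNlcm5hbWU6",
    "C: " + base64.b64encode(b"alice").decode(),
    "S: 334 UGFzc3dvcmQ6",
    "C: " + base64.b64encode(b"s3cret").decode(),
    "S: 235 2.7.0 Authentication successful",
]

# Mechanisms that send the password itself (only encoded, not protected).
CLEARTEXT_MECHANISMS = ("PLAIN", "LOGIN")


def recover_credentials(session):
    """Return (mechanism, username, password) as readable by a passive observer
    of an unencrypted session, or None if the session contains no AUTH command."""
    client = [line[3:] for line in session if line.startswith("C: ")]
    for i, cmd in enumerate(client):
        parts = cmd.split()
        if len(parts) < 2 or parts[0].upper() != "AUTH":
            continue
        mech = parts[1].upper()
        if mech == "PLAIN":
            # The blob is either sent with the command or in the next client line.
            blob = base64.b64decode(parts[2] if len(parts) > 2 else client[i + 1])
            _authzid, authcid, passwd = blob.split(b"\0", 2)
            return mech, authcid.decode(), passwd.decode()
        if mech == "LOGIN":
            user = base64.b64decode(client[i + 1]).decode()
            passwd = base64.b64decode(client[i + 2]).decode()
            return mech, user, passwd
    return None


def cleartext_mechanisms(mech_list):
    """Return the entries of a smtpd.conf mech_list that transmit the password
    in recoverable form and therefore must only be offered under TLS."""
    return [m for m in mech_list.split() if m.upper() in CLEARTEXT_MECHANISMS]


if __name__ == "__main__":
    for session in (PLAIN_SESSION, LOGIN_SESSION):
        print(recover_credentials(session))
    print(cleartext_mechanisms("PLAIN LOGIN"))
```

Both functions return the same credentials for the PLAIN and the LOGIN session, which is the whole point: with this mech_list the protection of the password comes entirely from the TLS layer, not from the mechanism.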

The file /etc/default/saslauthd contains the following relevant entries:

In the file /etc/postfix/ the following lines were uncommented:

tlsmgr    fifo  -       -       n       300     1       tlsmgr
smtps     inet  n       -       n       -       -       smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
587       inet  n       -       n       -       -       smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes

The important modifications/additions in the file /etc/postfix/ are as follows:

# Allow relaying for sasl-authenticated devices:
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_policy_service inet:
# For SMTP Auth:
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
# For TLS:
smtpd_tls_cert_file = /etc/ssl/certs/dovecot.pem
smtpd_tls_key_file = /etc/ssl/private/dovecot.pem
We use the same certificate as for our IMAP server 'dovecot'; this works fine.
Should you wish to load the certificate onto a portable device such as a Nokia E90 Communicator, convert it to DER format, rename it to dovecot.crt and upload it to your device. This is necessary to avoid messages on the portable like "Diese Seite hat ein unbeglaubigtes Zertifikat gesendet" (roughly: "This site has sent an unverified certificate").
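Because smtpd_sasl_auth_enable = yes in main.cf applies to every smtpd service, including port 25, it is worth checking that AUTH is never offered on a service that does not require TLS, and that the relay restrictions are in the order that makes reject_unauth_destination effective. The following audit script is an added example, not code from the original page: the main.cf and master.cf texts are constructed samples modelled on the fragments above (the truncated check_policy_service entry is left out), and the parameter smtpd_tls_auth_only it looks for is a standard Postfix parameter that does not appear on this page.

```python
"""Audit a Postfix relay/SASL/TLS configuration for the pitfalls discussed above.
Added example; the configuration texts are constructed samples."""
import re

SAMPLE_MAIN_CF = """\
# Allow relaying for sasl-authenticated devices:
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination
# For SMTP Auth:
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
# For TLS:
smtpd_tls_cert_file = /etc/ssl/certs/dovecot.pem
smtpd_tls_key_file = /etc/ssl/private/dovecot.pem
"""

SAMPLE_MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
smtps     inet  n       -       n       -       -       smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
587       inet  n       -       n       -       -       smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
"""


def parse_main_cf(text):
    """Return {parameter: value}; a line starting with whitespace continues
    the previous parameter's value, as Postfix reads main.cf."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and current is not None:
            params[current] += " " + line.strip()
            continue
        key, _, value = line.partition("=")
        current = key.strip()
        params[current] = value.strip()
    return params


def parse_master_cf(text):
    """Return {service: {param: value}} built from the -o overrides of each smtpd service."""
    services = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or f[7] != "smtpd":
            continue
        services[f[0]] = dict(f[i + 1].split("=", 1) for i, tok in enumerate(f) if tok == "-o")
    return services


def words(value):
    return [w for w in re.split(r"[,\s]+", value) if w]


def effective(overrides, main_cf, param):
    """A service's -o override wins; otherwise the main.cf value; otherwise 'no'."""
    return overrides.get(param, main_cf.get(param, "no"))


def audit(main_cf_text, master_cf_text):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    main_cf = parse_main_cf(main_cf_text)

    # 1. Relay control. Restrictions are evaluated in order: the permits for
    #    relaying must precede reject_unauth_destination, and a bare 'permit'
    #    before it makes the server an open relay.
    restr = words(main_cf.get("smtpd_recipient_restrictions", ""))
    if "reject_unauth_destination" not in restr:
        findings.append("open relay: reject_unauth_destination missing")
    else:
        cut = restr.index("reject_unauth_destination")
        if "permit" in restr[:cut]:
            findings.append("open relay: bare 'permit' before reject_unauth_destination")
        if "permit_sasl_authenticated" in restr[cut + 1:]:
            findings.append("permit_sasl_authenticated after reject_unauth_destination: authenticated clients cannot relay")

    # 2. The ANONYMOUS mechanism must never be accepted.
    if "noanonymous" not in words(main_cf.get("smtpd_sasl_security_options", "")):
        findings.append("smtpd_sasl_security_options lacks noanonymous")

    # 3. Every smtpd service that offers AUTH must also require TLS, otherwise
    #    PLAIN/LOGIN credentials may cross the network unencrypted.
    for name, overrides in parse_master_cf(master_cf_text).items():
        auth = effective(overrides, main_cf, "smtpd_sasl_auth_enable") == "yes"
        tls_required = "yes" in (effective(overrides, main_cf, "smtpd_enforce_tls"),
                                 effective(overrides, main_cf, "smtpd_tls_wrappermode"),
                                 effective(overrides, main_cf, "smtpd_tls_auth_only"))
        if auth and not tls_required:
            findings.append(f"{name}: AUTH offered without requiring TLS")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_MAIN_CF, SAMPLE_MASTER_CF):
        print("FINDING:", finding)
```

Run against the sample, the script reports exactly one finding: the plain port-25 service inherits smtpd_sasl_auth_enable = yes from main.cf but nothing forces TLS there. Adding smtpd_tls_auth_only = yes to main.cf (or moving smtpd_sasl_auth_enable out of main.cf into the -o overrides of smtps and 587 only) makes the audit come back clean.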
cd /etc/ssl/certs
# x509 is the openssl subcommand that reads the PEM certificate and writes it out as DER
openssl x509 -in dovecot.pem -outform der -out dovecot.der
mv dovecot.der dovecot.crt
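A DER file is nothing more than the decoded base64 body of the CERTIFICATE block in the PEM file, so the conversion can be verified by comparing fingerprints of both files before the .crt goes onto the device. The following example is added here and is not code from the original page; the PEM text in it wraps a constructed minimal DER object rather than a real certificate. It deliberately extracts only the CERTIFICATE block, so that a PEM file which also carries a PRIVATE KEY block would never have the key copied into the file uploaded to the phone.

```python
"""Convert a PEM certificate to DER and verify the result by fingerprint.
Added example; SAMPLE_DER is a constructed minimal DER SEQUENCE, not a real
certificate, so that the example runs offline."""
import base64
import hashlib
import re

# Constructed DER object: SEQUENCE { INTEGER 1 }.  A real certificate is a much
# larger SEQUENCE, but it starts with the same 0x30 tag byte.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode() + "\n"
              + "-----END CERTIFICATE-----\n")

CERT_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block; any other PEM block
    in the same file (e.g. a private key) is ignored."""
    match = CERT_BLOCK.search(pem_text)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(match.group(1).split()))
    if not der or der[0] != 0x30:
        raise ValueError("decoded data does not start with a DER SEQUENCE")
    return der


def fingerprint(der_bytes):
    """SHA-256 fingerprint as shown by most certificate viewers (hex, no colons)."""
    return hashlib.sha256(der_bytes).hexdigest()


def same_certificate(pem_text, der_bytes):
    """True if the DER file is the certificate contained in the PEM file."""
    return fingerprint(pem_to_der(pem_text)) == fingerprint(der_bytes)


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print("fingerprint:", fingerprint(der))
    print("matches:", same_certificate(SAMPLE_PEM, der))
```

With real files, compare fingerprint(open("dovecot.crt", "rb").read()) against the fingerprint the device displays when it asks whether to trust the certificate; only install it when the two agree.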

Once all these configuration steps are done, the only things remaining are:

/etc/init.d/saslauthd start
/etc/init.d/postfix restart

Last Update: 02Jan2008 uk --- Created: 01Jan2008 uk