Postfix, SMTP Auth (instead of pop-before-smtp) and TLS
In order to be able to send e-mails from an external device, it is necessary
that the e-mail server allows relaying; however, caution is important, so that
no spammers may send their spam mails via this server - so we want to avoid an
open relay.
First experiments with the package pop-before-smtp (works also for imap or
imap4, respectively) were successful, but not very reliable. Therefore, the
solution with SMTP Auth was chosen and after some difficulties successfully
installed.
Of course, we do not want to send usernames and passwords unencrypted over
the internet and therefore we use TLS whenever contacting our mail server.
First, the following packages have to be installed:
apt-get install postfix-tls libsasl2 libsasl2-modules sasl2-bin
This implementation was done under Debian Linux Sarge. First, messages like
postfix/smtpd[30238]: warning: SASL authentication failure:cannot connect to saslauthd server: Not a directory
postfix/smtpd[30238]: warning: gprs01.swisscom-mobile.ch[193.247.250.1]: SASL LOGIN authentication failed
appeared in the file /var/log/mail.log.
Finally, the reason for these error messages was found: there was a wrong
entry in the file /etc/postfix/sasl/smtpd.conf. One of the web pages found
with a Google search says that the file should contain the line
saslauthd_path: /var/run/saslauthd/mux/mux
However, this is wrong!
Now, we have the following entries in our configuration files:
/etc/postfix/sasl/smtpd.conf :
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
saslauthd_path: /var/run/saslauthd/mux
autotransition:true
log_level: 3

The file /etc/default/saslauthd contains the following relevant entries:
START=yes
MECHANISMS="shadow"

In the file /etc/postfix/master.cf the following lines were uncommented:
tlsmgr    fifo  -       -       n       300     1       tlsmgr
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
587       inet  n       -       n       -       -       smtpd
  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes

The important modifications/additions in the file /etc/postfix/main.cf are as follows:
# Allow relaying for sasl-authenticated devices:
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_policy_service inet:127.0.0.1:60000
# For SMTP Auth:
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
# For TLS:
smtpd_tls_cert_file = /etc/ssl/certs/dovecot.pem
smtpd_tls_key_file = /etc/ssl/private/dovecot.pem

We use the same certificate as for our IMAP-server 'dovecot'; this works fine.
cd /etc/ssl/certs
openssl x509 -in dovecot.pem -outform der -out dovecot.der
mv dovecot.der dovecot.crt
Once all these configuration steps are made, the only things remaining are:
/etc/init.d/saslauthd start
/etc/init.d/postfix restart
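
The main.cf settings above can be checked against the two goals stated at the top (no open relay, no credentials in clear text) with a small audit script. This is an added example, not part of the original page or of Postfix: the function names and finding texts are hypothetical, the sample input is constructed from the main.cf lines above, and the smtpd_tls_auth_only check is an addition, since that real Postfix parameter is not among the settings this page shows.

```python
import re

# Constructed sample input: the relay and SMTP Auth settings from this page's main.cf.
SAMPLE_MAIN_CF = """\
# Allow relaying for sasl-authenticated devices:
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination,
    check_policy_service inet:127.0.0.1:60000
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
"""

def parse_main_cf(text):
    """Parse main.cf text into {name: value}, joining continuation lines."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # blank lines and comments are ignored
        if line[0].isspace() and name:    # leading whitespace continues the value
            params[name] = (params[name] + " " + line.strip()).strip()
        elif "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            params[name] = value
    return params

def audit(text):
    """Return a list of findings (hypothetical wording) for relay and AUTH settings."""
    p = parse_main_cf(text)
    # Defaults below are those of Postfix releases before 2.10, as used on this page.
    rules = re.split(r"[,\s]+", p.get("smtpd_recipient_restrictions",
                                      "permit_mynetworks, reject_unauth_destination"))
    sasl_opts = re.split(r"[,\s]+", p.get("smtpd_sasl_security_options", "noanonymous"))
    sasl_on = p.get("smtpd_sasl_auth_enable", "no") == "yes"
    findings = []
    if "reject_unauth_destination" not in rules:
        findings.append("open relay risk: reject_unauth_destination is missing")
    if "permit_sasl_authenticated" in rules and not sasl_on:
        findings.append("permit_sasl_authenticated is listed but SASL is disabled")
    if sasl_on and "noanonymous" not in sasl_opts:
        findings.append("anonymous SASL mechanisms are not excluded")
    if sasl_on and p.get("smtpd_tls_auth_only", "no") != "yes":
        findings.append("AUTH is offered without TLS: smtpd_tls_auth_only is not yes")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_MAIN_CF):
        print(finding)
```

On the sample input the only finding is the missing smtpd_tls_auth_only, which matters for any smtpd service that does not enforce TLS itself, because the mechanisms PLAIN and LOGIN send the password without encryption of their own.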