Mail server - secure connection, configuring Saslauthd

Following on from the previous article, we can now give our mail server a way to authenticate users, so that a client has to log in before it is allowed to send mail. We do this with saslauthd. The encrypted connection itself (the SSL/TLS certificate) is covered in the next article.


Saslauthd

Eh?

Saslauthd is quite simply (quoting the 'man' page):

"a daemon process that handles plaintext authentication requests on behalf of the SASL library."

Or to put it in even plainer English: it is the piece that checks a username and password, so you need it to log on.

Let's go ahead and edit the main saslauthd file:

sudo nano /etc/default/saslauthd

The first line to edit is the first one you come across; it makes saslauthd start automatically at boot (the default is no). Note that the value is a lower-case 'yes':

# Should saslauthd run automatically on startup? (default: no)
START=yes

The second thing to change is the OPTIONS line at the bottom of the file.

The default looks like this:

#
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
OPTIONS="-c -m /var/run/saslauthd"

Well, we are running Postfix, so let's follow that advice. The reason for the odd path is that on Ubuntu/Debian the Postfix smtpd process runs chrooted in /var/spool/postfix, so the saslauthd socket has to live under that directory or Postfix will never be able to reach it. Change the options to read:

#
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"

Note the added '-r' option: it makes saslauthd combine the realm with the login name, so the authentication request carries the whole address (user@example.com) rather than just 'user'. That matters because the MySQL lookup we configure below matches on the email column.

Missing directory

The eagle-eyed amongst you will have noticed that we just pointed the -m option at a directory that does not exist yet.

Well, let's rectify that by creating it:

sudo mkdir -p /var/spool/postfix/var/run/saslauthd

MySQL

Remember that we are using MySQL to hold the information on our domains, email addresses and users.

As such, the authentication process needs to know where to find the credentials for each user (i.e. the email address and the password hash).

We need to create two simple files to give the authentication process access to the database holding that data. The first is a PAM service file for saslauthd; it does not exist yet, so the two lines below are its entire contents:

sudo nano /etc/pam.d/smtp

We need to enter the relevant details for the database, replacing 'newpassword' with the password you gave the mailadmin MySQL user.

In my case I entered:

auth    required   pam_mysql.so user=mailadmin passwd=newpassword host=127.0.0.1 db=mail table=users usercolumn=email passwdcolumn=password crypt=1
account sufficient pam_mysql.so user=mailadmin passwd=newpassword host=127.0.0.1 db=mail table=users usercolumn=email passwdcolumn=password crypt=1

This lets PAM, on behalf of saslauthd, look up the row whose email column matches the login name and compare the password. Note 'crypt=1': it tells pam_mysql that the password column holds a crypt(3)-style hash rather than the clear-text password, so when we add users we will make sure the password is stored in that hashed form. Note also that this file contains the database password itself, so it must not be left world-readable.

And finally, we need to create a second file:

sudo nano /etc/postfix/sasl/smtpd.conf

The contents tell the SASL library how to check a login (hand it to saslauthd) and where the user database lives:

pwcheck_method: saslauthd
mech_list: plain login
allow_plaintext: true
auxprop_plugin: mysql
sql_hostnames: 127.0.0.1
sql_user: mailadmin
sql_passwd: newpassword
sql_database: mail
sql_select: select password from users where email = '%u'

Two things are worth knowing here. First, with pwcheck_method set to saslauthd, the plain and login mechanisms are verified by saslauthd through the PAM file we just created; the auxprop_plugin and sql_ lines give the SASL library direct access to the same database and are only consulted by mechanisms that need the stored password themselves. They must still carry the real mailadmin password (replace 'newpassword' again, and make sure there is no trailing space after it, which would break the database connection). Second, both this file and /etc/pam.d/smtp now hold the database password in clear text, so restrict them to root and the postfix group: owner root, group postfix, mode 640.

Users

As with all things Linux, permission to perform certain actions and to read certain files is based on users and groups.

As such, we need to add postfix to the sasl group, which is the group that is allowed to connect to the saslauthd socket we just set up.

This is done very simply:

sudo adduser postfix sasl

Done.

Restart

So far we have added and edited configuration files and had a good time doing it, but nothing is running with the new settings yet. Restart both services so the changes are picked up and acted on:

sudo /etc/init.d/postfix restart
sudo /etc/init.d/saslauthd restart

If saslauthd started correctly, the socket directory we created now contains a 'mux' socket. If it does not, check that START=yes is in lower case and that the path given to -m in OPTIONS really exists.
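As an added example (not code from the original article), here is the whole procedure on this page as one script: it writes /etc/default/saslauthd, /etc/pam.d/smtp and /etc/postfix/sasl/smtpd.conf, creates the socket directory inside the Postfix chroot, restricts the two files that carry the database password, and runs a pre-flight check for the mistakes reported in the comments below (START=YES in upper case, a missing -m directory, the 'newpassword' placeholder left in, trailing whitespace, world-readable secrets) before restarting Postfix and saslauthd. A verify_login helper wraps testsaslauthd so a login can be tested through the chroot socket without involving Postfix. The function names, the SASL_* variables and the use of an environment variable for the database password are my assumptions, not anything the article prescribes.

```shell
#!/bin/sh
# Added example, not code from the original article: renders the three files
# described above under a prefix directory, locks down the two that contain the
# MySQL password, and checks for the mistakes reported in the comments.
# Assumptions not taken from the page: the function names, the SASL_* variables,
# and that the real database password is supplied via SASL_DB_PASS.
set -eu

SASL_RUNDIR="/var/spool/postfix/var/run/saslauthd"   # inside Postfix's chroot
SASL_GROUP="${SASL_GROUP:-postfix}"                    # group allowed to read the secrets

# write_sasl_config PREFIX DB_PASSWORD
# PREFIX is "" for a live system, or a scratch directory for a dry run.
# (A password containing $ or backquotes would need extra quoting in the heredocs.)
write_sasl_config() {
  prefix=$1; dbpass=$2
  mkdir -p "$prefix/etc/default" "$prefix/etc/pam.d" "$prefix/etc/postfix/sasl" "$prefix$SASL_RUNDIR"

  # /etc/default/saslauthd: 'yes' must be lower case, and -m must point at the
  # chroot so the chrooted smtpd can reach the socket.
  cat > "$prefix/etc/default/saslauthd" <<EOF
START=yes
OPTIONS="-c -m $SASL_RUNDIR -r"
EOF

  # Create the secret-bearing files under a restrictive umask so they are never
  # world-readable, not even between creation and the chmod below.
  old_umask=$(umask)
  umask 027
  cat > "$prefix/etc/pam.d/smtp" <<EOF
auth    required   pam_mysql.so user=mailadmin passwd=$dbpass host=127.0.0.1 db=mail table=users usercolumn=email passwdcolumn=password crypt=1
account sufficient pam_mysql.so user=mailadmin passwd=$dbpass host=127.0.0.1 db=mail table=users usercolumn=email passwdcolumn=password crypt=1
EOF
  cat > "$prefix/etc/postfix/sasl/smtpd.conf" <<EOF
pwcheck_method: saslauthd
mech_list: plain login
allow_plaintext: true
auxprop_plugin: mysql
sql_hostnames: 127.0.0.1
sql_user: mailadmin
sql_passwd: $dbpass
sql_database: mail
sql_select: select password from users where email = '%u'
EOF
  umask "$old_umask"
  chmod 640 "$prefix/etc/pam.d/smtp" "$prefix/etc/postfix/sasl/smtpd.conf"
  # chown only works as root; in a dry run the files stay owned by the caller.
  if [ "$(id -u)" -eq 0 ] && getent group "$SASL_GROUP" >/dev/null; then
    chown "root:$SASL_GROUP" "$prefix/etc/pam.d/smtp" "$prefix/etc/postfix/sasl/smtpd.conf"
  fi
}

# check_sasl_config PREFIX -> exit status 0 if the configuration looks sane,
# 1 (with one line per problem) otherwise.
check_sasl_config() {
  prefix=$1; rc=0
  defaults="$prefix/etc/default/saslauthd"
  grep -qx 'START=yes' "$defaults" || { echo "START is not exactly 'yes' in $defaults"; rc=1; }

  # A missing -m directory is what produces "connect() : No such file or directory".
  rundir=$(sed -n 's/^OPTIONS=.*-m \([^" ]*\).*/\1/p' "$defaults")
  [ -n "$rundir" ] && [ -d "$prefix$rundir" ] || { echo "saslauthd -m directory '$rundir' missing"; rc=1; }

  for f in "$prefix/etc/pam.d/smtp" "$prefix/etc/postfix/sasl/smtpd.conf"; do
    [ -z "$(find "$f" -perm -004)" ] || { echo "$f is world-readable"; rc=1; }
    ! grep -q 'newpassword' "$f" || { echo "$f still contains the placeholder password"; rc=1; }
    ! grep -q '[[:space:]]$' "$f" || { echo "$f has trailing whitespace (breaks sql_passwd)"; rc=1; }
  done
  return $rc
}

# verify_login USER REALM PASSWORD
# Exercises the running daemon through the chroot socket, as Postfix will;
# with -r in OPTIONS, USER and REALM are joined into user@realm for pam_mysql.
verify_login() {
  testsaslauthd -s smtp -f "$SASL_RUNDIR/mux" -u "$1" -r "$2" -p "$3"
}

# Touch the live system only when explicitly asked, e.g.
#   SASL_APPLY=1 SASL_DB_PASS='...' sudo -E sh sasl-setup.sh
if [ "${SASL_APPLY:-0}" = "1" ]; then
  write_sasl_config "" "${SASL_DB_PASS:?set SASL_DB_PASS to the mailadmin MySQL password}"
  adduser postfix sasl
  check_sasl_config ""
  /etc/init.d/postfix restart
  /etc/init.d/saslauthd restart
fi
```

On the server, run it once with SASL_APPLY=1 as root; to see what it would write without touching anything, call write_sasl_config with a scratch directory as the prefix and then check_sasl_config on the same prefix. After the restart, verify_login user example.com secret should print an OK line from testsaslauthd before you try a mail client.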

Summary

Adding the saslauthd settings and pointing them at the database means Postfix can now hand any login attempt to saslauthd, which checks it against the users table. The credentials themselves still travel as plain text at this stage, which is why the next step is to protect the connection.

Let's move on to the next article which looks at creating an SSL certificate for our secure connection.

PickledOnion

Article Comments:

Dave D commented Tue Sep 09 19:10:59 UTC 2008:

Shouldn't the following line:

sudo mkdir -p /var/spool/postfix/var/run/saslauth

read:

sudo mkdir -p /var/spool/postfix/var/run/saslauthd

?

PickledOnion commented Tue Sep 09 20:04:26 UTC 2008:

Dave,

Thanks for that - you are absolutely correct.

I have changed the article appropriately.

Please always feel free to show me such errors.

Cheers,

PickledOnion

Steve commented Wed Sep 17 01:17:43 UTC 2008:

I think you forgot the command for changing the default permissions/group on /etc/pam.d/smtp and /etc/postfix/sasl/smtpd.conf so that all users can't see the mailadmin password. I think you also forgot to mention to fill in the mailadmin password in place of newpassword in both files.

Branko Vukelic commented Sun Sep 21 10:39:08 UTC 2008:

You said:

Or to put it in even plainer English: You need this log on

I think you wanted to say:

Or to put it in even plainer English: You need this _to_ log on

Excellent guides, as usual, though!

Dan Phiffer commented Sat Oct 18 20:05:33 UTC 2008:

I'm having some difficulty getting SMTP to work over SSL. I can send email fine if I configure Apple Mail.app not to use SSL, but once I enable it I first get a warning about self-signed certificates, click continue, and then a message that says it failed to connect. I set smtpd_tls_loglevel = 2 and got the following in my mail.log:

Oct 18 18:40:30 mail postfix/smtpd[10425]: initializing the server-side TLS engine
Oct 18 18:40:30 mail postfix/smtpd[10425]: connect from xxxxx
Oct 18 18:40:30 mail postfix/smtpd[10425]: setting up TLS connection from xxxxx
Oct 18 18:40:30 mail postfix/smtpd[10425]: xxxxx: TLS cipher list "ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
Oct 18 18:40:30 mail postfix/smtpd[10425]: SSL_accept:before/accept initialization
Oct 18 18:40:30 mail postfix/smtpd[10425]: SSL_accept:SSLv3 read client hello A
Oct 18 18:40:30 mail postfix/smtpd[10425]: SSL_accept:SSLv3 write server hello A
Oct 18 18:40:30 mail postfix/smtpd[10425]: SSL_accept:SSLv3 write certificate A
Oct 18 18:40:30 mail postfix/smtpd[10425]: SSL_accept:SSLv3 write server done A
Oct 18 18:40:30 mail postfix/smtpd[10425]: SSL_accept:SSLv3 flush data
Oct 18 18:40:30 mail postfix/smtpd[10425]: SSL_accept error from xxxxx: -1
Oct 18 18:40:30 mail postfix/smtpd[10425]: lost connection after CONNECT from xxxxx
Oct 18 18:40:30 mail postfix/smtpd[10425]: disconnect from xxxxx

Dan Phiffer commented Sun Oct 19 18:31:12 UTC 2008:

I figured out why SMTP+SSL wasn't working! It's actually a "problem" with Mail.app. Here's the sequence it was going through during my tests:

  1. Connect to IMAP-SSL at startup
  2. Accept Courier's self-signed certificate
  3. Attempt to send mail via SMTP-SSL
  4. Reject Postfix's self-signed certificate because it doesn't match Courier's
  5. Bail out connection, fail to send email

The solution is simply to make sure Courier is set up with the same certificate as Postfix. This can be configured in /etc/courier/imapd-ssl and /etc/courier/pop3d-ssl. Restart the daemons and voila!

PickledOnion commented Mon Oct 20 10:19:29 UTC 2008:

Dan,

Thanks for the tips on mail.app.

I will follow up with an article on changing the courier settings to match those that postfix uses.

PickledOnion

jerome sniddler commented Fri Oct 24 20:24:51 UTC 2008:

How about secure authentication?

This is great, I'm happy to have ssl mail download - but is it secure with plaintext authentication?

A grand plan for a future extension to these fabulous guides would be tips on implementing cram-md5 or something.

Ray commented Fri Nov 21 06:26:55 UTC 2008:

I must have missed something... /etc/default/saslauthd doesn't exist, and there were ~20 packages available with 'sasl' in the name -- what do I need to install / which step did I miss?

Thanks.

PickledOnion commented Fri Nov 21 10:34:53 UTC 2008:

Ray,

Not sure what step you missed - please go through the list of articles as laid out (in order) on the main email page.

There are no steps missing from the articles.

Good luck,

PickledOnion

Ray commented Sat Nov 22 18:35:24 UTC 2008:

The problem turned out to be that I hadn't run aptitude update before doing the first step of "Postfix and MySQL Installation", and didn't notice I was getting 404's on the sasl packages.

Thanks for these articles! They're a great resource.

-Ray

David commented Thu Dec 04 03:33:57 UTC 2008:

I found it helpful to use testsaslauthd for checking that sasl authentication itself was working, independently of Postfix:

testsaslauthd -u username -p password

I thought it might be useful to mention it here since I spent quite a while searching for a way to do that.

Matthew R commented Fri Dec 19 17:55:04 UTC 2008:

After hours of trying to figure out why my mail client can't connect via SMTP, I've finally figured it out. My mail client can connect via pop, but not by SMTP. This is because this article sets up your mail server to use 2 different authentication methods when connecting to POP and SMTP. POP is via clear text password authentication, but SASL SMTP is by Secure Password Authentication. So when you configure your mail, make sure pop is using clear text and SMTP is using Secure Password Authentication. DON'T tick the box that says use same settings as incoming. That screws everything up! Hope this helps!

m commented Sat Dec 27 23:44:19 UTC 2008:

In case anyone else runs into this:

When editing /etc/default/saslauthd and changing the "START=no" to "START=yes", make sure the "yes" is lower case.

After going through the MYSQL setup, I got conditioned to type in upper case and entered "START=YES" instead. I must have looked over the file seven times before I caught my error.

m commented Mon Dec 29 06:51:19 UTC 2008:

I'm trying to sort out why I can't send email from my email clients. Both Thunderbird and Mail.app report that the username and password are being rejected by Postfix.

I ran testsaslauthd as suggested by David, and the result is:

connect() : No such file or directory

which seems wrong and not very helpful. I'd be grateful for any advice.

B commented Mon Jan 12 07:19:29 UTC 2009:

I ran into issues after completing all the mail server setup steps. The mail.log files were showing there was a problem connecting to MySQL. authdaemond: failed to connect to mysql server (server=localhost, userid=mailadmin)

Turns out I had a space in the smtpd.conf file at the end of the password line (sql_passwd:).

danpar commented Mon Jan 19 03:39:56 UTC 2009:

/etc/pam.d/smtp and /etc/postfix/sasl/smtpd.conf are world-readable and contain clear text passwords. Is this not a security problem? A previous comment was made on this that was also not addressed yet. If you could kindly address it. Thanks.

Musfuut commented Sun Feb 01 14:38:44 UTC 2009:

Having those files world-readable would seem like a security risk.

I found the following worked...

sudo chown root:postfix /etc/pam.d/smtp /etc/postfix/sasl/smtpd.conf

sudo chmod 640 /etc/pam.d/smtp /etc/postfix/sasl/smtpd.conf

sudo /etc/init.d/postfix restart

sudo /etc/init.d/saslauthd restart

Good luck!

Stephen commented Wed Feb 11 04:39:52 UTC 2009:

I was having the same problem as m above. The following command fixed it for me:

ln -s /var/spool/postfix/var/run/saslauthd /var/run/saslauthd

Jing commented Fri Mar 27 20:32:02 UTC 2009:

I ran the following commands to remove the other permissions, and set the group of the files to sasl and postfix accordingly. Not sure if those are the proper groups yet, but it seems to work so far.

sudo chmod o= /etc/pam.d/smtp
sudo chgrp sasl /etc/pam.d/smtp

sudo chmod o= /etc/postfix/sasl/smtpd.conf
sudo chgrp postfix /etc/postfix/sasl/smtpd.conf

mister z commented Thu Apr 02 02:31:14 UTC 2009:

If you get:

admin@mail:/$ sudo /etc/init.d/saslauthd restart

  • No run directory defined for saslauthd, cannot stop
  • Starting SASL Authentication Daemon saslauthd
    • No run directory defined for saslauthd, not starting

Try changing:

OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"

to:

OPTIONS="-c -m -r /var/spool/postfix/var/run/saslauthd"

s debaun commented Fri May 15 10:21:11 UTC 2009:

Not sure how I missed it.. (I am running Ubuntu intrepid)... but here is how I got SASLAUTHD installed...

sudo aptitude install libsasl2 sasl2-bin libsasl2-modules libdb3-util procmail
sudo dpkg-reconfigure postfix

oh, and thanks for all the great article/tutorials pickled!

Brian Armstrong commented Mon May 18 22:26:31 UTC 2009:

The lines you are adding to /etc/pam.d/smtp

Do these get added to the bottom? You didn't specify. Thanks! Brian
