To authenticate users on the SMTP server, we will use their existing credentials (email address / password).
This is the same principle Gmail uses, and it allows only our own users to send emails through our SMTP server.
Thus, a spammer will not be able to relay through our server, because he has no email address (and therefore no credentials) on it.
To authenticate our users, we will use the MySQL database managed by "postfixadmin", because it contains the email addresses and encrypted passwords of our users.
Because the passwords are stored encrypted in the MySQL database, we cannot use the "sql" plugin of SASL, as mentioned in the "Postfix SASL" documentation.
To authenticate the SMTP server's users against their encrypted passwords in the MySQL database, we have to go through PAM and its "pam_mysql" module, which saslauthd uses.
In summary, here is the authentication chain for a connection to the SMTP server: Postfix <-> Cyrus SASL <-> saslauthd <-> pam <-> pam_mysql <-> MySQL.
Now that you know the theory, let's practice.
To be safe, first update the package list:
Bash
apt-get update
First, install the Cyrus SASL packages for SASL authentication.
Bash
apt-get install libsasl2-modules sasl2-bin
Then, install the "pam_mysql" package that allows SASL to connect to the MySQL database through "PAM" authentication.
Bash
apt-get install libpam-mysql
For Postfix, edit the "/etc/postfix/main.cf" file and add this:
Plain Text
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_path = smtpd
smtpd_sasl_type = cyrus
smtpd_sasl_authenticated_header = yes
In the same file (/etc/postfix/main.cf), change the "smtpd_recipient_restrictions" setting like this:
Plain Text
smtpd_recipient_restrictions=reject_unauth_destination, reject_unauth_pipelining
These restrictions allow you to:
If it isn't already done, enter your domain name (e.g. domain.com) as "myhostname".
Plain Text
myhostname = informatiweb-tuto.net
Then, add the "postfix" user to the "sasl" group.
Bash
adduser postfix sasl
Then, type this command (it sets the owner, group and mode of the saslauthd socket directory inside the Postfix chroot, so that members of the "sasl" group can reach the socket):
Bash
dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd
To link SASL and Postfix, create the "/etc/postfix/sasl/smtpd.conf" file:
Plain Text
pwcheck_method: saslauthd
log_level: 3
mech_list: PLAIN LOGIN
For SASL, edit the "/etc/default/saslauthd" file like this:
Plain Text
START=yes
MECHANISMS="pam"
# Don't forget the "-r" at the end of the line
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"
For the "pam_mysql" plugin, create the "/etc/pam.d/smtp" file:
Plain Text
auth required pam_mysql.so user=postfix passwd=postfix host=127.0.0.1 db=postfix table=mailbox usercolumn=username passwdcolumn=password crypt=1
account sufficient pam_mysql.so user=postfix passwd=postfix host=127.0.0.1 db=postfix table=mailbox usercolumn=username passwdcolumn=password crypt=1
Note: "user" and "passwd" are the account credentials used to connect to the "postfix" database on the "MySQL" server. Since this file contains that database password in clear text, restrict its permissions (for example with chmod 640) so that other local users cannot read it.
Now, restart the "Postfix" mail server (which also serves as the SMTP server) and the "SASL" authentication server.
Bash
service postfix restart
service saslauthd restart
If this appears, everything is fine:
Bash
root@debian:/home/informatiweb# service postfix restart
[ ok ] Stopping Postfix Mail Transport Agent: postfix.
[ ok ] Starting Postfix Mail Transport Agent: postfix.
root@debian:/home/informatiweb# service saslauthd restart
[ ok ] Stopping SASL Authentication Daemon: saslauthd.
[ ok ] Starting SASL Authentication Daemon: saslauthd.
For now, SMTP authentication works but isn't mandatory. This is normal, because we are using port 25.
Information on restrictions for Postfix:
As mentioned in the Postfix documentation, local users can send messages using the "sendmail" command.
This command doesn't go through your SMTP server (Postfix). Therefore, the restrictions you apply to the SMTP server don't affect those users. To prevent users from using this command, you must use the "authorized_submit_users" option.
Note: the same principle applies to the PHP "mail" function.
Here are some ways to use this option:
Plain Text
# No local user can send mail using the "sendmail" command.
authorized_submit_users=
# Only root can send mail using the "sendmail" command.
authorized_submit_users=root
# Only root and the web server (and PHP scripts, because PHP is a module attached to the web server) can send mail using the "sendmail" command.
authorized_submit_users=root, www-data
Note: If you have configured Roundcube with the default SMTP configuration, you must allow the www-data user (the user running the "Apache" web server) in this option, or reconfigure Roundcube to use authentication over port 587.
Since we used the "reject_unauth_destination" restriction, sending an email to an external server over port 25 is no longer possible. (Over port 587, authenticated clients can do this.)
Note: You must test this directly on your server (or in an SSH session), because many Internet service providers (ISPs) block port 25 to prevent infected PCs from sending spam unknowingly. This also prevents you from running this test from outside.
Bash
root@debian:~# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 informatiweb-tuto.net ESMTP Postfix (Debian/GNU)
ehlo informatiweb-tuto.net
250-informatiweb-tuto.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:<webmaster@informatiweb-tuto.net>
250 2.1.0 Ok
rcpt to:<toto@gmail.com>
554 5.7.1 <toto@gmail.com>: Relay access denied
If you get this same error on your server, the restriction is working.
To require users to authenticate while following the standard, you must use the submission port (587).
For this, edit the "/etc/postfix/master.cf" file and uncomment the following lines:
Plain Text
submission inet n       -       -       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
Then, add the following line below them, so that on port 587 this rule replaces the global "smtpd_recipient_restrictions" (the one defined in the "main.cf" file):
Plain Text
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
From now on, port 25 doesn't require authentication, while the submission port (587) is configured to accept only authenticated clients.
Then, restart the "postfix" service.
Bash
service postfix restart
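To check that the "main.cf" settings from the beginning of this tutorial and the submission service just configured in "master.cf" are really in place, here is a small shell audit script. It is an added example and not part of the original tutorial: the function names, the way it parses the two files, and the constructed sample files it writes to a temporary directory are assumptions. Run it against your real files by passing their paths.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Audits the SASL-related
# Postfix settings this tutorial asks for. Function names and the constructed
# sample files below are assumptions.

# Print the value of a main.cf parameter (last assignment wins, as in Postfix).
main_cf_get() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        index($0, "=") {
            name = substr($0, 1, index($0, "=") - 1)
            gsub(/[ \t]/, "", name)
            if (name == k) {
                v = substr($0, index($0, "=") + 1)
                sub(/^[ \t]+/, "", v)
                sub(/[ \t]+$/, "", v)
            }
        }
        END { print v }' "$1"
}

# Check 1: main.cf. SASL must be enabled, anonymous SASL refused, and port 25
# must keep reject_unauth_destination, otherwise the server is an open relay.
check_main_cf() {
    f="$1"; rc=0
    [ "$(main_cf_get "$f" smtpd_sasl_auth_enable)" = "yes" ] \
        || { echo "FAIL: smtpd_sasl_auth_enable is not yes"; rc=1; }
    case "$(main_cf_get "$f" smtpd_sasl_security_options)" in
        *noanonymous*) ;;
        *) echo "FAIL: smtpd_sasl_security_options lacks noanonymous"; rc=1 ;;
    esac
    case "$(main_cf_get "$f" smtpd_recipient_restrictions)" in
        *reject_unauth_destination*) ;;
        *) echo "FAIL: open relay: no reject_unauth_destination on port 25"; rc=1 ;;
    esac
    return $rc
}

# Check 2: master.cf. The submission service must be uncommented and carry the
# three -o overrides so that port 587 accepts only authenticated clients.
check_submission() {
    # Collect the "submission inet" line plus its indented "-o" continuation lines.
    block=$(awk '
        /^[ \t]*#/ { next }
        /^submission[ \t]+inet/ { inblk = 1; print; next }
        inblk && /^[ \t]+-o/ { print; next }
        { inblk = 0 }' "$1")
    [ -n "$block" ] || { echo "FAIL: submission service is not enabled"; return 1; }
    rc=0
    for opt in "smtpd_sasl_auth_enable=yes" \
               "smtpd_client_restrictions=permit_sasl_authenticated,reject" \
               "smtpd_recipient_restrictions=permit_sasl_authenticated,reject"; do
        case "$block" in
            *"-o $opt"*) ;;
            *) echo "FAIL: submission lacks -o $opt"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample files (assumption: they mirror the tutorial's settings);
# prints the temporary directory that holds them.
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/main.cf" <<'EOF'
myhostname = informatiweb-tuto.net
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions=reject_unauth_destination, reject_unauth_pipelining
EOF
    cat > "$dir/master.cf" <<'EOF'
smtp      inet  n       -       -       -       -       smtpd
submission inet n       -       -       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
EOF
    # Deliberately weak main.cf: anonymous SASL allowed and no relay restriction.
    cat > "$dir/weak-main.cf" <<'EOF'
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noplaintext
smtpd_recipient_restrictions = permit
EOF
    echo "$dir"
}

# Stand-alone usage: sh audit.sh /etc/postfix/main.cf /etc/postfix/master.cf
if [ "$#" -eq 2 ]; then
    check_main_cf "$1" && check_submission "$2" && echo "OK: settings match the tutorial"
fi
```

The script only reads the files: it prints one "FAIL" line per missing setting and returns a non-zero status, so it can be dropped into a post-deployment check. The "weak-main.cf" sample shows what it flags: a port 25 without "reject_unauth_destination" would relay mail for anyone.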
Note: If "SMTP" authentication doesn't work and the following error appears in the "/var/log/mail.log" file, it is probably a problem caused by the Postfix chroot. Check the path in the "/etc/default/saslauthd" file and the configuration shown in step 10 of the tutorial.
Plain Text
postfix/smtpd[25644]: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
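The error above usually means the saslauthd socket was left at its package default location, outside the directory Postfix is chrooted into. The following shell check is an added example, not part of the original tutorial: it reads the "OPTIONS" line of a saslauthd defaults file, verifies that the "-m" directory sits under the Postfix queue directory (assumed to be /var/spool/postfix) and that "-r" is present; the function names and the constructed sample files are assumptions.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Diagnoses the
# "cannot connect to saslauthd server" failure: the chrooted Postfix smtpd
# looks for var/run/saslauthd/mux below its queue directory, so the "-m"
# directory in /etc/default/saslauthd must lie inside that chroot.
# Function names and the constructed sample files are assumptions.

# Print the full OPTIONS string from the active (uncommented) OPTIONS= line.
saslauthd_options() {
    sed -n 's/^OPTIONS="\(.*\)".*$/\1/p' "$1"
}

# Print the directory passed with "-m" in that OPTIONS string.
saslauthd_mux_dir() {
    saslauthd_options "$1" \
        | awk '{ for (i = 1; i < NF; i++) if ($i == "-m") print $(i + 1) }'
}

# Return 0 when saslauthd's socket directory is where the chrooted smtpd
# expects it and "-r" is set (so the full user@domain login reaches PAM,
# matching the "username" column filled by postfixadmin).
check_saslauthd_chroot() {
    # $1 = saslauthd defaults file, $2 = Postfix queue_directory (default below)
    defaults="$1"; queue="${2:-/var/spool/postfix}"; rc=0
    mux=$(saslauthd_mux_dir "$defaults")
    [ -n "$mux" ] || { echo "FAIL: no -m <dir> in OPTIONS"; return 1; }
    if [ "$mux" != "$queue/var/run/saslauthd" ]; then
        echo "FAIL: socket dir $mux is outside the Postfix chroot ($queue)"; rc=1
    fi
    case " $(saslauthd_options "$defaults") " in
        *" -r "*) ;;
        *) echo "FAIL: -r missing, user@domain logins will not match"; rc=1 ;;
    esac
    # Runtime hint only (non-fatal): the socket appears once saslauthd runs.
    [ -S "$mux/mux" ] || echo "note: $mux/mux not present; is saslauthd running?"
    return $rc
}

# Constructed sample defaults files; prints the temporary directory.
write_saslauthd_samples() {
    dir=$(mktemp -d)
    # As configured in this tutorial.
    cat > "$dir/tutorial" <<'EOF'
START=yes
MECHANISMS="pam"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"
EOF
    # Socket left at the package default location, outside the Postfix chroot.
    cat > "$dir/default" <<'EOF'
START=yes
MECHANISMS="pam"
OPTIONS="-c -m /var/run/saslauthd"
EOF
    echo "$dir"
}

# Stand-alone usage: sh saslcheck.sh /etc/default/saslauthd
if [ "$#" -eq 1 ]; then
    check_saslauthd_chroot "$1" && echo "OK: saslauthd socket is inside the Postfix chroot"
fi
```

If the check passes but the error persists, the remaining suspects are the "dpkg-statoverride" permissions on the socket directory and the "postfix" user's membership in the "sasl" group, both set earlier in this tutorial.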
That said, none of the protocols is secured by SSL or TLS yet.
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.