To authenticate users on the SMTP server, we will use their credentials (email address / password).
This principle is used by Gmail and allows our users only to send emails through our SMTP server.
Thus, a hacker will not be able to spam by using our server because he does not have an email address on our server.
To authenticate our users, we will use the MySQL database managed by "postfixadmin" because she contains the email addresses and encrypted passwords of our users.
Because passwords are encrypted for security in the database MySQL, we will not be unable to use the "sql" plugin of SASL.
As mentioned in the documentation "Postfix SASL".
To authenticate users of the SMTP server, using their encrypted passwords in the MySQL database, we have to go through a "pam_mysql" plugin used by SASL.
In summary, here is the connection diagram to the SMTP server : Postfix <-> Cyrus SASL <-> saslauthd <-> pam <-> pam_mysql <-> MySQL.
Now that you know the theory, let's practice.
For safety, make a update of the list of packages :
First, install the Cyrus SASL packages for SASL authentication.
apt-get install libsasl2-modules sasl2-bin
Then, the "pam_mysql" package that will allow SASL to connect to the MySQL database through the "PAM" authentication.
apt-get install libpam-mysql
For Postfix, change the "/etc/postfix/main.cf" file by adding this :
smtpd_sasl_local_domain = $myhostname smtpd_sasl_auth_enable = yes smtpd_sasl_security_options = noanonymous broken_sasl_auth_clients = yes smtpd_sasl_path = smtpd smtpd_sasl_type = cyrus smtpd_sasl_authenticated_header = yes
Change the restriction "smtpd_recipient_restrictions" in this file (/etc/postfix/main.cf) like this:
These restrictions allow you to :
If it isn't already done, enter your domain name (eg domain.com) as "myhostname".
myhostname = informatiweb-tuto.net
Then, add the "postfix" user to the "sasl" group.
adduser postfix sasl
Then, type this command :
dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd
To link SASL and Postfix, create the "/etc/postfix/sasl/smtpd.conf" file.
pwcheck_method: saslauthd log_level: 3 mech_list: PLAIN LOGIN
For SASL, edit the file "/etc/default/saslauthd" like this :
START=yes MECHANISMS="pam" # Don't forget the "-r" at the end of the line OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"
For the "pam_mysql" plugin, create the "/etc/pam.d/smtp" file.
auth required pam_mysql.so user=postfix passwd=postfix host=127.0.0.1 db=postfix table=mailbox usercolumn=username passwdcolumn=password crypt=1 account sufficient pam_mysql.so user=postfix passwd=postfix host=127.0.0.1 db=postfix table=mailbox usercolumn=username passwdcolumn=password crypt=1
Note : the "user" and "passwd" are the account credentials to use to connect to the "postfix" database on the "MySQL" server.
Now, restart the "Postfix" mail server (which also serves as the SMTP server) and the "SASL" authentication server.
service postfix restart service saslauthd restart
If this appears, it's good :
root@debian:/home/informatiweb# service postfix restart [ ok ] Stopping Postfix Mail Transport Agent: postfix. [ ok ] Starting Postfix Mail Transport Agent: postfix. root@debian:/home/informatiweb# service saslauthd restart [ ok ] Stopping SASL Authentication Daemon: saslauthd. [ ok ] Starting SASL Authentication Daemon: saslauthd.
For now, SMTP authentication works, but isn't mandatory. This is normal because we use port 25.
Information on restrictions for Postfix :
As mentioned in the Postfix documentation, local users can send messages using the command "sendmail".
This function doesn't use your SMTP server (Postifx). Therefore, the restrictions that you apply to the SMTP server doesn't affect those users. To prevent users from using this command, you must use the "authorized_submit_users" option.
Note : This principle is the same for the php "mail" function.
Here are some ways to use this option :
# No local user can send mail using the "sendmail" command. authorized_submit_users= # Only root can send mail using the "sendmail" command. authorized_submit_users=root # Only root and the web server (and PHP scripts because PHP is a module attached to the web server) can send mail using the "sendmail" command. authorized_submit_users=root, www-data
Note : If you have configured Roundcube with the default SMTP configuration, you must allow the www-data user (user running the web server "Apache") in this option or reconfigure it to use authentication over port 587.
Since we used the restriction "reject_unauth_destination", sending an email to an external server will not be possible over port 25. (For the port 587, authenticated clients can do this.)
Note : You must test this directly on your server (or on a ssh session) because many Internet service providers (ISPs) block the port 25 to prevent infected PC send spam unknowingly. This also prevents you from doing this test from the outside.
root@debian:~# telnet 127.0.0.1 25 Trying 127.0.0.1... Connected to 127.0.0.1. Escape character is '^]'. 220 informatiweb-tuto.net ESMTP Postfix (Debian/GNU) ehlo informatiweb-tuto.net 250-informatiweb-tuto.net 250-PIPELINING 250-SIZE 10240000 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN mail from:<firstname.lastname@example.org> 250 2.1.0 Ok rcpt to:<email@example.com> 554 5.7.1 <firstname.lastname@example.org>: Relay access denied
If this error also occurs on your server, it's good.
To require users to authenticate within standard, you must use the submission port (587).
For this, you need to edit the "/etc/postfix/master.cf" file by uncommenting the following lines :
submission inet n - - - - smtpd -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject
Then, add the following line to replace the global rule "smtpd_recipient_restrictions" (the one defined in the "main.cf" file) by that, for the port 587 :
For now, port 25 doesn't need authentication and submission port (587) is configured to allow only authenticated clients.
Then, restart the "postfix" service.
service postfix restart
Note : If authentication "SMTP" doesn't work and the following error appears in the file "/var/log/mail.log" is probably a problem due to Postfix chroot. Check the path in the "/etc/default/saslauthd" file and the configuration shown in step 10 of the tutorial.
postfix/smtpd: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
That said, none of the protocols is still secured by SSL or TLS.
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.
Total or partial reproduction of this site is prohibited and constitutes an infringement punishable by articles L.335-2 and following of the intellectual property Code.