Sysadmin: authenticated email submission

Recently I had the need to configure secure authenticated email submission on one of the systems I look after.

Currently I look after a number of email servers that follow the standard configuration pattern of:

  • postfix with TLS
  • virtual email acocunts
  • postfixadmin
  • database
  • courier imap with SSL.

What was needed is that clients be able to submit email for delivery to wherever via the email server based on thier virtual email account (imap/pop3) credentials.

What is required for this is to use SASL to query the imapd with the supplied username and password, and on successful authentication advise postfix email daemon that the auth is ok, and it is ok to take the email and route it.

here are the changes ncessary to make that work.

Step 1: Install sasl – on my Debian Linux servers I installed sasl2-bin, libsasl2-modules, libsasl2-2 packages which on Debian Lenny are based on SASL 2.1.22 with some extra distribution supplied security and bug-fix patches rolled in.

Step 2: Configure saslauthd:
Edit /etc/default/saslauthd to provide the the authentication layer. here is mine:

# Settings for saslauthd daemon
# Please read /usr/share/doc/sasl2-bin/README.Debian for details.

# Should saslauthd run automatically on startup? (default: no)

# Description of this saslauthd instance. Recommended.
# (suggestion: SASL Authentication Daemon)
DESC="SASL Authentication Daemon"

# Short name of this saslauthd instance. Strongly recommended.
# (suggestion: saslauthd)

# Which authentication mechanisms should saslauthd use? (default: pam)
# Available options in this Debian package:
# getpwent  -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam       -- use PAM
# rimap     -- use a remote IMAP server
# shadow    -- use the local shadow password file
# sasldb    -- use the local sasldb database file
# ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
# Only one option may be used at a time. See the saslauthd man page
# for more information.
# Example: MECHANISMS="pam"

# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.

# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.

# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!
# The -d option will cause saslauthd to run in the foreground instead of as
# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
# to run saslauthd in debug mode, please run it by hand to be safe.
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
# See the saslauthd man page and the output of 'saslauthd -h' for general
# information about these options.
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"

OPTIONS="-r -c -O localhost -m /var/spool/postfix/var/run/saslauthd"

Step 3: Configure Postfix to listen on the submission port.
This is done by editing /etc/postfix/ file. here is what I did:

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
submission inet n       -       -       -       -       smtpd
-o smtpd_enforce_tls=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_security_options=noanonymous
-o broken_sasl_auth_clients=yes

-o smtpd_client_restrictions=permit_sasl_authenticated,reject

Step 4: Make postfix accept mail from SASL authenticated sources:

Edit /etc/postfix/ and add “permit_sasl_authenticated” to the “smtpd_recipient_restrictions”

Step 5: configure postfix to use SASL authentication
In directory /etc/postfix/sasl add file smtpd.conf

Mine contains these config stanzas:

pwcheck_method: saslauthd
mech_list: PLAIN LOGIN

Step 6: Make sure that user postfix is a mebmer of the sasl group.

Edit the /etc/group file or use your favourite tool to do this. This is necessary so that the mail server daemon can read the SASL authentication daemon responses.

Step 7: Restart postfix and sasl daemons and test.

Leave a Reply

Your email address will not be published.