The BBQ Stand

newly constructed bbq stand.

Sysadmin: authenticated email submission

Recently I had the need to configure secure authenticated email submission on one of the systems I look after.

Currently I look after a number of email servers that follow the standard configuration pattern of:

  • postfix with TLS
  • virtual email accounts
  • postfixadmin
  • database
  • courier imap with SSL.

What was needed was for clients to be able to submit email through the server, for delivery anywhere, authenticating with their virtual email account (IMAP/POP3) credentials.

What this requires is for SASL to check the supplied username and password against the IMAP daemon and, on successful authentication, tell the Postfix SMTP daemon that the client is authenticated and that its mail may be accepted and routed.

Here are the changes necessary to make that work.

Step 1: Install sasl – on my Debian Linux servers I installed sasl2-bin, libsasl2-modules, libsasl2-2 packages which on Debian Lenny are based on SASL 2.1.22 with some extra distribution supplied security and bug-fix patches rolled in.

Step 2: Configure saslauthd:
Edit /etc/default/saslauthd to provide the authentication layer. Here is mine:

#
# Settings for saslauthd daemon
# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
#

# Should saslauthd run automatically on startup? (default: no)
START=yes

# Description of this saslauthd instance. Recommended.
# (suggestion: SASL Authentication Daemon)
DESC="SASL Authentication Daemon"

# Short name of this saslauthd instance. Strongly recommended.
# (suggestion: saslauthd)
NAME="saslauthd"

# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent  -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam       -- use PAM
# rimap     -- use a remote IMAP server
# shadow    -- use the local shadow password file
# sasldb    -- use the local sasldb database file
# ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="rimap"

# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""

# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5

# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!
#
# WARNING: DO NOT SPECIFY THE -d OPTION.
# The -d option will cause saslauthd to run in the foreground instead of as
# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
# to run saslauthd in debug mode, please run it by hand to be safe.
#
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
# See the saslauthd man page and the output of 'saslauthd -h' for general
# information about these options.
#
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"

OPTIONS="-r -c -O localhost -m /var/spool/postfix/var/run/saslauthd"

Step 3: Configure Postfix to listen on the submission port.
This is done by editing the /etc/postfix/master.cf file. Here is what I did:

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
# port 587: TLS is mandatory, SASL is enabled, and only authenticated clients may send
submission inet n       -       -       -       -       smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_security_options=noanonymous
  -o broken_sasl_auth_clients=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

Step 4: Make postfix accept mail from SASL authenticated sources:

Edit /etc/postfix/main.cf and add “permit_sasl_authenticated” to the “smtpd_recipient_restrictions” list (it must appear before any reject rule, since Postfix evaluates restrictions in order).

Step 5: Configure Postfix to use SASL authentication.
In the directory /etc/postfix/sasl, add the file smtpd.conf.

Mine contains these config stanzas:

pwcheck_method: saslauthd
mech_list: PLAIN LOGIN

Step 6: Make sure that user postfix is a member of the sasl group.

Edit the /etc/group file or use your favourite tool to do this. This is necessary so that the mail server daemon can read the SASL authentication daemon responses.

Step 7: Restart postfix and sasl daemons and test.
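For the "test" part of Step 7, here is an added example (not from the original post) that checks a submission service configured as in Steps 1 to 7 from the client side: STARTTLS is offered, PLAIN and LOGIN are advertised only after the TLS handshake, and an unauthenticated RCPT TO is refused by the permit_sasl_authenticated,reject rule. The host names and the sample EHLO replies are constructed.

```python
"""Check a Postfix submission service set up as in Steps 1-7 (added example, constructed inputs)."""
import smtplib

# Constructed EHLO reply bodies, as smtplib's ehlo() returns them (first line is the
# server name); the "AUTH=" duplicate is what broken_sasl_auth_clients=yes adds.
EHLO_PLAIN = b"mail.example.com\nPIPELINING\nSIZE 10240000\nSTARTTLS\n8BITMIME"
EHLO_TLS = (b"mail.example.com\nPIPELINING\nSIZE 10240000\n"
            b"AUTH PLAIN LOGIN\nAUTH=PLAIN LOGIN\n8BITMIME")

def parse_ehlo(ehlo_msg):
    """Map each EHLO keyword to its parameters, e.g. {"AUTH": ["PLAIN", "LOGIN"]}."""
    caps = {}
    for line in ehlo_msg.decode("ascii", "replace").splitlines()[1:]:
        line = line.strip()
        if line.upper().startswith("AUTH="):  # non-standard spelling, same meaning
            line = "AUTH " + line[5:]
        parts = line.split()
        if parts:
            caps[parts[0].upper()] = [p.upper() for p in parts[1:]]
    return caps

def sasl_mechs(ehlo_msg):
    """SASL mechanisms advertised in an EHLO reply (empty set if no AUTH line)."""
    return set(parse_ehlo(ehlo_msg).get("AUTH", []))

def evaluate(before_tls, after_tls, rcpt_code, required=("PLAIN", "LOGIN")):
    """Return a list of findings; an empty list means the service behaves as configured."""
    findings = []
    if "STARTTLS" not in parse_ehlo(before_tls):
        findings.append("STARTTLS not offered; smtpd_enforce_tls cannot work")
    if sasl_mechs(before_tls):
        findings.append("AUTH offered before STARTTLS; passwords could cross in the clear")
    missing = set(required) - sasl_mechs(after_tls)
    if missing:
        findings.append("mechanisms missing after STARTTLS: " + ", ".join(sorted(missing)))
    if rcpt_code < 500:  # permit_sasl_authenticated,reject must refuse this
        findings.append("unauthenticated RCPT TO accepted with code %d" % rcpt_code)
    return findings

def probe(host, port=587, rcpt="postmaster@example.net", context=None):
    """Live check: EHLO, STARTTLS, EHLO again, then one unauthenticated RCPT TO."""
    with smtplib.SMTP(host, port, timeout=15) as s:
        _, before = s.ehlo()
        s.starttls(context=context)  # give an ssl.SSLContext to verify a private CA
        _, after = s.ehlo()
        s.mail("probe@" + host)
        code, _ = s.rcpt(rcpt)
        s.rset()
        return evaluate(before, after, code)
```

The saslauthd side can be checked on the server itself with testsaslauthd from sasl2-bin, pointing its -f option at the mux socket under the directory given to -m above.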

a nice surprise from redbubble.com

The nice folk at redbubble.com sent me this email:

“To kickstart your Christmas mission of reminding friends, family and devoted fans about your excellent work, we have made a magic voucher that will take 15% off your work, and your work only. There really hasn’t been a better time to find a digital soapbox and shout long and hard about yourself and your art. Tweet, blog, forward this email, write a newsletter, or send a telegram.”

so here it is, my

the 15% discount code:  tmc-au_is_on_sale_0170 and it is valid until 14 NOV 2010

My Portfolio

Calendar for 2011

I have been uploading photographs to redbubble.com for several months now.

Recently I have decided to use their facilities to publish a 2011 wall calendar with sunset pictures as the main theme.  I now have several printed copies in my hands and I am impressed with the look, and with the quality of the print job.  They will make excellent Christmas presents <evil grin>

If you like the idea, go and have a look 🙂

tmciolek.id.au Finally On-line

I got the domain name tmciolek.id.au some time ago with the intention of running a blog/personal website that would serve as a space for me to talk about me and the kind of things I do, and the things I care about.

However over the years there was always something that got in the way, so much so, nothing got done.

Finally I got a spare 15 minutes to set this thing up, so I did.