4.4. Saslauthd

Since we want users to log in to our mail server in order to send email, we need to configure authentication. First we need to make sure users can log in using the same username and password they will be using for checking email.

For this, we are going to use Saslauthd. Saslauthd will also use the same database we already created to verify user credentials.

apt-get install libsasl2-2 libsasl2-modules libsasl2-modules-sql sasl2-bin libpam-mysql

Open /etc/default/saslauthd with nano and change START=no to START=yes. At the end of the file we need to change OPTIONS="-c -m /var/run/saslauthd" to

OPTIONS="-c -r -m /var/spool/postfix/var/run/saslauthd"

This change is needed because Postfix on Debian runs chrooted, so it needs access to the saslauthd socket from inside the chroot; the -r parameter is needed because otherwise the full username (user@domain) is not passed correctly from Postfix to saslauthd.

We also need to create this directory

mkdir -p /var/spool/postfix/var/run/saslauthd

and one symbolic link, because Postfix on Debian runs in a chrooted environment while other applications you may be using on your server (including testsaslauthd, used below to test whether saslauthd is working correctly) are not aware that we changed the saslauthd socket directory.

rm -rf /var/run/saslauthd
ln -s /var/spool/postfix/var/run/saslauthd /var/run/saslauthd
Warning

If you do not delete /var/run/saslauthd before creating the symbolic link, the link will be created as /var/run/saslauthd/saslauthd instead, and testing SASL with testsaslauthd will result in an error: "connect() : No such file or directory 0".
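
The following checks are an added example and not part of the original guide: they verify the saslauthd defaults and the socket/symlink layout described above, including the nested-link mistake from the warning. The optional root-prefix argument is a hypothetical convenience so the functions can be exercised against a scratch directory; on a real Debian host call them without it.

```shell
#!/bin/sh
# Added example, not part of the original guide: sanity checks for the
# saslauthd socket layout described above. The root-prefix argument is a
# hypothetical convenience so the same functions can be run against a
# scratch directory tree; on a real Debian host call them with no prefix.

SOCKDIR_REL="var/spool/postfix/var/run/saslauthd"   # socket dir inside the Postfix chroot
LINK_REL="var/run/saslauthd"                        # where non-chrooted tools expect it

# Print the OPTIONS value from a saslauthd defaults file (last assignment wins,
# surrounding double quotes removed).
saslauthd_options() {
    sed -n 's/^OPTIONS=//p' "$1" | tail -n 1 | tr -d '"'
}

# Succeed only when the defaults file starts saslauthd, passes -r (so the full
# user@domain login reaches PAM) and points -m at the chroot socket directory.
check_saslauthd_defaults() {
    f="$1"
    grep -q '^START=yes' "$f" || { echo "$f: START is not yes"; return 1; }
    opts=$(saslauthd_options "$f")
    case " $opts " in
        *" -r "*) ;;
        *) echo "$f: -r missing from OPTIONS ($opts)"; return 1 ;;
    esac
    case "$opts" in
        *"-m /$SOCKDIR_REL"*) ;;
        *) echo "$f: -m does not point at /$SOCKDIR_REL ($opts)"; return 1 ;;
    esac
    return 0
}

# Succeed only when ROOT/var/run/saslauthd is a symbolic link to the chroot
# socket directory, which must exist. Also detects the mistake from the
# warning above: a real /var/run/saslauthd directory holding a nested link.
check_socket_link() {
    root="${1:-/}"; root="${root%/}"
    dir="$root/$SOCKDIR_REL"
    link="$root/$LINK_REL"
    [ -d "$dir" ] || { echo "$dir: socket directory missing"; return 1; }
    if [ ! -L "$link" ] && [ -e "$link/saslauthd" ]; then
        echo "$link: real directory with a nested saslauthd link; rm -rf it and recreate the link"
        return 1
    fi
    [ -L "$link" ] || { echo "$link: not a symbolic link"; return 1; }
    target=$(readlink "$link")
    [ "$target" = "/$SOCKDIR_REL" ] || [ "$target" = "$dir" ] ||
        { echo "$link: points at $target, expected /$SOCKDIR_REL"; return 1; }
    return 0
}

# Usage on a live host:
#   check_saslauthd_defaults /etc/default/saslauthd && check_socket_link && echo "saslauthd layout OK"
```

Both functions print the first problem they find and return non-zero, so they can be dropped into a post-install check script as they are.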

We also need to create two more files:

nano /etc/pam.d/smtp

auth    required   pam_mysql.so user=mailadmin passwd=newpassword host=127.0.0.1 db=mail table=mailbox usercolumn=username passwdcolumn=password crypt=1
account sufficient pam_mysql.so user=mailadmin passwd=newpassword host=127.0.0.1 db=mail table=mailbox usercolumn=username passwdcolumn=password crypt=1

nano /etc/postfix/sasl/smtpd.conf

pwcheck_method: saslauthd
mech_list: plain login
allow_plaintext: true

We need to add Postfix to the sasl group so it can access the saslauthd socket we just configured:

adduser postfix sasl

Restart Postfix and saslauthd:

/etc/init.d/postfix restart
/etc/init.d/saslauthd restart

Now we can check whether saslauthd is working correctly:

testsaslauthd -s smtp -u root@example.com -p newpassword

Of course, use your own credentials here. Authentication should work:

atlantis:~# testsaslauthd -s smtp -u root@example.com -p newpassword
0: OK "Success."

If you do not get "Success." as a response, check that you have a symbolic link in /var/run/ named saslauthd and that it points to /var/spool/postfix/var/run/saslauthd.

We have to change the permissions on these two files as well, since /etc/pam.d/smtp contains the database password in clear text:

chgrp sasl /etc/pam.d/smtp
chmod 640 /etc/pam.d/smtp
chgrp postfix /etc/postfix/sasl/smtpd.conf
chmod 640 /etc/postfix/sasl/smtpd.conf
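
As an added example (not part of the original guide), the function below audits the two files just configured: it checks that each is a regular file, belongs to the expected group and has no world access and no group write bit. It assumes GNU stat as shipped in Debian coreutils; the group names and paths are the ones used on this page.

```shell
#!/bin/sh
# Added example, not part of the original guide: verify that the two files
# configured above are readable only by root and the group that needs them.
# /etc/pam.d/smtp carries the MySQL password in clear text, so 640 with the
# right group is the minimum. Uses GNU stat as shipped in Debian coreutils.

# Succeed only when $1 is a regular file owned by group $2 with a mode no
# more permissive than 640 (no world access, no group write).
check_secret_file() {
    f="$1"; want_group="$2"
    [ -f "$f" ] || { echo "$f: missing or not a regular file"; return 1; }
    mode=$(stat -c '%a' "$f"); mode="${mode#${mode%???}}"   # keep the last three octal digits
    group=$(stat -c '%G' "$f")
    [ "$group" = "$want_group" ] ||
        { echo "$f: group is $group, expected $want_group"; return 1; }
    case "$mode" in
        640|600|440|400) return 0 ;;
        *) echo "$f: mode $mode is too permissive, expected 640"; return 1 ;;
    esac
}

# Audit the two files from this section; returns non-zero if either fails.
audit_mail_auth_files() {
    rc=0
    check_secret_file /etc/pam.d/smtp sasl                 || rc=1
    check_secret_file /etc/postfix/sasl/smtpd.conf postfix || rc=1
    return $rc
}

# Usage on a live host:
#   audit_mail_auth_files && echo "SASL credential files locked down"
```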

We also need to tell Postfix to allow authenticated users to send mail. Edit /etc/postfix/main.cf and add

smtpd_sender_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    permit_tls_clientcerts
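
To confirm that the edit above took effect, here is an added example (not from the original guide) that reads main.cf the way Postfix does, joining lines that start with whitespace onto the preceding parameter and letting the last assignment win, and then reports whether a given restriction list names permit_sasl_authenticated. Postfix decides whether to relay mail for remote recipients in smtpd_recipient_restrictions (and, from Postfix 2.10 on, smtpd_relay_restrictions), so the same check is worth running on those lists too. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original guide: read a Postfix main.cf the
# way Postfix does (a line starting with whitespace continues the previous
# parameter, the last assignment wins) and report whether a restriction list
# contains permit_sasl_authenticated.

# Print the value of parameter $2 from main.cf $1, continuation lines joined.
postfix_param() {
    awk -v key="$2" '
        /^[ \t]/ { if (inkey) { sub(/^[ \t]+/, ""); val = val " " $0 }; next }
        { inkey = 0 }
        $0 ~ ("^" key "[ \t]*=") { inkey = 1; sub(/^[^=]*=[ \t]*/, ""); val = $0 }
        END { sub(/^ +/, "", val); print val }
    ' "$1"
}

# Succeed when restriction list $2 in main.cf $1 names permit_sasl_authenticated
# (entries may be separated by whitespace or commas).
restriction_permits_sasl() {
    v=$(postfix_param "$1" "$2" | tr ',' ' ')
    case " $v " in
        *" permit_sasl_authenticated "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage on a live host:
#   restriction_permits_sasl /etc/postfix/main.cf smtpd_sender_restrictions && echo "SASL users permitted"
```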

Restart Postfix and saslauthd.

/etc/init.d/postfix restart
/etc/init.d/saslauthd restart