
Recipe 20.7. Installing Cyrus-SASL for SMTP Authorization

20.7.1 Problem

You want to add Cyrus-SASL to your mail server, so you can set up smtp-auth. You want your users to authenticate themselves, and you want Postfix to authenticate to an external relay.

20.7.2 Solution

RPM users need these packages:

  • cyrus-sasl-2.x

  • cyrus-sasl-plain-2.x

Debian users, see Recipe 20.8.


Before installing Cyrus-SASL, verify that your version of Postfix supports SASL and TLS. Run ldd on the smtpd executable to find out. Look for libsasl2, libssl, and libcrypto:

$ ldd /usr/lib/postfix/smtpd
...
  libssl.so.0.9.7 => /usr/lib/i686/cmov/libssl.so.0.9.7 (0x4006f000)
  libcrypto.so.0.9.7 => /usr/lib/i686/cmov/libcrypto.so.0.9.7 (0x4009e000)
  libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x4018f000)
...

If Postfix links to these libraries, go ahead and install Cyrus-SASL. If it doesn't, you have two options:

  • Rebuild Postfix from sources. Read the README and SASL_README files. Be sure to install Cyrus-SASL first, before compiling Postfix.

  • Replace your Postfix with an up-to-date RPM package that has everything built in.

After installing Postfix and Cyrus-SASL, start up saslauthd:

# /etc/init.d/saslauthd start

Now add these lines to main.cf:

smtpd_sasl_auth_enable = yes
smtpd_sasl2_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_local_domain = $myhostname

smtpd_recipient_restrictions =
    permit_sasl_authenticated
    permit_mynetworks
    reject_unauth_destination

and activate the changes:

# postfix reload

Then verify that Postfix sees the new SASL libraries:

$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
220 windbag.test.net ESMTP Postfix (Libranet/GNU)
EHLO windbag.test.net
250-windbag.test.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-XVERP
250 8BITMIME

The STARTTLS and AUTH lines are just what you want to see. Now you can move on to Recipe 20.9 for the next step.

20.7.3 Discussion

You can use AUTH LOGIN and PLAIN, because logins will be encrypted by TLS (see Recipe 20.9).
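
The EHLO check from the Solution, as an added example that is not part of the original recipe: a shell audit that parses an EHLO reply and reports whether PLAIN/LOGIN are advertised before TLS is active. The function names and return codes are this example's own assumptions; the sample input is the reply from the telnet session above.

```shell
# Constructed sample: the EHLO reply from the recipe's cleartext telnet session.
sample_ehlo() {
    printf '%s\r\n' '250-windbag.test.net' '250-PIPELINING' '250-SIZE 10240000' \
        '250-VRFY' '250-ETRN' '250-STARTTLS' '250-AUTH LOGIN PLAIN' \
        '250-AUTH=LOGIN PLAIN' '250-XVERP' '250 8BITMIME'
}

# Strip CRs and the "250-" / "250 " reply prefix, leaving one capability per line.
ehlo_caps() {
    tr -d '\r' | sed -n 's/^250[- ]//p'
}

# Print the advertised SASL mechanisms, one per line. The "AUTH=" form is the
# duplicate that broken_sasl_auth_clients adds, so the result is deduplicated.
auth_mechs() {
    ehlo_caps | tr 'a-z' 'A-Z' | sed -n 's/^AUTH[ =]//p' | tr -s ' ' '\n' | sort -u
}

# audit_ehlo CHANNEL: CHANNEL is "clear" (before STARTTLS) or "tls" (after).
# Reads the EHLO reply on stdin, prints findings, and returns:
#   0 = as expected, 1 = reusable passwords offered in cleartext, 2 = no AUTH.
audit_ehlo() {
    channel=$1
    reply=$(cat)
    mechs=$(printf '%s\n' "$reply" | auth_mechs | tr '\n' ' ')
    mechs=${mechs% }
    if printf '%s\n' "$reply" | ehlo_caps | grep -qix 'STARTTLS'; then
        starttls=yes
    else
        starttls=no
    fi
    echo "channel=$channel starttls=$starttls auth=${mechs:-none}"
    if [ -z "$mechs" ]; then
        if [ "$channel" = clear ] && [ "$starttls" = yes ]; then
            echo "OK: AUTH withheld until STARTTLS"; return 0
        fi
        echo "FAIL: no AUTH mechanisms offered"; return 2
    fi
    case " $mechs " in
        *" PLAIN "*|*" LOGIN "*)
            if [ "$channel" = clear ]; then
                echo "WARN: PLAIN/LOGIN offered before TLS; passwords are only base64-encoded"
                return 1
            fi ;;
    esac
    echo "OK: AUTH offered as expected"; return 0
}
```

The recipe's own reply returns 1 on the cleartext channel, because AUTH is advertised before STARTTLS. Postfix's smtpd_tls_auth_only = yes setting makes the server withhold the AUTH lines until STARTTLS has completed.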

main.cf has over a hundred possible configuration options. Don't go nuts; it's not necessary to use all of them. Use the minimum needed to get the job done. You can check out many sample configurations in /usr/share/doc/postfix/examples/sample-smtpd.cf.gz.

smtpd_recipient_restrictions can have multiple options separated by commas, either all on one line or broken up into multiple lines. Each continuation line must start with whitespace.

20.7.4 See Also

  • /usr/share/doc/postfix/examples/, for descriptions of all the main.cf options

  • /usr/share/doc/postfix/examples/sample-auth.cf.gz, for explanations of the authentication options

  • The Postfix book (/usr/share/doc/postfix/html/index.html)
