
Recipe 20.9. Setting Up smtp-auth to Authenticate Users

20.9.1 Problem

You want your users, especially remote users, to have to authenticate themselves to your Postfix server to prevent unauthorized relaying.

20.9.2 Solution

You'll need four things:

  • Cyrus-SASL2

  • OpenSSL

  • Postfix compiled to support Cyrus-SASL

  • A server certificate and keys

See Recipe 20.7 if you have not installed Cyrus-SASL. When SASL is installed and working, the next step is to generate an SSL server certificate. Find and enter OpenSSL's misc directory (/usr/lib/ssl/misc on this system):

# cd /usr/lib/ssl/misc
# ls
CA.pl  c_info  c_name  der_chop  CA.sh  c_hash  c_issuer  demoCA

The script that generates the keys is CA.pl (or, you might see CA.sh, which is a wrapper for CA.pl that adds a little extra functionality). Choose one and make a backup copy:

# cp  CA.sh  CA.sh-old

Edit the script, adding the -nodes flag everywhere there is a $REQ line:

-newcert)
    # create a certificate
    $REQ -new -nodes -x509 -keyout newreq.pem -out newreq.pem $DAYS
...
-newreq)
    # create a certificate request
    $REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS
    RET=$?
...
else
    echo "Making CA certificate ..."
    $REQ -new -nodes -x509 -keyout ${CATOP}/private/$CAKEY \
       -out ${CATOP}/$CACERT $DAYS

The -nodes flag leaves the private key unencrypted, so no passphrase is created or asked for. You may not want to have to enter a passphrase every time the server restarts, or have an unattended reboot stall because it's waiting for a passphrase. You may skip this step and use a passphrase; obviously, using a passphrase increases security. Without one, the key is protected only by file permissions, so keep it readable by root alone.

Now generate your new certificate:

# ./CA.sh -newca
# ./CA.sh -newreq
# ./CA.sh -sign

The result, after much output, is newreq.pem, newcert.pem, and demoCA/cacert.pem. Copy these to /etc/postfix:

# cp newcert.pem /etc/postfix/
# cp newreq.pem /etc/postfix/
# cp demoCA/cacert.pem /etc/postfix/

Next, add these lines to /etc/postfix/main.cf:

smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/newreq.pem
smtpd_tls_cert_file = /etc/postfix/newcert.pem
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

Activate the changes:

# postfix reload

and test the server:

$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
220 windbag.test.net ESMTP Postfix (Libranet/GNU)
EHLO windbag.test.net
250-windbag.test.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-XVERP
250 8BITMIME
STARTTLS
S: 220 Ready to start TLS

Now configure your users' mail clients, and you're done. Most mail clients can be configured to store the login and password, so all your users need to do is click the send button.
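The telnet session above only shows that STARTTLS is offered. The point of smtpd_tls_auth_only = yes is that AUTH must appear in the EHLO reply after the TLS handshake and never before it. The following checker is an added example, not part of the recipe: it parses EHLO replies (the two replies embedded here are constructed, modelled on the session above) and can run the same evaluation against a live server, assuming the server's certificate chains to the cacert.pem you copied into /etc/postfix.

```python
import smtplib
import ssl

# Constructed EHLO replies shaped like the session above: before STARTTLS, then after the TLS handshake.
PLAIN_EHLO = """250-windbag.test.net
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250 8BITMIME"""
TLS_EHLO = """250-windbag.test.net
250-PIPELINING
250-SIZE 10240000
250-AUTH PLAIN LOGIN
250 8BITMIME"""

def parse_ehlo(reply: str) -> dict:
    """Map EHLO keywords (upper-case) to their parameters, skipping the greeting line."""
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip().startswith("250")]
    features = {}
    for line in lines[1:]:                      # lines[0] is '250-hostname'
        keyword, _, params = line[4:].partition(" ")   # drop '250-' or '250 '
        features[keyword.upper()] = params
    return features

def evaluate(before: dict, after: dict) -> list:
    """Findings for the smtpd_tls_auth_only policy; an empty list means it holds."""
    before = {k.upper(): v for k, v in before.items()}
    after = {k.upper(): v for k, v in after.items()}
    findings = []
    if "STARTTLS" not in before:
        findings.append("STARTTLS not advertised: check smtpd_use_tls")
    if "AUTH" in before:
        findings.append("AUTH offered before TLS: passwords would cross the wire in clear text")
    if "AUTH" not in after:
        findings.append("AUTH not offered after TLS: SASL is not enabled in main.cf")
    return findings

def check_live(host: str, cafile: str, port: int = 25) -> list:
    """Run the same evaluation against a running server; cafile is the CA cert from demoCA."""
    ctx = ssl.create_default_context(cafile=cafile)
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo()
        before = dict(s.esmtp_features)         # smtplib keeps keyword names lower-case
        s.starttls(context=ctx)
        s.ehlo()                                 # extensions must be re-read after TLS
        after = dict(s.esmtp_features)
    return evaluate(before, after)
```

Running evaluate(parse_ehlo(PLAIN_EHLO), parse_ehlo(TLS_EHLO)) returns an empty list; a server that offers AUTH on the plaintext EHLO produces a finding instead.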

20.9.3 Discussion

Postfix installations are pretty consistent across the various package formats and Linux distributions, but it's still a good idea to verify all the file paths in /etc/postfix/main.cf.

20.9.4 See Also

  • /usr/share/doc/postfix/examples/, for descriptions of the main.cf options

  • /usr/share/doc/postfix/examples/sample-auth.cf.gz, for the explanations of the authentication options
