POSTFIX, authentification SASL et MySQL

enabling SMTP-AUTH on Postfix using the latest Debian packages.

Scenario
 You are running Debian etch 4.0 or Lenny.
 Your mail server is hosting multiple domains as described in http://www.postfix.org/VIRTUAL_READ....
 You are using MySQL as a backend for user authentication as described in http://www.postfix.org/MYSQL_README.html.

 Your users can authenticate on your pop3/imap server as :

You want to allow them to authenticate with SMTP-AUTH using the very same credentials.

The passwords of your users’ pop3/imap accounts are stored in the database in encrypted form (md5 in this example). You want to authenticate on a secure channel (TLS).

You want to run Postfix’s "smtp" service chroot’ed, i.e. you have a line like this in /etc/postfix/master.cf :

What you need :

Install the following packages :

note :
 postfix-tls doesnt exist anymore in debian 4.0 and Testing. Package Postifx is sufficient.
 libsasl2 is now libsasl2-2

How to set up the whole thing :

Create the file /etc/pam.d/smtp with the following content :

auth required pam_mysql.so user=postfix passwd=yourpass host=127.0.0.1 db=postfix table=mailbox usercolumn=username passwdcolumn=password crypt=1 md5=1 account sufficient pam_mysql.so user=postfix passwd=yourpass host=127.0.0.1 db=postfix table=mailbox usercolumn=username passwdcolumn=password crypt=1 md5=1

Change "yourpass" to match your grant table. Create /etc/postfix/sasl/smtpd.conf with the following content :

pwcheck_method: saslauthd mech_list: PLAIN LOGIN log_level: 5

Edit the file /etc/default/saslauthd like this :

START=yes MECHANISMS="pam" OPTIONS="-c -r -m /var/spool/postfix/var/run/saslauthd"

Now we’ll have to make the directory we just added in the previous step, chown it so Postfix can use it, and add the Postfix user to the sasl group.

create a link to keep everybody happy :

Add the following lines to /etc/postfix/main.cf :

smtpd_sasl_auth_enable = yes smtpd_sasl_security_options = noanonymous smtpd_sasl_local_domain = broken_sasl_auth_clients = yes smtpd_sasl_authenticated_header = yes

Also remember to add "permit_sasl_authenticated" under "smtpd_recipient_restrictions" as follow :

Open /etc/init.d/postfix, search for the FILES variable and add etc/postfix/sasl/smtpd.conf to the list :

Restart Postfix and start saslauthd :

verifier que les parametres sont bien passés au demon saslauthd :

 Enable TLS

on prendra comme exemple le domaine starbridge.org

Pour un serveur en production, il serait préférable d’utiliser un véritable certificat fourni et signé par une autorité de certification de confiance. (payant).

On édite la configuration de ssl pour pouvoir signer des certificats sur 10 ans, au lieu d’1 an par défaut :

vi /etc/ssl/openssl.cnf on change la ligne default_days en

default_days = 3650

On crée le Certificat Racine :

on entre les parametres requis, on choisis un pass phrase de son choix et on laisse "challenge password" vide.

CA certificate filename (or enter to create) Making CA certificate ... Generating a 1024 bit RSA private key .......++++++ .........................................++++++ writing new private key to './demoCA/private/cakey.pem' Enter PEM pass phrase: Verifying - Enter PEM pass phrase: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. Country Name (2 letter code) [AU]:FR State or Province Name (full name) [Some-State]:Paris Locality Name (eg, city) []:Paris Organization Name (eg, company) [Internet Widgits Pty Ltd]:Starbridge Organizational Unit Name (eg, section) []: Common Name (eg, YOUR name) []:starbridge.org Email Address []:tonio@starbridge.org Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from /usr/lib/ssl/openssl.cnf Enter pass phrase for ./demoCA/private/cakey.pem: Check that the request matches the signature Signature ok Certificate Details: Serial Number: 84:7c:ce:d2:f7:cf:df:6c Validity Not Before: Nov 13 16:44:33 2007 GMT Not After : Nov 12 16:44:33 2010 GMT Subject: countryName = FR stateOrProvinceName = Paris organizationName = Starbridge commonName = starbridge.org emailAddress = tonio@starbridge.org X509v3 extensions: X509v3 Subject Key Identifier: B9:04:A3:81:E5:5D:D6:82:72:F4:6E:0C:FB:3F:E2:62:1B:EF:B9:57 X509v3 Authority Key Identifier: keyid:B9:04:A3:81:E5:5D:D6:82:72:F4:6E:0C:FB:3F:E2:62:1B:EF:B9:57 DirName:/C=FR/ST=Paris/O=Starbridge/CN=starbridge.org/emailAddress=tonio@starbridge.org serial:84:7C:CE:D2:F7:CF:DF:6C X509v3 Basic Constraints: CA:TRUE Certificate is to be certified until Nov 12 16:44:33 2010 GMT (1095 days) Write out database with 1 new entries Data Base Updated

Ce certificat racine sert à signer les certificats. Il est localisé dans le répertoire /demoCA.

On crée maintenant une clé privée pour le serveur ainsi qu’un certificat public non signé.

et on entre les parametres comme ci dessous :

Generating a 1024 bit RSA private key .............++++++ .............++++++ writing new private key to 'starbridge-key.pem' You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. Country Name (2 letter code) [AU]:FR State or Province Name (full name) [Some-State]:Paris Locality Name (eg, city) []:Paris Organization Name (eg, company) [Internet Widgits Pty Ltd]:Starbridge Organizational Unit Name (eg, section) []: Common Name (eg, YOUR name) []:starbridge.org Email Address []:tonio@starbridge.org Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:

Note : le paramètre le plus important est le Common Name qui doit être le meme que le nom avec lequel se connecte les clients sur le serveur. Ici j’ai pris le nom de domaine du serveur de mail : starbridge.org mais cela peut etre le FQDN : spike.starbridge.org.

On signe maintenant ce certificat public avec le certificat racine :

Voici la sortie de la signature :

Using configuration from /usr/lib/ssl/openssl.cnf Enter pass phrase for ./demoCA/private/cakey.pem: Check that the request matches the signature Signature ok Certificate Details: Serial Number: 84:7c:ce:d2:f7:cf:df:6d Validity Not Before: Nov 13 16:51:32 2007 GMT Not After : Nov 10 16:51:32 2017 GMT Subject: countryName = FR stateOrProvinceName = Paris organizationName = Starbridge commonName = starbridge.org emailAddress = tonio@starbridge.org X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 05:2A:A9:90:6F:2A:80:F7:E3:EF:2B:F9:44:9D:8E:CF:C3:16:18:EF X509v3 Authority Key Identifier: keyid:B9:04:A3:81:E5:5D:D6:82:72:F4:6E:0C:FB:3F:E2:62:1B:EF:B9:57 Certificate is to be certified until Nov 10 16:51:32 2017 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated

On copie maintenant le certificat et la clé dans postfix :

On ajoute ceci au /etc/postfix/main.cf :

smtp_tls_CAfile = /etc/postfix/tls/cacert.pem smtp_tls_security_level = may smtp_tls_session_cache_database = btree:/var/spool/postfix/smtp_tls_session_cache smtpd_tls_security_level = may smtpd_tls_auth_only = yes smtpd_tls_key_file = /etc/postfix/tls/starbridge-key.pem smtpd_tls_cert_file = /etc/postfix/tls/starbridge-cert.pem smtpd_tls_CAfile = /etc/postfix/tls/cacert.pem smtpd_tls_loglevel = 1 smtpd_tls_received_header = yes smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_session_cache tls_random_source = dev:/dev/urandom

On redémarre Postfix :

On vérifie le fonctionnement depuis un client mail configuré pour l’authentification SASL sur un chiffrement TLS avec les mêmes identifiants que pour la connexion IMAP (ne pas oublier le @starbridge.org).

Pour le type d’authentication, il faut sélectionner "en clair" (le terme dépend du client mail).

C’est le chiffrage de la connexion par le TLS qui sécurisera le transfert du password.

C’est pour cela qu’il ne faut pas dissocier TLS et authentification.

 Random thoughts

Q. : Can Postfix query the MySQL db directly ? A. : No.

Q. : Why do you use libpam-mysql ? saslauthd natively supports SQL. A. : Because saslauthd only supports unencrypted password if you use a sql db as an authentication backend. That’s the reason for interfacing saslauthd with PAM. PAM, in turn, can use just anything.

Q. : My friend told me that /etc/postfix/sasl/smtpd.conf should contain

"pwcheck_method : pam" A. : That was true for SASL < 2.x. Now you have to use saslauthd.

Q. : Why do you run saslauthd with the -r flag ? A. : Because my users authenticate as "user@domain", not "user". If you are in trouble check /var/log/auth.log .

Q. : Why did you move saslauthd’s socket to

/var/spool/postfix/var/run/saslauthd ?

A. : Because the smtp service runs chroot’ed.

Q. : Why did you add etc/postfix/sasl/smtpd.conf to the FILES variable ? A. : Because Postfix needs to access that file from inside the chroot. The init.d script copies the latest copy of that file inside the chroot at every restart.

Q. : How does the authentication chain work ? A. : Postfix connects to saslauthd via socket, which in turn asks PAM to authenticate the user which in turn queries the relevant MySQL table.

Q. : Are there any alternatives to libpam-mysql ? A. : Perhaps it’s possible to use authdaemon from the Courier package.

Q. : Why do you use 127.0.0.1 instead of localhost ?

A. : In order to use a TCP socket instead of a unix socket. This way we don’t have to put MySQL’s unix socket inside Postfix’s chroot.

article original : http://www.nervous.it/txt/Postfix-S... adapté pour la debian 4.0 par tonio