This document is about the trials and tribulations dealing with Debian's postfix distribution. Frankly, it is a pain in the ass. In addition to the message below you have to make the file /etc/sasldb2 owned by postfix by issuing

    chown postfix /etc/sasldb2

I don't know the security nightmares possibly created by that, but then I'm not trying to run something with 99.998% uptime.

This helped: http://www.ssc.com/pipermail/linux-list/2003-November/018655.html

[SLL] Postfix-tls Debian Testing + SASL
Brian Hatch (bri at ifokr.org)
Fri Nov 14 23:07:09 PST 2003

Since it took me a while today, figured I'd document what I needed to do when I upgraded Postfix-tls to get SASL working for authenticated mail relaying over SSL. Much of this may be extraneous, but it's what I have and it works.

Goal: SMTP AUTH available iff coming over an SSL connection. Allow only PLAIN or LOGIN (not a problem since it's over SSL.)

/etc/postfix/main.cf entries:

    smtpd_tls_cert_file = /etc/stunnel/mail.example.org.pem
    smtpd_tls_key_file = /etc/stunnel/mail.example.org.pem
    smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
    smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_use_tls = yes
    smtpd_enforce_tls = no
    smtpd_tls_auth_only = yes
    smtpd_tls_session_cache_database = sdbm:/etc/postfix/smtpd_sessionid_cache
    smtpd_tls_session_cache_timeout = 3600s
    # Needed RC4-SHA for my palm app, shame.
    smtpd_tls_cipherlist = HIGH:RC4-SHA:@STRENGTH
    # tlsmgr supports RNG and session id caching
    tls_random_exchange_name = /etc/postfix/prng_exch
    tls_random_source = dev:/dev/urandom
    smtpd_sasl_auth_enable = yes
    # don't disallow plaintext
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_local_domain = mail.example.org

/etc/postfix/master.cf entries:

    # Vanilla port 25
    smtp      inet  n       -       -       -       -       smtpd
    # 465 - SSL-wrapped SMTP
    smtps     inet  n       -       y       -       -       smtpd
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
    # TLS manager (cache, etc.)
    tlsmgr    fifo  -       -       y       300     1       tlsmgr

/etc/postfix/sasl/smtpd.conf:

    # Old version (debian stable) used sasldb
    #pwcheck_method: sasldb
    # New version uses these two
    pwcheck_method: auxprop
    # don't offer Kerberos/etc.
    mech_list: plain login

installed packages:

    ii  libsasl-digestmd5-des   1.5.24-11   DIGEST-MD5 Authentication Module for SASL
    ii  libsasl-gssapi-mit      1.5.27-3    Pluggable Authentication Modules for SASL - MIT GSSAPI
    ii  libsasl-modules-plain   1.5.27-3.5  Basic Pluggable Authentication Modules for SASL
    ii  libsasl2                2.1.12-1    Authentication abstraction library
    ii  libsasl2-modules        2.1.12-1    Pluggable Authentication Modules for SASL
    ii  libsasl7                1.5.27-3.5  Authentication abstraction library.
    ii  sasl2-bin               2.1.12-1    Programs for manipulating the SASL users database

(Some of these are certainly unnecessary for PLAIN/LOGIN use.)
(Debian stable used 'sasl-bin' instead of 'sasl2-bin' etc.)

create /etc/sasldb2

    # saslpasswd2 -u mail.example.org blah
    Password: aoeu
    Again: aoeu
    # sasldblistusers2
    blah@mail.example.org: userPassword

copy sasldb2 into the chroot area

    # touch /var/spool/postfix/etc/sasldb2
    # chown postfix /var/spool/postfix/etc/sasldb2
    # chmod 600 /var/spool/postfix/etc/sasldb2
    # cat /etc/sasldb2 > /var/spool/postfix/etc/sasldb2

Verify that SMTP AUTH is being offered

    $ stunnel -c -f -r mail.example.org:465 -D0
    220 mail.example.org ESMTP ReegenMail
    EHLO example.org
    250-mail.example.org
    250-PIPELINING
    250-SIZE 10240000
    250-ETRN
    250-AUTH LOGIN PLAIN
    250-XVERP
    250 8BITMIME

the important line is the 250-AUTH one.

Now, let's verify that we can actually log in to it:

    # determine the BASE64 encoded string to send:
    $ perl -MMIME::Base64 -e 'print encode_base64("blah\0blah\0aoeu"), "\n"'
    YmxhaABibGFoAGFvZXU=
    $ cat > /tmp/smtp_session <
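The post's goal is "SMTP AUTH available iff coming over an SSL connection", and it verifies only the positive half (AUTH appears in the EHLO over port 465). The following POSIX shell script is an added example, not part of the original post and not Postfix's or Cyrus SASL's own code: it checks both halves of the policy against two EHLO transcripts (AUTH must be absent on the cleartext connection and present over TLS), and it reproduces the AUTH PLAIN token that the perl one-liner produces, so the token can be built without perl. The two transcripts at the bottom are constructed, not captured from a real server; the live probe functions assume openssl and nc are installed, use placeholder host names, and are not run by default.

```shell
#!/bin/sh
# Added example (not from the original post): check the "AUTH only over TLS"
# policy from EHLO transcripts, and build the AUTH PLAIN initial response.

# Build the base64 AUTH PLAIN token: authzid NUL authcid NUL password
# (RFC 4616; the authzid may be empty). printf emits real NUL bytes for \0,
# and tr joins base64's output onto one line.
auth_plain_token() {
    printf '%s\0%s\0%s' "$1" "$2" "$3" | base64 | tr -d '\n'
}

# Read an EHLO response on stdin; exit 0 if the server advertises AUTH.
# Matches "250-AUTH LOGIN PLAIN", "250 AUTH ..." and the old "250-AUTH=..." form.
ehlo_offers_auth() {
    grep -Eiq '^250[- ]AUTH([ =]|$)'
}

# Policy check: $1 is the EHLO response from the cleartext connection,
# $2 the EHLO response from the TLS connection. Returns 1 on any violation.
check_auth_only_over_tls() {
    clear_ehlo=$1
    tls_ehlo=$2
    if printf '%s\n' "$clear_ehlo" | ehlo_offers_auth; then
        echo "FAIL: AUTH advertised on the cleartext connection" >&2
        return 1
    fi
    if ! printf '%s\n' "$tls_ehlo" | ehlo_offers_auth; then
        echo "FAIL: AUTH not advertised over TLS" >&2
        return 1
    fi
    echo "OK: SMTP AUTH is offered only over TLS"
    return 0
}

# Live probes (assumptions: openssl and nc are installed, host is reachable).
# Port 465 is wrapper-mode SSL as in the master.cf above; for STARTTLS on
# port 25 add "-starttls smtp" to the openssl command instead.
ehlo_over_tls() {
    { sleep 1; printf 'EHLO example.org\r\n'; sleep 1; printf 'QUIT\r\n'; } \
        | openssl s_client -connect "$1:$2" -quiet 2>/dev/null
}
ehlo_cleartext() {
    { sleep 1; printf 'EHLO example.org\r\n'; sleep 1; printf 'QUIT\r\n'; } \
        | nc -w 5 "$1" "$2"
}

# Constructed transcripts (not captured from a real server) showing the
# behaviour the post's configuration is meant to produce: STARTTLS but no
# AUTH on port 25, AUTH LOGIN PLAIN on the SSL-wrapped port 465.
CLEAR_EHLO='220 mail.example.org ESMTP
250-mail.example.org
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250 8BITMIME'
TLS_EHLO='220 mail.example.org ESMTP
250-mail.example.org
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-AUTH LOGIN PLAIN
250-XVERP
250 8BITMIME'

check_auth_only_over_tls "$CLEAR_EHLO" "$TLS_EHLO"
echo "AUTH PLAIN token for blah/blah/aoeu: $(auth_plain_token blah blah aoeu)"
```

Against a real server the same check is `check_auth_only_over_tls "$(ehlo_cleartext mail.example.org 25)" "$(ehlo_over_tls mail.example.org 465)"`; the setting that makes the first half hold is `smtpd_tls_auth_only = yes` from the main.cf above, which hides AUTH until the session is encrypted. The token printed for blah/blah/aoeu is the same `YmxhaABibGFoAGFvZXU=` the post computes with perl. One caveat a current reader should add to the post's cipher list: RC4 suites such as RC4-SHA are prohibited for TLS by RFC 7465, so `HIGH:RC4-SHA:@STRENGTH` should drop the RC4-SHA entry on any server built today.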