Cyberwizzard.nl

Postfix and Cyrus SASL authentication

It has been a while since I’ve had the time to blog about something. Mainly that is because my study is demanding a lot of time and because I am working on some new things which keep me pretty occupied. I will write about those things some other time.

Right, on to Postfix and Cyrus SASL. Most of my servers are running some flavor of *nix and because I started to like the low effort CentOS needs to keep running, I rebuilt all my Gentoo-based systems (which took hours to compile and then manually upgrade thanks to the ever changing configuration of a gazillion programs) to CentOS versions – including my Postfix + Courier-IMAP + MySQL mail system. This setup is pretty common as the first guide I found on the HowTo forge for CentOS 5.x was almost verbatim what I had done while porting from Gentoo to CentOS. Also, see the Gentoo guide I used to set it all up (also usable for CentOS).

The only thing I never got going – because I never needed it – was SMTP authentication. Now, when other people send mail to your server they will not need to authenticate: the server is the end-point for the email and as such it will accept any mail sent to the domains hosted on it. So when do you need authentication? When you want to relay.

Now, relaying has a bad name on the internet; try to Google for it and see what comes up. But relaying itself is not a fluke, it’s a solution. In my case, I have 2 reasons for relaying.

First, at work and at my parents, I can send mail just fine using the ISP mail servers (which I have to change every time I switch locations *sigh*) but the mail servers are a bit too well educated. My domain is currently an alias (CNAME to be exact) for a DynDNS address. When sending mail, the mail servers resolve and expand the domain I claim to send from and rewrite the address. This means that sending to mailing lists becomes impossible and other people wonder what an ath.cx address is…

Secondly, at home I can’t send mail at all because the idiots at my ISP (I will write about the woes another time) told their mail servers that the server had to match the sender (domain wise). Because of the fact that I am not allowed to link the DNS to my IP directly, this will result in – yet again – 2 different domains and in this case the mail is bounced back to me.

In both cases it would be very handy to be able to just send mail using my own mail server as it will deliver mail directly to the correct remote servers, using the correct names etc.

On a side note, the government has decided that it would be a great idea to store all mail traffic for everyone in the country to fight crime. As usual, declaring such a policy will simply tell everyone who is planning to blow up stuff to use alternate means of communication – most of it being encrypted and voiding the whole purpose. To that end, I like the idea of using my own mail server on an encrypted channel so my mail remains private and let everyone listening in guess what dark secrets I send around. (On a side note: yes, the server-to-server communication cannot be encrypted unless both servers know how to – but the first bit is safe).

Now, on with the details. I assume you have Postfix running with MySQL, so it is delivering mail to a maildir on your server or forwarding it somewhere else. Courier (IMAP/POP3/whatever) is running as well and can access the mail delivered for Postfix and as such, your whole mail server is up and running. Now comes the catch: Courier has an authentication library which should be able to authenticate against MySQL. Most installations will use Cyrus SASL instead because it has more features (and in my case was easier to set up as I am using postfixAdmin to administer the server).

You NEED Cyrus SASL 2 with the SQL plugin installed; if you use Courier Authlib, you need a different guide or have to change the authlib you are using. If you use CentOS like me, run: ‘yum install cyrus-sasl-sql’ to grab the right plugin.

Now, open up ‘/usr/lib/sasl2/smtpd.conf’ to create the specific SASL authentication file for Postfix. On a side note: in my case, I didn’t have to start the service for this to work. Anyway, insert this:

pwcheck_method: authdaemond 
log_level: 2 
authdaemond_path: /var/spool/authdaemon/socket

The first line tells Postfix to use the Cyrus SASL daemon (instead of the Courier Authlib one). The second line is optional but is handy when debugging; increase it if things don’t work so you can see what is happening. The 3rd line is crucial: this is the path to the socket of the Cyrus SASL daemon. On CentOS 5.x you should have it here; on other distributions you need to search for the socket and put it in there.

Now that you have set up the SASL authentication settings, it is time to tell Postfix to check the SASL pipeline when someone tries to authenticate. Add the following to your main.cf:

# SASL settings 
broken_sasl_auth_clients = yes 
smtpd_sasl_auth_enable = yes 
smtpd_sasl_authenticated_header = yes 
smtpd_sasl_security_options = noanonymous 
smtpd_sasl_local_domain = 
# Used by SASL to identify the Postfix client 
smtpd_sasl_path = smtpd

These settings are pretty safe, won’t turn your box into an open relay (the bad sort of relaying abused by spammers) and will still make it possible to use pretty much every mail client out there. Note the last line: it sets the keyword Postfix uses when it tries to authenticate, which is why the SASL configuration is called smtpd.conf. Another reason to use this name is the fact that smtpd is the name of the daemon that will request authentication and on some distributions, it will automatically search for that name.
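
A quick way to check the settings above on a running box, added here as an example and not part of the original post: the function reads main.cf (or the output of postconf -n) on stdin and reports on the SASL options. The function names, the FAIL/WARN wording and the check on smtpd_tls_auth_only (a Postfix parameter the post does not set) are choices made for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Feed it main.cf or the output
# of `postconf -n` on stdin. Continuation lines are not joined (simplification).

# param NAME FILE -> value of the last "NAME = value" line (last one wins)
param() {
    sed -n "s/^$1[[:space:]]*=[[:space:]]*//p" "$2" | tail -n 1 |
        sed 's/[[:space:]]*$//'
}

# has_opt OPTION LIST -> true if OPTION is in the comma/space separated LIST
has_opt() {
    case " $(printf '%s' "$2" | tr ',' ' ') " in
        *" $1 "*) return 0 ;;
    esac
    return 1
}

# audit_sasl [SASL_DIR] -> prints findings, returns the number of FAIL lines
audit_sasl() {
    sasl_dir=${1:-/usr/lib/sasl2}   # directory used in the post
    cfg=$(mktemp) || return 99
    cat > "$cfg"
    auth=$(param smtpd_sasl_auth_enable "$cfg")
    opts=$(param smtpd_sasl_security_options "$cfg")
    path=$(param smtpd_sasl_path "$cfg")
    tls_only=$(param smtpd_tls_auth_only "$cfg")   # not set in the post
    rm -f "$cfg"
    fails=0

    if [ "$auth" != yes ]; then
        echo "FAIL: smtpd_sasl_auth_enable is not 'yes'"; fails=$((fails + 1))
    fi
    # Unset means the Postfix default (noanonymous); only an explicit list drops it.
    if [ -n "$opts" ] && ! has_opt noanonymous "$opts"; then
        echo "FAIL: smtpd_sasl_security_options lacks noanonymous"; fails=$((fails + 1))
    fi
    # Cyrus SASL looks for <smtpd_sasl_path>.conf (Postfix default: smtpd).
    conf="$sasl_dir/${path:-smtpd}.conf"
    if [ ! -f "$conf" ]; then
        echo "FAIL: $conf not found"; fails=$((fails + 1))
    fi
    # Plaintext mechanisms allowed and AUTH not limited to TLS sessions.
    if ! has_opt noplaintext "$opts" && [ "$tls_only" != yes ]; then
        echo "WARN: passwords may cross the network without TLS"
    fi
    return "$fails"
}
```

On a live system: postconf -n | audit_sasl. With exactly the settings from this post it prints the WARN line, because nothing in them ties authentication to an encrypted session.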

Now save, restart Postfix and try to authenticate (set your mail client to connect to your server when sending mail and to use the same username and password you need when receiving mail). If everything went well, you can now send mail to anyone, from anywhere using your very own address and just one mail server!

If you get this:

[postfix/smtpd] warning: SASL authentication failure: cannot connect to Courier authdaemond: Connection refused

…you have a problem. Ignore the bit that says Courier authdaemond – you are trying to connect to Cyrus but Postfix doesn’t know this and as you are using the Courier interface, it will tell you something that is incorrect. The message means that it couldn’t find the socket, it is not allowed to access the socket or a similar issue is preventing it from working.

Step 1: Do NOT hardlink the socket to the SASL directory to include it into the Postfix root jail. This will work as long as the system is up: if the authlib daemon is restarted, it will recreate the socket and your hardlink will be dead – sending you off on a goose chase (guess how I found out that one… afterwards I also found this conversation about it)

Step 2: Make sure the socket file is where you told Postfix it would be. Try restarting all services and make sure the timestamp on the socket changed when you restarted everything. If it didn’t change, you are referring to the wrong file. Try to delete it, restart everything again and you won’t see it reappear. Search for it again and fix the path in the smtpd.conf file.

Step 3: When accessing the socket, you need more than read and write access to the socket. You also need r/w access to a random regular file in the directory holding the socket. This is how sockets work and if I understand correctly, a hidden file is used once a program opens the socket to continue the session – hence you need to be allowed to create that file. On CentOS, open ‘/etc/group’, find the line that says ‘daemon:…’ and add ‘postfix’ to that line, use a comma if one or more names are on that line already. Now Postfix is part of the daemon group which owns the socket directory on CentOS. If you have a different distribution, find out who owns the directory, who is running postfix (usually this is the user + group ‘postfix’ or ‘mail’) and fix it.

Step 4: Restart all services or the whole system if you get here. Read the log files again looking for hints about what went wrong. If you still have problems, try to Google for it or leave a comment.
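
Steps 2 and 3 as a script, added here as an example and not part of the original post: it reads authdaemond_path from the SASL configuration file and reports the first thing that would stop the calling user from reaching the socket. The function name and the return codes are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Run it as the account smtpd runs
# under (postfix on CentOS), since every test below depends on the caller.

# check_authd_socket CONF -> 0 when the socket named in CONF is usable
#   2 no authdaemond_path in CONF   3 socket directory not searchable
#   4 nothing at that path          5 path is not a socket
#   6 socket not writable by the calling user
check_authd_socket() {
    conf=$1
    sock=$(sed -n 's/^authdaemond_path:[[:space:]]*//p' "$conf" |
           tail -n 1 | sed 's/[[:space:]]*$//')
    if [ -z "$sock" ]; then
        echo "no authdaemond_path in $conf"; return 2
    fi
    dir=$(dirname "$sock")
    if [ ! -d "$dir" ] || [ ! -x "$dir" ]; then
        echo "$(id -un) cannot enter $dir (Step 3: check owner and group)"
        ls -ld "$dir" 2>/dev/null
        return 3
    fi
    if [ ! -e "$sock" ]; then
        echo "$sock does not exist (Step 2: wrong path or daemon not running)"
        return 4
    fi
    if [ ! -S "$sock" ]; then
        echo "$sock exists but is not a socket"; return 5
    fi
    if [ ! -w "$sock" ]; then
        echo "$(id -un) may not write to $sock"; ls -l "$sock"; return 6
    fi
    # Step 2: this timestamp should change when the daemon is restarted.
    ls -l "$sock"
    return 0
}
```

Run it once before and once after restarting the services; if the timestamp on the last line does not move, smtpd.conf points at a stale file.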

Good luck!