This is yet another SMTP AUTH setup guide. It is based on my experiences using Postfix 2.1.5 and CMU Cyrus SASL (saslauthd) 2.1.19 on a Debian (Sarge) system to authenticate against an OpenLDAP server. I’m assuming that Postfix and LDAP are already configured. Installing saslauthd
I installed the SASL packages in Debian by running:
# apt-get install sasl2-bin libsasl2-modules
Alternately, you can obain the cyrus-sasl source from ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/ and build saslauthd yourself:
# tar xzvf cyrus-sasl.tag.gz # cd cyrus-sasl # ./configure --with-ldap # make # make install
In Debian, configuration defaults for startup scripts are often in /etc/default/. saslauthd is no exception. Edit /etc/default/saslauthd as needed, e.g.:
# This needs to be uncommented before saslauthd will be run automatically START=yes
# You must specify the authentication mechanisms you wish to use. # This defaults to "pam" for PAM support, but may also include # "shadow", "sasldb", "kerberos5", etc. # See saslauthd(8) for more mechanisms. MECHANISMS=ldap
# Location of main config file CONFIG_FILE="/etc/saslauthd.conf"
Then edit /etc/saslauthd.conf to specify the LDAP servers and search base:
ldap_servers: ldap://ldap.example.edu/ ldap_search_base: dc=example,dc=edu
Now you’re ready to run saslauthd. In Debian, the init script is /etc/init.d/saslauthd Start saslauthd with /etc/init.d/saslauthd start. (To stop saslauthd, run /etc/init.d/saslauthd stop.)
First verify that saslauthd is running with ps aux | grep sasl. (Note: for LDAP support the process should be running as /usr/sbin/saslauthd -a ldap.) Then use testsaslauthd to test authentication against the LDAP server. Run:
# testsaslauthd -u username -p password
If it’s working, you should see
0: OK "Success."0: OK "Success."
In Debian postfix is run by user postfix, whose home directory is /var/spool/postfix/. The postfix user must have access to saslauthd. Use vigrp to add user postfix to the sasl group and move the saslauthd directory:
# mkdir -p /var/spool/postfix/var/run # mv /var/run/saslauthd /var/spool/postfix/var/run
Specify the password check method by editing /etc/postfix/sasl/smtpd.conf:
Finally, edit /etc/postfix/main.cf. Add the following lines:
smtpd_sasl_auth_enable = yes smtpd_sasl_security_options = noanonymous smtpd_sasl_local_domain = broken_sasl_auth_clients = yes
Additionally, you must add permit_sasl_authenticated to the smtpd_receipient_restrictions stanza. For example:
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
Check the postfix configuration syntax by running /etc/init.d/postfix check. If there is no output, the configuration is valid. Restart postfix with /etc/init.d/postfix restart (or reload the configuration with /etc/init.d/postfix reload and wait for the config file to be reloaded). Testing
Verify that postfix is running and has authentication enabled by telneting to port 25 on the mail server (telnet mail.example.edu 25). You should see something like:
Trying 10.0.0.17... Connected to mail. Escape character is '^]'. 220 mail.example.edu ESMTP Postfix (Debian/GNU)
Once connected, type ehlo localhost You should see something like:
250-mail.example.edu 250-PIPELINING 250-SIZE 31457280 250-VRFY 250-ETRN 250-AUTH NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5 250-AUTH=NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5 250 8BITMIME
The important part is the AUTH lines. Use ^] to disconnect.
The last step is to test with a mail client. mutt requires a patch, so I used pine. This required me to change one line in my existing .pinerc config file:
(where username is a valid username).
While testing, use tail -f /var/log/mail.log to watch for errors. See also