Martin Allan Jensen wrote:
Hi all,

The company I work for has approximately nine mail servers, including Postfix, qmail, sendmail and exim. They would like to make ONE SMTP relay host server so that all their customers can use their SMTP server to send mail through.
The customers already get their incoming mail through their mail servers.

I fail to see a way to make this possible without creating an entirely open relay, or creating a database with usernames and passwords and using SASL. Does anybody know if it is possible to make the SMTP host contact the mail server and verify that the sender email exists on their incoming mail server? Or is there another setup recommended?

I'll attach my notes RE setting up SMTP access using SASL - the only thing which pops into mind is that SASL can possibly authenticate against your own DB - or possibly against IMAP or POP3 for each of the mail servers in turn.

Sounds like a tough one - maybe time to get all the servers to auth against LDAP - surely it's an idea to have a central DB of all the users.

Kevin

---++ Overview

We want to enable users to be able to send email via the server from any location. For this we will enable SMTP AUTH - this will enable the users to use the server to relay mail providing they provide their username and password.

Most of the following steps were taken from 'The Book of Postfix' from No Starch Press.

Postfix can use SASL as an authentication mechanism - and SASL can in turn use the local accounts to verify credentials.

The basic SASL libraries are installed when Postfix is installed on Debian Etch - it is necessary to add the libsasl2-modules package to enable SASL to authenticate using the main methods. Postfix has SASL support built in by default.

SASL can authenticate as a command line program - but if it is called by Postfix then SASL will not be able to authenticate against /etc/passwd because Postfix does not run as root. Therefore we will install sasl2-bin and this will install the saslauthd daemon which runs as root. Therefore, Postfix can query the saslauthd daemon which in turn queries the local account database.

After installing libsasl2-modules and sasl2-bin...

Edited /etc/default/saslauthd and set START=yes.

Then started the daemon with /etc/init.d/saslauthd restart.

Then followed instructions which came with sasl2-bin in the DEBIAN doc file. See

# most /usr/share/doc/sasl2-bin/README.Debian

NB - Postfix is installed chrooted by default on Debian Etch - see the Postfix Debian doc. This means that the following steps need to be taken.

These are the instructions:

<verbatim>
If you run a chrooted server such as Postfix and wish to use saslauthd, you
must place the saslauthd socket ("mux") inside the Postfix chroot. You must
also set correct overrides for the run directory inside the chroot, using
dpkg-statoverride. Finally, you must add the postfix user to the sasl group. These steps ensure that the Debian subsystems know how you want things to be
laid out.

To place the saslauthd socket inside the Postfix chroot, edit
/etc/default/saslauthd and set OPTIONS like this (you may omit -c):
 OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

To set the run directory using dpkg-statoverride, run this command as root:
 dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd

Finally, to add the postfix user to the sasl group:
 adduser postfix sasl

The init script will automatically create the run directory with the
permissions you have set using dpkg-statoverride. Please note that you must
also configure Postfix correctly. There are many options related to SASL. See
the Postfix documentation for how to do this.
</verbatim>

Then restarted saslauthd - this seemed to take a while to restart but eventually gets restarted.

Then tested that authentication is working with

<verbatim>
# testsaslauthd -f /var/spool/postfix/var/run/saslauthd/mux -u username -p password
</verbatim>

and

<verbatim>
# testsaslauthd -f /var/spool/postfix/var/run/saslauthd/mux -u username -p badpassword
</verbatim>

The first should be ok and the second should fail.

This shows that SASL is authenticating against a backend (which is currently set to use PAM). This seems to check against the local user accounts which is what is required.

Now we need to get Postfix to authenticate SMTP connections against SASL - more specifically against saslauthd.

The following parameters were added to /etc/postfix/main.cf.
<verbatim>
# Setting up SMTP authentication.
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
</verbatim>

The file /etc/postfix/sasl/smtpd.conf needed to be created with the following contents. This is actually a configuration file for SASL - it uses small config files specific for the programs using its services. It also seems to dictate which authentication mechanisms get offered to the clients by Postfix.

<verbatim>
# Global parameters
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
</verbatim>

Then restarted Postfix and saslauthd.

It should now be possible for clients to send email using the server - they can use TLS if required.

For extra security it is possible to force all users to use TLS when connecting. This provides an encrypted tunnel for all traffic.

This means that the users can use their email account credentials to use the server to send emails.

-- Main.KevinBailey - 28 Jan 2008

I tried Google a lot, but I can't seem to find anything that points me in the right direction - someone else surely must have run into this scenario before?

Looking forward to hearing from you, a link, or even some rough notes would be nice.

Thank you very much...

--
Martin

--
*Kevin Bailey*
Director/Programmer - Freeway Projects Limited
Web: www.freewayprojects.com <http://www.freewayprojects.com/>
Email: kbai...@freewayprojects.com <mailto:kbai...@freewayprojects.com>
Phone: +44 (0)1752 267090
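The main.cf fragment in Kevin's notes is the part that decides whether the box is an authenticated relay or an open one, so here is an added audit script (my own example, not code from the thread or from Postfix) that reads a main.cf and flags the usual mistakes: reject_unauth_destination missing or placed after a bare permit, mynetworks covering 0.0.0.0/0, noanonymous absent, and PLAIN/LOGIN offered without TLS. Besides the parameters shown in the notes it inspects smtpd_tls_auth_only, smtpd_tls_security_options and mynetworks, which are standard Postfix parameters; the two sample main.cf files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: audit the SMTP AUTH / relay settings in a
# Postfix main.cf for the mistakes that turn an authenticated relay into an open
# one. Exit status 0 means no findings; each finding is printed and counted.
# Usage: sh audit.sh /etc/postfix/main.cf   (no argument: run on two built-in samples)

# Print the last value assigned to key $2 in the main.cf-style file $1
# (single-line "key = value" entries only).
cf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Print the 1-based position of word $2 in the comma/space separated list $1, or 0.
list_pos() {
    printf '%s\n' "$1" | awk -v w="$2" '
        { n = split($0, a, /[ ,]+/); p = 0
          for (i = 1; i <= n; i++) if (a[i] == w) { p = i; break }
          print p }'
}

audit_main_cf() {
    cf="$1"; findings=0

    [ "$(cf_get "$cf" smtpd_sasl_auth_enable)" = "yes" ] \
        || { echo "FAIL smtpd_sasl_auth_enable is not yes"; findings=$((findings + 1)); }

    # Relay policy: reject_unauth_destination must be present and must not be
    # preceded by an unconditional "permit" (permit_sasl_authenticated and
    # permit_mynetworks before it are the intended pattern).
    restr=$(cf_get "$cf" smtpd_recipient_restrictions)
    rej=$(list_pos "$restr" reject_unauth_destination)
    perm=$(list_pos "$restr" permit)
    if [ "$rej" -eq 0 ]; then
        echo "FAIL open relay: reject_unauth_destination missing"; findings=$((findings + 1))
    elif [ "$perm" -ne 0 ] && [ "$perm" -lt "$rej" ]; then
        echo "FAIL open relay: bare permit before reject_unauth_destination"; findings=$((findings + 1))
    fi

    # permit_mynetworks is only safe when mynetworks is not the whole Internet.
    case "$(cf_get "$cf" mynetworks)" in
        *0.0.0.0/0*) echo "FAIL open relay: mynetworks covers 0.0.0.0/0"; findings=$((findings + 1)) ;;
    esac

    # Anonymous SASL must be refused.
    sec=$(cf_get "$cf" smtpd_sasl_security_options)
    [ "$(list_pos "$sec" noanonymous)" -ne 0 ] \
        || { echo "FAIL smtpd_sasl_security_options lacks noanonymous"; findings=$((findings + 1)); }

    # PLAIN and LOGIN send the password in the clear; only offer them inside TLS,
    # either via smtpd_tls_auth_only = yes or via noplaintext outside TLS.
    if [ "$(cf_get "$cf" smtpd_tls_auth_only)" != "yes" ] \
       && [ "$(list_pos "$sec" noplaintext)" -eq 0 ]; then
        echo "WARN cleartext AUTH offered without TLS (set smtpd_tls_auth_only = yes)"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Two constructed main.cf fragments: the notes' settings plus TLS-only AUTH,
# and a broken variant with the relay check dropped and a world-wide mynetworks.
write_samples() {
    dir="$1"
    cat > "$dir/good.cf" <<'EOF'
mynetworks = 127.0.0.0/8
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_tls_auth_only = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
EOF
    cat > "$dir/open.cf" <<'EOF'
mynetworks = 0.0.0.0/0
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, permit
EOF
}

if [ $# -gt 0 ]; then
    audit_main_cf "$1"
else
    d=$(mktemp -d); write_samples "$d"
    for f in good open; do
        echo "== $f.cf"; audit_main_cf "$d/$f.cf" && echo "no findings"
    done
    rm -rf "$d"
fi
```

The same audit applies unchanged when saslauthd is pointed at another backend instead of PAM: for Martin's case, where the passwords live on the customers' incoming mail servers, saslauthd's rimap mechanism (`-a rimap -O imap.example.net`, with a placeholder host) verifies credentials by logging in to a remote IMAP server, so the relay can authenticate users without copying their passwords into a local database.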