Postfix + SASL2(using pam mech) + TLS HOWTO for FreeBSD
By: Ben Haga
If you have reached this page, you have found the HOWTO on how to create a working Postfix version 2 server running with SMTP AUTH (using SASL2 + PAM) and using TLS to get a secure connection to the server. Why must we have all of this security? Because it is always good to have as much security as possible, even if you are the only user on your home network and you receive three mails a day from remote sources. You never know when someone is browsing your network and snooping for files you would rather keep private. But to be honest, this HOWTO is mostly for people who are running mail services for a group of people and would rather use SMTP AUTH than the classic "mynetworks=..." specifications. This way, you know who is using your server and you know that you have granted them access to be retrieving mail. So let us get started.
Install Cyrus-SASL2 / Postfix
Go ahead and install Cyrus-SASL2 before you do anything else. You can either do this through ports by:
- # cd /usr/ports/security/cyrus-sasl2
- # make install
- # cd /usr/ports/security/cyrus-sasl2-saslauthd
- # make install
- ... or compile it yourself. If you have the source untarred into a directory, go ahead and do this:
- # ./configure && make && make install
- This will go ahead and configure, make, and install Cyrus-SASL2 for you. For this document, we are going to use the ports only for Postfix, so please read the INSTALL file that comes with Postfix if you plan on compiling them manually. Now, if you are using ports, go ahead and do:
- # cd /usr/ports/mail/postfix
- # make install
- This will begin the setup process and ask you which things you would like to compile into Postfix. It is recommended that you have IPv6 support, but only add it in if you really intend on using it. Onto the required options... you will need SASL2 to be checked (done by using your keyboard arrows to get down to it, then pressing the space bar). And as far as this tutorial is concerned, it is also required to put a check next to SSL and TLS support. If you would like to put in MySQL or PostgreSQL support you may do so, but configuring that is beyond the scope of this documentation.
Configuration of Cyrus-SASL2
The first thing we shall do is create a symlink for /usr/local/lib/sasl2 to /usr/lib/sasl2 by doing this:
- # ln -s /usr/local/lib/sasl2 /usr/lib/sasl2
- This creates a symbolic link from /usr/lib/sasl2 to the /usr/local/lib/sasl2 directory, which is necessary because SASL2's modules by default look for themselves and their counterparts in /usr/lib/sasl2. Moving on, we will have to edit smtpd.conf, which can be found in /usr/local/lib/sasl2. If you do not have one, go ahead and create it with your favorite editor. Now we add the following lines for PAM authentication. Note that this does not use CRAM-MD5: I am told that CRAM-MD5 requires the server to hold plaintext passwords for comparison, and for this HOWTO we are doing everything over an encrypted connection instead. The lines to put in smtpd.conf are as follows:
- pwcheck_method: saslauthd
- mech_list: plain login
- For reference's sake, plain is not actually needed, but I leave it in there just in case we need to make a plaintext authentication somewhere down the road. You may take it out if you would like. The first line tells SASL2 to use saslauthd (which we will configure in just a moment to go to PAM for authentication of users) to authenticate the user. Now, to touch all of the bases: SASL2 wants to have a database located at /etc/sasldb2.db even though we are not actually going to use it (and please do not use it, because it stores passwords in plain text for anyone to read, depending on the permissions of the file). If one has not been created and put in place by the installation process, go ahead and add one by creating some fake user and password with "saslpasswd2 -c some_fake_user".
Now to start up the saslauthd daemon. All you have to do to start it is run "saslauthd -a pam" and it should start without a hitch (if it does not, check that SASL2 was built with PAM support by looking at what the configure script enabled; it is the default, but it does not always work). Now go ahead and open up /etc/rc.local, or create one if it does not exist, and put "/usr/local/sbin/saslauthd -a pam" in it so it will start whenever you boot the machine.
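Before moving on, it is worth confirming that saslauthd really answers PAM lookups. The following Python script is an added example, not part of this HOWTO: it speaks the same simple Unix-socket protocol that testsaslauthd uses (four length-prefixed strings: user, password, service, realm; a length-prefixed "OK ..." or "NO ..." comes back) and assumes the FreeBSD port's default socket path /var/run/saslauthd/mux and the service name smtp.

```python
# Added example (not from the HOWTO): talk to saslauthd over its Unix socket the
# way testsaslauthd does, to confirm "saslauthd -a pam" really answers PAM lookups.
# Assumption: the socket is at /var/run/saslauthd/mux (FreeBSD port default).
import socket
import struct

SOCK_PATH = "/var/run/saslauthd/mux"

def build_request(user, password, service="smtp", realm=""):
    """saslauthd protocol: four strings, each prefixed by a 16-bit big-endian length."""
    out = b""
    for field in (user, password, service, realm):
        data = field.encode()
        out += struct.pack(">H", len(data)) + data
    return out

def parse_reply(data):
    """Reply: 16-bit length, then 'OK ...' or 'NO ...'; return (ok, message)."""
    if len(data) < 2:
        raise ValueError("short reply from saslauthd")
    (length,) = struct.unpack(">H", data[:2])
    msg = data[2:2 + length].decode(errors="replace")
    return msg.startswith("OK"), msg

def check_login(user, password, path=SOCK_PATH):
    """Ask the running saslauthd whether user/password is valid (via PAM here)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(build_request(user, password))
        reply = b""
        while len(reply) < 2 or len(reply) < 2 + struct.unpack(">H", reply[:2])[0]:
            chunk = s.recv(1024)
            if not chunk:
                break
            reply += chunk
    return parse_reply(reply)

if __name__ == "__main__":
    import getpass, sys
    ok, msg = check_login(sys.argv[1], getpass.getpass())
    print("saslauthd says:", msg)
    sys.exit(0 if ok else 1)
```

Run it as root (the socket is normally not world-accessible) with a real local user; a "NO" answer at this stage means PAM, not Postfix, is the part to look at.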
That completes our SASL2 configuration, now it is onto Postfix to see if we cannot get this working!
Creating Keys and CA Certifications for TLS/SSL
This part can be a bit tricky, so in light of that, I will refer you to a truly excellent HOWTO on creating certs and even having them signed by yourself. The link for that is here. I would highly recommend that you put those in /usr/local/etc/postfix/ssl/ so they are easy to access and you will have no trouble remembering where they are.
This part can be rather long. I will try to keep it short, but there is much to do. If you already know how to configure main.cf for everything such as $mydomain and all of that, just go ahead to the next paragraph; else, please keep reading for that information.

Okay, go ahead and open up main.cf in your favorite editor (it should be in /usr/local/etc/postfix/main.cf). You will see that there are a lot of comments in there and commented-out options. It is a good idea to leave most of the comments in there for a later date, in case you would like to add more functionality or create transport maps, etc. The settings we are concerned with in this HOWTO are myhostname (set to the hostname of your mail server; in my case it is mail.tuximus.mine.nu), mydomain (set to the domain name your server is on; in my case that would be tuximus.mine.nu), mydestination (this makes sure that mail can be delivered to your mailbox or maildir), and myorigin (this sets the origin label put in outgoing mail; I set this to tuximus.mine.nu, firstly because that is my domain, and secondly because it looks better than the internal address Postfix would otherwise pick as myorigin). Now that was not so bad, was it? Let us get to the TLS and SASL configuration!
Okay, I prefer to put the following information at the bottom of my configuration file under a label "## TLS and SASL ##", but it is really up to you, it will make no difference in how the functionality will load, since every line has the same precedence. Here is what to put:
- smtp_sasl_auth_enable = yes
- smtpd_sasl_auth_enable = yes
- smtpd_sasl_security_options = noanonymous
- smtpd_sasl_local_domain =
- broken_sasl_auth_clients = yes
- smtp_sasl_password_maps = hash:/etc/sasldb2
- smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
- smtp_use_tls = yes
- smtpd_use_tls = yes
- smtp_tls_note_starttls_offer = yes
- smtpd_tls_key_file = /usr/local/etc/postfix/ssl/CA/key-cert.pem
- smtpd_tls_cert_file = /usr/local/etc/postfix/ssl/CA/key-cert.pem
- smtpd_tls_CAfile = /usr/local/etc/postfix/ssl/CA/cacert.pem
- smtpd_tls_loglevel = 1
- smtpd_tls_received_header = yes
- smtpd_tls_session_cache_timeout = 3600s
- tls_random_source = dev:/dev/urandom
- You may wish to change a few of these settings, such as the locations of your TLS certs, keys, etc. However, this should be pretty close to what you are going to use for your environment. Notice that it is not a mistake that there are two sasl_auth_enable lines: you must have one with the prefix smtp and one with smtpd for it to work. Please note that smtpd_sasl_local_domain is intentionally left blank; otherwise it will not authenticate anything. Also note the hash entry for /etc/sasldb2: this must be left in (although it won't be used for authentication) or your maillog will be full of complaints about how it could not read it.
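As an added example (not part of this HOWTO), here is a small Python checker that reads a main.cf fragment the way Postfix does (an indented line continues the previous value; there is no backslash continuation, and "#" starts a comment) and flags the settings this section depends on, including a recipient restriction list with no rejecting entry, which would leave the server relaying for anyone. The sample configuration inside is constructed from the values above.

```python
# Added example (not from the HOWTO): parse the "## TLS and SASL ##" part of a
# Postfix main.cf and check the settings this page relies on.
import re

def parse_main_cf(text):
    """Parse 'key = value'; an indented line continues the previous value, '#' comments."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key is not None:
            params[key] = (params[key] + " " + raw.strip()).strip()
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if not m:
            raise ValueError("not a main.cf assignment: %r" % raw)
        key = m.group(1)
        params[key] = m.group(2).strip()
    return params

def split_list(value):  # Postfix lists are comma and/or whitespace separated
    return [v for v in re.split(r"[\s,]+", value) if v]

def audit(params):
    """Return findings for the SMTP AUTH / TLS setup described in the HOWTO."""
    findings = []
    for p in ("smtpd_sasl_auth_enable", "smtpd_use_tls"):
        if params.get(p, "no").lower() != "yes":
            findings.append(p + " must be yes")
    if "noanonymous" not in split_list(params.get("smtpd_sasl_security_options", "")):
        findings.append("smtpd_sasl_security_options should include noanonymous")
    restr = split_list(params.get("smtpd_recipient_restrictions", ""))
    # permit_* entries alone would relay for anyone; Postfix 2.x refuses to start
    # unless the list contains a rejecting action such as reject_unauth_destination.
    rejecting = ("reject_unauth_destination", "reject", "defer", "defer_if_permit")
    if not any(r in rejecting for r in restr):
        findings.append("smtpd_recipient_restrictions lacks reject_unauth_destination")
    return findings

# Constructed sample: the HOWTO's values, restriction list written the Postfix way
SAMPLE = """\
## TLS and SASL ##
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination
smtpd_use_tls = yes
"""
```

Feed it your real file with audit(parse_main_cf(open("/usr/local/etc/postfix/main.cf").read())); an empty list means the checks above pass.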
Well, if this does not work, go ahead and feel free to email me at tuximus [at] tuximus.mine.nu to make adjustments to whatever does not work. Always be sure that everything is running correctly such as saslauthd and postfix. Remember, once you change the configuration in main.cf or master.cf, you *must* reload or stop and start Postfix by doing:
- # postfix reload
- # postfix stop ; postfix start
- Other than that, that should be it. Best of luck!