Authed Outgoing SMTP with Postfix and MySQL


This page shows the main elements of configuring Postfix and saslauthd (via pam_mysql) to authenticate SMTP users against a MySQL database.

I think this request sparked off from Gmail having the ability to let people send emails through their own SMTP server (as opposed to Google's).


Main Files

1. /etc/postfix/main.cf

smtpd_tls_auth_only = yes
# Added so that AUTH is only offered inside a TLS session; without it clients can send passwords as plaintext.

########################### Usual TLS config and smtp configs here
# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

#smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net

smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = myserver
broken_sasl_auth_clients = yes

2. /etc/postfix/sasl/smtpd.conf

pwcheck_method: saslauthd
mech_list: plain login

3. /etc/default/saslauthd

MECHANISMS="pam"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
#OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"  # The -r tries to resolve a domain. E.g: username@domain.com. Without the -r, just a username is required for auth.

4. /etc/pam.d/smtp

# Only one of the lines below is required.
#auth required pam_mysql.so user=mail passwd=password db=mail table=smtp_users usercolumn=user passwdcolumn=pass crypt=0  #Plain text password in the MySQL db
#auth required pam_mysql.so user=mail passwd=password db=mail table=smtp_users usercolumn=user passwdcolumn=pass crypt=3  #md5 password in MySQL db
auth required pam_mysql.so user=mail passwd=password db=mail table=smtp_users usercolumn=user passwdcolumn=pass crypt=3 debug  #append debug to end shows extra information in /var/log/auth.log

Extra Debugging

To see what was happening I had to turn on extra logging.

1. Verbose Postfix Logging:

vi /etc/postfix/master.cf
#change
smtp      inet  n       -       -       -       -       smtpd
#to
smtp      inet  n       -       -       -       -       smtpd -v

To see the logs, look in: /var/log/mail.info

2. Verbose MySQL Logging:

vi /etc/mysql/my.cnf
#uncomment the following two lines:
general_log_file        = /var/log/mysql/mysql.log
general_log             = 1

To see the logs, look in: /var/log/mysql/mysql.log

3. Verbose PAM Auth Logging:

vi /etc/pam.d/smtp
#auth required pam_mysql.so user=mail passwd=password db=mail table=smtp_users usercolumn=user passwdcolumn=pass crypt=3 debug
#append on debug to the end.

Things I had to do

I had to run a strace on saslauthd as it just was not giving me enough information.

ps -eaf | grep sasl
strace -p 11231

This led me to finding "/lib/security/pam_mysql.so (No such file or directory)". Voilà.

apt-get install libpam-mysql

I configured saslauthd to use sasldb first to check it worked. It involved editing /etc/default/saslauthd and changing MECHANISMS to "sasldb".

I put the password in MySQL in plain text and then used:

auth required pam_mysql.so user=mail passwd=foo db=mail table=smtp_users usercolumn=user passwdcolumn=pass crypt=0

I created the md5 hash of password "123456", which is e10adc3949ba59abbe56e057f20f883e, put this in the MySQL db manually and then authed using crypt=3.

I had to go:

adduser postfix sasl

This was to allow postfix access to sasl in the chroot.

Do a quick test for unauthed relays and external relays etc. etc. https://www.dnsexit.com/Direct.sv?cmd=testMailServer
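As an added example (not from the original page), a small Python probe that checks a server built from the config above from a defender's side: AUTH must not be advertised before STARTTLS (smtpd_tls_auth_only), PLAIN/LOGIN must be offered after it, and an unauthenticated RCPT to a foreign domain must be refused (reject_unauth_destination). The host, the probe addresses and the function names are assumptions.

```python
import smtplib
import ssl


def parse_ehlo(ehlo_payload: bytes) -> dict:
    """Map an EHLO reply body (as smtplib keeps it in SMTP.ehlo_resp) to
    {KEYWORD: [args]}. The first line is the server's name, not a capability."""
    caps = {}
    for line in ehlo_payload.decode("ascii", "replace").splitlines()[1:]:
        keyword, _, args = line.strip().partition(" ")
        if keyword:
            caps[keyword.upper()] = args.split()
    return caps


def assess(caps_plain: dict, caps_tls: dict, rcpt_code: int) -> list:
    """Return the problems found; an empty list means the server behaves as the
    page's main.cf intends: STARTTLS offered, no AUTH until the session is
    encrypted, PLAIN/LOGIN AUTH afterwards, unauthenticated relaying refused."""
    problems = []
    if "STARTTLS" not in caps_plain:
        problems.append("STARTTLS not offered (smtpd_use_tls)")
    if "AUTH" in caps_plain:
        problems.append("AUTH offered before TLS (smtpd_tls_auth_only not in effect)")
    if not {"PLAIN", "LOGIN"} & set(caps_tls.get("AUTH", [])):
        problems.append("no PLAIN/LOGIN AUTH after STARTTLS (check mech_list / saslauthd)")
    if rcpt_code < 500:
        problems.append("unauthenticated relay accepted with reply %d" % rcpt_code)
    return problems


def check_server(host, port=25, sender="probe@example.net", rcpt="probe@example.org"):
    """Live probe of your own server. Run it from outside mynetworks, otherwise
    permit_mynetworks allows the relay attempt. The addresses are placeholders."""
    ctx = ssl.create_default_context()
    # The page uses the self-signed snakeoil cert; this probe checks the AUTH and
    # relay policy, not the certificate chain, so verification is switched off.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=15) as s:
        s.ehlo()
        caps_plain = parse_ehlo(s.ehlo_resp)
        s.starttls(context=ctx)
        s.ehlo()                       # capabilities must be re-read after STARTTLS
        caps_tls = parse_ehlo(s.ehlo_resp)
        s.mail(sender)
        rcpt_code, _ = s.rcpt(rcpt)    # still unauthenticated: expect 554 Relay access denied
        s.rset()
    return assess(caps_plain, caps_tls, rcpt_code)
```

`check_server("mail.example.test")` returns an empty list for a server that matches the configuration on this page; each entry otherwise names the main.cf or SASL setting to look at.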

Useful References

Crypt Methods and PAM-MySQL usage: http://lists.andrew.cmu.edu/pipermail/cyrus-sasl/2007-March/001024.html

Other References

http://www.howtoforge.com/forums/archive/index.php/t-12797.html

http://www.rmacd.com/howto/saslauthd-postfix-debian-etch-configuration.php Suggests using /etc/postfix/sasl/smtp.conf to communicate with MySQL without sasl.

http://www.howtoforge.com/virtual_postfix_mysql_quota_courier_p2

http://osdir.com/ml/fedora-list/2009-06/msg03110.html Gives information on a testsaslauthd utility. It was saying "connect() : No such file or directory" to me.

http://ubuntuforums.org/showthread.php?t=1489737 Unused. Reference only.

http://www.postfix.org/SASL_README.html and http://www.greens.org/~cls/linux/howtos/smtp-auth-saslauthd.html

http://forums.fedoraforum.org/showthread.php?t=113802 and http://www.howtoforge.org/forums/showthread.php?t=7201 and http://www.irbs.net/internet/postfix/0508/1633.html and http://www.web-cyradm.org/pipermail/web-cyradm/2003-April/015717.html and http://www.howtoforge.com/forums/showthread.php?t=22730 Information on saslauth in a chroot jail.

http://www.nervous.it/txt/Postfix-SMTP-AUTH-4-DUMMIES.html

http://danielmiessler.com/study/postfix/ Information on using saslauth and sasldb for a flat file for smtp users.

http://www.howtoforge.com/forums/archive/index.php/t-2199.html


To Do

Test all of the above again on a vanilla setup. Rinse, lather and repeat.


Misc

The MySQL Table for auth:

root@host:~# mysql
mysql> use mail
Database changed
mysql> desc smtp_users;
+-------+-------------+------+-----+---------+-------+
| Field | Type        | Null | Key | Default | Extra |
+-------+-------------+------+-----+---------+-------+
| user  | varchar(50) | NO   | PRI | NULL    |       |
| pass  | varchar(32) | NO   |     | NULL    |       |
+-------+-------------+------+-----+---------+-------+
2 rows in set (0.00 sec)