SMTP relay host


SMTP relay host

Martin Allan Jensen
Hi all,

The company I work for has approximately nine mail servers, including
Postfix, qmail, sendmail and exim.
They would like to make ONE SMTP relay host server so that all their
customers can use their SMTP server to send mail through.
The customers already get their incoming mail through their mail servers.

I fail to see a way to make this possible without creating an entirely
open relay, or creating a database with usernames and passwords and using
SASL.
Does anybody know if it is possible to make the SMTP host contact the
mail server and verify that the sender email exists on their incoming
mail server? Or is there another setup recommended?

I tried google a lot, but I can't seem to find anything that points me
in the right direction - someone else surely must have run into this
scenario before?

Looking forward to hearing from you; a link, or even some rough notes, would
be nice.

Thank you very much...

--
Martin


__________ Information from ESET NOD32 Antivirus, version of virus signature database 4440 (20090919) __________

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com



Re: SMTP relay host

Sven Hoexter
On Sat, Sep 19, 2009 at 03:06:29PM +0200, Martin Allan Jensen wrote:

Hi,

> They would like to make ONE SMTP relay host server so that all their  
> customers can use their SMTP server to send mail through.
> The customers already get their incoming mail through their mail servers.
>
> I fail to see a way to make this possible without creating an entirely  
> open relay, or creating a database with usernames and passwords and use  
> SASL.

Does that mean that those customers run their mailserver on dynamic IP
addresses? Otherwise I'd use the IP address/domain of the customers as
the criteria.

Sven
--
If God passed a mic to me to speak
I'd say stay in bed, world
Sleep in peace
   [The Cardigans - 03:45: No sleep]

Re: SMTP relay host

Martin Allan Jensen
Sven Hoexter wrote:
> Does that mean that those customers run their mailserver on dynamic IP
> addresses? Otherwise I'd use the IP address/domain of the customers as
> the criteria.
>
> Sven
>  
Hi Sven,

Yes, I'm sorry, I forgot to give that information. They might be running
dynamic IP addresses/domains, so that is not a possibility.

Thank you for your reply.

--
Martin





Re: SMTP relay host

Sahil Tandon
In reply to this post by Martin Allan Jensen
On Sat, 19 Sep 2009, Martin Allan Jensen wrote:

> The company I work for have approximately nine mail servers, including
> Postfix, qmail, sendmail and exim.  They would like to make ONE SMTP
> relay host server so that all their customers can use their SMTP
> server to send mail through.  The customers already get their incoming
> mail through their mail servers.
>
> I fail to see a way to make this possible without creating an entirely
> open relay, or creating a database with usernames and passwords and
> use SASL.  Does anybody know if it is possible to make the SMTP host
> contact the mail server and verify that the sender email exists on
> their incoming mail server? Or is there another setup recommended?

You must setup SASL and only let authenticated users relay through this
new server.  Forget about contacting the other mail servers to verify
that the sender email exists; that is in no way a form of
authentication.

> Looking forward to hear from you, a link, or even some rough notes
> would be nice.

http://www.postfix.org/SASL_README.html

--
Sahil Tandon <[hidden email]>

Re: SMTP relay host

Martin Allan Jensen
Sahil Tandon wrote:
> You must setup SASL and only let authenticated users relay through this
> new server.  Forget about contacting the other mail servers to verify
> that the sender email exists; that is in no way a form of
> authentication.
> http://www.postfix.org/SASL_README.html
>  
You are probably right - the company just doesn't have a centralized
authentication mechanism, so SASL would be a huge project to implement.
Unless of course somebody knows of a way to make SASL connect to their
incoming mailserver with the credentials the user provided, and
authorize the user from that?

Anyway thank you for the link, and your opinion.

--
Martin





Re: SMTP relay host

Justin's Mailing Lists
In reply to this post by Martin Allan Jensen
Q. Why nine email servers? Can you not make a case to rationalise to one
email server with a hot/warm/cold spare, and use an
http://workaround.org/ispmail type setup or Zimbra?

Regards

Justin


Re: SMTP relay host

Ansgar Wiechers
In reply to this post by Martin Allan Jensen
On 2009-09-19 Martin Allan Jensen wrote:

> The company I work for have approximately nine mail servers, including
> Postfix, qmail, sendmail and exim.
> They would like to make ONE SMTP relay host server so that all their
> customers can use their SMTP server to send mail through.
> The customers already get their incoming mail through their mail
> servers.
>
> I fail to see a way to make this possible without creating an entirely
> open relay, or creating a database with usernames and passwords and
> use SASL.

You could put your customers on a private network not accessible by the
public (and I mean "VPN" kind of private here rather than RFC 1918 kind
of private). However, that's just moving authentication and encryption
to a different layer.

Why do you want to avoid using SASL anyway?

> Does anybody know if it is possible to make the SMTP host contact the  
> mail server and verify that the sender email exists on their incoming  
> mail server? Or is there another setup recommended?

I'm not sure if I understand you correctly here. Do you mean something
like Callback Verification [1]? You could do that, but how's that going
to protect your MTA from being abused as an open relay in your scenario?
Any unauthenticated host is not trustworthy and can tell you whatever
they want.

> I tried google a lot, but I can't seem to find anything that points me
> in the right direction - someone else surely must have run into this
> scenario before?

I'd doubt it. Just use SASL and get it over with.

[1] http://en.wikipedia.org/wiki/Callback_verification

Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky

Re: SMTP relay host

Martin Allan Jensen
Ansgar Wiechers wrote:
> You could put your customers on a private network not accessible by the
> public (and I mean "VPN" kind of private here rather than RFC 1918 kind
> of private). However, that's just moving authentication and encryption
> to a different layer.
>
> Why do you want to avoid using SASL anyway?
>
>  
SASL and VPN would mean that all customers would need a separate account
for their outgoing mail, and that would be a too big project to go ahead
with.
As most of their servers are BlueOnyx it is not really possible to make a
centralized user / password database.
And as the BlueOnyx is a collection of mail, ftp, web, *server they
would like to not have a centralized mail platform.

I was just thinking about another option. I might be able to make a
small program that analyzes the logfiles for each server, puts it in a
database with a timestamp, and then make it a POP/IMAP before SMTP. That
would be secure enough right?

Thank you all for your interest in my problem so far!!

--
Martin





Re: SMTP relay host

Michael Orlitzky-2
Martin Allan Jensen wrote:

>
> SASL and VPN would mean that all customers would need a separate account
> for their outgoing mail, and that would be a too big project to go ahead
> with.
> As most of their servers is BlueOnyx it is not really possible to make a
> centralized user / password database.
> And as the BlueOnyx is a collection of mail, ftp, web, *server they
> would like to not have a centralized mail platform.
>
> I was just thinking about another option. I might be able to make a
> small program that analyzes the logfiles for each server, puts it in a
> database with a timestamp, and then make it a POP/IMAP before SMTP. That
> would be secure enough right?

If your customers have POP3/IMAP accounts, there is already a database
of usernames and passwords *somewhere*. Query that.

Re: SMTP relay host

Martin Allan Jensen
Michael Orlitzky wrote:
>
> If your customers have POP3/IMAP accounts, there is already a database
> of usernames and passwords *somewhere*. Query that.
>
>
Yes there is - actually there are about six different ones - so making a
system that could talk to all those authentication mechanisms would take
me years to develop. That's why I am looking for something simpler.

--
Martin





Re: SMTP relay host

Egoitz Aurrekoetxea Aurre-2
In reply to this post by Martin Allan Jensen
Hi,

Just create SASL accounts for allowing to relay to those authenticated
users. But be very careful on what your users send through it because
if your customers start sending mail considered spam in two weeks
or less your outgoing servers are dead because no server will want
to talk to it. I advise you setting some little aggressive antispam
policies on it and just to reject mail for unauthenticated users. Set
unless two Postfix smtpd machines in round-robin through dns (with a
small TTL) and you're done. Just it.

Bye :)


Re: SMTP relay host

Paul Beard-2
In reply to this post by Martin Allan Jensen
On Sep 19, 2009, at 7:30 AM, Martin Allan Jensen <[hidden email]>  
wrote:

> Yes there is - actually there is about six different ones - so  
> making a system that could talk to all those authentication  
> mechanisms would take me years to develop. That's why I am looking  
> for something simpler.


Looking up usernames in 6 passwd files or 1 isn't that complex, is it?
--
If this was a real .signature it would be more interesting.



Re: SMTP relay host

Michael Orlitzky-2
In reply to this post by Martin Allan Jensen
Martin Allan Jensen wrote:

> Michael Orlitzky wrote:
>>
>> If your customers have POP3/IMAP accounts, there is already a database
>> of usernames and passwords *somewhere*. Query that.
>>
>>
> Yes there is - actually there is about six different ones - so making a
> system that could talk to all those authentication mechanisms would take
> me years to develop. That's why I am looking for something simpler.
>
> --
> Martin

Judging by the website, BlueOnyx uses MySQL to store its account
information. Both Cyrus and Dovecot SASL support querying MySQL
databases, so you wouldn't have to write anything. Dovecot, at least
(I'm not sure about Cyrus), supports multiple databases queried one
after another:

   http://wiki.dovecot.org/Authentication/MultipleDatabases

You would simply create a configuration file for each POP3/IMAP database.
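One way to lay out what Michael suggests, as an added example (not configuration from the thread, from BlueOnyx or from the Dovecot project): Dovecot tries each passdb in turn, Postfix hands AUTH to Dovecot over a socket in its queue directory. Dovecot 2.x syntax is assumed; the file names, database host, table and column names are placeholders.

```conf
# ---- /etc/dovecot/conf.d/10-auth.conf (placeholder path) ----
# Dovecot consults the passdb blocks in order; by default a lookup that
# fails in one falls through to the next, so each account store gets a turn.
auth_mechanisms = plain login

# First BlueOnyx box: its own MySQL account table (placeholder file name)
passdb {
  driver = sql
  args = /etc/dovecot/sql-bluonyx-1.conf.ext
}

# Second BlueOnyx box, a separate MySQL instance (placeholder file name)
passdb {
  driver = sql
  args = /etc/dovecot/sql-bluonyx-2.conf.ext
}

# Servers whose users live in passwd or BerkeleyDB: export them to a
# "user:{CRYPT}hash" file for the passwd-file driver (placeholder file name)
passdb {
  driver = passwd-file
  args = /etc/dovecot/relay-users.passwd
}

# ---- /etc/dovecot/conf.d/10-master.conf (placeholder path) ----
# Auth socket inside the Postfix queue directory, readable only by postfix.
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}

# ---- /etc/dovecot/sql-bluonyx-1.conf.ext (placeholder) ----
# Read-only database account; table and column names are assumptions.
driver = mysql
connect = host=db1.example.net dbname=panel user=dovecot_ro password=CHANGEME
default_pass_scheme = CRYPT
password_query = SELECT password FROM users WHERE username = '%n' AND domain = '%d'

# ---- /etc/postfix/main.cf additions ----
# smtpd_sasl_path is relative to queue_directory, i.e. /var/spool/postfix
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
```

The relay host then never sees the six account stores directly; only Dovecot's auth process does, with read-only credentials.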

Re: SMTP relay host

Egoitz Aurrekoetxea Aurre-2
In reply to this post by Paul Beard-2
This option :

"I was just thinking about another option. I might be able to make a  
small program that analyzes the logfiles for each server, puts it in a  
database with a timestamp, and then make it a POP/IMAP before SMTP.  
That would be secure enough right?"

Is not valid for doing all your customers' mail machines to connect
to a relayhost, because machines connecting to relay host smtpd server
are not doing any pop against nothing. Take a list of users in all
databases, do a small table in mysql, set the primary key properly
(refresh table with changes with cron several times per day, 2 or 3)
and set a dedicated mysql machine and another one in backup
replicating from the master and not be queried. And you should move
with this structure the mail without serious problems. I think you're
more worried about authentication which is pretty easy and forgotten
about other problems... like spam I said... because if you have so
huge number of users you should control what are they doing and here
you should be perhaps more skillful. I'm working on a new project for
helping Postfix preventing spam and rejecting it quite easy (not just
through spamassassin, that is not enough); in some months I'll have it
available and opened under BSD license too as Postfix quota reject.

Any help just talk here :)
Bye!!!


Re: SMTP relay host

Martin Allan Jensen
Egoitz Aurrekoetxea Aurre wrote:

> Is not valid for doing all you're customers mail machines to connect
> to a relayhost, because machines connecting to relay host smtpd server
> are not doing any pop against nothing. Take a list of users in all
> databases, do a small table in mysql set the primary key properly
> (refresh table with changes with cron several times per day, 2 or 3)
> and set a dedicated mysql machine and another one in backup
> replicating from the master and not be queried. And you should move
> with this structure the mail without serious problems. I think you're
> more worried about authentication wich is pretty easy and forgotten
> about other problems... like spam I said... because if you have so
> huge number of users you should control what are they doing and here
> you should be perhaps more skillful. I'm working on a new project for
> helping Postfix preventing spam and rejecting it quite easy (not just
> through spamassassin, that is not enough) in some months I'll have it
> available and opened under BSD license too as Postfix quota reject.

I will try to do that. It's just that some users are in MySQL, some in
passwd, some in BerkeleyDB, and so on.
But I guess it is the only stable solution.

Thank you all for your opinions.

Have a nice weekend.

--
Martin

Re: SMTP relay host

Egoitz Aurrekoetxea Aurre-2
No matter where they are... do a script that takes users from wherever
they are and dump them to a file... later find differences between the
last file you dumped and from within just dumped.... then just do
INSERT or UPDATE of those users... it's important not to load
databases... so only do this twice or thrice a day and avoid writing
nothing on the tables queried by relayhost machines. Create a table
with two fields user and pass, primary key user, and be generous with
mysql cache (set the mysql slave too as said before). Later for smtpd
redundancy set two smtpd and create a roundrobin balanced A record
with TTL of 120 seconds or so... and set your customer mail machines
to send all mail to this balanced A record by authenticating each
server with its user in your machines. If you see a customer
machine is affecting your performance reject its mails with 4xx
till you see what to do. This is for performance.

Now for controlling spam :

Query several rbl in background and see how they talk to you... if 3
or 4 of not very important or trustable are talking about you probably
you're sending some spam and if you don't correct it or check it
unless you perhaps end in spamhaus and so... you could too check for
rejecting directly spamcop and spamhaus rbl. For those users which you
think they're sending spam or similar check with spamassassin and
amavis their mail... if mail has more than 7 of spam score....
either reject, send to another place... bounce or whatever you want
but don't send to destination. If an IP is sending you more than
perhaps depends on the number of mails moved by the connecting server
to your machines but... if more than 20% of mail is spam per
hour.... reject them with 4xx saying that server is busy or
something... and later check how many bounces have they got because
incorrect rcpt or so... and how many mails are sending now from the
normal average they send... check if they're sending mailing lists...
or whatever.... and till you don't know exactly what they're doing to
allow them to relay through your server.

This is my advice :).

2.0.0 Bye


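The sync script Egoitz describes (dump users from each store, diff against the previous dump, INSERT or UPDATE the relay table), as an added example that is not code from the thread. It also emits DELETEs for accounts that vanished from a source, which the post does not mention but which otherwise leave stale credentials able to relay; the resulting relay_users(user, pass) table is what a Dovecot sql passdb would query. The dump formats, domains and hashes are constructed sample data, and the pass column is assumed to hold the source's existing password hash, never a cleartext password.

```python
"""Incremental sync of relay-host SASL users from several account stores."""
import csv
import io
from typing import Dict, Iterable, List, Tuple

Users = Dict[str, str]  # "user@domain" -> password hash taken from the source system

# Constructed sample dumps standing in for two of the nine servers.
PASSWD_DUMP_EXAMPLE = """# user:hash export from a passwd/BerkeleyDB server (example.net)
alice:$6$saltsalt$hashA
bob:$6$saltsalt$hashB
carol:!
"""
MYSQL_DUMP_EXAMPLE = """username,password_hash,enabled
dave,{SHA256-CRYPT}$5$salt$hashD,1
erin,{SHA256-CRYPT}$5$salt$hashE,0
"""


def parse_passwd_dump(text: str, domain: str) -> Users:
    """'user:hash' lines; locked accounts ('!' or '*') must not become relay users."""
    users: Users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, pwhash = line.partition(":")
        if not name or not pwhash or pwhash in ("*", "!"):
            continue
        # Qualify with the server's domain so equal local parts on two servers never collide.
        users[f"{name}@{domain}"] = pwhash
    return users


def parse_mysql_csv_dump(text: str, domain: str) -> Users:
    """CSV export (username,password_hash,enabled) from a MySQL-backed panel."""
    users: Users = {}
    for row in csv.DictReader(io.StringIO(text)):
        if row.get("enabled", "1") != "1":  # disabled in the panel: not allowed to relay
            continue
        users[f"{row['username']}@{domain}"] = row["password_hash"]
    return users


def merge_sources(sources: Iterable[Users]) -> Users:
    """Union of all sources; the same user@domain with two different hashes is an error."""
    merged: Users = {}
    for src in sources:
        for key, pwhash in src.items():
            if merged.get(key, pwhash) != pwhash:
                raise ValueError(f"conflicting credentials for {key}")
            merged[key] = pwhash
    return merged


def diff_snapshots(previous: Users, current: Users) -> Tuple[Users, Users, List[str]]:
    """What changed since the last dump: new users, changed hashes, removed users."""
    inserts = {k: v for k, v in current.items() if k not in previous}
    updates = {k: v for k, v in current.items() if k in previous and previous[k] != v}
    deletes = sorted(k for k in previous if k not in current)
    return inserts, updates, deletes


def to_statements(inserts: Users, updates: Users, deletes: List[str]):
    """Parameterised statements for relay_users(user, pass); values are never
    interpolated into the SQL text, so a hostile username cannot alter the query."""
    stmts = []
    for user, pwhash in sorted(inserts.items()):
        stmts.append(("INSERT INTO relay_users (user, pass) VALUES (%s, %s)", (user, pwhash)))
    for user, pwhash in sorted(updates.items()):
        stmts.append(("UPDATE relay_users SET pass = %s WHERE user = %s", (pwhash, user)))
    for user in deletes:
        stmts.append(("DELETE FROM relay_users WHERE user = %s", (user,)))
    return stmts


def sync_once(previous: Users):
    """One cron run: merge the current dumps and return (current, statements to apply)."""
    current = merge_sources([
        parse_passwd_dump(PASSWD_DUMP_EXAMPLE, "example.net"),
        parse_mysql_csv_dump(MYSQL_DUMP_EXAMPLE, "example.org"),
    ])
    return current, to_statements(*diff_snapshots(previous, current))


if __name__ == "__main__":
    snapshot = {"alice@example.net": "$6$saltsalt$hashA", "zed@example.org": "$6$gone$y"}
    for sql, params in sync_once(snapshot)[1]:
        print(sql, params)
```

Run it against the previous dump's dictionary (persist `current` after each run); only the returned statements touch the table the relay hosts query.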

Re: SMTP relay host

Stan Hoeppner
In reply to this post by Martin Allan Jensen
Martin Allan Jensen put forth on 9/19/2009 8:06 AM:

> Hi all,
>
> The company I work for have approximately nine mail servers, including
> Postfix, qmail, sendmail and exim.
> They would like to make ONE SMTP relay host server so that all their
> customers can use their SMTP server to send mail through.
> The customers already get their incoming mail through their mail servers.
>
> I fail to see a way to make this possible without creating an entirely
> open relay, or creating a database with usernames and passwords and use
> SASL.

I fail to understand why this is considered anything remotely beyond simple to moderate difficulty.  If I understand you correctly (maybe I don't) all the communication you're referring to is server to server (MTA<->MTA).  There will be no desktop PCs (MUAs) directly submitting mail to your new "master relay server", correct?  If this is the case, setting up a http://www.postfix.org/STANDARD_CONFIGURATION_README.html#firewall should do the trick with little fuss.

The only "difficult" part is that you would have to set up a local SASL username and password for each remote MTA that will connect to relay mail.  Even if the remote MTA count ("your customers") is 250, this is still utterly simple to accomplish, _assuming_ that the other MTA admins aren't brain dead individuals.  Have each remote MTA connect with the proper SASL username and password in order to relay mail.

Like I say, if there are no desktop PCs in the mix, this is absolutely simple to accomplish, and without going through a multitude of databases to pull out usernames and passwords for thousands of users.  But, like I said, maybe I'm not fully comprehending your post.  It was pretty sparse on detail and clarity, regarding the actual _structure_ (think network diagram) of what you're trying to do.

--
Stan

Re: SMTP relay host

Kevin Bailey
In reply to this post by Martin Allan Jensen
Martin Allan Jensen wrote:
> Hi all,
>
> The company I work for have approximately nine mail servers, including Postfix, qmail, sendmail and exim.
> They would like to make ONE SMTP relay host server so that all their customers can use their SMTP server to send mail through.
> The customers already get their incoming mail through their mail servers.
>
> I fail to see a way to make this possible without creating an entirely open relay, or creating a database with usernames and passwords and use SASL.
> Does anybody know if it is possible to make the SMTP host contact the mail server and verify that the sender email exists on their incoming mail server? Or is there another setup recommended?

I'll attach my notes RE setting up SMTP access using SASL - the only thing which pops into mind is that SASL can possibly authenticate against your own DB - or possibly against IMAP or POP3 for each of the mail servers in turn.

Sounds like a tough one - maybe time to get all the servers to auth against LDAP - surely it's an idea to have a central DB of all the users.

Kevin

---++ Overview

We want to enable users to be able to send email via the server from any location.  For this we will enable SMTP AUTH - this will enable the users to use the server to relay mail providing they provide their username and password.

Most of the following steps were taken from 'The Book of Postfix' from No Starch Press.

Postfix can use SASL as an authentication mechanism - and SASL can in turn use the local accounts to verify credentials.

The basic SASL libraries are installed when Postfix is installed on Debian Etch - it is necessary to add the libsasl2-modules package to enable SASL to authenticate using the main methods.  Postfix has SASL support built in by default.

SASL can authenticate as a command line program - but if it is called by Postfix then SASL will not be able to authenticate against /etc/passwd because Postfix does not run as root.  Therefore we will install sasl2-bin and this will install the saslauthd daemon which runs as root.  Therefore, Postfix can query the saslauthd daemon which in turn queries the local account database.

After installing libsasl2-modules and sasl2-bin...

Edited /etc/default/saslauthd and set START=yes.

Then started the daemon with /etc/init.d/saslauthd restart.

Then followed instructions which came with sasl2-bin in the DEBIAN doc file.  See

# most /usr/share/doc/sasl2-bin/README.Debian

NB - Postfix is installed chrooted by default on Debian Etch - see the Postfix Debian doc.  This means that the following steps need to be taken.

These are the instructions:

<verbatim>
 If you run a chrooted server such as Postfix and wish to use saslauthd, you
 must place the saslauthd socket ("mux") inside the Postfix chroot. You must
 also set correct overrides for the run directory inside the chroot, using
 dpkg-statoverride. Finally, you must add the postfix user to the sasl group.
 These steps ensure that the Debian subsystems know how you want things to be
 laid out.

 To place the saslauthd socket inside the Postfix chroot, edit
 /etc/default/saslauthd and set OPTIONS like this (you may omit -c):
  OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

 To set the run directory using dpkg-statoverride, run this command as root:
  dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd

 Finally, to add the postfix user to the sasl group:
  adduser postfix sasl

 The init script will automatically create the run directory with the
 permissions you have set using dpkg-statoverride. Please note that you must
 also configure Postfix correctly. There are many options related to SASL. See
 the Postfix documentation for how to do this.
</verbatim>

Then restarted saslauthd - this seemed to take a while to restart but eventually gets restarted.

Then tested that authentication is working with

<verbatim>
# testsaslauthd -f /var/spool/postfix/var/run/saslauthd/mux -u username -p password
</verbatim>

and

<verbatim>
# testsaslauthd -f /var/spool/postfix/var/run/saslauthd/mux -u username -p badpassword
</verbatim>

The first should be ok and the second should fail.

This shows that SASL is authenticating against a backend (which is currently set to use PAM).  This seems to check against the local user accounts which is what is required.

Now we need to get Postfix to authenticate SMTP connections against SASL - more specifically against saslauthd.

The following parameters were added to /etc/postfix/main.cf. 

<verbatim>
# Setting up SMTP authentication.
# Offer AUTH to clients; the credentials are verified by saslauthd.
smtpd_sasl_auth_enable = yes
# Never offer the ANONYMOUS mechanism.
smtpd_sasl_security_options = noanonymous
# Also announce AUTH in the older non-standard form some clients expect.
broken_sasl_auth_clients = yes
# Relay only for authenticated clients and trusted networks; reject_unauth_destination
# refuses relaying for everyone else and must stay in the list.
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
</verbatim>

The file /etc/postfix/sasl/smtpd.conf needed to be created with the following contents.  This is actually a configuration file for SASL - it uses small config files specific for the programs using its services.  It also seems to dictate which authentication mechanisms get offered to the clients by Postfix.

<verbatim>
# Global parameters
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
</verbatim>

Then restarted Postfix and saslauthd.

It should now be possible for clients to send email using the server - they can use TLS if required.

For extra security it is possible to force all users to use TLS when connecting.  This provides an encrypted tunnel for all traffic.

This means that the users can use their email account credentials to use the server to send emails.


-- Main.KevinBailey - 28 Jan 2008

--
Kevin Bailey
Director/Programmer - Freeway Projects Limited
Web: www.freewayprojects.com
Email: [hidden email]
Phone: +44 (0)1752 267090
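A check a relay-host admin can run over a main.cf like the one in Kevin's notes, as an added example (not from the notes or the Postfix project): it parses the main.cf format and flags settings that would make the relay open to everyone or let customers send SASL credentials in the clear, the two ways the setup described in this thread most commonly goes wrong. The Postfix parameter names are real; the three sample configurations are constructed.

```python
"""Static audit of the SASL and relay parameters in a Postfix main.cf."""
import re
from typing import Dict, List

# Restrictions that stop evaluation with a refusal for unauthorised destinations.
RELAY_STOPS = {"reject_unauth_destination", "defer_unauth_destination", "reject", "defer"}
# Permits that belong in front of reject_unauth_destination on a relay host.
SAFE_PERMITS = {"permit_mynetworks", "permit_sasl_authenticated",
                "permit_tls_clientcerts", "permit_auth_destination"}

# Constructed sample configurations: the one from the notes, a hardened one, a broken one.
KEVIN_MAIN_CF = """# Setting up SMTP authentication.
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
"""
HARDENED_MAIN_CF = KEVIN_MAIN_CF + """smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
"""
OPEN_RELAY_MAIN_CF = """smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options =
mynetworks = 127.0.0.0/8, 0.0.0.0/0
smtpd_recipient_restrictions = permit_mynetworks,
    permit,
    reject_unauth_destination
"""


def parse_main_cf(text: str) -> Dict[str, str]:
    """'name = value' lines; a line starting with whitespace continues the previous value."""
    params: Dict[str, str] = {}
    last = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:
            params[last] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue
        last = name.strip()
        params[last] = value.strip()
    return params


def split_list(value: str) -> List[str]:
    """Postfix lists are separated by commas and/or whitespace."""
    return [t for t in re.split(r"[,\s]+", value) if t]


def audit(params: Dict[str, str]) -> List[str]:
    findings: List[str] = []
    if params.get("smtpd_sasl_auth_enable", "no") != "yes":
        findings.append("SASL_DISABLED: smtpd_sasl_auth_enable is not yes")
    if "noanonymous" not in split_list(params.get("smtpd_sasl_security_options", "")):
        findings.append("ANON_SASL: smtpd_sasl_security_options lacks noanonymous")
    # Postfix 2.10+ evaluates smtpd_relay_restrictions first; older releases rely on
    # smtpd_recipient_restrictions alone, so examine whichever is set.
    relay = params.get("smtpd_relay_restrictions") or params.get("smtpd_recipient_restrictions", "")
    terms = split_list(relay)
    stop = next((i for i, t in enumerate(terms) if t in RELAY_STOPS), None)
    if stop is None:
        findings.append("OPEN_RELAY: no reject_unauth_destination in the relay/recipient restrictions")
    else:
        for t in terms[:stop]:  # anything that permits before the stop grants relay
            if t == "permit":
                findings.append("OPEN_RELAY: bare 'permit' before reject_unauth_destination relays for everyone")
            elif t.startswith("permit") and t not in SAFE_PERMITS:
                findings.append(f"REVIEW: '{t}' grants relay before reject_unauth_destination")
    if any(n in ("0.0.0.0/0", "::/0") for n in split_list(params.get("mynetworks", ""))):
        findings.append("OPEN_RELAY: mynetworks matches every address, so permit_mynetworks relays for everyone")
    tls_only = params.get("smtpd_tls_auth_only", "no") == "yes"
    tls_forced = params.get("smtpd_tls_security_level", "none") == "encrypt"
    if not (tls_only or tls_forced):
        findings.append("CLEARTEXT_AUTH: PLAIN/LOGIN offered without TLS; set smtpd_tls_auth_only = yes")
    return findings


def codes(findings: List[str]) -> List[str]:
    """Just the finding codes, for summaries and tests."""
    return [f.split(":", 1)[0] for f in findings]


if __name__ == "__main__":
    for name, cf in (("notes", KEVIN_MAIN_CF), ("hardened", HARDENED_MAIN_CF), ("broken", OPEN_RELAY_MAIN_CF)):
        print(name, audit(parse_main_cf(cf)))
```

Feed it `postconf -n` output instead of the raw file to see the settings Postfix actually uses, including any set in a different order in main.cf.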