
I'd like to run Postfix on a Debian VPS to send e-mails from my application. The application (running on other VPSes) would connect to Postfix via SMTP. Postfix does not have to handle incoming email; it's just about sending the outgoing messages.

To prevent being an open relay, SASL authentication should be used. However, I don't want to run Dovecot or MySQL for SASL authentication.

How can I set up SASL authentication using a simple file (containing usernames and passwords)?

I already found a similar question; however, no satisfying answers were given there.

Jonathan

4 Answers


Postfix currently supports only two SASL authentication methods. One of them is Dovecot, which you don't want. The other is Cyrus, which is about as close to what you want as it's possible to get without rewriting Postfix. It does involve running a separate authentication daemon (saslauthd), but the authentication file is easy to edit and update.

The basics for using Cyrus SASL can be found at the postfix documentation site, but here's a short description. Please look at the link if anything's confusing in any way!

Start by installing Cyrus SASL with the plugin sasldb. (How to do that is left as an exercise for the reader; presumably there's a package in whatever package system your brand of unix is using.) Since the communication between Postfix and SASL will take place via a unix domain socket, you may want to add postfix to the SASL group, and make sure that that group has read and execute permissions to the directory /var/run/saslauthd.

Configure SASL

Configure SASL to use sasldb by editing /etc/sasl2/smtpd.conf:

pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM

The sasldb plugin means that sasl will use a Berkeley DB file for usernames and passwords. You add users with the command saslpasswd2:

$ saslpasswd2 -c -u example.com username
Password:
Again (for verification):

Note that you specify a domain together with the username, and the user will need to use "username@example.com" rather than just "username" when authenticating.

You can verify what users have been entered by running sasldblistusers2.

Start saslauthd, and verify that the authentication works by doing

testsaslauthd -u username@example.com -p password

Configure Postfix

Once that is done, tell Postfix to use SASL and to tell Cyrus that it's SMTP that it's authenticating, by editing /etc/postfix/main.cf to contain

smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd

Then, reload postfix, and you should be set.

AndreasM
Jenny D
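As an added illustration (not part of the answer above, and not code from Postfix or Cyrus SASL): the script below builds the client side of the SMTP AUTH exchange for three of the mechanisms in that mech_list, so you can see exactly what the application on the other VPSes will put on the wire. The account "jonathan@example.com" with password "s3cret" is made up; the CRAM-MD5 challenge used for checking is the worked example from RFC 2195. Two practical points it makes visible: PLAIN and LOGIN only base64-encode the password, so AUTH should be offered only after STARTTLS (Postfix: smtpd_tls_auth_only = yes), and CRAM-MD5 can only be verified by a server that holds the plaintext password, which is why sasldb stores passwords unhashed and the file must be protected accordingly.

```shell
#!/usr/bin/env bash
# Added example, not part of the answer above: build the client side of
# the SMTP AUTH exchange for three of the mechanisms in that mech_list.
# The account "jonathan@example.com" / "s3cret" is made up.
set -eu

# AUTH PLAIN: one base64 blob of  authzid NUL authcid NUL password
# (authzid left empty). base64 is encoding, not encryption: without
# TLS the password is readable by anyone on the path.
sasl_plain() {
    local user=$1 pass=$2
    printf '\0%s\0%s' "$user" "$pass" | base64 | tr -d '\n'
}

# The sniffer's view of a PLAIN blob; NUL separators shown as ':'.
sasl_plain_decode() {
    printf '%s' "$1" | base64 -d | tr '\000' ':'
}

# AUTH LOGIN: the server prompts twice, the client answers with
# base64(user) and then base64(password), one line each.
sasl_login() {
    local user=$1 pass=$2
    printf '%s\n' "$(printf '%s' "$user" | base64 | tr -d '\n')"
    printf '%s\n' "$(printf '%s' "$pass" | base64 | tr -d '\n')"
}

# CRAM-MD5: the server sends base64(challenge); the client replies
# base64("user " + hex(HMAC-MD5(key=password, msg=challenge))).
# The server can only recompute this if it has the plaintext password,
# which is why sasldb keeps passwords unhashed.
sasl_cram_md5() {
    local user=$1 pass=$2 challenge_b64=$3 digest
    digest=$(printf '%s' "$challenge_b64" | base64 -d \
             | openssl dgst -md5 -hmac "$pass" | sed 's/^.*= *//')
    printf '%s %s' "$user" "$digest" | base64 | tr -d '\n'
}

# Ready-to-paste line for a manual check of the finished setup through
#   openssl s_client -starttls smtp -crlf -connect mailhost:587
auth_plain_line() {
    printf 'AUTH PLAIN %s\n' "$(sasl_plain "$1" "$2")"
}
```

Run `auth_plain_line 'username@example.com' 'password'` and paste the output into an `openssl s_client -starttls smtp` session against the finished server; a `235 2.7.0 Authentication successful` reply confirms the whole chain (Postfix, saslauthd or sasldb, the user entry) works end to end, which `testsaslauthd` alone does not prove.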

Just clarifying a few things,

Creating an account in sasldb:

% saslpasswd2 -c -u fqdn username

Testing authentication:

% testsaslauthd -u username -p password

(note: the username is not followed by the fqdn)

I would also like to add that creating a root account

% saslpasswd2 -c -u example.com root

will not let you authenticate,

% testsaslauthd -u root -p some_password
0: NO "authentication failed"

But this is not a bug. It is just a safety feature.


To prevent being an open relay, SASL authentication should be used.

SASL is only one of numerous ways to prevent this. Another would be to whitelist the IPs you use on the other VPSes, or to require TLS client certificates (this can be said to be the most secure way.)

Just set up a signing CA on the postfix machine, and sign one certificate per VPS you wish to submit email.
Then require full client certificate verification for all submitted mail; disable any other methods of submission.

What you ask is not possible, as postfix does not support SASL directly.

adaptr
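As an added worked example of the client-certificate approach (this is not adaptr's code and not from the original page): the script below creates a small private CA on the Postfix host, signs one certificate per sending VPS, writes the fingerprint table Postfix uses to recognise those certificates, and prints the main.cf settings that make a verified client certificate the only way to relay. The directory, file names and the client name "app-vps-1" are assumptions for illustration. The Postfix parameters shown (smtpd_tls_ask_ccert, smtpd_tls_req_ccert, smtpd_tls_CAfile, smtpd_tls_fingerprint_digest, relay_clientcerts, permit_tls_clientcerts) are real settings; the server still needs its own smtpd_tls_cert_file and smtpd_tls_key_file, which this script does not generate.

```shell
#!/usr/bin/env bash
# Added example, not from the answer above: a minimal private CA for the
# client-certificate scheme adaptr describes, plus the Postfix settings
# that accept relaying only from certs it signed. Directory, file names
# and the host name "app-vps-1" are made-up assumptions.
set -eu

# SHA-256 fingerprint in the colon-separated form that Postfix's
# relay_clientcerts table is keyed by.
client_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Does the cert chain to our CA? This is the check smtpd_tls_req_ccert
# makes Postfix perform on every submitting client.
verify_client_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Create the CA on the Postfix host, sign one cert for a sending VPS,
# append it to the relay_clientcerts table and print the main.cf fragment.
make_submission_ca() {
    local dir=$1 client=${2:-app-vps-1}
    mkdir -p "$dir"
    # Self-signed CA. ca.key never leaves this machine.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Postfix submission CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    # Key and CSR for the client. In practice generate these on the VPS
    # itself and ship only the CSR to the CA host.
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$client" \
        -keyout "$dir/$client.key" -out "$dir/$client.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -CAcreateserial \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -in "$dir/$client.csr" -out "$dir/$client.pem" 2>/dev/null
    # One line per authorised client: fingerprint, then a free-form label.
    printf '%s %s\n' "$(client_fingerprint "$dir/$client.pem")" "$client" \
        >> "$dir/relay_clientcerts"
    cat <<EOF
# main.cf: mandatory TLS, mandatory client cert, relaying only for certs
# listed in relay_clientcerts, everything else rejected (no inbound mail
# is wanted). smtpd_tls_cert_file/smtpd_tls_key_file for the server's
# own certificate are still required and are not generated here.
smtpd_tls_security_level = encrypt
smtpd_tls_CAfile = $dir/ca.pem
smtpd_tls_ask_ccert = yes
smtpd_tls_req_ccert = yes
smtpd_tls_fingerprint_digest = sha256
relay_clientcerts = hash:$dir/relay_clientcerts
smtpd_relay_restrictions = permit_tls_clientcerts, reject
EOF
}
```

After running `make_submission_ca /etc/postfix/submission-ca app-vps-1`, compile the table with `postmap hash:/etc/postfix/submission-ca/relay_clientcerts`, copy only `app-vps-1.key` and `app-vps-1.pem` to that VPS, and reload Postfix. Revoking a host is then a matter of deleting its line from the table and re-running postmap; no password rotation is involved.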

If you don't need to handle incoming mail, then don't bother with authentication. Just block incoming traffic with a firewall, and/or restrict it to localhost only.

 inet_interfaces = 127.0.0.1

No more open relay issue, and you also avoid complicating things for applications that need to send mail through postfix.

mc0e