January 03, 2005

Postfix-SMTP-AUTH-TLS-Howto (Update v2)

Previous version: Postfix-SMTP-AUTH-TLS-Howto
Some of the files have been updated; the steps are largely the same.

Get the files
wget http://www.openssl.org/source/openssl-0.9.7e.tar.gz
wget ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-2.1.20.tar.gz
wget http://archive.mgm51.com/mirrors/postfix-source/official/postfix-2.1.5.tar.gz
wget ftp://ftp.aet.tu-cottbus.de/pub/postfix_tls/pfixtls-0.8.18-2.1.3-0.9.7d.tar.gz

Extract the files
tar zxf openssl-0.9.7e.tar.gz
tar zxf cyrus-sasl-2.1.20.tar.gz
tar zxf postfix-2.1.5.tar.gz
tar zxf pfixtls-0.8.18-2.1.3-0.9.7d.tar.gz

Build openssl
cd openssl-0.9.7e
./config
make
make install

Build cyrus-sasl-2
cd ../cyrus-sasl-2.1.20
./configure --enable-anon --enable-plain --enable-login --with-saslauthd=/var/run/saslauthd --with-pam --with-openssl=/usr/local/ssl --with-plugindir=/usr/local/lib/sasl2 --enable-cram --enable-digest
make
make install
(If the libsasl2 rpm is already installed, remove it first, then ln -fs /usr/local/lib/libsasl2.so.2.0.20 /usr/lib/libsasl2.so.2)

[ -d /usr/lib/sasl2 ] && mv /usr/lib/sasl2 /usr/lib/sasl2_orig
ln -s /usr/local/lib/sasl2 /usr/lib/sasl2
printf "pwcheck_method:saslauthd\nmech_list: plain login digest-md5\n" > /usr/local/lib/sasl2/smtpd.conf

Build postfix (with the TLS patch)
cd ../postfix-2.1.5
useradd postfix
groupadd postdrop
patch -p1 < ../pfixtls-0.8.18-2.1.3-0.9.7d/pfixtls.diff
(the patch still applies to postfix 2.1.5)
make makefiles CCARGS="-DHAS_SSL -DUSE_SASL_AUTH -I/usr/local/include/sasl -I/usr/local/ssl/include" AUXLIBS="-L/usr/local/ssl/lib -L/usr/local/lib -R/usr/local/lib -lsasl2 -lssl -lcrypto"
make
make install
(just press enter to accept the defaults for everything)
cp /etc/postfix/aliases /etc/
newaliases
mkdir -p /var/spool/postfix/etc
cd /etc
cp localtime services hosts resolv.conf /var/spool/postfix/etc
mkdir -p /var/run/saslauthd
(where the mux socket file is kept)

Generate the certificate files for TLS
cd /etc/postfix
openssl req -new -x509 -nodes -out smtpd.pem -keyout smtpd.pem -days 3650

Edit /etc/postfix/main.cf and add the following
# SASL
smtpd_recipient_restrictions=permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_sasl_auth_enable=yes
smtpd_sasl_security_options=noanonymous
broken_sasl_auth_clients=yes
# TLS
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/smtpd.pem
smtpd_tls_cert_file = /etc/postfix/smtpd.pem
smtpd_tls_CAfile = /etc/postfix/smtpd.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

Start postfix and saslauthd
postfix start
saslauthd -a shadow -m /var/run/saslauthd

Test
telnet localhost 25

220 pank.idv.tw ESMTP Postfix
ehlo 0
250-pank.idv.tw
250-PIPELINING
250-SIZE 10485760
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN DIGEST-MD5
250-AUTH=LOGIN PLAIN DIGEST-MD5
250-XVERP
250 8BITMIME

That looks fine. Next, test authentication with username pank and password test.
Get the encoded string: printf 'pank\0pank\0test' | mmencode
which gives cGFuawBwYW5rAHRlc3Q=
(When testing this way, a password that begins with a digit 0-7 fails authentication, for reasons unknown.
In practice such a password works fine with SMTP AUTH.)
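An added example, not from the original post, that shows where the 0-7 problem above comes from and how to avoid it: the shell's printf reads `\0` followed by octal digits as a single octal escape, so in 'pank\0pank\00test' the NUL separator swallows the leading 0 and the token actually encodes the password "test". Passing the three fields as %s arguments keeps their bytes intact. It assumes GNU coreutils base64 in place of mmencode and the same pank/test credentials as the post.

```shell
# Build the base64 token for SMTP "AUTH PLAIN": authzid NUL authcid NUL password.
# The fields are passed as %s arguments, so their bytes are copied verbatim;
# only the format string goes through printf's escape processing.
sasl_plain_token() {
    printf '%s\000%s\000%s' "$1" "$2" "$3" | base64 | tr -d '\n'
}

# The howto's approach, with the fields spliced into the format string itself.
# A password beginning with 0-7 is consumed by the preceding \0 as part of one
# octal escape, so the token silently encodes a different password. (A '%' in
# any field would likewise be taken as a conversion specifier.)
sasl_plain_token_naive() {
    printf "$1\0$2\0$3" | base64 | tr -d '\n'
}

# Decode a token and print its three fields separated by '|', so a wrong token
# is visible at a glance instead of only as a 535 reply from the server.
sasl_plain_fields() {
    printf '%s' "$1" | base64 -d | tr '\000' '|'
}

# Compare both encodings for the howto's password and for one starting with 0.
for pw in test 0test; do
    safe=$(sasl_plain_token pank pank "$pw")
    naive=$(sasl_plain_token_naive pank pank "$pw")
    echo "password=$pw"
    echo "  safe : $safe  ->  $(sasl_plain_fields "$safe")"
    echo "  naive: $naive  ->  $(sasl_plain_fields "$naive")"
done
```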

telnet localhost 25

220 pank.org ESMTP Postfix
ehlo 0
250-pank.org
250-PIPELINING
250-SIZE 10485760
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN DIGEST-MD5
250-AUTH=LOGIN PLAIN DIGEST-MD5
250-XVERP
250 8BITMIME
auth plain cGFuawBwYW5rAHRlc3Q=
235 Authentication successful

It is working properly.

If it fails, check the log to find the cause.

ref. Postfix/TLS - A TLS extension for POSTFIX

FAQ
Q: make postfix failed, db* not found
A: install libdb* and libdb*devel (e.g. libdb3.3-3.3.11-17mdk.i586.rpm, libdb3.3-devel-3.3.11-17mdk.i586.rpm)
Q: warning: SASL authentication failure: cannot connect to saslauthd server: No such file or directory
A: 1. It may be picking up the libsasl2 from the original rpm; remove it first, then ln -fs /usr/local/lib/libsasl2.so.2.0.20 /usr/lib/libsasl2.so.2
   2. smtpd runs chrooted. There are two ways to fix this:
      1. Unset the 'chroot' flag in master.cf for smtpd on port 25
      2. Use a Linux bind mount to make the socket accessible within the chroot.

Posted by pank at January 3, 2005 04:13 PM
Comments

I don't use Outlook.
For Thunderbird, just select TLS in the SMTP options.

Posted by: pank at August 19, 2005 01:37 AM

When the openssl setup is finished,
how do I set it up in Outlook?
thanks
neo

Posted by: neo at August 18, 2005 09:50 PM