Postfix installation HOWTO


StartTLS and SMTP-Authorization

Most email client software supports authorization over SSL. It can be used to authorize our users and allow them to send email through our SMTP server. This is especially useful for traveling users who connect from the dynamic IP address of a local ISP. Known software that supports authorization:
  • MS Outlook Express
  • Mozilla
  • Netscape

Authentication modules

Postfix can use the Cyrus SASL authentication mechanism. It is a daemon that accepts connections and checks usernames and passwords against its database. In our case we enable MySQL support in Cyrus SASL so that it uses the MySQL tables of Postfix. Download pam_mysql-0.5.tar.gz (you can search google.com for the exact module name), or download the module from http://smartcgi.com/dist/postfix/src/auth/
    tar -xzvf pam_mysql-*
    cd pam_mysql*
    
If you installed MySQL from source, you need to change the path to MySQL's libraries. Open the Makefile in your favorite editor and change the compiler options to:
    export LD_D='gcc -shared -Xlinker -x -L/usr/local/lib/mysql -lz'
    
Then compile and install as usual, and copy the MySQL PAM module into PAM's library directory:
    make
    make install 
    cp pam_mysql.so  /lib/security/
    
Create the file /etc/pam.d/smtp with the following lines to authorize users from MySQL:
    auth    sufficient pam_mysql.so user=postfix passwd=pass123 db=postfix \
        table=users usercolumn=email passwdcolumn=passwd crypt=1
    account sufficient pam_mysql.so user=postfix passwd=pass123 db=postfix \
        table=users usercolumn=email passwdcolumn=passwd crypt=1
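
An added check, not part of the original HOWTO: /etc/pam.d/smtp as written above holds the MySQL password in clear text, so this script flags the file when group or others can read it, and also flags pam_mysql rules whose crypt setting implies a plain-text password column. The function names and finding labels are made up for this example; treating a missing crypt= option or crypt=0 as plain text is an assumption based on the pam_mysql README.

```shell
#!/bin/sh
# Added example, not from the HOWTO: audit a PAM service file that uses pam_mysql.

# True only when group and others have no permission bits on the file.
is_private() {
    # ls -ld prints e.g. "-rw-------"; characters 5-10 are the group/other bits
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print one finding per line; return 0 if clean, 1 if anything was found.
audit_pam_mysql() {
    file=$1
    findings=0
    if [ ! -f "$file" ]; then
        echo "MISSING $file"
        return 1
    fi
    # Join "\"-continued lines so that each PAM rule is one logical line.
    rules=$(awk '{ if (sub(/\\$/, "")) printf "%s", $0; else print }' "$file" |
            grep 'pam_mysql\.so' || true)
    # passwd=... is the MySQL password in clear text, so nobody but the
    # owner of the file should be able to read it.
    if echo "$rules" | grep -q '[[:space:]]passwd=' && ! is_private "$file"; then
        echo "READABLE_DB_PASSWORD $file"
        findings=1
    fi
    # Assumption (pam_mysql README): crypt=0, or no crypt= option at all,
    # means the passwdcolumn holds plain-text passwords.
    if echo "$rules" | grep -v 'crypt=[^0[:space:]]' | grep -q 'pam_mysql'; then
        echo "PLAINTEXT_PASSWORD_COLUMN $file"
        findings=1
    fi
    return "$findings"
}

# Usage: sh audit.sh /etc/pam.d/smtp
if [ "$#" -ge 1 ]; then
    audit_pam_mysql "$1"
fi
```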
    

Cyrus SASL authorization module

Download Cyrus SASL version 2 from http://freshmeat.net, or get it from the smartcgi.com site at http://smartcgi.com/dist/postfix/src/auth/. We recommend downloading cyrus-sasl-2.1.9, because newer versions have problems authorizing users whose names contain '@', for example 'jack@domain.com'. Install as usual and make a symlink for the libraries:
    ./configure \
        --with-saslauthd --disable-krb4 \
        --disable-cram --disable-otp \
        --disable-digest --disable-ntlm --enable-login \
        --disable-gssapi  --disable-digest --disable-cram
    make
    make install
    ln -s   /usr/local/lib/sasl2 /usr/lib/sasl2

    
Create the file /usr/local/lib/sasl/smtpd.conf with the following single line, and make the symlinks for the libraries:
    pwcheck_method: saslauthd
    
To keep our files secure, change their mode:
    chmod 600 /usr/local/lib/sasl/smtpd.conf
    chown 0:0 /usr/local/lib/sasl/smtpd.conf
    mkdir -p /var/state/saslauthd
    
Add /usr/local/lib/sasl2 to /etc/ld.so.conf and run the command:
    ldconfig -v | grep sasl
    
You should see something like the following:
    [root@b1]# ldconfig -v|grep sasl
    libsasl.so.7 -> libsasl.so.7.1.8
    libsasl2.so.2 -> libsasl2.so.2.0.17
    /usr/local/lib/sasl2:
    libsasldb.so.2 -> libsasldb.so.2.0.17
    [root@b1]#    
    
Create the Cyrus-SASL startup script /etc/init.d/sasl:
    #!/bin/sh
    # chkconfig: 3  80 30
    # description: SASL

    case "$1" in
        start)
            echo -n "Starting Cyrus-SASL: "
            # Run saslauthd with PAM as the authentication backend
            /usr/local/sbin/saslauthd -a pam
            ;;
        stop)
            echo -n "Shutting down Cyrus-SASL: "
            /usr/bin/killall saslauthd
            ;;
        restart)
            $0 stop
            $0 start
            ;;
        *)
            echo "Usage: $0 {start|stop|restart}"
            exit 1
            ;;
    esac
    exit 0
    
You can get this startup script from http://smartcgi.com/dist/postfix/init.d/. Add the script to the startup configuration and run it:
    chkconfig --add sasl
    chkconfig  sasl on
    chmod 700 /etc/init.d/sasl
    /etc/init.d/sasl start
    
If you have installed everything correctly, you should see:
    [root@box1]# ps x | grep sasl
    25606 ?        S      0:00 /usr/local/sbin/saslauthd -a pam
    25607 ?        S      0:00 /usr/local/sbin/saslauthd -a pam
    25608 ?        S      0:00 /usr/local/sbin/saslauthd -a pam
    25609 ?        S      0:00 /usr/local/sbin/saslauthd -a pam
    25610 ?        S      0:00 /usr/local/sbin/saslauthd -a pam
    26266 ttyp4    S      0:00 grep sasl
    [root@box1]#
    


© Copyright 1999 - 2004 SmartCGI, Inc. All Rights Reserved.