Recipe 20.7. Installing Cyrus-SASL for SMTP Authorization


20.7.1 Problem

You want to add Cyrus-SASL to your mail server, so you can set up smtp-auth. You want your users to authenticate themselves, and you want Postfix to authenticate to an external relay.

20.7.2 Solution

RPM users need these packages:

  • cyrus-sasl-2.x

  • cyrus-sasl-plain-2.x

Debian users, see Recipe 20.8.


Before installing Cyrus-SASL, verify that your version of Postfix supports SASL and TLS. Run ldd on the smtpd executable to find out. Look for libsasl2, libssl, and libcrypto:

$ ldd /usr/lib/postfix/smtpd
...
  libssl.so.0.9.7 => /usr/lib/i686/cmov/libssl.so.0.9.7 (0x4006f000)
  libcrypto.so.0.9.7 => /usr/lib/i686/cmov/libcrypto.so.0.9.7 (0x4009e000)
  libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0x4018f000)
...

If Postfix links to these libraries, go ahead and install Cyrus-SASL. If it doesn't, you have two options:

  • Rebuild Postfix from sources. Read the README and SASL_README files. Be sure to install Cyrus-SASL first, before compiling Postfix.

  • Replace your Postfix with an up-to-date RPM package that has everything built in.

After installing Postfix and Cyrus-SASL, start up saslauthd:

# /etc/init.d/saslauthd start

Now add these lines to main.cf:

smtpd_sasl_auth_enable = yes
smtpd_sasl2_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_local_domain = $myhostname
smtpd_recipient_restrictions =
    permit_sasl_authenticated
    permit_mynetworks
    reject_unauth_destination

and activate the changes:

# postfix reload

Then verify that Postfix sees the new SASL libraries:

$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
220 windbag.test.net ESMTP Postfix (Libranet/GNU)
EHLO windbag.test.net
250-windbag.test.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-XVERP
250 8BITMIME

The STARTTLS and AUTH lines are just what you want to see. Now you can move on to Recipe 20.9 for the next step.

20.7.3 Discussion

You can use AUTH LOGIN and PLAIN, because logins will be encrypted by TLS (see Recipe 20.9).
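The EHLO check from the Solution can be scripted. This is an added example, not code from the book: it parses a captured EHLO reply (the sample is the recipe's telnet session, embedded as constructed input) and reports when PLAIN or LOGIN is advertised on a connection that has not yet negotiated TLS. The function names and finding codes are assumptions made for the example.

```python
import re

# Constructed sample: the EHLO reply from the recipe's telnet session.
SAMPLE_EHLO = """\
250-windbag.test.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-XVERP
250 8BITMIME
"""

# Mechanisms that put the password on the wire merely base64-encoded.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}
LINE = re.compile(r"250[- ]([A-Za-z0-9][A-Za-z0-9-]*)(?:[ =](.*))?$")

def parse_ehlo(reply):
    """Map each ESMTP keyword in a 250 EHLO reply to its parameter list."""
    caps = {}
    lines = [l.strip() for l in reply.splitlines() if l.strip()]
    for line in lines[1:]:          # first line is the greeting/hostname
        m = LINE.match(line)
        if not m:
            raise ValueError(f"unexpected EHLO line: {line!r}")
        keyword, params = m.group(1).upper(), (m.group(2) or "").upper().split()
        seen = caps.setdefault(keyword, [])
        # "AUTH=..." (from broken_sasl_auth_clients) repeats "AUTH ..."; merge.
        seen.extend(p for p in params if p not in seen)
    return caps

def audit(reply, tls_active=False):
    """Return finding codes for an EHLO reply seen before or after STARTTLS."""
    caps = parse_ehlo(reply)
    findings = []
    if "AUTH" not in caps:
        findings.append("no-auth")            # SASL not enabled in smtpd
    if not tls_active:
        if "STARTTLS" not in caps:
            findings.append("no-starttls")    # logins cannot be encrypted
        if CLEARTEXT_MECHS & set(caps.get("AUTH", [])):
            # Safe only if every client issues STARTTLS before AUTH.
            findings.append("cleartext-auth-before-tls")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_EHLO))
```

For the recipe's configuration this reports cleartext-auth-before-tls, because AUTH is advertised before STARTTLS has been issued. Postfix's smtpd_tls_auth_only = yes withholds AUTH until TLS is active.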

main.cf has over a hundred possible configuration options. Don't go nuts; it's not necessary to use all of them. Use the minimum needed to get the job done. You can check out many sample configurations in /usr/share/doc/postfix/examples/sample-smtpd.cf.gz.

smtpd_recipient_restrictions can have multiple options separated by commas, either all on one line or broken up into multiple lines. Each line must start with whitespace.

20.7.4 See Also

  • /usr/share/doc/postfix/examples/, for descriptions of all the main.cf options

  • /usr/share/doc/postfix/examples/sample-auth.cf.gz, for explanations of the authentication options

  • The Postfix book (/usr/share/doc/postfix/html/index.html)



    Linux Cookbook
    ISBN: 0596006403
    EAN: 2147483647
    Year: 2004
    Pages: 434
