Mail Server - Secure Connection - Configuring saslauthd


Now that we've configured Postfix to use MySQL, we can begin setting up authenticated logins to our mail server. We do this with saslauthd, which handles the SMTP AUTH side; the SSL certificate that encrypts the connection itself is covered in the next article.

Saslauthd

Eh?

Saslauthd is quite simply (and from the 'man' page):

"a daemon process that handles plaintext authentication requests on behalf of the SASL library."

Or to put it in even plainer English: you need this to log on.

Editing saslauthd

Let's go ahead and edit the main saslauthd file:

sudo nano /etc/default/saslauthd

The first line to edit is the first one you come across; it makes saslauthd start at boot (the default is no):

# Should saslauthd run automatically on startup? (default: no)
START=yes

The second thing to change is the OPTIONS line at the bottom of the file.

The default looks like this:

#
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
OPTIONS="-c -m /var/run/saslauthd"

Well, we are running Postfix, so let's follow that advice and change the options to read:

#
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"

Note the extra '-r' option: our users log in with their whole address (user@example.com), and '-r' tells saslauthd to keep the realm (the domain part) attached to the login name instead of stripping it before the lookup. The '-c' option, already present in the default, enables credential caching.

The eagle-eyed amongst you will have noticed that we just pointed OPTIONS at a directory that does not exist. The socket has to live under /var/spool/postfix because, on Ubuntu, Postfix's smtpd runs chrooted in that directory and can only reach a socket inside it.

Well, let's rectify that by creating it:

sudo mkdir -p /var/spool/postfix/var/run/saslauthd

MySQL

Remember that we are using MySQL to hold the information on our domains, email addresses and users.

As such, the authentication process for each user needs to know where to get the user name and password from.

We therefore need to create two small files that give the authentication process access to the database holding that data. The first is the PAM service file that saslauthd consults; the service name 'smtp' is the one Postfix asks for:

sudo nano /etc/pam.d/smtp

We need to enter the relevant details for the db.

In my case I entered:

auth    required   pam_mysql.so user=mailadmin passwd=newpassword host=127.0.0.1 db=mail table=users usercolumn=email passwdcolumn=password crypt=1
account sufficient pam_mysql.so user=mailadmin passwd=newpassword host=127.0.0.1 db=mail table=users usercolumn=email passwdcolumn=password crypt=1

This allows the authentication process to query the database to check the email address and password. Note 'crypt=1': pam_mysql expects the password column to hold crypt(3) hashes rather than plaintext, so when we add users we will make sure the password is stored in that form. Both of the files created in this section contain the database password, so make sure they are not world-readable; only root and the Postfix process need to read them.

And finally, we need to create a second file:

sudo nano /etc/postfix/sasl/smtpd.conf

The contents are very similar to those just entered:

pwcheck_method: saslauthd
mech_list: plain login
allow_plaintext: true
auxprop_plugin: sql
sql_engine: mysql
sql_hostnames: 127.0.0.1
sql_user: mailadmin
sql_passwd: newpassword
sql_database: mail
sql_select: select password from users where email = '%u@%r'

Again, fairly self-explanatory: pwcheck_method tells the SASL library inside Postfix to hand plaintext passwords to saslauthd, mech_list limits the mechanisms offered to PLAIN and LOGIN, and the sql_* lines tell the auxprop plugin how to reach the user table ('%u' and '%r' are the user and realm parts of the login name). Both PLAIN and LOGIN send the password merely base64-encoded, not encrypted, which is why allow_plaintext is needed and why, once the certificate is in place, Postfix should only offer AUTH over TLS (smtpd_tls_auth_only = yes in main.cf).

Users

As with all things Linux, permissions to execute certain actions and to read certain files are all based around users and groups.

As such, we need to add postfix to the sasl group so it can reach the saslauthd socket directory we just set up.

This is done very simply:

sudo adduser postfix sasl


Restart

So far we have added and edited the configuration files and had a good time doing it. Now we need to restart both services so the changes are picked up and acted on:

sudo /etc/init.d/postfix restart
sudo /etc/init.d/saslauthd restart
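To confirm the pieces above fit together, here is an added example of my own (it is not part of the Rackspace article): a small POSIX shell script that checks /etc/default/saslauthd for the START and OPTIONS values set earlier, checks that postfix is in the sasl group, builds the tokens an SMTP client sends for the PLAIN and LOGIN mechanisms allowed in smtpd.conf (which shows why they need TLS: the password is only base64-encoded), and asks saslauthd directly, over the mux socket inside the Postfix chroot, whether a login works, using testsaslauthd from the sasl2-bin package. The user name user@example.com and the password 'secret' are assumptions for illustration only.

```shell
#!/bin/sh
# Added example, not part of the original article: sanity checks for the
# saslauthd setup above. Paths follow the article; the user name and
# password used at the bottom are assumptions for illustration only.

# saslauthd must put its socket under the Postfix chroot, because Ubuntu
# runs smtpd chrooted in /var/spool/postfix.
SASL_SOCKET_DIR=/var/spool/postfix/var/run/saslauthd

# Check a /etc/default/saslauthd-style file: START must be yes, and OPTIONS
# must use -m with the chroot socket directory and carry -r.
# Prints one line per problem found; returns 0 only if all checks pass.
check_saslauthd_defaults() {
    file=$1
    rc=0
    start=$(sed -n 's/^START=//p' "$file" | tail -n 1)
    opts=$(sed -n 's/^OPTIONS=//p' "$file" | tail -n 1 | tr -d '"')
    if [ "$start" != "yes" ]; then
        echo "START=$start: saslauthd will not be started at boot"
        rc=1
    fi
    case " $opts " in
        *" -m $SASL_SOCKET_DIR "*) ;;
        *) echo "OPTIONS does not point -m at $SASL_SOCKET_DIR: $opts"; rc=1 ;;
    esac
    case " $opts " in
        *" -r "*) ;;
        *) echo "OPTIONS lacks -r, so the domain part of user@example.com is dropped"; rc=1 ;;
    esac
    return $rc
}

# Is a user in a group? The article adds postfix to sasl so smtpd can
# reach the socket directory. Returns 0 if "$1" is a member of "$2".
user_in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# Token a client sends after "AUTH PLAIN": base64 of
# NUL authorization-id NUL authentication-id NUL password, with an
# empty authorization id. Note the password is merely encoded.
auth_plain_token() {
    printf '\000%s\000%s' "$1" "$2" | base64 | tr -d '\n'
}

# AUTH LOGIN sends the same data in two steps: base64(user), then
# base64(password). Prints the two tokens on separate lines.
auth_login_tokens() {
    printf '%s' "$1" | base64 | tr -d '\n'; echo
    printf '%s' "$2" | base64 | tr -d '\n'; echo
}

# Ask the running saslauthd, via the mux socket inside the chroot and
# the "smtp" PAM service (/etc/pam.d/smtp), whether the credentials
# are accepted. Needs sasl2-bin; prints 0: OK "Success." when they are.
test_saslauthd_login() {
    if ! command -v testsaslauthd >/dev/null 2>&1; then
        echo "testsaslauthd not found; install sasl2-bin" >&2
        return 2
    fi
    testsaslauthd -s smtp -f "$SASL_SOCKET_DIR/mux" -u "$1" -p "$2"
}

# Run the checks against the live system when invoked with a user and
# password, e.g.: sh check-sasl.sh user@example.com secret
if [ "$#" -eq 2 ]; then
    check_saslauthd_defaults /etc/default/saslauthd
    user_in_group postfix sasl || echo "postfix is not in the sasl group"
    echo "AUTH PLAIN token: $(auth_plain_token "$1" "$2")"
    echo "AUTH LOGIN tokens:"; auth_login_tokens "$1" "$2"
    test_saslauthd_login "$1" "$2"
fi
```

Running testsaslauthd against the socket is the quickest way to separate a saslauthd/PAM/MySQL problem from a Postfix one: if it answers `0: OK "Success."` but SMTP AUTH still fails, the fault is on the Postfix side (the sasl group membership, the smtpd.conf file or the chroot path); if it answers `0: NO "authentication failed"`, look at /etc/pam.d/smtp and the user table.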

Summary

Adding the saslauthd details and defining the database means that Postfix now has access to the authentication process, so any request to log into the mail server can be checked against the user table. Next up, we'll create the SSL certificate for our mail server.

© 2011-2013 Rackspace US, Inc.

Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License