PostfixAndSASL - Debian Wiki


  • Postfix: SASL auth with PAM and passwd file

    How to configure #Postfix to authenticate users with #SASL, #PAM and a custom #passwd file (#Debian Linux Jessie)

    Here are the clues and hints I would have liked to find gathered in one place; it would have saved me a lot of time.

    1) How to activate a PAM plugin in order to use a custom passwd file

    Create the passwd file:

    echo "myuser@mydomain.tld:"$( mkpasswd -m sha-512 "mypassword" ) > /etc/postfix/my_passwd_file

    Install the PAM plugin:
    apt-get install libpam-pwdfile

    Activate it for the smtp service:
    echo 'auth            required        pam_pwdfile.so pwdfile=/etc/postfix/my_passwd_file
    account         required        pam_permit.so
    session         required        pam_permit.so
    password        required        pam_deny.so' > /etc/pam.d/smtp

    Check that it works:
    apt-get install pamtester
    pamtester -v smtp myuser@mydomain.tld authenticate

    It is supposed to prompt for the password... and to succeed:

    pamtester: invoking pam_start(smtp, myuser@mydomain.tld, ...)
    pamtester: performing operation - authenticate
    Password:
    pamtester: successfully authenticated

    As far as I can see on SourceForge, pamtester is no longer maintained, but it is packaged in Debian, which makes it very handy for testing the authentication chain from the very beginning.

    I activated debug mode for PAM by creating a file in /etc:

    touch /etc/pam_debug

    You may delete it at the end.
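    Before handing the passwd file to pam_pwdfile, it is worth checking that every entry really is user@domain:$6$salt$hash, that no entry carries a weak or cleartext password, and that the file is not readable by every local user (saslauthd reads it as root, so chmod 600 is enough). The following script is an added example written for this page, not something from the Debian wiki or from libpam-pwdfile; the file contents it checks are constructed, and the hash values in it are placeholders, not real crypt output.

```python
import os
import re
import stat
import tempfile

# Constructed sample contents for an /etc/postfix/my_passwd_file-style file (not the
# page's real file): one good sha-512 entry, one weak md5-crypt entry, a duplicate
# user, a user without a domain, a malformed line and a cleartext password.
SAMPLE_PWDFILE = """\
myuser@mydomain.tld:$6$c0nstructedSalt$c0nstructedSha512HashValue
olduser@mydomain.tld:$1$c0nstruct$c0nstructedMd5HashValue
myuser@mydomain.tld:$6$anotherSalt$c0nstructedSecondHashValue
localuser:$6$thirdSalt$c0nstructedThirdHashValue
this line has no separator
plain@mydomain.tld:cleartextpassword
"""

# crypt(3) hashes understood by pam_pwdfile look like $<id>$<salt>$<hash>, optionally
# with a rounds=N field; id 6 = sha-512 (what mkpasswd -m sha-512 produces), 5 = sha-256,
# 1 = md5.
CRYPT_RE = re.compile(r"^\$(?P<id>[156])\$(?:rounds=\d+\$)?[^$]+\$[./0-9A-Za-z]+$")


def check_pwdfile_text(text):
    """Return (line number, message) findings for the contents of a pwdfile."""
    findings = []
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            findings.append((lineno, "malformed line, expected user:hash"))
            continue
        user, hashed = line.split(":", 1)
        if user in seen:
            findings.append((lineno, "duplicate entry for %s" % user))
        seen.add(user)
        if "@" not in user:
            findings.append((lineno, "%s has no @domain; with saslauthd -r PAM receives user@realm" % user))
        match = CRYPT_RE.match(hashed)
        if match is None:
            findings.append((lineno, "unrecognised hash for %s (expected $6$salt$hash from mkpasswd -m sha-512)" % user))
        elif match.group("id") == "1":
            findings.append((lineno, "weak md5-crypt hash for %s; regenerate with mkpasswd -m sha-512" % user))
    return findings


def check_pwdfile_mode(path):
    """saslauthd reads the file as root, so nobody but root needs access to it."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if mode & 0o007:
        findings.append("mode %04o is readable by every local user; use chmod 600" % mode)
    if mode & 0o022:
        findings.append("mode %04o is writable by group or others" % mode)
    return findings


def check_pwdfile(path):
    """Combine content and permission checks; permission findings use line number 0."""
    with open(path, encoding="utf-8") as fh:
        findings = check_pwdfile_text(fh.read())
    findings.extend((0, msg) for msg in check_pwdfile_mode(path))
    return findings


def demo():
    """Write the sample to a temporary file and check it with loose, then tight, permissions."""
    fd, path = tempfile.mkstemp(prefix="my_passwd_file.")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_PWDFILE)
        os.chmod(path, 0o644)
        loose = check_pwdfile(path)
        os.chmod(path, 0o600)
        tight = check_pwdfile(path)
    finally:
        os.unlink(path)
    return loose, tight


if __name__ == "__main__":
    for lineno, msg in demo()[0]:
        print("line %d: %s" % (lineno, msg))
```

    Run it against the real file with check_pwdfile("/etc/postfix/my_passwd_file") once the file exists; an empty result means the format, hash strength and permissions are as the recipe expects.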

    Then, second step: the SASL auth daemon. I had first tried to tell SASL to use PAM directly, but it refused to authenticate without leaving any hint in the log files. saslauthd is far more verbose, and it helped me a lot to reach the goal.

    2) Configure saslauthd

    Follow the first recipe in the Debian page:
    https://wiki.debian.org/PostfixAndSASL

    This recipe is almost right for my passwd file, except that by default saslauthd separates the user name from the domain, so PAM only receives the bare user name:

    Sep 9 10:17:39 smtpout saslauthd[829]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
    Sep 9 10:17:39 smtpout saslauthd[829]: do_auth : auth failure: [user=myuser] [service=smtp] [realm=mydomain.tld] [mech=pam] [reason=PAM auth error]

    The solution is to add an option in the saslauthd config file:

    vi /etc/default/saslauthd-postfix

    and modify the “OPTIONS” line:

    OPTIONS="-c -r -m /var/spool/postfix/var/run/saslauthd"

    The “-r” option keeps the login and its domain together, so PAM sees the full mail address. See “man saslauthd”:

    -r Combine the realm with the login (with an ’@’ sign in between). e.g. login: “foo” realm: “bar” will get passed as login: “foo@bar”. Note that the realm will still be passed, which may lead to unexpected behavior for authentication mechanisms that make use of the realm, however for mechanisms which don’t, such as getpwent, this is the only way to authenticate domain-specific users sharing the same userid.

    If you want to check saslauthd directly, you may use:

    testsaslauthd -u "myuser@mydomain.tld" -p "mypassword" -f /var/spool/postfix/var/run/saslauthd/mux -s smtp
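    The two syslog lines above are the signature of the missing -r option: a failure whose [user=...] has no domain while [realm=...] is set. As an added example (not from the Debian wiki or from saslauthd itself), here is a small parser that reads saslauthd do_auth lines and tells that case apart from a plain wrong password; the log text is constructed after the excerpt above, and the success line assumes the format saslauthd prints in debug mode.

```python
import re
from collections import Counter

# Constructed sample syslog lines modelled on the page's excerpt (not a real capture):
# the first two show the realm split seen before adding -r, the third a failure with
# the full login, the fourth a success as saslauthd logs it in debug mode (assumed format).
SAMPLE_LOG = """\
Sep 9 10:17:39 smtpout saslauthd[829]: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Sep 9 10:17:39 smtpout saslauthd[829]: do_auth : auth failure: [user=myuser] [service=smtp] [realm=mydomain.tld] [mech=pam] [reason=PAM auth error]
Sep 9 10:25:02 smtpout saslauthd[829]: do_auth : auth failure: [user=myuser@mydomain.tld] [service=smtp] [realm=mydomain.tld] [mech=pam] [reason=PAM auth error]
Sep 9 10:31:15 smtpout saslauthd[829]: do_auth : auth success: [user=myuser@mydomain.tld] [service=smtp] [realm=mydomain.tld] [mech=pam]
"""

EVENT_RE = re.compile(r"saslauthd\[\d+\]: do_auth : auth (?P<result>success|failure): (?P<fields>.*)$")
FIELD_RE = re.compile(r"\[(\w+)=([^\]]*)\]")


def parse_event(line):
    """Turn one saslauthd do_auth line into a dict of its [key=value] fields, or None."""
    m = EVENT_RE.search(line)
    if m is None:
        return None
    event = dict(FIELD_RE.findall(m.group("fields")))
    event["result"] = m.group("result")
    return event


def classify(event):
    """Name the likely cause of a do_auth event."""
    if event["result"] == "success":
        return "success"
    user, realm = event.get("user", ""), event.get("realm", "")
    if realm and "@" not in user:
        # PAM was handed the bare user name although a realm exists: saslauthd is
        # splitting login and domain, i.e. the -r option is missing.
        return "realm-split"
    return "credential-rejected"


def analyse(text):
    """Group logins by classification and count failures per login for the log text."""
    groups = {"success": [], "realm-split": [], "credential-rejected": []}
    failures = Counter()
    for line in text.splitlines():
        event = parse_event(line)
        if event is None:
            continue
        kind = classify(event)
        groups[kind].append(event.get("user", ""))
        if kind != "success":
            failures[event.get("user", "")] += 1
    return groups, failures


if __name__ == "__main__":
    groups, failures = analyse(SAMPLE_LOG)
    for kind, users in groups.items():
        print("%-20s %s" % (kind, ", ".join(users) or "-"))
    print("failures per login:", dict(failures))
```

    Feeding it the output of grep saslauthd /var/log/auth.log gives a quick answer to "is it my passwd file or my saslauthd options", and the failure counter per login is a cheap way to notice repeated guessing against one account.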

    3) The last test: check that Postfix actually authenticates users

    Many blog posts explain how to test SMTP AUTH with telnet, but they usually propose outdated ways of encoding the credentials, for example:

    https://www.ndchost.com/wiki/mail/test-smtp-auth-telnet

    In my case, the Perl one-liner encoded the user name incorrectly. I obtained a correct encoding this way:

    echo -n "myuser@mydomain.tld" | base64
    echo -n "mypassword" | base64

    SMTP conversation (a sample session; note that the server banner shows Exim, not Postfix, but the AUTH exchange is the same):

    user@localhost [~]# telnet exampledomain.com 25
    Trying 1.1.1.1...
    Connected to exampledomain.com (1.1.1.1).
    Escape character is '^]'.
    220-server1.exampledomain.com ESMTP Exim 4.66 #1 Wed, 09 May 2007 23:55:12 +0200
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
    EHLO exampledomain.com
    250-server1.exampledomain.com Hello  [1.1.1.2]
    250-SIZE 52428800
    250-PIPELINING
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
    AUTH LOGIN
    334 VXNlcm5hbWU6
    dXNlcm5hbWUuY29t
    334 UGFzc3dvcmQ6
    bXlwYXNzd29yZA==
    235 Authentication succeeded
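    The same encodings, plus the AUTH PLAIN variant that the EHLO reply also advertises, are easy to produce and check without a Perl one-liner. The script below is an added example for this page, not code from the Debian wiki or from Postfix; the two session transcripts in it are constructed after the exchange above (the 220 reply to STARTTLS is assumed). Besides computing the tokens and decoding the 334 challenges, it flags an AUTH command issued before STARTTLS has completed, since base64 is encoding, not encryption, and the transcript above sends the credentials on port 25 in the clear.

```python
import base64


def auth_login_tokens(user, password):
    """AUTH LOGIN: user name and password as two separate base64 lines (what echo -n | base64 gives)."""
    return (base64.b64encode(user.encode("utf-8")).decode("ascii"),
            base64.b64encode(password.encode("utf-8")).decode("ascii"))


def auth_plain_token(user, password, authzid=""):
    """AUTH PLAIN (RFC 4616): one base64 line of authzid NUL authcid NUL password."""
    raw = "%s\0%s\0%s" % (authzid, user, password)
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def decode_plain_token(token):
    """Split a captured AUTH PLAIN token back into (authzid, authcid, password)."""
    parts = base64.b64decode(token).decode("utf-8").split("\0")
    if len(parts) != 3:
        raise ValueError("AUTH PLAIN token must contain exactly two NUL separators")
    return tuple(parts)


def decode_challenge(line):
    """Decode a 334 continuation such as '334 VXNlcm5hbWU6' to its prompt text."""
    code, _, payload = line.strip().partition(" ")
    if code != "334":
        raise ValueError("not a 334 challenge: %r" % line)
    return base64.b64decode(payload).decode("utf-8")


# Constructed transcripts (client and server lines interleaved) modelled on the session
# above; host names and banners are the sample's, not a real host.
CLEARTEXT_SESSION = [
    "220 server1.exampledomain.com ESMTP",
    "EHLO exampledomain.com",
    "250-server1.exampledomain.com Hello [1.1.1.2]",
    "250-AUTH PLAIN LOGIN",
    "250-STARTTLS",
    "250 HELP",
    "AUTH LOGIN",
    "334 VXNlcm5hbWU6",
    "bXl1c2VyQG15ZG9tYWluLnRsZA==",
    "334 UGFzc3dvcmQ6",
    "bXlwYXNzd29yZA==",
    "235 Authentication succeeded",
]

TLS_SESSION = [
    "220 server1.exampledomain.com ESMTP",
    "EHLO exampledomain.com",
    "250-STARTTLS",
    "250 HELP",
    "STARTTLS",
    "220 Ready to start TLS",
    "EHLO exampledomain.com",
    "250-AUTH PLAIN LOGIN",
    "250 HELP",
    "AUTH PLAIN " + auth_plain_token("myuser@mydomain.tld", "mypassword"),
    "235 Authentication succeeded",
]


def audit_session(lines):
    """Return (line number, message) for every AUTH command sent before STARTTLS completed."""
    findings = []
    tls_active = False
    starttls_pending = False
    for number, line in enumerate(lines, 1):
        token = line.strip().upper()
        if starttls_pending:
            # The STARTTLS command only takes effect once the server answers 220.
            tls_active = token.startswith("220")
            starttls_pending = False
            continue
        if token == "STARTTLS":
            starttls_pending = True
        elif token.startswith("AUTH ") and not tls_active:
            command = " ".join(line.split()[:2])  # never echo the credential token itself
            findings.append((number, "%s sent on a cleartext session" % command))
    return findings


if __name__ == "__main__":
    print(auth_login_tokens("myuser@mydomain.tld", "mypassword"))
    print(decode_challenge("334 VXNlcm5hbWU6"), decode_challenge("334 UGFzc3dvcmQ6"))
    for number, msg in audit_session(CLEARTEXT_SESSION):
        print("line %d: %s" % (number, msg))
```

    The tokens it prints for myuser@mydomain.tld and mypassword match the ones the echo -n | base64 lines produce, and the audit on the cleartext transcript reports the AUTH LOGIN at line 7; on a Postfix server, smtpd_tls_auth_only = yes is the setting that refuses AUTH until STARTTLS has been negotiated.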

    Don’t forget to check the logs; they are the quickest way to understand what is wrong:

    tail /var/log/auth.log
    tail /var/log/syslog
    tail /var/log/mail.log

    References:
    https://github.com/tiwe-de/libpam-pwdfile
    http://pamtester.sourceforge.net
    https://wiki.debian.org/PostfixAndSASL
    https://www.ndchost.com/wiki/mail/test-smtp-auth-telnet