Postfix : SASL auth with PAM and passwd file
How to configure #Postfix to authenticate users with #SASL, #PAM and a custom #passwd file (#Debian Linux Jessie)
Here are the clues and hints I’d have been happy to find gathered in one single place to avoid such waste of time...
1) How to activate a PAM plugin in order to use a custom passwd file
Create the passwd file :
echo "firstname.lastname@example.org:"$( mkpasswd -m sha-512 "mypassword" ) > /etc/postfix/my_passwd_file
Install the PAM plugin :
apt-get install libpam-pwdfile
Activate it for the smtp service :
echo 'auth required pam_pwdfile.so pwdfile=/etc/postfix/my_passwd_file
account required pam_permit.so
session required pam_permit.so
password required pam_deny.so' > /etc/pam.d/smtp
Check that it works :
apt-get install pamtester
pamtester -v smtp email@example.com authenticate
It is supposed to ask for the password... and work :
pamtester: invoking pam_start(smtp, firstname.lastname@example.org, ...)
pamtester: performing operation - authenticate
pamtester: successfully authenticated
pamtester is as far as I can see in SF a not maintained project, but it is included as a standard package in Debian, which is a very good thing to test the authenticate chain from the very beginning.
I’ve actived the debug mode for PAM by creating a file in /etc :
You may delete it at the end.
Then, second step, the sasl auth daemon. I’ve tried before to directly tell sasl to use pam, but it was refusing to authenticate without beeing able to obtain any hint in the log files. saslauthd is far more verbose and it has helped me a lot to reach the goal.
2) Configure saslauthd
Follow the first recipe in the Debian page :
This recipe is almost correct for my passwd file. Except that by default, it separates the user name and the domain :
Sep 9 10:17:39 smtpout saslauthd: DEBUG: auth_pam: pam_authenticate failed: User not known to the underlying authentication module
Sep 9 10:17:39 smtpout saslauthd: do_auth : auth failure: [user=myuser] [service=smtp] [realm=mydomain.tld] [mech=pam] [reason=PAM auth error]
The solution is to add an option in the saslauthd config file :
And modify the “OPTIONS” line :
OPTIONS="-c -r -m /var/spool/postfix/var/run/saslauthd"
The “-r” option protects the mail address from being separated from its domain. Check “man saslauthd” :
-r Combine the realm with the login (with an ’@’ sign in between). e.g. login: “foo” realm: “bar” will get passed as login: “foo@bar”. Note that the realm will still be passed, which may lead to unexpected behavior for authentication mechanisms that make use of the realm, however for mechanisms which don’t, such as getpwent, this is the only way to authenticate domain-specific users sharing the same userid.
If you want to check saslauth, you may use :
testsaslauthd -u "email@example.com" -p "mypassword" -f /var/spool/postfix/var/run/saslauthd/mux -s smtp
3) Then, the last test : check that Postfix accepts to authenticate users...
Many blog posts explain how to test SMTP AUTH using telnet... But... they usually propose deprecated ways to encode the credentials...
In my case, the perl encoding for the user was wrong. I obtained a good encoding this way :
echo -n "firstname.lastname@example.org" | base64
echo -n "mypassword" | base64
#SMTP conversation :
user@localhost [~]# telnet exampledomain.com 25
Connected to exampledomain.com (184.108.40.206).
Escape character is '^]'.
220-server1.exampledomain.com ESMTP Exim 4.66 #1 Wed, 09 May 2007 23:55:12 +0200
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
250-server1.exampledomain.com Hello [220.127.116.11]
250-AUTH PLAIN LOGIN
235 Authentication succeeded
Don’t forget to check the logs, it’s useful to understand what’s wrong :