Today I needed to configure one of our dedicated Postfix servers to use SASL. This time I decided to use saslauthd instead of pwcheck, as I had always done before.

Let’s start by installing the packages:

$ sudo apt-get install postfix-tls sasl2-bin libsasl2 libsasl2-modules

Now edit /etc/default/saslauthd:

START=yes
MECHANISMS="pam"


saslauthd is not started automatically after the package installation; we’ll start it later.
The next file to edit is /etc/postfix/sasl/smtpd.conf (you have to create it):

pwcheck_method: saslauthd


OK, let’s add a few lines to /etc/postfix/main.cf to enable SASL:

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes

smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination


Postfix’s smtpd runs chrooted in /var/spool/postfix, so it can’t reach the saslauthd socket in /var/run/saslauthd. This is the tricky part: move the socket directory inside the chroot, point /var/run/saslauthd at it, and let the postfix user into the sasl group:

$ sudo rm -r /var/run/saslauthd/
$ sudo mkdir -p /var/spool/postfix/var/run/saslauthd
$ sudo ln -s /var/spool/postfix/var/run/saslauthd /var/run
$ sudo chgrp sasl /var/spool/postfix/var/run/saslauthd
$ sudo adduser postfix sasl
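Because every one of these steps fails silently until Postfix logs a connection error, here is a read-only check of the layout they are supposed to produce. It is an added example and not part of the original post; the defaults are the paths, group and user named above, and all four can be overridden so the function can be exercised against a scratch directory instead of the live host.

```shell
#!/bin/sh
# Added example (not from the original post): verify the saslauthd socket
# layout a chrooted Postfix smtpd needs.
#
# Usage: check_sasl_chroot [chroot_dir] [symlink] [sasl_group] [postfix_user]
# Returns 0 when every check passes, 1 otherwise, and prints what is wrong.

check_sasl_chroot() {
    chroot_dir="${1:-/var/spool/postfix}"
    link="${2:-/var/run/saslauthd}"
    sasl_group="${3:-sasl}"
    postfix_user="${4:-postfix}"
    sockdir="$chroot_dir/var/run/saslauthd"
    status=0

    # The socket directory must live inside the chroot; otherwise smtpd logs
    # "cannot connect to saslauthd server: No such file or directory".
    if [ ! -d "$sockdir" ]; then
        echo "MISSING: $sockdir (mkdir -p $sockdir)"
        status=1
    else
        # The directory must belong to the sasl group and the group needs
        # search (x) permission, otherwise smtpd gets "Permission denied".
        perms=$(ls -ld "$sockdir" | awk '{print $1}')
        group=$(ls -ld "$sockdir" | awk '{print $4}')
        if [ "$group" != "$sasl_group" ]; then
            echo "WRONG GROUP: $sockdir is group $group, expected $sasl_group"
            status=1
        fi
        case "$(printf '%s' "$perms" | cut -c5-7)" in
            *x*) ;;
            *) echo "NO GROUP ACCESS: $sockdir mode $perms"; status=1 ;;
        esac
        # The mux socket only appears once saslauthd is running, so its
        # absence is reported but does not fail the check.
        [ -S "$sockdir/mux" ] || echo "NOTE: no $sockdir/mux yet (saslauthd not started?)"
    fi

    # /var/run/saslauthd must resolve to the directory inside the chroot so
    # saslauthd creates its socket where smtpd will look for it.
    if [ ! -L "$link" ] || [ ! "$(readlink "$link")" = "$sockdir" ]; then
        echo "BAD LINK: $link should be a symlink to $sockdir"
        status=1
    fi

    # Membership in the sasl group is what lets the postfix user open the socket.
    if ! id -nG "$postfix_user" 2>/dev/null | tr ' ' '\n' | grep -qx "$sasl_group"; then
        echo "NOT IN GROUP: $postfix_user is not in group $sasl_group (adduser $postfix_user $sasl_group)"
        status=1
    fi

    return "$status"
}

# To check the live host with the post's defaults: sh check_sasl.sh --live
if [ "${1:-}" = "--live" ]; then
    check_sasl_chroot
fi
```

Once saslauthd is running, `testsaslauthd -u username -p password -f /var/spool/postfix/var/run/saslauthd/mux` (from sasl2-bin) exercises the daemon through the same socket, which separates a saslauthd or PAM problem from a Postfix chroot problem. Remember that the `adduser postfix sasl` group change is only picked up by Postfix after it has been restarted.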


Now restart Postfix and start saslauthd:

$ sudo /etc/init.d/postfix restart
$ sudo /etc/init.d/saslauthd start


Finally we test it using telnet. We need Perl to generate the base64-encoded strings for the SASL LOGIN exchange (base64 is only an encoding, not encryption, so the password is sent in the clear unless the session uses TLS):

$ perl -MMIME::Base64 -e 'print encode_base64("username");'
dXNlcm5hbWU=
$ perl -MMIME::Base64 -e 'print encode_base64("password");'
cGFzc3dvcmQ=


Then use telnet:

$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 localhost ESMTP Mailserver
ehlo localhost
250-localhost
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250-AUTH=NTLM LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250 8BITMIME
AUTH LOGIN
334 VXNlcm5hbWU6
dXNlcm5hbWU=
334 UGFzc3dvcmQ6
cGFzc3dvcmQ=
235 Authentication successful
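The two `334` lines in the session above are base64 as well: the server is prompting with "Username:" and "Password:". The following helper, an added example rather than something from the original post, builds the client side of that AUTH LOGIN dialog with the coreutils `base64` tool instead of Perl, decodes the server challenges, and goes one step beyond the post by also building the single-line credential for AUTH PLAIN, which the server advertises next to LOGIN. The user name and password are the same placeholders used above.

```shell
#!/bin/sh
# Added example (not from the original post): the base64 strings behind the
# AUTH LOGIN / AUTH PLAIN exchange. Base64 is an encoding, not encryption,
# so these strings are the password in the clear unless the session is
# protected by TLS.

# Encode one LOGIN step (user name or password) without a trailing newline.
login_b64() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# AUTH PLAIN sends authzid, authcid and password in one base64 blob,
# separated by NUL bytes; the authzid is left empty here.
plain_b64() {
    printf '\0%s\0%s' "$1" "$2" | base64 | tr -d '\n'
}

# Decode a "334 <base64>" server challenge to see what it is asking for.
decode_challenge() {
    printf '%s' "${1#334 }" | base64 -d
}

# Print the client side of the AUTH LOGIN dialog, ready to paste into telnet.
auth_login_dialog() {
    printf 'AUTH LOGIN\n%s\n%s\n' "$(login_b64 "$1")" "$(login_b64 "$2")"
}

# Run directly: sh sasl_strings.sh --demo
if [ "${1:-}" = "--demo" ]; then
    decode_challenge '334 VXNlcm5hbWU6'; echo
    decode_challenge '334 UGFzc3dvcmQ6'; echo
    auth_login_dialog username password
    printf 'AUTH PLAIN %s\n' "$(plain_b64 username password)"
fi
```

`tr -d '\n'` strips the line wrapping that `base64` adds for longer inputs, so the functions also work for credentials longer than the 76-character wrap limit.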


If it doesn’t work, check your log files. If you get something like this:

SASL authentication failure: cannot connect to saslauthd server: Permission denied

SASL authentication failure: cannot connect to saslauthd server: No such file or directory

SASL LOGIN authentication failed: generic failure

then smtpd cannot reach the saslauthd socket from inside the chroot: check the permissions and group of /var/spool/postfix/var/run/saslauthd, that saslauthd is running and has created its mux socket there, and that the postfix user is in the sasl group (Postfix only sees the new group after a restart).




coded by nessus