Copyright © 2002, 2003, 2004 Patrick Koetter
|Revision 1.42||June, 22 2004||PK|
|Fixed a typo in Section 7. Thanks to Jim Woodworth.|
|Revision 1.41||April, 4. 2004||PK|
|Updated the link to SASL Clients. Thanks to Michael Bunk.|
|Revision 1.4||October, 1. 2003||PK|
|Added some debug information to tell if saslauthd was started correctly.|
|Revision 1.3||July, 31. 2003||PK|
|Added short explanations for Cyrus-SASL-2.x users.|
|Revision 1.2.2||April, 15 2003||PK|
|Added english wishlist to provide english interface for payment process.|
|Revision 1.2.1||April, 8. 2003||PK|
|Added link to my wishlist, removed downloadable formats because the number of wget clients doesn't decrease.|
|Revision 1.2||March, 13. 2003||PK|
|Rewrote the source to DocBook XML, Added SMTP AUTH for mail servers, Added a Mini-FAQ section|
|Revision 1.1.1||May, 11. 2002||PK|
|Fixed misleading path statement in SASL RPM install (reported by Frank Jones)|
|Revision 1.1||May, 10. 2002||PK|
|Beefed up TLS support, cleanup, fixed lots of mistypings|
|Revision 1.0||May, 09. 2002||PK|
|Initial Version for RedHat Users (without Authentication for Mailservers)|
Table of Contents
This HOWTO will help you deploy SMTP AUTH for Postfix. It will explain installation, configuration and use of the softwares needed (Cyrus-SASL, TLS and Postfix) for this solution.
Postfix 2.x and Cyrus-SASL-2.x users!
This HOWTO was written for Postfix 1.x and Cyrus-SASL-1.5.x. With the arrival of Cyrus-SASL-2.x some minor, but important changes were made to configuration options.
For now I put these changes as important notes, just as this one, in this HOWTO until I find time to rewrite it completely. At the earliest this will be after Ralf and I have finished the Postfix Book.
This HOWTO will help you deploy a method that is called SMTP AUTH in conjunction with Postfix. It will explain installation, configuration and use of the softwares needed (Cyrus-SASL©, TLS and Postfix©) for this solution. Before you decide on using this method, read if you can do with less.
If you want to relay messages from everywhere in the world using only one (your) SMTP server you usually run into trouble. The servers relay permissions check your IP if it belongs to a trusted network (e.g. a range of IP Addresses). From the SMTP servers point of view you try to send from an untrusted network when you dial-up.
Each time a user wants to relay from an IP Address unknown to the system, she adds the IP to the relay net, restarts the SMTP server and sends her mail. After messaging is done she removes the IP and restarts the SMTP server once more.
This is by far the most insecure solution. Though possible, you would have to permit shell access to users and teach them how to deal with the system. It won't work for those who focus on the computing and not the computer...
A service/script runs on the SMTP server that will add IPs of users that have successfully authenticated to their POP3 or IMAP server. The service/script will write the IP of those users to a file or database. Since they are valid users to the pop/imap server they must also be valid users to the SMTP server. When they send messages after the pop/imap the SMTP server also looks up the file or database that the pop/imap server has written to and if the IP is found in there the client may relay messages. After a certain period the IP expires and is removed from the file/database.
This will not work easily with common Mail clients, as not all of them come with built-in support for SMTP-After-POP. There are workarounds on the net, but solution may require expensive configuration and/or constant support.
This approach uses a totally different, IP independent method. Instead of checking the IP of the Mail client and comparing it to a range of permitted IP Addresses, the Mail client authenticates itself providing username and password to the mail server (or sharing a secret with it). These credentials are compared to a source that the mail server has access to and if valid data has been provided, the mail server will permit relaying.
This HOWTO will help you to enable Postfix to provide SMTP AUTH using Cyrus-SASL©. Read about the benefits of using SMTP AUTH and how SMTP AUTH is being processed before you will find out what steps you will have to go to deploy your specific SMTP AUTH solution.