Securing Postfix on RH9 with SMTP AUTH


CanadaMan
05-25-2004, 05:44 PM
Hi All,

I've been trying for several days to set up an email server using Postfix and secured against spammers with SMTP AUTH using the RPMs included with Red Hat 9. So far no luck. POP3 and IMAP are already secured.

Although I'm not 100% sure I think I'm using the Cyrus implementation of SASL to enable SMTP AUTH. The problem is I cannot get the Postfix server to require authentication before accepting mail for delivery.

I have yet to find a decent tutorial on how to do this with Redhat. Red Hat's own documentation is from 2000 and doesn't even mention SMTP AUTH.

Here's what I've looked at
http://tldp.org/HOWTO/Postfix-Cyrus-Web-cyradm-HOWTO/
http://postfix.state-of-mind.de/patrick.koetter/smtpauth/
http://www.thecabal.org/~devin/postfix/smtp-auth.txt
http://dudle.linuxroot.org/docs/postfix_cyrus/

None of them has been able to answer my questions. I find it hard to believe that no one else on Red Hat is using this setup.

What I've done so far is add this to the end of my main.cf file
# Other configurable parameters
# server
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_recipient_restrictions = permit_sasl_authenticated, check_relay_domains
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_client_restrictions = permit_sasl_authenticated
smtpd_delay_reject = yes
# client
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/saslpass

I've also removed Postfix from the chroot jail to ensure it can read the libraries it needs.

This triggers authentication in Thunderbird 0.6 but won't authenticate. Outlook Express can send anything without authentication. I've set up a SASL database and it does get accessed when Thunderbird tries to send. Why the authentication fails I don't know.

Can anyone point me in the right direction?

Thanks!

mdwatts
05-26-2004, 12:04 PM
Not that I know anything about Postfix and SMTP Authentication, but do you have any error messages you could post just in case another JL member can possibly help?

CanadaMan
05-26-2004, 01:05 PM
mdwatts,

This is one of the big problems I'm having. Since the SASL authentication doesn't get triggered there is no error message. It's as if there is no authentication requirement at all.

When a client connects, Postfix sends a bunch of messages beginning with 250 to tell the client what services are available. The AUTH service is one of these and Thunderbird will use it but Outlook does not. Postfix isn't requiring its use so a message can be sent anywhere without authenticating. I need some sort of REQUIRE AUTH setting so that unauthorized messages are rejected. It should be permit_sasl_authenticated but obviously it's not working and I haven't been able to find a list of settings for SASL with Postfix anywhere.

Do you know of a forum frequented by Red Hat admins I could ask about this?
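The relay question raised in this post, as an added example that is not part of the original thread: a small Python check that walks smtpd_recipient_restrictions the way Postfix evaluates it (in order, first decision wins) for a client that has not authenticated. THREAD_CF reuses the restriction line from the first post; STRICT_CF, the function names and the verdict strings are constructed for illustration.

```python
import re

# Constructed sample: the server-side restriction line from the first post.
THREAD_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, check_relay_domains
"""
# Constructed sample: a list that ends in an unconditional relay check.
STRICT_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
"""

def parse_main_cf(text):
    """Return {name: value}; handles comments, continuation lines, overrides."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last is not None:    # continues the previous value
            params[last] = (params[last] + " " + raw.strip()).strip()
        elif "=" in raw:
            name, _, value = raw.partition("=")
            last = name.strip()
            params[last] = value.strip()              # a later assignment wins
    return params

def relay_verdict(text):
    """Verdict for a client that has not authenticated, is outside mynetworks,
    and addresses a recipient in a remote domain."""
    value = parse_main_cf(text).get("smtpd_recipient_restrictions", "")
    for rule in filter(None, re.split(r"[,\s]+", value)):
        if rule in ("permit_sasl_authenticated", "permit_mynetworks"):
            continue                                  # does not match this client
        if rule in ("reject_unauth_destination", "reject", "defer"):
            return "rejected"
        if rule == "permit":
            return "relayed"
        if rule == "check_relay_domains":
            return "depends on client hostname"       # permits hosts under relay_domains
        # any other restriction: assumed not to decide this case
    return "no decision"

if __name__ == "__main__":
    for name, cf in (("thread", THREAD_CF), ("strict", STRICT_CF)):
        print(name, "->", relay_verdict(cf))
```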

mdwatts
05-26-2004, 01:26 PM
Originally posted by CanadaMan

Do you know of a forum frequented by Red Hat admins I could ask about this?

Does Redhat or Fedora have any user forums listed on their sites? You could try searching G4L ( www.google.com/linux ) for 'redhat forum' to see if you can spot one.

CanadaMan
05-26-2004, 07:50 PM
Following your tip to google linux, I tried restricting my searches to the redhat.com domain. A search for Postfix and SASL popped up some threads on their mailing lists. After a bit of digging I found a post with a link to, of all things, a bug report attachment on bugzilla.redhat.com.

https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=94312

It seems to be exactly what I'm looking for although I haven't gotten it working yet. It's a little confusing as to using pam vs sasldb but I think it's one or the other and not both at the same time.

Another thing I've discovered is that the settings seem to be buried in the sample config files provided in /usr/share/doc/postfix-1.1.12/samples. I've never seen that before.

Right now I think the requirement for SASL is there. I can't send/relay mail to another host without authenticating. But now I can't get authentication to work with Thunderbird. Not sure why. The error messages I get in /var/log/maillog are

May 26 16:45:34 foo postfix/smtpd[5987]: warning: xxx.xxx.197.55: hostname 55.foo.com verification failed: Host not found
May 26 16:45:34 foo postfix/smtpd[5987]: connect from unknown[xxx.xxx.197.55]
May 26 16:45:46 foo postfix/smtpd[5987]: warning: unknown[xxx.xxx.197.55]: SASL CRAM-MD5 authentication failed
May 26 16:45:57 foo postfix/smtpd[5987]: lost connection after AUTH from unknown[xxx.xxx.197.55]
May 26 16:45:57 foo postfix/smtpd[5987]: disconnect from unknown[xxx.xxx.197.55]

I don't think the 55.foo.com verification failed is a big problem as it's covered under mynetworks_style=subnet. But why the authentication fails escapes me. Thunderbird 0.6 on Linux should support this.

I'll keep working on it but any ideas would be great.

Thanks!
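The maillog warnings in the post above are also what an admin would watch once SMTP AUTH is live. As an added example (not part of the original thread), this Python snippet counts "SASL ... authentication failed" warnings per client and mechanism, which separates one misconfigured mail client from repeated password guessing. The sample lines are constructed in the same format with documentation IP addresses; the function names and the threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the format of the maillog excerpt (documentation IPs).
SAMPLE = """\
May 26 16:45:34 foo postfix/smtpd[5987]: connect from unknown[192.0.2.55]
May 26 16:45:46 foo postfix/smtpd[5987]: warning: unknown[192.0.2.55]: SASL CRAM-MD5 authentication failed
May 26 16:45:57 foo postfix/smtpd[5987]: lost connection after AUTH from unknown[192.0.2.55]
May 26 16:46:02 foo postfix/smtpd[5990]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed
May 26 16:46:03 foo postfix/smtpd[5990]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed
May 26 16:46:04 foo postfix/smtpd[5990]: warning: unknown[198.51.100.7]: SASL PLAIN authentication failed
May 26 16:46:09 foo postfix/qmgr[5901]: 3F2A1: removed
"""

# Matches the smtpd warning and captures client name, address and SASL mechanism.
FAILED = re.compile(
    r"postfix/smtpd\[\d+\]: warning: (?P<host>\S+)\[(?P<ip>[^\]]+)\]: "
    r"SASL (?P<mech>\S+) authentication failed")

def sasl_failures(log_text):
    """Count failed SASL attempts per (client IP, mechanism)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            counts[(m["ip"], m["mech"])] += 1
    return counts

def noisy_clients(log_text, threshold=3):
    """Client IPs with at least `threshold` failures across all mechanisms."""
    per_ip = Counter()
    for (ip, _mech), n in sasl_failures(log_text).items():
        per_ip[ip] += n
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)

if __name__ == "__main__":
    for (ip, mech), n in sorted(sasl_failures(SAMPLE).items()):
        print(f"{ip:15} {mech:10} {n}")
    print("over threshold:", noisy_clients(SAMPLE))
```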

mdwatts
05-27-2004, 02:33 PM
Originally posted by CanadaMan

I don't think the 55.foo.com verification failed is a big problem as it's covered under mynetworks_style=subnet. But why the authentication fails escapes me. Thunderbird 0.6 on Linux should support this.

I'll keep working on it but any ideas would be great.


Have you verified that Thunderbird 0.6 does indeed support SMTP Authentication? Tried other Linux email clients that are known to support SMTP Auth?

Though I'm not running a mail server at home, at one time I had to switch from using Kmail as my email client to Sylpheed as the version of Kmail at that time did not support SMTP Auth (which my ISP now required) and Sylpheed did. Now that Kmail (KDE 3) supports SMTP Authentication, I've switched back to Kmail.

j79zlr
05-27-2004, 05:17 PM
Thunderbird does support SMTP authentication. My ISP requires it and I use TB ;)

CanadaMan
05-27-2004, 07:34 PM
I finally got this working. And wouldn't you know it, the answer was right in front of me the whole time.

This document
/usr/share/doc/postfix-1.1.12/README-Postifx-SASL-RedHat.txt

was all I needed to find. Just follow the instructions. Never mind that Red Hat never mentions it anywhere. I found it purely by accident. There are also some important settings detailed in the various sample files in the sample directory. In no particular order. (grep, anyone?)

The moral here is to look not only at the man pages but also at the docs installed by the RPM. And run a find command for the protocol name just for fun.

mdwatts
05-28-2004, 12:05 PM
Originally posted by CanadaMan
I finally got this working. And wouldn't you know it, the answer was right in front of me the whole time.

This document
/usr/share/doc/postfix-1.1.12/README-Postifx-SASL-RedHat.txt

was all I needed to find. Just follow the instructions. Never mind that Red Hat never mentions it anywhere. I found it purely by accident. There are also some important settings detailed in the various sample files in the sample directory. In no particular order. (grep, anyone?)

The moral here is to look not only at the man pages but also at the docs installed by the RPM. And run a find command for the protocol name just for fun.

Reading the documentation installed with the package is something I often suggest here.

Mine (SuSE) would be
/usr/share/doc/packages/postfix/README_FILES/SASL_README

That plus all the HOW-TO's installed in /usr/share/doc/howto. My distro must install around half a gig of documentation.

Good job and glad you got it working.