How to use Postfix SASL authentication


SMTP servers must decide whether an SMTP client is authorized to send e-mail that the server is responsible for.

Simple Authentication and Security Layer (SASL) Integration in Postfix


This guide describes how to extend the Postfix MTA (Mail Transfer Agent) on CentOS 7 with Cyrus-SASL for SMTP authentication (SMTP-Auth), so that clients can send e-mail using SMTP-Auth. The procedure was verified on CentOS Linux release 7.7.1908 (Core) with Postfix v2.10.1 and Cyrus-SASL 2.1.26. It is assumed that Postfix is already configured and that Transport Layer Security (TLS) is already set up.

Postfix does not implement SASL itself but uses existing implementations as building blocks. Consequently some SASL-related configuration files belong to Postfix, while others belong to the SASL implementation that Postfix uses.

How to Install Cyrus-SASL

As root, install the packages with the following command:

yum install cyrus-sasl cyrus-sasl-plain -y

The individual SASL mechanisms are installed as RPMs.

Next comes the Postfix integration; for this, add the following service to the file /etc/postfix/master.cf:

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

For Postfix to work with SASL, the smtpd process must not run chrooted, since it would otherwise not reach the saslauthd socket under /run/saslauthd; the fifth column (chroot) of the smtps line is therefore set to n.

To configure SMTP-Auth for local users, edit the Postfix file /etc/postfix/main.cf:

# no: AUTH is also offered on unencrypted connections; yes offers AUTH only after STARTTLS
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtpd_sasl_auth_enable = yes
# smtp_* parameters (without the d) apply to the Postfix SMTP client, not to the server
smtp_sasl_mechanism_filter = !gssapi, !login, static:all
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = cyrus
smtpd_sasl_path = smtpd

Cyrus-SASL is configured through two files. The first, /etc/sysconfig/saslauthd, can be used as installed:

# Directory in which to place saslauthd's listening socket, pid file, and so
# on.  This directory must already exist.
SOCKETDIR=/run/saslauthd

# Mechanism to use when checking passwords.  Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled with the ability to use.
MECH=pam

# Additional flags to pass to saslauthd on the command line.  See saslauthd(8)
# for the list of accepted flags.
FLAGS=

The SASL mechanisms PLAIN, LOGIN, CRAM-MD5 and DIGEST-MD5 are commonly used; they are configured in /etc/sasl2/smtpd.conf, which was also placed there during installation:

pwcheck_method: saslauthd
# CRAM-MD5 and DIGEST-MD5 need access to the stored password (an auxprop plugin);
# with pwcheck_method saslauthd only plain and login can actually succeed
mech_list: plain login CRAM-MD5 DIGEST-MD5

Now start the Cyrus-SASL authentication daemon, enable it at boot in systemd, and restart Postfix:

systemctl start saslauthd
systemctl enable saslauthd
systemctl restart postfix

SMTP submission on port 587 is now available, which can be verified with the following command:

ss -tuln4 | grep 587
tcp   LISTEN      0      100         *:587         *:*

To authenticate to the SMTP gateway, a user is now created that will send e-mail through the MTA:

adduser -M -s /sbin/nologin User24
passwd User24

A local user account is sufficient for our purposes here; Cyrus-SASL can also use LDAP and SQL back ends, for example to integrate with Kopano or an Active Directory service.

Testing Cyrus-SASL SMTP-Auth

The authentication mechanisms offered inside STARTTLS can be checked with OpenSSL:

openssl s_client -connect mail.relayhost.net:587 -starttls smtp

In the openssl session, send an EHLO:

EHLO Hans
250-mail.relayhost.net
250-PIPELINING
250-SIZE 27262976
250-ETRN
250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

If OpenSSL is not available, telnet can be used instead to connect to the gateway mail.relayhost.net on port 587; PuTTY or KiTTY also serve the purpose.

KiTTY Configuration

Now we want to authenticate to the gateway (MTA). The user name and password must be sent to the SMTP gateway base64-encoded; the following commands produce the base64 encoding of the user name and of the password:

echo -en "userxy" | base64
dXNlcnh5
echo -en "password" | base64
cGFzc3dvcmQ=

The SASL SMTP-Auth configuration and the authentication itself are checked by entering the following lines in the terminal: after AUTH LOGIN, supply the base64-encoded user name and then the base64-encoded password.

AUTH LOGIN
dXNlcnh5
cGFzc3dvcmQ=

telnet mail.relayhost.net 25
Trying mail.relayhost.net...
Connected to mail.relayhost.net
Escape character is '^]'.
220 mail.relayhost.net ESMTP MAIL Service ready at Sat, 12 Mar 2019 09:26:12
EHLO smtp.example.com
250-smtp.example.com Hello
250-AUTH=LOGIN
250-AUTH LOGIN
250-TURN
250-SIZE 2097152
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250 OK
AUTH LOGIN
334 VXNlcm5hbWU6
dXNlcnh5
334 UGFzc3dvcmQ6
cGFzc3dvcmQ=
235 2.7.0 Authentication successful

SMTP-Auth output of Postfix with Cyrus-SASL.

Insert the encoded credentials at the two 334 prompts: first the encoded user name userxy, then the encoded password.

A 250-STARTTLS line in the EHLO output shows that the prerequisite is in place for the plaintext user name and password to be transmitted to the SMTP gateway protected by STARTTLS.
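The checks in this section can also be scripted. The following Python helper is an added example, not code from the article: it parses an EHLO reply like the ones above, lists the advertised AUTH mechanisms, builds the base64 lines for AUTH LOGIN and the AUTH PLAIN initial response, decodes the 334 challenges, and flags a gateway that offers AUTH before STARTTLS, which is what smtpd_tls_auth_only = no permits. The embedded EHLO replies are constructed from the article's output, and mail.relayhost.net is the article's placeholder host.

```python
import base64

# Constructed EHLO replies modelled on this article's sessions, not captured from a real host.
EHLO_BEFORE_STARTTLS = "250-mail.relayhost.net\n250-STARTTLS\n250 DSN"
EHLO_AFTER_STARTTLS = """250-mail.relayhost.net
250-PIPELINING
250-SIZE 27262976
250-ETRN
250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

def parse_ehlo(reply: str) -> dict:
    """Map each advertised ESMTP extension keyword (upper-cased) to its parameters.
    The first line is the greeting; the legacy 'AUTH=LOGIN' spelling is folded into AUTH."""
    ext = {}
    for line in reply.splitlines()[1:]:
        body = line[4:].strip()                  # drop the "250-" / "250 " prefix
        if body.upper().startswith("AUTH="):
            body = "AUTH " + body[5:]
        keyword, _, params = body.partition(" ")
        ext[keyword.upper()] = params
    return ext

def auth_mechanisms(reply: str) -> list:
    """Mechanisms the server offers, e.g. ['PLAIN', 'LOGIN', 'CRAM-MD5', 'DIGEST-MD5']."""
    return parse_ehlo(reply).get("AUTH", "").upper().split()

def login_steps(user: str, password: str) -> list:
    """The two client lines sent after AUTH LOGIN: user name and password, base64-encoded."""
    return [base64.b64encode(s.encode()).decode() for s in (user, password)]

def plain_initial_response(user: str, password: str) -> str:
    """AUTH PLAIN initial response (RFC 4616): base64(authzid NUL authcid NUL password)."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()

def decode_challenge(line: str) -> str:
    """Decode a '334 <base64>' server challenge, e.g. '334 VXNlcm5hbWU6' -> 'Username:'."""
    code, _, payload = line.partition(" ")
    if code != "334":
        raise ValueError(f"not a SASL challenge: {line!r}")
    return base64.b64decode(payload).decode()

def plaintext_auth_exposed(ehlo_before_tls: str) -> bool:
    """True if AUTH is offered before STARTTLS, which smtpd_tls_auth_only = no permits."""
    return bool(auth_mechanisms(ehlo_before_tls))
```

Feed it the EHLO replies captured before and after STARTTLS in the openssl session to confirm that the gateway only accepts credentials over TLS.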

Another easy way to test an SMTP gateway is SMTPConsole.

SMTPConsole
