Talk:Complete Virtual Mail Server/SMTP Authentication

Todo
Several things that can be considered todo for this section. A section to add postgres authentication directly cyrus-sasl, dovecot-sasl, which can be extra interesting when dovecot imap is used instead of cyrus sasl.

Using cyrus-sasl with courier-authlib
 courier-imap -----------\
                          +-> courier-authlib -> database
 postfix -> cyrus-sasl --/

I had to compile cyrus-sasl without database support (USE= -mysql -berkdb -postgres) to get the authentication working. I hope this helps somebody.

Postfix 2.10
Since postfix 2.10 (http://www.postfix.org/announcements/postfix-2.10.0.html), the smtpd_relay_restrictions and the smtpd_recipient_restrictions have been separated. The config should be something like this:


 * smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
 * smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks

I got errors with the above. A better relay_restrictions is:

 disable_vrfy_command = yes
 smtpd_delay_reject = yes
 smtpd_helo_required = yes
 smtpd_helo_restrictions = permit_sasl_authenticated permit_mynetworks,
     check_client_access hash:/usr/local/etc/postfix/broken_helo_clients,
     reject_non_fqdn_helo_hostname,
     reject_unknown_helo_hostname,
     reject_invalid_helo_hostname
 smtpd_client_restrictions = permit_sasl_authenticated permit_mynetworks,
     check_client_access hash:/usr/local/etc/postfix/broken_helo_clients,
     reject_unknown_client_hostname
 smtpd_sender_restrictions = permit_sasl_authenticated reject_non_fqdn_sender,
     reject_unknown_sender_domain
 smtpd_relay_restrictions = permit_sasl_authenticated permit_mynetworks,
     permit_sasl_authenticated,
     reject_unauth_destination
 smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks,
     permit_sasl_authenticated
 smtpd_data_restrictions = reject_unauth_pipelining

Using PAM pgsql
I had difficulties authenticating smtp connections using this setup.

From the Postfix SASL Howto:
 * The sql auxprop plugin is a generic SQL plugin. It provides access to credentials stored in a MySQL, PostgreSQL or SQLite database. This plugin requires that SASL client passwords are stored as plaintext.
 * If you must store encrypted passwords, you cannot use the sql auxprop plugin. Instead, see section "Using saslauthd with PAM", and configure PAM to look up the encrypted passwords with, for example, the pam_mysql module. You will not be able to use any of the methods that require access to plaintext passwords, such as the shared-secret methods CRAM-MD5 and DIGEST-MD5.

To get the pam_pgsql setup working the following is required:

Lemmerk (talk) 08:30, 13 February 2014 (UTC)
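Why the quoted Howto passage rules out CRAM-MD5 once passwords are stored hashed, as an added example that is not part of the comment above or of the Postfix documentation. The function names, the sample user and challenge, and the use of PBKDF2 as a stand-in for the database's password hash are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def cram_md5_response(user, password, challenge):
    """Client: answer the challenge with HMAC-MD5 keyed by the password (RFC 2195)."""
    return user + " " + hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()

def verify_cram_md5(stored_secret, challenge, response):
    """Server: must recompute the same HMAC, so it needs the password itself as key."""
    _user, _, digest = response.rpartition(" ")
    expected = hmac.new(stored_secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)

def hash_password(password, salt=None):
    """One-way storage. PBKDF2 is a stand-in for whatever hash the database holds."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def verify_plain(stored, presented):
    """PLAIN/LOGIN via saslauthd and PAM: the password arrives in clear, so re-hash it."""
    salt, digest = stored
    return hmac.compare_digest(hash_password(presented, salt)[1], digest)

def demo():
    password = "correct horse"                        # constructed sample credential
    challenge = b"<12345.1392280200@mx.example.org>"  # constructed server challenge
    response = cram_md5_response("alice", password, challenge)
    stored = hash_password(password)
    return {
        "cram_md5, plaintext stored": verify_cram_md5(password, challenge, response),
        # With only a hash on file there is no usable HMAC key: this check fails.
        "cram_md5, hash stored": verify_cram_md5(stored[1].hex(), challenge, response),
        "plain, hash stored": verify_plain(stored, password),
        "plain, wrong password": verify_plain(stored, "guess"),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:28} -> {'accepted' if ok else 'rejected'}")
```

Because PLAIN and LOGIN send the password itself, they should only be offered over TLS when this setup is used.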

cyrus-sasl fail
I cannot get even cyrus-sasl to compile.

 Calculating dependencies... done!
 [ebuild  R    ] dev-libs/cyrus-sasl-2.1.26-r9  USE="authdaemond*"

 >>> Failed to execute postinst for dev-libs/cyrus-sasl-2.1.26-r9
 >>> Jobs: 1 of 1 complete                          Load avg: 1.09, 0.38, 0.22

 * Messages for package dev-libs/cyrus-sasl-2.1.26-r9:
 * FAILED postinst: 1
 * ERROR: dev-libs/cyrus-sasl-2.1.26-r9::gentoo failed (postinst phase):
 *  Failed to generate sasldb2

/var/tmp/portage/dev-libs/cyrus-sasl-2.1.26-r9/temp/build.log: No such file or directory
 * 1) less /var/tmp/portage/dev-libs/cyrus-sasl-2.1.26-r9/temp/build.log

Will file a bug report. See https://bugs.gentoo.org/show_bug.cgi?id=192753#c10

Rico666 (talk) 09:25, 25 June 2015 (UTC)