Complete Virtual Mail Server/SMTP Authentication

Introducing
So far only localhost is allowed to send mail. Unfortunately postfix cannot work with courier-authlib directly. An intermediary solution exists however,. There are three ways cyrus-sasl can get authentication information. Either directly from the database, locally or remotely. A setup using this approach would look like this. courier-imap -> courier-authlib --\ +--> database postfix --> cyrus-sasl ---/

Making things only slightly more complex, cyrus-sasl can be used to communicate through courier-authlib and thus letting courier-authlib do the authentication.

courier-imap ---\ +-> courier-authlib -> database postfix -> cyrus-sasl --/

Ideally the last option would be used solution, as one authentication back-end would be used, courier-authlib. The cyrus-sasl plugin to talk to courier-authlib however will only work via a unix socket and thus if courier-authlib is not running on the same host as cyrus-sasl this would not work. The first approach should thus only be used if courier-authlib can not be used.

Installing cyrus-sasl
A key feature of cyrus-sasl that is required is the crypt useflag. It needs to be enabled or crypted passwords from the database cannot be authenticated with. Cyrus-sasl with the correct useflag should have been pulled in earlier whilst emerging postfix. Note that the Gentoo patch to support crypted passwords directly from the database is not available for >cyrus-sasl-2.1.23, therefore go via courier-authlib when using such a version.

Configuring postfix with cyrus-sasl
Postfix needs a few options to tell it to use sasl in its. These are not mentioned in the config file so they should be added.

with authdaemond
Postfix queries the socket created by authdaemond which is protected by the mail user and group and thus postfix needs to be granted access.

Next cyrus-sasl needs to be told to authenticate with authdaemond.

Testing
To verify sasl support telnet can be used to check for the AUTH statement.

Next test is to use a remote host and try to login to send a test message.

If perl with the base64 module is installed, it can be used to generate base64 encoded data. Otherwise base64 conversion can be done online. Again, be very careful when using production data on untrusted sites.

Wrapping it up
Once everything is working as expected, debugging can be disabled (or the line can be removed entirely even).

Optional smtpd_sasl_authenticated_header can be disabled again. It is very handy for tracking down mailing issues from users. It can however be potentially a security issue, as mentioned above, the users login name is written in the header. On the other hand, if the login name is the local_part of the e-mail address or even the e-mail address then the login name is are already known anyway so no big harm there, right? Some caution is advised, but it shouldn't be a huge issue.