Postfix as a SASL authenticated, TLS enabled Relay

Postfix is a well established, open source mail transfer agent (MTA) that routes and delivers email. One of its main strengths compared to other MTAs like Sendmail, is its ease of operation and fairly straight forward, plain text configuration.

Postfix routes mail only from clients in trusted networks, from clients that have authenticated with SASL, or to domains that are configured as authorized relay destinations.[1]

In this post we are going to configure Postfix as a SMTP relay to Mailgun's edge SMTP API (although this will work to any other SMTP endpoint, given the correct credentials) using Simple Authentication Security Layer (SASL) on Ubuntu Linux.

First, let's install some prerequisites and the postfix server:

$ apt install libsasl2-modules sasl2-bin postfix

To verify what SASL plugins the Postfix installation supports, run:

$ postconf -a cyrus dovecot $ postconf -A cyrus

From the above output we can see that the server side of Postfix supports both Cyrus and Dovecot SASL, where the client side supports only Cyrus SASL, at least in this prepackaged version of Postfix.

There are two important configuration files that drive the Postfix server - master.cf and main.cf.

The master.cf configures all of Postfix subsystems like smtpd, the queue, relay, cleaned etc. This is where we specify if the Postfix subsystem will run in a jailed environments, if we desire verbose logging and on what ports (besides port 25) we would like the SMTP server to listen to.

Here's an example showing SMTP running in a chroot jail using verbose logging and listening on port 25 AND 2525:

$ head -13 /etc/postfix/master.cf # # Postfix master process configuration file. For details on the format # of the file, see the master(5) manual page (command: "man 5 master" or # on-line: http://www.postfix.org/master.5.html). # # Do not forget to execute "postfix reload" after editing this file. # # ========================================================================== # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (no) (never) (100) # ========================================================================== smtp inet n - y - 1000 smtpd -v 2525 inet n - y - 1000 smtpd

The main.cf configuration file specifies a small subset of all configuration options that control most of Postfix . Parameters not explicitly specified are left at their default values [2].

Bellow is a working configuration of Postfix as a Relay, using TLS and SASL for authentication, with some tuning parameters as an example:

$ cat /etc/postfix/main.cf

# General smtpd_banner = SMTP at Your Compmany biff = no append_dot_mydomain = no readme_directory = no

# TLS parameters smtpd_tls_cert_file=/etc/ssl/certs/yourcompany.org.crt smtpd_tls_key_file=/etc/ssl/certs/yourcompany.org.key smtpd_use_tls=yes smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# Server smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination myhostname = postfix-server.yourcompany.org alias_maps = hash:/etc/aliases alias_database = hash:/etc/aliases myorigin = /etc/mailname mydestination = $myhostname, postfix-server.yourcompany.org, localhost.yourcompany.org, $mydomain, localhost mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 mailbox_size_limit = 0 recipient_delimiter = + inet_interfaces = all inet_protocols = ipv4

# Client relayhost = [smtp.mailgun.org] smtp_sasl_auth_enable = yes smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd smtp_sasl_security_options = noanonymous smtp_sasl_tls_security_options = noanonymous #smtp_tls_security_level = encrypt smtpd_tls_auth_only = no header_size_limit = 4096000 broken_sasl_auth_clients = yes smtpd_sasl_auth_enable = yes

# Tuning default_process_limit = 100 smtpd_client_connection_count_limit = 600 in_flow_delay = 0s initial_destination_concurrency = 400 default_destination_concurrency_limit = 600 smtp_destination_concurrency_limit = 600

Please see [2] for detailed explanation on what all of the above configuration options do, but for the purpose of this post let's focus on the Client side of the config, responsible for authenticating Postfix with the upstream SMTP server to which it will relay mail.

First, we specify the upstream server we want our Postfix server to relay to (line 30). Next, we enable SASL and specify the credential file that will be used to pass to the relay host (lines 31 and 32).

The plain text sasl_passwd file looks like the following:

$ cat /etc/postfix/sasl_passwd [smtp.mailgun.org] [email protected]:credentials_for_domain_from_mailgun [smtp.other.org] [email protected]:credentials_for_user_2 [smtp1.other.org] [email protected]:credentials_for_user_2

The first column contains the destination SMTP server to which Postfix will relay mail to. The second column specifies the credentials for the user domain (e.g. [email protected]).

To generate a hashed version of the file run:

$ chmod 600 /etc/postfix/sasl_passwd $ postmap /etc/postfix/sasl_passwd $ ls -la /etc/postfix/sasl_passwd* -rw------- 1 root root 362 Mar 19 21:19 /etc/postfix/sasl_passwd -rw------- 1 root root 12288 Mar 19 21:23 /etc/postfix/sasl_passwd.db

The file should be secured and only read by root (Postfix reads that file before it chroots and drops privileges).

Next, let's configure SASL on the server side of our Postfix installation - this will be authenticating SMTP request coming from the sending clients.

SASL is implemented separately from Postfix. Postfix uses client libraries to communicate with SASL enabled backends (Cyrus SASL's libsasl). There are various SASL implementations like Cyrus SASL and Dovecot, authentication backends and mechanisms, some requiring just a static file, others LDAP, or database access, and yet others connecting to a SASL password verification service, such as saslauthd.

To keep things simple we are going to use the Cyrus SASL with the sasldb auxiliary property plugin (auxprop), which is a static file on disk that does not require the use of the saslauthd service [3].

The configuration for the plugin looks like the following:

$ cat /etc/postfix/sasl/smtpd.conf pwcheck_method: auxprop auxprop_plugin: sasldb mech_list: PLAIN LOGIN

The third line specifies the authentication mechanisms that the plugin will expose and allow.

Next, we need to create the credentials for a client that will be allowed to connect to the Postfix server:

$ saslpasswd2 -c -u yourdomain.org user $ sasldblistusers2 [email protected]: userPassword $ cp /etc/sasldb2 /var/spool/postfix/etc/ $ chown postfix:sasl /var/spool/postfix/etc/sasldb2 $ chmod 660 /var/spool/postfix/etc/sasldb2

Because the packaged Postfix on Ubuntu runs in a chroot environment, we need to copy the password database so that Postfix can read it and adjust permissions (lines 5 and 6) and restart Postfix.

To test, connect to Postfix using telnet, netcat, swaks, or your favorite tool, and you should be able to see the enabled authentication methods:

./swaks --auth --server postfix-server.yourcompany.org --port 25 --au [email protected] --ap password_token_or_api_key --from [email protected] --to [email protected] --h-Subject: "Testing SMTP relay" --body 'Testing Postfix SASL relay' === Trying postfix-server.yourcompany.org:25... === Connected to postfix-server.yourcompany.org. <- 220 SMTP at Your Company -> EHLO user <- 250-AUTH PLAIN LOGIN <- 250-SIZE 52428800 <- 250-8BITMIME <- 250-ENHANCEDSTATUSCODES <- 250-SMTPUTF8 <- 250 STARTTLS -> AUTH LOGIN <- 334 VXNlcm5hbWU6 -> a29uc3RsdfhbnRpbkBwbdfsf3N0Z3VusdfLmNvbQ== <- 334 UGFzc3dvcmQ6 -> ZWI2M2Y0sdNzc1ZTRkYzZjMWUsdf2YWUwYjhkNDZhZWI2ZmYtYjljMTVmNGMtOffDgwNTk5NDE= <- 235 2.0.0 OK -> MAIL FROM:<[email protected]> <- 250 Sender address accepted -> RCPT TO:<[email protected]> <- 250 Recipient address accepted -> DATA <- 354 Continue -> Date: Thu, 19 Mar 2020 15:55:33 -0500 -> To: [email protected] -> From: [email protected] -> Subject: Testing SMTP relay -> X-Mailer: swaks v20130209.0 jetmore.org/john/code/swaks/ -> -> Testing Postfix SASL relay -> -> . <- 250 Great success -> QUIT <- 221 See you later. === Connection closed with remote host.

This minimal setup should be enough to create a TLS, SASL enabled Postfix relay.

If you prefer to use more scalable authentication backend such as LDAP or Postgres, you can use many of the available auxprop plugins, for example:

$ cat /etc/postfix/sasl/smtpd.conf pwcheck_method: auxprop auxprop_plugin: sql mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM sql_engine: pgsql sql_hostnames: 127.0.0.1, 192.0.2.1 sql_user: username sql_passwd: secret sql_database: dbname sql_select: SELECT password FROM users WHERE user = '%u@%r'

To leverage the saslauthd Cyrus SASL password verification service, we need the following configuration:

$ cat /etc/default/saslauthd START=yes PWDIR="/var/spool/postfix/var/run/saslauthd" PARAMS="-m ${PWDIR}" PIDFILE="${PWDIR}/saslauthd.pid" DESC="SASL Authentication Daemon" NAME="saslauthd" MECHANISMS="sasldb" MECH_OPTIONS="" THREADS=5 OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

In the above configuration the saslauthd process will use the sasldb file on disk as its authentication mechanism. In this case communication between the Postfix SMTP server - the Cyrus SASL's libsasl - and the saslauthd server happens over a UNIX-domain socket.

On Ubuntu, due to the fact that Postfix runs in a chroot environment we need to ensure it can talk to the saslauthd service:

$ dpkg-statoverride --force --update --add root sasl 755 /var/spool/postfix/var/run/saslauthd $ ln -s /etc/default/saslauthd /etc/saslauthd $ systemctl start saslauthd $ systemctl status saslauthd ● saslauthd.service - LSB: saslauthd startup script Loaded: loaded (/etc/init.d/saslauthd; bad; vendor preset: enabled) Active: active (running) since Wed 2020-03-18 19:31:33 UTC; 4 days ago Docs: man:systemd-sysv-generator(8) Process: 1333 ExecStart=/etc/init.d/saslauthd start (code=exited, status=0/SUCCESS) Tasks: 5 Memory: 5.0M CPU: 30ms CGroup: /system.slice/saslauthd.service ├─1463 /usr/sbin/saslauthd -a sasldb -c -m /var/spool/postfix/var/run/saslauthd -n 5 ├─1464 /usr/sbin/saslauthd -a sasldb -c -m /var/spool/postfix/var/run/saslauthd -n 5 ├─1465 /usr/sbin/saslauthd -a sasldb -c -m /var/spool/postfix/var/run/saslauthd -n 5 ├─1466 /usr/sbin/saslauthd -a sasldb -c -m /var/spool/postfix/var/run/saslauthd -n 5 └─1467 /usr/sbin/saslauthd -a sasldb -c -m /var/spool/postfix/var/run/saslauthd -n 5

Mar 18 19:31:33 postfix-server systemd[1]: Starting LSB: saslauthd startup script... Mar 18 19:31:33 postfix-server saslauthd[1333]: * Starting SASL Authentication Daemon saslauthd Mar 18 19:31:33 postfix-server saslauthd[1463]: detach_tty : master pid is: 1463 Mar 18 19:31:33 postfix-server saslauthd[1463]: ipc_init : listening on socket: /var/spool/postfix/var/run/saslauthd/mux Mar 18 19:31:33 postfix-server saslauthd[1333]: ...done. Mar 18 19:31:33 postfix-server systemd[1]: Started LSB: saslauthd startup script. $

To examine the complete configuration, run:

$ saslfinger -s saslfinger - postfix Cyrus sasl configuration Mon Mar 23 16:23:13 UTC 2020 version: 1.0.4 mode: server-side SMTP AUTH

-- basics -- Postfix: 3.1.0 System: Ubuntu 16.04.3 LTS \n \l

-- smtpd is linked to -- libsasl2.so.2 => /usr/lib/x86_64-linux-gnu/libsasl2.so.2 (0x00007f3c9db22000)

-- active SMTP AUTH and TLS parameters for smtpd -- broken_sasl_auth_clients = yes smtpd_sasl_auth_enable = yes smtpd_tls_auth_only = no smtpd_tls_cert_file = /etc/ssl/certs/yourcompany.org.crt smtpd_tls_key_file = /etc/ssl/certs/yourcompany.org.key smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtpd_use_tls = yes

-- listing of /usr/lib/sasl2 -- total 16 drwxr-xr-x 2 root root 4096 Mar 17 14:17 . drwxr-xr-x 71 root root 4096 Mar 18 06:52 .. -rw-r--r-- 1 root root 4 Mar 17 14:17 berkeley_db.active -rw-r--r-- 1 root root 4 Jan 28 11:32 berkeley_db.txt

-- listing of /etc/postfix/sasl -- total 12 drwxr-xr-x 2 root root 4096 Mar 18 13:58 . drwxr-xr-x 3 root root 4096 Mar 23 14:16 .. -rw-r--r-- 1 root root 70 Mar 18 13:58 smtpd.conf

-- content of /etc/postfix/sasl/smtpd.conf -- pwcheck_method: auxprop auxprop_plugin: sasldb mech_list: PLAIN LOGIN

-- active services in /etc/postfix/master.cf -- # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (no) (never) (100) smtp inet n - y - 1000 smtpd -v 2525 inet n - y - 1000 smtpd pickup unix n - y 60 1 pickup cleanup unix n - y - 0 cleanup qmgr unix n - n 300 1 qmgr tlsmgr unix - - y 1000? 1 tlsmgr rewrite unix - - y - - trivial-rewrite bounce unix - - y - 0 bounce defer unix - - y - 0 bounce trace unix - - y - 0 bounce verify unix - - y - 1 verify flush unix n - y 1000? 0 flush proxymap unix - - n - - proxymap proxywrite unix - - n - 1 proxymap smtp unix - - y - - smtp relay unix - - y - - smtp showq unix n - y - - showq error unix - - y - - error retry unix - - y - - error discard unix - - y - - discard local unix - n n - - local virtual unix - n n - - virtual lmtp unix - - y - - lmtp anvil unix - - y - 1 anvil scache unix - - y - 1 scache maildrop unix - n n - - pipe flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient} uucp unix - n n - - pipe flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) ifmail unix - n n - - pipe flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) bsmtp unix - n n - - pipe flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient scalemail-backend unix - n n - 2 pipe flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} mailman unix - n n - - pipe flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}

-- mechanisms on localhost -- 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN

-- end of saslfinger output --

[1]. http://www.postfix.org/SMTPD_ACCESS_README.html
[2]. http://www.postfix.org/postconf.5.html
[3]. https://www.cyrusimap.org/sasl/sasl/developer/plugprog.html#auxiliary-property-auxprop-plugins

Postfix as a SASL authenticated, TLS enabled Relay

Postfix as a SASL authenticated, TLS enabled Relay

Recommend

Postfix邮件系统-小白陈的博客

Postfix's default relay settings might be trouble

Connecting to freenode with irssi using SASL

Configure WeeChat WebSocket relay with TLS

password based authentication without TLS using SASL

Implementing TLS for postfix

Postfix别名邮件与SASL验证 - ZywOo

Kafka开启SASL认证【windowe详细版】 - Acelin_H

Kafka,Zookeeper集群使用SASL认证

SASL - 简单认证和安全层

About Joyk