{"id":94,"date":"2008-10-22T23:51:43","date_gmt":"2008-10-22T16:51:43","guid":{"rendered":"http:\/\/blog.iwayvietnam.com\/tuanta\/2008\/10\/22\/configure-postfix-for-authenticated-simple-mail-transfer-protocol-smtp\/"},"modified":"2008-10-22T23:59:45","modified_gmt":"2008-10-22T16:59:45","slug":"configure-postfix-for-authenticated-simple-mail-transfer-protocol-smtp","status":"publish","type":"post","link":"https:\/\/blog.iwayvietnam.com\/tuanta\/2008\/10\/configure-postfix-for-authenticated-simple-mail-transfer-protocol-smtp\/","title":{"rendered":"Configure Postfix for authenticated Simple Mail Transfer Protocol (SMTP)"},"content":{"rendered":"

Postfix can be configured to relay mail for users at remote locations with a valid username and password combination. Following this guide will allow Authenticated SMTP and passwords to be sent in plain text. A secure transport layer should be implemented to ensure that usernames and passwords can not be eavesdropped while in transit.<\/p>\n

Authenticated SMTP requires users who are not in the “mynetwork” directive within \/etc\/postfix\/main.cf<\/tt> to supply a valid username and password before the mail server will forward mail.<\/p>\n

This configuration requires Postfix to be installed and be configured to accept incoming mail on an Internet facing interface.<\/p>\n

    \n
  1. Open \/etc\/postfix\/main.cf<\/tt> with your editor and add the line smtpd_sasl_auth_enable = yes<\/tt>
    \n\n\n
    \n
    \r\nsmtpd_sasl_auth_enable = yes<\/pre>\n<\/td>\n<\/tr>\n<\/table>\n
    This line informs Postfix to enable SMTP AUTH when users not in the mynetwork directive attempt to send mail using this Postfix mail server to users not in the domain which Postfix has been configured to listen on.<\/li>\n
  2. Also in \/etc\/postfix\/main.cf<\/tt>, add smtpd_sasl_security_options=noanonymous<\/tt>
    \n\n\n
    \n
    \r\nsmtpd_sasl_security_options=noanonymous<\/pre>\n<\/td>\n<\/tr>\n<\/table>\n
    This disables anonymous style logins for SMTP AUTH.  Without this line anyone will be able to use your machine as an open relay.<\/strong><\/li>\n
  3. Again in \/etc\/postfix\/main.cf<\/tt>, add the smtpd_recipient_restrictions<\/tt> as specified below:
    \n\n\n
    \n
    \r\nsmtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,\r\n\r\nreject_unauth_destination, check_relay_domains<\/pre>\n<\/td>\n<\/tr>\n<\/table>\n
    This line sets the restrictions for clients attempting to relay mail through your mail server.<\/li>\n
  4. Edit \/etc\/sysconfig\/saslauthd<\/tt> and set the value of MECH<\/tt> (Abbrevition of the word mechanism) to pam<\/tt>:
    \n\n\n
    \n
    \r\nMECH=pam<\/pre>\n<\/td>\n<\/tr>\n<\/table>\n
    Setting this value to pam<\/tt>, sets saslauthd<\/tt> to use the local Plugguable Authentication Modules (PAM) subsystem to validate each username and password.<\/li>\n
  5. Ensure that saslauthd<\/tt> will start on boot by adding it to the third and fifth runlevels.
    \n\n\n
    \n
    \r\n\/sbin\/chkconfig --level 35 saslauthd on<\/pre>\n<\/td>\n<\/tr>\n<\/table>\n<\/li>\n
  6. Start or restart the saslauthd<\/tt> service:
    \n\n\n
    \n
    \r\n\/sbin\/service saslauthd start\r\n\r\n\/sbin\/service saslauthd restart<\/pre>\n<\/td>\n<\/tr>\n<\/table>\n<\/li>\n
  7. Finally start or restart Postfix:
    \n\n\n
    \n
    \r\n\/sbin\/service postfix start\r\n\r\n\/sbin\/service postfix restart<\/pre>\n<\/td>\n<\/tr>\n<\/table>\n<\/li>\n<\/ol>\n
    The Postfix server should now be started and allow relaying of mail from authenticated clients. You can confirm this by connecting to the mail server using the telnet application.<\/p>\n
    Most communication with the mail server can be done in plain text, but the authentication information must be encoded in Base64.<\/p>\n
    You can generate this information by modifying the line below, replacing the username and password with a valid username and password that can be authenticated by the Postfix server.<\/p>\n
    <\/tt><\/p>\n
    perl -MMIME::Base64 -e 'print encode_base64(\"usernameusernamepassword\");'<\/strong><\/tt><\/pre>\n
    <\/tt><\/p><\/blockquote>\n
    It should produce a string similar to the format below.<\/p>\n\n\n
    \n
    \r\n\u00a0    dXNlcm5hbWUAdXNlcm5hbWUAcGFzc3dvcmQ=<\/pre>\n<\/td>\n<\/tr>\n<\/table>\n
    Do not loose the generated string as it will be used shortly.<\/p>\n
    Authentication can be tested by connecting to the mail server with telnet and manually entering the SMTP information.<\/p>\n
    In the example below the section in bold is what should be typed. Replace the string after AUTH PLAIN with the Base64 string created above<\/p>\n\n\n
    \n
    \r\n# telnet mail.example.com 25<\/strong>\r\nTrying 127.0.0.1...\r\nConnected to mail.example.com (123.123.123.123).\r\nEscape character is '^]'.\r\n220 mail.example.com ESMTP Postfix\r\nEHLO anotherhost.com <\/strong>\r\n250-mail.example.com\r\n250-PIPELINING\r\n250-SIZE 10240000\r\n250-VRFY\r\n250-ETRN\r\n250-STARTTLS\r\n250-AUTH PLAIN LOGIN GSSAPI DIGEST-MD5 CRAM-MD5\r\n250-XVERP\r\n250 8BITMIME\r\nAUTH PLAIN dXNlcm5hbWUAdXNlcm5hbWUAcGFzc3dvcmQ= <\/strong>\r\n235 Authentication successful\r\nQUIT <\/strong>\r\n221 Bye<\/pre>\n<\/td>\n<\/tr>\n<\/table>\n
    The line “250-AUTH PLAIN LOGIN GSSAPI DIGEST-MD5 CRAM-MD5” shows that the Postfix server allows users to authenticate.<\/p>\n
    For more information, visit the  Red Hat Postfix HOWTO<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"
    Postfix can be configured to relay mail for users at remote locations with a valid username and password combination. Following this guide will allow Authenticated SMTP and passwords to be sent in plain text. A secure transport layer should be implemented to ensure that usernames and passwords can not be eavesdropped while in transit. AuthenticatedContinue reading “Configure Postfix for authenticated Simple Mail Transfer Protocol (SMTP)”<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21,41,4,34],"tags":[],"class_list":["post-94","post","type-post","status-publish","format-standard","hentry","category-linux","category-postfix","category-tips","category-weekly-tips","entry"],"_links":{"self":[{"href":"https:\/\/blog.iwayvietnam.com\/tuanta\/wp-json\/wp\/v2\/posts\/94"}],"collection":[{"href":"https:\/\/blog.iwayvietnam.com\/tuanta\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.iwayvietnam.com\/tuanta\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.iwayvietnam.com\/tuanta\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.iwayvietnam.com\/tuanta\/wp-json\/wp\/v2\/comments?post=94"}],"version-history":[{"count":0,"href":"https:\/\/blog.iwayvietnam.com\/tuanta\/wp-json\/wp\/v2\/posts\/94\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.iwayvietnam.com\/tuanta\/wp-json\/wp\/v2\/media?parent=94"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.iwayvietnam.com\/tuanta\/wp-json\/wp\/v2\/categories?post=94"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.iwayvietnam.com\/tuanta\/wp-json\/wp\/v2\/tags?post=94"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}