Adding SASL to existing Postfix installation on FreeBSD

  • Mark Goodge
    Message 1 of 3 , Oct 2, 2008
      I've been asked to add SASL authentication to an existing Postfix server
      used for outbound mail. For a variety of reasons (but primarily because
      it integrates more easily with MySQL), we're planning to use Dovecot as
      the authentication server.

      I've installed Dovecot, and it works OK. (The server doesn't normally
      act as a POP/IMAP server, but I enabled it temporarily so that I could
      ensure Dovecot was authenticating correctly before trying to use it as
      the backend for Postfix). But I can't get Postfix to use SASL.

      The server is running on FreeBSD and postfix was installed from ports,
      so, to add SASL support, I shut down Postfix and ran 'make deinstall',
      'make config' to add Dovecot to the configuration, and then 'make
      reinstall' to rebuild it. A 'make showconfig' shows that Dovecot is now
      in the config:

      ===> The following configuration options are available for postfix-2.4.0,1:
      PCRE=on "Perl Compatible Regular Expressions"
      SASL2=off "Cyrus SASLv2 (Simple Auth. and Sec. Layer)"
      DOVECOT=on "Dovecot SASL authentication method"
      SASLKRB=off "If your SASL req. Kerberos select this option"
      SASLKRB5=off "If your SASL req. Kerberos5 select this option"
      SASLKMIT=off "If your SASL req. MIT Kerberos5 select this option"
      TLS=off "Enable SSL and TLS support"
      BDB=off "Berkeley DB (choose version with WITH_BDB_VER)"
      MYSQL=on "MySQL maps (choose version with WITH_MYSQL_VER)"
      PGSQL=off "PostgreSQL maps (choose with DEFAULT_PGSQL_VER)"
      OPENLDAP=off "OpenLDAP maps (choose ver. with WITH_OPENLDAP_VER)"
      CDB=off "CDB maps lookups"
      NIS=off "NIS maps lookups"
      VDA=off "VDA (Virtual Delivery Agent)"
      TEST=off "SMTP/LMTP test server and generator"
      ===> Use 'make config' to modify these settings

      (Previously, 'make showconfig' listed DOVECOT=off)

      I've then added these lines to main.cf:

      smtpd_sasl_auth_enable = yes
      smtpd_sasl_type = dovecot
      smtpd_sasl_path = /var/run/dovecot/auth-client

      and under smtpd_recipient_restrictions, added
      permit_sasl_authenticated

      (The path to the Dovecot auth-client file is correct, and Postfix is not
      running chrooted so there's no problem reading a file in that location)

      However, when I start Postfix, I get these errors in maillog:

      warning: smtpd_sasl_auth_enable is true, but SASL support is not compiled in

      and issuing an EHLO command from a manual SMTP connection doesn't show
      authentication as an option.

      postconf -a and postconf -A both return nothing.

      For reference, here's the full postconf -n output:

      command_directory = /usr/local/sbin
      config_directory = /usr/local/etc/postfix
      daemon_directory = /usr/local/libexec/postfix
      debug_peer_level = 2
      disable_vrfy_command = yes
      html_directory = no
      mail_owner = postfix
      mailbox_size_limit = 1024000000
      mailq_path = /usr/local/bin/mailq
      manpage_directory = /usr/local/man
      message_size_limit = 40960000
      mynetworks = [various IP ranges]
      newaliases_path = /usr/local/bin/newaliases
      queue_directory = /var/spool/postfix
      readme_directory = no
      relay_domains = $transport_maps
      sample_directory = /usr/local/etc/postfix
      sendmail_path = /usr/local/sbin/sendmail
      setgid_group = maildrop
      smtpd_client_connection_rate_limit = 60
      smtpd_client_event_limit_exceptions = 127.0.0.0/8
      smtpd_discard_ehlo_keywords = silent-discard, dsn
      smtpd_recipient_restrictions = permit_mynetworks
      reject_non_fqdn_recipient permit_sasl_authenticated
      reject_unauth_destination reject
      smtpd_sasl_auth_enable = yes
      smtpd_sasl_path = /var/run/dovecot/auth-client
      smtpd_sasl_type = dovecot
      smtpd_sender_restrictions = check_sender_access
      mysql:/usr/local/etc/postfix/sender.cf check_sender_access
      mysql:/usr/local/etc/postfix/sender_smtpout.cf
      reject_non_fqdn_hostname reject_non_fqdn_sender reject
      unknown_local_recipient_reject_code = 550
      virtual_mailbox_limit = 1024000000

      Any clues as to what I'm doing wrong here? Or is this more likely to be
      an issue with the FreeBSD ports distribution?

      Thanks

      Mark
      --
      http://mark.goodge.co.uk - my pointless blog
      http://www.good-stuff.co.uk - my less pointless stuff
    • Wietse Venema
      Message 2 of 3 , Oct 2, 2008
        Mark Goodge:
        [FreeBSD ports stuff]
        > However, when I start Postfix, I get these errors in maillog:
        >
        > warning: smtpd_sasl_auth_enable is true, but SASL support is not compiled in

        Then the FreeBSD ports stuff is broken.

        If you look in the Postfix conf/makedefs.out file, you will probably
        find that they failed to include a line that says -DUSE_SASL_AUTH.

        To work around this, build with Cyrus SASL support even though
        you will never use it, and configure Dovecot in main.cf.

        Wietse
      • Mark Goodge
        Message 3 of 3 , Oct 2, 2008
          Wietse Venema wrote:
          > Mark Goodge:
          > [FreeBSD ports stuff]
          >> However, when I start Postfix, I get these errors in maillog:
          >>
          >> warning: smtpd_sasl_auth_enable is true, but SASL support is not compiled in
          >
          > Then the FreeBSD ports stuff is broken.

          That's what I suspected.

          > If you look in the Postfix conf/makedefs.out file, you will probably
          > find that they failed to include a line that says -DUSE_SASL_AUTH.

          Spot on.

          > To work around this, build with Cyrus SASL support even though
          > you will never use it, and configure Dovecot in main.cf.

          Actually, I solved the problem by updating to the current version in
          ports, so the bug has obviously been fixed since the original install on
          this machine. But thanks for the pointer, that was exactly what I needed.

          Mark
          --
          http://mark.goodge.co.uk - my pointless blog
          http://www.good-stuff.co.uk - my less pointless stuff
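
The two checks discussed in this thread (the `-DUSE_SASL_AUTH` define in makedefs.out and the plugin list from `postconf -a`) can be combined into one preflight test to run before setting `smtpd_sasl_auth_enable = yes`. This is an added example, not code from the thread or from Postfix; the function names are hypothetical, and it assumes makedefs.out was installed into `config_directory`.

```sh
#!/bin/sh
# Added example: verify that a Postfix build can do SASL with the wanted plugin.

# Succeed if a non-comment line of makedefs.out passes -DUSE_SASL_AUTH.
has_sasl_define() {
    grep -Eq -- '^[^#]*-DUSE_SASL_AUTH([[:space:]]|$)' "$1"
}

# Succeed if plugin type $1 is a whole line of $2 (the output of `postconf -a`).
plugin_available() {
    printf '%s\n' "$2" | grep -Fqx -- "$1"
}

# sasl_preflight MAKEDEFS TYPE PLUGIN_LIST
# Returns 0 usable, 1 SASL not compiled in, 2 plugin missing, 3 file unreadable.
sasl_preflight() {
    if [ ! -r "$1" ]; then
        echo "SKIP: cannot read $1"
        return 3
    fi
    if ! has_sasl_define "$1"; then
        echo "FAIL: no -DUSE_SASL_AUTH in $1; SASL support is not compiled in"
        return 1
    fi
    if ! plugin_available "$2" "$3"; then
        echo "FAIL: SASL compiled in, but '$2' is not listed by postconf -a"
        return 2
    fi
    echo "OK: this build supports smtpd_sasl_type = $2"
}

# Live check, run only where Postfix is installed.
# Assumption: makedefs.out sits in config_directory on this system.
if command -v postconf >/dev/null 2>&1; then
    cfg=$(postconf -h config_directory)
    sasl_preflight "$cfg/makedefs.out" \
        "$(postconf -h smtpd_sasl_type)" "$(postconf -a)" || :
fi
```
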