4th May 2008
roundkat
Shell Scout
 
Join Date: May 2008
Posts: 115
Working Configuration for Openbsd 4.0 - Postfix - SASL - TLS

Some old stuff..
Might be helpful to someone..


OS: OpenBSD 4.0
MTA: Postfix w/sasl
Imap: Dovecot

packages installed (via ports)
Code:
cyrus-sasl-2.1.21p2 RFC 2222 SASL (Simple Authentication and Security Layer)
dovecot-1.0.rc15    compact IMAP/POP3 server
expat-2.0.0         XML 1.0 parser written in C
gettext-0.14.5p1    GNU gettext
help2man-1.29       GNU help2man
libiconv-1.9.2p3    character set conversion library
libltdl-1.5.22p1    GNU libtool system independent dlopen wrapper
libtool-1.5.22p0    generic shared library support script
logsentry-1.1.1p2   logfile auditing tool
metaauto-0.5        wrapper for gnu auto*
pcre-6.4p1          perl-compatible regular expression library
postfix-2.3.2-sasl2 fast, secure sendmail replacement
wget-1.10.2p0       retrieve files from the web via HTTP, HTTPS and FTP
relevant PF rules
Code:
TCP_OPTIONS = "flags S/SA keep state"

pass in log on $ext_if inet proto tcp from any to any port smtp \
       $TCP_OPTIONS
pass in log on $ext_if inet proto tcp from any to any port imaps \
       $TCP_OPTIONS
pass in log on $ext_if inet proto tcp from any to any port 465 \
       $TCP_OPTIONS
Postfix and Dovecot were easy to set up but I had issues
with SASL.
After much googling I found many answers, but
none that fit my situation.

I found some of the answers here but after much trial and error
I narrowed it down..

Pls comment/correct where necessary..

Much Thanks..
rk.

Scenario:
I connect to the Dovecot IMAP server remotely via an ssl/tls
connection using a Thunderbird client.
I also want to send mail "from" the remote email server
via ssl.

I installed and configured Postfix with the following (additional)
SASL/TLS options:

main.cf (note: the dovecot .pem files were generated by the dovecot script after modifying /etc/ssl/dovecot-openssl.cnf)
Code:
# TLS additions
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/ssl/dovecotcert.pem
smtpd_tls_key_file = /etc/ssl/private/dovecot.pem
smtpd_tls_loglevel = 1
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,reject_unauth_destination 
# Authentication with SASL
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $mydomain
master.cf
Code:
smtp      inet  n       -       -       -       -       smtpd
#submission inet n       -       -       -       -       smtpd
#  -o smtpd_enforce_tls=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
added to /etc/services and /var/spool/postfix/etc/services
Code:
smtps           465/tcp    #smtp protocol over TLS/SSL
Added SASL authenticated users using this command
Code:
saslpasswd2 -c -u <domain-name>.com -a smtpauth <username>
Then the *tricky* part that I had been chasing...

I had to copy the sasldb2.db to

/var/spool/postfix/etc/sasldb2.db

and chown it _postfix.

Granted when I add another user I have to manually add them
via the saslpasswd2 command.. but since there are only going
to be a few users that is not an issue..

It now works..!!! Wooot...

Lessons learned:
Postfix is chrooted under OpenBSD.

I was chasing this error:
warning: SASL authentication failure: no user in db
among other SASL errors..

finally
postconf -n

Code:
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/local/sbin
config_directory = /etc/postfix
daemon_directory = /usr/local/libexec/postfix
debug_peer_level = 2
html_directory = /usr/local/share/doc/postfix/html
inet_interfaces = $myhostname, localhost
mail_owner = _postfix
mailq_path = /usr/local/sbin/mailq
manpage_directory = /usr/local/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = <my-domain>.com
myhostname = bsdbox.<my-domain>.com
mynetworks = 192.168.0.0/16, 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/local/sbin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix/readme
sample_directory = /etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = _postdrop
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_security_options = noanonymous
smtpd_tls_cert_file = /etc/ssl/dovecotcert.pem
smtpd_tls_key_file = /etc/ssl/private/dovecot.pem
smtpd_tls_loglevel = 1
smtpd_use_tls = yes
unknown_local_recipient_reject_code = 550
Hope this helps others.. it has been very frustrating for me..

Note:
the smtpd.conf you may have found in your searching is not
needed in OpenBSD.

rk
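Two helpers for the setup described in this post, added here as an example (not the poster's own code): one keeps sasldb2.db in sync with the Postfix chroot so newly added saslpasswd2 users are seen by the chrooted smtpd, the other scans a `postconf -n` dump for SASL AUTH being offered on port 25 before STARTTLS. Paths, owner and group are parameters so it can be tried in a scratch directory; the check relies on Postfix's `smtpd_tls_auth_only` parameter, which the post does not set.

```shell
#!/bin/sh
# Added example, not code from the original post. Paths, owner and group are
# parameters so the script can be tried in a scratch directory; on the poster's
# box they would be /etc/sasldb2.db, /var/spool/postfix and _postfix:_postfix.

# sync_sasldb SRC CHROOT OWNER GROUP
# Copy SRC to CHROOT/etc/sasldb2.db, readable only by OWNER/GROUP, so the
# chrooted smtpd sees every user added with saslpasswd2 (the "no user in db"
# lesson). Returns 0 only when the chroot copy matches the source byte for byte.
sync_sasldb() {
    src=$1; chroot_dir=$2; owner=$3; group=$4
    dst="$chroot_dir/etc/sasldb2.db"
    [ -f "$src" ] || { echo "sync_sasldb: $src not found" >&2; return 1; }
    mkdir -p "$chroot_dir/etc" || return 1
    cp "$src" "$dst" && chmod 0640 "$dst" && chown "$owner:$group" "$dst" || return 1
    cmp -s "$src" "$dst"
}

# check_plaintext_auth FILE
# FILE holds "postconf -n" output. Returns 0 when AUTH is only announced after
# STARTTLS (smtpd_tls_auth_only = yes) or plaintext mechanisms are disabled
# (noplaintext), and 1 when a client could send its password in the clear on
# port 25. The smtps wrapper-mode service in master.cf is unaffected either way.
check_plaintext_auth() {
    conf=$1
    grep -Eq '^smtpd_sasl_auth_enable *= *yes' "$conf" || return 0
    grep -Eq '^smtpd_tls_auth_only *= *yes' "$conf" && return 0
    grep -Eq '^smtpd_sasl_security_options *=.*noplaintext' "$conf" && return 0
    return 1
}

# Demo on a constructed dump carrying the post's AUTH/TLS lines (no real host).
demo_dir=$(mktemp -d)
cat > "$demo_dir/postconf.txt" <<'EOF'
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_use_tls = yes
EOF
if check_plaintext_auth "$demo_dir/postconf.txt"; then
    echo "ok: SASL AUTH is not reachable in plaintext"
else
    echo "finding: set 'smtpd_tls_auth_only = yes' so AUTH is offered only after STARTTLS"
fi
rm -rf "$demo_dir"
```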