Some old stuff..
Might be helpful to someone..
OS: OpenBSD 4.0
MTA: Postfix w/sasl
Imap: Dovecot
packages installed (via ports)
Code:
cyrus-sasl-2.1.21p2 RFC 2222 SASL (Simple Authentication and Security Layer)
dovecot-1.0.rc15 compact IMAP/POP3 server
expat-2.0.0 XML 1.0 parser written in C
gettext-0.14.5p1 GNU gettext
help2man-1.29 GNU help2man
libiconv-1.9.2p3 character set conversion library
libltdl-1.5.22p1 GNU libtool system independent dlopen wrapper
libtool-1.5.22p0 generic shared library support script
logsentry-1.1.1p2 logfile auditing tool
metaauto-0.5 wrapper for gnu auto*
pcre-6.4p1 perl-compatible regular expression library
postfix-2.3.2-sasl2 fast, secure sendmail replacement
wget-1.10.2p0 retrieve files from the web via HTTP, HTTPS and FTP
relevant PF rules
Code:
TCP_OPTIONS = "flags S/SA keep state"
pass in log on $ext_if inet proto tcp from any to any port smtp \
$TCP_OPTIONS
pass in log on $ext_if inet proto tcp from any to any port imaps \
$TCP_OPTIONS
pass in log on $ext_if inet proto tcp from any to any port 465 \
$TCP_OPTIONS
Postfix and Dovecot were easy to set up but I had issues
with SASL.
After much googling I found many answers, but
none that fit my situation.
I found some of the answers here but after much trial and error
I narrowed it down..
Pls comment/correct where necessary..
Much Thanks..
rk.
Scenario:
I connect to the Dovecot IMAP server remotely via an ssl/tls
connection using a Thunderbird client.
I also want to send mail "from" the remote email server
via ssl.
I installed and configured Postfix with the following (additional)
SASL/TLS options:
main.cf (note: the dovecot.pem files were generated by the dovecot script after modifying /etc/ssl/dovecot-openssl.cnf)
Code:
# TLS additions
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/ssl/dovecotcert.pem
smtpd_tls_key_file = /etc/ssl/private/dovecot.pem
smtpd_tls_loglevel = 1
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
# Authentication with SASL
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $mydomain
master.cf
Code:
smtp      inet  n       -       -       -       -       smtpd
#submission inet n       -       -       -       -       smtpd
#  -o smtpd_enforce_tls=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
added to /etc/services and /var/spool/postfix/etc/services
Code:
smtps 465/tcp #smtp protocol over TLS/SSL
Added SASL authenticated users using this command
Code:
saslpasswd2 -c -u <domain-name>.com -a smtpauth <username>
Then the *tricky* part that I had been chasing...
I had to copy the sasldb2.db to
/var/spool/postfix/etc/sasldb2.db
and chown it _postfix.
Granted, when I add another user I have to manually add them
via the saslpasswd2 command.. but since there are only going
to be a few users that is not an issue..
It now works..!!! Wooot...
Lessons learned:
Postfix is chrooted under OpenBSD.
I was chasing this error:
warning: SASL authentication failure: no user in db
among other SASL errors..
finally
postconf -n
Code:
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/local/sbin
config_directory = /etc/postfix
daemon_directory = /usr/local/libexec/postfix
debug_peer_level = 2
html_directory = /usr/local/share/doc/postfix/html
inet_interfaces = $myhostname, localhost
mail_owner = _postfix
mailq_path = /usr/local/sbin/mailq
manpage_directory = /usr/local/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = <my-domain>.com
myhostname = bsdbox.<my-domain>.com
mynetworks = 192.168.0.0/16, 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/local/sbin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix/readme
sample_directory = /etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = _postdrop
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_security_options = noanonymous
smtpd_tls_cert_file = /etc/ssl/dovecotcert.pem
smtpd_tls_key_file = /etc/ssl/private/dovecot.pem
smtpd_tls_loglevel = 1
smtpd_use_tls = yes
unknown_local_recipient_reject_code = 550
Hope this helps others.. it has been very frustrating for me..
Note:
the smtpd.conf you may have found in your searching is not
needed in OpenBSD.
rk