DaemonForums > Guides

Posted 4th May 2008 by roundkat

Working Configuration for OpenBSD 4.0 - Postfix - SASL - TLS

Some old stuff..
Might be helpful to some one..


OS: OpenBSD 4.0
MTA: Postfix w/sasl
Imap: Dovecot

Packages installed (via ports):
Code:
cyrus-sasl-2.1.21p2 RFC 2222 SASL (Simple Authentication and Security Layer)
dovecot-1.0.rc15    compact IMAP/POP3 server
expat-2.0.0         XML 1.0 parser written in C
gettext-0.14.5p1    GNU gettext
help2man-1.29       GNU help2man
libiconv-1.9.2p3    character set conversion library
libltdl-1.5.22p1    GNU libtool system independent dlopen wrapper
libtool-1.5.22p0    generic shared library support script
logsentry-1.1.1p2   logfile auditing tool
metaauto-0.5        wrapper for gnu auto*
pcre-6.4p1          perl-compatible regular expression library
postfix-2.3.2-sasl2 fast, secure sendmail replacement
wget-1.10.2p0       retrieve files from the web via HTTP, HTTPS and FTP

Relevant PF rules:
Code:
TCP_OPTIONS = "flags S/SA keep state"

pass in log on $ext_if inet proto tcp from any to any port smtp \
       $TCP_OPTIONS
pass in log on $ext_if inet proto tcp from any to any port imaps \
       $TCP_OPTIONS
pass in log on $ext_if inet proto tcp from any to any port 465 \
       $TCP_OPTIONS

Postfix and Dovecot were easy to set up but I had issues
with SASL.
After much googling I found many answers, but
none that fit my situation.

I found some of the answers here but after much trial and error
I narrowed it down..

Please comment/correct where necessary..

Much Thanks..
rk.

Scenario:
I connect to the Dovecot IMAP server remotely via an SSL/TLS
connection using a Thunderbird client.
I also want to send mail "from" the remote email server
via SSL.

I installed and configured Postfix with the following (additional)
SASL/TLS options:

main.cf (note: the dovecot.pem files were generated by the dovecot script after modifying /etc/ssl/dovecot-openssl.cnf)
Code:
# TLS additions
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/ssl/dovecotcert.pem
smtpd_tls_key_file = /etc/ssl/private/dovecot.pem
smtpd_tls_loglevel = 1
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,reject_unauth_destination
# Authentication with SASL
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $mydomain

master.cf
Code:
smtp      inet  n       -       -       -       -       smtpd
#submission inet n       -       -       -       -       smtpd
#  -o smtpd_enforce_tls=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

Added to /etc/services and /var/spool/postfix/etc/services:
Code:
smtps           465/tcp    #smtp protocol over TLS/SSL

Added SASL-authenticated users using this command:
Code:
saslpasswd2 -c -u <domain-name>.com -a smtpauth <username>

Then the *tricky* part that I had been chasing...

I had to copy the sasldb2.db to

/var/spool/postfix/etc/sasldb2.db

and chown it _postfix.

Granted when I add another user I have to manually add them
via the saslpasswd2 command.. but since there are only going
to be a few users that is not an issue..

It now works..!!! Wooot...

Lessons learned:
Postfix is chrooted under OpenBSD.

I was chasing this error:
warning: SASL authentication failure: no user in db
among other SASL errors..

Finally, postconf -n:

Code:
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/local/sbin
config_directory = /etc/postfix
daemon_directory = /usr/local/libexec/postfix
debug_peer_level = 2
html_directory = /usr/local/share/doc/postfix/html
inet_interfaces = $myhostname, localhost
mail_owner = _postfix
mailq_path = /usr/local/sbin/mailq
manpage_directory = /usr/local/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = <my-domain>.com
myhostname = bsdbox.<my-domain>.com
mynetworks = 192.168.0.0/16, 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/local/sbin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix/readme
sample_directory = /etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = _postdrop
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_security_options = noanonymous
smtpd_tls_cert_file = /etc/ssl/dovecotcert.pem
smtpd_tls_key_file = /etc/ssl/private/dovecot.pem
smtpd_tls_loglevel = 1
smtpd_use_tls = yes
unknown_local_recipient_reject_code = 550

Hope this helps others.. it has been very frustrating for me..

Note:
the smtpd.conf you may have found in your searching is not
needed in OpenBSD.

rk
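Editor's note, an added example that is not part of roundkat's post: a small POSIX sh script that automates the two things the post does by hand. sync_sasldb copies sasldb2.db into the Postfix chroot only when the chroot copy is missing or stale and fixes its owner, so running saslpasswd2 for a new user does not leave a stale copy under /var/spool/postfix/etc. audit_sasl_tls reads a postconf -n dump and reports settings under which a client can send its SASL password before TLS is up. Run against the post's own main.cf values (rebuilt here as a constructed sample) it reports one finding: smtpd_sasl_auth_enable = yes in main.cf applies to the port 25 smtpd as well, and smtpd_use_tls = yes only makes STARTTLS optional, so AUTH is announced on the cleartext session; smtpd_tls_auth_only = yes is the Postfix parameter that hides AUTH until TLS is established. The paths, the _postfix user and the sample configuration come from the post; the functions, the sample_postconf helper and the scratch directory are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Two helpers for the setup above:
#   sync_sasldb SRC DST OWNER   copy sasldb2.db into the Postfix chroot when it
#                               differs and fix its owner (the "tricky part")
#   audit_sasl_tls FILE         scan "postconf -n" output for settings that let
#                               SASL passwords cross the wire unencrypted
# Paths and the _postfix user come from the post; the sample written by
# sample_postconf is constructed from the post's main.cf lines.

# conf_val FILE PARAM: print PARAM's value from a postconf -n dump (first match,
# surrounding blanks stripped); prints nothing when PARAM is absent.
conf_val() {
    awk -v k="$2" '
        { i = index($0, "=")
          if (i == 0) next
          key = substr($0, 1, i - 1); gsub(/^[ \t]+|[ \t]+$/, "", key)
          if (key != k) next
          v = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
          print v; exit }' "$1"
}

# sync_sasldb SRC DST OWNER: copy only when the chroot copy is missing or
# stale, tighten the mode, and chown when running as root (skipped for an
# ordinary user so the function can be tried in a scratch directory).
sync_sasldb() {
    src=$1; dst=$2; owner=$3
    [ -r "$src" ] || { echo "sync_sasldb: cannot read $src" >&2; return 1; }
    if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
        echo "sasldb already current: $dst"
    else
        cp "$src" "$dst" || return 1
        echo "copied $src -> $dst"
    fi
    chmod 0640 "$dst" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown "$owner" "$dst" || return 1
    fi
}

# audit_sasl_tls FILE: print one finding per line; the return value is the
# number of findings (0 = nothing to report).
audit_sasl_tls() {
    n=0
    sasl=$(conf_val "$1" smtpd_sasl_auth_enable)
    usetls=$(conf_val "$1" smtpd_use_tls)
    tlsonly=$(conf_val "$1" smtpd_tls_auth_only)
    opts=$(conf_val "$1" smtpd_sasl_security_options)
    if [ "$sasl" = yes ]; then
        # main.cf settings apply to every smtpd, port 25 included; smtpd_use_tls
        # only makes STARTTLS optional, so AUTH is still announced on the
        # cleartext session unless one of these two settings blocks it.
        if [ "$tlsonly" != yes ]; then
            case "$opts" in
                *noplaintext*) ;;
                *) echo "finding: AUTH is offered before TLS; set smtpd_tls_auth_only = yes"
                   n=$((n + 1)) ;;
            esac
        fi
        if [ "$usetls" != yes ]; then
            echo "finding: smtpd_use_tls is not yes, so STARTTLS is never offered"
            n=$((n + 1))
        fi
    fi
    if [ -n "$opts" ]; then
        case "$opts" in
            *noanonymous*) ;;
            *) echo "finding: smtpd_sasl_security_options lacks noanonymous"
               n=$((n + 1)) ;;
        esac
    fi
    return "$n"
}

# sample_postconf DST: constructed postconf -n excerpt with the post's settings.
sample_postconf() {
    cat > "$1" <<'EOF'
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_security_options = noanonymous
smtpd_tls_cert_file = /etc/ssl/dovecotcert.pem
smtpd_tls_key_file = /etc/ssl/private/dovecot.pem
smtpd_use_tls = yes
EOF
}

# Stand-alone demo in a scratch directory; nothing on the real system is touched.
# Falls back to the current user when _postfix does not exist on this machine.
demo=${TMPDIR:-/tmp}/sasl-demo.$$
mkdir -p "$demo/chroot/etc"
owner=_postfix; id "$owner" >/dev/null 2>&1 || owner=$(id -un)
sample_postconf "$demo/main.cf"
audit_sasl_tls "$demo/main.cf"; echo "findings: $?"
echo 'smtpd_tls_auth_only = yes' >> "$demo/main.cf"
audit_sasl_tls "$demo/main.cf"; echo "findings after fix: $?"
printf 'constructed sasldb2 contents\n' > "$demo/sasldb2.db"
sync_sasldb "$demo/sasldb2.db" "$demo/chroot/etc/sasldb2.db" "$owner"
sync_sasldb "$demo/sasldb2.db" "$demo/chroot/etc/sasldb2.db" "$owner"
rm -rf "$demo"
```

On the real box the two calls would be sync_sasldb /etc/sasldb2.db /var/spool/postfix/etc/sasldb2.db _postfix after each saslpasswd2 run, and audit_sasl_tls on the output of postconf -n. Note that the audit only looks at main.cf values; per-service -o overrides in master.cf (such as the smtps wrapper-mode entry in the post) are not parsed.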