LDAP managed mail server with Postfix and Dovecot for multiple domains
This article will describe how to set up and configure a secure mail system with Postfix and Dovecot as SMTP and IMAP server, and OpenLDAP as a backend for user authentication and mail routing.
All services will be configured to use TLS by default to ensure transport layer security wherever possible. It's assumed that you already have a working OpenLDAP installation running with available TLS support as outlined in my OpenLDAP article.
The OS in use is Debian but the conceptual design should work independently from that.
If you find any issues with the setup described here, or you have suggestions for improvements, please contact me.
Table of contents
Overview
The setup consists of three different software components. Postfix will relay mails submitted by clients to other MTAs and receive mails from other MTAs to be stored in the user's maildir. Dovecot will serve the user's maildir via IMAPS so it can be read and managed by client software like Thunderbird. Dovecot also acts as an SASL authentication provider for Postfix. Information about user accounts and mail aliases is stored in the LDAP directory and queried by Postfix and Dovecot.
The whole setup won't involve any “real” accounts on the OS. For Postfix we can utilize virtual mailboxes to create mailboxes with any UID and GID we want, and Dovecot supports virtual users that don't need to exist in the OS's context.
LDAP
The LDAP directory needs to keep several information needed by Postfix and Dovecot to work.
- Username & Password for authentication
UIDandGIDfor managing permissions of the user'smaildir- Location of the
maildir - List of mail aliases for a given user to allow one user to have several mail adresses.
The account information can be stored with the posixAccount objectClass. To store the aliases a new LDAP scheme needs to be installed. It will feature a objectClass postfixUser with the two attributes
mailacceptinggeneralidto store a list of mail aliasesmaildropto set one or more final destinations for mail sent to the given aliases
To install the postfixUser scheme, download the LDIF to your LDAP host and add it to cn=schema,cn=config.
root@ldaphost:~# wget -O postfix.ldif https://raw.githubusercontent.com/68b32/postfix-ldap-schema/master/postfix.ldif root@ldaphost:~# ldapadd -ZZ -x -W -D cn=admin,cn=config -H ldap://ldap.example.com -f postfix.ldif
To keep mail users seperate from others and allow privilege seperation in your directory, you might want to store them within an organizationalUnit e.g. ou=Mail,dc=example,dc=com.
dn: ou=Mail,dc=example,dc=com objectclass: organizationalUnit objectclass: top ou: Mail
Create a mail account that can be used for testing purposes when configuring postfix and dovecot. To create a hashed password, use slappasswd. Make sure not to use any UID or GID used by another user or process.
dn: uid=mail000,ou=Mail,dc=example,dc=com
cn: mail000
gidnumber: 20000
homedirectory: /home/mail/mail000
mailacceptinggeneralid: test0@hosted-domain.com
mailacceptinggeneralid: test1@hosted-domain.com
maildrop: mail000@mail.example.com
objectclass: account
objectclass: posixAccount
objectclass: postfixUser
objectclass: top
uid: mail000
uidnumber: 20000
userpassword: {SSHA}ncdXGXXD6zaG76dSCVKVAQLH4vPcHaTa
The aliases listed with mailacceptinggeneralid can contain any domain thats MX record points to your mail server. If you are not sure what domain to use for maildrop, don't worry, it will be explained when postfix is set up.
To speed up the dircetory lookups, indices should be created for the mailacceptinggeneralid and maildrop attribute. Add the following LDIF to your database definition in cn=config to activate indices.
dn: olcDatabase={1}mdb,cn=config
objectclass: olcDatabaseConfig
objectclass: olcMdbConfig
olcdbindex: mailacceptinggeneralid eq,sub
olcdbindex: maildrop eq
Since postfix and dovecot will query the directory, a seperate user should be created along with sufficient permissions to read the ou=Mail,dc=example,dc=com subtree.
dn: cn=mailAccountReader,ou=Manager,dc=example,dc=com
cn: mailAccountReader
objectclass: organizationalRole
objectclass: simpleSecurityObject
objectclass: top
userpassword: {SSHA}GY6RPlSGKI7SPKnnT7i/ktb/3JGmCHLT
to attrs=userPassword by self =xw by anonymous auth by * none to dn.subtree="ou=Mail,dc=example,dc=com" by dn.base="cn=mailAccountReader,ou=Manager,dc=example,dc=com" read by * none
Make sure that anonymous LDAP accounts are allowed to authenticate against their userPassword, since this mechanism will be used by Dovecot to authenticate clients.
Postfix
Postfix can be installed from the Debian repository.
root@mailhost:~# apt-get install postfix postfix-ldap
Select Internet site as initial type of configuration. Then enter the FQDN of your mail host. This is probably the same as configured for myhostname in /etc/postfix/main.cf (see next section). This will leave you with a basic /etc/postfix/main.cf to get started with the postfix configuration.
The hostname
The very first parameter to configure is the myhostname directive. This is the hostname of the mail server, and should be the same as the MX record of the domains this server will receive mails for. It also should be set as PTR record for the IP address this hostname resolves to, since it is common to block mail from hosts where this is not the case. To check this out perform a reverse lookup with dig -x <IP address>.
- main.cf
myhostname = mail.example.com
LDAP mapping
Before configuring postfix to deliver and receive mail, we create some LDAP lookup tables postfix will use to query the direcotry. The next table gives an overview on how information is queried.
| Key | Value | |
|---|---|---|
| virtual_alias_domains | Domain part of an address name@hosted-domain.com | Anything if this is a hosted domain, nothing otherwise |
| virtual_alias_maps | Address in form name@hosted-domain.com | Address in form user@mail.example.com |
| virtual_mailbox_maps | Address in form user@mail.example.com | Path to mail directory |
| virtual_uid_maps | Address in from user@mail.example.com | Numeric UID to be used for mail directory |
| smtpd_sender_login_maps | Address in form name@hosted-domain.com | Login username allowed to use this sender address |
Create a directory /etc/postfix/ldap to keep all map definitions in one place. Since the files in this directory will contain your LDAP credentials, set its owner to postfix:postfix and its mode to 0100.
The connection information for your LDAP directory is common to all maps and can be copied to the top of all of them.
server_host = ldap://ldap.example.com start_tls = yes version = 3 tls_ca_cert_file = /etc/ldap/tls/CA.pem tls_require_cert = yes bind = yes bind_dn = cn=mailAccountReader,ou=Manager,dc=example,dc=com bind_pw = <Password for bind_dn> search_base = ou=Mail,dc=example,dc=com scope = sub
This will connect to the LDAP directory using TLS and check the validity of the certificate provided by the peer. This needs to be included into all files in /etc/postfix/ldap listed next.
- virtual_alias_domains
query_filter = mailacceptinggeneralid=*@%s result_attribute = mailacceptinggeneralid result_format = %d
- virtual_alias_maps
query_filter = mailacceptinggeneralid=%s result_attribute = maildrop
- virtual_mailbox_maps
query_filter = maildrop=%s result_attribute = homeDirectory result_format = %s/mailbox/
- virtual_uid_maps
query_filter = maildrop=%s result_attribute = uidNumber
- smtpd_sender_login_maps
query_filter = (|(mailacceptinggeneralid=%s)(maildrop=%s)) result_attribute = uid
You can test the mapping with the postmap command. Here is some sample output for the user created for testing.
root@mailhost:~# postmap -q hosted-domain.com ldap:/etc/postfix/ldap/virtual_alias_domains hosted-domain.com, hosted-domain.com root@mailhost:~# postmap -q mail000@mail.example.com ldap:/etc/postfix/ldap/virtual_mailbox_maps /home/mail/mail000/mailbox/ root@mailhost:~# postmap -q mail000@mail.example.com ldap:/etc/postfix/ldap/virtual_uid_maps 20000 root@mailhost:~# postmap -q test0@hosted-domain.com ldap:/etc/postfix/ldap/smtpd_sender_login mail000
If lookups don't work as expected, set debuglevel = -1 in the map definition and review the output when running postmap.
Since the files contain credentials for binding to the directory make sure to set proper file permissions.
root@mailhost:~# chown postfix:postfix /etc/postfix/ldap/* root@mailhost:~# chmod 400 /etc/postfix/ldap/*
Another problem to solve is that postfix will run in a chrooted environment (/var/spool/postfix) and will not be conscious about the CA certificate /etc/ldap/tls/CA.pem needed to validate the server's certificate. To counter this problem, create /var/spool/postfix/etc/ldap/tls/ and either copy /etc/ldap/tls/CA.pem to this directory, or create a bind mount to make the CA certificate available in both locations.
root@mailhost:~# mkdir -p /var/spool/postfix/etc/ldap/tls root@mailhost:~# touch /var/spool/postfix/etc/ldap/tls/CA.pem root@mailhost:~# mount --bind /etc/ldap/tls/CA.pem /var/spool/postfix/etc/ldap/tls/CA.pem
Be aware that this won't persist through reboots, so make sure to bind the directory before postfix is started. This can be achieved with a systemd mount unit. Create /etc/systemd/system/var-spool-postfix-etc-ldap-tls-CA.pem.mount with following content.
- var-spool-postfix-etc-ldap-tls-CA.pem.mount
[Unit] Description=Bind /etc/ldap/tls/CA.pem to /var/spool/postfix/etc/ldap/tls/CA.pem Before=postfix.service [Mount] What=/etc/ldap/tls/CA.pem Where=/var/spool/postfix/etc/ldap/tls/CA.pem Type=none Options=bind [Install] WantedBy=postfix.service
Reload systemd and start the unit.
root@mailhost:~# systemctl daemon-reload root@mailhost:~# systemctl start var-spool-postfix-etc-ldap-tls-CA.pem.mount root@mailhost:~# mount | grep CA
Check the output of mount to see if the bind was successful and enable the bind mount to be set up before postfix on boot.
root@mailhost:~# systemctl enable var-spool-postfix-etc-ldap-tls-CA.pem.mount Created symlink from /etc/systemd/system/postfix.service.wants/var-spool-postfix-etc-ldap-tls-CA.pem.mount to /etc/systemd/system/var-spool-postfix-etc-ldap-tls-CA.pem.mount.
Reboot the host to see if the bind is created during boot.
The Mailboxes
Postfix implements different methods to deliver mail to the recipient. In this setup we will make use of the virtual alias domain class and the virtual mailbox domain class. Each final mailbox is associated with a definite address <username>@$myhostname. $myhostname contains the hostname set in /etc/postfix/main.cf and will be listed in virtual_mailbox_domains. All hosted domains are treated as virtual alias domains, and will be listed in virtual_alias_domains with the LDAP map defined earlier and mapped to the address of the final mailbox.
The testuser mail000 as created in the LDAP section contains the adresses test0@hosted-domain.com and test1@hosted-domain.com as mailacceptinggeneralid. When a mail is received for one of these addresses, postfix will look for the corresponding maildrop attribute, which could either be a remote address (e.g. to just forward to a Gmail address), or an address with a domain listed in virtual_mailbox_domains, e.g. mail000@mail.example.com. Mails to domains listed in virtual_mailbox_domains will be stored in the user's mailbox. Information on where and how to create the mailbox is also retrieved from LDAP, using the mailbox address.
- /etc/postfix/main.cf
myhostname = mail.example.com virtual_alias_domains = ldap:/etc/postfix/ldap/virtual_alias_domains virtual_mailbox_domains = $myhostname virtual_alias_maps = ldap:/etc/postfix/ldap/virtual_alias_maps virtual_mailbox_base = / virtual_mailbox_maps = ldap:/etc/postfix/ldap/virtual_mailbox_maps virtual_uid_maps = ldap:/etc/postfix/ldap/virtual_uid_maps virtual_gid_maps = ldap:/etc/postfix/ldap/virtual_uid_maps smtpd_sender_login_maps = ldap:/etc/postfix/ldap/smtpd_sender_login_maps
It is very important to list each domain only once. E.g. do not list $myhostname in mydestination or virtual_alias_domains when already listed in virtual_mailbox_domains.
virtual_alias_domains will expand to all domains used in addresses given in any mailacceptinggeneralid attribute in the ou=Mail,dc=example,dc=com subtree.
The mailboxes will be stored in maildir format if the value returned by the virtual_mailbox_maps map ends with /. The value returned will be appended to virtual_mailbox_base. The map used in this setup will return the path stored in the user's homedirectory attribute, with /mailbox/ appended. So for the testuser created earlier, mail to test0@hosted-domain.com and test1@hosted-domain.com will first be redirected to mail000@mail.example.com and then stored to /home/mail/mail000/mailbox/ in maildir format.
The directory /home/mail containing the user homes must be created in advance and must be writeable by all potential mail users. To achieve this, either use the same GID across all mail users and set group ownership to that GID, or make the directory world writable.
root@mailhost:~# mkdir -p /home/mail root@mailhost:~# chmod o+w /home/mail # Make world writable or root@mailhost:~# chown :<common GID> /home/mail && chmod g+w /home/mail # use common group
The user specific directories will be created with the user's UID and GID and minimal permissions by postix when mail is received.
Reload postfix and try to send a test mail to your new server.
root@mailhost:~# systemctl reload postfix root@mailhost:~# tail -f /var/log/mail.info
When the mail is received, the logs should contain something like
.../smtpd[6693]: connect from unknown[xxxx:...] .../smtpd[6693]: A7D1665808DE: client=unknown[xxxx:...] .../cleanup[6697]: A7D1665808DE: message-id=<56E9374F.8020607@external.example.com> .../qmgr[5561]: A7D1665808DE: from=<snip@external.example.com>, size=892, nrcpt=1 (queue active) .../smtpd[6693]: disconnect from unknown[xxx:...] .../virtual[6698]: A7D1665808DE: to=<mail000@mail.example.com>, orig_to=<test0@hosted-domain.com>, relay=virtual, delay=0.42, delays=0.31/0.01/0/0.1, dsn=2.0.0, status=sent (delivered to maildir) .../qmgr[5561]: A7D1665808DE: removed
then check if the maildir got created
root@mailhost:~# tree -pug /home/mail/mail000/
/home/mail/mail000/
└── [drwx------ 20000 20000 ] mailbox
├── [drwx------ 20000 20000 ] cur
├── [drwx------ 20000 20000 ] new
│ └── [-rw------- 20000 20000 ] 1458124575.V902I1b800feM892045.mx0
└── [drwx------ 20000 20000 ] tmp
TLS and submission service
To avoid sniffing of the data exchanged with postfix, TLS needs to be enabled and configured properly. It is recommended to at least use a keylength of 2048 bit for the RSA key, and to provide a valid certificate with a correct common name (CN), signed by a well-known certificate authority. If you don't want to pay any money, consider Let's Encrypt as a free alternative. It is also advised to generate your own Diffie-Hellman groups with at least 2048 bit due to some weaknesses found with the commonly and widely used Diffie-Hellman groups.
To generate a group with 4096 bit, run
root@mailhost:~# openssl dhparam 4096 > /etc/postfix/dhparam/dh4096.pem
Generating a new group once in a while will increase security.
TLS support needs to be configured for the server side (smtpd_tls_*) of postfix, to encrypt and authenticate the connection when receiving mail as well as the client side (smtp_tls_*) for securing delivery to external MTAs.
- main.cf
smtpd_tls_cert_file = /etc/postfix/tls/server.crt smtpd_tls_key_file = /etc/postfix/tls/server.key smtpd_tls_loglevel = 1 smtpd_tls_received_header = yes smtpd_tls_security_level = may smtpd_tls_auth_only = yes smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 #tls_preempt_cipherlist = yes tls_disable_workarounds = 0xFFFFFFFFFFFFFFFF smtpd_tls_mandatory_ciphers = high smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDB3-SHA, KRB5-DES, CBC3-SHA smtpd_tls_dh1024_param_file = /etc/postfix/dhparam/dh4096.pem smtpd_tls_eecdh_grade = ultra
This configuration for the smtpd side is quite secure but restrctive and might not work with all MTAs.
smtpd_tls_mandatory_ciphers sets the ciphersuite allowed to be used and is set to high. To see what ciphers belong to this group run postconf tls_high_cipherlist.
smtpd_tls_exclude_ciphers contains a list of insecure ciphers and is recommended by the research group mentioned above.
tls_preempt_cipherlist enables server cipher preferences when set to yes. This means that instead of the client, postfix will select the cipher used for communication. This might cause some interoperability issues, see the postfix documentation for more information.
tls_disable_workarounds set to 0xFFFFFFFFFFFFFFFF disables all OpenSSL bug work-arounds on a 64 bit system since they can create unexpected security issues.
smtpd_tls_security_level is set to may which means that encryption is optional. Changing this to encrypt will enforce the use of TLS but has the side effect that MTAs without TLS capability won't be able to deliver mail to your server.
smtpd_tls_auth_only enforces encryption during authentication independently from smtpd_tls_security_level.
smtpd_tls_dh1024_param_file sets the path to the Diffie-Hellman group and despite the name can (and should!) be larger than 1024 bit.
smtpd_tls_eecdh_grade selects the curves used by postfix for ephemeral ECDH key exchange. ultra selects the curve set in tls_eecdh_ultra_curve (see postconf tls_eecdh_ultra_curve) and is the strongest setting available, but needs approximately twice the computational cost of the strong setting.
To debug TLS connections smtpd_tls_loglevel is set to at least 1.
smtpd_tls_received_header set to yes will add information about the ciphers used during transfer to the message headers.
- main.cf
smtp_tls_security_level = verify smtp_tls_CApath = /etc/ssl/certs smtp_tls_loglevel = $smtpd_tls_loglevel smtp_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols smtp_tls_mandatory_ciphers = $smtpd_tls_mandatory_ciphers smtp_tls_exclude_ciphers = $smtpd_tls_exclude_ciphers
For the smtp side, smtp_tls_loglevel, smtp_tls_mandatory_protocols, smtp_tls_mandatory_ciphers and smtp_tls_exclude_ciphers are set to the same values as their smtpd counterparts. smtp_tls_security_level set to verify enforces encryption when delivering mail. The connection to the external MTA will fail if TLS is not supported or the certificate of the remote site can't be verified. To verify the certificate the CA certificates in smtp_tls_CApath are used. This can cause mail to be deferred if the peer certificate was self signed or expired. To handle this issue, either use the less secure encrypt option or set delay_warning_time to a suitable value to get a notification if your mail was deferred.
If you set smtpd_tls_security_level to may or tls_preempt_cipherlist to no, it is good practice to provide a second instance of smtpd listening on port 587 with smtpd_tls_security_level set to encrypt and tls_preempt_cipherlist set to yes. This instance should then be used by users to submit mails for delivery (outgoing SMTP server).
To enable the submission service edit /etc/postfix/master.cf and uncomment the relevant lines.
- master.cf
... submission inet n - - - - smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o tls_preempt_cipherlist=yes
Reload postfix, and check /var/log/mail.* for any errors. Also check if the submission service is listening on port 587.
root@mailhost:~# systemctl reload postfix root@mailhost:~# netstat -pltn | grep master
Dovecot
While Postfix serves as an smtp server and relay, Dovecot will serve as IMAP server to retrieve the messages stored on the mail host. Dovecot also includes a SASL implementation which can be used by postfix to authenticate users.
Dovecot packages can be installed from the Debian repository.
root@mailhost:~# apt-get install dovecot-core dovecot-imapd dovecot-ldap
Configuration
The configuration is spread over several files in /etc/dovecot/ and /etc/dovecot/conf.d and contains some basic configuration blocks, which can be included by uncommenting them. doveconf -n will print the final configuraton build up out of all snippets.
Maildir location
The location of the Maildir is set in /etc/dovecot/conf.d/10-mail.conf. The user's homedirectory will be read from LDAP, and '/mailbox' will be appended with the following configuration.
maildir:~/mailbox
IMAPS
To only activate IMAPS support on port 993 and deactivate potentially insecure login attempts to the normal IMAP port 143 the port of the imap listener must be set to 0 and the lines for IMAPS needs to be uncommented in /etc/dovecot/conf.d/10-master.conf.
- 10-master.conf
service imap-login { inet_listener imap { port = 0 } inet_listener imaps { port = 993 ssl = yes } service_count = 1 process_min_avail = 1 }
LDAP backend
Dovecot can use LDAP as a password database for authentication as well as a user database for information like the maildir location, and the UID and GID of the user. An overview is given in the Dovecot wiki.
To activate LDAP as a password and user database, enable it in /etc/dovecot/conf.d/10-auth.conf and disable auth-system.conf.ext.
- 10-auth.conf
#!include auth-system.conf.ext !include auth-ldap.conf.ext
/etc/dovecot/conf.d/auth-ldap.conf.ext should contain the declaration for passdb and userdb.
- auth-ldap.conf.ext
passdb { driver = ldap args = /etc/dovecot/dovecot-ldap.conf.ext } userdb { driver = ldap args = /etc/dovecot/dovecot-ldap.conf.ext }
The file /etc/dovecot/dovecot-ldap.conf.ext is used by both, passdb and userdb to configure the connection parameters to the LDAP directory.
- dovecot-ldap.conf.ext
uris = ldap://ldap.example.com dn = cn=mailAccountReader,ou=Manager,dc=example,dc=com dnpass = <dn bind password> tls = yes tls_ca_cert_file = /etc/ldap/tls/CA.pem tls_require_cert = hard debug_level = 0 auth_bind = yes auth_bind_userdn = uid=%u,ou=Mail,dc=example,dc=com ldap_version = 3 base = ou=Mail,dc=example,dc=com scope = subtree user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid user_filter = (&(objectClass=posixAccount)(uid=%u))
This configuration auth_bind = yes tries to bind to OpenLDAP with the DN of the authenticating IMAP user instead of checking the password directly. The advantage of this configuration is that the password stored in the directory does not need to be readable by Dovecot. When the auth_bind_userdn template is defined, pass_attr can be omitted. user_filter sets the filter to find the LDAP entry using the login username. user_attrs maps the LDAP attributes to Dovecot's internal attributes. When retrieving the user information, Dovecot connects to the directory with the credentials set with the dn and dnpass directives. The other parameters are used to connect to OpenLDAP with TLS and are the same as in the postfix configuration.
TLS
TLS can be configured in /etc/dovecot/conf.d/10-ssl.conf. Either reuse the key and certificate used for postfix if the hostname for the IMAP server will be the same, or generate a new key and certificate for Dovecot. The Diffie-Hellman group is generated and managed automatically by Dovecot, the size can be set with ssl_dh_parameters_length and should at least be set to 2048 bit. The ciphersuite was taken from weakdh.org
- 10-ssl.conf
ssl = required ssl_cert = </etc/dovecot/tls/server.crt ssl_key = </etc/dovecot/tls/server.key ssl_dh_parameters_length = 4096 ssl_protocols = !SSLv2 !SSLv3 ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA ssl_prefer_server_ciphers = yes verbose_ssl = yes
SASL Authentication
Dovecot can be configured to provide a SASL interface for postfix so that authentication for postfix can be done through Dovecot, which then uses LDAP as a backend.
To activate the SASL interface enable the auth service in /etc/dovecot/conf.d/10-master.conf.
- 10-master.conf
service auth { ... unix_listener /var/spool/postfix/private/auth { mode = 0660 user = postfix group = postfix } }
This will create a unix socket in /var/spool/postfix/private/auth owned and only accessible by the postfix user.
To activate SASL authentication in postfix, enable it in /etc/postfix/main.cf.
- main.cf
smtpd_sasl_type = dovecot smtpd_sasl_path = private/auth smtpd_sasl_auth_enable = yes broken_sasl_auth_clients = yes
To allow relaying mail from authenticated users to remote destinations, add permit_sasl_authenticated to smtpd_relay_restriction. And to allow only FROM addresses that belong to the authenticated user, set reject_sender_login_mismatch in smtpd_recipient_restrictions. The allowed addresses are looked up from the map defined in smtpd_sender_login_maps.
- main.cf
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination smtpd_recipient_restrictions = reject_sender_login_mismatch
Test authentication
Postfix authentication can be tested easily from the commandline. First connect to the server on port 25 or port 587.
you@workspace:~$ openssl s_client -starttls smtp -connect mail.example.com:25
You will get a lot of useful information about the TLS connection established. The next step is to introduce yourself with the EHLO command.
EHLO foo.example.com 250-mail.example.com 250-PIPELINING 250-SIZE 10240000 250-VRFY 250-ETRN 250-AUTH PLAIN 250-AUTH=PLAIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN
The 250-AUTH line indicates that authentication is enabled. To test authentication generate a base64 encoded string containing the username and the password prefixed by NULL bytes.
you@workstation:~$ echo -ne "\0username\0password" | base64
Then perform the authentication, send the string to the server.
AUTH PLAIN AHVzZXJuYW1lAHBhc3N3b3Jk 235 2.7.0 Authentication successful
You will either get 235 or 535 depending on if authentication was successful. If authentication does not work as expected, see /var/log/mail.* for errors. If this does not help, set debug_level = -1 in /etc/dovecot/dovecot-ldap.conf.ext and check the logs again when testing the authentication.