Simple user authentication with Postfix and Dovecot

Every public SMTP mail server requires some sort of user authentication. One way is SASL, the Simple Authentication and Security Layer. Reviewers of this technology say it is neither the one nor the other; anyone who has configured a Cyrus saslauthd knows why.

This article shows how to configure SMTP user authentication without setting up a saslauthd. A running Dovecot IMAP/POP3 daemon that authenticates users is required.

Further, the article shows a simple way to configure the Postfix SMTP server for user authentication with SASL and Dovecot. All configuration snippets refer to the Dovecot and Postfix packages shipped with Debian “Squeeze” 6.0; the current versions are Dovecot 1.2.15 and Postfix 2.7.1. In Dovecot 2 a lot has changed regarding SASL and the authentication mechanisms; please read the Dovecot wiki for more information.

Dovecot configuration

Before configuring Postfix, check whether Dovecot’s configuration is prepared for SASL authentication. Open the Dovecot configuration file, usually located at /etc/dovecot/dovecot.conf, and check that the following lines are present:

auth default {
    user = vmail
    mechanisms = plain login
    ...
    socket listen {
        master {
            path = /var/run/dovecot/auth-master
            mode = 0600
            user = dovecot
            group = dovecot
        }
        client {
            path = /var/spool/postfix/private/auth
            mode = 0600
            user = postfix
            group = postfix
        }
    }
}

Please note the client section: if you use a chroot environment, verify that the given UNIX socket file is located within the chroot path of Postfix. Otherwise Postfix won’t be able to access the socket file and can’t authenticate users.

With mechanisms = plain login you configure the offered authentication mechanisms. Note that any mechanism better than PLAIN or LOGIN needs the clear text password in the user database: challenge-response mechanisms like CRAM-MD5 or DIGEST-MD5 won’t work with encrypted (hashed) passwords in your user database, so they cannot be used if your passwords are stored as MD5 hashes.

Now restart the Dovecot service if you changed anything in its configuration file.

Postfix configuration

Once Dovecot is configured for SASL authentication you can enable SASL authentication in Postfix as well. All configuration goes into /etc/postfix/main.cf; you shouldn’t need any alias configuration or any other map file. Open /etc/postfix/main.cf and add the following lines:

# authentication via SASL
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous

The line smtpd_sasl_type = dovecot activates the Dovecot SASL interface, integrated in Postfix since version 2.3. The command postconf -a lists all SASL implementations known to Postfix. On Debian Squeeze you should get the following output:

root@host:~# postconf -a
cyrus
dovecot
root@host:~#

On Debian Squeeze the authentication type dovecot is used. Activate dovecot in main.cf and restart the Postfix mail server. With smtpd_sasl_path = private/auth you define the UNIX socket file used for communication with Dovecot; it is the same file as configured in the client section of dovecot.conf. Make sure Postfix has read and write permissions on this file. The line smtpd_sasl_security_options = noanonymous disables anonymous logins; with this option the SMTP server offers PLAIN and LOGIN as authentication mechanisms. You can disable other mechanisms as well, e.g. noplaintext disables all plain text mechanisms. Unfortunately, this did not work on my machine: Dovecot did not understand this option and so authentication was not successful.

All my machines use hashed passwords stored in a database. However, Dovecot can then only authenticate with plain text passwords. In this case you should add the following option: smtpd_tls_auth_only = yes. This option enables authentication only if TLS is used as a secure transport connection.
Test your configuration by connecting to the SMTP service via telnet and issuing EHLO <server>. The returned list of supported features should not contain the keywords LOGIN or PLAIN, since you are using an insecure connection (plain TCP). If you try the same over an encrypted connection via openssl s_client -connect <server>:25 -starttls smtp and type EHLO <server>, the PLAIN and LOGIN authentication mechanisms should be offered.
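The EHLO check described above can be automated so it can run after every configuration change. This is an added example, not code from the original article; the host name passed on the command line and the sample EHLO replies embedded in it are constructed.

```python
# Added example, not from the original article: automates the EHLO check
# described above. Host names and the sample replies are constructed.
import smtplib
import ssl
import sys

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}
# Constructed EHLO replies as smtplib returns them (codes stripped): plain TCP, then after STARTTLS.
SAMPLE_BEFORE_TLS = b"mail.example.com\nPIPELINING\nSTARTTLS\n8BITMIME"
SAMPLE_AFTER_TLS = b"mail.example.com\nPIPELINING\nAUTH PLAIN LOGIN\nAUTH=PLAIN LOGIN\n8BITMIME"

def auth_mechs(ehlo_reply: bytes) -> set:
    """Mechanisms advertised in the AUTH line(s) of an EHLO reply.
    broken_sasl_auth_clients = yes makes Postfix print the line twice,
    as 'AUTH PLAIN LOGIN' and as 'AUTH=PLAIN LOGIN'; both forms are read."""
    mechs = set()
    for line in ehlo_reply.decode("ascii", "replace").splitlines():
        word, _, rest = line.strip().partition(" ")
        if word.upper() == "AUTH":
            mechs.update(m.upper() for m in rest.split())
        elif word.upper().startswith("AUTH="):
            mechs.add(word[5:].upper())
            mechs.update(m.upper() for m in rest.split())
    return mechs

def violations(before_tls: set, after_tls: set) -> list:
    """Policy problems found; empty when smtpd_tls_auth_only works as intended."""
    problems = []
    leaked = sorted(before_tls & PLAINTEXT_MECHS)
    if leaked:
        problems.append("plaintext mechanisms offered without TLS: " + ", ".join(leaked))
    if not after_tls & PLAINTEXT_MECHS:
        problems.append("no PLAIN/LOGIN offered even after STARTTLS")
    return problems

def probe(host: str, port: int = 25) -> list:
    """Live check: EHLO over plain TCP, STARTTLS, EHLO again, then compare."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        code, reply = smtp.ehlo()
        before = auth_mechs(reply) if code == 250 else set()
        # The default context verifies the certificate; self-signed certs fail here.
        smtp.starttls(context=ssl.create_default_context())
        code, reply = smtp.ehlo()
        after = auth_mechs(reply) if code == 250 else set()
    return violations(before, after)

if __name__ == "__main__":
    found = probe(sys.argv[1]) if len(sys.argv) > 1 else violations(
        auth_mechs(SAMPLE_BEFORE_TLS), auth_mechs(SAMPLE_AFTER_TLS))
    print("\n".join(found) or "ok: PLAIN/LOGIN offered only after STARTTLS")
```

Run it without arguments to see the check against the embedded sample replies, or with your server name as the only argument to probe a live server on port 25.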

If you want authenticated users to be able to deliver mail to external systems, add the option permit_sasl_authenticated to the list of smtpd_recipient_restrictions. permit_sasl_authenticated must be placed before the first reject_* option. For example:

smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    ...

Again, you have to restart the Postfix mail server to activate the new configuration.

Result

Anyone who has already configured Postfix with Cyrus SASL knows that the configuration shown here is just one way to get user authentication done. The given configuration is short and simple. IMHO, reducing the complexity of the SASL configuration makes your mail server easier to maintain: you can identify and solve configuration problems faster, and security issues caused by a complex configuration can be avoided.

Further links:
http://www.postfix.org/SASL_README.html
http://www.postfix.org/postconf.5.html
http://wiki1.dovecot.org/Authentication/PasswordSchemes
http://wiki1.dovecot.org/HowTo/PostfixAndDovecotSASL
