Complete Virtual Mail Server/SMTP Authentication

Introduction
If this document was followed thus far, only localhost is allowed to send mail. Unfortunately postfix cannot work with courier-authlib directly. An intermediary solution exists, however. There are three ways cyrus-sasl can get authentication information: either directly from the database, locally or remotely. A setup using this approach would look like this:

    courier-imap -> courier-authlib --\
                                       +--> database
    postfix -> cyrus-sasl ------------/

The other option is to have cyrus-sasl authenticate directly with courier-authlib. A setup using this approach would look like this:

    courier-imap -----------\
                             +-> courier-authlib -> database
    postfix -> cyrus-sasl --/

Ideally the last option would be the best solution, as only one authentication back-end, courier-authlib, would be used. The cyrus-sasl plugin that talks to courier-authlib, however, only works via a unix socket, so if courier-authlib is not running on the same system as cyrus-sasl this will not work. The other approach should therefore only be used if courier-authlib cannot be used.

Installing cyrus-sasl
A key feature of cyrus-sasl that is required is the USE flag. It needs to be enabled or authentication will not work. Cyrus-sasl with the correct USE flag should have been pulled in earlier whilst emerging postfix.

Configuration
To ensure cyrus-sasl is working properly, the first method could be configured first and then changed to the second scheme. There should, however, be no problem with jumping to the second section right away.

Cyrus-sasl to PostgreSQL
Cyrus-sasl stores its connection information in.

Cyrus-sasl to authlib
Cyrus-sasl has a plugin that allows it to communicate with courier-authlib. Its only option is the location of the unix socket, which it uses to communicate with authlib. Nothing else needs to be in.

The directory leading to the courier socket belongs to the mail user, so postfix needs to be given access to this socket.

Postfix to Cyrus-sasl
In theory SASL should now talk to the database; to test this, however, postfix needs to be configured to communicate with SASL.

There are no default entries in postfix's so the following options should be added to the bottom of the file.

Testing
To verify SASL support, telnet can be used to check for the AUTH statement.

Telnet can be used again to test whether sending mail also works after authenticating. This requires the login information to be transmitted base64 encoded. An external base64 conversion tool can be used. Take care when entering passwords: only use a test username and password. If perl is installed with the Base64 module, it can generate the encoding as well.

Testing with a mail client should also show that sending works only with a correct username and password combination.

After cyrus-sasl is working as required, optionally reduce its logging.

SSL Support
A working postfix installation that only accepts mail from authorized clients is only as safe as its passwords, and anyone sniffing the connection can read them. All of the traffic, the mail messages included, is sent in plain text, albeit partially base64 encoded. Adding SSL support is just as easy as with courier-imap and much safer. Again, self-signed certificates will be briefly touched upon to test the setup, but it is strongly suggested to get signed certificates, such as those from CACert.org. Skipping over the Self signed section is recommended.
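The Testing section above encodes the login with an external base64 tool or perl, and this section points out that base64 is not protection. The following added example (Python, not part of the original page) builds the AUTH PLAIN and AUTH LOGIN credential strings as a SASL client does, and also decodes a captured AUTH PLAIN token to show how directly a sniffed password can be recovered. The credentials used are constructed test values.

```python
import base64


def sasl_plain_token(authcid: str, password: str, authzid: str = "") -> str:
    """Build the credential string sent after 'AUTH PLAIN' (RFC 4616).

    Wire format: authzid NUL authcid NUL password, then base64 encoded.
    authzid is normally empty, so the token starts with a NUL byte.
    """
    raw = b"\x00".join(s.encode("utf-8") for s in (authzid, authcid, password))
    return base64.b64encode(raw).decode("ascii")


def sasl_login_tokens(username: str, password: str) -> tuple:
    """AUTH LOGIN sends username and password as two separate base64 strings."""
    return (
        base64.b64encode(username.encode("utf-8")).decode("ascii"),
        base64.b64encode(password.encode("utf-8")).decode("ascii"),
    )


def decode_sasl_plain(token: str) -> tuple:
    """Recover (authzid, authcid, password) from a captured AUTH PLAIN token.

    Base64 is an encoding, not encryption: anyone who can read the
    unencrypted SMTP session can do exactly this.
    """
    parts = base64.b64decode(token).split(b"\x00")
    if len(parts) != 3:
        raise ValueError("AUTH PLAIN token must contain exactly two NUL separators")
    return tuple(p.decode("utf-8") for p in parts)


if __name__ == "__main__":
    # Constructed test credentials; never type real ones into a plaintext session.
    token = sasl_plain_token("test", "test")
    print("AUTH PLAIN", token)
    print("decoded from the wire:", decode_sasl_plain(token))
    user_b64, pass_b64 = sasl_login_tokens("test", "test")
    print("AUTH LOGIN", user_b64, pass_b64)
```

The first string printed is what would be pasted after `AUTH PLAIN` in the telnet session; the decode step is the reason the rest of this section moves the connection onto TLS.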

Self signed
Unfortunately postfix does not come with a handy script to generate self-signed certificates with; luckily does and can be used. The defaults should suffice.

There are now at least the three files postfix requires: the key file, the certificate file and the CA root certificate.

CACert.org signed
As before, the csr script should be used once again. For the smtp server there will be several domain aliases configured next to smtp.example.com, such as foo, the name of the server (it is, again, coincidental that the smtp server lives on the same system as the other services; this is not required) and mail.example.com. It would be possible to use the same certificate as before, or to have configured the earlier certificate to also contain smtp, but this would make later migration and separation harder.

Supply this certificate request to cacert.org: under Server Certificates, the New link opens an edit box for the certificate request above. Set the radio button to Sign by class 3 root certificate, copy and paste the certificate signing request into the memo field and hit submit.

Then, as stated by the script, copy and paste the key into the recommended file.

Finally, these certificates should be moved to a path where postfix can easily find them.

STARTTLS/TLS
With SSL certificates available, postfix needs to be told to use them.

SSL/TLS
Offering smtps is also strongly recommended, for when port 25 is not usable or desirable. Enable smtps in the of postfix. Since all other required options are set from the , only the two options mentioned need to be uncommented.

Testing
Telnet can be used to verify if STARTTLS is being offered.

Using a mail client that speaks TLS, like Thunderbird, is recommended to test whether TLS connections work. Sending a message should work normally using a proper username and password with STARTTLS on port 25 and SSL/TLS on port 465.

If everything is working properly, reduce the logging output and stop accepting unencrypted connections.
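Both Testing sections rely on reading the EHLO reply by eye in telnet, first for the AUTH statement and later for STARTTLS, and the final step above is to stop accepting unencrypted logins. The following added example (Python, not from the original page) parses an EHLO reply and reports whether AUTH is still advertised on the plaintext connection. The two replies are constructed samples; the check corresponds to the postfix setting smtpd_tls_auth_only, which the page does not name but which is what makes postfix withhold AUTH until STARTTLS has completed.

```python
import re

# Constructed EHLO reply on port 25 before hardening: AUTH is advertised
# on the plaintext connection (postfix also emits the legacy AUTH= form).
EHLO_BEFORE = """\
250-smtp.example.com
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME
"""

# Constructed EHLO reply after hardening: AUTH only appears once STARTTLS
# has been negotiated, so the plaintext reply no longer lists it.
EHLO_AFTER = """\
250-smtp.example.com
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250 8BITMIME
"""


def parse_ehlo(response: str) -> dict:
    """Parse a multi-line EHLO reply into {KEYWORD: [params]}.

    Continuation lines are '250-...'; only the final line is '250 ...'.
    The first line carries the server hostname, not a capability.
    """
    caps = {}
    lines = [l for l in response.splitlines() if l.strip()]
    for i, line in enumerate(lines):
        m = re.match(r"^250([ -])(.*)$", line)
        if not m:
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        sep, body = m.group(1), m.group(2).strip()
        is_last = i == len(lines) - 1
        if (sep == " ") != is_last:
            raise ValueError(f"malformed EHLO reply at line {i + 1}: {line!r}")
        if i == 0:
            continue  # hostname line
        keyword, _, params = body.partition(" ")
        if keyword.upper().startswith("AUTH="):
            # Fold 'AUTH=PLAIN LOGIN' into the AUTH entry.
            params = (keyword[5:] + " " + params).strip()
            keyword = "AUTH"
        entry = caps.setdefault(keyword.upper(), [])
        for p in params.split():
            if p not in entry:
                entry.append(p)
    return caps


def check_plaintext_auth(response: str, tls_active: bool = False) -> list:
    """Return findings for an EHLO reply seen on a connection.

    tls_active=False means the reply was read before STARTTLS; AUTH in that
    reply means a client can send its password without encryption.
    """
    caps = parse_ehlo(response)
    findings = []
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not offered: clients cannot upgrade to TLS")
    if "AUTH" in caps and not tls_active:
        findings.append("AUTH offered before STARTTLS: " + ", ".join(caps["AUTH"]))
    return findings


if __name__ == "__main__":
    for label, reply in (("before", EHLO_BEFORE), ("after", EHLO_AFTER)):
        print(label, check_plaintext_auth(reply) or ["ok"])
```

Run against a real server, the reply text would come from the same telnet session used above (or `openssl s_client -starttls smtp` for the post-STARTTLS reply, passing `tls_active=True`); an empty findings list for the plaintext reply is the expected end state of this section.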