Monday, October 27, 2008

freebsd + postfix + sasl + openldap

a week ago a friend of mine asked me to help him (read: side income ;)) to reconfigure his mail server to support SMTP authentication.
so, for the past 3 days I've been trying to reconfigure the above combination but with no success, especially getting postfix + sasl to use openldap for authentication. but after a lotttttt of googling, countless rounds of trial and error, a few mugs of nescafe tarik etc... I've finally managed to resolve the issue :)

here are the configurations:

[root@mail ~]# uname -a
FreeBSD mail.domain.com.my 6.2-RELEASE FreeBSD 6.2-RELEASE #0: Fri Jan 12 10:40:27 UTC 2007 root@dessler.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386

recompile postfix with these options:
[root@mail ~]# cat /var/db/ports/postfix/options
# This file is auto-generated by 'make config'.
# No user-servicable parts inside!
# Options for postfix-2.5.1_2,1
_OPTIONS_READ=postfix-2.5.1_2,1
WITH_SASL2=true
WITH_TLS=true
WITH_OPENLDAP=true

cyrus-sasl:
[root@mail ~]# saslauthd -v
saslauthd 2.1.22
authentication mechanisms: sasldb getpwent kerberos5 pam rimap ldap httpform

openldap already compiled with these options:
[root@ldap ~]# cat /var/db/ports/openldap23/options
# This file is auto-generated by 'make config'.
# No user-servicable parts inside!
# Options for openldap-server-2.3.11
_OPTIONS_READ=openldap-server-2.3.11
WITH_SASL=true
WITH_PERL=true
WITH_SHELL=true
WITH_SLP=true
WITH_TCP_WRAPPERS=true
WITH_BDB=true
WITH_PROXYCACHE=true
WITH_PPOLICY=true
WITH_RWM=true
WITH_DYNAMIC_BACKENDS=true

ok, 1st step is to configure the cyrus-sasl configuration files.
[root@mail ~]# cat /usr/local/lib/sasl2/smtpd.conf
# hand password checks to the saslauthd daemon (which talks to ldap below)
pwcheck_method: saslauthd
# the option is spelled mech_list; with the key misspelled, cyrus ignores it and
# offers every mechanism it was built with instead of only these two
mech_list: PLAIN LOGIN
log_level: 5


[root@mail ~]# cat /usr/local/etc/saslauthd.conf
ldap_servers: ldap://192.168.1.8/
ldap_auth_method: fastbind
ldap_filter: uid=%u,ou=Users,dc=domain,dc=com,dc=my
ldap_search_base: dc=domain,dc=com,dc=my
ldap_bind_dn: cn=Manager,dc=domain,dc=com,dc=my
ldap_password: secret

start the service with the flags "-cra ldap" (add -d for debugging)
[root@mail ~]# /usr/local/etc/rc.d/saslauthd start
Starting saslauthd.

[root@mail ~]# ps aux|grep sasl
root 39276 0.0 0.4 4840 2784 ?? Ss 3:25PM 0:00.00 /usr/local/sbin/saslauthd -cra ldap
root 39283 0.0 0.4 4840 2780 ?? S 3:25PM 0:00.00 /usr/local/sbin/saslauthd -cra ldap
root 39284 0.0 0.4 4840 2780 ?? S 3:25PM 0:00.00 /usr/local/sbin/saslauthd -cra ldap
root 39285 0.0 0.4 4840 2780 ?? S 3:25PM 0:00.00 /usr/local/sbin/saslauthd -cra ldap
root 39286 0.0 0.4 4840 2780 ?? S 3:25PM 0:00.00 /usr/local/sbin/saslauthd -cra ldap

test it out using the testsaslauthd command
[root@mail ~]# testsaslauthd -u ashamril -p 1qaz2wsx
0: OK "Success."

this means sasl can authenticate against your ldap server. yahoooo ;)

next, configure postfix. add these lines to /usr/local/etc/postfix/main.cf

# enable SASL authentication in the smtpd server
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_authenticated_header = yes
# also advertise the old "AUTH=" form for clients such as Outlook Express
broken_sasl_auth_clients = yes
# look for smtpd.conf in the cyrus sasl plugin directory
smtpd_sasl_path = smtpd
# smtpd_* is the server side; smtp_sasl_type would only affect outbound client auth
smtpd_sasl_type = cyrus
smtpd_sasl_security_options = noanonymous

smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unauth_destination


restart postfix & test it out:
[root@mail ~]# printf "ashamril" | mmencode
YXNoYW1yaWw=
[root@mail ~]# printf "1qaz2wsx" | mmencode
MXFhejJ3c3g=
[root@mail ~]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.domain.com.my ESMTP Postfix (By LinuxDotMy)
EHLO domain.com.my
250-mail.domain.com.my
250-PIPELINING
250-SIZE 512000000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
250-AUTH=LOGIN PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH LOGIN
334 VXNlcm5hbWU6
YXNoYW1yaWw=
334 UGFzc3dvcmQ6
MXFhejJ3c3g=
235 2.7.0 Authentication successful
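as an added example (not part of the original post), the script below decodes the AUTH LOGIN exchange above offline and checks whether the base64 credentials were sent before STARTTLS; base64 is an encoding, not encryption, so on a plain port-25 session like this one the username and password travel in the clear. the transcript text is copied from the telnet session above as constructed input; Postfix can refuse AUTH on unencrypted sessions with `smtpd_tls_auth_only = yes`.

```python
"""Decode and audit the SMTP AUTH LOGIN transcript shown above (offline)."""
import base64
import re

# Constructed input: the telnet session from the post, server and client lines mixed.
TRANSCRIPT = """\
220 mail.domain.com.my ESMTP Postfix (By LinuxDotMy)
EHLO domain.com.my
250-mail.domain.com.my
250-PIPELINING
250-SIZE 512000000
250-STARTTLS
250-AUTH LOGIN PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
250-AUTH=LOGIN PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
250 DSN
AUTH LOGIN
334 VXNlcm5hbWU6
YXNoYW1yaWw=
334 UGFzc3dvcmQ6
MXFhejJ3c3g=
235 2.7.0 Authentication successful
"""

def ehlo_capabilities(transcript):
    """Return {KEYWORD: [params]} from the 250-/250 lines of the EHLO reply."""
    caps = {}
    for line in transcript.splitlines():
        m = re.match(r"250[- ](\S+)(?:\s+(.*))?$", line)
        if not m or "." in m.group(1):      # skip the hostname greeting line
            continue
        key, params = m.group(1).upper(), (m.group(2) or "").split()
        if key.startswith("AUTH="):          # pre-RFC 2554 form (broken_sasl_auth_clients)
            key, params = "AUTH=", [key[5:]] + params
        caps[key] = params
    return caps

def decode_login_exchange(transcript):
    """Pair each 334 challenge with the client's base64 reply, both decoded."""
    lines = transcript.splitlines()
    return [(base64.b64decode(l[4:]).decode(), base64.b64decode(lines[i + 1]).decode())
            for i, l in enumerate(lines[:-1]) if l.startswith("334 ")]

def credentials_sent_in_clear(transcript):
    """True when the client issues AUTH without having issued STARTTLS first."""
    tls_started = False
    for line in transcript.splitlines():
        if line.upper() == "STARTTLS":                      # client command, not 250-STARTTLS
            tls_started = True
        if line.upper().startswith("AUTH ") and not tls_started:
            return True
    return False

if __name__ == "__main__":
    print(ehlo_capabilities(TRANSCRIPT)["AUTH"])
    print(decode_login_exchange(TRANSCRIPT))
    print("credentials in clear:", credentials_sent_in_clear(TRANSCRIPT))
```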


yahooooo, done.

p/s: man hours: 1st day till 4am, 2nd day till 2am, and only on the 3rd day was it done... how much should I charge?
and to all Hindus who celebrate Deepavali, a very Happy Deepavali!

3 comments:

Anonymous said...

Salam bro... so BSD is awesome, it seems... share some of that knowledge...

Latest blog: Remove autorun.inf from a thumbdrive

Anonymous said...

didn't understand a single thing... hehehe

Gianni said...

http://wiki.lepr-e.com/wiki/index.php/Ubuntu_Smtp_Server