How to smtp auth with Postfix
Howto smtp auth with Postfix (1)
Introduction
What's the problem?
If you want to relay messages from everywhere in the world using only one (your) smtp server, you usually run into trouble. The server's relay permissions check whether your IP belongs to a trusted network (e.g. a range of IP addresses). From the smtp server's point of view, you are trying to send from an untrusted network when you dial up.
This HOWTO will help you deploy a method called smtp auth in conjunction with Postfix. It explains installation, configuration and use of the software needed (Cyrus-SASL, TLS and Postfix) for this solution. Before you decide on using this method, read on to see whether you can do with less.
What are the approaches to fix this issue?
Add IP manually
Each time a user wants to relay from an IP address unknown to the system, she adds the IP to the relay net, restarts the smtp server and sends her mail. After messaging is done, she removes the IP and restarts the smtp server once more.
This is by far the most insecure solution. Though possible, you would have to permit shell access to users and teach them how to deal with the system. It won't work for those who focus on the computing and not the computer...
smtp-after-pop (pop-before-smtp)
A service/script runs on the smtp server and records the IPs of users that have successfully authenticated to their pop3 or imap server, writing them to a file or database. Since they are valid users of the pop/imap server, they must also be valid users of the smtp server. When they send messages after the pop/imap authentication, the smtp server looks up the file or database that the pop/imap server has written to, and if the IP is found there, the client may relay messages. After a certain period the IP expires and is removed from the file/database.
This will not work easily with common Mailclients, as not all of them come with built-in support for smtp-after-pop. There are workarounds on the net, but the solution may require expensive configuration and/or constant support.
smtp auth
This approach uses a totally different, IP-independent method. Instead of checking the IP of the Mailclient and comparing it to a range of permitted IP addresses, the Mailclient authenticates itself by providing a username and password to the mailserver (or by sharing a secret with it). These credentials are compared to a source that the mailserver has access to, and if valid data has been provided, the mailserver will permit relaying.
This HOWTO will help you enable Postfix to provide smtp auth using Cyrus-SASL. Read about the benefits of using smtp auth and how smtp auth is being processed before you find out which steps you will have to go through to deploy your specific smtp auth solution.
Howto smtp auth with Postfix(2)
Benefits of using smtp auth
Authentication for Mailclients
Mobile Users
1. Using smtp auth we can make it possible for clients, colleagues, and ourselves to relay messages from everywhere in the world using only one (our) smtp server.
2. When mobile, we don't have to deal with the hassle of finding an smtp server that permits us to relay.
3. Once set up, we do not have to give extra support to others to reconfigure their mailclients properly.
4. We can make use of scripts and daemons that run on our server and provide services that we need e.g. server-side virus scanning.
Corporate Network
Imagine all users are allowed to send messages to users in the local network, but only a few should be permitted to send messages to remote users. If you check by IP, the "forbidden users" simply have to use a machine with a valid IP. This is where smtp auth can also help you, as it checks for users and not IPs. You then provide smtp auth accounts only for those who may relay outbound messages and configure Postfix to reject other senders.
Authentication for Mailservers (e.g. Dial-Up smtp, Corporate Networks)
1. We can enable our smtp server to authenticate itself with other smtp servers.
2. We might use this when our ISP requires us to authenticate our (dial-up) smtp server or even connect several (dial-up) company locations to each other in order to provide safe and explicit messaging.
3. Finally we can add an extra layer of security to encrypted communication (TLS).
You want that? Understand the process of smtp auth first, before you install and configure. It will save lots of time when you need to track down a malfunction. You will know where things go wrong and be able to concentrate on that only.
Howto smtp auth with Postfix(3)
How smtp auth is processed
Authentication for Mailclients
1. A Mailclient, configured to use smtp auth, connects to its smtp server.
2. The smtp server responds and offers one or more mechanisms for authentication.
3. The Mailclient chooses a mechanism and submits data for authentication.
4. The Mailclient's data is verified by the authentication service.
5. The authentication service submits the result (valid user/invalid user) of the verification to the smtp server.
6. If the Mailclient is a valid user, the smtp server will receive message data; otherwise it will end the connection.
Authentication for Mailservers
1. A local smtp server wants to relay messages to a remote smtp server. It connects to the remote server.
2. The remote smtp server responds and offers smtp auth (one or more mechanisms for authentication) to the local server.
3. The local smtp server looks up preconfigured information that gives the username and password for the remote server.
4. It submits the given data for authentication.
5. The transmitted data is verified by the remote authentication service. It then submits the result (valid user/invalid user) of the verification to the remote smtp server.
6. If the local smtp server is a valid user the smtp server will allow the messages to be relayed; otherwise it will end the connection.
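Steps 2 to 4 of both lists above, as an added example in Python (not part of the original HOWTO): it reads the mechanisms a server offers in its EHLO reply, picks one, and builds the AUTH PLAIN response the way a Mailclient or a relaying smtp server would. The EHLO reply, host name, credentials and preference order are constructed for illustration; CRAM-MD5 stands in for any mechanism that does not send the password itself.

```python
import base64

# Constructed sample: EHLO reply of an smtp server that offers smtp auth (step 2).
SAMPLE_EHLO = (
    "250-mail.example.com\r\n"
    "250-PIPELINING\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH PLAIN LOGIN CRAM-MD5\r\n"
    "250-AUTH=PLAIN LOGIN CRAM-MD5\r\n"   # legacy form sent for some older clients
    "250 8BITMIME\r\n"
)
CLEARTEXT = {"PLAIN", "LOGIN"}                # password is only base64-encoded
PREFERENCE = ["CRAM-MD5", "PLAIN", "LOGIN"]   # assumed client preference order


def offered_mechanisms(ehlo_reply):
    """Step 2: collect the mechanisms named on the AUTH lines of the EHLO reply."""
    mechs = []
    for line in ehlo_reply.splitlines():
        if line[:3] != "250" or line[3:4] not in ("-", " "):
            continue
        words = line[4:].upper().replace("AUTH=", "AUTH ", 1).split()
        if words[:1] == ["AUTH"]:
            mechs += words[1:]
    return list(dict.fromkeys(mechs))         # de-duplicate, keep server order


def choose_mechanism(mechs, tls_active):
    """Step 3: first preferred mechanism; PLAIN/LOGIN only inside a TLS session."""
    for mech in PREFERENCE:
        if mech in mechs and (tls_active or mech not in CLEARTEXT):
            return mech
    return None                               # nothing safe to use: do not authenticate


def auth_plain_command(user, password):
    """Step 3: AUTH PLAIN carries base64(authzid NUL username NUL password)."""
    blob = "\0{}\0{}".format(user, password).encode("utf-8")
    return "AUTH PLAIN " + base64.b64encode(blob).decode("ascii")


def decode_plain_response(auth_command):
    """Step 4: what the server, or anyone reading a session without TLS, recovers."""
    blob = base64.b64decode(auth_command.split()[2])
    _authzid, user, password = blob.split(b"\0", 2)
    return user.decode("utf-8"), password.decode("utf-8")


if __name__ == "__main__":
    mechs = offered_mechanisms(SAMPLE_EHLO)
    print(mechs, choose_mechanism(mechs, tls_active=False))
    print(auth_plain_command("alice", "s3cret"))
```

Because the PLAIN response decodes back to the username and password without any key, the client in this sketch refuses PLAIN and LOGIN unless the session is already protected by TLS.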
Now that we have split Authentication for Mailclients from Authentication for Mailservers, find out next what you will need to install and configure to get each of them running. Just as important, you should read and understand the job of Cyrus-SASL in smtp auth and which of its methods and mechanisms to choose to suit your needs best.
Howto smtp auth with Postfix(4)
What do you need to offer smtp auth in Postfix?
Authentication for Mailclients
You want Postfix to authenticate incoming connections from Mailclients?
You have to go through the following steps:
1. install Cyrus-SASL
2. configure Cyrus-SASL
3. configure Postfix source-code with Cyrus-SASL support
4. build Postfix
5. (re)install Postfix
6. configure Postfix to use the SASL smtpd features
Mechanism Plain and/or Login
If you want Postfix to authenticate incoming connections from Mailclients and offer the mechanism PLAIN and/or LOGIN, we strongly recommend that you also add the use of TLS to your solution.
You have to go through the following steps:
1. install Cyrus-SASL
2. configure Cyrus-SASL
3. patch Postfix source-code to add T