# Postfix + Cyrus SASL HowTo Without MySQL

## admin-killer

I was trying to find a way to make Postfix + Cyrus-SASL + Courier-IMAP work without using MySQL per the Gentoo Guide. I could not find any documentation, so I have spent the last 3 weeks of my life trying to wade through this mess. I have finally got it to work.

The HowTo doesn't:

- Auth against /etc/shadow directly
- Tell how to set up Bind or other "required" services indirectly related to being a mail server.

The HowTo does:

- Tell how to set up multiple domains
- Tell how to add/auth against /etc/sasl2/sasldb2
- Work!

I want to post this both for future reference as well as in case some other poor soul needs the same help I did.

YMMV

Last edited by admin-killer on Fri Apr 30, 2004 7:52 am; edited 1 time in total

----------

## admin-killer

Originally from: http://killer-server.net/~mike/docs/mail.php

Sorry for any typos in advance!

Setting Up Gentoo As A Mail Server

1 - Introduction

The purpose of this document is to attempt to alleviate the headache I had trying to transition from RedHat 8 to Gentoo.

I used Postfix, Procmail, Courier-IMAP and Cyrus-SASL to accomplish this. This assumes you have a self-booting system, have networking and DNS, etc., set up properly.

Packages required to continue the installation that I reference, but do not describe how to set up, are:

nmap, sysklogd and vi or nano.

Usually, a simple "emerge nmap vi" will give you all you need.

2 - Preliminary Setup

The USE flags for /etc/make.conf that I use are:

```
USE="libwww ssl sasl apache2 apache mysql php mod_php postfix imap pop3 -mbox maildir i586 uw-imap -X -x11 -xfree -gtk -qt -gnome -kde -ssmtp"
```

Make sure to

```
bash # env-update
 * Caching service dependencies...           [ ok ]
bash #
```

2 - Emerging Packages

I found that there is a minor annoyance with Gentoo and having a default MTA program already installed.

Thus, we learn to use the -pv switch when emerging to solve this issue.

```
bash # emerge postfix procmail courier-imap -pv

These are the packages that I would merge, in order:

Calculating dependencies ...done!
[ebuild N ] net-mail/postfix-2.0.19 -ipv6 -ldap -mbox -postgres +maildir +mysql +pam +sasl +ssl 0 kB
[ebuild N ] net-mail/procmail-3.22-r6 0 kB
[ebuild N ] net-mail/courier-imap-3.0.2 +berkdb +gdbm +mysql +nls +pam -fam -ldap -postgres -(selinux) 0 kB

Total size of downloads: 0 kB
```

It is quite possible to have it look like this also:

```
bash # emerge postfix procmail courier-imap -pv

These are the packages that I would merge, in order:

Calculating dependencies ...done!
[ebuild N ] net-mail/postfix-2.0.19 -ipv6 -ldap -mbox -postgres +maildir +mysql +pam +sasl +ssl 0 kB
[ebuild N ] net-mail/ssmtp-2.48 0 kB
[ebuild N ] net-mail/procmail-3.22-r6 0 kB
[ebuild N ] net-mail/courier-imap-3.0.2 +berkdb +gdbm +mysql +nls +pam -fam -ldap -postgres -(selinux) 0 kB

Total size of downloads: 0 kB
```

The ssmtp is the problem child. If it's the first "compile" that you've ever done for Postfix, it is likely that it will be there.

You know it will be a problem if it compiles after Postfix, since it will overwrite Postfix's binaries with ssmtp binaries.

Don't worry about version numbers. If you are upgrading, it will have an R instead of N.

The same goes for total download size. That's just how much needs to get downloaded.

Ok, we'll worry about that ssmtp a little later, but we'll assume you'll have the second listing.

Go ahead and:

```
bash # emerge postfix procmail courier-imap
```

It will start the compile process. How long depends on processor speed. On my P2/400MHz/96MB RAM it took about an hour.

```
bash # etc-update
```

and it should spit out a bunch of options. Hit

-5

(as in the hyphen and number 5)

to auto-merge all these files.

Remember that ssmtp? Well, now we get rid of it. For some reason, if you set up Gentoo, it defaults to no MTA (Postfix, Sendmail, QMail, Exim, etc) and uses ssmtp for local mail delivery. There may be a way to set up ssmtp as an Internet MTA, but that's not why we are here. Thus,

```
bash # emerge unmerge ssmtp
```

and away it goes. But since it was compiled/installed after Postfix, we have to re-compile Postfix.

```
bash # emerge postfix
```

Now that we have wasted our time a little, let's configure this beast to do our dirty work.

3 - Postfix Configuration

Well, we got all the programs installed and ready to go.

We'll start with Postfix

bash # vi /etc/postfix/main.cf

```
# main.cf for postfix
# mk - GPL

# set to your Fully Qualified Domain Name (FQDN)
myhostname = tux.com
# set to your FQDN
mydomain = tux.com
# Set localhost names, as well as ALL your hostnames (eg, tux.com, bob.org, etc)
mydestination = $mydomain, $myhostname, localhost.$mydomain, penguin.org, tux.com
myorigin = $mydomain

# Set localhost, external ip(s). Also, use the btree part for drac pop-before-smtp
# Use one of the following lines depending on if you want dracd pop-before-smtp
mynetworks = 127.0.0.0/8, XXX.XXX.XXX.XXX
#mynetworks = 127.0.0.0/8, XXX.XXX.XXX.XXX, btree:/var/lib/drac/drac

# $mydestination should take care of hosts, but I set it the same, just in case..
relay_domains = $mydestination, penguin.org, tux.com

# Point it to the HASHED alias map
alias_maps = hash:/etc/postfix/aliases

default_transport = smtp
default_privs = nobody
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
mailbox_command = /usr/bin/procmail

# Change the next lines if you want older mbox-style mail spooling for users. CHOOSE ONLY ONE!
# Use for mbox-style. This will create the new mail spool for users in /var/spool/mail/$user
#mail_spool_directory = /var/spool/mail
# Use for maildir. This will create the maildir in /home/$user/.maildir
home_mailbox = .maildir/

# how many people can connect and suck up bandwidth at a time
local_destination_concurrency_limit = 3
# How many outgoing connections at a time
default_destination_concurrency_limit = 10

# How verbose the debug level will be. Keep it to this while setting up Postfix, then change it down later
debug_peer_level = 2

# USE FOR SASL2 - make sure to add users to sasldb with the following line:
# saslpasswd2 -c -u your.hostname.org -a smtpauth username
# and check which users are in the database with:
# sasldblistusers2
# Verify ALL users for ALL domains are added

# what type of authentication to use
pwcheck_method = saslauthd

# enable sasl-authentication version 1 & 2
smtpd_sasl_auth_enable = yes
smtpd_sasl2_auth_enable = yes

# Stupid clients, like Outlook Express, need this
broken_sasl_auth_clients = yes

# Security stuff I mostly have no idea what it does EXCEPT permit_sasl_authenticated is NEEDED!!!
smtpd_recipient_restrictions = permit_mynetworks, check_client_access hash:/etc/postfix/access, permit_sasl_authenticated, check_relay_domains

# Point it to the HASHED access map
smtpd_sender_restrictions = hash:/etc/postfix/access

# Use for POP/IMAP before SMTP
#smtpd_recipient_restrictions = permit_mynetworks, reject_non_fqdn_recipient, check_client_access btree:/var/lib/drac/drac, reject_unauth_destination
```

If you notice, I have two domains declared: penguin.org and tux.com. I also have my external IP address declared: XXX.XXX.XXX.XXX

MAKE SURE TO DECLARE ALL DOMAINS HOSTED ON YOUR BOX AND YOUR EXTERNAL IP(s)

Separate all values with commas. I also prefer /home/*/.maildir for local delivery (compared to uw-imap mbox format).

Also, note the btree:/var/lib/drac/drac in the mynetworks declaration and check_client_access btree:/var/lib/drac/drac in the smtpd_recipient_restrictions declaration. This is for pop/imap before smtp. I don't usually even bother setting it up, but if you are having problems with SASL-Auth, it is an alternative authentication method.

Now, we'll tell Postfix to dump as much as possible in the debug log

bash # vi /etc/postfix/master.cf

```
smtp        inet     n     -     n     -     -     smtpd  -v
```

All we did is add a -v to the end of the line to tell Postfix to give verbose debugging output.

Now we generate the aforementioned /etc/postfix/aliases and /etc/postfix/access hash databases

bash # vi /etc/postfix/aliases

```
#
# @(#)aliases 8.2 (Berkeley) 3/5/94
#
# Aliases in this file will NOT be expanded in the header from
# Mail, but WILL be visible over networks or from /bin/mail.
#
# >>>>>>>>>> The program "bash# postalias aliases" must be run after
# >> NOTE >> this file is updated for any changes to
# >>>>>>>>>> show through to sendmail.
#

# Basic system aliases -- these MUST be present.
mailer-daemon: postmaster
postmaster: root

# General redirections for pseudo accounts.
bin: root
daemon: root
adm: root
lp: root
sync: root
shutdown: root
halt: root
mail: root
news: root
uucp: root
operator: root
games: root
gopher: root
ftp: root
nobody: root
apache: root
named: root
xfs: root
gdm: root
mailnull: root
postgres: root
squid: root
rpcuser: root
rpc: root
ingres: root
system: root
toor: root
manager: root
dumper: root
abuse: root
newsadm: news
newsadmin: news
usenet: news
ftpadm: ftp
ftpadmin: ftp
ftp-adm: ftp
ftp-admin: ftp

# trap decode to catch security attacks
decode: root

# Person who should get root's mail
root: mike@tux.com

# Format pseudo-user: realuser@domain.com
# example
# somebody: theotherguy@tux.com
```

Now we hash it to be usable by Postfix

```
bash # postalias /etc/postfix/aliases
```

bash # vi /etc/postfix/access

```
localhost RELAY
tux.com RELAY
penguin.org RELAY
127.0.0.1 RELAY
XXX.XXX.XXX.XXX RELAY
```

```
bash # postmap hash:/etc/postfix/access
```

And that should have those tables/databases set up properly. If it whines about not finding the file, etc., you may have to change into the /etc/postfix directory.

We'll also check /etc/procmailrc to verify it will send mail to /home/$user/.maildir/ like we want it to.

bash # vi /etc/procmailrc

```
# Use maildir-style mailbox in user's home directory
DEFAULT=$HOME/.maildir/
```

We'll double check our work right here to make sure it works properly.

The commands we enter are the lines without a three-digit status code; the responses given by the server are the numbered lines.

```
bash # /etc/init.d/postfix start
 * Starting postfix...                     [ ok ]
bash # telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 tux.com ESMTP Postfix
ehlo tux.org
250-tux.org
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH CRAM-MD5 DIGEST-MD5 LOGIN PLAIN NTLM
250-AUTH=CRAM-MD5 DIGEST-MD5 LOGIN PLAIN NTLM
250-XVERP
250 8BITMIME
mail from: root
250 Ok
rcpt to:root@localhost
250 Ok
data
354 End data with <CR><LF>.<CR><LF>
blah blah blah.
.
250 Ok: queued as 59C9F3A685
quit
221 bye
Connection closed by foreign host.
```

```
bash # more /home/mike/.maildir/new/*.tux.org
Return-Path: <root@tux.org>
X-Original-To: root@localhost
Delivered-To: root@localhost.tux.org
Received: from tux.org (localhost [127.0.0.1])
        by tux.org (Postfix) with ESMTP id 3064E2072D
        for <root@localhost>; Thu, 29 Apr 2004 20:48:23 +0000 (Local time zone must be set--see zic manual page)
Message-Id: <20040429204823.3064E2072D@tux.org>
Date: Thu, 29 Apr 2004 20:48:23 +0000 (Local time zone must be set--see zic manual page)
From: root@tux.org
To: undisclosed-recipients:;

blah blah blah
```

And we should see the message we have just sent!

NOTE: In the above example, tux.org is the domain we are setting up Postfix for. The user mike is who is designated to get root mail per /etc/postfix/aliases

4 - Courier-IMAP Configuration

Lucky for us, Courier-IMAP is setup right out of the box for us. If we want to tinker and add drac, ssl, etc, then

we have to make a couple changes. BUT, we don't want to right now, so:

```
bash # /etc/init.d/courier-imapd start
 * Starting authdaemond.plain...         [ ok ]
 * Starting courier-imapd...             [ ok ]
bash # /etc/init.d/courier-pop3d start
 * Starting courier-pop3d...             [ ok ]
bash # nmap -vv 127.0.0.1

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-04-29 21:14 Local time zone must be set--see zic manual page
Host localhost (127.0.0.1) appears to be up ... good.
Initiating SYN Stealth Scan against localhost (127.0.0.1) at 21:14
Adding open port 22/tcp
Adding open port 25/tcp
Adding open port 110/tcp
Adding open port 143/tcp
The SYN Stealth Scan took 2 seconds to scan 1659 ports.
Interesting ports on localhost (127.0.0.1):
(The 1655 ports scanned but not shown below are in state: closed)
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
110/tcp open  pop3
143/tcp open  imap

Nmap run completed -- 1 IP address (1 host up) scanned in 1.521 seconds
```

We now see that we have port 22 (OpenSSH), port 25 (Postfix), port 110 (Courier-POP3D) and 143 (Courier-IMAPD) open.

Good. Run nmap again on your external IP to verify your firewall is letting it through. If the report is not similar to the above,

STOP NOW AND FIX YOUR FIREWALL!

5 - Cyrus-SASL Configuration

This is the part that took me the better part of 2 weeks to figure out. You'll now blow through this part in about 3 minutes.

First, we change the authentication type.

bash # vi /etc/sasl2/smtp

```
# $Header: /home/cvsroot/gentoo-x86/net-mail/postfix/files/smtp.sasl,v 1.1 2003/09/24 05:08:51 max Exp $
# Use for another type of authentication
#pwcheck_method: pam
pwcheck_method: saslauthd
mech_list: LOGIN PLAIN
```

bash # vi /etc/conf.d/saslauthd

```
# Copyright 1999-2004 Gentoo Technologies, Inc.
# Distributed under the terms of the GNU General Public License v2
# $Header: /home/cvsroot/gentoo-x86/dev-libs/cyrus-sasl/files/saslauthd.conf,v 1.2 2004/03/04 18:36:16 vapier Exp $

# Config file for /etc/init.d/saslauthd

# Authentications mechanism (for list see saslauthd -v)
SASL_AUTHMECH=shadow

# Hostname for remote IMAP server (if rimap auth mech is used)
SASL_RIMAP_HOSTNAME=""

# Honour time-of-day login restrictions (if shadow auth mech is used)
# Make this ="" to turn it off. Putting =no will turn it on!
SASL_TIME_OF_DAY_LOGIN_RESTRICTIONS=yes

# Tack the above options together
[ -n ${SASL_AUTHMECH} ] && \
	SASLAUTHD_OPTS="-a ${SASL_AUTHMECH}"
#[ -n ${SASL_RIMAP_HOSTNAME} ] && \
#	SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -H ${SASL_RIMAP_HOSTNAME}"
#[ -n ${SASL_TIME_OF_DAY_LOGIN_RESTRICTIONS} ] && \
#	SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -T"
```

```
bash # /etc/init.d/saslauthd start
 * Stopping saslauthd...           [ ok ]
bash # telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 tux.com ESMTP Postfix
ehlo tux.org
250-tux.org
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH CRAM-MD5 DIGEST-MD5 LOGIN PLAIN NTLM
250-AUTH=CRAM-MD5 DIGEST-MD5 LOGIN PLAIN NTLM
250-XVERP
250 8BITMIME
auth login
334 s3SdfgkdfF
quit
221 bye
Connection closed by foreign host.
```

The above tells us it was fine with the authentication by login, and Postfix issued an encrypted challenge. If we knew the response, we could log in, but that's where it gets messy.

5 - Cyrus-SASL Database

This is where we hope this is a clean install on a new server with no users, or the admin knows the users/passwords for the entire system.

If neither is true, bummer. But, if you are lucky and vigilant, you might be able to swipe the user/passwords from "failed" login attempts. Fire up your email client and set up the account(s). Then make sure to enable SMTP authentication (a check box usually). Try to send an email to a server outside your network and watch the log file for the info:

```
bash # less /var/log/mail.info
Apr 29 21:53:22 tux.com postfix/smtpd[31073]: smtpd_sasl_authenticate: sasl_method LOGIN
Apr 29 21:53:22 tux.com postfix/smtpd[31073]: smtpd_sasl_authenticate: uncoded challenge: Username:
Apr 29 21:53:22 tux.com postfix/smtpd[31073]: > unknown[192.0.3.10]: 334 VXNlsd5hbWU6
Apr 29 21:53:22 tux.com postfix/smtpd[31073]: < unknown[192.0.3.10]: bWlaE4Q==
Apr 29 21:53:22 tux.com postfix/smtpd[31073]: smtpd_sasl_authenticate: decoded response: bob
Apr 29 21:53:22 tux.com postfix/smtpd[31073]: smtpd_sasl_authenticate: uncoded challenge: Password:
Apr 29 21:53:22 tux.com postfix/smtpd[31073]: > unknown[192.0.3.10]: 334 UGFzc3d84rQ6
Apr 29 21:53:22 tux.com postfix/smtpd[31073]: < unknown[192.0.3.10]: cmVsbG7yhrjI=
Apr 29 21:53:22 tux.com postfix/smtpd[31073]: smtpd_sasl_authenticate: decoded response: tomato
Apr 29 21:53:22 tux.com postfix/smtpd[31073]: warning: unknown[192.0.3.10]: SASL LOGIN authentication failed
Apr 29 21:53:22 tux.com postfix/smtpd[31073]: > unknown[192.0.3.10]: 535 Error: authentication failed
```

If you get the above, and have decoded the username and password correctly - WOOHOO!

Obviously, you need to either create an account to test this with, or have one with a known user/password combination.

If you did not get the above decoded correctly - bummer for you.

Now we just need to add the user(s) to the sasldb in /etc/sasl2/sasldb2

```
bash # saslpasswd2 -c -u tux.com -a smtpauth bob
Password:
Again (for verification):
```

We use the program saslpasswd2 to append to the database. The switch -c = create, -u = domain name (per the $mydestination in /etc/postfix/main.cf), -a = type of program using the database, with "bob" being the username.

If ever you need to delete a user, issue the command:

```
bash # saslpasswd2 -d -u tux.com -a smtpauth bob
```

The -d = delete user from this domain and program access.

NOTE: Be sure to add ALL users with ALL possible domains to the SASL database. Otherwise, well, goofy things will happen.

To check to see who is in the database and which domains they may use to authenticate themselves with, use:

```
bash # sasldblistusers2
bob@tux.com: userPassword
mary@penguin.org: userPassword
mary@tux.com: userPassword
guy@tux.com: userPassword
bob@penguin.org: userPassword
```

As we can see, users bob and mary can use either domain (tux.com or penguin.org) to authenticate themselves with. However, user guy can only use tux.com because the admin is lazy OR the admin only wants user guy to have mail going out of tux.com.

With all this set up, let's send that email again from our email client that failed on authentication earlier.

```
bash # less /var/log/mail.info
Apr 29 22:11:53 tux.com postfix/smtpd[32561]: < unknown[192.0.3.10]: AUTH LOGIN
Apr 29 21:53:22 tux.com postfix/smtpd[31073]: smtpd_sasl_authenticate: sasl_method LOGIN
Apr 29 21:53:22 tux.com postfix/smtpd[31073]: smtpd_sasl_authenticate: uncoded challenge: Username:
Apr 29 21:53:22 tux.com postfix/smtpd[31073]: > unknown[192.0.3.10]: 334 VXNlsd5hbWU6
Apr 29 21:53:22 tux.com postfix/smtpd[31073]: < unknown[192.0.3.10]: bWlaE4Q==
Apr 29 21:53:22 tux.com postfix/smtpd[31073]: smtpd_sasl_authenticate: decoded response: bob
Apr 29 21:53:22 tux.com postfix/smtpd[31073]: smtpd_sasl_authenticate: uncoded challenge: Password:
Apr 29 21:53:22 tux.com postfix/smtpd[31073]: > unknown[192.0.3.10]: 334 UGFzc3d84rQ6
Apr 29 21:53:22 tux.com postfix/smtpd[31073]: < unknown[192.0.3.10]: cmVsbG7yhrjI=
Apr 29 21:53:22 tux.com postfix/smtpd[31073]: smtpd_sasl_authenticate: decoded response: tomato
Apr 29 22:11:53 tux.com postfix/smtpd[32561]: > unknown[192.0.3.10]: 235 Authentication successful
Apr 29 22:11:53 tux.com postfix/smtpd[32561]: watchdog_pat: 0x8096d20
Apr 29 22:11:53 tux.com postfix/smtpd[32561]: < unknown[192.0.3.10]: MAIL FROM: [bob@tux.com]
[.... other stuff ....]
Apr 29 22:12:01 tux.com postfix/smtp[32565]: 134923A685: to=[tester@anotherserver.org], relay=anotherserver.org[74.3.20.2], delay=7, status=sent (250 2.0.0 i3U5Kljj086445 Message accepted for delivery)
```

If you see the above line "status=sent", then you have successfully setup Postfix with SASL-Auth!

If you don't get the above line "status=sent", then you get to google it on your own.

Did I mention to be sure to add these programs to the default runlevel?

```
bash # rc-update add postfix default
 * postfix added to runlevel default
 * Caching service dependencies...            [ ok ]
 * rc-update complete.
bash # rc-update add courier-pop3d default
 * courier-pop3d added to runlevel default
 * Caching service dependencies...            [ ok ]
 * rc-update complete.
bash # rc-update add courier-imapd default
 * courier-imapd added to runlevel default
 * Caching service dependencies...            [ ok ]
 * rc-update complete.
bash # rc-update add saslauthd default
 * saslauthd added to runlevel default
 * Caching service dependencies...            [ ok ]
 * rc-update complete.
bash # rc-update show
```

The last command "rc-update show" will list all the program startups scripts in /etc/init.d/ and if/where their runlevel(s).

I have found a few hacks along the way that are useful, but not what I wanted as far as features and default operation. But, I'll be a nice guy and cover them anyway.

6 - Drac POP/IMAP Before SMTP

Dynamic Relay Authorization Control - "Drac"

Before I could get SASL to work properly, I found this "hack" to allow a user to check their email, then have a ~5 minute window to send email.

I didn't care for it, since sometimes writing an email takes longer than 5 minutes. Then one has to jump through a couple of hoops to get email sent.

The scenario went sorta like this:

Check email -> write email (but it takes longer than 5 minutes) -> send email -> won't authenticate -> check email -> send email.

I personally found it kinda annoying, plus my users did as well. Luckily, I came across other fixes to help alleviate the problem. But just for fun we'll set it up.

```
bash # emerge drac -pv

These are the packages that I would merge, in order:

Calculating dependencies ...done!
[ebuild N ] net-mail/drac-1.12-r1 -debug 0 kB

Total size of downloads: XX kB

bash # emerge drac
```

And it should happily compile away and create /etc/init.d/dracd

We now need to install drac-add:

```
bash # wget http://venus.tripadelic.com/ebuilds/sources/drac-add.c.gz
bash # gunzip drac-add.c.gz
bash # gcc -o drac-add drac-add.c -L/usr/sbin/drac -ldrac -mcpu=i686 -march=i686 -Os -fomit-frame-pointer -fstack-protector -pipe
bash # strip drac-add
bash # cp drac-add /usr/lib/courier-imap/authlib/
```

Well, that compiled and installed drac and drac-add. Now we need to tell Postfix and Courier-IMAP to use it. We'll add "drac-add" to the "AUTHMODULES=" line in /etc/courier-imap/imapd and /etc/courier-imap/pop3d.

bash # vi /etc/courier-imap/imapd

```
AUTHMODULES="authdaemon drac-add"
```

bash # vi /etc/courier-imap/pop3d

```
AUTHMODULES="authdaemon drac-add"
```

That will tell imap/pop3 to be on the lookout and notify Postfix when a login occurs. Now we need to tell Postfix to allow smtp-after-pop/imap. We add

btree:/var/lib/drac/drac

to the mynetworks and smtpd_recipient_restrictions lines and Postfix knows what to do from there.

bash # vi /etc/postfix/main.cf

```
mynetworks = 127.0.0.0/8, XXX.XXX.XXX.XXX, btree:/var/lib/drac/drac
smtpd_recipient_restrictions = permit_mynetworks, reject_non_fqdn_recipient, check_client_access btree:/var/lib/drac/drac, reject_unauth_destination
```

The above lines are commented out in my SASL-auth /etc/postfix/main.cf. If you use the Drac-auth option as well as SASL-auth I have no idea what the results will be.

I would recommend using one or the other at any given time in the configuration file.

```
bash # rc-update add dracd default
 * dracd added to runlevel default
 * Caching service dependencies...            [ ok ]
 * rc-update complete.
bash # rc-update show
```

That's it! Now, just make sure to POP or IMAP before SMTP and it should work.

In case it doesn't, reference this forum post:

Gentoo Drac HowTo

https://forums.gentoo.org/viewtopic.php?t=151637&highlight=drac+postfix

7 - Gateway Mail Server

Ok, this was really my first attempt at Postfix. And it worked. In fact, I used this for about 2 weeks while I troubleshot the silly SASL-auth. Sadly, it has its inherent dangers. I have no idea how well it would hold up against header spoofing. I'd imagine that would be kinda hard to pull off, but I never really tried, nor did anyone try while I had the mail server running like this. The reason I prefer SASL-auth is I have remote users that connect to the server via other dialup services. I would therefore, due to security checks in Postfix, have to declare their IP or their subnet. Since dialup ISPs usually use a round-robin system for IP assigning, it would be nearly impossible to figure out the client IP without hacked-up scripting. What a headache. That would leave the other option: declare the entire subnet. As you can imagine, that makes for a giant headache when someone on the subnet figures out what's going on and uses the server maliciously for spamming. So, I will tell how I got it to work, but I would not recommend this as a final configuration.

We basically declare the IPs that we are allowing to relay through this host (relay as defined as the user has a legal account AND has email destined for another domain)

We basically declare the IP's that we are allowing to relay though this host (relay as defined as the user has a legal account AND has email destined for another domain)

bash # vi /etc/postfix/main.cf

```
mynetworks = 127.0.0.0/8, 40.34.3.5, 76.5.223.0/24, 66.45.128.7
```

What we have just done is declared that we will allow:

- localhost to connect (127.0.0.0/8)
- IP 40.34.3.5 (maybe our external interface?)
- IP range 76.5.223.0-255 (76.5.223.0/24)
- IP 66.45.128.7 (another static IP DSL user who uses our mail server perhaps?)

NOTE: Replace your IP(s) you wish to declare with the appropiate IP(s) and subnet(s)

This actually seemed to work very well if I were a small ISP with all the mail coming through the computer as a gateway, and I could declare only subnets I controlled.

Also, relaying is dependent on 2 factors:

1. A REAL user trying to connect
2. An ALLOWED IP or subnet that the above user is connecting from.

If both are true, then the mail is "relayed" through the server to the appropriate domain. "Authentication" was based off client/IP, regardless of the user's password. Thus, checking the "Use SMTP Authentication" box in the email client did not work unless SASL-Auth was properly set up. Then it became almost a redundancy.

Of course, if you use this method, make sure to It's messy, but it worked.
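The log excerpt in the SASL section above ("decoded response: tomato") shows the security point of this how-to better than any warning could: with `-v` on the smtpd line in master.cf, every AUTH LOGIN or AUTH PLAIN password is written to mail.info in clear text, and because LOGIN and PLAIN only base64-encode the credentials, anyone who can watch the connection to port 25 reads them just as easily. The following added example, which is not code from the original post, shows in POSIX sh how those tokens are built and decoded, counts the leaked responses in a constructed log excerpt in the post's format, and checks a master.cf listener line for the `-v` flag so it can be removed once authentication works. The user name bob and password tomato are assumed test values, as is the 192.0.3.10 client address.

```shell
#!/bin/sh
# Added example, not code from the original post: build the base64 tokens an
# SMTP client sends for AUTH PLAIN / AUTH LOGIN, decode the ones that show up
# in the log, and check for the two things the post's own log excerpt reveals:
# "smtpd -v" writes decoded passwords to mail.info, and it is master.cf that
# turns that on. Needs only POSIX sh and the coreutils base64 command.
# User name, password and client address below are constructed test values.

# AUTH PLAIN: one token, NUL authzid NUL authcid NUL password, base64-encoded.
sasl_plain_token() {
    printf '\000%s\000%s' "$1" "$2" | base64 | tr -d '\n'
}

# AUTH LOGIN: the server's "Username:"/"Password:" prompts and the client's
# answers each travel as a separate base64 line, nothing more.
sasl_login_token() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode a token as it appears in the log; NUL separators are shown as '|'.
sasl_decode_token() {
    printf '%s' "$1" | base64 -d | tr '\000' '|'
}

# Constructed excerpt in the format the post shows for a failed AUTH LOGIN.
SAMPLE_LOG='Apr 29 21:53:22 tux.com postfix/smtpd[31073]: smtpd_sasl_authenticate: sasl_method LOGIN
Apr 29 21:53:22 tux.com postfix/smtpd[31073]: > unknown[192.0.3.10]: 334 VXNlcm5hbWU6
Apr 29 21:53:22 tux.com postfix/smtpd[31073]: < unknown[192.0.3.10]: Ym9i
Apr 29 21:53:22 tux.com postfix/smtpd[31073]: smtpd_sasl_authenticate: decoded response: bob
Apr 29 21:53:22 tux.com postfix/smtpd[31073]: > unknown[192.0.3.10]: 334 UGFzc3dvcmQ6
Apr 29 21:53:22 tux.com postfix/smtpd[31073]: < unknown[192.0.3.10]: dG9tYXRv
Apr 29 21:53:22 tux.com postfix/smtpd[31073]: smtpd_sasl_authenticate: decoded response: tomato
Apr 29 21:53:22 tux.com postfix/smtpd[31073]: warning: unknown[192.0.3.10]: SASL LOGIN authentication failed'

# Every "decoded response:" line is a user name or password written in clear text.
count_leaked_responses() {
    printf '%s\n' "$1" | grep -c 'smtpd_sasl_authenticate: decoded response:'
}

# Anyone who can read the log (or sniff port 25, since LOGIN/PLAIN are not
# encrypted) recovers the same values from the base64 client lines alone.
recover_login_from_log() {
    printf '%s\n' "$1" | sed -n 's/.*< unknown\[[^]]*\]: //p' | while read -r tok; do
        sasl_decode_token "$tok"; printf '\n'
    done | paste -s -d : -
}

# True if a master.cf smtp listener line still has the -v debugging flag on smtpd.
smtpd_verbose_enabled() {
    printf '%s\n' "$1" | grep -Eq '^smtp[[:space:]]+inet[[:space:]].*[[:space:]]smtpd[[:space:]].*-v([[:space:]]|$)'
}

# Stand-alone run.
printf 'AUTH PLAIN token for bob/tomato: %s\n' "$(sasl_plain_token bob tomato)"
printf 'credentials recovered from log : %s\n' "$(recover_login_from_log "$SAMPLE_LOG")"
printf 'clear-text responses logged    : %s\n' "$(count_leaked_responses "$SAMPLE_LOG")"
```

Running the file prints the AUTH PLAIN token, which you can paste after `AUTH PLAIN` in a telnet session like the ones above to test a sasldb entry without a mail client. Once `status=sent` shows up in the log, take `-v` off the smtpd line in master.cf and restart Postfix; the decoded responses stop appearing. Offering AUTH on port 25 without TLS still puts the clear-text credential on the wire, which is the other half of the same caveat.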

----------

## ikaro

wrong forum.

----------

## admin-killer


Which forum should I post it under?

----------

## BlinkEye

*ikaro wrote:*

> wrong forum.

very useful and constructive comment.

@admin-killer: thanks a lot for this guide

----------

## barrct

I've been trying to authenticate for 3 days now and after going through pages of forums, I thought to add the -v in master. While I was in there I added an option as well. This has finally gotten me up and running to auth to send, and to happily receive.

```
/etc/postfix/master.cf
```

and add

```
-o smtpd_sasl_auth_enable=yes
```

onto the smtpd line (first one), then kill the client restrictions so that any network can deliver to me, but still use

```
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
```

Anyone want to tell me that that will make me an open relay and give me a slight mod to fix it?
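Whether barrct's list above (`permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination`) makes an open relay comes down to how smtpd walks smtpd_recipient_restrictions: the restrictions are tried left to right, the first one that returns a permit or reject decides, and a client that reaches the end of the list without a decision is permitted. The following added example, which is not code from the thread or from Postfix, models that walk in POSIX sh for the restriction list from the how-to, barrct's list, and a list with the destination check left out, so you can see which one relays for an unauthenticated stranger. The domain lists, client flags and recipient addresses are constructed test values; `check_client_access` maps are treated as having no matching entry, and domain matching is exact rather than subdomain-aware.

```shell
#!/bin/sh
# Added example, not code from the thread or from Postfix: model how smtpd
# walks smtpd_recipient_restrictions (first match wins, trailing default is
# permit) and check which lists from this thread relay for strangers.
# Domain lists, client flags and addresses below are constructed test values.

MYDESTINATION="tux.com penguin.org localhost localhost.tux.com"
RELAY_DOMAINS="$MYDESTINATION"

# The three lists under discussion.
LIST_POST="permit_mynetworks, check_client_access hash:/etc/postfix/access, permit_sasl_authenticated, check_relay_domains"
LIST_BARRCT="permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination"
LIST_OPEN="permit_sasl_authenticated, permit_mynetworks"   # no destination check at all

# in_list WORD "space separated words": exact match only (no subdomain logic).
in_list() {
    for il_w in $2; do
        if [ "$il_w" = "$1" ]; then return 0; fi
    done
    return 1
}

# Is this recipient domain one we deliver or relay for?
authorized_destination() {
    in_list "$1" "$MYDESTINATION" || in_list "$1" "$RELAY_DOMAINS"
}

# evaluate_restrictions LIST IN_MYNETWORKS(y/n) SASL_AUTHED(y/n) RECIPIENT
# Prints permit or reject, following the first restriction that decides.
evaluate_restrictions() {
    er_list=$1; er_nets=$2; er_authed=$3; er_domain=${4#*@}
    for er_r in $(printf '%s' "$er_list" | tr ',' ' '); do
        case $er_r in
            permit_mynetworks)
                if [ "$er_nets" = y ]; then echo permit; return; fi ;;
            permit_sasl_authenticated)
                if [ "$er_authed" = y ]; then echo permit; return; fi ;;
            reject_unauth_destination)
                # rejects outside destinations, otherwise makes no decision
                if ! authorized_destination "$er_domain"; then echo reject; return; fi ;;
            check_relay_domains)
                # older form: permit our destinations, reject everything else
                if authorized_destination "$er_domain"; then echo permit; else echo reject; fi
                return ;;
            reject_non_fqdn_recipient)
                case $er_domain in *.*) ;; *) echo reject; return ;; esac ;;
            check_client_access|hash:*|btree:*)
                ;;   # access map with no matching entry: no decision, keep walking
            permit) echo permit; return ;;
            reject) echo reject; return ;;
        esac
    done
    echo permit   # end of list: the default
}

# is_open_relay LIST: true if an unauthenticated client outside mynetworks
# gets a permit for a recipient in a domain we do not serve.
is_open_relay() {
    [ "$(evaluate_restrictions "$1" n n someone@example.org)" = permit ]
}

# Stand-alone run: show the verdicts for the three lists.
for name in LIST_POST LIST_BARRCT LIST_OPEN; do
    eval "list=\$$name"
    if is_open_relay "$list"; then verdict="OPEN RELAY"; else verdict="ok"; fi
    printf '%-12s stranger->outside: %-6s  stranger->local: %-6s  authed->outside: %-6s  %s\n' \
        "$name" \
        "$(evaluate_restrictions "$list" n n someone@example.org)" \
        "$(evaluate_restrictions "$list" n n bob@tux.com)" \
        "$(evaluate_restrictions "$list" n y someone@example.org)" \
        "$verdict"
done
```

The thing to notice in the output is that barrct's list is not an open relay: `reject_unauth_destination` refuses any recipient outside $mydestination and $relay_domains before the default permit is reached, while inbound mail for tux.com still gets through and an authenticated client is still allowed out. Drop that term (LIST_OPEN) and the same list relays for anyone. The equivalent check against a live server is an unauthenticated `RCPT TO:` for an outside domain on port 25, which should be answered with 554 Relay access denied.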

----------

## jkcunningham

For future reference, the ssmtp binary is added in the original install as a dependency to vixie-cron (and maybe the other crons as well). If you want to never have to bother removing it, emerge postfix before emerging vixie-cron way back in the beginning. Vixie-cron notices it has an MTA and doesn't bother. 

And if you forget, all you have to do is remove ssmtp before emerging postfix and all is well. 

-Jeff

----------

