Basic Postfix authentication over SSL (SASL + TLS)
As you might know, Postfix is a really big piece of software that can deal with very complex situations. Mortals like me (software developers are mortals, sysadmins are not) only have to handle simple scenarios involving a few email accounts. So, basically, my need is to restrict email submission to users authenticated over a secure connection.
Postfix can use many underlying authentication systems. I just needed the SMTP sender accounts to be in sync with the Unix accounts (same user/pass).
The procedure below has been tested with Postfix 2.2.x under CentOS.
1) Postfix conf
Edit /etc/postfix/main.cf and add these new directives:
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_application_name = smtpd
Search for the smtpd_recipient_restrictions directive and add permit_sasl_authenticated (it must come before reject_unauth_destination). It should look like:
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unauth_destination,
reject_unauth_pipelining,
reject_invalid_hostname
2) SASL conf
Check that the cyrus-sasl RPMs are installed on your system; if not, run yum install cyrus-sasl and yum install cyrus-sasl-plain.
Create it if needed and edit /usr/lib/sasl2/smtp.conf:
# the saslauthd daemon must be running for this check against the system accounts to work
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
3) TLS security
We might stop here and jump to step 4, but we don't: this solution is totally insecure, because the authentication data is sent over the network without being encrypted.
The added security of using SSL to encrypt transfers is worth another little effort.
Edit main.cf again and add:
# offer AUTH only inside a TLS session, so the password never crosses the wire in clear text
smtpd_tls_auth_only = yes
# the MUAs in this setup authenticate with a password, not a client certificate, so do not require one
smtpd_tls_req_ccert = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/tls/privkey.pem
smtpd_tls_cert_file = /etc/postfix/tls/cert.pem
# the self-signed certificate generated below acts as its own CA
smtpd_tls_CAfile = /etc/postfix/tls/cert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
Then we need to generate the SSL certificate and private key:
cd /etc/postfix
mkdir tls
cd tls
# self-signed certificate valid for 10 years; -nodes leaves the key unencrypted so Postfix can read it at startup,
# -keyout names the key file explicitly (paths must match smtpd_tls_key_file / smtpd_tls_cert_file above)
openssl req -new -x509 -nodes -keyout privkey.pem -out cert.pem -days 3650
chmod 600 *
4) Final step
service postfix reload
Configure your MUA (Mail User Agent, e.g. Thunderbird) accordingly (user/pass, with STARTTLS enabled).
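To confirm from the outside that the setup behaves as intended, here is an added Python script (not part of this how-to) that connects to the server, reads the EHLO capabilities before and after STARTTLS, and reports whether AUTH is advertised only on the encrypted connection, as smtpd_tls_auth_only = yes requires. The host name mail.example.com and the two sample EHLO responses are constructed; pass the server's cert.pem as cafile since the certificate is self-signed.

```python
"""Verify that a Postfix server offers AUTH only after STARTTLS (smtpd_tls_auth_only = yes)."""
import smtplib
import ssl
import sys

# Constructed EHLO responses, in the form smtplib.SMTP.ehlo() returns them
# (one capability per line), for a server configured as in this how-to.
EHLO_PLAINTEXT = b"mail.example.com\nPIPELINING\nSIZE 10240000\nSTARTTLS\n8BITMIME"
EHLO_AFTER_TLS = b"mail.example.com\nPIPELINING\nSIZE 10240000\nAUTH PLAIN LOGIN\n8BITMIME"


def auth_mechs(ehlo_msg):
    """Return the set of SASL mechanisms advertised in an EHLO response."""
    mechs = set()
    for line in ehlo_msg.decode("ascii", "replace").splitlines():
        cap = line.upper()
        # accept both "AUTH PLAIN LOGIN" and the legacy "AUTH=PLAIN LOGIN" form
        if cap.startswith("AUTH ") or cap.startswith("AUTH="):
            mechs.update(cap[4:].lstrip("= ").split())
    return mechs


def verdict(before, after):
    """Classify the mechanism sets seen before and after STARTTLS."""
    if before:
        return "FAIL: AUTH %s offered in clear text; set smtpd_tls_auth_only = yes" % " ".join(sorted(before))
    if not after:
        return "FAIL: no AUTH after STARTTLS; check smtpd_sasl_auth_enable and smtp.conf"
    return "OK: AUTH %s offered only after STARTTLS" % " ".join(sorted(after))


def check_server(host, port=25, cafile=None, timeout=10):
    """Connect to a live server and compare the EHLO capabilities before and after STARTTLS."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile: the server's self-signed cert.pem
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        before = auth_mechs(smtp.ehlo()[1])
        if not smtp.has_extn("starttls"):
            return "FAIL: STARTTLS not offered; check smtpd_use_tls and the key/cert paths"
        smtp.starttls(context=ctx)
        after = auth_mechs(smtp.ehlo()[1])  # capabilities must be re-read after STARTTLS
    return verdict(before, after)


if __name__ == "__main__":
    # usage: auth_check.py host [port] [cafile]
    host, port = sys.argv[1], (int(sys.argv[2]) if len(sys.argv) > 2 else 25)
    print(check_server(host, port, sys.argv[3] if len(sys.argv) > 3 else None))
```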