Ben's Bits

The Rantings of a Techie
 
« VoIP and Conferencing2002 National Public Radio Documentary on New Orleans Hurricane Threat »

Postfix SMTP AUTH support for relayhost

09/06/05

Permalink 08:57:16 pm, by Ben Franske Email , 127 words   English (US)
Categories: Server Notes

Postfix SMTP AUTH support for relayhost

Tonight I changed my relayhost for my outgoing home mail server to one that requires me to use SMTP AUTH so I needed to modify my main.cf on the outgoing server as follows.

Added the following settings to /etc/postfix/main.cf:
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =

Create /etc/postfix/sasl_passwd as follows:
my.mail.relay.net username:password

Because the password is in cleartext make it root only:
# chown root:root /etc/postfix/sasl_passwd && chmod 600 /etc/postfix/sasl_passwd

Create the hash file:
# postmap /etc/postfix/sasl_passwd

Make the hash file world readable:
# chmod 644 /etc/postfix/sasl_passwd

Reload the Postfix config:
# /etc/init.d/postfix reload

PermalinkPermalink5 comments »

5 comments

Comment from: Curtis Brown [Visitor] · http://www.SpectralDesign.Net
You say:

Make the hash file world readable:
# chmod 644 /etc/postfix/sasl_passwd

But shouldn't that be:
chmod 644 /etc/postfix/sasl_passwd.db

???
When I do the postmap command you show it doesn't alter the mother file, but it makes a .db file.
11/12/05 @ 19:58
Comment from: Ben Franske [Member] Email · http://ben.franske.com
Hmm. Now that I look at it I think you're right, but if you were going to do it that way I think you would change smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd to smtp_sasl_password_maps = /etc/postfix/sasl_passwd.db or something similar. I think that my original method hashes the file on demand instead of accessing a pre-hashed file.
11/13/05 @ 16:31
Comment from: sysmonk [Visitor] Email · http://dev.datavoid.org
First of all, if you specify hash:/etc/postfix/sasl_passwd, then postfix accesses /etc/postfix/sasl_passwd.db and not /etc/postfix/sasl_passwd.
Secondly, you have to chmod the sasl_passwd.db, and not sasl_passwd. ( i'm talking about the second chmod).
And, if you chmod 644, then you'll have security problems, because the .db file IS NOT encrypted, and anyone can read the file with a simple editor.
So, the solution would be to chown it to postfix:postfix and chmod 600 the sasl_passwd.db.
05/18/07 @ 03:45
Comment from: sysmonk [Visitor] Email · http://dev.datavoid.org/
oh, and here's a link to a Proof of concept:

http://p.data.lt/67
05/18/07 @ 03:52
Comment from: Matthew Szubrycht [Visitor] Email · http://bmihosting.com/?r=ben.franske.com
@sysmonk, all

You need to have the sasl_passwd file owned by root:root or root:wheel (depending on the OS), with 0600 permissions. Otherwise you could potentially expose your server. Postfix will still be able to read the file, because it gets started with root privileges.

To sum it up, Ben is right, and these are the right commands to issue:

[quote]
# chown root:root /etc/postfix/sasl_passwd && chmod 600 /etc/postfix/sasl_passwd

#### or, on BSD-like boxes ####

# chown root:wheel /etc/postfix/sasl_passwd && chmod 600 /etc/postfix/sasl_passwd

Also, remember to run (as root):
# postmap /etc/postfix/sasl_passwd whenever you change the sasl_passwd file


Cheers,
Matt
09/26/08 @ 13:38

This post has 1 feedback awaiting moderation...

Leave a comment


Your email address will not be revealed on this site.

Your URL will be displayed.
(Line breaks become <br />)
(Name, email & website)
(Allow users to contact you through a message form (your email will not be revealed.)
March 2010
Mon Tue Wed Thu Fri Sat Sun
 << <   > >>
1 2 3 4 5 6 7
8 9 10 11 12 13 14
15 16 17 18 19 20 21
22 23 24 25 26 27 28
29 30 31        

Ben's Bits

Search

Categories

XML Feeds

What is RSS?
multiblog platform