Hi,
In these notes I will share what I learned in getting SASL SMTP authentication to work on a Debian Lenny server with Virtualmin GPL. This is probably quite obvious to experienced Postfix users - it wasn’t so obvious to me when I expected to just configure it through the Webmin/Virtualmin UI alone, without having to fix the config files manually.
Purpose: Allow logins from any IP via SMTP authentication using TLS with clients such as Thunderbird for sending mail via SMTP.
Settings in Webmin -> Postfix Mail Server -> SMTP Authentication And Encryption:
[x] Allow connections from same network
Allow connections from this system
Reject clients with no reverse hostname
[x] Allow authenticated clients
Reject email to other domains
Allow only relay domains
Allow domains this system is a backup MX for
Enable SASL SMTP authentication? [x] Yes
Handle non-compliant SMTP clients? [x] Yes
SMTP security options
[x] Reject anonymous logins
Reject plain-text logins
SMTP relaying restrictions
[x] Allow connections from same network
Allow connections from this system
Reject clients with no reverse hostname
[x] Allow authenticated clients
Reject email to other domains
Allow only relay domains
Allow domains this system is a backup MX for
Delay clients with failed logins? [x] Yes
Enable TLS encryption? [x] Yes
TLS certificate file [x] /etc/ssl/certs/ssl-cert-snakeoil.pem
TLS private key file [x] /etc/ssl/private/ssl-cert-snakeoil.key
TLS certificate authority file [x] None
Supposedly these settings should work, but they will produce the following error:
Jun 6 17:38:04 mydomain postfix/smtpd[13534]: fatal: parameter "smtpd_recipient_restrictions": specify at least one working instance of: check_relay_domains, reject_unauth_destination, reject, defer or defer_if_permit
Jun 6 17:38:05 mydomain postfix/master[5703]: warning: process /usr/lib/postfix/smtpd pid 13534 exit status 1
Therefore, any attempted logins with an SMTP client like Thunderbird will fail.
The postfix configuration file main.cf did not have any of these options specified:
check_relay_domains, reject_unauth_destination, reject, defer or defer_if_permit
In /etc/postfix/main.cf we find:
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated
Changing this to:
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject
…will achieve the following:
permit_mynetworks: basically allows localhost like Usermin to send mail
permit_sasl_authenticated: permits users from any IP, as long as they are authenticated to send mail
reject: will reject all others and keep postfix happy (this needs to be the last option on the line)
Remember to reload the configuration: /etc/init.d/postfix reload
The added ‘reject’ at the end will not be parsed by Webmin and will end up in the wrong location if you change any of the settings in ‘SMTP relaying restrictions’ in ‘SMTP Authentication And Encryption’. Alternatively, the same settings can be accessed from Webmin -> Postfix Mail Server -> SMTP Server Options -> Restrictions on recipient addresses. I wonder why the same settings appear in two places.
As there is probably more than one way to get this working and to combine these options, please let me know if there are easier or better ways to set this up in Webmin/Virtualmin.
Christian
Links:
http://www.postfix.org/SASL_README.html
http://www.postfix.org/postconf.5.html
Post edited by: chriswayg, at: 2009/06/06 08:09
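Added example, not part of the post above and not Webmin or Postfix code: a Python check that reads smtpd_recipient_restrictions from main.cf text, applies the rule from the quoted smtpd error (at least one of the five listed restrictions), and flags a ‘reject’ that has ended up before other entries, as the post says can happen after a Webmin edit. The function names and the sample main.cf strings are constructed for illustration.

```python
import re

# The five names from the smtpd "fatal" log line quoted in the post.
REQUIRED = {"check_relay_domains", "reject_unauth_destination", "reject",
            "defer", "defer_if_permit"}
TERMINAL = {"reject", "defer"}  # unconditional: nothing listed after them is evaluated

# Constructed samples built from the post's main.cf lines.
BROKEN = "smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated\n"
FIXED = BROKEN.rstrip("\n") + " reject\n"
# Hypothetical result of 'reject' ending up in the wrong location, with a continuation line.
REORDERED = ("smtpd_recipient_restrictions = permit_mynetworks, reject\n"
             "    permit_sasl_authenticated\n")

def read_param(main_cf_text, name):
    """Return the tokens of the last assignment of `name`, or None if unset."""
    logical = []
    for raw in main_cf_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comments
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()  # leading whitespace continues the line
        else:
            logical.append(raw.strip())
    value = None
    for line in logical:
        key, sep, val = line.partition("=")
        if sep and key.strip() == name:
            value = val  # a later assignment overrides an earlier one
    return None if value is None else [t for t in re.split(r"[,\s]+", value) if t]

def check_recipient_restrictions(main_cf_text):
    """Return findings for smtpd_recipient_restrictions; an empty list means OK."""
    tokens = read_param(main_cf_text, "smtpd_recipient_restrictions")
    if tokens is None:
        return ["smtpd_recipient_restrictions is not set in this file"]
    findings = []
    if not REQUIRED & set(tokens):
        findings.append("no working instance of: " + ", ".join(sorted(REQUIRED)))
    for i, tok in enumerate(tokens[:-1]):
        if tok in TERMINAL:
            findings.append(f"'{tok}' at position {i + 1} makes unreachable: "
                            + " ".join(tokens[i + 1:]))
            break
    return findings

if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("fixed", FIXED), ("reordered", REORDERED)):
        print(label, check_recipient_restrictions(text) or "OK")
```

Running it against the real file after each Webmin change (pass the contents of /etc/postfix/main.cf to check_recipient_restrictions) shows whether the list still ends the way it was written by hand.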