In this article we will configure our server for authenticated SMTP.
In the previous part we already set up the database and tables.
FIRST METHOD: CYRUS-SASL AUTH (saslauthd daemon)
Now we have to install the following packages in order to enable sasl2 authentication: cyrus-sasl, cyrus-sasl-devel, cyrus-sasl-plain and cyrus-sasl-sql:
yum install cyrus-sasl cyrus-sasl-devel cyrus-sasl-plain cyrus-sasl-sql
Edit your /etc/sasl2/smtpd.conf:
pwcheck_method: auxprop
mech_list: PLAIN
auxprop_plugin: sql
sql_usessl: no
sql_engine: mysql
sql_hostnames: localhost
sql_user: postfix
sql_database: mailserver
sql_passwd: yoursecretpassword
sql_select: select password from users where username = '%u'
log_level: 3
Note that the sql auxprop plugin compares the value returned by sql_select with the password the client sends, so with this configuration the password column has to hold the password in clear text.
You need an SSL certificate. For a production server it is advisable to purchase one. Otherwise you can build a self-signed certificate this way. First generate your key:
openssl genrsa -out ca.key 2048
Now generate your CSR (certificate signing request).
Answer all the questions and press return at the password prompt (no password) to create it:
openssl req -new -key ca.key -out postfix.csr
Now you can get your self-signed certificate by signing your request:
openssl x509 -req -days 3650 -in postfix.csr -signkey ca.key -out postfix.crt
Move them into place:
mv postfix.crt /etc/pki/tls/certs/
mv ca.key /etc/pki/tls/private/
mv postfix.csr /etc/pki/tls/private/
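As an added example (not code from the original article), the same three openssl steps scripted non-interactively, followed by the checks worth running before handing the files to Postfix: that the certificate really belongs to the key, that the private key is readable by its owner only, and that the certificate names the host mail clients will connect to. The hostname and the output directory are placeholders, and openssl is assumed to be installed.

```shell
#!/bin/sh
# Added example, not code from the original article. Assumes openssl is
# installed; the hostname and output directory passed in are placeholders.

# Key, CSR and self-signed certificate for hostname $1, written into directory $2.
# -subj answers the CSR questions non-interactively; no challenge password is set.
make_selfsigned() {
    host=$1; dir=$2
    mkdir -p "$dir" || return 1
    # umask 077 makes genrsa create the key as mode 0600 from the start.
    ( umask 077 && openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null ) || return 1
    openssl req -new -key "$dir/ca.key" -subj "/CN=$host" \
        -out "$dir/postfix.csr" 2>/dev/null || return 1
    openssl x509 -req -days 3650 -in "$dir/postfix.csr" -signkey "$dir/ca.key" \
        -out "$dir/postfix.crt" 2>/dev/null || return 1
}

# Certificate $1 belongs to private key $2 when both carry the same public key
# (compared as PEM text; an unreadable file yields an empty string and fails).
cert_matches_key() {
    c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null)
    k=$(openssl pkey -pubout -in "$2" 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# The private key must be readable by its owner only (0600 or 0400).
key_is_private() {
    perms=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
    [ "$perms" = "600" ] || [ "$perms" = "400" ]
}

# The subject CN of certificate $1 should be the name clients connect to ($2);
# a mismatch is what makes mail clients warn about the certificate.
cert_names_host() {
    openssl x509 -noout -subject -in "$1" 2>/dev/null | grep -q "CN *= *$2"
}

# Usage (run as root; destination paths as in the article):
#   make_selfsigned mail.example.com /tmp/pki \
#     && cert_matches_key /tmp/pki/postfix.crt /tmp/pki/ca.key \
#     && key_is_private /tmp/pki/ca.key \
#     && cert_names_host /tmp/pki/postfix.crt mail.example.com \
#     && mv /tmp/pki/postfix.crt /etc/pki/tls/certs/ \
#     && mv /tmp/pki/ca.key /tmp/pki/postfix.csr /etc/pki/tls/private/
```

The key/certificate comparison catches the common mistake of regenerating the key after the certificate was issued; Postfix would then log a TLS engine error and clients would silently fall back to cleartext if smtpd_tls_auth_only is not set.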
Adding the following lines to your /etc/postfix/main.cf should complete your configuration.
smtpd_tls_key_file = /etc/pki/tls/private/ca.key
smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.crt
smtpd_use_tls = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
Don’t forget to enable and start the saslauthd service:
systemctl enable saslauthd
systemctl start saslauthd
SECOND METHOD: use dovecot to authenticate postfix
This method doesn’t require the installation of external modules, so it is simpler.
But it has the disadvantage that you cannot easily separate IMAP and SMTP users: all your IMAP users will be able to send email through your SMTP server.
If this is OK for you, you can go this way and save time and server resources.
Configuration is very simple.
You should add a dovecot listener.
Add this to your /etc/dovecot/conf.d/10-master.conf under the service auth section:
# Postfix smtp-auth
unix_listener /var/spool/postfix/private/auth {
  mode = 0666
}
Postfix configuration is very similar to the one supplied above.
Add the following two lines to the above config:
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
Restart your services, and remember that this time the auth username matches your email address.
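Whichever of the two methods you chose, the result can be checked from the client side. The following is an added example, not code from the original article: it builds the SASL PLAIN credential exactly as a mail client sends it, runs the AUTH exchange over STARTTLS, and then probes the same port in cleartext to see whether AUTH is still advertised there (which is what smtpd_tls_auth_only = no allows, and what the comments below turn out to discuss). Host, port, user and password are placeholders; openssl, base64 and nc are assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the original article. Host, port, user and password
# are placeholders; openssl, base64 and nc are assumed to be available.

# SASL PLAIN credential on the wire: base64( NUL authcid NUL password ),
# with the optional authzid left empty. This is what Thunderbird sends.
auth_plain_token() {
    printf '\000%s\000%s' "$1" "$2" | base64 | tr -d '\n'
}

# Full exchange over STARTTLS against $1:$2 with user $3 / password $4.
# s_client performs EHLO and STARTTLS itself; what we feed on stdin is sent
# after the TLS handshake. Returns 0 when the server answers 235 (auth ok).
smtp_auth_starttls() {
    token=$(auth_plain_token "$3" "$4")
    printf 'EHLO client.example\r\nAUTH PLAIN %s\r\nQUIT\r\n' "$token" \
      | openssl s_client -quiet -starttls smtp -connect "$1:$2" 2>/dev/null \
      | grep -q '^235 '
}

# Cleartext probe of $1:$2. With smtpd_tls_auth_only = yes the EHLO reply must
# not contain "250-AUTH"; if it does, clients configured with no security can
# send the PLAIN password unencrypted. nc option syntax varies between
# implementations; -w is the connection timeout in seconds.
auth_offered_in_clear() {
    printf 'EHLO client.example\r\nQUIT\r\n' \
      | nc -w 5 "$1" "$2" 2>/dev/null \
      | grep -q '^250-AUTH'
}

# Usage (network calls are only made when RUN_SMTP_CHECKS=1 is set):
if [ "${RUN_SMTP_CHECKS:-0}" = 1 ]; then
    smtp_auth_starttls mail.example.com 25 user pass \
        && echo "AUTH PLAIN accepted over STARTTLS" \
        || echo "AUTH PLAIN rejected (check /var/log/maillog)"
    auth_offered_in_clear mail.example.com 25 \
        && echo "WARNING: AUTH advertised without TLS (smtpd_tls_auth_only = no)" \
        || echo "AUTH only offered after STARTTLS"
fi
```

A failed AUTH shows up in /var/log/maillog as a "SASL PLAIN authentication failed" warning; for the Dovecot method the detailed reason is in Dovecot's own log, since Postfix only relays the verdict.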
HI, Thanks for this tutorial!
I use the FIRST METHOD: CYRUS-SASL AUTH (saslauthd daemon).
My problem now is… how to configure my thunderbird to use this SSL connection.
On first tutorial, i configure:
1) The IMAP (security box) with “SECURITY CONNECTION”: STARTTLS , and “AUTHENTICATED METHOD”: Normal Password.
2) The SMTP (security box) with “SECURITY CONNECTION”: NONE , and “AUTHENTICATED METHOD”: Password transmitted insecurely
Now… after i make the tutorial step 2, i can’t send and i can’t receive email with this configuration. What is the correct configuration? Where can i see the log error?
Thanks!
For thunderbird I configured:
Security STARTTLS
Port: 25
Auth: normal password
And it is OK.
You can find all errors in the usual mail log in /var/log/maillog
I cannot help you with the very few info you provided.
1) cannot receive mail: can you telnet your server on port 25? Have you tried to telnet a mail and see if it is correctly delivered to the inbox? If it is OK, have you set the DNS MX record of your domain pointing to your server….. etc. etc.
2) cannot send: check your client configuration. Look at the log and report errors.
ok. The problem is my firewall 🙁
I can send and receive email now… but i don’t understand why The SMTP configuration (security box) is “SECURITY CONNECTION”: NONE , and “AUTHENTICATED METHOD”: Password transmitted insecurely
The “SECURITY CONNECTION” should not be: STARTTLS or SSL/TLS ???
what this new settings actually do?
Thanks!
Yes it should be STARTTLS (working fine on my server)
If you wish STARTTLS only, simply modify your postfix config:
smtpd_tls_auth_only = yes
and restart
OK… now it is working… the problem is my self-signed certificate… but the option “smtpd_tls_auth_only = yes” or “smtpd_tls_auth_only = no” is equal in the result.
I can send email with SMTP setting “SECURITY CONNECTION = NONE” OR “SECURITY CONNECTION = STARTTLS”.
It Works for the two ways even that “smtpd_tls_auth_only = no”.
Another thing…
I don’t know if you can help me but I only can send and receive emails in my internal network. If I send an email to GMAIL I don’t receive, and if I send an email from gmail I don’t receive.
> I configure my MX in “register.com” with:
(Hostname) mywebsite.com > (Priority) High > (mailserver) mail.mywebsite.com
> I configure my CNAME in “register.com” with:
mail.mywebsite.com (points to) mywebsite.dyndns.org (I use dyndns because I don’t have a fixed IP)
> In my router, I configure to automatically update the dyndns with the newest IP.
> I can ping to mail.mywebsite.com
> In my router, i make port forwarding to ports 25(SMTP), 110(POP3), 143(IMAP), 993(IMAPS), 995(POPS), 465(SMTPS) to my CentosServer IP, where is the mail server. In that case, we only use 25, 110 and 143.
> My Thunderbird is installed in a windows machine, inside the home network, and I can send and receive emails to the users in my mail server. It works if I use as server my internal SERVER IP and works if I use as server the “mail.mywebsite.com”
Is something wrong in what I’m Doing ?
(Now… the log errors)
> WHEN I SEND FROM GMAIL TO ME
I receive this error message in Gmail:
Delivery to the following recipient has been delayed:
pedro@mywebsite.com
Message will be retried for 2 more day(s)
Technical details of temporary failure:
The recipient server did not accept our requests to connect. Learn more at http://support.google.com/mail/bin/answer.py?answer=7720
[(0) mail.mywebsite.com. [177.158.125.XXX]:25: socket error]
> WHEN I SEND FROM ME TO GMAIL
In the /var/log/logmail i get this:
Jan 22 20:53:59 mywebsite postfix/smtp[2365]: connect to gmail-smtp-in.l.google.com[64.233.186.27]:25: Connection timed out
Jan 22 20:53:59 mywebsite postfix/smtp[2365]: connect to gmail-smtp-in.l.google.com[2800:3f0:4003:c00::1a]:25: Network is unreachable
Jan 22 20:53:59 mywebsite postfix/smtp[2365]: connect to alt1.gmail-smtp-in.l.google.com[2a00:1450:400c:c03::1a]:25: Network is unreachable
Jan 22 20:54:06 mywebsite postfix/qmgr[1588]: 94AFF416180C: from=, size=755, nrcpt=3 (queue active)
Jan 22 20:54:06 mywebsite postfix/qmgr[1588]: 37583416182D: from=, size=741, nrcpt=1 (queue active)
Jan 22 20:54:06 mywebsite postfix/qmgr[1588]: ECA23416182A: from=, size=733, nrcpt=1 (queue active)
Jan 22 20:54:06 mywebsite postfix/qmgr[1588]: 2A7FB4161836: from=, size=723, nrcpt=2 (queue active)
Jan 22 20:54:14 mywebsite postfix/smtp[2378]: connect to gmail-smtp-in.l.google.com[2800:3f0:4003:c00::1a]:25: Network is unreachable
Jan 22 20:54:14 mywebsite postfix/smtp[2379]: connect to gmail-smtp-in.l.google.com[2800:3f0:4003:c00::1a]:25: Network is unreachable
P.S. I change my real hostname to mywebsite and i change the last 3 digit of my ip address to XXX
Thanks for help!
A normal network issue. Usually very easy to track.
For incoming email try telneting port 25 of your 177.158.125.XXX from an external address (not LAN). This seems to be the problem faced by gmail sending to you.
For outgoing email try telneting port 25 of gmail-smtp-in.l.google.com [64.233.186.27] from your server. Probably it won’t be able to do that.
Moreover check your IPv6 network status. It seems your box has IPv6 enabled but cannot reach the external network. Disable IPv6 on your network interface if it is not really able to reach the internet.
Moreover I confirm no address in your 177.158.125.XXX range has port 25 open to the internet.
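As an added example that is not part of the reply above, the checks it asks for as a small script: port 25 reachability of a domain's MX hosts (run from outside the LAN for inbound mail, from the server itself for outbound), and whether the box has a usable IPv6 default route. The sample dig output is constructed; dig, nc and ip are assumed to be installed, and the Postfix setting inet_protocols = ipv4 (a real Postfix parameter, not mentioned on this page) is the Postfix-side alternative to disabling IPv6 on the interface.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes dig, nc and ip are
# installed; example.com and the MX sample below are constructed placeholders.

# Constructed sample of `dig +short MX example.com` output (lowest number = preferred).
SAMPLE_MX='20 alt1.mail.example.com.
10 mail.example.com.'

# Bare MX hostnames in priority order, trailing dot removed.
mx_hosts() {
    printf '%s\n' "$1" | sort -n | awk 'NF == 2 { sub(/\.$/, "", $2); print $2 }'
}

# Tries a TCP connection to port 25 of each MX host of domain $1.
# From OUTSIDE the LAN this is what a sending server (gmail) needs to succeed;
# run ON the mail server against a remote domain it tells you whether outbound
# port 25 is blocked ("Connection timed out" in maillog). nc option syntax
# differs between implementations; -z = scan only, -w = timeout in seconds.
probe_mx_port25() {
    for h in $(mx_hosts "$(dig +short MX "$1")"); do
        if nc -z -w 5 "$h" 25 2>/dev/null; then
            echo "$h:25 reachable"
            return 0
        fi
        echo "$h:25 unreachable"
    done
    return 1
}

# "Network is unreachable" on IPv6 addresses in maillog means Postfix tried
# AAAA records without a global IPv6 route. Returns 0 when such a route exists.
has_ipv6_default_route() {
    ip -6 route show default 2>/dev/null | grep -q '^default'
}

# If there is no IPv6 route, restrict Postfix to IPv4 instead of disabling
# IPv6 on the interface; prints the command to apply (then: postfix reload).
postfix_ipv4_only_hint() {
    has_ipv6_default_route || echo "postconf -e 'inet_protocols = ipv4'"
}

# Usage (network calls only when RUN_MX_CHECKS=1 is set):
if [ "${RUN_MX_CHECKS:-0}" = 1 ]; then
    probe_mx_port25 example.com
    postfix_ipv4_only_hint
fi
```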
Hi…
My ISP is blocking my port 25 (in Brazil this port is blocked for residential users).
I changed my smtp port to (587) and I can connect to my server from outside (with Thunderbird) and sent emails to users in my server successfully.
When I try to send to an external email, SMTP uses the port 25, and I can not send. When I try to receive from an external email, the external email can't reach my server.
The unique solution (in Brazil) is to have a “commercial connection” in my ISP instead of a “residential connection”.
Thanks for the help!
Will you try to install an anti-spam and anti-virus in the mail server? What programs do you recommend?
Thanks for the help!
I am testing amavis + clamav + spamassassin.
For your problem, if you wish to keep your server on your home connection, you can buy a cheap vps and tunnel from outside 🙂 Mail service doesn’t require a very fast connection.
Or use IPV6….