Ubuntu 5.10 + Open-XChange 0.8.0-6 + Postfix + SASL How-To

by Diego Fantoma (diego_AT_fantoma.it - http://www.fantoma.it), March 2006



Installation

Become super-user if you aren't:

su -

apt-get install sharutils

apt-get install libsasl2 libsasl2-dev libsasl2-modules

apt-get install sasl2-bin

/etc/init.d/saslauthd stop

We are going to use the saslauthd daemon in order to authenticate users against LDAP:

mv /etc/default/saslauthd /etc/default/saslauthd.ORG
echo 'START=yes' > /etc/default/saslauthd
echo 'MECHANISMS="ldap"' >> /etc/default/saslauthd

About the configuration, the saslauthd man page says:

The ldap configuration parameters are read from /etc/saslauthd.conf

So:

echo "ldap_servers: ldap://127.0.0.1:389/" > /etc/saslauthd.conf
echo "ldap_search_base: ou=Users,ou=OxObjects,$DCDOMAIN" >> /etc/saslauthd.conf
echo "ldap_auth_method: userPassword" >> /etc/saslauthd.conf
echo "ldap_filter: uid=%u" >> /etc/saslauthd.conf
echo "ldap_bind_dn: cn=Manager,$DCDOMAIN" >> /etc/saslauthd.conf
echo "ldap_bind_pw: $PASSWORD" >> /etc/saslauthd.conf

SASL configuration

echo 'loglevel: 3' > /etc/postfix/sasl/smtpd.conf
echo 'mech_list: plain login' >> /etc/postfix/sasl/smtpd.conf
echo 'sasl_pwcheck_method: saslauthd' >> /etc/postfix/sasl/smtpd.conf
echo 'pwcheck_method: saslauthd' >> /etc/postfix/sasl/smtpd.conf

Adjusting the directories in order to let Postfix run in a chrooted environment (the socket directory must be reachable from inside the chroot):

mkdir -p /var/spool/postfix/var/run/saslauthd
chmod 0710 /var/spool/postfix/var/run/saslauthd
chgrp -R postfix /var/spool/postfix/var/run/saslauthd
rmdir /var/run/saslauthd
ln -s /var/spool/postfix/var/run/saslauthd /var/run/saslauthd

Now you can try the configuration:

/etc/init.d/saslauthd start
/usr/sbin/testsaslauthd -u OXUSER -p OXUSERPASS

I expect to receive an "OK" response.

Postfix configuration for SASL

cp /etc/postfix/master.cf /etc/postfix/master.cf.ORG
echo 'smtps    inet  n       -       n       -       -       smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes' >> /etc/postfix/master.cf
echo '587      inet   n       -       n -     -       smtpd -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes' >> /etc/postfix/master.cf

cp /etc/postfix/main.cf /etc/postfix/main.cf.NOSASL
echo >> /etc/postfix/main.cf
echo '# -- SASL --' >> /etc/postfix/main.cf
echo >> /etc/postfix/main.cf
echo 'smtpd_sasl_auth_enable = yes' >> /etc/postfix/main.cf
echo 'smtpd_sasl_security_options = noanonymous' >> /etc/postfix/main.cf
echo 'broken_sasl_auth_clients = yes' >> /etc/postfix/main.cf
echo 'smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination' >> /etc/postfix/main.cf
echo 'smtpd_use_tls = yes' >> /etc/postfix/main.cf
echo 'smtpd_tls_key_file = /etc/postfix/server.key.unencrypted' >> /etc/postfix/main.cf
echo 'smtpd_tls_cert_file = /etc/postfix/server.crt' >> /etc/postfix/main.cf
echo 'smtpd_tls_loglevel = 3' >> /etc/postfix/main.cf
echo 'smtpd_tls_received_header = yes' >> /etc/postfix/main.cf
echo 'smtpd_tls_session_cache_timeout = 3600s' >> /etc/postfix/main.cf
echo 'tls_random_source = dev:/dev/urandom' >> /etc/postfix/main.cf

It's now time to create the TLS encryption keys:

Please create the /root/xchange/cert_fld file using the following legend (one answer per line, in the order openssl req asks for them):
Country Name (2 letter code)
State or Province Name (full name)
Locality Name (eg, city)
Organization Name (eg, company)
Organizational Unit Name (eg, section)
Common Name (eg, YOUR name)
Email Address
A challenge password
An optional company name

echo "[Type your two-letter country code]" > /root/xchange/cert_fld
echo "[Type the full state or province name]" >> /root/xchange/cert_fld
echo "[Type the locality name]" >> /root/xchange/cert_fld
echo "$ORGANIZATION" >> /root/xchange/cert_fld
echo "[Type a unit name]" >> /root/xchange/cert_fld
echo "mail.$MAILDOMAIN" >> /root/xchange/cert_fld
echo "postmaster@$MAILDOMAIN" >> /root/xchange/cert_fld
echo "$PASSWORD" >> /root/xchange/cert_fld
echo "$ORGANIZATION" >> /root/xchange/cert_fld

If necessary, adjust /root/xchange/cert_fld to your needs!

openssl genrsa -des3 -rand /etc/hosts -out /root/xchange/server.key 2048
openssl req -new -key /root/xchange/server.key -out /root/xchange/server.csr < /root/xchange/cert_fld
openssl x509 -req -days 3650 -in /root/xchange/server.csr -signkey /root/xchange/server.key -out /etc/postfix/server.crt
openssl rsa -in /root/xchange/server.key -out /etc/postfix/server.key.unencrypted

postfix reload

Testing postfix

Generate the base64-encoded forms of OXUser and OXUserPassword (AUTH LOGIN exchanges base64 encoding, not encryption; uuencode -m wraps its output in a "begin-base64" and a "====" line, and the line between them is the value you will type):

(*)  printf 'OXUser\0'|uuencode -m -
(**)  printf 'OXUserPassword\0'|uuencode -m -

Now telnet your localhost on port 25:

telnet localhost 25

and enter the following:

ehlo goofy

You must see a line like the following:

250-AUTH LOGIN PLAIN

So type:

AUTH LOGIN

The server must respond with a 334 VXNlcm5hbWU6 message (base64-encoded form of "Username")

Enter the first base64 string generated above (*)

The server must respond with a 334 UGFzc3dvcmQ6 message (base64-encoded form of "Password")

Enter the second base64 string generated above (**)

The server must respond with a 235 Authentication successful message.

Quit the connection by entering:

quit

Now you're ready to test the SASL/TLS connection with a client.
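The AUTH LOGIN dialogue above, scripted as an added example that is not part of the original how-to: it base64-encodes the credentials (the bare strings, without the trailing NUL the printf lines above include), decodes the 334 challenges back to their prompts, and returns the final reply code. FakeSmtpd is a constructed stand-in for the Postfix side so the script runs offline; live_auth_login runs the same dialogue against a real server, in clear text like the telnet test, and assumes the server greets with a 220 banner and answers EHLO with a 250 reply.

```python
import base64
import socket

def b64(text):
    """Base64 form of a string: what AUTH LOGIN exchanges (encoding, not encryption)."""
    return base64.b64encode(text.encode()).decode()

def decode_challenge(line):
    """Turn a '334 <base64>' server line back into its clear-text prompt."""
    code, _, payload = line.strip().partition(" ")
    if code != "334":
        raise ValueError("expected a 334 challenge, got: " + line.strip())
    return base64.b64decode(payload).decode()

def auth_login(send, recv, user, password):
    """Drive the AUTH LOGIN dialogue over send()/recv() callables; return the final reply code."""
    send("AUTH LOGIN")
    if decode_challenge(recv()) != "Username:":
        raise ValueError("unexpected first challenge")
    send(b64(user))
    if decode_challenge(recv()) != "Password:":
        raise ValueError("unexpected second challenge")
    send(b64(password))
    return int(recv().split(" ", 1)[0])

class FakeSmtpd:
    """Stand-in for the Postfix side (constructed, runs offline) holding one valid account."""
    def __init__(self, user="OXUser", password="OXUserPassword"):  # constructed sample account
        self.expected = [b64(user), b64(password)]
        self.lines = []
    def send(self, line):
        self.lines.append(line)
    def recv(self):
        if len(self.lines) == 1:
            return "334 VXNlcm5hbWU6"  # "Username:"
        if len(self.lines) == 2:
            return "334 UGFzc3dvcmQ6"  # "Password:"
        ok = self.lines[1:3] == self.expected
        return "235 2.7.0 Authentication successful" if ok else "535 5.7.8 Error: authentication failed"

def live_auth_login(host, port, user, password):
    """Same dialogue against a real server, e.g. live_auth_login("localhost", 25, "OXUser", "...")."""
    with socket.create_connection((host, port)) as sock:
        f = sock.makefile("rw", newline="\r\n")  # "\n" written here goes out as CRLF
        def send(line):
            f.write(line + "\n"); f.flush()
        f.readline()  # 220 banner
        send("EHLO goofy")
        while not f.readline().startswith("250 "):
            pass  # skip the '250-' continuation lines of the EHLO reply
        return auth_login(send, f.readline, user, password)
```

A 235 return means the credentials matched; anything else (535 from Postfix) means saslauthd rejected them, which is the first thing to check in /var/log/auth.log before suspecting the Postfix side.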