Guys, After recently wading through Postfix/Dovecot/SASL auth & TLS configuration to allow my phone to relay across my server over 3G, I have put together a quick howto that I would like to get comment on. Hopefully, this will also save others from stumbling through the configuration from scratch. Please add your comments and suggestions in-line below to help tighten security and make the howto more useful. This setup allows for normal smtp traffic on port 25 and sasl_authentication on port 587. The configuration is actually simple. The configuration just requires that you configure the postfix allow smtp on port 587 with sasl auth and TLS encryption; configure dovecot to provide authentication via a socket; finally generate a ssl cert and key for TLS to use during authentication (dovecot default cert and key works fine). The only difficulty involved is getting all the pieces in the right places. (which I'm not at all sure I have accomplished, but it works quite well) 1. Postfix Configuration /etc/postfix/master.cf Most distributions provide /etc/postfix/master.cf with the configuration for submission on port 587 present, but commented out. Simply uncommenting the 'submission' line along with its options will enable submission on port 587, however you will need to add additional options to enable SASL authentication and TLS encrypted communication between the client and the server. For example 11.4 provides the master.cf file with the following: #submission inet n - n - - smtpd # -o smtpd_etrn_restrictions=reject # -o smtpd_client_restrictions=permit_sasl_authenticated,reject To enable sasl_auth and TLS, I use the following options in master.cf: submission inet n - n - - smtpd -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING After you have completed configuration for submitting mail on port 587, DO NOT FORGET to OPEN PORT 587 on your router. /etc/postfix/main.cf smtpd_client_restrictions = permit_sasl_authenticated, reject_unknown_client smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination smtpd_sasl_auth_enable = yes smtpd_sasl_local_domain = $mydomain smtpd_sasl_type = dovecot smtpd_sasl_path = private/auth smtpd_sasl_security_options = noanonymous smtpd_sasl_tls_security_options = noanonymous broken_sasl_auth_clients = yes smtpd_tls_auth_only = yes smtpd_tls_cert_file = /etc/ssl/certs/dovecot.pem smtpd_tls_key_file = /etc/ssl/private/dovecot.pem smtpd_helo_required = yes smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, reject_non_fqdn_hostname 2. saslauthd configuration saslauthd will require a smtp.conf configuration file defining the authentication behavior. Normally, the default path for the sasl libraries are in /usr/lib/sasl2/. Placing the smtpd.conf file there will allow saslauthd to find it. The needed contents of smtpd.conf are: [nirvana:~/] # cat /usr/lib/sasl2/smtpd.conf pwcheck_method: saslauthd saslauthd_path: /var/run/saslauthd/mux mech_list: plain login log_level: 7 3. Dovecot Configuration This configuration works with dovecot2. In 11.4, the default install is still dovecot 1.2. This will work with simple modification for dovecot 1, but you will need to consult the dovecot wiki for the changes required. All you need to do is tell dovecot the type of authentication to use and the location for the socket. dovecot2 will create the 'auth' socket on restart. /etc/dovecot/dovecot.conf: # 2.0.1: dovecot.conf auth_mechanisms = plain login passdb { driver = pam } userdb { driver = passwd } service auth { unix_listener /var/spool/postfix/private/auth { group = postfix mode = 0660 user = postfix } } ssl_cert = </etc/ssl/certs/dovecot.pem ssl_key = </etc/ssl/private/dovecot.pem Make sure you have created your dovecot ssl certificates (see below), restart dovecot (/etc/rc.d/dovecot restart) and then check to make sure the /var/spool/postfix/private/auth socket was created. 4. Creating TLS Certificates OpenSuSE provides a script with the dovecot package that will create the certs for you in a slightly different manner. The script is /usr/share/doc/packages/dovecot/mkcert.sh Before running, set your ssl config in /usr/share/doc/packages/dovecot/dovecot-openssl.cnf. (otherwise you will be prompted for it) NOTE: the mkcert.sh script will NOT overwrite existing certificates, so if you have already generated your certificates and need to do it again, then either edit the script and comment out all the 'if' statements or delete your current dovecot.pem files from /etc/ssl/{certs,private} directories. The certificates are automatically placed in /etc/ssl/cert and /etc/ssl/private. These will work fine for sasl authentication. If you want to generate separate certificates, you can do so manually with the following: openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024 chmod 600 smtpd.key openssl req -new -key smtpd.key -out smtpd.csr openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt openssl rsa -in smtpd.key -out smtpd.key.unencrypted mv -f smtpd.key.unencrypted smtpd.key openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650 Don't foget to move the keys to their final location and adjust the cert and key locations in /etc/postfix/main.cf and /etc/dovecot/dovecot.conf above. 5. Restarting the servers Restart postfix with '/etc/rc.d/postfix restart' (or just 'rcpostfix restart') Start/restart saslauthd with '/etc/rc.d/saslauthd restart' (or just 'rcsaslauthd restart') Restart dovecot with '/etc/rc.d/dovecot restart' (or just 'rcdovecot restart') On opensuse to make sure the servers are started automatically don't forget to set the servers to start at boot. As root: chkconfig postfix on chkconfig dovecot on chkconfig saslauthd on For BSD style inits, add the daemons to the DAEMONS line in rc.conf. 6. iPhone Configuration Configuration on the iPhone is straight forward. Use or create a normal mail account (imap recommended) and then navigate to: Settings -> Mail, Contacts, Calendars -> (choose account) -> Account -> Outgoing Mail Server (SMTP) -> Primary Server and set the entries as follows: Server : ON Host Name : your.server.name User Name : your-user-name Password : your-password Use SSL : ON Authenitcation : password Server Port : 587 If your server is setup correctly, then the phone will verify your settings and you are done. If not, then you can troubleshoot by looking at the mail log. Go ahead and display your mail log on your server before sending a test mail. (as root: tailf /var/log/mail) Then to confirm operation, turn off WiFi on your phone and then send a test mail. A successful login will appear in the log as something like: Nov 2 14:50:11 servername dovecot: imap-login: Login: user=<your-usernm>, method=PLAIN, rip=166.205.10.56, lip=192.168.6.17, mpid=11100, TLS Note the TLS connection. If your phone fails to verify the account settings, you will usually get helpful information in the log file about why it didn't. Look for TLS failing to start due to certificate problems or auth mechanisms and then revisit the sections above. All - fill in the suggestions and additions and hopefully this will get turned into a wiki somewhere. Thanks. -- David C. Rankin, J.D.,P.E. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org