Mailinglist Archive: opensuse (1690 mails)

[opensuse] Configure smtp_auth/postfix/dovecot for mobile device relay - quick howto - request for comment

After recently wading through Postfix/Dovecot/SASL auth & TLS configuration to allow my phone to relay across my server over 3G, I have put together a quick howto that I would like to get comment on. Hopefully, this will also save others from stumbling through the configuration from scratch. Please add your comments and suggestions in-line below to help tighten security and make the howto more useful.

This setup allows for normal smtp traffic on port 25 and sasl_authentication on port 587.

The configuration is actually simple. It just requires that you configure postfix to allow smtp on port 587 with sasl auth and TLS encryption; configure dovecot to provide authentication via a socket; and finally generate an ssl cert and key for TLS to use during authentication (the dovecot default cert and key work fine). The only difficulty involved is getting all the pieces in the right places (which I'm not at all sure I have accomplished, but it works quite well).

1. Postfix Configuration


Most distributions provide /etc/postfix/ with the configuration for submission on port 587 present, but commented out. Simply uncommenting the 'submission' line along with its options will enable submission on port 587, however you will need to add additional options to enable SASL authentication and TLS encrypted communication between the client and the server. For example 11.4 provides the file with the following:

#submission inet n - n - - smtpd
# -o smtpd_etrn_restrictions=reject
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject

To enable sasl_auth and TLS, I use the following options in

submission inet n - n - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

After you have completed configuration for submitting mail on port 587, DO NOT FORGET to OPEN PORT 587 on your router.


smtpd_client_restrictions = permit_sasl_authenticated, reject_unknown_client
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/dovecot.pem
smtpd_tls_key_file = /etc/ssl/private/dovecot.pem
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, reject_non_fqdn_hostname

2. saslauthd configuration

saslauthd will require an smtpd.conf configuration file defining the authentication behavior. Normally, the default path for the sasl libraries is /usr/lib/sasl2/. Placing the smtpd.conf file there will allow saslauthd to find it. The needed contents of smtpd.conf are:

[nirvana:~/] # cat /usr/lib/sasl2/smtpd.conf
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
mech_list: plain login
log_level: 7

3. Dovecot Configuration

This configuration works with dovecot2. In 11.4, the default install is still dovecot 1.2. This will work with simple modification for dovecot 1, but you will need to consult the dovecot wiki for the changes required. All you need to do is tell dovecot the type of authentication to use and the location for the socket. dovecot2 will create the 'auth' socket on restart.


# 2.0.1: dovecot.conf
auth_mechanisms = plain login
passdb {
  driver = pam
}
userdb {
  driver = passwd
}
service auth {
  # socket inside the postfix spool, matching smtpd_sasl_path = private/auth
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem

Make sure you have created your dovecot ssl certificates (see below), restart dovecot (/etc/rc.d/dovecot restart) and then check to make sure the /var/spool/postfix/private/auth socket was created.

4. Creating TLS Certificates

OpenSuSE provides a script with the dovecot package that will create the certs for you in a slightly different manner. The script is /usr/share/doc/packages/dovecot/ Before running, set your ssl config in /usr/share/doc/packages/dovecot/dovecot-openssl.cnf (otherwise you will be prompted for it). NOTE: the script will NOT overwrite existing certificates, so if you have already generated your certificates and need to do it again, then either edit the script and comment out all the 'if' statements or delete your current dovecot.pem files from the /etc/ssl/{certs,private} directories. The certificates are automatically placed in /etc/ssl/certs and /etc/ssl/private.

These will work fine for sasl authentication. If you want to generate separate certificates, you can do so manually with the following:

openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

Don't forget to move the keys to their final location and adjust the cert and key locations in /etc/postfix/ and /etc/dovecot/dovecot.conf above.

5. Restarting the servers

Restart postfix with '/etc/rc.d/postfix restart' (or just 'rcpostfix restart')

Start/restart saslauthd with '/etc/rc.d/saslauthd restart' (or just 'rcsaslauthd restart')

Restart dovecot with '/etc/rc.d/dovecot restart' (or just 'rcdovecot restart')

On opensuse, to make sure the servers are started automatically, don't forget to set them to start at boot. As root:

chkconfig postfix on
chkconfig dovecot on
chkconfig saslauthd on

For BSD style inits, add the daemons to the DAEMONS line in rc.conf.

6. iPhone Configuration

Configuration on the iPhone is straightforward. Use or create a normal mail account (imap recommended) and then navigate to:

Settings -> Mail, Contacts, Calendars -> (choose account) -> Account -> Outgoing Mail Server (SMTP) -> Primary Server and set the entries as follows:

Server : ON
Host Name :
User Name : your-user-name
Password : your-password
Use SSL : ON
Authentication : password
Server Port : 587

If your server is setup correctly, then the phone will verify your settings and you are done. If not, then you can troubleshoot by looking at the mail log. Go ahead and display your mail log on your server before sending a test mail. (as root: tailf /var/log/mail) Then to confirm operation, turn off WiFi on your phone and then send a test mail. A successful login will appear in the log as something like:

Nov 2 14:50:11 servername dovecot: imap-login: Login: user=<your-usernm>, method=PLAIN, rip=, lip=, mpid=11100, TLS

Note the TLS connection.

If your phone fails to verify the account settings, you will usually get helpful information in the log file about why it didn't. Look for TLS failing to start due to certificate problems or auth mechanisms and then revisit the sections above.

All - fill in the suggestions and additions and hopefully this will get turned into a wiki somewhere. Thanks.

David C. Rankin, J.D.,P.E.
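
Added example (not part of the original post, and not Postfix's own code): a small Python check of the submission entry from section 1, following the master.cf rule that a logical line continues only on lines that begin with whitespace. It inspects only the per-service -o overrides, since those are what make port 587 stricter than port 25; the sample text and the function names are constructed for illustration.

```python
import re

# Constructed sample: the submission entry from section 1, in master.cf syntax.
SAMPLE_MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
#submission inet n      -       n       -       -       smtpd
#  -o smtpd_etrn_restrictions=reject
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
"""

def logical_lines(text):
    """Join continuation lines (leading whitespace); drop comments and blanks."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def service_overrides(text, service="submission"):
    """Return the -o name=value overrides of one inet service, or None if absent."""
    for line in logical_lines(text):
        fields = line.split()
        if len(fields) >= 8 and fields[0] == service and fields[1] == "inet":
            return dict(m.groups() for m in re.finditer(r"-o\s+([\w.]+)=(\S+)", line))
    return None

def audit_submission(text):
    """List findings that would let port 587 take cleartext or unauthenticated mail."""
    opts = service_overrides(text)
    if opts is None:
        return ["submission service is not enabled"]
    findings = []
    if opts.get("smtpd_tls_security_level") != "encrypt":
        findings.append("TLS is not mandatory (smtpd_tls_security_level != encrypt)")
    if opts.get("smtpd_sasl_auth_enable") != "yes":
        findings.append("SASL authentication is not enabled")
    rules = opts.get("smtpd_client_restrictions", "").split(",")
    if "permit_sasl_authenticated" not in rules or rules[-1] != "reject":
        findings.append("client restrictions do not end in reject")
    return findings
```

If the -o lines are entered without leading whitespace, service_overrides() returns an empty dict for the submission service and all three findings are reported.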