Introduction
------------

This HOWTO tries to describe how to add SASL and TLS authentication to the
Jamm mail system. Basis for this HOWTO was a discussion on the jamm-users
mailing list around May 2004 (look it up if you like).

Extra software needed
---------------------

postfix tls patch
  This patch adds support for the TLS protocol to postfix.
  ftp://ftp.aet.tu-cottbus.de/pub/postfix_tls/pfixtls-0.8.18-2.1.0-0.9.7d.tar.gz

SASL Library
  ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-2.1.18.tar.gz

OpenSSL
  Probably this is already installed.
  http://www.openssl.org/source/openssl-0.9.7d.tar.gz

Implementation
--------------

SASL Library
------------

You need to install this before postfix because later on you have to tell
postfix where to find the correct libs.

  tar -xvzf cyrus-sasl-2.1.18.tar.gz
  cd cyrus-sasl-2.1.18
  ./configure --with-ldap=/usr/local/openldap-2.1.26 --with-dblib=none
  make
  make install
  ln -s /usr/local/lib/sasl2 /usr/lib/sasl2

Next you set up saslauthd to talk to our LDAP server. The file to edit/create
here is /usr/local/etc/saslauthd.conf:

  # your ldapserver
  ldap_servers: ldap://localhost
  ldap_port: 389
  ldap_mech: simple
  # where to search in ldap
  ldap_search_base: o=hosting,dc=myhosting,dc=example
  # note the mail=%u@%r, a little joke from the sasl guys since version 2.1.17
  # if you want the old behaviour use an older version or hack the sasl source
  ldap_filter: (&(objectClass=JammMailAccount)(mail=%u@%r)(accountActive=TRUE)(delete=FALSE))

You also need to tell the SASL library what to do with an SMTP authentication
request. Another way is to set up pam_ldap and use pam as the pwcheck_method.
As I have only virtual users I think this is nicer (less things can go wrong
:-) ). Include only the auth mechanisms you are planning to use.
Edit /usr/lib/sasl2/smtpd.conf so it reads:

  pwcheck_method: saslauthd
  mech_list: AUTH LOGIN PLAIN DIGEST-MD5

Start the saslauthd:

  /usr/local/sbin/saslauthd -a ldap -O /usr/local/etc/saslauthd.conf

Create a certificate for postfix
--------------------------------

Creating certificates is beyond the scope of this document. I used the
following howto:

  ftp://ftp.aet.tu-cottbus.de/pub/postfix_tls/doc/myownca.html

Postfix
-------

A lot of people have difficulties compiling postfix to use the SASL libs. If
you can use precompiled stuff you might give that a try first. I use a Gentoo
system and I can install everything via emerge (mail me if you want to know
what USE flags I have defined). Also (with a little tweaking, as Debian
changes the default locations of files) this works without compiling on a
Debian unstable system.

If you do want to compile it yourself something like this should work:

  patch -p1 < ../pfixtls-0.8.18-2.1.0-0.9.7d/pfixtls.diff

(if you have built postfix before do a "make tidy" to clean up leftovers from
the previous build)

  make makefiles CCARGS="-DHAS_LDAP -I/usr/local/include \
      -DUSE_SASL_AUTH -I/usr/local/include/sasl \
      -DUSE_SSL -I/usr/local/ssl/include" \
      AUXLIBS="-L/usr/local/lib -lldap \
      -L/usr/local/lib -llber -L/usr/local/ssl/lib -lssl -lcrypto \
      -L/usr/lib/sasl2 -lsasl2 -lssl -lcrypto"
  make
  make upgrade

This should work without any problems with the latest postfix release 2.1.1.

Configuring postfix. The only file to be altered here is main.cf:

  # allow sasl and tls authenticated clients to relay
  smtpd_recipient_restrictions = permit_mynetworks,
      permit_sasl_authenticated,
      permit_tls_all_clientcerts,
      # [...]

  # sasl stuff
  smtpd_sasl_auth_enable = yes
  broken_sasl_auth_clients = yes
  # edit the smtp recipient_restrictions to allow clients to authenticate via
  # SASL
  smtpd_sasl_security_options = noanonymous
  # end sasl stuff

  # tls stuff
  # these keys and certs are created via the howto in this doc.
  # Your mileage may vary
  smtpd_tls_key_file = /etc/postfix/key.pem
  smtpd_tls_cert_file = /etc/postfix/cert.pem
  smtpd_tls_CAfile = /etc/postfix/CAcert.pem
  smtpd_use_tls = yes
  #smtpd_tls_auth_only = yes
  smtpd_tls_loglevel = 3
  smtpd_tls_received_header = yes
  smtpd_tls_session_cache_timeout = 3600s
  tls_random_source = dev:/dev/urandom
  #end tls stuff

If everything went OK you can see that postfix is now able to relay SASL and
TLS authenticated clients:

  jammserver postfix-2.1.1 # telnet localhost 25
  Trying 127.0.0.1...
  Connected to localhost.
  Escape character is '^]'.
  220 jammserver.example.com ESMTP Postfix
  ehlo example.com
  250-jammserver.example.com
  250-PIPELINING
  250-SIZE 10240000
  250-VRFY
  250-ETRN
  250-STARTTLS
  250-AUTH LOGIN CRAM-MD5 DIGEST-MD5 PLAIN
  250-AUTH=LOGIN CRAM-MD5 DIGEST-MD5 PLAIN
  250 8BITMIME

Watch the "STARTTLS" and "AUTH" lines.

At this point you should be able to send a message with, for example,
Microsoft Outlook Express using SMTP authentication. Fill in your username and
password (the same you use for POP3/IMAP) and you are able to send mail from
any host. Also you should be able to set up encrypted mail transfers from your
client to your Jamm mail server. Please note the remarks about Microsoft MUAs
at the end.

Help it doesn't work !
----------------------

If things do not go the way you planned take a good look in the mail.log
(postfix), the auth.log (saslauthd) and the logfile from your LDAP server.
Make sure postfix (the user postfix runs as) can read /var/state/saslauthd/mux
(if it cannot, check whether smtpd is running chrooted). Only use postfix
debug settings if nothing else works.
This mostly creates so much noise that the actual problem is easily
overlooked.

The following URLs might also help debug the problem:

  http://sbserv.stahl.bau.tu-bs.de/~hildeb/postfix/postfix_sasl_library_hell.shtml
  ftp://ftp.aet.tu-cottbus.de/pub/postfix_tls/doc/index.html

Some remarks from the original docs included with the tls patch:

  # Postfix/TLS server: Outlook Express as of Internet Explorer 5 will work with
  # Postfix/TLS, but it will not present any client certificate. So you can
  # encrypt your email transfer but you cannot authenticate (and relay) with
  # client certificates. It only works on port 25 (smtp); on other ports you
  # must use smtpd_tls_wrappermode instead. [Microsoft Knowledgebase]

  # Postfix/TLS server: Outlook Express as of Internet Explorer 4 does not
  # support RFC2487. Use smtpd_tls_wrappermode=yes on a different port(!)
  # (465=smtps?) instead.

  # Postfix/TLS server: Outlook Express (Mac) seems not to support RFC2487, you
  # must use smtpd_tls_wrappermode on a different port(!) (465=smtps?) instead.

  # Postfix/TLS client: MS Exchange also in recent versions (5.5) offers
  # STARTTLS even if not configured (from the mailing list [IETF-APPS-TLS]). I
  # could not test this without access to such server, so I cannot predict what
  # is going to happen.

  # Postfix/TLS client: TLS connections to a CommunigatePro server fail with a
  # handshake error with older versions of CommunigatePro. Reason is a protocol
  # violation of the CommunigatePro server with respect to SSL-protocol version
  # numbering. The respective part of the protocol is the specification of the
  # client_version in section 7.4.7.1. of RFC2246. This problem has been fixed in
  # CommunigatePro 3.3b?? (don't know the exact numbering) around June 09, 2000.

Written by Chris Holleman, chris (at) siggynet (dot) org.
Feedback on this document is more than welcome.
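As an added example (not part of the original HOWTO or the Jamm project), a small Python checker for the main.cf settings and the EHLO reply shown earlier in this document. It assumes the EHLO reply was captured on the cleartext connection before STARTTLS; the config fragment and reply it uses are copied from this document as sample input.

```python
import re

# Constructed sample input: the main.cf fragment and pre-STARTTLS EHLO reply quoted in this HOWTO.
MAIN_CF = """\
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    permit_tls_all_clientcerts,
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
#smtpd_tls_auth_only = yes
"""
EHLO_REPLY = ("250-jammserver.example.com\n250-STARTTLS\n"
              "250-AUTH LOGIN CRAM-MD5 DIGEST-MD5 PLAIN\n"
              "250-AUTH=LOGIN CRAM-MD5 DIGEST-MD5 PLAIN\n250 8BITMIME\n")

def parse_main_cf(text):
    """'key = value' lines, '#' comments skipped, and continuation lines
    (leading whitespace) that Postfix appends to the previous value."""
    params, key = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line[0].isspace() and key:
            params[key] += " " + line.strip()
        else:
            key = line.partition("=")[0].strip()
            params[key] = line.partition("=")[2].strip()
    return params

def advertised_auth_mechs(ehlo):
    """Mechanism names from the '250-AUTH ...' and '250-AUTH=...' reply lines."""
    mechs = set()
    for m in (re.match(r"250[- ]AUTH[ =](.*)", line) for line in ehlo.splitlines()):
        if m:
            mechs.update(m.group(1).split())
    return mechs

def audit(main_cf, ehlo):
    """Findings to fix before relaying; ehlo is the reply captured before STARTTLS."""
    p, findings = parse_main_cf(main_cf), []
    if p.get("smtpd_sasl_auth_enable") != "yes":
        findings.append("smtpd_sasl_auth_enable is not yes")
    if "permit_sasl_authenticated" not in p.get("smtpd_recipient_restrictions", ""):
        findings.append("permit_sasl_authenticated missing from smtpd_recipient_restrictions")
    if "250-STARTTLS" not in ehlo.splitlines():
        findings.append("STARTTLS not advertised")
    # Without smtpd_tls_auth_only, PLAIN/LOGIN are offered while the password still travels in the clear.
    if p.get("smtpd_tls_auth_only") != "yes" and advertised_auth_mechs(ehlo) & {"PLAIN", "LOGIN"}:
        findings.append("PLAIN/LOGIN offered before STARTTLS; set smtpd_tls_auth_only = yes")
    return findings
```

Running audit(MAIN_CF, EHLO_REPLY) on the document's own fragment reports only the commented-out smtpd_tls_auth_only line.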