Adeptus-Mechanicus

Main
Codex
Librarium Whitehat
Advisories
Blog Pics
"Inveniam viam aut faciam" : I will either find a way, or I shall make one


SMTP Relay Authentication - Postfix
Author - Nic Maurel

Intro
The reason for this paper is that more and more people are employing a security feature on their mail servers called smtp authentication. Now I can totally understand why. SPAM. While I know smtp is clear text, and the password can be sniffed. But the principle goes, if Server A has authentication and Server B doesn't, script kiddies will go for Server B. It just raises the bar a little. Now it is quite simple and is only a few steps, and I am going to show you how to do it on a Linux Postfix server.

Howto
Bear in mind we are not setting up authentication for our mail server, we are only telling our mail server that the remote server for a specific domain requires authentication. So how do we do this for specific domains? Simple we create a file with the root user as follows:
vi /etc/postfix/sasl_passwd

----------------------------------------
#Domain Username:Password
mail.example.com mail01:rght#1
-----------------------------------------

save and exit. Fairly self explanatory, any mail going to mail.example.com will need the specified username and password.
chmod -Rf 600 /etc/postfix/sasl_passwd
chown -Rf root:root /etc/postfix/sasl_passwd

Ahh! But now you ask how will postfix read the file if it is only uses the postfix user. The answer is postfix does not only use the postfix user, it starts up as root to read configuration files, and then changes to the postfix user. Nifty to know.

/usr/sbin/postmap /etc/postfix/sasl_passwd
This will create a sasl_passwd.db file with the same permissions
Take note: every time you make changes to this file you will need to postmap it again, and reload postfix to reread the db file. Lastly edit you main.cf
vi /etc/postfix/main.cf

--Add these three lines:

---------------------------------------------------
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
----------------------------------------------------


Save and exit.
Do a "/etc/init.d/postfix reload". This will reread the new changes and Voila! You will be able to send to that specific server or domain with authentication.

Take note: If you need to relay through a server that requires authentication then you need to add this additional line in your /etc/postfix/main.cf.
---------------------------------------------------------
relayhost = mail.example.com
---------------------------------------------------------

This will send all your mail through mail.example.com

Conclusion
SMTP Authentication, can be a useful security mechanism, but do not think it is fool proof. As I have mentioned smtp is a clear text protocol, which allows the username and password to be viewed. Consider this just an additional step to ensure that you are sending to the correct server or servers.
I hope you have found this useful, and always remember you won't learn things unless you try them.