Posted by simonw on Tue 15 Jul 2008 at 11:25
My email server uses SMTP AUTH with PLAIN or LOGIN. Thus the password is send without encryption (base64 doesn't count honest). The server listens on port 465 so that the password can be encrypted using SSL, if people prefer not to send their password in plain text (my users generally know not to do that, or at least let me set up their mail clients).
My friend wants to set up his laptop to send emails using his account on my email server. He wants to do this using a traditional MTA, so that cron and other system emails "just work".
Here is a config I worked out for him. But I think there must be simpler smarthost configurations for AUTH over SMTPS in Debian. The configuration is not especially secure, as it doesn't validate that there is no man in the middle attack!
Mail server: mail.example.com
Username: user@example.com
Password: password
Server accepts SMTP Authentication on ports 25 and 465.
Based on...
http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailservers.html
apt-get install postfix stunnel dpkg-reconfigure postfix
Select - Satellite system - accept defaults except for domain name (made example.com but choice yours).
Email sent now to mail.example.com listed as "Greylisted", or rejected as wrong recipient because we still need to authenticate.
echo "mail.example.com user@example.com:password" >>/etc/postfix/sasl_passwd chown root:root /etc/postfix/sasl_passwd chmod 600 /etc/postfix/sasl_passwd cd /etc/postfix/ postmap hash:/etc/postfix/sasl_passwd echo "smtp_sasl_auth_enable = yes" >>/etc/postfix/main.cf echo "smtp_sasl_security_options =" >>/etc/postfix/main.cf
Now we have auth working? Test if you brave your password going in plain text!
Postfix doesn't do SMTPS natively in 2.3 and later (well see comments at end of this article).
http://www.postfix.org/TLS_README.html#client_smtps
vim /etc/default/stunnel Change "ENABLED=0" to "ENABLED=1"
Append this to /etc/stunnel/stunnel.conf
[smtp-tls-wrapper] accept = 11125 client = yes connect = mail.example.com:465
Modify "/etc/hosts.allow" adding.
smtp-tls-wrapper: 127.0.0.1
In /etc/postfix/main.cf make the relay host line read:
relayhost = [127.0.0.1]:11125
In /etc/postfix/sasl_passwd make the credential line read
[127.0.0.1]:11125 user@example.com:password
Remake the hashed version of the authentication credentials
cd /etc/postfix postmap hash:/etc/postfix/sasl_passwd
Restart everything
/etc/init.d/postfix restart /etc/init.d/stunnel restart
Now in one shell window as root...
tcpdump -X -i eth0 host mail.example.com
And send an email, and make sure it looks encrypted.
I'm not sure the stunnel configuration explained above is complete, but stunnel logs good error messages! Using Thunderbird is a lot less effort ;)
Some discussion on the Internet says you can make Postfix smtpd use TLS in wrapper mode - but I hate editing /etc/postfix/master.cf - it is one of those bits of postfix that makes me nervous!
The nullmailer packager still has AUTH and SMTPS in its to-do list - bored Debian Developers could do worse than add these, as this should be a configuration done by dpkg for some MTA (preferably one simpler than postfix!) by now.
This article can be found online at the Debian Administration website at the following bookmarkable URL:
This article is copyright 2008 simonw - please ask for permission to republish or translate.