Comments (15)
Final configuration for a non-chrooted saslauthd and (optional) chrooted Postfix follows in this comment.
The setup will work whether postfix is chrooted or not -- when chrooted, just apply the additional optional config, which should make postfix safer to use.
from here on, mandatory for both chrooted and non-chrooted postfix
saslauthd non-chrooted:
Reminder: saslauthd should be non-chrooted for the setup to be simple and work.
Set parameters for saslauthd in /etc/default/saslauthd:
Before (Incorrect):
OPTIONS="-c -m /var/run/saslauthd"
(or)
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"
After (Correct):
OPTIONS="-c -m /var/run/saslauthd -r"
Standard Postfix configuration:
Create a PAM file for smtp/postfix, equal to dovecot's. A missing file will result in login failure of postfix in PAM if the "other" file is hardened (/etc/pam.d/smtp):
#
# /etc/pam.d/smtp - PAM behavior for postfix
#
#%PAM-1.0
@include common-auth
@include common-account
@include common-session
This probably should be a separate issue, but I'll include it here as it's related.
Add postfix user to the sasl group:
adduser postfix sasl
from here on, optional...(chrooted postfix)
Add binding for saslauthd in Postfix chroot:
Add a permanent mount point to /etc/fstab:
/var/run/saslauthd /var/spool/postfix/var/run/saslauthd bind defaults,nodev,noauto,bind 0 0
Note: noauto = no attempt to mount what can't be mounted on early boot = no error/hang
Create directory for new mount point:
mkdir -p /var/spool/postfix/var/run/saslauthd
Set ownership and permissions:
chown -R root:sasl /var/spool/postfix/var/
dpkg-statoverride --add root sasl 710 /var/spool/postfix/var
Then mount it:
mount /var/spool/postfix/var/run/saslauthd
Add the mount command to /etc/rc.local to be run at boot (after all daemons):
# Mount saslauthd bind point at postfix chroot
mount /var/spool/postfix/var/run/saslauthd
https://wiki.debian.org/PostfixAndSASL
http://blog.brachium-system.net/archives/16-Postfix-with-SASL-Authentication-in-Debian.html
Finish Postfix chrooted configuration:
Configure sasl binding for postfix (/etc/postfix/sasl/smtpd.conf):
Incorrect:
saslauthd_path: /var/spool/postfix/var/run/saslauthd/mux
or nothing
Correct:
saslauthd_path: /var/run/saslauthd/mux
Configure postfix to work in chrooted environment (/etc/postfix/master.cf):
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
Debian stock configuration (insecure):
smtp       inet  n       -       -       -       -       smtpd
Virtualmin configuration (sasl only):
smtp       inet  n       -       -       -       -       smtpd -o smtpd_sasl_auth_enable=yes
submission inet  n       -       -       -       -       smtpd -o smtpd_sasl_auth_enable=yes
New configuration (also added TLS):
#
# Custom configuration
# See /etc/services
#
# SMTP (25/TCP)
smtp       inet  n       -       y       -       -       smtpd -o smtpd_sasl_auth_enable=yes
# Submission (587/TCP+UDP)
submission inet  n       -       y       -       -       smtpd -o smtpd_sasl_auth_enable=yes
# SMTPS/SSMTP (465/TCP) (deprecated, disabled)
#smtps     inet  n       -       y       -       -       smtpd -o smtpd_sasl_auth_enable=yes -o smtpd_tls_wrappermode=yes
Notes:
- The y flag on 5th column denotes chroot=yes.
- Services were taken from /etc/services.
- TLS forced on SMTPS/465, as expected.
EDIT: fixed some settings
END
from webmin.
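As an added example (not code from the issue thread or from Webmin), the following POSIX sh helpers audit the three files the first comment changes: /etc/default/saslauthd, /etc/postfix/master.cf and /etc/postfix/sasl/smtpd.conf. Each function takes a file path so it can be run against the live files or against constructed samples; it assumes a chrooted smtpd, the case the comment's "correct" settings are written for.

```shell
#!/bin/sh
# Added example (not from the issue thread): audit helpers for the setup the
# first comment describes. Each function takes a config file path, so it can
# be pointed at the real /etc files or at constructed samples. Assumes a
# chrooted smtpd, the case the comment's "correct" settings are written for.

# /etc/default/saslauthd: the mux must live under the real /var/run/saslauthd
# (not inside the Postfix queue directory) and -r must be present.
check_saslauthd_options() {
    opts=$(sed -n 's/^OPTIONS="\(.*\)"/\1/p' "$1" | tail -n 1)
    case "$opts" in
        *"-m /var/spool/postfix/"*) echo "mux-inside-chroot"; return 1 ;;
        *"-m /var/run/saslauthd"*) ;;
        *) echo "mux-dir-missing"; return 1 ;;
    esac
    for w in $opts; do
        [ "$w" = "-r" ] && { echo "ok"; return 0; }
    done
    echo "no-r-flag"; return 1
}

# master.cf: inet listeners whose chroot column (5th) is not an explicit "y".
# "-" selects the compiled-in default, which is "n" on Postfix 3.0 and later,
# so it is reported as well. Comment and continuation lines are skipped.
unchrooted_inet_services() {
    awk '/^[^# \t]/ && $2 == "inet" && $5 != "y" { print $1 }' "$1"
}

# /etc/postfix/sasl/smtpd.conf: a chrooted smtpd resolves saslauthd_path
# relative to /var/spool/postfix, so a path that already carries that
# prefix points at a socket that does not exist inside the jail.
check_saslauthd_path() {
    p=$(awk '$1 == "saslauthd_path:" { print $2 }' "$1")
    case "$p" in
        "") echo "unset"; return 1 ;;
        /var/spool/postfix/*) echo "chroot-prefixed"; return 1 ;;
        *) echo "ok" ;;
    esac
}

# Run all three checks against the live files (not called automatically).
audit_host() {
    check_saslauthd_options /etc/default/saslauthd
    echo "inet services not chrooted: $(unchrooted_inet_services /etc/postfix/master.cf)"
    check_saslauthd_path /etc/postfix/sasl/smtpd.conf
}
```

Call `audit_host` as root on the mail server; any output other than "ok" (or an empty "not chrooted" list) names the file to revisit.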
FWIW, on a fresh install of Ubuntu 18.04 and Webmin/Virtualmin (latest), Postfix is not running in chroot and this simplified subset sufficed:
- Replace any references to /var/spool/postfix/var/run/saslauthd with /var/run/saslauthd in /etc/default/saslauthd
- systemctl restart saslauthd
from webmin.
This post really helped me out. But when using Debian, there is no rc.local anymore, though there are workarounds.
I created a service for this as follows:
nano /etc/systemd/system/saslauthd_mount_bind.service
[Unit]
Description=Bind Mount for SASL Auth Daemon Socket
After=saslauthd.service
[Service]
Type=oneshot
RemainAfterExit=true
ExecStart=/usr/bin/mount -o bind /var/run/saslauthd /var/spool/postfix/var/run/saslauthd
[Install]
WantedBy=multi-user.target
systemctl enable saslauthd_mount_bind.service
systemctl start saslauthd_mount_bind.service
from webmin.
Always weird when you get a notification on a bug from over a decade ago that's still open.
from webmin.
Update,
Found a fix for chrooted saslauthd.
Seems that in /etc/postfix/sasl/smtpd.conf the option saslauthd_path is relative to the postfix chroot. It won't accept full paths -- http://www.lxtreme.nl/index.pl/docs/linux/dovecot_postfix_pam
I'm figuring the mount bind probably should still be needed for one thing or another.
ie, testsaslauthd complains about not finding the path unless you specify it:
testsaslauthd -u username -p password -f /var/run/saslauthd/mux -s smtp
BTW, tested the symlink method and it didn't work as I thought -- the chroot does not let postfix go up in the path.
However, since one may use saslauthd for services other than Postfix, such as Memcached (login yay!), LDAP, IRC and XMPP implementations:
http://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer
I think it should be left non-chrooted, just as it is suggested in Debian Wiki:
https://wiki.debian.org/PostfixAndSASL
That way it can be accessed by other services without requiring major reconfiguration.
from webmin.
solving the mount problem at boot...
from webmin.
Thanks man... this helped.
from webmin.
Finally..... Thank you
from webmin.
Thanks a lot for this; even 5 years later this guide still works, and is so detailed. I just had this exact issue, and this worked flawlessly.
from webmin.
When you switch postfix between chroot and non-chroot mode, webmin should apply any changes so saslauthd would continue to work.
Note Ubuntu postfix installs with chroot active, while the Debian postfix package installs as non-chroot mode.
webmin should set postfix as chroot by default for security as it's exposed to the internet.
from webmin.
When you switch postfix between chroot and non chroot mode, webmin should apply any changes so saslauthd would continue to work.
I think this is out of the scope of what Webmin should manage - it feels like something Postfix or saslauthd should manage.
from webmin.
I think this is out of the scope of what Webmin should manage - it feels like something Postfix or saslauthd should manage.
I agree. From reading the docs and mailing lists, the way to have saslauthd work with postfix and be properly secure: saslauthd runs as root, which is required to authenticate users against /etc/shadow. postfix runs in a chroot jail for security because it's exposed to the internet all the time. The only config is for chroot'ed postfix to see and communicate with saslauthd to authenticate smtp clients trying to send email from the internet, thru the outgoing postfix mail server for their domain, which requires authentication as a system user; the solution is a bind mount and a service to start saslauthd after reboots so it would be persistent. Without the saslauthd PAM authentication, either postfix has to run as root to check system user passwords, or a database like mysql/mariadb/ldap should be configured to hold email user passwords and postfix would contact it thru localhost or on any host thru networking, or users are stuck using more resources with a webmail app on the virtualmin postfix server, which sends their email from the localhost, which postfix accepts without authentication and sends it out. Because a chroot'ed postfix cannot directly authenticate users against the user's system login password, neither can postfix communicate with saslauthd unless a communication pathway has been established prior and maintained, from the chroot jail, to saslauthd running as root.
from webmin.
From the postfix docs: Postfix in chroot does not manage the connection to saslauthd. Sys admin (webmin) should run scripts (examples for many OS are provided with postfix) to get postfix SMTP fully working, especially SMTP auth against saslauthd running outside the jail:
Postfix Linux chroot script.
Postfix FreeBSD chroot script.
Running Postfix daemon processes chrooted
Postfix daemon processes can be configured (via the master.cf file) to run in a chroot jail. The processes run at a fixed low privilege and with file system access limited to the Postfix queue directories (/var/spool/postfix). This provides a significant barrier against intrusion. The barrier is not impenetrable (chroot limits file system access only), but every little bit helps.
With the exception of Postfix daemons that deliver mail locally and/or that execute non-Postfix commands, every Postfix daemon can run chrooted.
Sites with high security requirements should consider to chroot all daemons that talk to the network: the smtp(8) and smtpd(8) processes, and perhaps also the lmtp(8) client. The (postfix) author's own porcupine.org mail server runs all daemons chrooted that can be chrooted.[...]
Note that a chrooted daemon resolves all filenames relative to the Postfix queue directory (/var/spool/postfix). For successful use of a chroot jail, most UNIX systems require you to bring in some files or device nodes. The examples/chroot-setup directory in the source code distribution has a collection of scripts that help you set up Postfix chroot environments on different operating systems.
Additionally, you almost certainly need to configure syslogd so that it listens on a socket inside the Postfix queue directory. Examples of syslogd command line options that achieve this for specific systems:
FreeBSD:
syslogd -l /var/spool/postfix/var/run/log
Linux, OpenBSD:
syslogd -a /var/spool/postfix/dev/log
Enabling SASL auth when postfix is in chroot: https://www.postfix.org/SASL_README.html#server_sasl_enable
from webmin.
Finish Postfix chrooted configuration:
Configure sasl binding for postfix (/etc/postfix/sasl/smtpd.conf):
Incorrect:
saslauthd_path: /var/spool/postfix/var/run/saslauthd/mux
or nothing
Correct:
saslauthd_path: /var/run/saslauthd/mux
Hmm, I'd personally love to use /var/run/saslauthd/mux with a chrooted Postfix config, though it doesn't seem to work correctly without doing mount binds.
Why is using the /var/spool/postfix/var/run/saslauthd/mux you mentioned to be incorrect?
from webmin.
Why is using the /var/spool/postfix/var/run/saslauthd/mux you mentioned to be incorrect?
Not sure, I believe it's because postfix is running in chroot, so the path in /etc/postfix/sasl/smtpd.conf setting saslauthd_path, /var/spool/postfix/var/run/saslauthd/mux, does not exist when postfix attempts to access it from inside the chroot.
Postfix runs in its own chroot environment, and /var/run/saslauthd/mux resides outside the chroot jail. Postfix cannot directly access files outside its restricted environment.
Even if Postfix could access the file, /var/run/saslauthd/mux is usually owned by saslauthd which runs as root. Postfix, running as an unprivileged user, wouldn't have the necessary permissions to interact with the socket.
Mount binds provide a solution by creating a virtual link between the directory outside the chroot (/var/run/saslauthd/mux) and a directory inside the chroot jail (often /var/spool/postfix/var/run/saslauthd). This allows Postfix to access the socket within its restricted environment and communicate with saslauthd for authentication.
from webmin.