Categories
How-To's

Postfix and Cyrus SASL authentication

It has been a while since I’ve had the time to blog about something. Mainly that is because my study is demanding a lot of time and because I am working on some new thing which keep me pretty occupied. I will write about those things some other time.

Right, on to Postfix and Cyrus SASL. Most of my servers are running some flavor of *nix and because I started to like the low effort CentOS needs to keep running, I rebuild all my Gentoo based systems (which took hours to compile and then manually upgrade thanks to the ever changing configuration of a gazillion programs) to CentOS versions – including my Postfix + Courier-IMAP + MySQL mail system. This setup is pretty common as the first guide I found on the HowTo forge for CentOS 5.x was almost verbatim what I had done while porting from Gentoo to CentOS. Also, see the Gentoo guide I used to set it all up (also usable for CentOS).

The only thing I never got going – because I never needed it – was SMTP authentication. Now, when other people send mail to your server they will not need to authenticate: the server is the end-point for the email and as such it will accept any mail sent to the domains hosted on it. So when do you need authentication? When you want to relay.

Now, relaying has a bad name on the internet, try to Google for it and see what comes up. But relaying itself is not a fluke, its a solution. In my case, I have 2 reasons for relaying.

First, at work and at my parents, I can send mail just fine using the ISP mail servers (which I have to change every time I switch locations *sigh*) but the mail servers are a bit too well educated. My domain is currently an alias (CName to be exact) for a DynDNS address. When sending mail, the mail servers resolve and expand the domain I claim to send from and rewrite the address. This means that sending to mailing lists becomes impossible and other people wonder what a ath.cx address is…

Secondly, at home I can’t send mail at all because the idiots at my ISP (I will write about the woes another time) told their mail servers that the server had to match the sender (domain wise). Because of the fact that I am not allowed to link the DNS to my IP directly, this will resolve in – yet again – 2 different domains and in this case the mail is bounced back to me.

In both cases it would be very handy to be able to just send mail using my own mail server as it will deliver mail directly to the correct remote servers, using the correct names etc.

On a side note, the government has decided that is would be a great idea to store all mail traffic for everyone in the country to fight crime. As usual, declaring such a policy will simply tell everyone who is planning to blow up stuff to use alternate means of communication – most of it being encrypted and voiding the whole purpose. To that end, I like the idea of using my own mail server on an encrypted channel so my mail remains private and let everyone listening in what dark secrets I send around. (On a side note: yes, the server to server communication can not be encrypted unless both servers know how to – but the first bit is safe).

Now, on with the details. I assume you have Postfix running with MySQL, so it is delivering mail to a maildir on your server or forwarding it somewhere else. Courier (IMAP/POP3/whatever) is running as well and can access the mail delivered for Postfix and as such, your whole mail server is up and running. Now comes the catch: Courier has a authentication library which should be able to authenticate against MySQL. Most installations will use Cyrus SASL instead because it has more features (and in my case was easier to set up as I am using postfixAdmin to administrate the server).

You NEED Cyrus SASL 2 with the SQL plugin installed, if you use Courier Authlib you need a different guide or change the authlib you are using. If you use CentOS like me, run: ‘yum install cyrus-sasl-sql’ to grab the right plugin.

Now, open up ‘/usr/lib/sasl2/smtpd.conf’ to create the specific SASL authentication file for Postfix. On a side note: in my case, I didn’t have to start the service for this to work. Anyway, insert this:

pwcheck_method: authdaemond  log_level: 2  authdaemond_path: /var/spool/authdaemon/socket

The first line tells Postfix to use the Cyrus SASL daemon (instead of the Courier Authlib one). The second line is optional but is handy when debugging, increase if things don’t work so you can see what is happening. The 3rd line is crucial: this is the path to the socket of the Cyrus SASL daemon. On CentOS 5.x you should have it here, on other distributions you need to search for the socket and put it in there.

Now you have set up the SASL authentication settings, it is time to tell Postfix to check the SASL pipeline when someone tries to authenticate. Add the following to your main.cf:

# SASL settings  broken_sasl_auth_clients = yes  smtpd_sasl_auth_enable = yes  smtpd_sasl_authenticated_header = yes  smtpd_sasl_security_options = noanonymous  smtpd_sasl_local_domain =  # Used by SASL to identify the Postfix client  smtpd_sasl_path = smtpd

These settings are pretty safe, won’t turn your box into an open relay (the bad sort of relaying abused by spammers) and will still make it possible to use pretty much every mail client out there. Note the last line: that line sets the key word when Postfix will try to authenticate: that is why the SASL configuration is called smtpd.conf. Another reason to use this name is the fact the smtpd is the name of the daemon that will request authentication and on some distributions, it will automatically search for that name.

Now safe, restart postfix and try to authenticate (set your mail client to connect to your server when sending mail and to use the same username and password you need when recieving mail). If everything went well, you can now send mail to anyone, from anywhere using your very own address and just one mail server!

If you get this:

[postfix/smtpd] warning: SASL authentication failure: cannot connect to Courier authdaemond: Connection refused

…you have a problem. Ignore the bit that says Courier authdaemond – you are trying to connect to Cyrus but Postfix doesn’t know this and as you are using the Courier interface, it will tell you something that is incorrect. The message means that it couldn’t find the socket, it is not allowed to access the socket or a similar issue is preventing it from working.

Step 1: Do NOT hardlink the socket to the SASL directory to include it into the Postfix root jail. This will work as long as the system is up: if the authlib daemon is restarted, it will recreate the socket and your hardlink will be dead – sending you off on a goose chase (guess how I found out that one… afterwards I also found this conversation about it)

Step 2: Make sure the socket file is where you told Postfix it would be. Try restarting all services and make sure the timestamp on the socket changed when you restarted everything. If it didn’t change, you are referring to the wrong file. Try to delete it, restart everything again and you won’t see it reappear. Search for it again and fix the path in the smtpd.conf file.

Step 3: When accessing the socket, you need more than read and write access to the socket. You also need r/w access to a random regular file in the directory holding the socket. This is how sockets work and if I understand correctly, a hidden file is used once a program opens the socket to continue the session – hence you need to be allowed to create that file. On CentOS, open ‘/etc/group’, find the line that says ‘daemon:…’ and add ‘postfix’ to that line, use a comma if one or more names are on that line already. Now Postfix is part of the daemon group which owns the socket directory on CentOS. If you have a different distribution, find out who owns the directory, who is running postfix (usually this is the user + group ‘postfix’ or ‘mail’) and fix it.

Step 4: Restart all services or the whole system if you get here. Read the log files again looking for hints what went wrong. If you still have problems, try to Google for it or leave a comment.

Good luck!

Categories
How-To's

Windows Live Writer and Linux, How To Do It

I’ve seen lots of discussions floating around the internet, talking about people attempting to install Windows Live Writer. Some are using Mono, others the .NET Framework – all of them are using Wine. In this article I’ll explain How I Did It.

In this case the limits of Wine and Mono become visible. The .NET frameworks work partially in Wine so relying on them is useless (to be precise: all the external libraries needed in this case screw up this valiant attempt).

In the other corner we have Mono. Because WLW is in fact a Win32 executable, we have to use Mono in Wine (install the Windows version of Mono using Wine) but even the big anti-Microsoft framework fails here.

To be honest, Mono keeps failing every time for me. This is because Mono can run managed (byte-code only) executables fine, even the ones compiled for .NET (unless I’m mistaken). However, the windows in a GUI program are drawn using a native interface for .NET, one that Mono does not have as it uses a cross-platform windowing toolkit called GTK#. In short: any program that is used in a modern desktop environment and which is designed for .NET will not run on Mono. Thanks for the effort there guys…

So WLW on Linux is a no-go. And every other blogging tool out there for the Linux platform pretty much sucks or costs muchos dineros. I still have hopes for KBlogger but after 3 months its still at alpha 2 – so I stopped hoping that would be any help any time soon. I was using Bleezer before but it keeps screwing up source code which I am trying to post (I am hoping WLW will do this a LOT better). But how do we get out of this dark age, you might wonder? The solution? VirtualBox!

Categories
Japan Blog Study Tour

Eternal concrete and rockets

TsukubaToday we are leaving Tokyo for a while to head out to Tsukuba. Tsukuba is a good 2 hours from Jimbocho and so our day started early with me giving a briefing to the group about JAXA. The latter was because all of us reviewed a company to write a report about and mine was about JAXA. So after we left the hotel with provisions to survive the coming night, we set out for Tsukuba.

Categories
Japan Blog Study Tour

Cultural clash

When we first got in Japan we noticed how freaking clean Japan is. Almost no cigarettes on the floor, no cans, no nothing. Also no graffiti or markings on bus chairs or anything. I heard that rebelling youth is simply locked up in their room for 6 months to make the point that its not accepted here.IMG_1357

Just like those vending machines that are everywhere. And I mean EVERYWHERE. On each street corner, on stations in dark alleys even in a Shinto temple. The upside is that whenever you are thirsty you can get a drink when you want. It also costs nothing: 80 to 160 yen for normal to fancy drinks. That’s 55 euro cents to 1 euro for a drink you buy at a dutch kiosk (if you can find one in a 3km radius) and you can choose from more options than a normal dutch supermarket has.