Categories
How-To's

Postfix and Cyrus SASL authentication

It has been a while since I’ve had the time to blog about something. Mainly that is because my study is demanding a lot of time and because I am working on some new things which keep me pretty occupied. I will write about those things some other time.

Right, on to Postfix and Cyrus SASL. Most of my servers are running some flavor of *nix and because I started to like the low effort CentOS needs to keep running, I rebuilt all my Gentoo based systems (which took hours to compile and then manually upgrade thanks to the ever changing configuration of a gazillion programs) as CentOS versions – including my Postfix + Courier-IMAP + MySQL mail system. This setup is pretty common, as the first guide I found on HowtoForge for CentOS 5.x was almost verbatim what I had done while porting from Gentoo to CentOS. Also, see the Gentoo guide I used to set it all up (also usable for CentOS).

The only thing I never got going – because I never needed it – was SMTP authentication. Now, when other people send mail to your server they will not need to authenticate: the server is the end-point for the email and as such it will accept any mail sent to the domains hosted on it. So when do you need authentication? When you want to relay.

Now, relaying has a bad name on the internet; try to Google for it and see what comes up. But relaying itself is not a fluke, it’s a solution. In my case, I have 2 reasons for relaying.

First, at work and at my parents’, I can send mail just fine using the ISP mail servers (which I have to change every time I switch locations *sigh*) but the mail servers are a bit too well educated. My domain is currently an alias (a CNAME to be exact) for a DynDNS address. When sending mail, the mail servers resolve and expand the domain I claim to send from and rewrite the address. This means that sending to mailing lists becomes impossible and other people wonder what an ath.cx address is…

Secondly, at home I can’t send mail at all because the idiots at my ISP (I will write about the woes another time) told their mail servers that the server had to match the sender (domain wise). Because I am not allowed to link the DNS to my IP directly, this will result in – yet again – 2 different domains and in this case the mail is bounced back to me.

In both cases it would be very handy to be able to just send mail using my own mail server as it will deliver mail directly to the correct remote servers, using the correct names etc.

On a side note, the government has decided that it would be a great idea to store all mail traffic for everyone in the country to fight crime. As usual, declaring such a policy will simply tell everyone who is planning to blow up stuff to use alternate means of communication – most of it being encrypted and voiding the whole purpose. To that end, I like the idea of using my own mail server on an encrypted channel so my mail remains private and let everyone listening in wonder what dark secrets I send around. (On a side note: yes, the server to server communication cannot be encrypted unless both servers know how to – but the first bit is safe).

Now, on with the details. I assume you have Postfix running with MySQL, so it is delivering mail to a maildir on your server or forwarding it somewhere else. Courier (IMAP/POP3/whatever) is running as well and can access the mail delivered by Postfix, so your whole mail server is up and running. Now comes the catch: Courier has an authentication library which should be able to authenticate against MySQL. Most installations will use Cyrus SASL instead because it has more features (and in my case it was easier to set up as I am using postfixAdmin to administrate the server).

You NEED Cyrus SASL 2 with the SQL plugin installed; if you use Courier Authlib you need a different guide or must change the authlib you are using. If you use CentOS like me, run ‘yum install cyrus-sasl-sql’ to grab the right plugin.

Now, open up ‘/usr/lib/sasl2/smtpd.conf’ to create the specific SASL authentication file for Postfix. On a side note: in my case, I didn’t have to start the service for this to work. Anyway, insert this:

pwcheck_method: authdaemond
log_level: 2
authdaemond_path: /var/spool/authdaemon/socket

The first line tells Postfix to use the Cyrus SASL daemon (instead of the Courier Authlib one). The second line is optional but is handy when debugging; increase it if things don’t work so you can see what is happening. The third line is crucial: this is the path to the socket of the Cyrus SASL daemon. On CentOS 5.x you should have it here; on other distributions you need to search for the socket and put its path in there.

Now you have set up the SASL authentication settings, it is time to tell Postfix to check the SASL pipeline when someone tries to authenticate. Add the following to your main.cf:

# SASL settings
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
# Used by SASL to identify the Postfix client
smtpd_sasl_path = smtpd

These settings are pretty safe, won’t turn your box into an open relay (the bad sort of relaying abused by spammers) and will still make it possible to use pretty much every mail client out there. Note the last line: it sets the name Postfix hands to SASL when it tries to authenticate, which is why the SASL configuration file is called smtpd.conf. Another reason to use this name is the fact that smtpd is the name of the daemon that will request authentication, and on some distributions it will automatically search for that name.
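The smtpd.conf and main.cf fragments above have to agree with each other (the SASL config name, the pwcheck method, the socket path, and noanonymous). This added example, not code from the original post, lints constructed copies of both files for exactly those points; parse_kv, lint_sasl_setup and the sample texts are all my own.

```python
"""Added example, not from the original post: lint the smtpd.conf and main.cf settings
shown above for consistency. The sample texts below are constructed copies of them."""

def parse_kv(text, sep):
    """Parse 'key<sep>value' lines; sep is ':' for smtpd.conf and '=' for main.cf.
    Skips blanks and '#' comments; indented lines continue the previous main.cf key."""
    out, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:
            out[last] += " " + raw.strip()
        elif sep in raw:
            key, value = raw.split(sep, 1)
            last = key.strip()
            out[last] = value.strip()
    return out

def lint_sasl_setup(smtpd_conf, main_cf, conf_name="smtpd.conf"):
    """Return a list of problems; [] means Postfix and Cyrus SASL agree with each other."""
    sasl, pf = parse_kv(smtpd_conf, ":"), parse_kv(main_cf, "=")
    problems = []
    if pf.get("smtpd_sasl_auth_enable", "no").lower() != "yes":
        problems.append("smtpd_sasl_auth_enable is not yes: Postfix will not offer AUTH")
    opts = set(pf.get("smtpd_sasl_security_options", "").replace(",", " ").split())
    if "noanonymous" not in opts:
        problems.append("smtpd_sasl_security_options lacks noanonymous: anonymous logins allowed")
    # smtpd_sasl_path names the SASL config file (minus .conf) that Cyrus looks up.
    expected = conf_name[:-5] if conf_name.endswith(".conf") else conf_name
    if pf.get("smtpd_sasl_path", "smtpd") != expected:
        problems.append(f"smtpd_sasl_path does not match {conf_name}")
    if sasl.get("pwcheck_method") != "authdaemond":
        problems.append("pwcheck_method is not authdaemond")
    elif not sasl.get("authdaemond_path", "").startswith("/"):
        problems.append("authdaemond_path must be an absolute socket path")
    return problems

SMTPD_CONF = """pwcheck_method: authdaemond
log_level: 2
authdaemond_path: /var/spool/authdaemon/socket
"""
MAIN_CF = """# SASL settings
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
# Used by SASL to identify the Postfix client
smtpd_sasl_path = smtpd
"""
```

Running lint_sasl_setup(SMTPD_CONF, MAIN_CF) on the fragments from this post returns an empty list; drop noanonymous from the security options and it reports the anonymous-login problem.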

Now save, restart Postfix and try to authenticate (set your mail client to connect to your server when sending mail and to use the same username and password you need when receiving mail). If everything went well, you can now send mail to anyone, from anywhere, using your very own address and just one mail server!

If you get this:

[postfix/smtpd] warning: SASL authentication failure: cannot connect to Courier authdaemond: Connection refused

…you have a problem. Ignore the bit that says Courier authdaemond – you are trying to connect to Cyrus but Postfix doesn’t know this, and as you are using the Courier interface it will tell you something that is incorrect. The message means that it couldn’t find the socket, is not allowed to access the socket, or a similar issue is preventing it from working.

Step 1: Do NOT hardlink the socket into the SASL directory to include it in the Postfix root jail. This will work as long as the system is up: if the authlib daemon is restarted, it will recreate the socket and your hardlink will be dead – sending you off on a goose chase (guess how I found out that one… afterwards I also found this conversation about it).

Step 2: Make sure the socket file is where you told Postfix it would be. Try restarting all services and make sure the timestamp on the socket changed when you restarted everything. If it didn’t change, you are referring to the wrong file. Try to delete it, restart everything again and you won’t see it reappear. Search for the real socket and fix the path in the smtpd.conf file.

Step 3: When accessing the socket, you need more than read and write access to the socket. You also need r/w access to a random regular file in the directory holding the socket. This is how sockets work and, if I understand correctly, a hidden file is used once a program opens the socket to continue the session – hence you need to be allowed to create that file. On CentOS, open ‘/etc/group’, find the line that says ‘daemon:…’ and add ‘postfix’ to that line, using a comma if one or more names are on that line already. Now Postfix is part of the daemon group, which owns the socket directory on CentOS. If you have a different distribution, find out who owns the directory and who is running Postfix (usually this is the user + group ‘postfix’ or ‘mail’) and fix it.

Step 4: Restart all services, or the whole system if you get here. Read the log files again, looking for hints about what went wrong. If you still have problems, try to Google for it or leave a comment.
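Steps 2 and 3 boil down to two questions: is there really a socket at the configured path, and can the Postfix account reach it through its directory? This added example (my own code, not from the original post) answers both with a stat-based check; the socket path and user name are parameters, the defaults are the CentOS values above, and demo_fixture() builds a constructed socket so the check can be dry-run on any box.

```python
"""Added example, not from the original post: check the authdaemond socket wiring of
Steps 2 and 3 above. sock_path/user are parameters (CentOS defaults from the post);
demo_fixture() builds a constructed socket so the check can be dry-run anywhere."""
import grp, os, pwd, socket, stat, tempfile


def has_perm(st, pw, gids, other_bit):
    """POSIX owner/group/other decision for one permission bit, passed as its 'other'
    form (e.g. stat.S_IWOTH). Root always passes; ACLs and SELinux are ignored."""
    if pw.pw_uid == 0:
        return True
    if st.st_uid == pw.pw_uid:
        return bool(st.st_mode & (other_bit << 6))
    if st.st_gid in gids:
        return bool(st.st_mode & (other_bit << 3))
    return bool(st.st_mode & other_bit)


def check_authdaemon_socket(sock_path, user="postfix"):
    """Return the problems `user` would hit connecting to `sock_path`; [] means OK."""
    try:
        st = os.stat(sock_path)
    except FileNotFoundError:
        return [f"{sock_path} missing: wrong authdaemond_path or daemon not running (Step 2)"]
    if not stat.S_ISSOCK(st.st_mode):
        return [f"{sock_path} is not a socket: fix the path in smtpd.conf (Step 2)"]
    try:
        pw = pwd.getpwnam(user)
    except KeyError:
        return [f"user {user!r} does not exist on this host"]
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    problems = []
    # connect() needs write permission on the socket node itself ...
    if not has_perm(st, pw, gids, stat.S_IWOTH):
        problems.append(f"{user} cannot write {sock_path}")
    # ... and search (x) permission on the directory holding it; on CentOS that is
    # the daemon group, hence Step 3's /etc/group edit.
    sock_dir = os.path.dirname(sock_path) or "."
    if not has_perm(os.stat(sock_dir), pw, gids, stat.S_IXOTH):
        problems.append(f"{user} cannot enter {sock_dir}: add {user} to its group")
    return problems


def demo_fixture():
    """Constructed fixture: a real Unix socket node in a fresh temp dir, plus our own
    account name, so the check can be run as the user who owns the socket."""
    path = os.path.join(tempfile.mkdtemp(), "socket")
    socket.socket(socket.AF_UNIX, socket.SOCK_STREAM).bind(path)
    return path, pwd.getpwuid(os.getuid()).pw_name
```

On the real server run check_authdaemon_socket("/var/spool/authdaemon/socket", "postfix") as root; a stale socket that nobody listens on still passes this check, which is why Step 2's timestamp comparison after a restart remains necessary.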

Good luck!


Compiling Courier 0.60.0 into RPMs for CentOS 5.2

In this article I will explain how to build RPM packages from the tar.gz packages on the Courier site in order to install Courier and/or its components using the RPM based installer in CentOS.

Server crashes always come when you least expect them. My trusty server just came down with a bad case of broken SATA controllers (don’t know how to cure that). Of course, the Socket A CPU (Athlon 2600XP) motherboard is long out of fashion and so we wind up with the purchase of a new server (technically an HTPC, but I’ll post something about that later on).

One of the key packages I have used for years is Courier MTA. This software is supported fine by Gentoo, but because the number of servers that I need to maintain is steadily growing, the drive for cutting edge kernels and software is fading, as upgrading Gentoo systems can be a time consuming process.

So in the reinstall I decided to drop the mail, web and ftp services into a virtual CentOS machine so I could move the server to a different computer in case of the physical host failing.

The first thing that became obvious was the lack of Courier RPMs out there, simply because the Courier package from the site can be converted into RPMs with ease. If you are reading this then you probably have not compiled packages before and you need some help.

Disclaimer: I am using a setup which uses MySQL based authentication so I will remove the other database packages as soon as I am done – if you need those, be sure to omit those commands.

Start out by installing ‘rpmbuild’ as we will use it to build the packages:

yum install rpm-build

Next, get the latest source tarball from here.

As a normal user (running as root will give you an error so don’t bother) run the following:

rpmbuild -ta courier-0.60.0.tar.bz2

In my case I got this error telling me I don’t have enough permissions to write where the rpmbuild tool wants to put its files:

error: Failed to rename /usr/src/redhat/SPECS/rpm-spec.uykL0j to /usr/src/redhat/SPECS/rpm-spec.uykL0j: Permission denied: No such file or directory

This is a bother because Courier requires you to be non-root and rpmbuild requires you to be root. I solved this by temporarily changing the /usr/src/redhat owner to be me:

chown -R berend:users /usr/src/redhat

Running rpmbuild again now shows us a list of missing dependencies, in my case I had to install:

yum install expect libtool-ltdl-devel gdbm-devel pam-devel gnutls-devel mgetty-sendfax pcre-devel openssl-perl gamin-devel

One of the missing requirements is the ‘/usr/lib/ltdl.h’ file – this is part of the libtool-ltdl-devel package. Another is ‘/usr/include/fam.h’, which is provided by gamin-devel.

The primary missing package however, is courier-authlib-devel. We can solve this by going back to the download page and downloading the courier-authlib tarball. After grabbing it, run rpmbuild on it:

rpmbuild -ta courier-authlib-0.61.1.tar.bz2

On my system the following was required to be able to build the RPM:

yum install libtool libtool-ltdl-devel openldap-devel mysql-devel zlib-devel postgresql-devel gcc-c++ redhat-rpm-config

Note that if you skipped installing the dependencies for courier itself, some of those packages are needed for courier-authlib as well.

After calling rpmbuild again on the courier-authlib tarball, the compiler should kick in and the build will complete on its own. After the build is complete, install courier-authlib and courier-authlib-devel to be able to build Courier itself (you can later remove the devel package if you don’t need it); you need to run this as root:

rpm -i /usr/src/redhat/RPMS/i386/courier-authlib-0.61.1-1.i386.rpm
rpm -i /usr/src/redhat/RPMS/i386/courier-authlib-devel-0.61.1-1.i386.rpm

If you did everything right, calling rpmbuild on the courier tarball will now fire up the compiler on Courier itself, resulting in a neat pile of RPMs in ‘/usr/src/redhat/RPMS’ – most of which have self-explanatory names or are dependencies of each other.

Before installing Courier, let’s clean up the mess we had to make to get here; run this as root again:

yum remove libtool libtool-ltdl-devel openldap-devel mysql-devel zlib-devel postgresql-devel gcc-c++ redhat-rpm-config gdbm-devel pam-devel gnutls-devel mgetty-sendfax pcre-devel openssl-perl gamin-devel courier-authlib-devel
chown -R root:root /usr/src/redhat

Note that we omit ‘expect’ from the remove command as it is needed by Courier and its packages.

And there you have it, a complete guide to building your own Courier RPM packages on CentOS 5.2. All that is left is to actually install the RPMs and set up Courier, but that is beyond this little howto.