## - Configure a postfix server to act as relay host for
## - AUTENTiCATED clients
## -
## - see also Postfix SASL Howto:
## -    http://www.postfix.org/SASL_README.html
## -    http://www.synology-wiki.de/index.php/Mail-Relay_mit_Postfix
## -


## - Todo:
## -    1.) Configuring SASL authentication in the Postfix SMTP server
## -       - Configuring Cyrus SASL - using accounts are stored in a Cyrus SASL
## -         Berkeley DB database 
## -    2.) Configuring SASL authentication in the Postfix SMTP/LMTP client

## - ------------------------------------------------------------- - ##
## - 1. Configuring SASL authentication at the Postfix SMTP server - ##
## - ------------------------------------------------------------- - ##

## -----------------------------
## - Create the sasldb2 Database
## -
## - To create and maintain the database, we will user the 
## - command-line utility "saslpasswd2". So, we have to install
## - the packages sasl2-bin
## -
apt-get install sasl2-bin


## - The sasldb auxprop plugin authenticates SASL clients against credentials 
## - that are stored in a Berkeley DB database. The database schema is specific
## - to Cyrus SASL. The database is usually located at /etc/sasldb2
## -
## - !!!!
## - NOTE: in chrooted postfix, thats if chroot in master.cf is not set (have
## -       "-") or is set to yes (have "y"), the database "sasdb2" ist
## -        searched in the chrooted path. In debian it is file
## -        /var/spool/postfix/etc/sasldb2
## - !!!!
## -


## - Create a new account
## -
## - Note: 
## -    1.) usernames of accounts are of the Form:
## -        <username>@<domain> and NOT <username>
## -
## -    2.) The database-file defaults to "/etc/sasldb2". But on chrooted
## -        postfix (as we have), the database file must placed to 
## -        /var/spool/postfix/etc/sasldb2 - on default debian postfix
## -        install. So use flag "-f"
## -       
saslpasswd2 -c -u b.mx.oopen.de <username> -f /var/spool/postfix/etc/sasldb2

## - Check with command-line utility "sasldblistusers2"
## -
sasldblistusers2 -f /var/spool/postfix/etc/sasldb2


## ------------------------------------------------
## - Configure and Enable Cyrus SASL authentication


## - in /etc/postfix/main.cf set:
## -
## -    smtpd_sasl_type = cyrus
## -
## -    # Define the name of the configuration file. Cyrus SASL add's the
## -    # suffix ".conf". The location where Cyrus SASL searches for the named
## -    # file depends on the Cyrus SASL version and the OS/distribution used.
## -    # For debian it is: /etc/postfix/sasl/
## -    smtpd_sasl_path = smtpd
## -
## -    # enable SASL authentication
## -    smtpd_sasl_auth_enable = yes
## -    
## -    # Disallow methods that allow anonymous authentication. 
## -    smtpd_sasl_security_options = noanonymous
## -    smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
## -
## -    # Do not accept SASL authentication over unencrypted connections
## -    smtpd_tls_auth_only = yes
## -
vim /etc/postfix/main.cf

## - create /etc/postfix/sasl/smtpd.conf
## -
## -    pwcheck_method: auxprop
## -    auxprop_plugin: sasldb
## -    mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM
## -
## - Take care only to use provided login mechanisms
## -    # saslpluginviewer -x AUXPROP_MECHS
## -
vim /etc/postfix/sasl/smtpd.conf


## - To allow (dynamic) ip-adresses to relay, even if they ar blacklistet
## - you can use permit_sasl_authenticated in postfix smtpd_relay_restrictions
## - BEFOR checking against blacklists
## -
## - in /etc/postfix/main.cf set:
## -
## -    smtpd_recipient_restrictions =
## -    ...
## -    # permit trusted network mynetwork
## -       permit_mynetworks,
## -    # sasl authenticated user (we work as relayhost for some office networks)
## -       permit_sasl_authenticated,
## -    # dont' accept misconfigured Mail
## -       reject_non_fqdn_recipient,
## -       reject_unknown_sender_domain,
## -       reject_unknown_recipient_domain,
## -       reject_unlisted_recipient,
## -    # RBL check - !! comment out if postcreens postscreen_dnsbl_sites is in use
## -       permit_dnswl_client dnswl.oopen.de,
## -       #reject_rbl_client zen.spamhaus.org,
## -       reject_rbl_client ix.dnsbl.manitu.net,
## -       reject_rbl_client bl.spamcop.net,
## -       reject_rbl_client dnsbl.njabl.org,
## -    # Policyd-Weight
## -    ...
## -
vim /etc/postfix/main.cf


## - !! Note !!
## -
## - Take care that the 'smtp' entry in master.cf DOES NOT contain an entry;
## - 
## -    -o smtpd_sasl_auth_enable=no
## -
## - Remove this line or set smtpd_sasl_auth_enable to 'yes'



## - --------------------------------------------------------------- - ##
## - Configuring SASL authentication in the Postfix SMTP/LMTP client - ##
## - --------------------------------------------------------------- - ##


## - Notice: you have to install Pluggable Authentication Modules for SASL
## -         for debian: install package libsasl2-modules
## -
apt-get install libsasl2-modules


## - Edit file /etc/postfix/main.cf and set:
## -
## -    # Enable SASL authentication
## -    smtp_sasl_auth_enable = yes
## -    
## -    # Forwarding to the ip-adress of host b.mx.oopen.de
## -    relayhost = [b.mx.oopen.de]
## -    
## -    # File including login data
## -    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
## -    
## -    # Force using a (TLS) security connection
## -    # obsulete - use smtp_tls_security_level instead
## -    #smtp_use_tls = yes
## -    #smtp_tls_enforce_peername = no
## -    smtp_tls_security_level = encrypt
## -
## -    # Disallow methods that allow anonymous authentication. 
## -    smtp_sasl_security_options = noanonymous
## -
vim /etc/postfix/main.cf


## - Enter SASL account data into file /etc/postfix/sasl_passwd
## -
## -    <relayhost> <username>:<password>
## -
## - Note: if relayhost is configured as above, username is of the form
## -    <username>@<domain>
## -
vim /etc/postfix/sasl_passwd

## - Important
## -
## - Keep the SASL client password file in /etc/postfix, and make the file
## - read+write only for root to protect the username/password combinations against
## - other users. The Postfix SMTP client will still be able to read the SASL
## - client passwords. It opens the file as user root before it drops privileges,
## - and before entering an optional chroot jail.
## -
chown root:root /etc/postfix/sasl_passwd
chmod 600 /etc/postfix/sasl_passwd

## - Create databasefile of /etc/postfix/sasl_passwd 
## -
postmap /etc/postfix/sasl_passwd


## - Reload postfix
## -
/etc/init.d/postfix reload

