- To: slug@xxxxxxxxxxx
- Subject: Re: [SLUG] Looking for docs on Postfix-TLS (no SASL!)
- From: Jeff Waugh <jdub@xxxxxxxxxxxxxx>
- Date: Sat, 4 Sep 2004 13:06:33 +1000
- User-agent: Mutt/1.5.6+20040523i
<quote who="Mary Gardiner">
> Anyone got a short client-Postfix to server-Postfix TLS guide to setting
> up keys and configuring the NECESSARY variables?

Not a guide, but a snippet, because I do exactly what you want to - it's
great! You need sasl to do tls.

On the client side (I'm running Ubuntu, which is about as new as sid) you
need postfix-tls installed (Debian).

/etc/postfix/main.cf:

    # often gets around port 25 blocking on both ends
    relayhost = server:587
    disable_dns_lookups = yes
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    smtp_sasl_security_options = noanonymous
    smtp_use_tls = yes
    smtp_tls_loglevel = 0

/etc/postfix/sasl_passwd: (which you need to postmap)

    server password

On the server side (I'm running sarge), you need postfix-tls, sasl2-bin,
libsasl2-modules.

/etc/postfix/main.cf:

    broken_sasl_auth_clients = yes
    smtpd_use_tls = yes
    smtpd_tls_auth_only = yes
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_tls_security_options = noanonymous
    smtpd_sasl_local_domain =
    smtpd_tls_loglevel = 0
    smtpd_tls_received_header = no
    smtpd_tls_key_file = /etc/postfix/smtpd.pem
    smtpd_tls_cert_file = /etc/postfix/smtpd.pem
    smtpd_tls_CAfile = /etc/postfix/smtpd.pem

/etc/postfix/sasl/smtpd.conf:

    pwcheck_method: saslauthd
    mech_list: login plain

You need to be running saslauthd (/etc/default/saslauthd). There are a
number of backends for it - I just use UNIX logins via pam or shadow.

- Jeff
--
linux.conf.au 2005: Canberra, Australia http://linux.conf.au/
"Well, you know us usability folks... We like to believe that the two
aren't mutually exclusive." - Calum Benson on power and cleanliness
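
Added example, not part of the original post: a small checker that reads main.cf text the way Postfix does (no trailing comments, whitespace-led continuation lines) and flags the two settings that keep the plain/login SASL passwords from this setup off an unencrypted connection. The sample files and the functions parse_main_cf and audit are constructed for illustration; the server sample deliberately leaves out smtpd_tls_auth_only.

```python
# Constructed samples using parameter names from the post (not real files).
CLIENT_CF = """\
relayhost = server:587 # often gets around port 25 blocking on both ends
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_use_tls = yes
"""
SERVER_CF = """\
smtpd_use_tls = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
"""

def parse_main_cf(text):
    """Parse main.cf text the way Postfix reads it: '#' starts a comment only
    as the first non-blank character, and a line that starts with whitespace
    continues the previous parameter."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last is not None:
            params[last] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            last = name.strip()
            params[last] = value.strip()
    return params

def audit(params):
    """Return findings for the TLS and SASL settings the post relies on."""
    def on(key):
        return params.get(key, "no") == "yes"
    # A '#' inside a value means a trailing comment was swallowed into it.
    findings = [f"{k}: text after '#' is part of the value"
                for k, v in params.items() if "#" in v]
    if on("smtpd_sasl_auth_enable") and not on("smtpd_tls_auth_only"):
        findings.append("smtpd_tls_auth_only: AUTH is offered without TLS")
    if on("smtp_sasl_auth_enable") and not on("smtp_use_tls"):
        findings.append("smtp_use_tls: client may authenticate without TLS")
    return findings

if __name__ == "__main__":
    for label, text in (("client", CLIENT_CF), ("server", SERVER_CF)):
        for finding in audit(parse_main_cf(text)):
            print(f"{label}: {finding}")
```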