wader / postfix-relay

Postfix SMTP relay docker image
https://hub.docker.com/r/mwader/postfix-relay/
MIT License

Adding SASL Auth to Postfix #70

Closed MeCJay12 closed 1 year ago

MeCJay12 commented 1 year ago

Let me know what you think of these changes. I tried to follow your style as best as I could. Once the changes are accepted and merged to the public docker image I will most likely remove my repo. You can follow the process I was following here and here.

libpam-pwdfile is used to read the passwd file, sasl2-bin is the actual service that does the client authentication, and whois includes mkpasswd which isn't strictly necessary but is useful to end users when creating their passwd files.

Includes a link to the official Postfix docs where this situation is covered for people who may want to modify. After that, an example is included with basic PAM auth backed by a file and how to generate the file. The number of env variables that need to be set isn't pretty but I figure that's better than having users try to go figure it out.

I tried to follow your style here so feel free to make stylistic updates if I missed on anything. My changes will only run if the user passes the $SASL_Passwds variable since the passwds file must be generated by the user first. My changes then create the smtpd config file if needed, update the saslauthd service for postfix chroot, then update PAM to use the user's passwd file. saslauthd will not be run if the user doesn't specify a passwd file to save resources. Postfix needs to start after these changes.

MeCJay12 commented 1 year ago

Do you plan on doing more changes to the PR?

Everything I plan on doing is submitted. I did have one cleanup change in my editor that wasn't submitted but it's in there now.

Replied to your comments. Let me know if I need to clarify more.

wader commented 1 year ago

Getting a bit late here, will build and test tomorrow

wader commented 1 year ago

@hemberger hey, looks ok to you? You're usually good at spotting things :)

wader commented 1 year ago

Did some basic testing and didn't see anything strange. As this is disabled by default I think it should be quite safe to merge.

@MeCJay12 Some last things you want to do or ready to merge?

@hemberger Feel free to review even after this is merged

MeCJay12 commented 1 year ago

Ready here

wader commented 1 year ago

👍

rubencm commented 11 months ago

If someone else can confirm. This wasn't working for me, in fact after a few hours I received an email from my server provider blocking my port 25 because of spam. After some tests this is what worked for me:

version: "2"

services:

  smtp:
    image: mwader/postfix-relay:latest
    restart: always
    ports:
      - "587:25"
    volumes:
      - ./passwd_file:/etc/postfix/sasl/sasl_passwds
    environment:
      - SASL_Passwds=/etc/postfix/sasl/sasl_passwds
      - POSTFIX_smtp_sasl_password_maps=hash:/etc/postfix/sasl/sasl_passwds
      - POSTFIX_smtpd_sasl_auth_enable=yes
      - POSTFIX_smtpd_sasl_security_options=noanonymous
      - POSTFIX_smtpd_recipient_restrictions=permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
      - POSTFIX_smtpd_delay_reject-yes
      - POSTFIX_smtpd_client_restrictions=permit_sasl_authenticated, reject
      - POSTFIX_myhostname=mail.domain.com
      - OPENDKIM_DOMAINS=mail.domain.com

I got the configuration from here but I don't understand it too much. To test it, I used swaks; now authentication seems to be working correctly, but probably the environment variables can be improved

wader commented 11 months ago

Sorry have no experience with SASL auth, maybe @MeCJay12?

BTW I noticed POSTFIX_smtpd_delay_reject-yes, should the - be a =?

rubencm commented 11 months ago

Yes, my mistake, then that line is probably not necessary

MeCJay12 commented 11 months ago

Hey all,

I'm not an expert in Postfix either and they changed how access lists work in 2.10 so here is the config section for more context: https://www.postfix.org/postconf.5.html#smtpd_relay_restrictions

That said, if that is your full docker-compose config, the issue is including 'permit_mynetworks' in 'POSTFIX_smtpd_recipient_restrictions'. By default, this container/Postfix (need to look into it some more for a proper fix) sets permit_mynetworks = 0.0.0.0/0. smtpd_recipient_restrictions work on an OR basis so your config says "allow authenticated users OR anyone coming from permitted networks i.e. the Internet".

Short term fix, just remove 'permit_mynetworks' from 'POSTFIX_smtpd_recipient_restrictions'. Long term fix will be in an upcoming pull req.

MeCJay12 commented 11 months ago

@wader Quick update from testing for the update, 'smtpd_relay_restrictions' is specified by default which merges with 'smtpd_recipient_restrictions' so my new recommendation is to replace 'POSTFIX_smtpd_recipient_restrictions=...' with 'POSTFIX_smtpd_relay_restrictions=permit_sasl_authenticated, reject' in your config. That said, it looks like fixing 'POSTFIX_smtpd_delay_reject' in your config will also resolve your issue. The Postfix docs are a bit unclear IMHO.
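A small open-relay checker, added here as an example and not code from the project or from anyone in this thread. It models only the two lists MeCJay12 discusses (smtpd_relay_restrictions and smtpd_recipient_restrictions) the way he describes them: each list is walked left to right, the first permit/reject wins, an exhausted list permits, and both lists must permit for relaying to succeed. It assumes mynetworks=0.0.0.0/0 when not overridden, as reported above for this image, and the environment lines are a constructed copy of rubencm's config.

```python
import ipaddress

# Postfix 2.10+ default for smtpd_relay_restrictions when the parameter is unset.
DEFAULT_RELAY = "permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination"

# Constructed sample: the environment block from rubencm's compose file above.
SAMPLE_ENV = [
    "POSTFIX_smtpd_sasl_auth_enable=yes",
    "POSTFIX_smtpd_recipient_restrictions=permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination",
    "POSTFIX_smtpd_client_restrictions=permit_sasl_authenticated, reject",
]

def parse_env(lines):
    """Turn 'POSTFIX_<param>=<value>' lines into a {param: value} dict (others are ignored)."""
    cfg = {}
    for line in lines:
        key, sep, value = line.strip().partition("=")
        if sep and key.startswith("POSTFIX_"):
            cfg[key[len("POSTFIX_"):]] = value.strip()
    return cfg

def evaluate(restrictions, client_ip, authenticated, mynetworks):
    """Walk one restriction list for a recipient in a foreign domain; first PERMIT/REJECT wins."""
    nets = [ipaddress.ip_network(n.strip()) for n in mynetworks.split(",") if n.strip()]
    in_mynets = any(ipaddress.ip_address(client_ip) in n for n in nets)
    for r in [x.strip() for x in restrictions.split(",") if x.strip()]:
        if r == "permit_mynetworks" and in_mynets:
            return "PERMIT"
        if r == "permit_sasl_authenticated" and authenticated:
            return "PERMIT"
        if r in ("reject_unauth_destination", "defer_unauth_destination", "reject"):
            return "REJECT"  # the destination is external here, so all of these stop the relay
        if r == "permit":
            return "PERMIT"
    return "PERMIT"  # Postfix permits when a list ends without a decision

def is_open_relay(cfg, client_ip="203.0.113.10"):
    """True if an unauthenticated client at client_ip could relay to an external domain.
    Assumes mynetworks=0.0.0.0/0 unless the config overrides it (as this thread reports)."""
    mynets = cfg.get("mynetworks", "0.0.0.0/0")
    lists = [cfg.get("smtpd_relay_restrictions", DEFAULT_RELAY),
             cfg.get("smtpd_recipient_restrictions", "")]
    return all(evaluate(lst, client_ip, False, mynets) == "PERMIT" for lst in lists)

if __name__ == "__main__":
    cfg = parse_env(SAMPLE_ENV)
    print("open relay:", is_open_relay(cfg))
    cfg["smtpd_relay_restrictions"] = "permit_sasl_authenticated, reject"
    print("open relay after fix:", is_open_relay(cfg))
```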