a few propellerheads
Postfix with SASL and TLS

This article will walk you through installing an updated version of Postfix on Mac OS X 10.3 (Panther), complete with SASL and TLS support which uses system logins for authentication. If you prefer to see this as wide as possible, check out this expanding version with larger fonts, just for Wietse.

Advanced - This article assumes that you have a basic understanding of the Mac OS X command line and/or how to compile software from source code and that you have the developers tools installed. In addition, it assumes familiarity with mail servers, SMTP, SSL Certificates and Postfix.

Plenty of people have covered setting up SASL and TLS with Postfix, unfortunately they are generally using Linux, or at best FreeBSD. Since it took me a full day to both track down all of the information I needed and then work through some of the problems I encountered, I thought that I would post a quick step-by-step here.

I worked for as long as I was willing trying to get Cyrus SASL 2.1.17 to install without success. Therefore, I reverted to using 2.1.15 which installed with no hassles.

Commands which are executed with root priveleges have a # before them even though they are actually sudo'd to make them easier to see.

Download the Pieces
open a terminal session and move to your preferred build directory.
% curl -O ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/OLD-VERSIONS/sasl/cyrus-sasl-2.1.15.tar.gz
% curl -O ftp://ftp.aet.tu-cottbus.de/pub/postfix_tls/pfixtls-0.8.16-2.0.18-0.9.7c.tar.gz
% curl -O http://mirrors.cleanfunny.com/postfix-release/official/postfix-2.0.18.tar.gz
Build Cyrus SASL
The SASL libraries are already installed in Panther, but saslauthd is not and neither are the header files we need to build a new version of postfix (the one shipped as of 10.3.2 is only 2.0.10 and as of this writing, 2.0.18 is out). I went ahead and installed everything under /usr/local/ but sasl2 still looks in /usr/lib/sasl2 for plug-ins. We get around that later by moving the old directory and linking to the new one. I also didn't want to use a seperate database for my users (they all have system accounts) so I disabled dblib.
Update 3/31/2004: A couple of people have e-mailed me to tell me SASL would not compile with PAM support. A suggestion to add a link from /usr/lib/security -> /usr/lib/pam allowed a succesful compile.

# sudo ln -s /usr/lib/pam /usr/lib/security

thanks to Jeff Roy

% gnutar -xzf cyrus-sasl-2.1.15.tar.gz
% cd cyrus-sasl-2.1.15
% ./configure --enable-login=yes --with-dblib=none -disable-krb4 --disable-gssapi
% make
# sudo make install
# sudo sh -c "echo pwcheck_method: saslauthd >/usr/local/lib/sasl2/smtpd.conf"
# sudo mv /usr/lib/sasl2 /usr/lib/sasl2.apple
# sudo ln -s /usr/local/lib/sasl2 /usr/lib/sasl2
% cd ..
% rehash
Build Postfix
Postfix has generally been a breeze to build on Mac OS X and it was no different this time, even with the TLS patch. Because I already had a functional (and running) version of Postfix, I used 'make upgrade' rather than 'make install'. After installation, but before I made any configuration changes, I verified that all mail was still being succesfully sent and received.
% gnutar -xzf postfix-2.0.18.tar.gz
% gnutar -xzf pfixtls-0.8.16-2.0.18-0.9.7c.tar.gz
% patch -p0 < pfixtls-0.8.16-2.0.18-0.9.7c/pfixtls.diff
% cd postfix-2.0.18/
% make makefiles \
  CCARGS="-DUSE_SASL_AUTH -I/usr/local/include/sasl -DHAS_SSL -I/usr/include/openssl" \
  AUXLIBS="-L/usr/local/lib -lsasl2 -lssl -lkerberos"
# sudo make upgrade
# sudo postfix reload
Create PAM file for SMTP
We have already told SASL to use saslauthd, which in turn will use PAM to authenticate our users. Now we have to tell pam how to authenticate users for SMTP. I had already created authentication profiles for IMAP and figured SMTP should be the same. Since you may or may not have that, I am showing ftpd instead.
# sudo cp /etc/pam.d/ftpd /etc/pam.d/smtp
Start saslauthd
Before we can have Postfix authenticating against saslauthd, we need to have saslauthd running. In addition to starting it right now, you should probably also create a startup file in /Library/StartupItems. Take a look at the directories in /System/Library/StartupItems for reference.
# sudo /usr/local/sbin/saslauthd -a pam
Update Postfix main.cf
We need to enable three things, SASL, TLS, and allowing SASL authenticated users to send mail. Edit your /etc/postfix/main.cf to contain at least the following changes. I have many more smtpd_recipient_restrictions to try to filter out spammers. Also, at the moment I am allowing both remote authenticated users and local unauthenticated users. Eventually everyone will be required to authenticate.
# Enable SASL authentication and allow broken clients
# You can ignore broken clients (such as Outlook Express 5) if you
# know that all of your users will be using good clients.
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
# turn on tls so that SASL auth can be delivered over tls
# encrypted channel
smtpd_use_tls = yes
smtpd_tls_key_file = /System/Library/OpenSSL/certs/your.domain.key
smtpd_tls_cert_file = /System/Library/OpenSSL/certs/your.domain.crt
smtpd_tls_CAfile = /System/Library/OpenSSL/certs/your.ca.pem
# If you want to require everyone to authenticate, you can remove
# the permit_mynetworks and follow up with a reject.
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated
Update Postfix master.cf
This step is actually optional. If you are just going to be connecting with Apple Mail or other clients which understand STARTTLS, then you can probably ignore this. Although almost all of my users use a conforming client, I use PowerMail which does not. So, to use TLS I have to create an smtps service which runs on a different port and forces TLS. Add the following line to your /etc/postfix/master.cf file.
smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
Update /etc/services
And if you do this, you will also need to update your services file, since port 465 (the smtps port) is assigned to something else. Rather than replace the existing entry (since I didn't know what it was) I just added an alias for smtps. Edit your /etc/services file to have the following entries, or ditch the igmpv3lite and urd in favor of smtps.
igmpv3lite 465/udp smtps # IGMP over UDP for SSM urd 465/tcp smtps # URL Rendesvous Directory for SSM
Reload Postfix and Test
Everything should now be ready to go. If you are on your local network, you will still be able to check things out, but you should really have someone offsite check to see if they can get through without being on your net.
# sudo postfix check
# sudo postfix reload

And you are done. Configure your e-mail client to use use SSL/TLS and authenticate with username/password. You can also telnet to your mail server on port 25 to see the conversation. Reply to it's helo with an ehlo and see what options you get. You should see STARTTLS and a list of authentication options. You can remove options from the /usr/local/lib/sasl2 directory (I moved them to an 'unused' directory) in order to remove them as options for login.

If you have any questions or suggestions, please use my contact form and remember to leave an e-mail address if you want a response.