Postfix with SASL and TLS
This article will walk you through installing an updated version of Postfix on
Mac OS X 10.3 (Panther), complete with SASL and TLS support which uses system
logins for authentication.
This article assumes that you have a basic understanding of the Mac OS X command
line and/or how to compile software from source code, and that you have the
developer tools installed. In addition, it assumes familiarity with mail servers,
SMTP, SSL certificates and Postfix.
Plenty of people have covered setting up SASL and TLS with Postfix; unfortunately, they
are generally using Linux, or at best FreeBSD. Since it took me a full day to both
track down all of the information I needed and then work through some of the problems
I encountered, I thought that I would post a quick step-by-step here.
I worked for as long as I was willing trying to get Cyrus SASL 2.1.17 to install without
success. Therefore, I reverted to using 2.1.15 which installed with no hassles.
Commands which are executed with root privileges have a # before them, even though they
are actually run through sudo, to make them easier to see.
Download the Pieces
Open a terminal session and move to your preferred build directory.
% curl -O ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/OLD-VERSIONS/sasl/cyrus-sasl-2.1.15.tar.gz
% curl -O ftp://ftp.aet.tu-cottbus.de/pub/postfix_tls/pfixtls-0.8.16-2.0.18-0.9.7c.tar.gz
% curl -O http://mirrors.cleanfunny.com/postfix-release/official/postfix-2.0.18.tar.gz
Build Cyrus SASL
The SASL libraries are already installed in Panther, but saslauthd is not, and neither are the
header files we need to build a new version of Postfix (the one shipped as of 10.3.2 is only
2.0.10 and, as of this writing, 2.0.18 is out). I went ahead and installed everything under
/usr/local/, but sasl2 still looks in /usr/lib/sasl2 for plug-ins. We get around that later by
moving the old directory and linking to the new one. I also didn't want to use a separate
database for my users (they all have system accounts), so I disabled dblib.
A couple of people have e-mailed me to tell me SASL would not compile
with PAM support. A suggestion to add a link from /usr/lib/security -> /usr/lib/pam allowed
a successful compile.
# sudo ln -s /usr/lib/pam /usr/lib/security
Thanks to Jeff Roy.
% gnutar -xzf cyrus-sasl-2.1.15.tar.gz
% cd cyrus-sasl-2.1.15
% ./configure --enable-login=yes --with-dblib=none --disable-krb4 --disable-gssapi
# sudo make install
# sudo sh -c "echo pwcheck_method: saslauthd >/usr/local/lib/sasl2/smtpd.conf"
# sudo mv /usr/lib/sasl2 /usr/lib/sasl2.apple
# sudo ln -s /usr/local/lib/sasl2 /usr/lib/sasl2
% cd ..
Postfix has generally been a breeze to build on Mac OS X, and it was no different this time, even with
the TLS patch. Because I already had a functional (and running) version of Postfix, I used
'make upgrade' rather than 'make install'. After installation, but before I made any configuration
changes, I verified that all mail was still being successfully sent and received.
% gnutar -xzf postfix-2.0.18.tar.gz
% gnutar -xzf pfixtls-0.8.16-2.0.18-0.9.7c.tar.gz
% patch -p0 < pfixtls-0.8.16-2.0.18-0.9.7c/pfixtls.diff
% cd postfix-2.0.18/
% make makefiles \
CCARGS="-DUSE_SASL_AUTH -I/usr/local/include/sasl -DHAS_SSL -I/usr/include/openssl" \
AUXLIBS="-L/usr/local/lib -lsasl2 -lssl -lkerberos"
# sudo make upgrade
# sudo postfix reload
Create PAM file for SMTP
We have already told SASL to use saslauthd, which in turn will use PAM to authenticate our users. Now
we have to tell PAM how to authenticate users for SMTP. I had already created authentication profiles
for IMAP and figured SMTP should be the same. Since you may or may not have that, I am showing ftpd instead.
# sudo cp /etc/pam.d/ftpd /etc/pam.d/smtp
Before we can have Postfix authenticating against saslauthd, we need to have saslauthd running. In addition
to starting it right now, you should probably also create a startup file in /Library/StartupItems. Take a
look at the directories in /System/Library/StartupItems for reference.
# sudo /usr/local/sbin/saslauthd -a pam
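The startup file mentioned above, written out as an added example (this is not part of the original article; the item name, the description text and the use of killall to stop the daemon are my choices). It generates a StartupItem in the same shape as the ones under /System/Library/StartupItems: a directory holding an executable script of the same name plus a StartupParameters.plist, and includes a small check that the generated script parses.

```sh
#!/bin/sh
# Added example (not from the original article): generate a Mac OS X
# StartupItem that starts saslauthd at boot. The layout follows the items
# under /System/Library/StartupItems: a folder containing an executable
# script of the same name and a StartupParameters.plist.

# Write the StartupItem under $1 (defaults to /Library/StartupItems) and
# print the path of the created item directory.
install_saslauthd_startupitem() {
    base="${1:-/Library/StartupItems}"
    item="$base/saslauthd"
    mkdir -p "$item"

    # The script sources /etc/rc.common, which supplies ConsoleMessage
    # and RunService (the dispatcher for start/stop/restart).
    cat > "$item/saslauthd" <<'EOF'
#!/bin/sh
. /etc/rc.common

StartService ()
{
    ConsoleMessage "Starting saslauthd"
    # -a pam: authenticate through PAM, hence the /etc/pam.d/smtp file
    /usr/local/sbin/saslauthd -a pam
}

StopService ()
{
    ConsoleMessage "Stopping saslauthd"
    killall saslauthd
}

RestartService ()
{
    StopService
    StartService
}

RunService "$1"
EOF
    chmod 755 "$item/saslauthd"

    # Old-style property list, the format used by the items shipped with Panther.
    cat > "$item/StartupParameters.plist" <<'EOF'
{
  Description     = "Cyrus SASL authentication daemon (saslauthd)";
  Provides        = ("saslauthd");
  Requires        = ("Network");
  OrderPreference = "Late";
}
EOF
    echo "$item"
}

# Sanity check of a generated item: both files present, the script is
# executable, parses (sh -n) and still starts saslauthd with -a pam.
check_startupitem() {
    item="$1"
    [ -x "$item/saslauthd" ] || return 1
    [ -f "$item/StartupParameters.plist" ] || return 1
    sh -n "$item/saslauthd" || return 1
    grep -q 'saslauthd -a pam' "$item/saslauthd"
}

# Usage (as root): sh this-script.sh install
# then start it once by hand with: /Library/StartupItems/saslauthd/saslauthd start
if [ "${1:-}" = "install" ]; then
    item=$(install_saslauthd_startupitem) && check_startupitem "$item" && echo "installed $item"
fi
```

Pass a different base directory as the first argument of install_saslauthd_startupitem to generate the files somewhere you can inspect them before copying them into /Library/StartupItems.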
Update Postfix main.cf
We need to enable three things: SASL, TLS, and allowing SASL-authenticated users to send mail. Edit your
/etc/postfix/main.cf to contain at least the following changes. I have many more smtpd_recipient_restrictions
to try to filter out spammers. Also, at the moment I am allowing both remote authenticated users and local
unauthenticated users. Eventually everyone will be required to authenticate.
# Enable SASL authentication and allow broken clients
# You can ignore broken clients (such as Outlook Express 5) if you
# know that all of your users will be using good clients.
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
# turn on tls so that SASL auth can be delivered over tls
# encrypted channel
smtpd_use_tls = yes
smtpd_tls_key_file = /System/Library/OpenSSL/certs/your.domain.key
smtpd_tls_cert_file = /System/Library/OpenSSL/certs/your.domain.crt
smtpd_tls_CAfile = /System/Library/OpenSSL/certs/your.ca.pem
# If you want to require everyone to authenticate, you can remove
# the permit_mynetworks and follow up with a reject.
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated
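A small audit script for the main.cf changes above, added here as an example (it is not from the original article, and it parses main.cf itself rather than calling postconf so it also runs on a constructed sample file). It checks that the three settings are present, that the private key named by smtpd_tls_key_file is not readable by group or others, and whether smtpd_tls_auth_only is set; that parameter, which the article's configuration leaves unset, restricts AUTH to TLS sessions so that a client which skips STARTTLS cannot send a password on port 25 in the clear.

```sh
#!/bin/sh
# Added example (not from the original article): check a main.cf for the
# SASL/TLS settings described above and check the TLS private key's
# permissions. Run it as: sh audit.sh /etc/postfix/main.cf
# Without an argument it audits a constructed sample main.cf.

# Print the value of parameter $2 from main.cf $1 (last definition wins,
# as in Postfix). Comment lines and indented continuation lines are skipped.
pf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        /^[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ {
            name = $0; sub(/[ \t]*=.*/, "", name)
            if (name == key) {
                val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
                found = val
            }
        }
        END { print found }
    ' "$1"
}

# Return 0 when SASL auth, TLS and relaying for SASL users are all enabled.
pf_check_sasl_tls() {
    f="$1"
    [ "$(pf_get "$f" smtpd_sasl_auth_enable)" = yes ] || { echo "smtpd_sasl_auth_enable is not yes"; return 1; }
    [ "$(pf_get "$f" smtpd_use_tls)" = yes ] || { echo "smtpd_use_tls is not yes"; return 1; }
    case " $(pf_get "$f" smtpd_recipient_restrictions | tr ',' ' ') " in
        *" permit_sasl_authenticated "*) ;;
        *) echo "permit_sasl_authenticated missing from smtpd_recipient_restrictions"; return 1 ;;
    esac
    echo "SASL + TLS settings present"
}

# Return 0 only if AUTH is limited to TLS sessions (smtpd_tls_auth_only = yes).
pf_auth_only_over_tls() {
    [ "$(pf_get "$1" smtpd_tls_auth_only)" = yes ]
}

# Return 0 if the file has no group/other permission bits (0600 or 0400).
# ls -l columns 5-10 are the group and other rwx triplets.
key_perms_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample main.cf mirroring the article's settings; prints its path.
make_sample_main_cf() {
    dir=$(mktemp -d)
    cat > "$dir/main.cf" <<'EOF'
# constructed sample for the audit script
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_use_tls = yes
smtpd_tls_key_file = /System/Library/OpenSSL/certs/your.domain.key
smtpd_tls_cert_file = /System/Library/OpenSSL/certs/your.domain.crt
smtpd_tls_CAfile = /System/Library/OpenSSL/certs/your.ca.pem
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated
EOF
    echo "$dir/main.cf"
}

# Run every check against one main.cf; the key path is read from the file.
audit_main_cf() {
    f="$1"
    pf_check_sasl_tls "$f" || return 1
    pf_auth_only_over_tls "$f" || echo "WARNING: smtpd_tls_auth_only is not yes; AUTH is offered on the cleartext port"
    key=$(pf_get "$f" smtpd_tls_key_file)
    if [ -f "$key" ]; then
        key_perms_ok "$key" || echo "WARNING: $key is readable by group or others"
    else
        echo "NOTE: key file $key is not present on this machine"
    fi
}

audit_main_cf "${1:-$(make_sample_main_cf)}"
```

The parser deliberately ignores indented lines, which Postfix treats as continuations of the previous parameter, so a long smtpd_recipient_restrictions list split over several lines is only partly read; check such lists with postconf -n on the live system.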
Update Postfix master.cf
This step is actually optional. If you are just going to be connecting with Apple Mail or other
clients which understand STARTTLS, then you can probably ignore this. Although almost all of my
users use a conforming client, I use PowerMail, which does not. So, to use TLS I have to create
an smtps service which runs on a different port and forces TLS. Add the following entry to your
master.cf (the -o line must be indented so that Postfix reads it as a continuation of the smtps line):
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
And if you do this, you will also need to update your services file, since port 465 (the smtps port)
is assigned to something else. Rather than replace the existing entry (since I didn't know what it was)
I just added an alias for smtps. Edit your /etc/services file to have the following entries,
or ditch the igmpv3lite and urd in favor of smtps.
igmpv3lite 465/udp smtps # IGMP over UDP for SSM
urd 465/tcp smtps # URL Rendesvous Directory for SSM
Reload Postfix and Test
Everything should now be ready to go. If you are on your local network, you will still be able
to check things out, but you should really have someone offsite check to see if they can get
through without being on your net.
# sudo postfix check
# sudo postfix reload
And you are done. Configure your e-mail client to use SSL/TLS and authenticate with username/password.
You can also telnet to your mail server on port 25 to see the conversation. Reply to its greeting
with an EHLO and see what options you get. You should see STARTTLS and a list of authentication
options. You can remove options from the /usr/local/lib/sasl2 directory (I moved them to an
'unused' directory) in order to remove them as options for login.
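The EHLO check above, turned into a script you can run against captured output, as an added example (not from the original article). The two responses are constructed to look like what the configuration above advertises on port 25; mail.example.com is a placeholder host name. The point the script makes is the one the telnet test should make you look for: with the settings above, AUTH is listed alongside STARTTLS on the cleartext connection, so a client that never issues STARTTLS can still log in with its password in the clear; setting smtpd_tls_auth_only = yes makes Postfix list AUTH only inside the TLS session.

```sh
#!/bin/sh
# Added example (not from the original article): parse an SMTP EHLO
# response and report whether STARTTLS is advertised and whether AUTH is
# offered before TLS is negotiated. Capture a live cleartext response with
#   printf 'EHLO client.example\r\nQUIT\r\n' | nc mail.example.com 25
# and the capabilities seen inside TLS with
#   openssl s_client -starttls smtp -connect mail.example.com:25
#   openssl s_client -connect mail.example.com:465    # smtps wrapper mode
# (mail.example.com is a placeholder host name.)

# Print one capability keyword per line from an EHLO response on stdin.
# The first 250 line carries the server name, not a capability, so it is
# skipped. "AUTH PLAIN LOGIN" and the "AUTH=PLAIN LOGIN" line that
# broken_sasl_auth_clients adds both come out as AUTH.
ehlo_caps() {
    awk '
        { sub(/\r$/, "") }
        /^250[- ]/ {
            n++
            if (n == 1) next
            sub(/^250[- ]/, "")
            k = $1; sub(/=.*/, "", k)
            print k
        }
    '
}

# Return 0 if the EHLO response on stdin advertises capability $1.
has_cap() {
    ehlo_caps | grep -qx "$1"
}

# Verdict for the cleartext EHLO (before STARTTLS), as an exit code:
#   0  STARTTLS offered and no AUTH in the clear
#   1  AUTH offered in the clear (smtpd_tls_auth_only = yes stops this)
#   2  STARTTLS not offered at all
cleartext_ehlo_verdict() {
    resp=$(cat)
    printf '%s\n' "$resp" | has_cap STARTTLS || return 2
    printf '%s\n' "$resp" | has_cap AUTH && return 1
    return 0
}

# Constructed: what the article's configuration advertises on port 25.
SAMPLE_ARTICLE_CONFIG='220 mail.example.com ESMTP Postfix
250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME'

# Constructed: the same server with smtpd_tls_auth_only = yes.
SAMPLE_AUTH_ONLY_TLS='220 mail.example.com ESMTP Postfix
250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250 8BITMIME'

# Print a one-line description of the verdict for response $2, labelled $1.
describe() {
    rc=0
    printf '%s\n' "$2" | cleartext_ehlo_verdict || rc=$?
    case $rc in
        0) echo "$1: STARTTLS offered, AUTH only after TLS" ;;
        1) echo "$1: AUTH offered before STARTTLS (passwords can travel in the clear)" ;;
        2) echo "$1: STARTTLS not offered" ;;
    esac
}

describe "article config" "$SAMPLE_ARTICLE_CONFIG"
describe "auth only over TLS" "$SAMPLE_AUTH_ONLY_TLS"
```

To test a real server, save the cleartext EHLO response to a file and pipe it through cleartext_ehlo_verdict; run the same parser on the EHLO that follows STARTTLS in the openssl s_client session to confirm that AUTH does appear there.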
If you have any questions or suggestions, please use my contact form
and remember to leave an e-mail address if you want a response.