Postfix Active Directory/LDAP authentication with Cyrus SASL on Linux

Postfix Main server

A simple and proven method to configure Postfix to authenticate all email users against Active Directory. Refer to the Solution section for the details.

Topic

  • How to configure Postfix to authenticate against an LDAP server using Cyrus SASL?
  • How to configure Postfix for Active Directory authentication?
  • How to configure Postfix to use LDAP authentication?
  • How to set up the Postfix configuration to support LDAP and Cyrus SASL authentication?
  • How to set up the Postfix configuration to support Active Directory (AD) Cyrus SASL authentication?

apt

  • Centos
  • RHEL
  • Scientific Linux
  • Fedora
  • Debian
  • Ubuntu


Solution


Postfix Lab information

Email Domain: example.com
LDAP Server: ad.example.com

Postfix Package installation

CentOS/Fedora/RHEL:

# yum install postfix cyrus-sasl cyrus-sasl-lib cyrus-sasl-plain openldap


Postfix LDAP Configuration

  • Add the following LDAP or Active Directory server information to the /etc/sasl2/smtpd.conf file.
$ cat /etc/sasl2/smtpd.conf 
pwcheck_method: saslauthd
mech_list: plain login

ldap_servers: ldap://ad.example.com
ldap_search_base: CN=Users,DC=example,DC=com
ldap_timeout: 10
ldap_filter: sAMAccountName=%U
ldap_bind_dn: CN=vmail,CN=Users,DC=example,DC=com
ldap_password: Abcd1234
ldap_deref: never
ldap_restart: yes
ldap_scope: sub
ldap_use_sasl: no
ldap_start_tls: no
ldap_version: 3
ldap_auth_method: bind

  • In the above configuration file, ad.example.com is the Active Directory server and vmail is a service account used to connect to it. Postfix hands each login attempt to saslauthd, which binds to AD with the vmail credentials, looks up the user with the ldap_filter (sAMAccountName=%U) and then, because ldap_auth_method is bind, validates the user's password by binding to AD as that user. Two points to keep in mind: with ldap_servers set to an ldap:// URL and ldap_start_tls: no, the vmail password and every user's password travel to the directory unencrypted, and since the file stores the vmail password it should not be readable by other users.

  • Add the following configuration to the /etc/sysconfig/saslauthd file.

$ cat /etc/sysconfig/saslauthd 

SOCKETDIR=/run/saslauthd

# Mechanism to use when checking passwords.  Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled with the ability to use.
MECH=ldap

# Additional flags to pass to saslauthd on the command line.  See saslauthd(8)
# for the list of accepted flags.
FLAGS=-O /etc/sasl2/smtpd.conf

  • Now enable and start the saslauthd daemon.
# systemctl enable saslauthd 
# systemctl start saslauthd 

  • Test Postfix LDAP authentication with testsaslauthd (adtest / zbc1234 is a test account in AD).
# testsaslauthd -u adtest -p zbc1234
0: OK "Success."

  • Note: If the above command returns OK, authentication is successful. If it does not, troubleshoot on the LDAP side or check the LDAP configuration defined in the /etc/sasl2/smtpd.conf file.
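As an added check (example code written for this article, not part of the original post or of the saslauthd project), the following script reads a saslauthd configuration in the key: value layout shown above and flags the things a practitioner wants caught before going live: an ldap:// URL combined with ldap_start_tls: no, which sends the vmail bind password and every user's password to the directory in clear text; a file that stores ldap_password but is readable by other users; and an ldap_filter with no login-name placeholder. The file path is a parameter, and write_sample_conf writes a constructed copy of the configuration above so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check a saslauthd LDAP
# configuration file (the post's /etc/sasl2/smtpd.conf) before Postfix goes live.
# Assumes the "key: value" layout used by saslauthd; the path is an argument.

# Print the value of one "key: value" setting, or nothing if the key is absent.
sasl_conf_get() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1
}

# Print one finding per line; return 1 if anything was found, 0 if clean.
check_saslauthd_conf() {
    file=$1
    found=0
    servers=$(sasl_conf_get "$file" ldap_servers)
    tls=$(sasl_conf_get "$file" ldap_start_tls)
    # With an ldap:// URL and StartTLS off, the vmail bind password and every
    # user's password cross the network to the directory in clear text.
    case "$servers" in
        ldaps://*) ;;
        *)
            if [ "$tls" != "yes" ]; then
                echo "cleartext LDAP: servers=$servers ldap_start_tls=${tls:-unset}"
                found=1
            fi
            ;;
    esac
    # The file holds ldap_password, so nobody but its owner should read it.
    # Columns 8-10 of "ls -l" are the permission bits for "other".
    if [ -n "$(sasl_conf_get "$file" ldap_password)" ]; then
        other=$(ls -ld "$file" | cut -c8-10)
        if [ "$other" != "---" ]; then
            echo "file holding ldap_password is readable by others: other=$other"
            found=1
        fi
    fi
    # saslauthd substitutes the login name into ldap_filter via %u or %U;
    # a filter without one cannot select the right directory entry.
    filter=$(sasl_conf_get "$file" ldap_filter)
    case "$filter" in
        *%U*|*%u*) ;;
        *) echo "ldap_filter has no login-name placeholder: $filter"; found=1 ;;
    esac
    return $found
}

# Write a constructed copy of the post's smtpd.conf to the given path.
write_sample_conf() {
    cat > "$1" <<'EOF'
pwcheck_method: saslauthd
mech_list: plain login

ldap_servers: ldap://ad.example.com
ldap_search_base: CN=Users,DC=example,DC=com
ldap_timeout: 10
ldap_filter: sAMAccountName=%U
ldap_bind_dn: CN=vmail,CN=Users,DC=example,DC=com
ldap_password: Abcd1234
ldap_deref: never
ldap_restart: yes
ldap_scope: sub
ldap_use_sasl: no
ldap_start_tls: no
ldap_version: 3
ldap_auth_method: bind
EOF
}

# Demo: check the sample exactly as the post shows it, with a typical 644 mode.
tmp=$(mktemp)
write_sample_conf "$tmp"
chmod 644 "$tmp"
check_saslauthd_conf "$tmp" || echo "-> fix the findings above before starting saslauthd"
rm -f "$tmp"
```

Run it against the real file with `check_saslauthd_conf /etc/sasl2/smtpd.conf` after sourcing the script; a clean file produces no output and exit status 0.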

Postfix configuration
  • Once saslauthd is successfully configured, add the following Postfix configuration to the /etc/postfix/main.cf file.
$ cat /etc/postfix/main.cf

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix

mail_owner = postfix
mydomain = example.com

inet_interfaces = all
inet_protocols = all

mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
unknown_local_recipient_reject_code = 550

#Network configuration.
mynetworks_style = subnet
mynetworks = 127.0.0.0/8 192.168.10.0/24

# postfix SMTP SASL Authentication configuration. 
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = cyrus
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = no

# A custom SMTP class for allow or deny. 
smtpd_restriction_classes = allow, deny
allow = permit
deny = reject

# for specific IP address verification 
smtpd_client_restrictions = permit_mynetworks,deny

# Rules which enforce SMTP HELO restrictions
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    deny

# Require SMTP senders to authenticate
smtpd_sender_restrictions =
    permit_sasl_authenticated, 
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    deny

#Generic configuration 
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

debug_peer_level = 2
debugger_command =
     PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
     ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.10.1/samples
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES


Postfix Configuration Validation/Testing
  • Now restart the Postfix service and start testing.

  • Create a base64-encoded username and password for testing. The SASL PLAIN mechanism expects a NUL byte, the user name, a NUL byte and the password, base64-encoded. For example, if the LDAP user name is tekfik and the password is tekfik1234, execute the following command to generate the encoded credential string.
$ echo -ne '\000tekfik\000tekfik1234' | openssl base64
AHRla2ZpawB0ZWtmaWsxMjM0

  • Execute the following telnet command to validate Postfix LDAP/AD authentication.
$ telnet 192.168.10.70 25
Trying 192.168.10.70...
Connected to 192.168.10.70.
Escape character is '^]'.
220 ad.example.com ESMTP Postfix

ehlo example.com
250-ad.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

  • In the telnet session, type the following for Postfix LDAP authentication, using the base64 string generated above in place of the placeholder.
    AUTH PLAIN EkufohddidXXbhdkggdNkMTIzNHlddewd=
    235 2.7.0 Authentication successful
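The credential step and the EHLO/AUTH exchange above, as an added example written for this article (not code from the original post or from the Postfix project): the script builds the SASL PLAIN string the way the echo command does, decodes it back so a tester can confirm what went on the wire, and parses a captured EHLO reply to check that the server actually advertises AUTH PLAIN before sending the command. It assumes coreutils base64 is installed (the post's openssl base64 produces the same output for this input); the sample EHLO reply is a constructed copy of the one shown above.

```shell
#!/bin/sh
# Added example, not from the original post: build and verify a SASL PLAIN
# credential and check that the EHLO reply offers AUTH PLAIN.
# Assumes coreutils base64 (same output as "openssl base64" for this input).

# SASL PLAIN initial response is: authzid NUL authcid NUL password (RFC 4616),
# with the authzid left empty as in the post. printf writes the NUL bytes
# straight into the pipe; a shell variable cannot hold a NUL byte.
sasl_plain_b64() {
    printf '\000%s\000%s' "$1" "$2" | base64 | tr -d '\n'
}

# Decode a PLAIN credential and print field N (1=authzid, 2=authcid, 3=password)
# so a tester can confirm exactly which user name and password were sent.
sasl_plain_field() {
    printf '%s' "$1" | base64 -d | tr '\000' '\n' | sed -n "${2}p"
}

# Extract the mechanism list from a captured EHLO reply. Postfix sends
# "250-AUTH PLAIN LOGIN" (RFC 4954) and, because broken_sasl_auth_clients=yes,
# a second "250-AUTH=PLAIN LOGIN" line for old clients; only the first is used.
ehlo_auth_mechs() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^250[ -]AUTH \(.*\)$/\1/p' | head -n 1
}

# Succeed only if the named mechanism is offered.
ehlo_offers_mech() {
    for m in $(ehlo_auth_mechs "$1"); do
        [ "$m" = "$2" ] && return 0
    done
    return 1
}

# Print the AUTH PLAIN command line, but only when the server offers PLAIN.
auth_plain_line() {
    if ehlo_offers_mech "$1" PLAIN; then
        printf 'AUTH PLAIN %s\n' "$(sasl_plain_b64 "$2" "$3")"
    else
        echo "server does not offer AUTH PLAIN" >&2
        return 1
    fi
}

# Constructed sample: the EHLO reply shown in the post, as telnet displays it.
SAMPLE_EHLO='250-ad.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN'

# Demo with the post's test user; prints the exact line to paste into telnet.
auth_plain_line "$SAMPLE_EHLO" tekfik tekfik1234
```

Because the base64 string is only an encoding, anyone who captures the session can run sasl_plain_field on it and recover the password; that is why this exchange belongs on a TLS-protected connection or a trusted network.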

  • Once authentication is successful, execute the following steps to send a test email.

MAIL FROM:root@example.com
250 2.1.0 Ok
RCPT TO:test@example.com
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
Subject:Tekfik

Hello Tekfik
. <a line containing only a dot ends the message and sends it>

250 2.0.0 Ok: queued as M453E1052891



About the Author: TekFik

TekFik is a technical blogging site that helps techies and engineers solve their day-to-day issues and lets everyone share knowledge and feedback. Please feel free to contact us at tekfik.rd@gmail.com.
