====== Postfix SMTP GSSAPI authentication howto ======

This howto explains how to install and configure the Postfix mail transfer agent with GSSAPI authentication.

An SMTP server without authentication relays e-mail only from a predefined set of network addresses or prefixes. Using authentication in general gives two things:

  - The SMTP server can relay e-mail coming from any IP address, as long as the client is able to authenticate itself.
  - E-mail is encrypted when sent from the client to the Postfix SMTP server.

[[wp>Generic Security Services Application Program Interface|GSSAPI]] authentication in particular provides a third advantage: single sign-on, which allows the same Kerberos credentials to be used for several services without typing the user password more than once.

===== Building and installing postfix =====

==== Install cyrus-sasl-2.1.22 ====

To enable GSSAPI authentication, we first need to install the Cyrus SASL library. The following is a generic way to compile the cyrus-sasl library so that it can be used with the Cyrus IMAP server as well as with Postfix.
  * Download from ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/
  * Install:

<code>
./configure --sysconfdir=/usr/local/etc --with-cyrus-user=cyrus --with-cyrus-group=cyrus \
    --with-sasl=/usr/local --with-bdb-libdir=/usr/local/lib --with-bdb-incdir=/usr/local/include/db3 \
    --with-bdb=db3 --with-saslauthd --enable-plain
make
make install
</code>

==== Install postfix ====

  * wget http://mirror.postfix.jp/postfix-release/official/postfix-2.5.5.tar.gz
  * Make sure /usr/lib/sasl2 exists and that it contains the SASL libraries or points to them, e.g. /usr/local/lib/sasl2
  * Add the user and group postfix with nologin as the shell
  * Create a group postdrop (add ''postdrop:*:54321:'' to /etc/group)
  * Build and install:

<code>
make makefiles CCARGS="-DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/usr/local/include/sasl" AUXLIBS="-L/usr/local/lib -lsasl2"
make
make install
</code>

===== Edit configuration files =====

The configuration files reflect the use of GSSAPI for authentication and Cyrus as the IMAP server; all e-mail to local accounts will be forwarded to Cyrus.

==== /etc/postfix/main.cf ====

The two parameters that you need to change are "myhostname" and "mynetworks".
<code>
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix

# CHANGE myhostname
myhostname = codealias.info
mydomain = $myhostname
myorigin = $mydomain

unknown_local_recipient_reject_code = 550

# CHANGE mynetworks
mynetworks = 160.85.0.0/16, 127.0.0.0/8

# IF YOU DO NOT USE CYRUS IMAP SERVER, REMOVE THESE 2 LINES BELOW
mailbox_transport = cyrus
fallback_transport = cyrus

debug_peer_level = 2
debugger_command =
    PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5

sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/local/man
sample_directory = /etc/postfix
readme_directory = /usr/local/share/postfix-readme

# SASL AUTHENTICATION PARAMETERS
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
</code>

==== /etc/postfix/master.cf ====

If you are not using the Cyrus IMAP server, then ignore this file. If you want to use the Cyrus IMAP server (assuming it is installed and running), then uncomment the following lines in master.cf:

<code>
cyrus     unix  -       n       n       -       -       pipe
  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
</code>

===== Create an smtp Kerberos service =====

Since we will be using GSSAPI/Kerberos 5 authentication, the SMTP server must be registered as a Kerberos service and its keytab must be made available to the Postfix server. On the Kerberos KDC, add the new service principal and extract its keytab (both are Heimdal kadmin commands, run locally on the KDC with ''-l''):

<code>
kadmin -l add smtp/codealias.info@CODEALIAS.INFO
kadmin -l ext_keytab --keytab=/tmp/smtp smtp/codealias.info@CODEALIAS.INFO
</code>

You need to transfer the keytab /tmp/smtp to the host running Postfix and place it under /etc/keytab. The keytab holds the service's long-term key, so it must be readable by the user smtpd runs as (''mail_owner'', i.e. postfix) and by nobody else; if smtpd runs chrooted (the chroot column in master.cf), the keytab must also be visible from inside the chroot.

===== Start postfix =====

<code>
postalias /etc/aliases
postfix start
</code>

==== Notes ====

  - You can test the GSSAPI authentication using Evolution.
  - This procedure was tested on FreeBSD 6.2.

{{tag>security services howto unix}}
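The checks below are an added example and are not part of the original howto. They verify, after the steps above, that main.cf enables SASL for smtpd, that the Cyrus SASL profile selected by ''smtpd_sasl_path = smtpd'' offers GSSAPI and names a keytab that exists, that the keytab is owned by the smtpd user and not readable by group or others, and that the running server advertises ''AUTH GSSAPI'' in its EHLO reply. Assumptions not stated on the page: the SASL profile lives at /usr/lib/sasl2/smtpd.conf (the directory the howto says must exist), ''mech_list'' and ''keytab'' are the standard Cyrus SASL option names, and the EHLO reply is captured to a file beforehand (for example with a manual telnet session). All sample inputs in the usage section are constructed.

```shell
#!/bin/sh
# Added example (not from the original howto): post-installation checks for
# the Postfix + Cyrus SASL GSSAPI setup.
#
# Assumed paths (not stated on the page):
#   /etc/keytab            - where the howto says to place the extracted keytab
#   /usr/lib/sasl2/smtpd.conf - Cyrus SASL profile chosen by smtpd_sasl_path = smtpd
#   "mech_list" and "keytab" are standard Cyrus SASL option names.

# check_main_cf FILE
# Succeeds only if FILE enables SMTP AUTH and selects the "smtpd" SASL profile.
check_main_cf() {
    grep -Eq '^[[:space:]]*smtpd_sasl_auth_enable[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$1" || return 1
    grep -Eq '^[[:space:]]*smtpd_sasl_path[[:space:]]*=[[:space:]]*smtpd[[:space:]]*$' "$1" || return 1
}

# write_sasl_conf FILE KEYTAB
# Writes a minimal Cyrus SASL profile that offers only GSSAPI (so no
# plaintext mechanism is advertised) and names the keytab explicitly.
write_sasl_conf() {
    printf 'mech_list: GSSAPI\nkeytab: %s\n' "$2" > "$1"
}

# check_sasl_conf FILE
# Succeeds if the profile offers GSSAPI and the keytab it names exists.
check_sasl_conf() {
    grep -Eiq '^[[:space:]]*mech_list:.*gssapi' "$1" || return 1
    kt=$(sed -n 's/^[[:space:]]*keytab:[[:space:]]*//p' "$1")
    [ -n "$kt" ] && [ -f "$kt" ]
}

# check_keytab FILE OWNER
# The keytab is the service's long-term key: it must exist, belong to the
# user smtpd runs as, and carry no group or world read bit.
check_keytab() {
    [ -f "$1" ] || return 1
    [ -n "$(find "$1" -prune -user "$2" ! -perm -g+r ! -perm -o+r)" ]
}

# ehlo_offers_gssapi FILE
# FILE holds the server's EHLO reply (CRLF line endings are tolerated);
# succeeds if a 250 AUTH line lists GSSAPI as a mechanism.
ehlo_offers_gssapi() {
    grep -Eiq '^250[- ]AUTH([[:space:]]+[A-Za-z0-9_-]+)*[[:space:]]+GSSAPI([[:space:]]|$)' "$1"
}

# run_checks MAIN_CF SASL_CONF KEYTAB OWNER EHLO_FILE
# Prints the number of failed checks on stdout; diagnostics go to stderr.
run_checks() {
    failed=0
    check_main_cf "$1"      || { echo "main.cf: SASL auth not enabled for smtpd" >&2; failed=$((failed+1)); }
    check_sasl_conf "$2"    || { echo "smtpd.conf: GSSAPI not offered or keytab missing" >&2; failed=$((failed+1)); }
    check_keytab "$3" "$4"  || { echo "keytab: wrong owner or readable by group/others" >&2; failed=$((failed+1)); }
    ehlo_offers_gssapi "$5" || { echo "EHLO: server does not advertise AUTH GSSAPI" >&2; failed=$((failed+1)); }
    echo "$failed"
}

# Usage on the real host (paths from the howto; the EHLO reply must be
# captured to /tmp/ehlo.txt first):
#   run_checks /etc/postfix/main.cf /usr/lib/sasl2/smtpd.conf /etc/keytab postfix /tmp/ehlo.txt
```

The keytab permission check is the one most often skipped: a keytab that is group- or world-readable lets any local account impersonate the smtp service, and a keytab owned by root with mode 600 is simply unreadable by the unprivileged smtpd process, which shows up as GSSAPI failing for every client.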