FREEBSD SYSADMIN Installing And Configuring Cyrus-Sasl2

SASL (Simple Authentication and Security Layer) is a framework for adding authentication support to connection-based protocols. In this article the protocol is the Simple Mail Transfer Protocol (SMTP), which a mail transfer agent such as Postfix uses to move Internet email. Adding authentication support to the MTA matters for users who need to relay email through the server from untrusted public networks. Secure mail relay is achieved by coupling SASL with SSL/TLS encryption, so that the credentials are never sent over the network in the clear.

By default, Postfix MTA is not an open email relay. While this prevents unauthorized users from using the server to deliver spam, it also prevents authorized users from sending email from anywhere other than the local private network. Cyrus SASL allows the SMTP server to verify the identity of remote users; once authenticated, a user is granted relay privileges from wherever they connect.

John Myers, a former systems architect at Carnegie Mellon University, published the SASL specification in October 1997. Cyrus SASL is maintained under the Cyrus Project at Carnegie Mellon.

The discussion in this article is particularly relevant for Cyrus SASL configurations with Postfix MTA, and assumes that you intend to use SASL with SMTP combined with SSL/TLS encryption to secure the PLAIN and/or LOGIN authentication methods, since both of them transmit the password itself and rely on the encrypted session for protection.

The operating system used in this article is FreeBSD 13. Begin by installing the Cyrus SASL authentication server (saslauthd); its port also pulls in the Cyrus SASL library. To start the installation, type the following commands:

root@router2:~ # cd /usr/ports/security/cyrus-sasl2-saslauthd
root@router2:~ # make config && make install clean
root@router2:~ # rehash

A menu with the port's build options will appear. Leave these settings at their defaults and press Enter to continue the installation.

Once you have finished installing security/cyrus-sasl2, edit the /usr/local/lib/sasl2/Sendmail.conf file, or create it if it doesn't exist, and add the following lines:

pwcheck_method: saslauthd
mech_list: plain login

In this file, the first line directs Cyrus SASL to check passwords through the SASL authentication server (saslauthd) that you just installed. The second line tells Cyrus SASL to offer only the PLAIN and LOGIN mechanisms when a client connects to the SMTP server. Both mechanisms carry the password itself (base64-encoded, not encrypted), which is why the session must already be protected by TLS before a client authenticates.
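To make the point about PLAIN and LOGIN concrete, and to have something to test the server with once it is set up, here is an added example (not part of the original post) that builds the credential strings a client sends for AUTH PLAIN and AUTH LOGIN, decodes them again to show that the encoding is fully reversible, and checks a captured EHLO reply for AUTH being advertised before STARTTLS. The user name, password and EHLO replies are constructed samples, and the script assumes a base64(1) that accepts -d (GNU coreutils, BusyBox, recent macOS).

```shell
#!/bin/sh
# Added example, not part of the original post: build the credential strings a
# client sends for AUTH PLAIN (RFC 4616) and AUTH LOGIN, decode them again to
# show the encoding is reversible, and check a captured EHLO reply for AUTH
# advertised before STARTTLS. Needs a base64(1) that accepts -d (GNU coreutils,
# BusyBox, recent macOS). The user name, password and EHLO replies below are
# constructed samples.

# AUTH PLAIN: the client sends base64("\0" authcid "\0" password) in one line.
auth_plain_token() {  # $1 = user, $2 = password
  printf '\0%s\0%s' "$1" "$2" | base64 | tr -d '\n'
}

# Undo the encoding. Whoever sees the bytes of an unencrypted session gets the
# password back unchanged, which is why PLAIN and LOGIN belong under TLS only.
auth_plain_decode() {  # $1 = token; prints authzid, authcid and password
  decoded=$(printf '%s' "$1" | base64 -d | tr '\0' '|')   # NUL -> '|' for splitting
  authz=${decoded%%|*}
  rest=${decoded#*|}
  authc=${rest%%|*}
  passwd=${rest#*|}
  printf "authzid='%s' authcid='%s' password='%s'\n" "$authz" "$authc" "$passwd"
}

# AUTH LOGIN: user name and password go as two separate base64 strings, each in
# reply to a server prompt; printed here one per line.
auth_login_tokens() {  # $1 = user, $2 = password
  printf '%s' "$1" | base64 | tr -d '\n'; echo
  printf '%s' "$2" | base64 | tr -d '\n'; echo
}

# Exit 0 when the EHLO reply on stdin advertises AUTH. Run it on the reply
# received *before* STARTTLS: a server that advertises AUTH there invites
# clients to send their passwords in the clear.
auth_advertised() {
  grep -q '^250[- ]AUTH'
}

# Constructed EHLO reply on port 587 before STARTTLS: only STARTTLS is offered.
EHLO_BEFORE_TLS='250-mail.example.org Hello client.example.org [192.0.2.10], pleased to meet you
250-ENHANCEDSTATUSCODES
250-STARTTLS
250 HELP'

# Constructed EHLO reply after STARTTLS: now AUTH PLAIN LOGIN is offered.
EHLO_AFTER_TLS='250-mail.example.org Hello client.example.org [192.0.2.10], pleased to meet you
250-ENHANCEDSTATUSCODES
250-AUTH PLAIN LOGIN
250 HELP'

tok=$(auth_plain_token alice s3cret)
echo "client sends: AUTH PLAIN $tok"
echo "decoded:      $(auth_plain_decode "$tok")"
echo "LOGIN replies:"; auth_login_tokens alice s3cret
printf '%s\n' "$EHLO_BEFORE_TLS" | auth_advertised && echo "WARNING: AUTH offered before STARTTLS"
printf '%s\n' "$EHLO_AFTER_TLS"  | auth_advertised && echo "AUTH offered after STARTTLS (expected)"
```

The tokens are what you paste after `AUTH PLAIN` (or in answer to the two `AUTH LOGIN` prompts) inside an `openssl s_client -starttls smtp` session to verify the finished setup; the decode function shows that anyone reading the unencrypted bytes recovers the password, so the check on the pre-STARTTLS EHLO reply is the one to keep in your monitoring.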

The next step is to have the SASL authentication server start automatically when the machine boots. Add the following lines to the /etc/rc.conf file:

saslauthd_enable="YES"
saslauthd_flags="-a pam"

Start (or restart) the saslauthd daemon with the following command:

root@router2:~ # service saslauthd restart

With the -a pam flag, the daemon acts as a broker for sendmail and authenticates SMTP AUTH requests through the system's PAM stack, which on FreeBSD checks the local passwd database. This saves you the trouble of maintaining a separate set of usernames and passwords for every user who needs SMTP authentication, and keeps the login and email passwords the same.

Once the saslauthd daemon is running, add the following lines to the /etc/make.conf file:

root@router2:~ # ee /etc/make.conf
SENDMAIL_CFLAGS=-I/usr/local/include/sasl -DSASL
SENDMAIL_LDFLAGS=-L/usr/local/lib
SENDMAIL_LDADD=-lsasl2

These lines give Sendmail the configuration options it needs to link against cyrus-sasl2 at compile time. Make sure cyrus-sasl2 is installed before recompiling Sendmail. Now recompile Sendmail from the base system sources by running the following commands:

root@router2:~ # cd /usr/src/lib/libsmutil
root@router2:~ # make cleandir && make obj && make
root@router2:~ # cd /usr/src/lib/libsm
root@router2:~ # make cleandir && make obj && make
root@router2:~ # cd /usr/src/usr.sbin/sendmail
root@router2:~ # make cleandir && make obj && make && make install

After Sendmail has been compiled and reinstalled, edit /etc/mail/freebsd.mc or your local .mc file. Many administrators use the output of hostname as the .mc file name for uniqueness. Add the following lines at the end of /etc/mail/freebsd.mc:

root@router2:~ # ee /etc/mail/freebsd.mc
dnl set SASL options
TRUST_AUTH_MECH(`GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl
define(`confAUTH_MECHANISMS', `GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN')dnl

The final step is to run make in /etc/mail. The target below processes the .mc file into a .cf file (freebsd.cf), installs it as sendmail.cf, and restarts Sendmail. Type the following:

root@router2:~ # cd /etc/mail
root@router2:/etc/mail # make install restart
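Sendmail advertises only the mechanisms that appear both in confAUTH_MECHANISMS in the .mc file and in mech_list in Sendmail.conf, and saslauthd can verify nothing but cleartext passwords, so with the two files as shown above only LOGIN ends up being both offered and verifiable. The following added example (not part of the original post) cross-checks the two files and reports exactly that; the file contents it writes are constructed samples copied from the settings in this post.

```shell
#!/bin/sh
# Added example, not part of the original post: cross-check the mechanisms that
# Cyrus SASL enables (mech_list in Sendmail.conf) against those sendmail is told
# to advertise (confAUTH_MECHANISMS in the .mc file). sendmail offers only the
# mechanisms present in both lists, and saslauthd can verify only cleartext
# passwords, so PLAIN and LOGIN are the only ones it makes work. File contents
# below are constructed samples copied from the settings in this post.

# Value of a "key: value" line in a SASL config file, lowercased.
sasl_value() {  # $1 = file, $2 = key
  awk -v k="$2" -F': *' '$1 == k { print tolower($2); exit }' "$1"
}

# Mechanism list from a define(`confAUTH_MECHANISMS', `...')dnl line, lowercased.
mc_auth_mechs() {  # $1 = .mc file
  awk -v q="'" '/define\(`confAUTH_MECHANISMS/ {
      s = $0
      sub(/.*confAUTH_MECHANISMS[^`]*`/, "", s)   # drop up to the opening quote
      s = substr(s, 1, index(s, q) - 1)            # keep up to the closing quote
      print tolower(s); exit
  }' "$1"
}

# Report which mechanisms will actually be offered and verifiable.
# Returns 0 when the two files agree, 1 when something listed will not work.
check_auth_mechs() {  # $1 = SASL config, $2 = .mc file
  pwcheck=$(sasl_value "$1" pwcheck_method)
  sasl_mechs=$(sasl_value "$1" mech_list)
  mc_mechs=$(mc_auth_mechs "$2")
  status=0
  for m in $mc_mechs; do
    case " $sasl_mechs " in
      *" $m "*)
        if [ "$pwcheck" = saslauthd ]; then
          case $m in
            plain|login) echo "ok: $m offered and verifiable through saslauthd" ;;
            gssapi) echo "note: $m offered; it uses Kerberos, not saslauthd" ;;
            *) echo "warn: $m offered but saslauthd cannot verify it (needs a sasldb/auxprop secret)"; status=1 ;;
          esac
        else
          echo "ok: $m offered"
        fi ;;
      *) echo "warn: $m in confAUTH_MECHANISMS but not in mech_list, will not be offered"; status=1 ;;
    esac
  done
  for m in $sasl_mechs; do
    case " $mc_mechs " in
      *" $m "*) ;;
      *) echo "warn: $m in mech_list but not in confAUTH_MECHANISMS, sendmail will not offer it"; status=1 ;;
    esac
  done
  return $status
}

# Write constructed sample files into $1; $2 overrides the .mc mechanism list.
write_sample_configs() {  # $1 = directory, $2 = mechanisms (default: the post's)
  mechs=${2:-"GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN"}
  printf 'pwcheck_method: saslauthd\nmech_list: plain login\n' > "$1/Sendmail.conf"
  cat > "$1/freebsd.mc" <<EOF
dnl set SASL options
TRUST_AUTH_MECH(\`$mechs')dnl
define(\`confAUTH_MECHANISMS', \`$mechs')dnl
EOF
}

tmp=$(mktemp -d)
write_sample_configs "$tmp"
echo "== as written in the post =="
check_auth_mechs "$tmp/Sendmail.conf" "$tmp/freebsd.mc"
write_sample_configs "$tmp" "PLAIN LOGIN"
echo "== with confAUTH_MECHANISMS matching mech_list =="
check_auth_mechs "$tmp/Sendmail.conf" "$tmp/freebsd.mc"
rm -rf "$tmp"
```

Run it against the real files with `check_auth_mechs /usr/local/lib/sasl2/Sendmail.conf /etc/mail/freebsd.mc`. If you want PLAIN as well as LOGIN, list it in confAUTH_MECHANISMS (and TRUST_AUTH_MECH); Sendmail can additionally be told to withhold both of them until a security layer is active with define(`confAUTH_OPTIONS', `A p')dnl, where p refuses mechanisms susceptible to passive attack outside an encrypted session.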

Recompiling Sendmail should cause no problems as long as /usr/src has not changed much and the necessary dependencies are available.
Iwan Setiawan
