SMTP authentication in Proxmox

Small write-up on how to do this in Proxmox Mail Gateway 6.x:
  • install packages for saslauthd:
    Code:
    apt-get install sasl2-bin libsasl2-modules
  • modify /etc/default/saslauthd:
    Code:
    START=yes
    DESC="SASL Authentication Daemon"
    NAME="saslauthd"
    MECHANISMS="ldap"
    MECH_OPTIONS=""
    THREADS=5
    OPTIONS="-c -m /var/run/saslauthd"
  • create /etc/saslauthd.conf (use a dedicated service account on ldap/ad for pmg):
    Code:
    ldap_use_sasl: yes
    ldap_servers: ldap://10.1.1.10:389
    ldap_search_base: OU=users,DC=example,DC=com
    ldap_bind_dn: CN=<pmg_service_username>,OU=Service accounts,DC=example,DC=com
    ldap_password: <pmg_service_password>
  • start the saslauthd service:
    Code:
    service saslauthd restart
  • test ldap connection through saslauthd, using a regular ldap/ad user:
    Code:
    testsaslauthd -u <username> -p <password>
  • check the logs for saslauthd:
    Code:
    journalctl -fu saslauthd

Once the 0: OK "Success." is received from testsaslauthd the postfix config can be done.
  • create /etc/postfix/sasl/smtpd.conf:
    Code:
    pwcheck_method: saslauthd
    mech_list: PLAIN LOGIN
  • modify/create the template /etc/pmg/templates/main.cf.in (defaults can be copied from /var/lib/pmg/templates/main.cf.in):
    Code:
    ...
    smtpd_sender_restrictions =
            permit_mynetworks
            reject_non_fqdn_sender
            check_client_access     cidr:/etc/postfix/clientaccess
            check_sender_access     regexp:/etc/postfix/senderaccess
            check_recipient_access  regexp:/etc/postfix/rcptaccess
    [%- IF pmg.mail.rejectunknown %] reject_unknown_client_hostname[% END %]
    [%- IF pmg.mail.rejectunknownsender %] reject_unknown_sender_domain[% END %]
    
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_security_options = noanonymous
    
    smtpd_recipient_restrictions =
            permit_sasl_authenticated
            permit_mynetworks
            reject_unauth_destination
            reject_non_fqdn_recipient
            check_recipient_access  regexp:/etc/postfix/rcptaccess
    [%- IF postfix.usepolicy %] check_sender_access  regexp:/etc/postfix/senderaccess[% END %]
    [%- IF postfix.usepolicy %] check_client_access  cidr:/etc/postfix/clientaccess[% END %]
    [%- IF postfix.usepolicy %] check_policy_service inet:127.0.0.1:10022[% END %]
    [%- IF pmg.mail.verifyreceivers %] reject_unknown_recipient_domain[% END %]
    [%- IF pmg.mail.verifyreceivers %] reject_unverified_recipient[% END %]
    
    ...
  • Add the postfix user to the sasl group:
    Code:
    adduser postfix sasl
  • regenerate the config files based on the template:
    Code:
    pmgconfig sync --restart 1

Note: one might want to setup tls via the /etc/pmg/pmg-tls.pem properly in advance, but that is beyond the scope of this short how-to.
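
An added check, not part of the original post: PLAIN and LOGIN carry the password only base64-encoded, so this audits a rendered main.cf for SMTP AUTH being offered on sessions without TLS. The function names and the sample file are constructed for illustration; smtpd_tls_auth_only and smtpd_tls_security_level are standard Postfix parameters that the how-to itself does not set.

```shell
#!/bin/sh
# Added example (not from the original post). Audits a main.cf-style file
# for SASL settings that let PLAIN/LOGIN credentials travel without TLS.

# Print the last single-line "name = value" setting for $2 in file $1.
param_value() {
    sed -n "/^$2[[:space:]]*=/{s/^$2[[:space:]]*=[[:space:]]*//;s/[[:space:]]*\$//;p;}" "$1" | tail -n 1
}

# Print one finding per line; return 0 only when nothing was found.
audit_smtpd_sasl() {
    cf=$1
    findings=0
    if [ "$(param_value "$cf" smtpd_sasl_auth_enable)" != "yes" ]; then
        echo "INFO: smtpd_sasl_auth_enable is not 'yes', nothing to audit"
        return 0
    fi
    # AUTH must only be offered after STARTTLS, or TLS must be mandatory.
    if [ "$(param_value "$cf" smtpd_tls_auth_only)" != "yes" ] &&
       [ "$(param_value "$cf" smtpd_tls_security_level)" != "encrypt" ]; then
        echo "FAIL: AUTH is offered on unencrypted sessions (set smtpd_tls_auth_only = yes)"
        findings=$((findings + 1))
    fi
    # Postfix defaults this to noanonymous when the line is absent.
    opts=$(param_value "$cf" smtpd_sasl_security_options)
    case "${opts:-noanonymous}" in
        *noanonymous*) ;;
        *) echo "FAIL: smtpd_sasl_security_options lacks noanonymous"
           findings=$((findings + 1)) ;;
    esac
    [ "$findings" -eq 0 ]
}

# Constructed sample: the three SASL lines from the how-to's template.
sample=$(mktemp)
cat > "$sample" <<'EOF'
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
EOF
audit_smtpd_sasl "$sample" || echo "1 or more findings; fix the template and re-sync"
rm -f "$sample"
```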
 
Hi All,
I also have a similar set up for my F&F mail service, fully configured with PMG, so, very simple:
SMTP mail from internet > PMG > LocalMailServer for incoming
and
LocalMailServer > PMG > SMTP2GO Smarthost (for verification etc.) for outgoing

Initially, I used PMG to receive only - and that worked fine for a few months.
I finally got around to sending via PMG. (Using all of the suggestions above)
... and good guide: https://www.caretech.io/2018/10/06/how-to-use-proxmox-mail-gateway-with-an-authenticated-smarthost/
(But see below)

However, as soon as I did that, my mail server started complaining about authentication errors, and PMG started queuing the incoming mail.
---> Either I got the smarthost authenticating outgoing, and mail server rejecting incoming, or vice-versa.

Finally realised:
Some guides (I found 2) recommended the server auth file (in my case smtp_auth) should contain something like (but here using SMTP2GO):
mail.smtp2go.com:2525 SMTP2GOUsername:SMTP2GOPassword
...and this is what caused the either-or side effect. The auth file should contain
[mail.smtp2go.com]:2525 SMTP2GOUsername:SMTP2GOPassword
WITH the square brackets around the server name.

Had me pulling hair for hours. (And I can ill afford that!)

---
Note that there are 3 'levels' of the main.cf file:
/etc/postfix/main.cf - you can try out your edits to this file by performing a systemctl restart postfix.
However, this file WILL get overwritten from
/etc/pmg/templates/main.cf.in if you change any critical settings in the GUI that require a PMG restart.
So, once you have tested your postfix changes, copy them over to /etc/pmg/templates/main.cf.in and they will then be copied back to /etc/postfix/main.cf on any PMG restart.
However! if you upgrade PMG, even the template file will get 'reset' to a default state.
So keep a copy of your changes and be prepared to re-apply them to the template after an update.
There is also another 'master' copy of the template in:
/var/lib/pmg/templates. I understand this is used to create /etc/pmg/templates/main.cf.in. I have not tried editing this file, but maybe doing so could give a more update-proof configuration. YMMV.
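
A check for the key mismatch described in the post above, added here and not written by the poster: Postfix's SASL documentation requires the password-map key to use the same form as relayhost, so when relayhost is written with square brackets the key needs them too. The function names and file layout are assumptions, and it assumes the smarthost is configured through relayhost.

```shell
#!/bin/sh
# Added example (not from the original post). Checks that the SASL password
# map has a key spelled exactly like relayhost, brackets and port included.

# Print the relayhost value from main.cf-style file $1.
relayhost_of() {
    sed -n 's/^relayhost[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# Return 0 if map file $2 has a key identical to the relayhost in $1,
# 1 on a mismatch, 2 if no relayhost is set. Only keys are ever printed.
relay_key_matches() {
    hop=$(relayhost_of "$1")
    if [ -z "$hop" ]; then echo "no relayhost set"; return 2; fi
    if awk -v k="$hop" '$1 == k { f = 1 } END { exit !f }' "$2"; then
        echo "OK: map has key $hop"
        return 0
    fi
    # List keys naming the same host and port but written differently.
    awk -v k="$hop" 'function bare(s) { gsub(/\[|\]/, "", s); return s }
        bare($1) == bare(k) { print "MISMATCH: map has key " $1 }' "$2"
    echo "expected key: $hop"
    return 1
}

# Constructed sample using the placeholder values from the post.
dir=$(mktemp -d)
echo 'relayhost = [mail.smtp2go.com]:2525' > "$dir/main.cf"
echo 'mail.smtp2go.com:2525 SMTP2GOUsername:SMTP2GOPassword' > "$dir/bad"
echo '[mail.smtp2go.com]:2525 SMTP2GOUsername:SMTP2GOPassword' > "$dir/good"
relay_key_matches "$dir/main.cf" "$dir/bad" || true
relay_key_matches "$dir/main.cf" "$dir/good"
rm -rf "$dir"
```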
 
> However! if you upgrade PMG, even the template file will get 'reset' to a default state.
No - templates copied to /etc/pmg/templates will keep their changes - in case the shipped copy in /var/lib/pmg/templates has had an update you will be asked by ucf how to proceed with your changes.

> I understand this is used to create /etc/pmg/templates/main.cf.in. I have not tried editing this file, but maybe doing so could give a more update-proof configuration.
the admin of the system has to copy the file over to /etc/pmg/templates

see the documentation on the subject:
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_template_engine
 
Anyone can make saslauthd work in pmg v8? I tried many times but I can not do the authentication, always returned "0: NO "authentication failed""
 
> Anyone can make saslauthd work in pmg v8? I tried many times but I can not do the authentication, always returned "0: NO "authentication failed""
haven't tried it - but I doubt there is something fundamentally broken.
Post the logs where you run into the issue - also consider opening a new thread for this (this one started 2 years ago - probably most people here have already solved their issues and might not want to get further notifications)
 
> PMG is meant to be run between your border and your internal mail-server - this usually is deployed without SMTP-auth.

@Stoiko Ivanov, even if this may be true at many customer sites - i think you don't want to have every device in your company to be able to use your mailserver to send email without auth or without any IP ACL applied.

actually , we are in process of migrating to exchange online - and still need some local relay for our legacy clients, and we would prefer smtp auth to control who can send email.

we can apply ip acl with pmg, but it would also be nice if it would support smtp client auth out of the box and via webgui
 
> we can apply ip acl with pmg, but it would also be nice if it would support smtp client auth out of the box and via webgui
PMG currently has no concept of authentication for mail-boxes - and I really don't think adding one is a good fit ...
If you have any authentication backend that fits (e.g. LDAP) - you can add that to PMG with a postfix config modification as well.


> i think you don't want to have every device in your company to be able to use your mailserver to send email without auth or without any IP ACL applied.
If IP-based ACLs are enough - PMG offers this out of the box - if you have accounts on your downstream mail-server why not let the devices send their mails through that server
 