# sendmail/postfix with cyrus-sasl2-authd in FreeBSD8



## jims (Feb 9, 2010)

I want to have ssl/tls encryption on my sendmail connection to remote hosts, as well as authentication. For some reason, the servers are failing at the step of sending mail. I was wondering if I could get some help understanding why. My first guess is that in FreeBSD8, /etc/passwd seems like it is no longer used for storing password hashes. I'm guessing the issue is that I need to configure cyrus-sasl2-authd to look somewhere else, but I'm not sure, and can't find any sources telling me to do that. Any suggestions here on what I might be doing wrong?

More details below.

Thanks,
-Jim




I have tried both sendmail and postfix, and can get them to work with my mail clients (kmail, windows live mail [I think MS wants people to switch to thunderbird...]). However, when I set them up to use cyrus/sasl2, they no longer respond to send requests from my mail clients.


[this is for postgres]
(1) If I telnet to the postgres jail on port 25 (the clients connect on 25 and use TLS), I send "EHLO example.com", and get a list of options, including authentication types and an option to start TLS.
(2) Step 1 is noted in /etc/maillog as a started/terminated session.
(3) When the clients probe the server to see what is available, they have unencrypted and TLS, but not SSL. They have several login types, but not all. CRAM-MD5 is what I wanted to use, and is available.
(4) Step three shows up in /etc/maillog, starttls is mentioned.
(5) I try to send a mail via the mail client. The client is set to the mail servers IP, port 25, require login, TLS, CRAM-MD5 or LOGIN or PLAN (I've tried two of the three, one of the last two doesn't show up as available).
(6) In step 5, the connection attempt doesn't seem to register.

Kmail is from the host that is running the jail of the mail server, Windows Live Mail is running on another physical box on the same subnet (192.168.1.0/24).

I moved '*ntlm*' from /usr/local/lib/sasl2 to /usr/local/lib/sasl2/disabled





MYDOMAIN will replace my actual domain name
/etc/rc.conf of jail:

```
========================================
amd_enable="NO"
sshd_enable="YES"
defaultrouter="192.168.1.1"
hostname="legolas_mail.MYDOMAIN.net"
#ifconfig_nfe0="inet 192.168.1.4  netmask 255.255.255.0"
usbd_enable="NO"
rpc_bind="NO"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
saslauthd_enable="YES"
postfix_enable="YES"
dovecot_enable="YES"
========================================
```


just the changes in postfix
/usr/local/etc/postfix/main.cf

```
========================================
myhostname = legolas_mail.MYDOMAIN.net
mydestination = legolas_mail.MYDOMAIN.net, legolas_mail.MYDOMAIN.org, legolas_mail.MYDOMAIN.com, MYDOMAIN.net, MYDOMAIN.org, MYDOMAIN.com
mynetworks_style = host
mynetworks = 127.0.0.0/8

#
# SASL2 stuff
#
# for SMTPS
#
broken_sasl_auth_clients = yes
smtpd_sasl_auth_path = smtpd
smtpd_sasl_auth_enable = yes
smtpd_sasl_local-domain = 
#$myhostname

#more security / safety stuff
smtpd_sender_restrictions = permit_sasl_authenticated , permit_my_networks
smtpd_recipient_restrictions = permit_sasl_authenticated , permit_my_networks


# tls config
smtp_use_tls = yes
smtpd_use_tls = yes 
smtp_tls_note_starttls_offer = yes 
smtpd_tls_key_file = /usr/local/etc/ssl/cert/server.key
smtpd_tls_cert_file = /usr/local/etc/ssl/cert/server.crt
smtpd_tls_CAfile = /usr/local/etc/ssl/cert/server.crt
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

smtpd_recipient_restrictions = reject_unauth_destination
========================================
```


and finally:

```
$ cat lib/sasl2/smtpd.conf
pwcheck_method: saslauthd
```


----------

