I use postfix for this type of mail server. You can only authenticate if you have established a secure connection first. And here is my long-winded answer. I may not have included everything needed, but I included all I can remember right this moment. Good luck.

apt-get install postfix-tls sasl-bin

Add the following to '/etc/postfix/main.cf':

## SMTP AUTH
enable_sasl_authentication = yes
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_sender_restrictions = hash:/etc/postfix/access, permit
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_relay_domains
smtp_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_relay_domains

## TLS
#client connections
smtpd_use_tls = yes
smtpd_enforce_tls = no
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/postfix-key.pem
smtpd_tls_cert_file = /etc/postfix/postfix-crt.pem
smtpd_tls_received_header = yes
smtpd_starttls_timeout = 360s
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_wrappermode = no
tls_random_source = dev:/dev/urandom

#smtp server connections
smtp_use_tls = yes
smtp_enforce_tls = no
smtp_starttls_timeout = 300s
smtp_tls_session_cache_timeout = 3600s
smtp_tls_key_file = /etc/postfix/postfix-key.pem
smtp_tls_cert_file = /etc/postfix/postfix-crt.pem
smtp_tls_enforce_peername = yes
#smtp_tls_loglevel = 2
smtp_tls_note_starttls_offer = yes

In '/etc/postfix/master.cf', uncomment the 2 lines below (only used by postfix-tls) if they are commented:

# only used by postfix-tls
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_tls_auth_only=yes -o content_filter=
587       inet  n       -       n       -       -       smtpd
  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes -o smtpd_tls_auth_only=yes -o content_filter=

Make an '/etc/postfix/sasl/smtpd.conf':

mech_list: PLAIN LOGIN
pwcheck_method: PAM
auto_transition: false

I believe you can use the default
settings for pam smtp, but for some reason I switched to using the pwdfile module for pam, and I don't remember why.

apt-get install libpam-pwdfile

Put the following into '/etc/pam.d/smtp':

#%PAM-1.0
auth required /lib/security/pam_pwdfile.so pwdfile /etc/passwd
account required /lib/security/pam_permit.so

The following is a little hack shell script I wrote to generate the postfix ssl certificate files, since I hate trying to remember how to do it each time I set up another server or refresh an expired cert.

'/etc/postfix/makesslcerts.sh'

#!/bin/sh
# Description: a little shell script to aid in making ssl certs
# Author: Jason Jorgensen <jasonj at innominatus.com>
#
# Modify for your needs
NAME="postfix"
OPENSSL=`which openssl`
TAR=`which tar`
DATE=`which date`
CURRENTDATE=`$DATE -u +%m.%d.%Y`
COUNTRY="US"                    # Country - US, AU, UK, CA
STATE="Minnesota"               # State - MN, IA, CA, NY
LOCALITY="Twin Cities"          # City, Town, Village - Minneapolis, Mexico City, Moscow
ORGANIZATION="Organization"     # Organization, Company, Affiliate - Joe's Gas Station, The Tortilla Hut,
UNIT="System Administration"    # Organizational unit, Department - System Administration, Web Authoring, Administration
#COMMONNAME=`hostname --fqdn`   # Common Name, Host name of server - fully.qualified.domain.name of server hosting
COMMONNAME="smtp.domain.com"    # Common Name, Host name of server - fully.qualified.domain.name of server hosting
EMAIL="sysadmin at domain.com"  # Email address of authority for cert - sysadmin at bar.com, theboss at foo.org
# Answers fed to "openssl req" in prompt order; the two trailing blank lines skip the optional extra attributes
NONCA="$COUNTRY\n$STATE\n$LOCALITY\n$ORGANIZATION\n$UNIT\n$COMMONNAME\n$EMAIL\n\n\n"

# generate some random data for server
dd if=/dev/urandom of="$NAME.rand" bs=1024 count=1

# global key (2048 bits; the 1024-bit size originally used here is no longer considered adequate)
$OPENSSL genrsa -rand "$NAME.rand" -out "$NAME-key.pem" 2048
# certificate signing request; printf replaces "echo -e", which not every /bin/sh understands
printf '%b' "$NONCA" | $OPENSSL req -new -key "$NAME-key.pem" -out "$NAME-ca.pem"

# self signed global cert
$OPENSSL x509 -req -days 740 -in "$NAME-ca.pem" -signkey "$NAME-key.pem" -out "$NAME-crt.pem"

# set correct permissions
chown root:root "$NAME-key.pem" "$NAME-ca.pem" "$NAME-crt.pem" "$NAME.rand"
chmod 400 "$NAME-key.pem" "$NAME-ca.pem" "$NAME-crt.pem" "$NAME.rand"

# Make a backup
if [ -e "$NAME-key.pem" ] && [ -e "$NAME-ca.pem" ] && [ -e "$NAME-crt.pem" ] && [ -e "$NAME.rand" ]
then
    echo "*** Creation successful! ***"
    $TAR zcvf "$NAME-$CURRENTDATE.tar.gz" "$NAME-key.pem" "$NAME-ca.pem" "$NAME-crt.pem" "$NAME.rand" >/dev/null
else
    echo "*** Creation FAILED, you will have to troubleshoot ***"
fi
exit

Jon Schewe wrote:

>I'm running debian woody on a server and I'm getting tired of keeping
>the host_accept_relay variable in exim up to date. So I'd like to do
>smtp auth on that server. I also want the traffic to be encrypted, so
>passwords aren't sniffed and I want it to use the unix passwords for
>authentication, shadow passwords. I'm currently using exim, since that
>was the default install, but I'm willing to switch MTAs if required, as
>long as it works. I'd also like to stick with standard debian packages
>because otherwise things can get hard to maintain.
>
>I've tried setting up the plain and login settings using the following
>server_conditions:
> #server_condition = "${if crypteq{$2}{${extract{1}{:}{${lookup{$1}lsearch{/etc/shadow}{$value}{*:*}}}}}{1}{0}}"
> server_condition = "${if pam {$1:$2}{yes}{no}}"
>
>This is with mail in the shadow group so that it should be able to read
>/etc/shadow, but that doesn't appear to be working. I'd think the pam
>solution would work, but it doesn't seem to be able to authenticate me.
>
>Thanks for any help you can provide.
>
>------------------------------------------------------------------------
>
>_______________________________________________
>TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
>http://www.mn-linux.org tclug-list at mn-linux.org
>https://mailman.real-time.com/mailman/listinfo/tclug-list
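The configuration above is meant to produce one observable behaviour on port 587: the server advertises STARTTLS but no AUTH on the clear-text EHLO, and only offers AUTH (without ANONYMOUS) once the TLS handshake is done. The following Python audit checks exactly that; it is an added example, not part of the original post, and `mail.example.test` and the EHLO responses are constructed samples.

```python
"""Audit an SMTP submission endpoint for the policy described in the thread:
STARTTLS offered, no AUTH on the clear-text EHLO, AUTH only after the TLS
handshake, and no ANONYMOUS mechanism.  Added example, not the post's own code."""
import smtplib
import ssl

# Constructed sample EHLO bodies (the form smtplib stores in SMTP.ehlo_resp).
GOOD_PRE = b"mail.example.test\nPIPELINING\nSIZE 10240000\nSTARTTLS\n8BITMIME"
GOOD_POST = b"mail.example.test\nPIPELINING\nSIZE 10240000\nAUTH PLAIN LOGIN\n8BITMIME"
BAD_PRE = b"250-mail.example.test\n250-AUTH PLAIN LOGIN\n250 STARTTLS"  # AUTH in the clear


def parse_ehlo(ehlo_body: bytes) -> dict:
    """Map each EHLO keyword to its parameters, e.g. {"AUTH": ["PLAIN", "LOGIN"]}."""
    caps = {}
    for line in ehlo_body.decode("ascii", "replace").splitlines():
        line = line.strip()
        if line[:3].isdigit():            # raw wire form "250-KEYWORD ..." / "250 KEYWORD"
            line = line[4:]
        parts = line.split()
        if parts:
            caps[parts[0].upper()] = [p.upper() for p in parts[1:]]
    return caps


def audit_capabilities(before_tls: bytes, after_tls: bytes) -> list:
    """Return findings for the two EHLO responses; an empty list means the policy holds."""
    pre, post = parse_ehlo(before_tls), parse_ehlo(after_tls)
    findings = []
    if "STARTTLS" not in pre:
        findings.append("STARTTLS not offered: clients cannot protect credentials")
    if "AUTH" in pre:
        findings.append("AUTH offered before STARTTLS (%s): set smtpd_tls_auth_only = yes"
                        % " ".join(pre["AUTH"]))
    if "AUTH" not in post:
        findings.append("AUTH not offered after STARTTLS: authenticated submission will fail")
    elif "ANONYMOUS" in post["AUTH"]:
        findings.append("ANONYMOUS offered: smtpd_sasl_security_options needs noanonymous")
    return findings


def audit_live(host: str, port: int = 587, cafile: str = None) -> list:
    """Run the audit against a real server (hypothetical host; not executed here).  For a
    self-signed cert like the one makesslcerts.sh makes, pass that cert file as cafile."""
    ctx = ssl.create_default_context(cafile=cafile)
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo()
        before = s.ehlo_resp            # capabilities advertised in the clear
        s.starttls(context=ctx)
        s.ehlo()                        # capabilities must be re-read after the handshake
        return audit_capabilities(before, s.ehlo_resp)
```

Any non-empty result from `audit_live("smtp.domain.com", 587, cafile="/etc/postfix/postfix-crt.pem")` points at the main.cf or master.cf option that needs attention.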