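I have postfix installed on a Debian server and, to keep spam out, installed SASL for SMTP authentication. It originally seems to have used authdaemon for authentication; after upgrading to Debian testing, a problem appeared.
POP3 works and IMAP works, but SMTP does not: it reports that authentication failed.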
Dec 26 20:08:16 debian postfix/smtpd[2696]: warning: unknown[210.77.68.211]: SASL LOGIN authentication failed: authentication failure
Dec 26 20:08:21 debian postfix/smtpd[2696]: warning: unknown[210.77.68.211]: SASL LOGIN authentication failed: authentication failure
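To solve this, I went through every postfix configuration parameter again and googled countless sites, and finally found the solution on this site.
My original installation probably followed this site's method, but I have since changed quite a few things.
Here is a record of the changes I made this time:
1. Edit /etc/postfix/sasl/smtpd.conf so that it contains: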
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
log_level: 5
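log_level can be adjusted as you like; if problems occur, raise it (the maximum is 7), then look for related messages in /var/log/mail.warn, /var/log/syslog, /var/log/auth.log and similar files.
2. Edit /etc/init.d/saslauthd and add one parameter:
DAEMON_ARGS="-r"
This parameter's value was originally empty; this is exactly where I was stuck for two days.
3. Adjust the saslauthd run directory so that it works in a chroot environment, because on Debian postfix runs in a chroot.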
Move saslauthd’s socket dir inside Postfix’s chroot and create a link to keep everybody happy:
# mv /var/run/saslauthd /var/spool/postfix/var/run/saslauthd
# ln -s /var/spool/postfix/var/run/saslauthd /var/run/saslauthd
Add the postfix user to the sasl group:
# adduser postfix sasl
4. Edit /etc/init.d/postfix, mainly the definition of the FILES variable:
FILES="etc/localtime etc/services etc/resolv.conf etc/hosts \
etc/nsswitch.conf etc/nss_mdns.config etc/postfix/sasl/smtpd.conf etc/sasldb2"
Then restart the services:
# /etc/init.d/postfix restart
# /etc/init.d/saslauthd start
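The four steps above can be checked in one pass. The following is an added example, not part of the original post or of the site it credits: the function name check_sasl_chroot and its root-prefix argument are hypothetical, and the world-writable test on the socket directory is an extra check beyond the steps listed.

```shell
#!/bin/sh
# Added example (not from the original post): verify steps 1-4 under a root
# prefix. "/" checks the live host; a scratch copy can be checked offline.
check_sasl_chroot() {
    root=${1%/}
    sock="$root/var/spool/postfix/var/run/saslauthd"
    rc=0
    fail() { echo "FAIL: $*"; rc=1; }

    # Step 1: Cyrus SASL hands password checks to saslauthd.
    grep -Eq '^pwcheck_method:[[:space:]]*saslauthd[[:space:]]*$' \
        "$root/etc/postfix/sasl/smtpd.conf" 2>/dev/null \
        || fail "smtpd.conf: pwcheck_method is not saslauthd"

    # Step 2: saslauthd runs with -r so logins are passed as user@domain.
    grep -Eq '^DAEMON_ARGS=.*-r' "$root/etc/init.d/saslauthd" 2>/dev/null \
        || fail "init.d/saslauthd: DAEMON_ARGS lacks -r"

    # Step 3: real socket dir inside the chroot, symlink at the old path.
    { [ -d "$sock" ] && [ ! -L "$sock" ]; } \
        || fail "no socket directory inside the Postfix chroot"
    [ "$(readlink "$root/var/run/saslauthd" 2>/dev/null)" = \
        "/var/spool/postfix/var/run/saslauthd" ] \
        || fail "/var/run/saslauthd is not a symlink into the chroot"
    # The socket answers password checks; keep the directory closed to others.
    [ -z "$(find "$sock" -prune -perm -0002 2>/dev/null)" ] \
        || fail "socket directory is world-writable"
    grep -Eq '^sasl:[^:]*:[^:]*:(.*,)?postfix(,.*)?$' "$root/etc/group" \
        2>/dev/null || fail "postfix is not a member of group sasl"

    # Step 4: the init script copies smtpd.conf into the chroot on restart.
    grep -q 'etc/postfix/sasl/smtpd\.conf' "$root/etc/init.d/postfix" \
        2>/dev/null || fail "init.d/postfix: FILES lacks smtpd.conf"

    return "$rc"
}
# Live host: check_sasl_chroot /
```

Each failed check prints one FAIL line, and the function returns non-zero if any check failed.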
From the FAQ on that site:
Q.: Can Postfix query the MySQL db directly?
A.: No.
Q.: Why do you use libpam-mysql? saslauthd natively supports SQL.
A.: Because saslauthd only supports unencrypted password if you use a sql db as an authentication backend. That’s the reason for interfacing saslauthd with PAM. PAM, in turn, can use just anything.
Q.: My friend told me that /etc/postfix/sasl/smtpd.conf should contain “pwcheck_method: pam”
A.: That was true for SASL < 2.x. Now you have to use saslauthd.
Q.: Why do you run saslauthd with the -r flag?
A.: Because my users authenticate as “user@domain”, not “user”. If you are in trouble check /var/log/auth.log .
Q.: Why did you move saslauthd’s socket to /var/spool/postfix/var/run/saslauthd ?
A.: Because the smtp service runs chroot’ed.
Q.: Why did you add etc/postfix/sasl/smtpd.conf to the FILES variable?
A.: Because Postfix needs to access that file from inside the chroot. The init.d script copies the latest copy of that file inside the chroot at every restart.
Q.: How does the authentication chain work?
A.: Postfix connects to saslauthd via socket, which in turn asks PAM to authenticate the user which in turn queries the relevant MySQL table.
Q.: Are there any alternatives to libpam-mysql?
A.: Perhaps it’s possible to use authdaemon from the Courier package.
Q.: Why do you use 127.0.0.1 instead of localhost?
A.: In order to use a TCP socket instead of a unix socket. This way we don’t have to put MySQL’s unix socket inside Postfix’s chroot.
Thanks to:
1. Luca Gibelli, http://www.nervous.it/txt/Postfix-SMTP-AUTH-4-DUMMIES.html
2. http://postfix.wiki.xs4all.nl/index.php