This is a re-post of an old tutorial I wrote with some minor updates for more recent versions of OpenBSD.

One of the greatest challenges in migrating my server from a managed FreeBSD server to the new OpenBSD server was learning how to implement support for SASL on SMTP connections. This seems like something so elementary in a mail server that it should be really simple. Unfortunately, simply installing the cyrus-sasl package doesn’t handle the integration with sendmail for you nor is there any really good documentation online. I was particularly disappointed that OpenBSD’s documentation was completely silent on how to do it.

After searching online nearly all searches for SASL on OpenBSD were for Postfix. Fortunately I did come across an article on how to do it. While it was written for OpenBSD 3.3 nearly all of the steps also apply to 4.7 and later. You can find the original article here.

First we’re going to need to install the cyrus-sasl package. We’re going to be using the plain vanilla version which allows us to use OpenBSD’s Unix style authentication from /etc/master.passwd. There are other flavors for LDAP, MySQL, and db4.

# pkg_add -i cyrus-sasl
Ambiguous: choose package for cyrus-sasl
 a       0: <None>
         1: cyrus-sasl-2.1.25p2
         2: cyrus-sasl-2.1.25p2-db4
         3: cyrus-sasl-2.1.25p2-ldap
         4: cyrus-sasl-2.1.25p2-mysql
         5: cyrus-sasl-2.1.25p2-pgsql
         6: cyrus-sasl-2.1.25p2-sqlite3

Here we’ll choose option 1.

Next we want to let saslauthd (the Cyus SASL 2 daemon) know that it’s going to be working with sendmail and what types of authentication we want to support. This is done by creating a file called Sendmail.conf in /usr/local/lib/sasl2 like this. The cat command listed first allows you to enter the contents into the file without opening an editor such as vi.

# cat > /usr/local/lib/sasl2/Sendmail.conf

pwcheck_method: saslauthd

mech_list: LOGIN PLAIN

(hit ctrl-d to save)

There are other authentication methods than just LOGIN and PLAIN that you can use such as DIGEST-MD5 and CRAM-MD5 that you can also add on the second line of the file if you plan on using them. Since we’re using OpenBSD’s own authentication mechanism we’ll omit them from the line.

Before we forget, let’s add our startup script to /etc/rc.local to ensure that saslauthd is started with the server:

if [ -x /usr/local/sbin/saslauthd ]; then

echo -n ‘ saslauthd’; /usr/local/sbin/saslauthd -a getpwent

fi

On OpenBSD 5.0 and later*, saslauthd will be started using the rc.d(8) mechanism. You will need to add the following line to /etc/rc.conf.local:

pkg_scripts=”saslauthd”

saslauthd_flags=”-a getpwent”

* Substitute “pkg_scripts” for “rc_scripts” if you’re using 4.9.

Worth noting here is that we are using getpwent(3) as our authentication method. This is basically just saying that we’re authenticating against /etc/master.passwd. Since saslauthd defaults to starting up 5 threads or processes each time it runs, we can limit this by adjusting the startup command with a -n option followed by the desired number of threads we want to limit to. This may be desirable on an older machine with fewer resources.

(more…)