SMTP Authentication Using RADIUS
Most ISPs provide a certain range of services to local users including
Web, incoming mail and DNS for hosting customers, and Internet access
and outgoing mail for connectivity customers. While working at a
mid-sized ISP, I ran across a problem where a set of users required
mail relaying but there was no apparent solution. We began using
an outsourced service that allowed users to dial up to servers anywhere
in the world for Internet connectivity and authenticate to a set
of RADIUS servers at our data center, thus giving us control of
user names and passwords. The problem was that these users required
both incoming and outgoing mail services.
Incoming (POP3) mail was no problem because authentication is
standard, but our method of providing SMTP was based on the client
IP address. The clients accessing our systems through the outsourced
dial-up service used a variety of IP address ranges owned by the
outsourcing company. If we included these addresses, anyone with
access to the dial-up service would have access to our SMTP servers,
regardless of whether they were actually customers of our ISP. If
we excluded the dial-up service IP addresses, our own customers
could not access the SMTP servers through dial-up. We needed a way
to directly authenticate access to SMTP.
A solution was found by patching qmail (our standard SMTP server)
with a special version of qmail-smtpd.c, which was meant to use
the qmail checkpassword program to verify user identities. A special
patch to checkpassword, called radcheckpassword, was used to provide
RADIUS authentication to the SMTP daemon. You must have a working
RADIUS server to use these patches, and not all mail clients support
outgoing mail authentication. qmail SMTP relaying works by requiring
one of two things. Either the recipient mail domain must be in the
rcpthosts file, meaning the domain is hosted on the local server,
or the RELAYCLIENT environment variable must be set. Typically this
is done based on the client IP address. With the changes made in
this article, the qmail SMTP daemon uses an external program to
allow or disallow relaying, in this case radcheckpassword.
To set up a qmail SMTP server to use RADIUS authentication, you
must have the following (and you may need other packages for your
- qmail 1.03 source code: ftp://anonymous:@cr.yp.to/software/qmail-1.03.tar.gz
- checkpassword-0.81 source code: ftp://anonymous:@cr.yp.to/software/checkpassword-0.81.tar.gz
- Modified qmail-smtpd patch file: http://members.elysium.pl/brush/qmail-smtpd-auth/
- Radcheckpassword 0.1 patch: http://www.tic.ch/e-image/andrew/software/radcheckpassword/
To begin, download qmail 1.03 and checkpassword and unpack
them into a directory. (More information on qmail and checkpassword
can be found at http://www.qmail.org). Download the AUTH
patch (modified qmail-smtpd patch) file, and the radcheckpassword
patch and unpack them as well. It is useful to unpack all of
these files in the same directory (such as /usr/src).
The first step is to compile the radcheckpassword program.
Note that the current version of checkpassword is 0.90, but
you need chkpassword-0.81 for the radchkpassword-0.1 patch.
Change to the radcheckpassword-0.1 directory and be sure to
read the README file in this directory. It contains some platform-specific
changes that must be made if you are not running a Linux system.
You also need to edit the Makefile in the radcheckpassword-0.1
directory to reflect the location of the checkpassword source
code (it assumes the directory /usr/local/src/checkpassword-0.81).
When you are ready to compile, change to the radcheckpassword-0.1
directory and type make radcheckpassword. Be sure you
have root privileges and type make install to install
the application. The default installation directory is /usr/local/bin.
Note that if you intend to use a service type in your RADIUS
database other than Login-User, you must modify the radcheckpassword.c
file, as shown in Listing 1.
Install and Configure qmail
qmail has a number of requirements to meet before you can
begin to build the software from source. Switch to the directory
that contains the qmail software. Read the INSTALL file and
follow the procedures. The first step is to create a directory
for qmail, typically /var/qmail. Second, you must read the INSTALL.ids
file. This file guides you through creating the necessary user
groups and accounts for the operation of qmail. This process
varies depending on your operating system.
You are now ready to start building the software. Be sure
you are in the directory that contains the AUTH patch. Patch
the qmail-smtpd.c file using the following commands:
cp README.auth base64.c base64.h ../qmail-1.03
patch -d ../qmail-1.03 < auth.patch
Compile qmail by changing to the qmail-1.03 source directory and
typing make setup check. You should now read the INSTALL.ctl
and FAQ files to learn how to configure qmail.
The simplest way to configure is to run the ./config script.
This script will attempt to determine the fully qualified hostname
of your system and configure the files. If it cannot find the
systems hostname, you must manually configure the <qmail>/control/me
file. This file must contain only the fully qualified hostname
of the system.
You must also have a file in /var/qmail/control called rcpthosts.
This file lists all the domains for which your mail server will
receive mail. If this is an SMTP-only server, this file will
be empty but it must exist. If this file is missing, then your
server will be an open SMTP relay.
Follow the instructions in the INSTALL file until you reach
the step where you add qmail-smtpd to the inetd.conf file. This
step will differ from the default configuration. Add this line
to your inetd.conf instead:
smtp stream tcp nowait qmaild /var/qmail/bin/qmail-smtpd \
your.mail.domain /usr/local/bin/radcheckpassword /bin/true
Once you have completed the steps in the INSTALL file, you
can configure the /etc/radius.conf file. The configuration of
the radius.conf file may be different on different operating
system but is usually configured as follows:
Server Shared Secret Timeout Retries
#example radius.conf file
Be sure that your RADIUS server is now configured. You must add
each user to the RADIUS database and configure their service types
as configured in the radcheckpassword.c file (shown in Listing
1). If you are using an existing RADIUS user database where the
service type is something other than the default of Login-User,
you can modify the radcheckpassword.c file with the new value
and recompile radcheckpassword.
Configure the Client
Restart the system or run the qmail start script and kill
-HUP the inetd service (first ensure that no other MTAs
are running). qmail should now be running.
The next step is to configure the client. All clients are
different, but typically you will specify the qmail server as
the SMTP or outgoing mail server and enable outgoing authentication
in the client. It is important to note again that not all clients
support outgoing mail authentication. In Microsoft Outlook 2000,
for example, you would select Accounts from the Tools menu,
select the default account and click the Properties button.
Click the Servers tab, ensure the modified qmail server is specified
as the outgoing mail server, and select the My server
requires authentication box (as shown in Figure 1). Click
the Settings button next to My server requires authentication
to open the Outgoing Mail Server dialog (as shown in Figure
2). Unless you are also using the same RADIUS server for incoming
mail authentication, select Log on using and enter
your user name and password.
Testing and Troubleshooting
Test your qmail smtp server by sending an email with the client
configured to use outgoing authentication, and an email configured
not to use authentication. The server should accept a message
with authentication enabled and not accept a message when authentication
is disabled. If the message does not go through with authentication
enabled, check the following:
- The user exists in the RADIUS database.
- The password is correct.
- The service type is correct according to the value in radcheckpassword.c
(Login-User by default).
- The RADIUS server is configured to allow the qmail server
as a RADIUS client.
- The RADIUS configuration is correct on the qmail server,
including the server name or address and shared secret.
- The inetd.conf entry is correct.
If the server is allowing all messages, check the following:
- The /var/qmail/control/rcpthosts file exists and contains
only the domains for which the mail server will receive messages
(it will be empty in the case of a pure SMTP relay).
- qmail is listening on port 25 and no other MTAs are running
on the system.
By following the steps in this article, you can configure
a qmail server to use RADIUS to authenticate SMTP mail relaying.
Rather than anything new and groundbreaking, this is an example
of using existing tools together in a way that they were never
meant to be used to produce a required result. It is also possible
to leave out the radcheckpassword patch and use the standard
checkpassword utility to authenticate from a password file.
Documentation on this can be found with the qmail AUTH patch.
Qmail Resource Sites
Blair Rampling is the UNIX administrator in a mid-sized resource
company. He has extensive Solaris experience as well as experience
in Linux, Microsoft Windows, and even VMS.