Simple Authentication and Security Layer (SASL) with Postfix SMTP

SASL authentication in the Postfix SMTP server

Implementation using Cyrus SASL

Using saslauthd with PAM

Set up Postfix with SMTP-AUTH over SASL2, authenticating against PAM in a chroot() environment.


  1. Install libsasl2-modules, postfix, sasl2-bin

  2. Create a file /etc/postfix/sasl/smtpd.conf:

    pwcheck_method: saslauthd
    # saslauthd can only verify plaintext passwords, so offer only PLAIN and LOGIN
    mech_list: PLAIN LOGIN
  3. Set up a separate saslauthd process to be used from Postfix:
    • Create a copy of saslauthd's config file

      ~# cp /etc/default/saslauthd /etc/default/saslauthd-postfix

      and edit it

      START=yes
      DESC="SASL Auth. Daemon for Postfix"
      NAME="saslauthd-postf"      # max. 15 char.
      # Option -m sets working dir for saslauthd (contains socket)
      OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"        # postfix/smtp in chroot()

      (See /usr/share/doc/sasl2-bin/README.Debian.gz)

      Alternatively you can replace the directory /run/saslauthd with a symlink to /var/spool/postfix/var/run/saslauthd

      ~# rm -rf /run/saslauthd
      ~# ln -s /var/spool/postfix/var/run/saslauthd   /run/saslauthd
      This is a quick-and-dirty hack, useful only for testing purposes. After the next reboot the contents of /run will be reset.
  4. Create the required subdirectories in the Postfix chroot directory:

    dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd
  5. Add the user "postfix" to the group "sasl":

    adduser postfix sasl
  6. Restart saslauthd:

    ~# service saslauthd  restart
    [ ok ] Stopping SASL Auth. Daemon: saslauthd.
    [ ok ] Stopping SASL Auth. Daemon for Postfix: saslauthd-postf.
    [ ok ] Starting SASL Auth. Daemon: saslauthd.
    [ ok ] Starting SASL Auth. Daemon for Postfix: saslauthd-postf.
  7. Edit Postfix configuration:

    ~# postconf -e 'cyrus_sasl_config_path = /etc/postfix/sasl'
    ~# postconf -e 'smtpd_sasl_local_domain = $myhostname'
    ~# postconf -e 'smtpd_sasl_auth_enable = yes'
    ~# postconf -e 'broken_sasl_auth_clients = yes'
    ~# postconf -e 'smtpd_sasl_security_options = noanonymous'
    ~# postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination'
  8. (Optionally) Create a new PAM fragment and adjust it to your needs:

    ~# cd /etc/pam.d
    ~# cp other smtp
    ~# editor /etc/pam.d/smtp
  9. Restart (reloading is not enough) postfix:

    ~# service postfix restart

That's it, you're done, everything should work fine now.

Using auxprop with sasldb

Set up Postfix with SMTP-AUTH over SASL2, authenticating against sasldb in a chroot() environment.


  1. Install libsasl2-modules, sasl2-bin

  2. Create a file /etc/postfix/sasl/smtpd.conf:

    pwcheck_method: auxprop
    auxprop_plugin: sasldb
    mech_list: CRAM-MD5 DIGEST-MD5 LOGIN PLAIN
  3. Add a user to sasldb2:

     ~# saslpasswd2 -c -u domain user
     ~# sasldblistusers2
  4. Postfix needs /etc/sasldb2 in its chroot environment. One solution is to change the init script to copy sasldb2 at startup.

    In /usr/lib/postfix/configure-instance.sh, add etc/sasldb2 to the FILES variable:

            FILES="etc/localtime etc/services etc/resolv.conf etc/hosts \
                etc/host.conf etc/nsswitch.conf etc/nss_mdns.config etc/sasldb2"
  5. Edit Postfix configuration:

    ~# postconf -e 'cyrus_sasl_config_path = /etc/postfix/sasl'
    ~# postconf -e 'smtpd_sasl_local_domain = $myhostname'
    ~# postconf -e 'smtpd_sasl_auth_enable = yes'
    ~# postconf -e 'smtpd_sasl_security_options = noanonymous'
  6. Restart (reloading is not enough) postfix:

    ~# service postfix restart
    ~# systemctl daemon-reload

That's it, you're done, everything should work fine now.

Troubleshooting tip

  1. Check your configuration with saslfinger:

    ~# saslfinger -s
  2. If something goes wrong (cannot connect to the server, authentication fails), try to see what is happening behind the scenes. Try to connect to your mail server via

    ~# telnet server 25

Can you connect to smtpd? If yes, enter the command "ehlo dummy". What does smtpd respond?
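
To make the EHLO check above concrete, the following added example (not part of the original wiki page) extracts the AUTH mechanisms from a saved EHLO reply and lists every mech_list entry in smtpd.conf that smtpd does not advertise. The function names, hostname and EHLO reply are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original page. Function names are illustrative.

# AUTH mechanisms in an EHLO reply read from stdin, one per line, sorted.
# Accepts "250-AUTH A B" and the "250-AUTH=A B" form that
# broken_sasl_auth_clients = yes adds.
ehlo_auth_mechs() {
    tr -d '\r' | sed -n 's/^250[- ]AUTH[ =]//p' |
        tr ' ' '\n' | sed '/^$/d' | sort -u
}

# mech_list from a Cyrus SASL config file ($1), one per line, sorted.
conf_mechs() {
    sed -n 's/^mech_list:[[:space:]]*//p' "$1" |
        tr ' ' '\n' | sed '/^$/d' | sort -u
}

# Print every mechanism in smtpd.conf ($2) that the EHLO reply ($1) lacks.
# Status: 0 = all advertised, 1 = some missing, 2 = no AUTH line at all.
missing_mechs() {
    adv=$(ehlo_auth_mechs < "$1")
    [ -n "$adv" ] || { echo "no AUTH line in EHLO reply"; return 2; }
    rc=0
    for m in $(conf_mechs "$2"); do
        printf '%s\n' "$adv" | grep -qxF -- "$m" || { echo "$m"; rc=1; }
    done
    return "$rc"
}

# Constructed sample data: the sasldb smtpd.conf from this page and a
# made-up EHLO reply in which only two mechanisms are offered.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' 'pwcheck_method: auxprop' 'auxprop_plugin: sasldb' \
    'mech_list: CRAM-MD5 DIGEST-MD5 LOGIN PLAIN' > "$demo_dir/smtpd.conf"
printf '%s\r\n' '250-mail.example.org' '250-PIPELINING' \
    '250-AUTH LOGIN PLAIN' '250-AUTH=LOGIN PLAIN' \
    '250 8BITMIME' > "$demo_dir/ehlo.txt"

echo "Configured in smtpd.conf but not advertised by smtpd:"
missing_mechs "$demo_dir/ehlo.txt" "$demo_dir/smtpd.conf" || :
```

A mechanism that is configured but not advertised usually means its libsasl2 plugin is not installed or that smtpd_sasl_security_options excluded it; no AUTH line at all means smtpd is not offering SASL.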


Implementation using Dovecot SASL

See also: http://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL

SASL authentication in the Postfix SMTP client

Postfix and sbcglobal/yahoo/att

apt-get install libsasl2-modules

postconf -e "relayhost = [smtp.sbcglobal.yahoo.com]:587"
postconf -e "smtp_sasl_auth_enable = yes"
postconf -e "smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd"
postconf -e "smtp_sasl_security_options = noanonymous"

Add the relay credentials to /etc/postfix/sasl_passwd (the file named in smtp_sasl_password_maps):

[smtp.sbcglobal.yahoo.com]:587 username@sbcglobal.net:mypassword

chmod 600 /etc/postfix/sasl_passwd

postmap /etc/postfix/sasl_passwd

postfix reload

