Differences between revisions 41 and 42
Revision 41 as of 2019-08-15 21:01:25
Size: 7530
Editor: nodiscc
Comment: add CategoryMail CategorySoftware
Revision 42 as of 2021-09-03 13:46:05
Size: 7528
Editor: ThiagoPezzo
Comment: fix pt_BR label in header
Line 3: Line 3:
~-[[DebianWiki/EditorGuide#translation|Translation(s)]]: English - [[pt_BR/PostfixAndSASL|Português Brasileiro]] -~ ~-[[DebianWiki/EditorGuide#translation|Translation(s)]]: English - [[pt_BR/PostfixAndSASL|Português (Brasil)]] -~


Simple Authentication and Security Layer (SASL) with Postfix SMTP

SASL authentication in the Postfix SMTP server

Implementation using Cyrus SASL

Using saslauthd with PAM

Set up Postfix with SMTP-AUTH over SASL2, authenticating against PAM in a chroot() environment.

  • Note: The following steps have been carried out and verified on a Debian 7.1 system (Jan. 2015).
  • Note: SASL2 (saslauthd) creates a socket in its working directory. Postfix (smtpd) needs access to this socket. If smtpd is running chroot()ed (which is standard on Debian), saslauthd must also place its socket within this chroot() environment (though saslauthd itself is not chrooted). While this is fine for smtpd, other services (Cyrus imapd, for example) expect saslauthd's socket at its "regular" location (/var/run/saslauthd).

  • The recommended way to solve this is to run separate saslauthd processes for Postfix and for others. Debian is prepared for this. Alternatively a symlink-trick can be used. See below. Or you can disable chroot()ing by editing the chroot columns in /etc/postfix/master.cf.


  1. Install libsasl2-modules, postfix, sasl2-bin

  2. Create a file /etc/postfix/sasl/smtpd.conf:

    pwcheck_method: saslauthd
    mech_list: PLAIN LOGIN
  3. Set up a separate saslauthd process to be used by Postfix:
    • Create a copy of saslauthd's config file

      ~# cp /etc/default/saslauthd /etc/default/saslauthd-postfix

      and edit it

      START=yes
      DESC="SASL Auth. Daemon for Postfix"
      NAME="saslauthd-postf"      # max. 15 char.
      # Option -m sets working dir for saslauthd (contains socket)
      OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"        # postfix/smtp in chroot()

      (See /usr/share/doc/sasl2-bin/README.Debian.gz)

      Alternatively you can replace the directory /run/saslauthd with a symlink to /var/spool/postfix/var/run/saslauthd

      ~# rm -rf /run/saslauthd
      ~# ln -s /var/spool/postfix/var/run/saslauthd   /run/saslauthd
      This is a quick-and-dirty hack, useful only for testing purposes. After the next reboot the contents of /run will be reset.
  4. Create required subdirectories in postfix chroot directory:

    dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd
  5. Add the user "postfix" to the group "sasl":

    adduser postfix sasl
  6. Restart saslauthd:

    ~# service saslauthd  restart
    [ ok ] Stopping SASL Auth. Daemon: saslauthd.
    [ ok ] Stopping SASL Auth. Daemon for Postfix: saslauthd-postf.
    [ ok ] Starting SASL Auth. Daemon: saslauthd.
    [ ok ] Starting SASL Auth. Daemon for Postfix: saslauthd-postf.
  7. Edit Postfix configuration:

    ~# postconf -e 'smtpd_sasl_local_domain = $myhostname'
    ~# postconf -e 'smtpd_sasl_auth_enable = yes'
    ~# postconf -e 'broken_sasl_auth_clients = yes'
    ~# postconf -e 'smtpd_sasl_security_options = noanonymous'
    ~# postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination'
  8. (Optionally) Create a new PAM fragment and adjust it to your needs:

    ~# cd /etc/pam.d
    ~# cp other smtp
    ~# editor /etc/pam.d/smtp
  9. Restart (reloading is not enough) postfix:

    ~# service postfix restart

That's it, you're done, everything should work fine now.

Using auxprop with sasldb

Set up Postfix with SMTP-AUTH over SASL2, authenticating against sasldb in a chroot() environment.

  • Note: The following steps have been carried out and verified on a Debian 8.3 system (Feb. 2016).


  1. Install libsasl2-modules, sasl2-bin

  2. Create a file /etc/postfix/sasl/smtpd.conf:

    pwcheck_method: auxprop
    auxprop_plugin: sasldb
    mech_list: plain login
  3. Add a user to sasldb2:

     ~# saslpasswd2 -c -u domain user
     ~# sasldblistusers2
  4. Postfix needs /etc/sasldb2 in its chroot environment. One solution is to change the init script so that it copies sasldb2 at startup.

    In /usr/lib/postfix/configure-instance.sh, add etc/sasldb2 to the FILES variable:

            FILES="etc/localtime etc/services etc/resolv.conf etc/hosts \
                etc/host.conf etc/nsswitch.conf etc/nss_mdns.config etc/sasldb2"
  5. Edit Postfix configuration:

    ~# postconf -e 'smtpd_sasl_local_domain = $myhostname'
    ~# postconf -e 'smtpd_sasl_auth_enable = yes'
    ~# postconf -e 'smtpd_sasl_security_options = noanonymous'
  6. Restart (reloading is not enough) postfix:

    ~# service postfix restart
    ~# systemctl daemon-reload

That's it, you're done, everything should work fine now.

Troubleshooting tip

  1. Check your configuration with saslfinger :

    ~# saslfinger -s
  2. If something goes wrong (cannot connect to the server, authentication fails), try to see what is happening behind the scenes. Connect to your mail server via

    ~# telnet server 25

Can you connect to smtpd? If yes, enter the command "ehlo dummy". What does smtpd respond? For more information, see Check for SMTP AUTH support.
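The following added example (not part of the original wiki page) reads the reply to "ehlo dummy" and reports whether AUTH is advertised, which mechanisms are listed, and whether the legacy "AUTH=" line from broken_sasl_auth_clients is present. The function names, the sample reply and the host name mail.example.org are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the wiki page): summarise what an EHLO reply says about AUTH.
# Reads the reply on stdin and prints one line such as
#   auth=yes mechs=PLAIN,LOGIN legacy=yes plaintext=yes starttls=no

ehlo_auth_report() {
    tr -d '\r' | awk '
        BEGIN { auth = "no"; mechs = ""; legacy = "no"; plain = "no"; tls = "no" }
        # EHLO keywords arrive on "250-KEYWORD ..." lines, the last one as "250 KEYWORD".
        /^250[- ]/ {
            kw = toupper(substr($0, 5))
            if (kw == "STARTTLS") tls = "yes"
            # "AUTH=..." is the non-standard spelling added by broken_sasl_auth_clients = yes.
            if (kw ~ /^AUTH=/) { legacy = "yes"; next }
            if (kw ~ /^AUTH /) {
                auth = "yes"
                n = split(substr(kw, 6), m, " ")
                for (i = 1; i <= n; i++) {
                    mechs = (mechs == "" ? m[i] : mechs "," m[i])
                    # PLAIN and LOGIN carry the password base64-encoded, not encrypted.
                    if (m[i] == "PLAIN" || m[i] == "LOGIN") plain = "yes"
                }
            }
        }
        END {
            printf "auth=%s mechs=%s legacy=%s plaintext=%s starttls=%s\n",
                auth, (mechs == "" ? "-" : mechs), legacy, plain, tls
        }'
}

# Constructed sample: the kind of reply to expect with the smtpd.conf and
# main.cf settings above (mail.example.org is a placeholder host name).
sample_ehlo_reply() {
    cat <<'EOF'
220 mail.example.org ESMTP Postfix
250-mail.example.org
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
EOF
}
```

Save the reply from the telnet session to a file and run `ehlo_auth_report < file`. When the reply was captured over plain telnet, plaintext=yes means the server is offering password mechanisms on an unencrypted connection.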


Implementation using Dovecot SASL

See also: http://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL

SASL authentication in the Postfix SMTP client

Postfix and sbcglobal/yahoo/att

apt-get install libsasl2-modules
  • Add the following to main.cf using postconf (smtp.att.yahoo.com requires port 587; otherwise you don't need it):

postconf -e "relayhost = [smtp.sbcglobal.yahoo.com]:587"
postconf -e "smtp_sasl_auth_enable = yes"
postconf -e "smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd"
postconf -e "smtp_sasl_security_options = noanonymous"
  • Create the file /etc/postfix/sasl_passwd. Inside, type in

[smtp.sbcglobal.yahoo.com]:587 username@sbcglobal.net:mypassword
  • Now change permissions so others can't read it:

chmod 600 /etc/postfix/sasl_passwd
  • Now postmap it. (It creates a database-like file so postfix can read it.)

postmap /etc/postfix/sasl_passwd
  • Restart postfix

postfix reload
  • Done. You can use "mutt" to send emails outside. Check /var/log/mail.log to see if everything is working.

  • After a switch from sbcglobal to att you need to verify your email address in your yahoo email options. If you have 100s of mailing lists you will need to unblock your port 25 since it is impossible to use att yahoo smtp servers without verifying each email address.
  • To opt out of your port 25 (get it unfiltered) leave a request here: Unfilter port 25 on smtp.att.yahoo.com
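The added example below (not part of the original wiki page) audits the client-side password map from the steps above: it checks that neither sasl_passwd nor the sasl_passwd.db produced by postmap (hash: map type) is accessible to group or others, that the .db is not older than its source, and that an entry keyed by the relayhost value exists. The function name audit_sasl_passwd is hypothetical, and keying by the relayhost value is an assumption taken from the page's own example.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit a Postfix client SASL password map.
# Usage: audit_sasl_passwd <map-file> <relayhost-value>
# Prints one finding per line; returns 0 when there are none, 1 otherwise.

audit_sasl_passwd() {
    map=$1 relay=$2 rc=0
    [ -f "$map" ] || { echo "missing: $map"; return 1; }

    # The source file and the compiled map both contain the password,
    # so neither may grant anything to group or others (e.g. 600, not 644).
    for f in "$map" "$map.db"; do
        [ -e "$f" ] || { echo "missing: $f (run postmap)"; rc=1; continue; }
        mode=$(stat -c %a "$f")
        case $mode in
            *00) ;;
            *) echo "too permissive: $f is mode $mode"; rc=1 ;;
        esac
    done

    # Postfix reads the .db, not the text file: an edit without a new
    # postmap run leaves the old credentials in use.
    if [ -e "$map.db" ] && [ "$map.db" -ot "$map" ]; then
        echo "stale: $map.db is older than $map"; rc=1
    fi

    # Assumption from the page: the entry is keyed by the relayhost value,
    # written in the same form (brackets and port included).
    if ! awk -v key="$relay" \
        '$1 == key && $2 ~ /^[^:]+:.+/ { found = 1 } END { exit !found }' "$map"
    then
        echo "no entry with key $relay"; rc=1
    fi
    return $rc
}

# Example call for the setup on this page:
#   audit_sasl_passwd /etc/postfix/sasl_passwd '[smtp.sbcglobal.yahoo.com]:587'
```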


CategoryNetwork CategoryMail CategorySoftware