Simple Authentication and Security Layer (SASL) with Postfix SMTP
SASL authentication in the Postfix SMTP server
Implementation using Cyrus SASL
Using saslauthd with PAM
Setup Postfix with SMTP-AUTH over SASL2 with authentication against PAM in a chroot() environment.
- Note: The following steps have been carried out and verified on a Debian 7.1 system (Jan. 2015).
Note: SASL2 (saslauthd) creates a socket in its working directory, and Postfix (smtpd) needs access to this socket. If smtpd runs chroot()ed (which is the default on Debian), saslauthd must create its socket inside this chroot() environment as well (without being chrooted itself). While this is fine for smtpd, other services (Cyrus imapd, for example) expect saslauthd's socket at its regular location (/var/run/saslauthd).
The recommended way to solve this is to run separate saslauthd processes for Postfix and for the other services; Debian is prepared for this. Alternatively, a symlink trick can be used (see below), or you can disable chroot()ing by editing the chroot column in /etc/postfix/master.cf.
Install libsasl2-modules, postfix, sasl2-bin
Create a file /etc/postfix/sasl/smtpd.conf:
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
- Setup a separate saslauthd process to be used from Postfix:
Create a copy of saslauthd's config file
~# cp /etc/default/saslauthd /etc/default/saslauthd-postfix
and edit it
START=yes
DESC="SASL Auth. Daemon for Postfix"
NAME="saslauthd-postf"   # max. 15 char.
# Option -m sets the working dir for saslauthd (contains the socket)
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"   # postfix/smtp in chroot()
(See /usr/share/doc/sasl2-bin/README.Debian.gz)
Alternatively you can replace the directory /run/saslauthd with a symlink to /var/spool/postfix/var/run/saslauthd
~# rm -rf /run/saslauthd
~# ln -s /var/spool/postfix/var/run/saslauthd /run/saslauthd
This is a quick-and-dirty hack, useful only for testing purposes. After the next reboot the contents of /run will be reset.
Create required subdirectories in postfix chroot directory:
dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd
Add the user "postfix" to the group "sasl":
adduser postfix sasl
Restart saslauthd:
~# service saslauthd restart
[ ok ] Stopping SASL Auth. Daemon: saslauthd.
[ ok ] Stopping SASL Auth. Daemon for Postfix: saslauthd-postf.
[ ok ] Starting SASL Auth. Daemon: saslauthd.
[ ok ] Starting SASL Auth. Daemon for Postfix: saslauthd-postf.
Edit Postfix configuration:
~# postconf -e 'smtpd_sasl_local_domain = $myhostname'
~# postconf -e 'smtpd_sasl_auth_enable = yes'
~# postconf -e 'broken_sasl_auth_clients = yes'
~# postconf -e 'smtpd_sasl_security_options = noanonymous'
~# postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination'
(Optionally) Create a new PAM fragment and adjust it to your needs:
~# cd /etc/pam.d
~# cp other smtp
~# editor /etc/pam.d/smtp
Restart (reloading is not enough) postfix:
~# service postfix restart
That's it, you're done, everything should work fine now.
Using auxprop with sasldb
Setup Postfix with SMTP-AUTH over SASL2 with authentication against sasldb in a chroot() environment.
- Note: The following steps have been carried out and verified on a Debian 8.3 system (Feb. 2016).
Install libsasl2-modules, sasl2-bin
Create a file /etc/postfix/sasl/smtpd.conf:
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: plain login
Add a user to sasldb2:
~# saslpasswd2 -c -u domain user
~# sasldblistusers2
- Postfix needs /etc/sasldb2 inside its chroot environment. One solution is to change the init script so that it copies sasldb2 at startup.
In /usr/lib/postfix/configure-instance.sh, add etc/sasldb2 to the variable FILES:
FILES="etc/localtime etc/services etc/resolv.conf etc/hosts \
       etc/host.conf etc/nsswitch.conf etc/nss_mdns.config etc/sasldb2"
Edit Postfix configuration:
~# postconf -e 'smtpd_sasl_local_domain = $myhostname'
~# postconf -e 'smtpd_sasl_auth_enable = yes'
~# postconf -e 'smtpd_sasl_security_options = noanonymous'
Restart (reloading is not enough) postfix:
~# service postfix restart
~# systemctl daemon-reload
That's it, you're done, everything should work fine now.
Troubleshooting tip
Check your configuration with saslfinger:
~# saslfinger -s
If something goes wrong (cannot connect to the server, authentication fails), look at what is happening behind the scenes. Connect to your mail server with
~# telnet server 25
Does smtpd accept the connection? If yes, enter the command "ehlo dummy". What does smtpd respond? For more information see Check for SMTP AUTH support.
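The following shell functions are an added example, not part of the Debian wiki page: they check a `postconf -n` dump and an smtpd.conf for the server-side settings listed above, and extract the mechanisms from the EHLO reply the troubleshooting tip asks you to look at. The input strings are constructed samples; on a real host you would feed them `postconf -n` output, /etc/postfix/sasl/smtpd.conf and the telnet transcript.

```shell
#!/bin/sh
# Added example (not from the Debian wiki): offline checks for the smtpd-side SASL settings above
# and for the EHLO reply mentioned in the troubleshooting tip. All sample input is constructed.

# postconf_get DUMP KEY: print the value of KEY from a `postconf -n` style dump
postconf_get() {
    printf '%s\n' "$1" | sed -n "s/^$2 *= *//p"
}

# check_smtpd_sasl DUMP: 0 when the main.cf settings from the page are present with the expected values
check_smtpd_sasl() {
    rc=0
    [ "$(postconf_get "$1" smtpd_sasl_auth_enable)" = "yes" ] \
        || { echo "smtpd_sasl_auth_enable is not yes"; rc=1; }
    case "$(postconf_get "$1" smtpd_sasl_security_options)" in
        *noanonymous*) ;;
        *) echo "smtpd_sasl_security_options lacks noanonymous"; rc=1 ;;
    esac
    # without reject_unauth_destination the permit_* entries alone leave an open relay
    case "$(postconf_get "$1" smtpd_recipient_restrictions)" in
        *reject_unauth_destination*) ;;
        *) echo "smtpd_recipient_restrictions lacks reject_unauth_destination"; rc=1 ;;
    esac
    return $rc
}

# check_smtpd_conf CONF: saslauthd verifies a cleartext password, so with pwcheck_method saslauthd
# only PLAIN and LOGIN can work; any other mechanism in mech_list fails at AUTH time
check_smtpd_conf() {
    method=$(printf '%s\n' "$1" | sed -n 's/^pwcheck_method: *//p')
    [ "$method" = "saslauthd" ] || return 0
    for m in $(printf '%s\n' "$1" | sed -n 's/^mech_list: *//p' | tr 'a-z' 'A-Z'); do
        case "$m" in PLAIN|LOGIN) ;; *) echo "$m cannot be verified by saslauthd"; return 1 ;; esac
    done
    return 0
}

# ehlo_auth_mechs REPLY: print the mechanisms advertised in an EHLO reply; accepts the standard
# "250-AUTH PLAIN LOGIN" line and the "250-AUTH=PLAIN LOGIN" form added by broken_sasl_auth_clients = yes
ehlo_auth_mechs() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^250[- ]AUTH[= ]//p' | head -n 1
}
```

An empty result from ehlo_auth_mechs means smtpd is not offering AUTH at all, which points at smtpd_sasl_auth_enable or at smtpd not finding saslauthd's socket inside the chroot.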
Implementation using Dovecot SASL
See also: http://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL
SASL authentication in the Postfix SMTP client
Postfix and sbcglobal/yahoo/att
- SBC Global blocks port 25 for its DSL users.
- We will send email through SBC's SMTP server using authentication. Do this:
apt-get install libsasl2-modules
Add to main.cf using postconf. Just type (smtp.att.yahoo.com requires port 587; otherwise you don't need it):
postconf -e "relayhost = [smtp.sbcglobal.yahoo.com]:587"
postconf -e "smtp_sasl_auth_enable = yes"
postconf -e "smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd"
postconf -e "smtp_sasl_security_options = noanonymous"
Create the file /etc/postfix/sasl_passwd. Inside, type:
[smtp.sbcglobal.yahoo.com]:587 username@sbcglobal.net:mypassword
- Now change permissions so others can't read it:
chmod 600 /etc/postfix/sasl_passwd
- Now postmap it. (It creates a database-like file so postfix can read it.)
postmap /etc/postfix/sasl_passwd
- Restart postfix
postfix reload
Done. You can use "mutt" to send email to the outside. Check /var/log/mail.log to see if everything is working.
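As an added example that is not part of the Debian wiki page, the functions below check the three things that most often break the client setup above: the credentials file being readable by others, a stale or missing sasl_passwd.db after an edit, and a lookup key that does not match the relayhost value. They assume GNU stat (as on Debian) and take the file path as an argument; the sample entry is constructed.

```shell
#!/bin/sh
# Added example (not from the Debian wiki): checks for the smtp client credentials file set up above.
# Assumes GNU stat (Debian); paths are passed as arguments; the sample content is constructed.

# check_passwd_perms FILE: the file holds a cleartext password, so it must be readable by root only (mode 600)
check_passwd_perms() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || { echo "cannot stat $1"; return 1; }
    [ "$mode" = "600" ] || { echo "$1 has mode $mode, expected 600"; return 1; }
}

# check_map_fresh FILE: postmap must be re-run after every edit, otherwise Postfix keeps reading the old FILE.db
check_map_fresh() {
    [ -f "$1.db" ] || { echo "$1.db missing: run postmap $1"; return 1; }
    if [ "$1" -nt "$1.db" ]; then echo "$1 is newer than $1.db: run postmap $1"; return 1; fi
}

# check_relayhost_key RELAYHOST FILE: Postfix looks the destination up as written in relayhost
# (brackets and port included), so the first field of an entry must be exactly that string
check_relayhost_key() {
    awk -v key="$1" '$1 == key { found = 1 } END { exit !found }' "$2" \
        || { echo "no entry for $1 in $2"; return 1; }
}

# check_sasl_passwd RELAYHOST FILE: run all three checks and report every failure
check_sasl_passwd() {
    rc=0
    check_passwd_perms "$2" || rc=1
    check_map_fresh "$2" || rc=1
    check_relayhost_key "$1" "$2" || rc=1
    return $rc
}
```

On a real host: check_sasl_passwd "$(postconf -h relayhost)" /etc/postfix/sasl_passwd.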
- After a switch from sbcglobal to att you need to verify your email address in your Yahoo email options. If you have hundreds of mailing lists you will need to get your port 25 unblocked, since it is impossible to use the att/yahoo smtp servers without verifying each email address.
To opt out of the port 25 filtering (get it unfiltered) leave a request here: Unfilter port 25 on smtp.att.yahoo.com