
Simple Authentication and Security Layer (SASL) with Postfix SMTP

SASL authentication in the Postfix SMTP server

Implementation using Cyrus SASL

Using saslauthd with PAM

Set up Postfix with SMTP-AUTH over SASL2 with authentication against PAM in a chroot() environment.


  1. Install libsasl2-modules, postfix, sasl2-bin

  2. Create a file /etc/postfix/sasl/smtpd.conf:

    pwcheck_method: saslauthd
    mech_list: PLAIN LOGIN
  3. Set up a separate saslauthd process to be used from Postfix:
    • Create a copy of saslauthd's config file

      ~# cp /etc/default/saslauthd /etc/default/saslauthd-postfix

      and edit it

      START=yes
      DESC="SASL Auth. Daemon for Postfix"
      NAME="saslauthd-postf"      # max. 15 char.
      # Option -m sets working dir for saslauthd (contains socket)
      OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"        # postfix/smtp in chroot()

      (See /usr/share/doc/sasl2-bin/README.Debian.gz)

      Alternatively you can replace the directory /run/saslauthd with a symlink to /var/spool/postfix/var/run/saslauthd

      ~# rm -rf /run/saslauthd
      ~# ln -s /var/spool/postfix/var/run/saslauthd   /run/saslauthd

      This is a quick-and-dirty hack, useful only for testing purposes. After the next reboot the contents of /run will be reset.
  4. Create the required subdirectories in the Postfix chroot directory:

    dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd
  5. Add the user "postfix" to the group "sasl":

    adduser postfix sasl
  6. Restart saslauthd:

    ~# service saslauthd  restart
    [ ok ] Stopping SASL Auth. Daemon: saslauthd.
    [ ok ] Stopping SASL Auth. Daemon for Postfix: saslauthd-postf.
    [ ok ] Starting SASL Auth. Daemon: saslauthd.
    [ ok ] Starting SASL Auth. Daemon for Postfix: saslauthd-postf.
  7. Edit Postfix configuration:

    ~# postconf -e 'smtpd_sasl_local_domain = $myhostname'
    ~# postconf -e 'smtpd_sasl_auth_enable = yes'
    ~# postconf -e 'broken_sasl_auth_clients = yes'
    ~# postconf -e 'smtpd_sasl_security_options = noanonymous'
    ~# postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination'
  8. (Optionally) Create a new PAM fragment and adjust it to your needs:

    ~# cd /etc/pam.d
    ~# cp other smtp
    ~# editor /etc/pam.d/smtp
  9. Restart (reloading is not enough) postfix:

    ~# service postfix restart

That's it, you're done, everything should work fine now.

Using auxprop with sasldb

Set up Postfix with SMTP-AUTH over SASL2 with authentication against sasldb in a chroot() environment.


  1. Install libsasl2-modules, sasl2-bin

  2. Create a file /etc/postfix/sasl/smtpd.conf:

    pwcheck_method: auxprop
    auxprop_plugin: sasldb
    mech_list: plain login
  3. Add a user to sasldb2:

     ~# saslpasswd2 -c -u domain user
     ~# sasldblistusers2
  4. Postfix needs /etc/sasldb2 in its chroot environment. One solution is to change the init script to copy sasldb2 at startup.

    In /usr/lib/postfix/configure-instance.sh, add etc/sasldb2 to the variable FILES:

            FILES="etc/localtime etc/services etc/resolv.conf etc/hosts \
                etc/host.conf etc/nsswitch.conf etc/nss_mdns.config etc/sasldb2"
  5. Edit Postfix configuration:

    ~# postconf -e 'smtpd_sasl_local_domain = $myhostname'
    ~# postconf -e 'smtpd_sasl_auth_enable = yes'
    ~# postconf -e 'smtpd_sasl_security_options = noanonymous'
  6. Restart (reloading is not enough) postfix:

    ~# service postfix restart
    ~# systemctl daemon-reload

That's it, you're done, everything should work fine now.

Troubleshooting tip

  1. Check your configuration with saslfinger:

    ~# saslfinger -s
  2. If something goes wrong (cannot connect to server, authentication fails), try to see what is happening behind the scenes. Try to connect to your mail server via

    ~# telnet server 25

Can smtpd be connected? If yes, enter the command "ehlo dummy". What does smtpd respond? For more information see Check for SMTP AUTH support
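The reply to "ehlo dummy" can be read mechanically. The script below is an added example, not part of the original page: it extracts the advertised mechanisms from a captured EHLO reply and flags PLAIN or LOGIN being offered on an unencrypted session. The function names and the sample reply are constructed for illustration; smtpd_tls_auth_only is a standard Postfix parameter that this page does not otherwise configure.

```shell
#!/bin/sh
# Added example: classify an EHLO reply captured from an unencrypted
# port-25 session (what smtpd prints after "ehlo dummy").

# Print the mechanisms from the "250-AUTH ..." or "250 AUTH ..." line.
# The legacy "250-AUTH=..." line (broken_sasl_auth_clients = yes) is skipped.
ehlo_mechs() {
    printf '%s\n' "$1" | tr -d '\r' |
        awk '/^250[- ]AUTH / { sub(/^250[- ]AUTH /, ""); print toupper($0); exit }'
}

# Print one verdict word for the reply.
ehlo_verdict() {
    mechs=$(ehlo_mechs "$1")
    if [ -z "$mechs" ]; then
        # No AUTH line: SASL is disabled, smtpd.conf was not picked up, or
        # smtpd_tls_auth_only = yes hides AUTH until after STARTTLS.
        echo "no-auth-offered"
        return 0
    fi
    case " $mechs " in
        *" PLAIN "*|*" LOGIN "*)
            # PLAIN and LOGIN only base64-encode the password, so offering
            # them before TLS lets it cross the network readable.
            echo "cleartext-auth-before-tls" ;;
        *)  echo "auth-offered" ;;
    esac
}

# Constructed sample: a reply matching mech_list "PLAIN LOGIN" and
# broken_sasl_auth_clients = yes, with no TLS configured.
SAMPLE_REPLY='250-mail.example.org
250-PIPELINING
250-SIZE 10240000
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250 8BITMIME'

echo "mechanisms: $(ehlo_mechs "$SAMPLE_REPLY")"
echo "verdict:    $(ehlo_verdict "$SAMPLE_REPLY")"
```

A verdict of cleartext-auth-before-tls means clients can submit their password before the session is encrypted; enabling TLS in smtpd and setting smtpd_tls_auth_only = yes makes Postfix withhold AUTH until STARTTLS has completed.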


Implementation using Dovecot SASL

See also: http://wiki.dovecot.org/HowTo/PostfixAndDovecotSASL

SASL authentication in the Postfix SMTP client

Postfix and sbcglobal/yahoo/att

apt-get install libsasl2-modules

postconf -e "relayhost = [smtp.sbcglobal.yahoo.com]:587"
postconf -e "smtp_sasl_auth_enable = yes"
postconf -e "smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd"
postconf -e "smtp_sasl_security_options = noanonymous"

Contents of /etc/postfix/sasl_passwd:

[smtp.sbcglobal.yahoo.com]:587 username@sbcglobal.net:mypassword

chmod 600 /etc/postfix/sasl_passwd

postmap /etc/postfix/sasl_passwd

postfix reload

