Authenticated SMTP with Postfix on CentOS, the easy way

This will be more of a future reference than an actual howto. It’s far from feature complete but it will get you started on authenticated SMTP sessions using Postfix. Quick & dirty.

Installing Postfix and SASL on CentOS:

# yum install postfix
# yum install cyrus-sasl cyrus-sasl-plain cyrus-sasl-md5

Let’s move on to the configuration now. Below you will find my default template for /etc/postfix/main.cf:

# cat /etc/postfix/main.cf
smtpd_banner = $myhostname ESMTP $mail_name

myhostname = example.tld
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = example.tld
mydestination = example.tld, localhost.localdomain, localhost
transport_maps =
relayhost =
mynetworks = 127.0.0.1/32
#mynetworks = hash:/etc/postfix/networks

# Cyrus SASL adds the .conf suffix itself and looks the file up in its own configuration directory
smtpd_sasl_path = smtpd
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = example.tld
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes

recipient_delimiter = +
inet_interfaces = all

smtpd_recipient_restrictions = permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        reject_rbl_client opm.blitzed.org,
        reject_rbl_client list.dsbl.org,
        reject_rbl_client sbl.spamhaus.org,
        reject_rbl_client cbl.abuseat.org,
        reject_rbl_client dul.dnsbl.sorbs.net

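smtpd_recipient_restrictions is what keeps this server from being an open relay that accepts spam from anyone. Unauthenticated clients may relay only from localhost (the single address in mynetworks), while authenticated sessions may relay from any address. All other mail is accepted only for the domains in mydestination, and only if the client passes the RBL checks that follow.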
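The order of that list matters as much as its contents. The following check is an added example, not part of the original post: it parses a main.cf (the sample text is a constructed excerpt of the template above) and reports anything that would let an unauthenticated client relay. The function names and the simplified set of "guard" restrictions are assumptions of this example.

```python
import ipaddress
import re

# Constructed main.cf excerpt mirroring the template above.
SAMPLE_MAIN_CF = """\
mynetworks = 127.0.0.1/32
smtpd_recipient_restrictions = permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        reject_rbl_client sbl.spamhaus.org
"""

# Simplified set of restrictions that stop relaying to foreign domains.
RELAY_GUARDS = {"reject_unauth_destination", "defer_unauth_destination",
                "reject", "defer"}

def parse_main_cf(text):
    """Return {parameter: value}, joining whitespace-led continuation lines."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and current:
            params[current] += " " + line.strip()
        elif "=" in line:
            current, value = (p.strip() for p in line.split("=", 1))
            params[current] = value
    return params

def audit_relay_policy(text):
    """Return findings that could let unauthenticated clients relay."""
    params, findings = parse_main_cf(text), []
    rules = re.findall(r"[^,\s]+", params.get("smtpd_recipient_restrictions", ""))
    guard = next((i for i, r in enumerate(rules) if r in RELAY_GUARDS), None)
    if guard is None:
        findings.append("no restriction rejects relaying to foreign domains")
    else:
        # Anything that can return OK ahead of the guard bypasses it.
        findings += [f"{r} is evaluated before {rules[guard]}"
                     for r in rules[:guard] if r == "permit" or r.startswith("check_")]
    for net in re.findall(r"[^,\s]+", params.get("mynetworks", "")):
        try:
            cidr = ipaddress.ip_network(net.replace("[", "").replace("]", ""), strict=False)
            loopback = cidr.is_loopback
        except ValueError:
            loopback = False  # lookup tables (hash:/...) need manual review
        if not loopback:
            findings.append(f"mynetworks entry {net} may relay without authentication")
    return findings
```

On a live system, feed it the output of `postconf -n` rather than the raw file so that defaults and overrides are already resolved.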

Make sure your Postfix daemon is actually able to communicate with the sasl daemon.
To accomplish this append this to /etc/postfix/master.cf:

# cat /etc/postfix/master.cf
submission inet n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_local_domain=example.tld
  -o header_checks=
  -o body_checks=
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination
# noplaintext applies to unencrypted sessions; the tls variant applies once TLS is active
  -o smtpd_sasl_security_options=noanonymous,noplaintext
  -o smtpd_sasl_tls_security_options=noanonymous

Next up we’re going to add our users to the sasl database:

# saslpasswd2 -c -u $hostname $user

While we’re at it, it might be a good idea to fix permissions on the sasl database. Otherwise Postfix will be unable to read from it or write to it.

# chown postfix:postfix /etc/sasldb2
# chmod 660 /etc/sasldb2

We’re almost there. To configure the sasl daemon itself:

# cat /usr/lib/sasl2/smtpd.conf
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5

# cat /usr/lib/sasl/smtpd.conf
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5

And finally restart the daemons.

# /etc/init.d/saslauthd restart
# /etc/init.d/postfix restart

Be sure to confirm it’s working using both your default mail client and /var/log/maillog.
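For the /var/log/maillog half of that check, the following added example (not part of the original post) summarises SASL activity: who authenticated and with which mechanism, which users sent their password with PLAIN or LOGIN (both offered by the mech_list above and only base64-encoded on the wire), and which client addresses keep failing. The log lines are constructed samples in Postfix's usual format, and the threshold is an assumption.

```python
import re
from collections import Counter

# Constructed /var/log/maillog lines in Postfix's usual format; the hosts,
# addresses and user names are invented for this example.
SAMPLE_MAILLOG = """\
Mar  3 10:01:12 mail postfix/smtpd[2101]: 4F1C2A0B12: client=pc.example.tld[192.0.2.10], sasl_method=CRAM-MD5, sasl_username=alice@example.tld
Mar  3 10:02:30 mail postfix/smtpd[2104]: 7A9D31C044: client=unknown[192.0.2.44], sasl_method=PLAIN, sasl_username=bob@example.tld
Mar  3 10:04:40 mail postfix/smtpd[2107]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Mar  3 10:04:43 mail postfix/smtpd[2107]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Mar  3 10:04:47 mail postfix/smtpd[2107]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
Mar  3 10:09:02 mail postfix/smtpd[2110]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Mar  3 10:09:05 mail postfix/smtpd[2110]: disconnect from unknown[198.51.100.7]
"""

AUTH_OK = re.compile(
    r"postfix/\S*smtpd\[\d+\]: \w+: client=\S+\[(?P<ip>[^\]]+)\], "
    r"sasl_method=(?P<method>[^,\s]+), sasl_username=(?P<user>\S+)")
AUTH_FAIL = re.compile(
    r"warning: \S+\[(?P<ip>[^\]]+)\]: SASL (?P<method>\S+) authentication failed")
PLAINTEXT = {"PLAIN", "LOGIN"}  # password is sent base64-encoded, not hashed

def summarise_sasl(log_text, threshold=3):
    """Summarise SASL logins and failures found in maillog text."""
    logins, failures = [], Counter()
    for line in log_text.splitlines():
        ok = AUTH_OK.search(line)
        if ok:
            logins.append((ok["user"], ok["ip"], ok["method"]))
            continue
        failed = AUTH_FAIL.search(line)
        if failed:
            failures[failed["ip"]] += 1
    return {
        "logins": logins,
        "plaintext_users": sorted({u for u, _, m in logins if m in PLAINTEXT}),
        "failures": dict(failures),
        # Clients at or above the threshold are likely guessing passwords.
        "suspects": sorted(ip for ip, n in failures.items() if n >= threshold),
    }
```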

Enjoy!

10 Comments

  1. But that’s not what the master.cf bit is doing. The master.cf bit is running an smtpd on the submission
    port (587) forcing the use of SASL.

    On an entirely different note: why do people insist on removing all the valuable comments from the
    vanilla postfix main.cf file and emptying it before writing their configuration in? If you just want to see
    the actual settings, use postconf. Vanilla Postfix main.cf is an example of what a well-documented
    config file should look like. Please don’t empty it. Documentation considered good.

    If you hadn’t deleted the comments, you would have known what the relevant bits were, and that they
    were not in master.cf. 😉

    Any particular reason to use cyrus sasl by the way, and not dovecot sasl? Even if you don’t use the
    imap features of dovecot, it’s got a reasonably good pamsasl bridge which integrates very nicely
    with postfix.

  2. Tom

    Postfix is actually the only daemon of which I clear the vanilla config. Which is due to historical reasons. I used to prefer a clean human readable config file. And for some reason with Postfix I still do.

    On a Sendmail (god forbid!) or Exim box I wouldn’t dare to remove the comments because of the complexity.

    The reason why I chose Cyrus is because I’ve seen it a lot more in production than Dovecot. But I’ll sure take a look at Dovecot in the future.

  3. Mookie

    Shouldn’t smtpd_sasl_local_domain match between main.cf and master.cf?

  4. Tom

    You’re absolutely right.
    Thanks for noticing. I’ve updated the post.

  5. semper gestion

    Excellent, what a web site it is! This website gives useful facts to
    us, keep it up.

  6. Hi,

    Great article! It helped me a lot.

    Just a few notes to make it work on CentOS 7:

    – The SMTPD.CONF file must be created in the “/etc/sasl2” directory.

    – SYSTEMCTL must be used to manage the SASL service: saslauthd.
