Authenticated SMTP with Postfix on CentOS, the easy way

This will be more of a future reference than an actual howto. It’s far from feature complete but it will get you started on authenticated SMTP sessions using Postfix. Quick & dirty.

Installing Postfix and SASL on CentOS:

# yum install postfix
# yum install cyrus-sasl cyrus-sasl-plain cyrus-sasl-md5

Let’s move on to the configuration now. Below you will find my default template
for /etc/postfix/

# cat /etc/postfix/
smtpd_banner = $myhostname ESMTP $mail_name

myhostname = example.tld
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = example.tld
mydestination = example.tld, localhost.localdomain, localhost
transport_maps =
relayhost =
mynetworks =
#mynetworks = hash:/etc/postfix/networks

smtpd_sasl_path = sasl2/smtpd.conf
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = example.tld
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes

recipient_delimiter = +
inet_interfaces = all

smtpd_recipient_restrictions = permit_mynetworks,

Use smtpd_recipient_restrictions to make sure you’re not running an Open Relay server accepting spam from anyone. It will accept unauthenticated sessions originating from localhost only. However authenticated sessions are generally allowed.

Make sure your Postfix daemon is actually able to communicate with the sasl daemon.
To accomplish this append this to /etc/postfix/

# cat /etc/postfix/
submission inet n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=example.tld
  -o header_checks=
  -o body_checks=
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination
  -o smtpd_sasl_security_options=noanonymous,noplaintext
  -o smtpd_sasl_tls_security_options=noanonymous
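
An added example, not part of the original post: a small Python check that overlays the -o overrides of the submission service on the main configuration to get its effective SASL settings. It flags a mismatched smtpd_sasl_local_domain or a restriction list without a reject. The sample input is constructed from the lines shown above, the function names are hypothetical, and it assumes a repeated -o takes the last value.

```python
import re

# Constructed sample input: the SASL-related lines of the two files shown above.
MAIN_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = example.tld
smtpd_sasl_security_options = noanonymous
"""
MASTER_CF = """\
submission inet n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=example.tld
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination
  -o smtpd_sasl_security_options=noanonymous,noplaintext
"""

def parse_main(text):
    """name = value lines; comments skipped, continuation lines not handled."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def parse_overrides(text, service):
    """Collect '-o name=value' for one service entry, indented continuation lines included."""
    found, active = {}, False
    for line in text.splitlines():
        if line[:1].strip() and not line.startswith("#"):  # column 0: a new service entry
            active = line.split()[0] == service
        if active and not line.lstrip().startswith("#"):
            for name, value in re.findall(r"-o\s+([\w.]+)=(\S*)", line):
                found[name] = value  # assumption: for a repeated -o, the last one wins
    return found

def audit(main_text, master_text, service="submission"):
    """Return (effective settings, findings) for the service's SASL setup."""
    main, over = parse_main(main_text), parse_overrides(master_text, service)
    eff, findings = {**main, **over}, []
    if eff.get("smtpd_sasl_auth_enable") != "yes":
        findings.append("SASL auth is not enabled")
    if "noanonymous" not in eff.get("smtpd_sasl_security_options", "").split(","):
        findings.append("anonymous SASL mechanisms are not excluded")
    if eff.get("smtpd_sasl_local_domain") != main.get("smtpd_sasl_local_domain"):
        findings.append("smtpd_sasl_local_domain differs between the two files")
    rules = re.split(r"[,\s]+", eff.get("smtpd_client_restrictions", ""))
    if "permit_sasl_authenticated" not in rules or not any(r.startswith("reject") for r in rules):
        findings.append("client restrictions lack permit_sasl_authenticated plus a reject")
    return eff, findings
```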

Next up we’re going to add our users to the sasl database:

# saslpasswd2 -c -u $hostname $user

While we’re at it, it might be a good idea to fix permissions on the sasl database. Otherwise Postfix will be unable to read from it or write to it.

# chown postfix:postfix /etc/sasldb2
# chmod 660 /etc/sasldb2

We’re almost there. To configure the sasl daemon itself:

# cat /usr/lib/sasl2/smtpd.conf
pwcheck_method: auxprop
auxprop_plugin: sasldb
# cat /usr/lib/sasl/smtpd.conf
pwcheck_method: auxprop
auxprop_plugin: sasldb

And finally restart the daemons.

# /etc/init.d/saslauthd restart
# /etc/init.d/postfix restart

Be sure to confirm it’s working using both your default mail client and /var/log/maillog.



  1. But that’s not what the bit is doing. The bit is running an smtpd on the submission
    port (587) forcing the use of SASL.

    On an entirely different note: why do people insist on removing all the valuable comments from the
    vanilla postfix file and emptying it before writing their configuration in? If you just want to see
    the actual settings, use postconf. Vanilla Postfix is an example of what a well-documented
    config file should look like. Please don’t empty it. Documentation considered good.

    If you hadn’t deleted the comments, you would have known what the relevant bits were, and that they
    were not in 😉

    Any particular reason to use cyrus sasl by the way, and not dovecot sasl? Even if you don’t use the
    imap features of dovecot, it’s got a reasonably good pamsasl bridge which integrates very nicely
    with postfix.

  2. Tom

    Postfix is actually the only daemon of which I clear the vanilla config. Which is due to historical reasons. I used to prefer a clean human readable config file. And for some reason with Postfix I still do.

    On a Sendmail (god forbid!) or Exim box I wouldn’t dare to remove the comments because of the complexity.

    The reason why I chose Cyrus is because I’ve seen it a lot more in production than Dovecot. But I’ll sure take a look at Dovecot in the future.

  3. Mookie

    Shouldn’t smtpd_sasl_local_domain match between and

  4. Tom

    You’re absolutely right.
    Thanks for noticing. I’ve updated the post.

  5. semper gestion

    Excellent, what a web site it is! This website gives useful facts to
    us, keep it up.

  6. Hi,

    Great article! It helped me a lot.

    Just a few notes to make it work on CentOS 7:

    – The SMTPD.CONF file must be created in the “/etc/sasl2” directory.

    – SYSTEMCTL must be used to manage the SASL service: saslauthd.
