This will be more of a future reference than an actual howto. It’s far from feature complete but it will get you started on authenticated SMTP sessions using Postfix. Quick & dirty.
Installing Postfix and SASL on CentOS:
# yum install postfix
# yum install cyrus-sasl cyrus-sasl-plain cyrus-sasl-md5
Let’s move on to the configuration now. Below you will find my default template
for /etc/postfix/main.cf:
# cat /etc/postfix/main.cf
smtpd_banner = $myhostname ESMTP $mail_name
myhostname = example.tld
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = example.tld
mydestination = example.tld, localhost.localdomain, localhost
transport_maps =
relayhost =
mynetworks = 127.0.0.1/32
#mynetworks = hash:/etc/postfix/networks
smtpd_sasl_path = sasl2/smtpd.conf
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = example.tld
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
recipient_delimiter = +
inet_interfaces = all
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_rbl_client opm.blitzed.org,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dul.dnsbl.sorbs.net
Use smtpd_recipient_restrictions to make sure you’re not running an open relay that accepts spam from anyone. With the restrictions above, unauthenticated sessions are accepted from localhost only; authenticated sessions, however, are generally allowed.
Make sure your Postfix daemon is actually able to communicate with the sasl daemon.
To accomplish this append this to /etc/postfix/master.cf:
# cat /etc/postfix/master.cf
submission inet n - n - - smtpd
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sasl_security_options=noanonymous
    -o smtpd_sasl_local_domain=example.tld
    -o header_checks=
    -o body_checks=
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination
    -o smtpd_sasl_security_options=noanonymous,noplaintext
    -o smtpd_sasl_tls_security_options=noanonymous
Next up we’re going to add our users to the sasl database:
# saslpasswd2 -c -u $hostname $user
While we’re at it, it might be a good idea to fix permissions on the sasl database. Otherwise Postfix will be unable to read from it or write to it.
# chown postfix:postfix /etc/sasldb2
# chmod 660 /etc/sasldb2
We’re almost there. To configure the sasl daemon itself:
# cat /usr/lib/sasl2/smtpd.conf
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5

# cat /usr/lib/sasl/smtpd.conf
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
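An added example (not part of the original post) that works out which SASL mechanisms each listener would advertise, given the mech_list above and the security options in main.cf and master.cf. The settings are copied from this page as constructed input; the TLS rows assume TLS were enabled, which this page does not configure, and the port numbers are the standard ones for the smtp and submission services.

```python
# Constructed input mirroring the settings shown on this page.
MECH_LIST = "PLAIN LOGIN CRAM-MD5 DIGEST-MD5".split()      # smtpd.conf mech_list
MAIN_CF = {"smtpd_sasl_security_options": "noanonymous"}   # main.cf, applies to port 25
SUBMISSION_OVERRIDES = [                                   # master.cf -o options, in file order
    "smtpd_sasl_auth_enable=yes",
    "smtpd_sasl_security_options=noanonymous",
    "smtpd_sasl_local_domain=example.tld",
    "smtpd_sasl_security_options=noanonymous,noplaintext",
    "smtpd_sasl_tls_security_options=noanonymous",
]

# Mechanisms removed by each security flag (only the flags used on this page).
FILTERED_BY = {
    "noanonymous": {"ANONYMOUS"},
    "noplaintext": {"PLAIN", "LOGIN"},
}

def effective(main_cf, overrides):
    """Apply master.cf -o overrides on top of main.cf values."""
    params = dict(main_cf)
    for item in overrides:
        name, _, value = item.partition("=")
        params[name.strip()] = value.strip()  # assumption: a repeated -o is overridden by the later one
    return params

def offered(params, tls):
    """Mechanisms left after filtering, for a cleartext or a TLS session."""
    clear_opts = params.get("smtpd_sasl_security_options", "noanonymous")
    # The TLS variant falls back to the non-TLS setting when it is not set.
    opts = params.get("smtpd_sasl_tls_security_options", clear_opts) if tls else clear_opts
    banned = set()
    for flag in opts.replace(",", " ").split():
        banned |= FILTERED_BY.get(flag, set())
    return [m for m in MECH_LIST if m not in banned]

def report():
    listeners = {
        "smtp (25)": effective(MAIN_CF, []),
        "submission (587)": effective(MAIN_CF, SUBMISSION_OVERRIDES),
    }
    return {(name, tls): offered(p, tls)
            for name, p in listeners.items() for tls in (False, True)}

if __name__ == "__main__":
    for (name, tls), mechs in report().items():
        session = "TLS" if tls else "cleartext"
        print(f"{name:17} {session:9} -> {' '.join(mechs)}")
```

On port 25 the result includes PLAIN and LOGIN for cleartext sessions, so passwords sent with those mechanisms cross the network unencrypted; Postfix's smtpd_tls_auth_only = yes withholds AUTH until STARTTLS has completed.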
And finally restart the daemons.
# /etc/init.d/saslauthd restart
# /etc/init.d/postfix restart
Be sure to confirm it’s working using both your default mail client and /var/log/maillog.
Enjoy!