This will be more of a future reference than an actual howto. It’s far from feature complete but it will get you started on authenticated SMTP sessions using Postfix. Quick & dirty.
Installing Postfix and SASL on CentOS:
# yum install postfix
# yum install cyrus-sasl cyrus-sasl-plain cyrus-sasl-md5
Let’s move on to the configuration now. Below you will find my default template for /etc/postfix/main.cf:
# cat /etc/postfix/main.cf
smtpd_banner = $myhostname ESMTP $mail_name
myhostname = example.tld
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = example.tld
mydestination = example.tld, localhost.localdomain, localhost
transport_maps =
relayhost =
mynetworks = 127.0.0.1/32
#mynetworks = hash:/etc/postfix/networks
smtpd_sasl_path = sasl2/smtpd.conf
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = example.tld
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
recipient_delimiter = +
inet_interfaces = all
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_rbl_client opm.blitzed.org,
    reject_rbl_client list.dsbl.org,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dul.dnsbl.sorbs.net
Use smtpd_recipient_restrictions to make sure you’re not running an open relay that accepts spam from anyone. With the restrictions above, unauthenticated sessions may relay only when they originate from localhost (the sole entry in mynetworks), while authenticated sessions are allowed regardless of where they connect from.
Make sure your Postfix daemon is actually able to communicate with the sasl daemon.
To accomplish this append this to /etc/postfix/master.cf:
# cat /etc/postfix/master.cf
submission inet n - n - - smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=example.tld
  -o header_checks=
  -o body_checks=
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject_unauth_destination
  -o smtpd_sasl_security_options=noanonymous,noplaintext
  -o smtpd_sasl_tls_security_options=noanonymous
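To see which SASL settings each listener ends up with once the -o overrides in master.cf are layered on top of main.cf, the following added example (not part of the original post) parses both files and flags a repeated override, a listener that offers plaintext AUTH without smtpd_tls_auth_only, and a smtpd_sasl_local_domain that differs from main.cf. The function names, the finding labels and the stock smtp service line are assumptions of this example, as is the rule that a later -o replaces an earlier one.

```python
import re

# Constructed input: the SASL-related settings from this page's main.cf and
# master.cf; the stock "smtp" (port 25) service line is assumed to be present.
MAIN_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = example.tld
smtpd_sasl_security_options = noanonymous
"""
MASTER_CF = """\
smtp       inet n - n - - smtpd
submission inet n - n - - smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=example.tld
  -o smtpd_sasl_security_options=noanonymous,noplaintext
"""

def logical_lines(text):
    """Drop comment and blank lines, then fold whitespace-led continuations."""
    kept = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    return re.sub(r"\n[ \t]+", " ", "\n".join(kept)).splitlines()

def smtpd_overrides(master_text):
    """Map each smtpd service to its ordered (-o name, value) pairs."""
    services = {}
    for f in map(str.split, logical_lines(master_text)):
        if len(f) >= 8 and f[7] == "smtpd":  # eighth field is the command
            services[f[0]] = [tuple(v.split("=", 1))
                              for a, v in zip(f[8:], f[9:]) if a == "-o"]
    return services

def audit(main_text, master_text):
    """Return (service, issue, detail) findings for every smtpd listener."""
    main = dict(re.split(r"\s*=\s*", l, maxsplit=1) for l in logical_lines(main_text))
    findings = []
    for svc, overrides in smtpd_overrides(master_text).items():
        effective, seen = dict(main), set()
        for name, value in overrides:
            if name in seen:
                findings.append((svc, "duplicate-override", name))
            seen.add(name)
            effective[name] = value  # assumption: a later -o replaces an earlier one
        opts = effective.get("smtpd_sasl_security_options", "")
        if (effective.get("smtpd_sasl_auth_enable") == "yes" and effective.get("smtpd_tls_auth_only") != "yes"
                and "noplaintext" not in re.split(r"[,\s]+", opts)):
            findings.append((svc, "plaintext-auth-without-tls", opts))
        if effective.get("smtpd_sasl_local_domain") != main.get("smtpd_sasl_local_domain"):
            findings.append((svc, "local-domain-mismatch", effective.get("smtpd_sasl_local_domain")))
    return findings
```

On the constructed input, the port 25 listener is reported because it inherits noanonymous alone from main.cf, while submission is reported only for the repeated smtpd_sasl_security_options override.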
Next up we’re going to add our users to the sasl database:
# saslpasswd2 -c -u $hostname $user
While we’re at it, it might be a good idea to fix permissions on the sasl database. Otherwise Postfix will be unable to read from it or write to it.
# chown postfix:postfix /etc/sasldb2
# chmod 660 /etc/sasldb2
We’re almost there. To configure the sasl daemon itself:
# cat /usr/lib/sasl2/smtpd.conf
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5

# cat /usr/lib/sasl/smtpd.conf
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
And finally restart the daemons.
# /etc/init.d/saslauthd restart
# /etc/init.d/postfix restart
Be sure to confirm it’s working using both your default mail client and /var/log/maillog.
Enjoy!
But that’s not what the master.cf bit is doing. The master.cf bit is running an smtpd on the submission
port (587) forcing the use of SASL.
On an entirely different note: why do people insist on removing all the valuable comments from the
vanilla postfix main.cf file and emptying it before writing their configuration in? If you just want to see
the actual settings, use postconf. Vanilla Postfix main.cf is an example of what a well-documented
config file should look like. Please don’t empty it. Documentation considered good.
If you hadn’t deleted the comments, you would have known what the relevant bits were, and that they
were not in master.cf. 😉
Any particular reason to use cyrus sasl by the way, and not dovecot sasl? Even if you don’t use the
imap features of dovecot, it’s got a reasonably good pamsasl bridge which integrates very nicely
with postfix.
Postfix is actually the only daemon of which I clear the vanilla config. Which is due to historical reasons. I used to prefer a clean human readable config file. And for some reason with Postfix I still do.
On a Sendmail (god forbid!) or Exim box I wouldn’t dare to remove the comments because of the complexity.
The reason why I chose Cyrus is because I’ve seen it a lot more in production than Dovecot. But I’ll sure take a look at Dovecot in the future.
Shouldn’t smtpd_sasl_local_domain match between main.cf and master.cf?
You’re absolutely right.
Thanks for noticing. I’ve updated the post.
Excellent, what a web site it is! This website gives useful facts to
us, keep it up.
Hi,
Great article! It helped me a lot.
Just a few notes to make it work on CentOS 7:
– The SMTPD.CONF file must be created in the “/etc/sasl2” directory.
– SYSTEMCTL must be used to manage the SASL service: saslauthd.