PostFix Howto With SASL

From ArchWiki
Jump to: navigation, search

Related articles

From Postfix's site:

People who go to the trouble of installing Postfix may have the expectation that Postfix is more secure than some other mailers. The Cyrus SASL library contains a lot of code. With this, Postfix becomes as secure as other mail systems that use the Cyrus SASL library. Dovecot provides an alternative that may be worth considering.

Introduction

In this article you will learn how to setup SASL authentication for Postfix.

Once Postfix is up and running you can add SASL authentication to avoid relaying. Only authenticated and trusted users will be able to send emails. This will avoid anonymous users to make spamming.

Since postfix package in [extra] is already compiled with SASL support, to enable SASL authentication you have two choices:

  • Use cyrus-sasl package.
  • Or enable your already configured Dovecot to handle Postfix authentication (as well as its own).

Configuration with cyrus-sasl package

Install cyrus-sasl from the official repositories.

To enable SASL for accepting mail from other users, open the "Message submission" port (TCP 587) in /etc/postfix/master.cf, by uncommenting these lines (which are there by default, just commented):

submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

Note that this also enables SSL, so if you do not have a SSL certificate, keep the "smtpd_tls_security_level" option commented out.

The three restriction options (client, helo, sender) can also be left commented out, since smtpd_recipient_restrictions already handles SASL users.

Setup Postfix as you normally would and start it. If you want to start it at boot time see Daemons#Starting on boot.

SASL can use different authentication methods. The default one is PAM (as configured in /etc/conf.d/saslauthd), but to set it up properly you have to create /usr/lib/sasl2/smtpd.conf:

pwcheck_method: saslauthd
mech_list: plain
log_level: 7

Now restart postfix and saslauthd services.

Hopefully you should be able to telnet to your Postfix server with:

telnet localhost 587

You should then type:

EHLO test.com

This is roughly what you should see:

Trying 127.0.0.1...

Connected to localhost.localdomain
Escape character is '^]'

220 justin ESMTP Postfix
EHLO test.com
250-justin
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN OTP DIGEST-MD5 CRAM-MD5
250 8BITMIME

Configuration with Dovecot

If you are using Dovecot as your IMAP or POP mail server and your users already authenticate (with PAM maybe), then there is no need to configure another package.

Simply edit /etc/postfix/master.cf and add the following lines under the submission or smtp section (depending on what you are using):

  # SASL authentication with dovecot
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=$myhostname
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject

Using this configuration implies that only authenticated users can send mails. You can see this from smtpd_client_restrictions option.

Now add the following to Dovecot configuration file in /etc/dovecot/dovecot.conf:

service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  user = root
}

As you can see a unix socket is created in /var/spool/postfix/private/auth, the same specified in smtpd_sasl_path option of master.cf

Finally restart both postfix and dovecot services.

See also