Postfix with SASL

From ArchWiki

From Postfix's site:

People who go to the trouble of installing Postfix may have the expectation that Postfix is more secure than some other mailers. The Cyrus SASL library contains a lot of code. With this, Postfix becomes as secure as other mail systems that use the Cyrus SASL library. Dovecot provides an alternative that may be worth considering.


In this article you will learn how to set up SASL authentication for Postfix.

Once Postfix is up and running you can add SASL authentication to keep it from acting as an open relay: only authenticated, trusted users will be able to send mail through it, so anonymous users cannot use the server for spam.

Since the postfix package in [extra] is already compiled with SASL support, you have two choices for enabling SASL authentication:

  • Use the cyrus-sasl package.
  • Or let your already configured Dovecot handle Postfix authentication (as well as its own).

Configuration with cyrus-sasl package

Install the cyrus-sasl package.

To enable SASL for accepting mail from your users, open the message submission port (TCP 587) in /etc/postfix/ by uncommenting these lines (they are there by default, just commented out):

submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

Note that smtpd_tls_security_level=encrypt also makes TLS mandatory on this port, so if you do not have a TLS certificate yet, keep the "smtpd_tls_security_level" option commented out.

The three restriction options (client, helo, sender) can also be left commented out, since smtpd_recipient_restrictions already limits this port to SASL-authenticated users.

SASL can use different authentication back ends. The default one is PAM (as configured in /etc/conf.d/saslauthd), but for Postfix to use it you have to create /etc/sasl2/smtpd.conf:

# hand password checks to the saslauthd daemon (PAM by default)
pwcheck_method: saslauthd
# PLAIN and LOGIN transmit the password as-is, hence the TLS requirement above
mech_list: PLAIN LOGIN
# verbose logging while setting up; lower it once authentication works
log_level: 7

Start/enable the saslauthd.service.

Restart the postfix.service.

You should now be able to telnet to your Postfix server with:

telnet localhost 587

You should then type:


This is roughly what you should see:


Connected to localhost.localdomain
Escape character is '^]'

220 justin ESMTP Postfix
250-SIZE 10240000
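To turn the telnet session above into a repeatable check, here is an added example written for this page (it is not Postfix, Cyrus SASL or ArchWiki code). It parses EHLO replies and confirms that the submission listener advertises STARTTLS, offers AUTH only once the session is encrypted (PLAIN and LOGIN from the mech_list above send the password as-is, so offering them in cleartext is the failure mode to catch) and offers exactly the mechanisms configured in /etc/sasl2/smtpd.conf. The function names, the probe hostname and the sample replies are assumptions constructed here; only probe_submission() talks to a real server.

```python
"""Probe a Postfix submission listener and confirm SASL AUTH is only offered
inside TLS.  Added example for this page, not Postfix/Cyrus SASL/ArchWiki code.
Hostnames, ports and the sample replies are assumptions; parse_ehlo(),
assess() and probe_submission() are names chosen here."""
import smtplib
import ssl


def parse_ehlo(reply_lines):
    """Turn the lines of an EHLO reply into {KEYWORD: [params]}.

    Lines may carry the "250-"/"250 " prefix (as seen over telnet) or not
    (as smtplib returns them).  The first line is the server's own hostname,
    not a capability, so it is skipped.
    """
    caps = {}
    for line in reply_lines[1:]:
        line = line.strip()
        if len(line) > 3 and line[:3].isdigit() and line[3] in "- ":
            line = line[4:]
        if not line:
            continue
        words = line.split()
        caps[words[0].upper()] = [w.upper() for w in words[1:]]
    return caps


def assess(before_tls, after_tls, expected_mechs=("PLAIN", "LOGIN")):
    """Compare capabilities seen before and after STARTTLS.

    Returns a list of findings; empty means the listener matches the
    configuration on this page (mandatory TLS, SASL with PLAIN/LOGIN).
    after_tls is None when no TLS session could be established.
    """
    findings = []
    if "STARTTLS" not in before_tls:
        findings.append("STARTTLS not advertised: clients cannot encrypt the session")
    if "AUTH" in before_tls:
        findings.append("AUTH offered before STARTTLS: PLAIN/LOGIN passwords "
                        "could travel in cleartext")
    if after_tls is not None:
        offered = set(after_tls.get("AUTH", []))
        if not offered:
            findings.append("AUTH not offered after STARTTLS: SASL is not "
                            "enabled on this listener")
        elif offered != set(expected_mechs):
            findings.append(f"AUTH mechanisms {sorted(offered)} differ from "
                            f"mech_list {sorted(expected_mechs)}")
    return findings


def probe_submission(host="localhost", port=587, cafile=None):
    """Run the check against a live server; returns (before, after, findings).

    cafile: CA that signed the server certificate (needed for a self-signed
    one).  Requires network access, so the offline samples below do not use it.
    """
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        _, reply = smtp.ehlo("probe.example.invalid")
        before = parse_ehlo(reply.decode("utf-8", "replace").splitlines())
        after = None
        if "STARTTLS" in before:
            smtp.starttls(context=ssl.create_default_context(cafile=cafile))
            _, reply = smtp.ehlo("probe.example.invalid")
            after = parse_ehlo(reply.decode("utf-8", "replace").splitlines())
    return before, after, assess(before, after)


# Constructed sample replies (not captured from a real server), shaped like
# the telnet session on this page.
SAMPLE_BEFORE_TLS = ["250-justin", "250-PIPELINING", "250-SIZE 10240000",
                     "250-STARTTLS", "250 8BITMIME"]
SAMPLE_AFTER_TLS = ["250-justin", "250-PIPELINING", "250-SIZE 10240000",
                    "250-AUTH PLAIN LOGIN", "250 8BITMIME"]
# Constructed reply for a listener that offers AUTH without requiring TLS.
SAMPLE_NO_TLS = ["250-justin", "250-AUTH PLAIN LOGIN", "250 8BITMIME"]

if __name__ == "__main__":
    print("good listener:", assess(parse_ehlo(SAMPLE_BEFORE_TLS),
                                   parse_ehlo(SAMPLE_AFTER_TLS)))
    print("no-TLS listener:", assess(parse_ehlo(SAMPLE_NO_TLS), None))
    # Against a real server: print(probe_submission("mail.example.org", 587)[2])
```

Run with no arguments to see the two constructed samples evaluated; to probe a live server, call probe_submission(host, 587, cafile=...) with the CA file for your certificate, because a self-signed certificate fails the default verification and the check stops before the second EHLO.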

Configuration with Dovecot

If you are using Dovecot as your IMAP or POP mail server and your users already authenticate against it (perhaps via PAM), then there is no need to configure another package.

Simply edit /etc/postfix/ and add the following lines under the submission or smtp section (depending on which one you are using):

  # SASL authentication with dovecot
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=$myhostname
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject

With this configuration only authenticated users can send mail, as the smtpd_client_restrictions option shows.

Now add the following to the Dovecot configuration file /etc/dovecot/dovecot.conf:

service auth {
  # socket that Postfix's smtpd_sasl_path=private/auth points at
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
  # the auth process itself runs as this user
  user = root
}

As you can see, a unix socket is created at /var/spool/postfix/private/auth, the same path specified in the smtpd_sasl_path option of

Finally, restart both the postfix and dovecot services.
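Because Postfix only reaches Dovecot through that socket, a quick way to confirm the unix_listener block took effect is to inspect the socket's type, ownership and mode. The following is an added example for this page, not code from Dovecot, Postfix or ArchWiki; the function names and the demo() throwaway socket are constructed here, and the default path assumes Postfix's standard queue directory /var/spool/postfix.

```python
"""Verify the Dovecot auth socket that Postfix's smtpd_sasl_path points at.

Added example for this page, not Dovecot, Postfix or ArchWiki code.  Checks
the socket's type, mode and ownership against the unix_listener block above.
check_auth_socket() and demo() are names chosen here; /var/spool/postfix is
Postfix's default queue directory.
"""
import grp
import os
import pwd
import socket
import stat
import tempfile

# smtpd_sasl_path=private/auth is relative to Postfix's queue directory.
AUTH_SOCKET = "/var/spool/postfix/private/auth"


def _names(uid, gid):
    """Resolve numeric ids to names, falling back to the number if unknown."""
    try:
        user = pwd.getpwuid(uid).pw_name
    except KeyError:
        user = str(uid)
    try:
        group = grp.getgrgid(gid).gr_name
    except KeyError:
        group = str(gid)
    return user, group


def check_auth_socket(path=AUTH_SOCKET, user="postfix", group="postfix", mode=0o660):
    """Return a list of findings; empty means the socket matches the intended
    unix_listener settings (user/group postfix, mode 0660)."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [f"{path} does not exist: is Dovecot running with that unix_listener?"]
    findings = []
    if not stat.S_ISSOCK(st.st_mode):
        findings.append(f"{path} is not a unix socket")
    actual = stat.S_IMODE(st.st_mode)
    if actual != mode:
        findings.append(f"mode is {actual:04o}, expected {mode:04o}")
    if actual & 0o007:
        # On Linux, connecting to a unix socket needs write permission on it,
        # so any "other" bit lets every local user query the auth service.
        findings.append("socket is world-accessible")
    owner, owning_group = _names(st.st_uid, st.st_gid)
    if owner != user:
        findings.append(f"owner is {owner}, expected {user}")
    if owning_group != group:
        findings.append(f"group is {owning_group}, expected {group}")
    return findings


def demo(mode=0o660):
    """Create a throwaway socket in a temp dir (constructed; not the real
    Dovecot socket) with the given mode and check it against the names the
    current user gets, so the example runs without root or a running Dovecot."""
    with tempfile.TemporaryDirectory() as tmp:
        # New files may inherit the directory's group on some systems, so read
        # the expected group off a sibling file instead of assuming getegid().
        probe = os.path.join(tmp, "probe")
        open(probe, "w").close()
        me, my_group = _names(os.geteuid(), os.stat(probe).st_gid)
        path = os.path.join(tmp, "auth")
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
            sock.bind(path)
            os.chmod(path, mode)
            return check_auth_socket(path, user=me, group=my_group)


if __name__ == "__main__":
    for finding in check_auth_socket() or ["auth socket looks right"]:
        print(finding)
```

Run it on the mail server after restarting both services; an empty result means Postfix will find a socket it is allowed to open, while a "does not exist" finding usually means the Dovecot auth service has not started or the unix_listener path differs from smtpd_sasl_path.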

See also