Postfix with client authentication

Postfix and SASL

For a new project I had to foresee an SMTP relay server that supported client authentication. I love the simplicity of Postfix but setting it up with client authentication required more than just ‘a push of a button’. Below are some -unstructured- notes on how to achieve this.

The client authentication in Postfix is handled by Cyrus SASL. The Simple Authentication and Security Layer or SASL is a specification that describes how authentication mechanisms can be plugged into an application protocol on the wire. You can instruct SASL to authenticate against LDAP and MySQL but also against PAM. That’s what I used for my setup.

The default configuration file for the SASL daemon on Ubuntu is in /etc/default/saslauthd. Change these settings

START=yes
MECHANISMS="pam"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

Then plug SASL authentication into the SMTP daemon. Add the file /etc/postfix/sasl/smtpd.conf

pwcheck_method: saslauthd
mech_list: plain login CRAM-MD5 DIGEST-MD5

Update the Postfix master file /etc/postfix/master.cf. Note that this does not start the smtps in the Postfix chroot.

smtps     inet  n       -       n       -       -       smtpd -v
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

… and the Postfix main file /etc/postfix/main.cf

smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtpd_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = !gssapi, !login, static:all
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = cyrus
smtpd_sasl_path = smtpd

The next step is to add the user postfix to the group sasl. Do this by editing the groups with

vigr
vigr -s

And finally restart the services.

systemctl restart postfix
systemctl restart saslauthd

Test SMTP authentication via Telnet

You can test your setup via Telnet. Note that Postfix will ask you for the username and password in base64 format (actually, also the question “username:” is in base64. Convert your username and password to base64 with

echo -en 'username' | base64

Below I authenticate with the username “username” (dXNlcm5hbWU= in base64) and “password” (cGFzc3dvcmQ= in base64).

telnet localhost 25
220 mail ESMTP Postfix
AUTH LOGIN
334 VXNlcm5hbWU6
dXNlcm5hbWU=
334 UGFzc3dvcmQ6
cGFzc3dvcmQ=
235 2.7.0 Authentication successful

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.