Postfix and SASL
For a new project I had to provide an SMTP relay server that supported client authentication. I love the simplicity of Postfix, but setting it up with client authentication required more than just 'a push of a button'. Below are some (unstructured) notes on how to achieve this.
The client authentication in Postfix is handled by Cyrus SASL. The Simple Authentication and Security Layer (SASL) is a specification that describes how authentication mechanisms can be plugged into an application protocol on the wire. You can instruct SASL to authenticate against LDAP and MySQL, but also against PAM. That's what I used for my setup.
The default configuration file for the SASL daemon on Ubuntu is /etc/default/saslauthd. Change these settings:
START=yes
MECHANISMS="pam"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
Then plug SASL authentication into the SMTP daemon. Add the file /etc/postfix/sasl/smtpd.conf:
pwcheck_method: saslauthd
mech_list: plain login CRAM-MD5 DIGEST-MD5
Update the Postfix master file /etc/postfix/master.cf. Note that this does not start smtps in the Postfix chroot (the chroot column is set to "n"):
smtps     inet  n       -       n       -       -       smtpd -v
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
… and the Postfix main file /etc/postfix/main.cf:
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtpd_use_tls = yes
smtpd_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = !gssapi, !login, static:all
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = cyrus
smtpd_sasl_path = smtpd
The next step is to add the user postfix to the group sasl. Do this by editing the groups (vigr edits /etc/group, vigr -s edits /etc/gshadow) with:
vigr
vigr -s
And finally restart the services:
systemctl restart postfix
systemctl restart saslauthd
Test SMTP authentication via Telnet
You can test your setup via Telnet. Note that Postfix expects the username and password in base64 (the prompt "username:" it sends is itself base64 encoded as well). Convert your username and password to base64 with:
echo -en 'username' | base64
Below I authenticate with the username “username” (dXNlcm5hbWU= in base64) and “password” (cGFzc3dvcmQ= in base64).
telnet localhost 25
220 mail ESMTP Postfix
AUTH LOGIN
334 VXNlcm5hbWU6
dXNlcm5hbWU=
334 UGFzc3dvcmQ6
cGFzc3dvcmQ=
235 2.7.0 Authentication successful
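The same AUTH LOGIN dialogue as a small Python walkthrough, added here as an example and not part of the original notes. The server replies are constructed from the Telnet session above (the 535 failure line is a constructed sample); the script decodes each 334 challenge, answers it, and keeps a decoded transcript so you can see that base64 is encoding, not encryption, which is why a plaintext-only session like the one above deserves TLS in front of it.

```python
import base64

# Constructed server replies, taken from the Telnet session in these notes.
SERVER_REPLIES = [
    "220 mail ESMTP Postfix",
    "334 VXNlcm5hbWU6",
    "334 UGFzc3dvcmQ6",
    "235 2.7.0 Authentication successful",
]
# Constructed sample of a rejected login (wording is a placeholder, not captured output).
FAILED_REPLIES = SERVER_REPLIES[:3] + ["535 5.7.8 Error: authentication failed"]


def b64(text: str) -> str:
    """Encode a string the way the client must send it after a 334 challenge."""
    return base64.b64encode(text.encode()).decode()


def decode_challenge(line: str) -> str:
    """Decode a '334 <base64>' SASL challenge, e.g. '334 VXNlcm5hbWU6' -> 'Username:'."""
    code, _, payload = line.strip().partition(" ")
    if code != "334":
        raise ValueError(f"expected a 334 SASL challenge, got {line!r}")
    return base64.b64decode(payload).decode()


def auth_login(username: str, password: str, replies):
    """Walk the AUTH LOGIN exchange against a list of server replies.

    Returns (authenticated, transcript); transcript entries are
    (direction, wire_line, decoded_text), so the cleartext credentials
    the server would see on an unencrypted port 25 session are visible.
    """
    it = iter(replies)
    transcript = []
    greeting = next(it)
    transcript.append(("S", greeting, greeting))
    if not greeting.startswith("220"):
        return False, transcript
    transcript.append(("C", "AUTH LOGIN", "AUTH LOGIN"))
    answers = {"Username:": username, "Password:": password}
    for line in it:
        transcript.append(("S", line, line))
        if line.startswith("334"):
            prompt = decode_challenge(line)
            transcript[-1] = ("S", line, prompt)
            answer = answers.get(prompt)
            if answer is None:  # unexpected challenge: abort rather than guess
                return False, transcript
            transcript.append(("C", b64(answer), answer))
        else:
            # 235 = authenticated; anything else (e.g. 535) is a failure.
            return line.startswith("235"), transcript
    return False, transcript
```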