Authenticated SMTP with Postfix and SASL

13 Jan

This works using the cyrus-sasl program.

Need to set up a few things:

1. Install cyrus-sasl
– Run:
$> saslauthd -v
This will tell you what authentication mechanisms your installation supports. We need ‘ldap’.

2. Edit (create if needed) /etc/saslauthd.conf, put in it:
ldap_servers: ldap://
ldap_version: 3
ldap_scope: one
ldap_search_base: ou=users,dc=xxx,dc=xxx,dc=xxx,dc=au
ldap_auth_method: bind
ldap_filter: (uid=%u)
ldap_start_tls: no
ldap_tls_check_peer: yes
ldap_tls_cacert_file: /etc/pki/tls/certs/xxx-mycert.crt
ldap_tls_cacert_dir: /etc/pki/tls/certs/

3. Edit (create if needed) /etc/sasl2/smtpd.conf, put in it:
pwcheck_method: saslauthd
mech_list: plain login

4. At this point you can check to see if SASL is working:
$> testsaslauthd -r -u -p xxxx
If this does not succeed, set your loglevel on your LDAP server to 256 and watch the output.

5. Now you need to set up Postfix to use SASL for its SMTP service.
Edit /etc/postfix/, uncomment the line:
smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes

Edit /etc/postfix/, add the lines:
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,check_relay_domains
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_tls_auth_only = no
smtpd_tls_key_file = /etc/pki/tls/private/xxx.key
smtpd_tls_cert_file = /etc/pki/tls/certs/xxx-mycert.crt
smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

6. That's it! Reload Postfix and it *should* work.
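A post-reload check, added here and not part of the original post: it EHLOs the smtps listener from the master.cf line above (implicit TLS, port 465) and the ordinary port 25 listener, and reports where AUTH is offered. The host name, the port numbers and the "assess" rules are this script's own assumptions; the one thing it looks for beyond "does AUTH work" is the combination of mech_list "plain login" with smtpd_tls_auth_only = no, which lets a password be sent over an unencrypted port 25 session.

```python
import smtplib
import ssl
import sys


def parse_auth_mechs(esmtp_features):
    """SASL mechanisms from the dict smtplib fills after ehlo(), e.g.
    {'auth': ' PLAIN LOGIN', 'starttls': ''} (keys are lower-case)."""
    return sorted(m.upper() for m in esmtp_features.get("auth", "").split())


def assess(features_plain, features_tls):
    """Judge the two listeners; returns a list of (severity, message).
    features_plain: EHLO features on port 25 before any STARTTLS.
    features_tls:   EHLO features inside the implicit-TLS session on 465."""
    findings = []
    tls_mechs = parse_auth_mechs(features_tls)
    if tls_mechs:
        findings.append(("OK", "smtps offers AUTH " + " ".join(tls_mechs)))
    else:
        findings.append(("FAIL", "smtps does not advertise AUTH; check "
                         "smtpd_sasl_auth_enable and that saslauthd is running"))
    # With mech_list "plain login" and smtpd_tls_auth_only = no, Postfix will
    # accept a password over an unencrypted port 25 session as well.
    cleartext = [m for m in parse_auth_mechs(features_plain) if m in ("PLAIN", "LOGIN")]
    if cleartext:
        findings.append(("WARN", "port 25 offers " + " ".join(cleartext) +
                         " before STARTTLS; set smtpd_tls_auth_only = yes"))
    return findings


def probe(host):
    """Live check against a real server (needs the network)."""
    with smtplib.SMTP(host, 25, timeout=10) as s:
        s.ehlo()
        plain = dict(s.esmtp_features)
    # Verification is on: a self-signed smtpd_tls_cert_file fails here
    # unless its issuer is in the local trust store.
    with smtplib.SMTP_SSL(host, 465, timeout=10,
                          context=ssl.create_default_context()) as s:
        s.ehlo()
        tls = dict(s.esmtp_features)
    return assess(plain, tls)


if __name__ == "__main__":
    for severity, msg in probe(sys.argv[1] if len(sys.argv) > 1 else "localhost"):
        print(severity + ": " + msg)
```

Run it as `python3 check_auth.py mail.example.org` (hypothetical file and host names); a healthy result is a single OK line and no WARN.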
