Differences between revisions 2 and 3
Revision 2 as of 2023-06-29 15:33:30
Size: 1656
Revision 3 as of 2023-06-29 15:41:49
Size: 1783
Line 34: Line 34:
The `cyrus_sasl_config_path` and `smtpd_sasl_path` settings are used to look up the appropriate Cyrus profile, i.e. `/etc/sasl2/smptd.conf`. See [[Cyrus#Auxiliary_Properties|here]] for details. `smptd_sasl_service` is a value passed into the plugin. The `cyrus_sasl_config_path` and `smtpd_sasl_path` settings are used to look up the appropriate Cyrus profile, i.e. `/etc/sasl2/smptd.conf`. See [[Cyrus#Auxiliary_Properties|here]] for details. `smptd_sasl_service` is a value passed into the plugin. The `smtpd_sasl_local_domain` is the domain name embedded in the Cyrus database, as in `saslpasswd2 -c -u $mydomain USERNAME`.
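Review bot: the revised line still spells the Cyrus profile as `/etc/sasl2/smptd.conf` and the parameter as `smptd_sasl_service`; both should read `smtpd`, matching `smtpd_sasl_path = smtpd` and `smtpd_sasl_service = smtpd` in the configuration block. Since this revision already touches the paragraph to add the `smtpd_sasl_local_domain` sentence, fix the two spellings in the same edit so that readers who copy the path or parameter name get one that Postfix and Cyrus will actually look up.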

Postfix Authentication

Postfix handles authentication separately for sending (smtp) and receiving (smtpd) mail.


Receiving Authenticated Mail

At a minimum, install the cyrus-sasl package.

The basic configuration for incoming mail is:

smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_tls_auth_only = yes

It may also be helpful to explicitly set the parameters for hooking into Cyrus.

cyrus_sasl_config_path = /etc/sasl2/
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = smtpd
smtpd_sasl_service = smtpd

The cyrus_sasl_config_path and smtpd_sasl_path settings together locate the Cyrus profile: the directory, followed by the path value with .conf appended, i.e. /etc/sasl2/smtpd.conf. See Cyrus (Auxiliary Properties) for details. smtpd_sasl_service is a value passed into the plugin. smtpd_sasl_local_domain is the domain name embedded in the Cyrus database, as in saslpasswd2 -c -u $mydomain USERNAME.
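
The receiving-side settings above can be checked mechanically. The shell functions below are an added example, not part of the original page or of Postfix: they read a file of name = value lines (the form postconf -n prints) and report where it is weaker than the baseline shown here. The function names, finding labels and sample files are made up for the example, and a parameter that is absent is assumed to take Postfix's documented default.

```sh
#!/bin/sh
# Added example: audit "name = value" lines (the form `postconf -n` prints)
# against the smtpd SASL baseline above. Labels and file names are made up.

# param FILE NAME DEFAULT: the last assignment of NAME wins, else DEFAULT.
param() {
    if grep -q "^$2[[:space:]]*=" "$1"; then
        sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
    else
        printf '%s\n' "$3"
    fi
}

# has_opt LIST OPT: true if OPT is one item of a comma/space separated LIST.
has_opt() {
    printf '%s\n' "$1" | tr ', ' '\n\n' | grep -qx "$2"
}

# audit_smtpd_sasl FILE: prints finding labels; an empty line means clean.
audit_smtpd_sasl() {
    out=""
    [ "$(param "$1" smtpd_sasl_auth_enable no)" = yes ] || { echo auth-disabled; return 0; }
    tls_only=$(param "$1" smtpd_tls_auth_only no)
    opts=$(param "$1" smtpd_sasl_security_options noanonymous)
    tls_opts=$(param "$1" smtpd_sasl_tls_security_options "$opts")
    # The TLS variant may be a literal reference to the non-TLS parameter.
    if [ "$tls_opts" = '$smtpd_sasl_security_options' ]; then tls_opts=$opts; fi
    if [ "$tls_only" != yes ]; then
        out="$out auth-without-tls"        # AUTH announced before STARTTLS
        has_opt "$opts" noplaintext || out="$out plaintext-in-clear"
    fi
    has_opt "$opts" noanonymous || out="$out anonymous-allowed"
    has_opt "$tls_opts" noanonymous || out="$out anonymous-allowed-tls"
    printf '%s\n' "${out# }"
}

# Constructed samples: the page's baseline, and auth enabled on defaults.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'smtpd_sasl_auth_enable = yes' 'smtpd_sasl_path = smtpd' \
        'smtpd_sasl_security_options = noanonymous, noplaintext' \
        'smtpd_sasl_tls_security_options = noanonymous' \
        'smtpd_tls_auth_only = yes' > "$d/baseline.cf"
    printf '%s\n' 'smtpd_sasl_auth_enable = yes' > "$d/defaults.cf"
    echo "baseline: [$(audit_smtpd_sasl "$d/baseline.cf")]"
    echo "defaults: [$(audit_smtpd_sasl "$d/defaults.cf")]"
    rm -rf "$d"
}
demo
```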


Sending Authenticated Mail

The basic configuration for outgoing mail is:

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = lmdb:/etc/postfix/sasl/sasl_passwd
smtp_sasl_security_options = noanonymous

Create a SASL passwd file like:

[smtp.gmail.com]:587 USERNAME@DOMAIN:wwwwxxxxyyyyzzzz

Note that Gmail specifically provides 16-character tokens. That length is particular to Gmail and is not a system requirement.

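Run postmap /etc/postfix/sasl/sasl_passwd and a hashed file will be produced alongside it. If your postmap(1) does not use LMDB, replace the lmdb: prefix with a lookup table type that was compiled into the distribution's build; postconf -m lists the supported types. The passwd file holds the credential in clear text, so keep it and the generated file readable by root only.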



Postfix/Authentication (last edited 2023-06-29 15:41:49 by DominicRicottone)