Postfix Authentication
Postfix handles authentication separately for sending (smtp) and receiving (smtpd) mail.
Receiving Authenticated Mail
At a minimum, install the cyrus-sasl package.
The basic configuration for incoming mail is:
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_tls_auth_only = yes
It may also be helpful to explicitly set the parameters for hooking into Cyrus.
cyrus_sasl_config_path = /etc/sasl2/
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = smtpd
smtpd_sasl_service = smtpd
The cyrus_sasl_config_path and smtpd_sasl_path settings are used to look up the appropriate Cyrus profile, i.e. /etc/sasl2/smtpd.conf. See here for details. smtpd_sasl_service is a value passed into the plugin. smtpd_sasl_local_domain is the domain name embedded in the Cyrus database, as in saslpasswd2 -c -u $mydomain USERNAME.
Sending Authenticated Mail
The basic configuration for outgoing mail is:
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = lmdb:/etc/postfix/sasl/sasl_passwd
smtp_sasl_security_options = noanonymous
Create a SASL passwd file like:
[smtp.gmail.com]:587 USERNAME@example.com:wwwwxxxxyyyyzzzz
Note that Gmail specifically provides 16-character tokens; that length is not a system requirement.
Run postmap /etc/postfix/sasl/sasl_passwd to produce the hashed lookup file. If your postmap(1) does not use LMDB, replace lmdb: with whichever lookup table type was compiled into your distribution's Postfix.
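The SASL passwd file and the map postmap builds from it both hold the relay password in clear text, and Postfix reads only the compiled map. The following audit is an added example, not part of the original page: the function names audit_sasl_passwd and private_mode are hypothetical, and it assumes one entry per line and an lmdb map unless a different suffix is passed.

```shell
#!/bin/sh
# Added example: audit a Postfix smtp_sasl_password_maps source file.
# Usage: audit_sasl_passwd FILE [SUFFIX]    (SUFFIX defaults to lmdb)
# Prints one line per finding and returns the number of findings.
# Assumption: one entry per line (continuation lines are not handled).

# True when the file grants no permission bits to group or other.
private_mode() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

audit_sasl_passwd() {
    file=$1 map="$1.${2:-lmdb}" findings=0

    [ -r "$file" ] || { echo "missing or unreadable: $file"; return 1; }

    # The source file stores the password in clear text.
    if ! private_mode "$file"; then
        echo "group/other can access $file"; findings=$((findings + 1))
    fi

    # Every entry must read: DESTINATION <whitespace> USER:PASSWORD
    bad=$(awk '/^[ \t]*#/ || NF == 0 { next }
               NF < 2 || $2 !~ /^[^:]+:./ { print NR }' "$file")
    for n in $bad; do
        echo "line $n is not 'destination user:password'"
        findings=$((findings + 1))
    done

    # Postfix looks up the compiled map, so it must exist, be current,
    # and be as tightly protected as the text file.
    if [ ! -e "$map" ]; then
        echo "no compiled map $map (run postmap)"; findings=$((findings + 1))
    else
        if [ "$file" -nt "$map" ]; then
            echo "$map is older than $file (re-run postmap)"
            findings=$((findings + 1))
        fi
        if ! private_mode "$map"; then
            echo "group/other can access $map"; findings=$((findings + 1))
        fi
    fi
    return "$findings"
}

# When given a path, audit it; the exit status is the number of findings.
if [ $# -gt 0 ]; then
    audit_sasl_passwd "$@"
fi
```

Run it as root against /etc/postfix/sasl/sasl_passwd after each edit; a clean result prints nothing and exits 0.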