How to implement SASL authentication in Postfix and Dovecot


SASL authentication secures Postfix, so that a username and password are required to send emails through Postfix. Make the following adjustments to the /etc/postfix/main.cf file.

Configure Postfix to use SASL authentication.

smtpd_sasl_auth_enable = yes

 

Configure Postfix to refuse anonymous connections.

smtpd_sasl_security_options = noanonymous

 

Configure Postfix to use the Dovecot or Cyrus daemon to authenticate a connection.

smtpd_sasl_type = dovecot

 

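Configure the path of the authentication socket. With smtpd_sasl_type = dovecot, the path is relative to the Postfix queue directory, so private/auth is the /var/spool/postfix/private/auth socket defined in the auth service in the /etc/dovecot/conf.d/10-master.conf file (explained later in this article).

smtpd_sasl_path = private/auth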

 

You may also want to use the following options.

broken_sasl_auth_clients     = yes
smtpd_sasl_security_options  = noanonymous
smtpd_recipient_restrictions = permit_sasl_authenticated,
                               permit_mynetworks,
                               reject_unauth_destination

 

With the following Postfix configuration, a client is permitted to send emails through the Postfix SMTP server if the connection is authenticated (permit_sasl_authenticated) or if the client is using a computer that is part of mynetworks (permit_mynetworks). If mynetworks_style is host, only the Postfix server itself is permitted to connect to Postfix without SASL authentication. If mynetworks_style is subnet, every computer in the subnet is allowed to connect to the Postfix server without SASL authentication. It is best to keep mynetworks_style at host to simulate and understand how authentication works with Postfix.

mynetworks_style             = host
smtpd_recipient_restrictions = permit_sasl_authenticated,
                               permit_mynetworks,
                               reject_unauth_destination
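
To check a main.cf against the settings above before restarting Postfix, the following added example (not part of the original article) parses the file, including continuation lines, and reports every mismatch. The function names and the sample file contents are constructed for illustration.

```python
import re

# Values the article sets in /etc/postfix/main.cf
EXPECTED = {"smtpd_sasl_auth_enable": "yes", "smtpd_sasl_type": "dovecot",
            "smtpd_sasl_path": "private/auth", "mynetworks_style": "host"}

def parse_main_cf(text):
    """Parse 'name = value' lines; a line starting with whitespace continues the previous one."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank and comment lines do not end a continued value
        if raw[0] in " \t":
            if name:
                params[name] += " " + raw.strip()
        elif "=" in raw:
            name, value = (part.strip() for part in raw.split("=", 1))
            params[name] = value  # a later definition replaces an earlier one
    return params

def words(value):
    return [w for w in re.split(r"[,\s]+", value) if w]

def audit_sasl(params):
    """Return findings; an empty list means the file matches the article's settings."""
    findings = [f"{k} is {params.get(k)!r}, expected {v!r}"
                for k, v in EXPECTED.items() if params.get(k) != v]
    if "noanonymous" not in words(params.get("smtpd_sasl_security_options", "")):
        findings.append("smtpd_sasl_security_options lacks noanonymous")
    rules = words(params.get("smtpd_recipient_restrictions", ""))
    if "reject_unauth_destination" not in rules:
        findings.append("smtpd_recipient_restrictions lacks reject_unauth_destination")
    elif "permit_sasl_authenticated" not in rules[:rules.index("reject_unauth_destination")]:
        findings.append("permit_sasl_authenticated is not before reject_unauth_destination")
    return findings

# Constructed sample: a misspelled parameter name and an incomplete option value
SAMPLE = """\
smtpd_sasl_auth_enabled = yes
smtpd_sasl_security_options = no
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
mynetworks_style = host
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,
                               reject_unauth_destination
"""

if __name__ == "__main__":
    for finding in audit_sasl(parse_main_cf(SAMPLE)):
        print("FINDING:", finding)
```

On a real server, pass the contents of /etc/postfix/main.cf to parse_main_cf instead of SAMPLE.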

 

Ensure Dovecot is configured to use plain login. Plain and login are two separate authentication mechanisms. Both send the password only base64-encoded, not encrypted, which is why the connection itself has to be protected. Later we will provide steps on how to securely send emails to remote recipients over the Internet. For now, we just want to ensure we can still connect after making the SASL changes to the Postfix configuration file. View the Dovecot configuration file, and ensure /etc/dovecot/dovecot.conf is configured to use plain login.

# Dovecot 2.x syntax (Dovecot 1.x used an "auth default { mechanisms = plain login }" block)
auth_mechanisms = plain login

 

Update the auth service in the /etc/dovecot/conf.d/10-master.conf file to have the following:

service auth {
  unix_listener auth-userdb {
  }
  # Socket Postfix connects to; matches smtpd_sasl_path = private/auth
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}

 

Restart Postfix and Dovecot.

~]# systemctl restart postfix
~]# systemctl restart dovecot

 

Ensure Postfix and Dovecot are active and running.

~]# systemctl status postfix
~]# systemctl status dovecot

 

Postfix should now be properly configured to use SASL authentication. Because the Postfix email server is configured with mynetworks_style = host, the Postfix email server trusts the Postfix email server itself, which means there will be no requirement to authenticate when using the Postfix email server itself. To test authentication, attempt to send and retrieve emails from another computer in the LAN.


