Bootstrap FreeKB - Postfix (Email) - SASL authentication
Postfix (Email) - SASL authentication


At a very simple high level, Postfix is the Mail Transfer Agent (MTA) that sends email to a user's inbox (Mail User Agent) via SMTP (port 25, 465 or 587), and Dovecot is the Mail Delivery Agent (MDA) that retrieves email from a user's inbox via POP3 (port 110 or 995) or IMAP (port 143 or 993).

 

SASL authentication can be set up so that a username and password are required to connect to Postfix to send email to a user's inbox (Mail User Agent) and to connect to Dovecot to retrieve email from a user's inbox.

Postfix is configured to hand authentication off to Dovecot, and Dovecot then authenticates the users.

Make the following adjustments to the /etc/postfix/main.cf file.

  • smtpd_sasl_auth_enable enables SASL authentication in the Postfix SMTP server
  • smtpd_sasl_security_options noanonymous refuses anonymous SASL logins
  • smtpd_sasl_type dovecot tells Postfix to use Dovecot to authenticate a connection
  • smtpd_sasl_path private/auth is relative to the Postfix queue directory (/var/spool/postfix) and matches the unix_listener in the /etc/dovecot/conf.d/10-master.conf file (explained later in this article)

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

 

You may also want to use the following options.

broken_sasl_auth_clients     = yes
smtpd_sasl_security_options  = noanonymous
smtpd_recipient_restrictions = permit_sasl_authenticated,
                               permit_mynetworks,
                               reject_unauth_destination

 

With the following Postfix configuration, a client is permitted to send email through the Postfix SMTP server if the connection is SASL authenticated (permit_sasl_authenticated) or if the client's address is part of mynetworks (permit_mynetworks); reject_unauth_destination refuses relaying for everyone else.

mynetworks_style             = host
smtpd_recipient_restrictions = permit_sasl_authenticated,
                               permit_mynetworks,
                               reject_unauth_destination
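As an added example (Python written for this page, not code from the FreeKB article), the following parses a main.cf fragment the way Postfix reads it, including the continuation lines and the last-assignment-wins rule seen above, and then checks that the SASL settings from this section are present and that permit_sasl_authenticated comes before reject_unauth_destination. Both main.cf texts are constructed.

```python
# Constructed main.cf fragment with the SASL settings from the article.
GOOD_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_security_options  = noanonymous
smtpd_recipient_restrictions = permit_sasl_authenticated,
                               permit_mynetworks,
                               reject_unauth_destination
"""
# Constructed weak variant: anonymous SASL still allowed, and the reject rule
# placed before permit_sasl_authenticated so authenticated clients cannot relay.
WEAK_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noplaintext
smtpd_recipient_restrictions = reject_unauth_destination, permit_sasl_authenticated
"""

def parse_main_cf(text):
    """Return {parameter: value}. A line that starts with whitespace continues the
    previous value, and a later assignment overrides an earlier one (Postfix rules)."""
    params, key = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and key is not None:
            params[key] += " " + line.strip()
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        params[key] = value.strip()
    return params

def check_sasl(params):
    """Return findings for settings that deviate from the article; [] means all good."""
    words = lambda name: params.get(name, "").replace(",", " ").split()
    findings = []
    if params.get("smtpd_sasl_auth_enable") != "yes":
        findings.append("smtpd_sasl_auth_enable is not yes")
    if "noanonymous" not in words("smtpd_sasl_security_options"):
        findings.append("smtpd_sasl_security_options does not include noanonymous")
    restr = words("smtpd_recipient_restrictions")
    if "reject_unauth_destination" not in restr:
        findings.append("smtpd_recipient_restrictions lacks reject_unauth_destination")
    elif ("permit_sasl_authenticated" in restr and
          restr.index("permit_sasl_authenticated") > restr.index("reject_unauth_destination")):
        findings.append("permit_sasl_authenticated comes after reject_unauth_destination")
    return findings
```

On a live system the same checks can be run over the output of postconf -n, which prints each parameter on one line.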

 

Set auth_mechanisms in /etc/dovecot/dovecot.conf to plain login. plain and login are two separate authentication mechanisms, so both the PLAIN and LOGIN authentication methods will be supported.

  • PLAIN = plain is short for "plaintext" - Dovecot will accept the username and password sent as plaintext (base64-encoded, not encrypted)
  • LOGIN = this is typically used by email clients (e.g. Outlook, Mozilla Thunderbird, eM Client, et cetera) to allow the client to authenticate to the Postfix/Dovecot SMTP server

auth_mechanisms = plain login

 

/etc/dovecot/conf.d/10-auth.conf should have the following, so that Dovecot uses /etc/dovecot/conf.d/auth-system.conf.ext for authentication.

!include auth-system.conf.ext

 

/etc/dovecot/conf.d/auth-system.conf.ext should have the following, so that users in /etc/passwd can be authenticated.

userdb {
  driver = passwd
}

 

The postfix user account should be in /etc/passwd, so that the postfix user account can be used for authentication between Dovecot and Postfix.

~]$ grep postfix /etc/passwd
postfix:x:89:89::/var/spool/postfix:/sbin/nologin

 

Update the service auth block in /etc/dovecot/conf.d/10-master.conf to have the following, so that the socket Postfix uses to talk to Dovecot is owned by the postfix user account.

service auth {
  unix_listener auth-userdb {
  }
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}

 

The ps command can be used to determine if your system is using init or systemd. If PID 1 is init, then you will use the service command. If PID 1 is systemd, then you will use the systemctl command.

If your system is using systemd, use the systemctl command to restart postfix and dovecot.

systemctl restart postfix
systemctl restart dovecot

 

If your system is using init, use the service command to restart postfix and dovecot.

service postfix restart
service dovecot restart

 

Postfix should now be configured to use SASL authentication. Because the Postfix email server is configured with mynetworks_style = host, it trusts itself, so no authentication is required when sending from the Postfix server itself. To test authentication, send and retrieve email from another computer on the LAN.

Let's say client systems have a default SMTP username and password set in /etc/mail.rc. In this scenario, the user john.doe would need to exist on the system running Postfix and Dovecot, and john.doe's password would need to be itsasecret.

~]$ vim /etc/mail.rc
account default {
  set smtp=smtp://smtp.example.com
  set from=john.doe@example.com
  set smtp-auth-user=john.doe
  set smtp-auth-password=itsasecret
}

 

And then you could send an email to John Doe using the mailx command.

~]$ echo "Example Message" | mailx -A default john.doe@example.com

 

And the /var/log/maillog on the Postfix / Dovecot system should have something like this.

Dec 15 13:21:53 ip-172-31-19-227 postfix/local[18952]: C64328F35E8: to=<john.doe@example.com>, relay=local, delay=0.01, delays=0/0.01/0/0, dsn=2.0.0, status=sent (delivered to maildir)

 

And if the Postfix / Dovecot system is set up to use Maildir instead of an mbox mailbox, /home/john.doe/Maildir/new should list the new email.

[john.doe@ip-172-31-19-227 ~]$ ll /home/john.doe/Maildir/new/
total 4
-rw------- 1 john.doe john.doe 2660 Dec 15 13:21 1671110513.Vca01I403900M825103.ip-172-31-19-227.ec2.internal
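As an added example (Python written for this page, not part of the article), the following pulls SASL logins, failed SASL logins and delivery status out of maillog lines and correlates them by queue id, which is how you confirm that the test message above actually arrived over an authenticated session. The postfix/local line is the one shown above; the two smtpd lines are constructed in Postfix's log format.

```python
import re

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<prog>[\w-]+)\[\d+\]: (?P<rest>.*)$")

# Constructed sample: the postfix/local line is the one shown in the article; the
# two smtpd lines are made up (same queue id) to show an authenticated session
# and a failed SASL login in Postfix's log format.
MAILLOG = """\
Dec 15 13:21:53 ip-172-31-19-227 postfix/smtpd[18950]: C64328F35E8: client=ip-172-31-19-100[172.31.19.100], sasl_method=PLAIN, sasl_username=john.doe
Dec 15 13:21:53 ip-172-31-19-227 postfix/local[18952]: C64328F35E8: to=<john.doe@example.com>, relay=local, delay=0.01, delays=0/0.01/0/0, dsn=2.0.0, status=sent (delivered to maildir)
Dec 15 13:25:10 ip-172-31-19-227 postfix/smtpd[18960]: warning: ip-172-31-19-100[172.31.19.100]: SASL PLAIN authentication failed: authentication failure
"""

def parse_fields(rest):
    """Turn 'QUEUEID: k=v, k=v' into (queue id, {k: v}); <...> brackets are stripped."""
    qid, _, body = rest.partition(": ")
    fields = {}
    for item in body.split(", "):
        key, sep, value = item.partition("=")
        if sep:
            fields[key] = value.strip("<>")
    return qid, fields

def summarize(text):
    """Collect SASL logins and delivery status per queue id, plus failed logins."""
    logins, delivered, failures = {}, {}, []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        if m.group("prog") == "smtpd" and "authentication failed" in rest:
            failures.append(rest.split(": ")[1])  # client host[ip]
            continue
        qid, fields = parse_fields(rest)
        if "sasl_username" in fields:
            logins[qid] = (fields["sasl_username"], fields["sasl_method"])
        if "status" in fields:
            delivered[qid] = fields["status"].split(" ")[0]  # sent, bounced, deferred
    return {"logins": logins, "delivered": delivered, "auth_failures": failures}

def authenticated_deliveries(summary):
    """Queue ids that were both SASL-authenticated at smtpd and delivered."""
    return sorted(q for q in summary["delivered"] if q in summary["logins"])
```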

 
