Authentification SASL SMTP Postfix

SMTP AUTH for Postfix

This is yet another SMTP AUTH setup guide. It is based on my experiences using Postfix 2.1.5 and CMU Cyrus SASL (saslauthd) 2.1.19 on a Debian (Sarge) system to authenticate against an OpenLDAP server. I’m assuming that Postfix and LDAP are already configured. Installing saslauthd

I installed the SASL packages in Debian by running:

Alternately, you can obain the cyrus-sasl source from and build saslauthd yourself:

Configuring saslauthd

In Debian, configuration defaults for startup scripts are often in /etc/default/. saslauthd is no exception. Edit /etc/default/saslauthd as needed, e.g.:

Then edit /etc/saslauthd.conf to specify the LDAP servers and search base:

Running saslauthd

Now you’re ready to run saslauthd. In Debian, the init script is /etc/init.d/saslauthd Start saslauthd with /etc/init.d/saslauthd start. (To stop saslauthd, run /etc/init.d/saslauthd stop.)

First verify that saslauthd is running with ps aux | grep sasl. (Note: for LDAP support the process should be running as /usr/sbin/saslauthd -a ldap.) Then use testsaslauthd to test authentication against the LDAP server. Run:

If it’s working, you should see

Configuring Postfix

In Debian postfix is run by user postfix, whose home directory is /var/spool/postfix/. The postfix user must have access to saslauthd. Use vigrp to add user postfix to the sasl group and move the saslauthd directory:

Specify the password check method by editing /etc/postfix/sasl/smtpd.conf:

Finally, edit /etc/postfix/ Add the following lines:

Additionally, you must add permit_sasl_authenticated to the smtpd_receipient_restrictions stanza. For example:

Check the postfix configuration syntax by running /etc/init.d/postfix check. If there is no output, the configuration is valid. Restart postfix with /etc/init.d/postfix restart (or reload the configuration with /etc/init.d/postfix reload and wait for the config file to be reloaded). Testing

Verify that postfix is running and has authentication enabled by telneting to port 25 on the mail server (telnet 25). You should see something like:

Once connected, type ehlo localhost You should see something like:

The important part is the AUTH lines. Use ^] to disconnect.

The last step is to test with a mail client. mutt requires a patch, so I used pine. This required me to change one line in my existing .pinerc config file:

(where username is a valid username).

While testing, use tail -f /var/log/mail.log to watch for errors. See also

Laisser un commentaire

Votre adresse de messagerie ne sera pas publiée. Les champs obligatoires sont indiqués avec *