I'm running Postfix on Devuan and want to enable submission, so I need to configure SMTP authentication. I'm already using Cyrus as my IMAP-Server, so I think I'll have to use Cyrus-SASL. But how do I set that up and integrate it with Postfix?


1 Answer

First you need to install the required packages:

apt-get install libsasl2-modules sasl2-bin

and start saslauthd:

sed -i -e 's/^\(START=\).*/\1yes/' /etc/default/saslauthd
service saslauthd start

You also need an SSL certificate matching your mail server hostname. If your IMAP service is being accessed under the same hostname as the SMTP service, you can probably use the same certificate you already have configured in Cyrus. Otherwise you need to get a new one (self-signed, from Let's Encrypt, or from a commercial CA, depending on your requirements).

Put the certificate and key in /etc/ssl/certs and /etc/ssl/private respectively, add the user postfix to the group ssl-cert and make sure the key can be read by that group.

adduser postfix ssl-cert
chgrp ssl-cert /etc/ssl/private/mail.example.org.key
chmod g+r /etc/ssl/private/mail.example.org.key

Next add the following settings to /etc/postfix/main.cf:

# TLS
smtpd_tls_security_level = may
smtpd_tls_auth_only = no
smtpd_tls_CAfile = /etc/ssl/certs/ca.crt
smtpd_tls_cert_file = /etc/ssl/certs/mail.example.org.crt
smtpd_tls_key_file = /etc/ssl/private/mail.example.org.key
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

# authentication (assuming $myhostname = mail.example.org)
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_authenticated_header = yes
broken_sasl_auth_clients = yes

Create a file /etc/postfix/sasl/smtpd.conf with the following content:

pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN

Then create your users in the SASL database (the domain name should be the same one that you specified for smtpd_sasl_local_domain in main.cf):

saslpasswd2 -c -u mail.example.org username

Use sasldblistusers2 to list the existing users.

Uncomment the submission section in /etc/postfix/master.cf, then restart both postfix and saslauthd.

service saslauthd restart
service postfix restart

You can test authentication like this:

root@host:~ # telnet localhost 587
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.example.org ESMTP
ehlo example.org
250-mail.example.org
250-PIPELINING
250-SIZE 102400000
250-VRFY
250-ETRN
250-STARTTLS                   # ← these lines should
250-AUTH PLAIN LOGIN           # ← be present in the
250-AUTH=PLAIN LOGIN           # ← output
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8
auth login
334 VXNlcm5hbWU6
dXNlcm5hbWU=
334 UGFzc3dvcmQ6
UGFzc3cwcmQ=
235 2.7.0 Authentication successful
quit
Connection closed by foreign host.

The line 334 VXNlcm5hbWU6 is the prompt to enter the username; the line 334 UGFzc3dvcmQ6 is the prompt to enter the password. The two lines dXNlcm5hbWU= and UGFzc3cwcmQ= are the base64-encoded username and password. You can generate the encoded values e.g. like this:

root@host:~ # echo -n 'username' | base64
dXNlcm5hbWU=
root@host:~ # echo -n 'Passw0rd' | base64
UGFzc3cwcmQ=

Replace "username" and "Passw0rd" with the actual username and password.


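An added example, not part of the original answer: a Python check of what the server announces before STARTTLS. It parses an EHLO reply (the sample is constructed from the telnet session above), reports PLAIN or LOGIN being offered on a cleartext connection, and decodes the AUTH LOGIN strings to show they are only base64-encoded. The function names are this example's own, and probe() is a hypothetical helper built on the standard smtplib module.

```python
import base64
import smtplib

# Constructed sample: cleartext EHLO reply, shortened from the telnet session.
SAMPLE_EHLO = """\
250-mail.example.org
250-PIPELINING
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 SMTPUTF8"""

def parse_ehlo(reply):
    """Map each EHLO keyword to its set of parameters (line 1 is the hostname)."""
    caps = {}
    for line in reply.splitlines()[1:]:
        text = line[4:].strip().upper()
        if text.startswith("AUTH="):  # legacy form from broken_sasl_auth_clients
            text = "AUTH " + text[5:]
        if text:
            word, *params = text.split()
            caps.setdefault(word, set()).update(params)
    return caps

def audit_cleartext(caps):
    """Findings for capabilities announced before STARTTLS."""
    findings = []
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not offered")
    exposed = sorted(caps.get("AUTH", set()) & {"PLAIN", "LOGIN"})
    if exposed:
        findings.append("AUTH " + " ".join(exposed) + " offered without TLS; "
                        "set smtpd_tls_auth_only = yes")
    return findings

def decode_login(b64):
    """AUTH LOGIN prompts and replies are base64-encoded, not encrypted."""
    return base64.b64decode(b64).decode()

def probe(host, port=587):
    """Live variant (hypothetical helper): audit a server's pre-STARTTLS EHLO."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        return audit_cleartext({k.upper(): set(v.upper().split())
                                for k, v in smtp.esmtp_features.items()})

if __name__ == "__main__":
    print(audit_cleartext(parse_ehlo(SAMPLE_EHLO)))
    print([decode_login(s) for s in ("VXNlcm5hbWU6", "UGFzc3dvcmQ6")])
```

With smtpd_tls_auth_only = yes, Postfix announces AUTH only after STARTTLS has been negotiated, so the plain telnet test above will no longer show the AUTH lines.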