Postfix with SASL-Authentication in Debian – Jonas Genannt

I think SMTP-AUTH is very important! Here is a short HowTo for Postfix with sasl authentication against shadow.

First install the necessary packages:
apt-get install postfix-tls libsasl2-modules sasl2-bin

Open the /etc/default/saslauthd for the configuration.

# This needs to be uncommented before saslauthd will be run automatically
# You must specify the authentication mechanisms you wish to use.
# This defaults to « pam » for PAM support, but may also include
# « shadow » or « sasldb », like this:
MECHANISMS= »shadow »

PARAMS= »-m /var/spool/postfix/var/run/saslauthd/ »
PIDFILE= »/var/spool/postfix/var/run/${NAME}/ »

Postfix have to know which authentication mode the daemon will use.
You can define this in the /etc/postfix/sasl/smtpd.conf! (chmod 0644)

saslauthd_path: /var/run/saslauthd/mux
pwcheck_method: saslauthd
mech_list: plain login

Then configure the postfix to ask for a username and password then anybody will send a mail to the server.
Add the following lines to the /etc/postfix/main.cnf

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
smtp_sasl_auth_enable = no
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, permit_sasl_authenticated, reject_unauth_destination

For security reason you should change that postfix runs in a chroot environment. You can change that in the /etc/postfix/master.cnf

smtp inet n – y – – smtpd

(Change the – to y!)

Create now the directory for the saslauthd:
mkdir -p /var/spool/postfix/var/run/saslauthd

Set the right directory permission:
chown root.sasl -R /var/spool/postfix/var/

Instead that dpkg change the permission we have to create an override for dpkg!
dpkg-statoverride –add root sasl 710 /var/spool/postfix/var/run/saslauthd

At last postfix musst have the right permission to speak to the saslauthd daemon, add postfix to the sasl group.
adduser postfix sasl

Restart postfix and saslauthd and try to send a mail to the mailserver.

(Don’t forget to set a username and a password in your mailclient for mailsending) 🙂

Retour en haut