HOWTO run SASL with postfix on debian. this authenticates using saslauthd, so it checks against your standard user/password database (aka uses PAM).
0. install some packages (apt-get install):
postfix
postfix-tls
sasl2-bin
libsasl2
libsasl-module
libsasl2-dev
1. edit /etc/group, adding postfix to the sasl group (use vigr):
sasl:*:45:postfix
2. ensure /etc/default/saslauthd looks like this:
START=yes
MECHANISMS="pam"
3. make postfix not chroot. in /etc/postfix/master.cf, change
smtp inet n - - - - smtpd
to:
smtp inet n - n - - smtpd
4. ensure /etc/postfix/sasl/smtpd.conf looks like this:
pwcheck_method: saslauthd
mech_list: plain login
5. ensure /etc/pam.d/smtp looks like this:
auth required pam_unix.so nullok try_first_pass
6. in /etc/postfix/main.cf, add these lines for SASL:
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = /etc/postfix/sasl
and these lines for TLS (SSL encryption):
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
and make sure your smtpd_recipient_restrictions line includes permit_sasl_authenticated.
7. start SASL: /etc/init.d/saslauthd start
8. test that SASL works:
testsaslauthd -u paul -p something
0: OK "Success."
testsaslauthd -u paul -p somethingbad
0: NO "authentication failed"
9. make a certificate:
# cd /etc/postfix
# openssl req -new -outform PEM -out smtpd.cert -newkey rsa:2048 -nodes -keyout smtpd.key -keyform PEM -days 365 -x509
(follow prompts)
# chmod o= smtpd.key
10. restart postfix: postfix reload
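added example (not part of the original HOWTO): a shell check that reads a main.cf and confirms the step 6 settings are actually in effect, including restrictions split over continuation lines. the smtpd_tls_auth_only check is an assumption beyond the HOWTO: with mech_list plain login the password is only protected by TLS, and smtpd_use_tls = yes offers STARTTLS without requiring it. the function names and the sample file are made up for this example.

```shell
# added example, not from the HOWTO: audit a main.cf for the step 6 settings.

# get_param FILE NAME: print the value of NAME. continuation lines (leading
# whitespace) are joined, commas become spaces, the last assignment wins.
get_param() {
    awk -v name="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ { if (cur) val = val " " $0; next }
        {
            cur = 0; eq = index($0, "=")
            if (!eq) next
            key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
            if (key == name) { cur = 1; val = substr($0, eq + 1) }
        }
        END { gsub(/[ \t,]+/, " ", val); sub(/^ /, "", val); sub(/ $/, "", val); print val }
    ' "$1"
}

# has_word LIST WORD: succeed if WORD is one item of the space-separated LIST.
has_word() { case " $1 " in *" $2 "*) return 0 ;; esac; return 1; }

# audit_main_cf FILE: print one line per finding, return the number of findings.
audit_main_cf() {
    n=0
    [ "$(get_param "$1" smtpd_sasl_auth_enable)" = yes ] ||
        { echo "FAIL smtpd_sasl_auth_enable is not yes"; n=$((n + 1)); }
    has_word "$(get_param "$1" smtpd_sasl_security_options)" noanonymous ||
        { echo "FAIL smtpd_sasl_security_options lacks noanonymous"; n=$((n + 1)); }
    has_word "$(get_param "$1" smtpd_recipient_restrictions)" permit_sasl_authenticated ||
        { echo "FAIL smtpd_recipient_restrictions lacks permit_sasl_authenticated"; n=$((n + 1)); }
    # assumption beyond the HOWTO: without this, AUTH PLAIN/LOGIN is also
    # offered on connections that never issued STARTTLS.
    [ "$(get_param "$1" smtpd_tls_auth_only)" = yes ] ||
        { echo "WARN smtpd_tls_auth_only is not yes"; n=$((n + 1)); }
    return "$n"
}

# constructed sample: step 6 lines plus a made-up restrictions list.
sample=$(mktemp)
cat > "$sample" <<'EOF'
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_use_tls = yes
smtpd_recipient_restrictions =
    permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination
EOF
audit_main_cf "$sample" || echo "findings: $?"
rm -f "$sample"
```

to check the effective config rather than the file on disk, save the output of postconf -n to a file and pass that to audit_main_cf.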
update: to run this and leave postfix chroot:
skip step 1.
for step 2, this file should say:
PARAMS="-m /var/spool/postfix/var/run/saslauthd"
START=yes
MECHANISMS="pam"
for step 3, instead of editing master.cf:
mkdir /var/spool/postfix/var/run/saslauthd
update 2: With postfix 2.3 and dovecot, you use dovecot as an authentication server.