Dovecot SASL with Postfix

SMTP Authentication (SMTP AUTH) is an access control mechanism: the server relays mail only for users who have authenticated, and anyone who does not authenticate is denied. Since version 2.3, Postfix supports SMTP AUTH through Dovecot SASL (available in Dovecot since 1.0). You can check whether your Postfix installation was compiled with SASL support with the command:

  # postconf -a

Configure Dovecot SASL

The POP/IMAP server Dovecot naturally has its own client authentication for POP/IMAP. When Postfix uses Dovecot SASL, it re-uses this configuration. Communication goes through a Unix socket. The path to the socket and the list of authentication mechanisms offered must be specified in dovecot.conf. Here is what to add to the existing Dovecot configuration file:

  auth default {
    mechanisms = plain login
    socket listen {
      client {
        # A socket exported for use by a client,
        # here our Postfix SMTP server
        path = /var/run/dovecot/auth-client
        mode = 0660
        user = postfix
        group = postfix
      }
    }
  }

Then restart Dovecot:

  # service dovecot restart

The Postfix side

Now we must tell Postfix how to use SASL. By default it uses Cyrus SASL, so we must explicitly tell it to use the Dovecot mechanism, give it the path to the socket, and set a few security options. Here is the SASL part to add to main.cf:

  # Use Dovecot SASL
  smtpd_sasl_type = dovecot
  # Path to the Unix socket
  smtpd_sasl_path = /var/run/dovecot/auth-client
  # Enable SASL
  smtpd_sasl_auth_enable = yes
  # Some fairly self-explanatory security options
  smtpd_recipient_restrictions = permit_mynetworks,
      permit_sasl_authenticated, reject_unauth_destination
  # This ensures compatibility with older clients (e.g. Outlook).
  broken_sasl_auth_clients = yes
  # No anonymous logins
  smtpd_sasl_security_options = noanonymous

We reload Postfix:

  # postfix reload

Testing the Configuration

The configuration is complete; it is time to test that SMTP AUTH works properly, using telnet:

  $ telnet mail.example.net 25
  Trying 90.112.151.15...
  Connected to mail.example.net.
  Escape character is '^]'.
  220 mail.example.net ESMTP Postfix
  EHLO localhost
  250-mail.example.net
  250-PIPELINING
  250-SIZE 10240000
  250-VRFY
  250-ETRN
  250-AUTH PLAIN LOGIN
  250-AUTH=PLAIN LOGIN
  250-ENHANCEDSTATUSCODES
  250-8BITMIME
  250 DSN

We see the two lines indicating that SASL AUTH is available. Why two lines? The second one, with the equals sign, is there for compatibility with older clients (the optional broken_sasl_auth_clients = yes setting).

  MAIL FROM: <lulu>
  250 2.1.0 Ok
  RCPT TO: fabien@feub.net
  554 5.7.1 <fabien@feub.net>: Relay access denied

Relaying is denied, so we now have to authenticate with the AUTH command. Be careful: in telnet you must encode the username/password pair in base64 yourself, for example with:

  $ echo -ne '\000username\000password' | openssl base64

Which gives:

  AUTH PLAIN AGhvbnTHY3RAZmDiavVuKikI7hbm5uZVBAc3BjKXRuoJWsK
  235 2.0.0 Authentication successful
  RCPT TO: fabien@feub.net
  250 2.1.5 Ok
  DATA
  354 End data with <CR><LF>.<CR><LF>
  Yes!
  .
  250 2.0.0 Ok: queued as E72163EB1E
  quit
  221 2.0.0 Bye
  Connection closed by foreign host.

The message should be delivered shortly.
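As an added example (not part of the original post), the following Python script builds the SASL PLAIN token that the echo command above produces, decodes a token back into its fields to catch the usual shell mistakes (unexpanded \000 escapes, trailing newline), and checks an EHLO banner for the two AUTH lines discussed earlier. The EHLO text and the credentials are constructed sample data.

```python
import base64


def sasl_plain_token(username: str, password: str, authzid: str = "") -> str:
    """Build the base64 initial response for SASL PLAIN (RFC 4616):
    authzid NUL authcid NUL password. The page's echo command uses an
    empty authzid, so the server derives it from the username."""
    message = authzid.encode() + b"\0" + username.encode() + b"\0" + password.encode()
    return base64.b64encode(message).decode("ascii")


def decode_sasl_plain_token(token: str) -> dict:
    """Decode an AUTH PLAIN token into its three fields. Raises ValueError
    when the token does not contain exactly two NUL separators (the shell
    left '\\000' unexpanded) or when the password carries a trailing newline
    (echo was run without -n), both of which make the server reject the login."""
    raw = base64.b64decode(token, validate=True)
    parts = raw.split(b"\0")
    if len(parts) != 3:
        raise ValueError(f"expected 3 NUL-separated fields, got {len(parts)}")
    authzid, authcid, password = (p.decode("utf-8") for p in parts)
    if password.endswith("\n"):
        raise ValueError("trailing newline in password: use echo -n or printf")
    return {"authzid": authzid, "authcid": authcid, "password": password}


def advertised_auth_mechanisms(ehlo_response: str) -> set:
    """Return the mechanisms announced in an EHLO response, accepting both the
    standard '250-AUTH PLAIN LOGIN' line and the '250-AUTH=PLAIN LOGIN' line
    that broken_sasl_auth_clients = yes adds for old clients. PLAIN and LOGIN
    carry the password in clear, so they should only be offered over TLS."""
    mechs = set()
    for line in ehlo_response.splitlines():
        line = line.strip()
        if line[:4] in ("250-", "250 ") and line[4:].upper().startswith(("AUTH ", "AUTH=")):
            mechs.update(line[8:].lstrip("= ").split())
    return mechs


# Constructed EHLO reply, modelled on the telnet session above
SAMPLE_EHLO = (
    "250-mail.example.net\n250-PIPELINING\n250-SIZE 10240000\n"
    "250-AUTH PLAIN LOGIN\n250-AUTH=PLAIN LOGIN\n250-8BITMIME\n250 DSN\n"
)

if __name__ == "__main__":
    token = sasl_plain_token("username", "password")  # constructed credentials
    print("AUTH PLAIN", token)
    print(decode_sasl_plain_token(token))
    print("server offers:", sorted(advertised_auth_mechanisms(SAMPLE_EHLO)))
```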
