Dovecot SASL with Postfix
SMTP Authentication (SMTP AUTH) is an access control mechanism: clients that authenticate are allowed to relay mail through the server, and anyone who does not authenticate is denied. Since version 2.3, Postfix supports SMTP AUTH through Dovecot SASL (available since Dovecot 1.0). You can check whether your Postfix build was compiled with SASL support, and which SASL server implementations it can use, with:
# postconf -a
Configure Dovecot SASL
The Dovecot POP/IMAP server naturally has its own authentication of POP/IMAP clients. When Postfix uses Dovecot SASL, it reuses that configuration. Communication goes through a Unix socket; the socket path and the list of authentication mechanisms offered must be declared in dovecot.conf. Here is what to add to the existing Dovecot configuration (Dovecot 1.x syntax):
auth default {
  mechanisms = plain login
  socket listen {
    client {
      # A socket exported for use by a client,
      # here our Postfix SMTP server
      path = /var/run/dovecot/auth-client
      mode = 0660
      user = postfix
      group = postfix
    }
  }
}
Restart Dovecot:
# service dovecot restart
The Postfix side
Now we must tell Postfix how to use SASL. By default it uses Cyrus SASL, so we must explicitly say that we use the Dovecot implementation, give it the path to the socket, and set a few security options. Here is the SASL part to add to main.cf:
# Use Dovecot SASL
smtpd_sasl_type = dovecot
# Path to the Unix socket
smtpd_sasl_path = /var/run/dovecot/auth-client
# Enable SASL authentication
smtpd_sasl_auth_enable = yes
# Relay only for our own networks and authenticated clients
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination
# Compatibility with older clients (e.g. Outlook)
broken_sasl_auth_clients = yes
# No anonymous logins
smtpd_sasl_security_options = noanonymous
Two caveats. First, if smtpd runs chrooted (see master.cf), smtpd_sasl_path is resolved inside the chroot, so the socket must be created under the Postfix queue directory and referenced with a relative path (for example private/auth under /var/spool/postfix). Second, PLAIN and LOGIN send the password base64-encoded but otherwise in the clear; on a server reachable from the Internet, only allow AUTH once TLS is established (smtpd_tls_auth_only = yes), or add noplaintext to smtpd_sasl_security_options and keep smtpd_sasl_tls_security_options = noanonymous so that plaintext mechanisms are offered inside TLS only. Then reload Postfix:
# postfix reload
Testing the Configuration
The configuration is complete; it is time to test that SMTP AUTH works properly, using telnet:
$ telnet mail.example.net 25
Trying 90.112.151.15...
Connected to mail.example.net.
Escape character is '^]'.
220 mail.example.net ESMTP Postfix
EHLO localhost
250-mail.example.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
We see the two lines indicating that SASL AUTH is in effect. Why two lines? The second one, with the equal sign, is for compatibility with older clients (the broken_sasl_auth_clients = yes option).
MAIL FROM:<lulu>
250 2.1.0 Ok
RCPT TO:<fabien@feub.net>
554 5.7.1 <fabien@feub.net>: Relay access denied
Relaying is denied; we now have to authenticate with the AUTH command. Beware: with telnet it is up to you to encode the NUL-separated authorization identity (left empty), username and password in base64, for example with:
$ echo -ne '\000username\000password' | openssl base64
Which gives:
AUTH PLAIN AGhvbnTHY3RAZmDiavVuKikI7hbm5uZVBAc3BjKXRuoJWsK
235 2.0.0 Authentication successful
RCPT TO:<fabien@feub.net>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
Yes!
.
250 2.0.0 Ok: queued as E72163EB1E
quit
221 2.0.0 Bye
Connection closed by foreign host.
The message should be delivered shortly.
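As an added example that is not part of the original post, the following Python script does the encoding step of the test above without depending on echo -e, decodes a captured AUTH PLAIN argument back into its three fields (exactly what anyone watching an unencrypted port 25 session can do), and reads the mechanisms advertised in an EHLO reply, including the legacy AUTH= line. The EHLO reply embedded in it is a constructed copy of the one shown above, and the function names are my own, not Postfix or Dovecot APIs.

```python
"""Added example: SASL PLAIN encoding/decoding and EHLO parsing for the
SMTP AUTH test above (not code from the original post)."""
from __future__ import annotations

import base64
import re


def sasl_plain_encode(username: str, password: str, authzid: str = "") -> str:
    """Build the AUTH PLAIN initial response (RFC 4616):
    base64( authzid NUL authcid NUL passwd ).
    With an empty authzid this is what echo -ne '\\000user\\000pass' produces."""
    for field in (authzid, username, password):
        if "\0" in field:
            raise ValueError("NUL is the field separator and cannot appear in a field")
    raw = f"{authzid}\0{username}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def sasl_plain_decode(blob: str) -> tuple[str, str, str]:
    """Inverse of the above: recover (authzid, authcid, passwd) from the
    argument of an AUTH PLAIN command, e.g. one seen in a packet capture.
    This is why PLAIN must only be offered inside TLS."""
    raw = base64.b64decode(blob, validate=True)
    parts = raw.split(b"\0")
    if len(parts) != 3:
        raise ValueError("AUTH PLAIN payload must contain exactly three NUL-separated fields")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    return authzid, authcid, passwd


# Matches both "250-AUTH PLAIN LOGIN" and the legacy "250-AUTH=PLAIN LOGIN".
_AUTH_LINE = re.compile(r"^250[- ]AUTH(?P<sep>[= ])(?P<mechs>.*)$")


def ehlo_auth_mechanisms(ehlo_reply: str) -> tuple[set[str], bool]:
    """Return the SASL mechanisms advertised in a multi-line EHLO reply and
    whether the legacy 'AUTH=' form (Postfix broken_sasl_auth_clients = yes)
    was present as well."""
    mechs: set[str] = set()
    legacy = False
    for line in ehlo_reply.splitlines():
        m = _AUTH_LINE.match(line.strip())
        if m is None:
            continue
        if m.group("sep") == "=":
            legacy = True
        mechs.update(m.group("mechs").upper().split())
    return mechs, legacy


def starttls_offered(ehlo_reply: str) -> bool:
    """True if the server advertises STARTTLS; without it, AUTH PLAIN/LOGIN
    on port 25 sends the password in the clear (base64 is not encryption)."""
    return any(re.match(r"^250[- ]STARTTLS$", l.strip()) for l in ehlo_reply.splitlines())


# Constructed sample: the EHLO reply from the telnet session above, re-typed.
SAMPLE_EHLO = """\
250-mail.example.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

if __name__ == "__main__":
    blob = sasl_plain_encode("username", "password")
    print("AUTH PLAIN", blob)
    print("decoded:", sasl_plain_decode(blob))
    print("mechanisms, legacy AUTH= line:", ehlo_auth_mechanisms(SAMPLE_EHLO))
    print("STARTTLS offered:", starttls_offered(SAMPLE_EHLO))
```

Running the script prints the same AUTH PLAIN argument that the openssl one-liner in the text produces for username/password, and the parse of the sample reply reports two mechanisms, the legacy AUTH= line, and no STARTTLS; that last point is the one to address before exposing AUTH on port 25.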
