Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

2.2.7.5. Configuring Postfix to Use SASL

The Red Hat Enterprise Linux version of Postfix can use the Dovecot or Cyrus SASL implementations for SMTP Authentication (or SMTP AUTH). SMTP Authentication is an extension of the Simple Mail Transfer Protocol. When enabled, SMTP clients are required to authenticate to the SMTP server using an authentication method supported and accepted by both the server and the client. This section describes how to configure Postfix to make use of the Dovecot SASL implementation.
To install the Dovecot POP/IMAP server, and thus make the Dovecot SASL implementation available on your system, issue the following command as the root user:
~]# yum install dovecot
The Postfix SMTP server can communicate with the Dovecot SASL implementation using either a UNIX-domain socket or a TCP socket. The latter method is only needed in case the Postfix and Dovecot applications are running on separate machines. This guide gives preference to the UNIX-domain socket method, which affords better privacy.
In order to instruct Postfix to use the Dovecot SASL implementation, a number of configuration changes need to be performed for both applications. Follow the procedures below to effect these changes.
Setting Up Dovecot
  1. Modify the main Dovecot configuration file, /etc/dovecot/conf.d/10-master.conf, to include the following lines (the default configuration file already includes most of the relevant section, and the lines just need to be uncommented):
    service auth {
      unix_listener /var/spool/postfix/private/auth {
        mode = 0660
        user = postfix
        group = postfix
      }
    }
    The above example assumes the use of UNIX-domain sockets for communication between Postfix and Dovecot. It also assumes default settings of the Postfix SMTP server, which include the mail queue located in the /var/spool/postfix/ directory, and the application running under the postfix user and group. In this way, read and write permissions are limited to the postfix user and group.
    Alternatively, you can use the following configuration to set up Dovecot to listen for Postfix authentication requests via TCP:
    service auth {
      inet_listener {
        port = 12345
      }
    }
    In the above example, replace 12345 with the number of the port you want to use.
  2. Edit the /etc/dovecot/conf.d/10-auth.conf configuration file to instruct Dovecot to provide the Postfix SMTP server with the plain and login authentication mechanisms:
    auth_mechanisms = plain login
Setting Up Postfix
In the case of Postfix, only the main configuration file, /etc/postfix/main.cf, needs to be modified. Add or edit the following configuration directives:
  1. Enable SMTP Authentication in the Postfix SMTP server:
    smtpd_sasl_auth_enable = yes
  2. Instruct Postfix to use the Dovecot SASL implementation for SMTP Authentication:
    smtpd_sasl_type = dovecot
  3. Provide the authentication path relative to the Postfix queue directory (note that the use of a relative path ensures that the configuration works regardless of whether the Postfix server runs in a chroot or not):
    smtpd_sasl_path = private/auth
    This step assumes that you want to use UNIX-domain sockets for communication between Postfix and Dovecot. To configure Postfix to look for Dovecot on a different machine in case you use TCP sockets for communication, use configuration values similar to the following:
    smtpd_sasl_path = inet:127.0.0.1:12345
    In the above example, 127.0.0.1 needs to be substituted by the IP address of the Dovecot machine and 12345 by the port specified in Dovecot's /etc/dovecot/conf.d/10-master.conf configuration file.
  4. Specify SASL mechanisms that the Postfix SMTP server makes available to clients. Note that different mechanisms can be specified for encrypted and unencrypted sessions.
    smtpd_sasl_security_options = noanonymous, noplaintext
    smtpd_sasl_tls_security_options = noanonymous
    The above example specifies that during unencrypted sessions, no anonymous authentication is allowed and no mechanisms that transmit unencrypted usernames or passwords are allowed. For encrypted sessions (using TLS), only non-anonymous authentication mechanisms are allowed.
    See http://www.postfix.org/SASL_README.html#smtpd_sasl_security_options for a list of all supported policies for limiting allowed SASL mechanisms.
Additional Resources
The following online resources provide additional information useful for configuring Postfix SMTP Authentication through SASL.