Monthly Archives: February 2021

SASL authentication with Postfix (Ubuntu 18.04)

Leave a reply

If you run Postfix as a mail server to receive emails from the Internet as well as send out emails from the internal network to the Internet, you probably have the following scenario.

  1. Emails from the Internet should be received without authentication. Other mail servers should be able to deliver emails without having to login first. They most likely don’t have an internal account they could use to log into your email server.
  2. On the other hand, if users send emails from your internal network to the outside or to each other, they should authenticate first. At least they are using your domain name in their email address, and this privilege should only be available for legitimate users.

Postfix uses SASL to authenticate SMTP logins. SASL is able to use all sorts of backends for authentication. In the following example we use PAM to authenticate user logins. In larger corporate environments, you may want to connect SASL to your internal LDAP database.

These are the steps to install and configure saslauthd. Postfix should already be configured and running.

  • Install package sasl2-bin
  • Insert the follwing lines into your Postfix configuration /etc/postfix/main.cf
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_service = smtpd
    smtpd_tls_auth_only = yes
    broken_sasl_auth_clients = yes

    smtpd_recipient_restrictions =

    # The order of recipient restrictions is important, so be careful where to insert the next line
           permit_sasl_authenticated,
  • Create the following file: /etc/postfix/sasl/smtpd.conf
    pwcheck_method:saslauthd
    log_level: 10
    mech_list: PLAIN LOGIN
    saslauthd_path: /var/spool/postfix/var/run/saslauthd/mux
  • Create the following directory: /var/spool/postfix/var/run/saslauthd
    sudo mkdir -p /var/spool/postfix/var/run/saslauthd
  • Add the user postfix to the sasl group so he is able to access the socket directory:
    sudo usermod -aG sasl postfix
  • Create the following file: /etc/pam.d/smtpd
    auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/postfix/sasl-group.allowed
    @include common-auth
    @include common-account
    @include common-password
    @include common-session
  • Create the following file: /etc/postfix/sasl-group.allowed
    smtp
  • Add local user accounts that should be allowed to login via the smtpd service to the local group “smtp”:
    sudo usermod -aG smtp alice
    sudo usermod -aG smtp bob
  • Edit the following lines in /etc/default/saslauthd
    MECHANISMS=”pam”
    OPTIONS=”-m /var/spool/postfix/var/run/saslauthd”
  • Enable and start the saslauthd service:
    sudo systemctl enable saslauthd
    sudo systemctl start saslauthd
  • Reload the postfix service:
    sudo systemctl reload postfix

Important

Integrating saslauthd with the PAM module pam_listfile is crucial. Otherwise SASL authentication could be misused to guess passwords of all your local user accounts, including root. If you follow the steps above, only users that belong to the group “smtp” are allowed to login via the smtpd service.