If you run Postfix as a mail server to receive emails from the Internet as well as send out emails from the internal network to the Internet, you probably have the following scenario.
- Emails from the Internet should be received without authentication. Other mail servers should be able to deliver emails without having to login first. They most likely don’t have an internal account they could use to log into your email server.
- On the other hand, if users send emails from your internal network to the outside or to each other, they should authenticate first. At least they are using your domain name in their email address, and this privilege should only be available for legitimate users.
Postfix uses SASL to authenticate SMTP logins. SASL is able to use all sorts of backends for authentication. In the following example we use PAM to authenticate user logins. In larger corporate environments, you may want to connect SASL to your internal LDAP database.
These are the steps to install and configure saslauthd. Postfix should already be configured and running.
- Install the package sasl2-bin.
- Insert the following lines into your Postfix configuration /etc/postfix/main.cf:

```
smtpd_sasl_auth_enable = yes
smtpd_sasl_service = smtpd
smtpd_tls_auth_only = yes
broken_sasl_auth_clients = yes
…
smtpd_recipient_restrictions =
    …
    # The order of recipient restrictions is important, so be careful where to insert the next line
    permit_sasl_authenticated,
    …
```

- Create the following file: /etc/postfix/sasl/smtpd.conf

```
pwcheck_method: saslauthd
log_level: 10
mech_list: PLAIN LOGIN
saslauthd_path: /var/spool/postfix/var/run/saslauthd/mux
```

- Create the following directory: /var/spool/postfix/var/run/saslauthd

```
sudo mkdir -p /var/spool/postfix/var/run/saslauthd
```

- Add the user postfix to the sasl group so that it can access the socket directory:

```
sudo usermod -aG sasl postfix
```

- Create the following file: /etc/pam.d/smtpd

```
auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/postfix/sasl-group.allowed
@include common-auth
@include common-account
@include common-password
@include common-session
```

- Create the following file: /etc/postfix/sasl-group.allowed

```
smtp
```

- Add the local user accounts that should be allowed to log in via the smtpd service to the local group "smtp":

```
sudo usermod -aG smtp alice
sudo usermod -aG smtp bob
…
```

- Edit the following lines in /etc/default/saslauthd:

```
MECHANISMS="pam"
OPTIONS="-m /var/spool/postfix/var/run/saslauthd"
```

- Enable and start the saslauthd service:

```
sudo systemctl enable saslauthd
sudo systemctl start saslauthd
```

- Reload the postfix service:

```
sudo systemctl reload postfix
```
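The following script is added here as an example and is not part of the original post. It checks a main.cf for the settings from the steps above: it flattens Postfix continuation lines, verifies smtpd_sasl_auth_enable and smtpd_tls_auth_only, and confirms that permit_sasl_authenticated is listed before any reject_* rule in smtpd_recipient_restrictions, since Postfix evaluates restrictions in order. The config path is passed by the caller.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a Postfix main.cf
# for the SASL settings described in the steps above.

# Flatten main.cf into one "name = value" line per parameter: comment lines
# are dropped and lines starting with whitespace are joined to the previous
# parameter, which is how Postfix itself reads the file.
flatten_main_cf() {
    awk '/^[[:space:]]*#/ { next }
         /^[[:space:]]/   { cur = cur " " $0; next }
         { if (cur != "") print cur; cur = $0 }
         END { if (cur != "") print cur }' "$1" |
    tr -s ' \t' ' ' | sed 's/[[:space:]]*$//'
}

# get_param FILE NAME: value of the last definition of NAME, or empty.
get_param() {
    flatten_main_cf "$1" | sed -n "s/^$2 *= *//p" | tail -n 1
}

# check_sasl_config FILE: returns 0 when SASL auth is enabled, restricted to
# TLS sessions, and permit_sasl_authenticated is listed in
# smtpd_recipient_restrictions before any reject_* rule. Postfix evaluates
# restrictions in order, so a reject_* rule placed earlier would refuse
# authenticated users before their login is ever considered.
check_sasl_config() {
    rc=0
    [ "$(get_param "$1" smtpd_sasl_auth_enable)" = yes ] ||
        { echo "smtpd_sasl_auth_enable must be yes"; rc=1; }
    [ "$(get_param "$1" smtpd_tls_auth_only)" = yes ] ||
        { echo "smtpd_tls_auth_only must be yes, or passwords cross the wire in clear"; rc=1; }
    order=$(get_param "$1" smtpd_recipient_restrictions | tr ', ' '\n\n' |
        awk '/^permit_sasl_authenticated$/ && !p { p = NR }
             /^reject_/ && !r { r = NR }
             END { if (!p) print "missing"; else if (r && r < p) print "late"; else print "ok" }')
    case "$order" in
        ok) ;;
        missing) echo "permit_sasl_authenticated missing from smtpd_recipient_restrictions"; rc=1 ;;
        late) echo "permit_sasl_authenticated comes after a reject_ rule"; rc=1 ;;
    esac
    return "$rc"
}

# Usage: sh check_sasl.sh /etc/postfix/main.cf
[ -n "$1" ] && check_sasl_config "$1"
```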
Important
Integrating saslauthd with the PAM module pam_listfile is crucial. Otherwise SASL authentication could be misused to guess passwords of all your local user accounts, including root. If you follow the steps above, only users that belong to the group “smtp” are allowed to login via the smtpd service.