Flexion.Org

Enabling SMTP Auth in Postfix

Postfix should only send email on behalf of the network it's serving. However, there are times when you might be working remotely and not have an SMTP server to send email through. In times like this, it would be nice to be able to use the remote Postfix server, but you shouldn't open it up to everyone, because an open server is exposed to relaying attacks.

The fix for this is SMTP Auth. When enabled, a client can send Postfix a username and password. If the credentials are correct, Postfix will send mail on behalf of that user no matter where they are.

Recent versions of Postfix have included support for Dovecot's new SASL library. This enables Postfix to look up the client credentials by using Dovecot as an authentication source. Basically, this allows us to use the '/etc/postfix/virtual/passwd' file for SMTP Auth.

You can check that the version of Postfix you are using supports the Dovecot SASL library by running:

 postconf -a

and checking that 'dovecot' is in the output.

Setting Up Postfix for SMTP Auth

Setting this up in Postfix involves a few extra lines in '/etc/postfix/main.cf':

 smtpd_sasl_auth_enable = yes
 smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
 broken_sasl_auth_clients = yes
 smtpd_sasl_type = dovecot
 smtpd_sasl_path = private/auth
  • The first line turns SMTP Auth on.
  • The second line modifies the Recipient Restriction rules. It tells Postfix to relay mail for machines in its network and for authenticated users, and to reject relaying for anyone else.
  • Line three fixes some bugs in clients such as Outlook.
  • Line four tells Postfix to use Dovecot for SASL.
  • Line five specifies where it can find the SASL socket. In this case, the full path will be:
    • '/var/spool/postfix/private/auth'
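
The following check is an added example, not part of the original wiki page or of Postfix. It parses main.cf text and reports where the settings above are missing or where the recipient restrictions are in an order that defeats them. The function names and the sample text are constructed for illustration, and the expected values are the ones this page uses.

```python
import re

# Values this page puts in /etc/postfix/main.cf for Dovecot SASL.
REQUIRED = {"smtpd_sasl_auth_enable": "yes", "smtpd_sasl_type": "dovecot",
            "smtpd_sasl_path": "private/auth"}

def parse_main_cf(text):
    """main.cf rules: '#' lines are comments, a line starting with
    whitespace continues the previous parameter, the last definition wins."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name is not None:
            params[name] += " " + line.strip()
        else:
            name, value = (part.strip() for part in line.partition("=")[::2])
            params[name] = value
    return params

def audit(text):
    """Return a list of findings; an empty list means the settings match the page."""
    params, findings = parse_main_cf(text), []
    for key, want in REQUIRED.items():
        if params.get(key) != want:
            findings.append(f"{key}: expected {want}, found {params.get(key)}")
    rules = re.split(r"[,\s]+", params.get("smtpd_recipient_restrictions", "").strip())
    if "reject_unauth_destination" not in rules:
        return findings + ["reject_unauth_destination missing from smtpd_recipient_restrictions"]
    # Restrictions are evaluated in order, so only rules before the reject matter here.
    before_reject = rules[:rules.index("reject_unauth_destination")]
    if "permit_sasl_authenticated" not in before_reject:
        findings.append("permit_sasl_authenticated must precede reject_unauth_destination")
    if "permit" in before_reject:
        findings.append("bare 'permit' accepts mail before the relay check")
    return findings

# Constructed sample: the page's settings, with one value split across two lines.
SAMPLE_OK = """\
# SMTP Auth via Dovecot
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination
broken_sasl_auth_clients = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
"""

if __name__ == "__main__":
    print(audit(SAMPLE_OK) or "main.cf matches the SMTP Auth setup")
```

To check a live server, pass the contents of '/etc/postfix/main.cf' to `audit()`.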

Setting Up Dovecot for SMTP Auth

Since Dovecot will be authenticating on behalf of Postfix, some configuration needs to take place. Inside '/etc/dovecot/dovecot.conf', add the following under the auth section:

 socket listen {
   client {
     path = /var/spool/postfix/private/auth
     mode = 0660
     user = postfix
     group = postfix
   }
 }

All this is doing is making Dovecot set up a socket called '/var/spool/postfix/private/auth' as user and group postfix and wait for requests. When a request is received, it will try to authenticate the user.

If your mail client supports SMTP Auth as well as TLS for the outbound mail server, you can test this out by sending an email with these options enabled. You can verify it works by purposely typing in the wrong password and checking that you get an authentication error.

$Id: PostfixSMTPAuth,v 1.4 2008/01/04 16:32:28 martin Exp www-data $
