Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Programming
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Databases
Mail Systems
openSolaris
Eclipse Documentation
Techotopia.com
Virtuatopia.com

How To Guides
Virtualization
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Windows
Problem Solutions
Privacy Policy

  




 

 

Postfix Documentation
Previous Page Home Next Page

Cyrus SASL configuration for the Postfix SMTP server

In /usr/local/lib/sasl/smtpd.conf (Cyrus SASL version 1.5.5) or /usr/local/lib/sasl2/smtpd.conf (Cyrus SASL version 2.1.1) you need to specify how the server should validate client passwords.

Note: some Postfix distributions are modified and look for the smtpd.conf file in /etc/postfix.

Note: some Cyrus SASL distributions look for the smtpd.conf file in /etc/sasl2.

  • To authenticate against the UNIX password database, try:

    (Cyrus SASL version 1.5.5)
    /usr/local/lib/sasl/smtpd.conf:
        pwcheck_method: pwcheck
    
    
    (Cyrus SASL version 2.1.1)
    /usr/local/lib/sasl2/smtpd.conf:
        pwcheck_method: pwcheck
    

    The name of the file in /usr/local/lib/sasl (Cyrus SASL version 1.5.5) or /usr/local/lib/sasl2 (Cyrus SASL version 2.1.1) used by the SASL library for configuration can be set with:

    /etc/postfix/
    main.cf:
        smtpd_sasl_application_name = smtpd (Postfix < 2.3)
        
    smtpd_sasl_path = smtpd (Postfix 2.3 and later)
    

    The pwcheck daemon is contained in the cyrus-sasl source tarball.

    IMPORTANT: postfix processes need to have group read+execute permission for the /var/pwcheck directory, otherwise authentication attempts will fail.

  • Alternately, in Cyrus SASL 1.5.26 and later (including 2.1.1), try:

    (Cyrus SASL version 1.5.26)
    /usr/local/lib/sasl/smtpd.conf:
        pwcheck_method: saslauthd
    
    (Cyrus SASL version 2.1.1)
    /usr/local/lib/sasl2/smtpd.conf:
        pwcheck_method: saslauthd
    

    The saslauthd daemon is also contained in the cyrus-sasl source tarball. It is more flexible than the pwcheck daemon, in that it can authenticate against PAM and various other sources. To use PAM, start saslauthd with "-a pam".

  • To authenticate against Cyrus SASL's own password database:

    (Cyrus SASL version 1.5.5)
    /usr/local/lib/sasl/smtpd.conf:
        pwcheck_method:  sasldb
    
    (Cyrus SASL version 2.1.1)
    /usr/local/lib/sasl2/smtpd.conf:
        pwcheck_method:  auxprop
    

    This will use the Cyrus SASL password file (default: /etc/sasldb in version 1.5.5, or /etc/sasldb2 in version 2.1.1), which is maintained with the saslpasswd or saslpasswd2 command (part of the Cyrus SASL software). On some poorly-supported systems the saslpasswd command needs to be run multiple times before it stops complaining. The Postfix SMTP server needs read access to the sasldb file - you may have to play games with group access permissions. With the OTP authentication mechanism, the SMTP server also needs WRITE access to /etc/sasldb2 or /etc/sasldb (or the back end SQL database, if used).

    IMPORTANT: To get sasldb running, make sure that you set the SASL domain (realm) to a fully qualified domain name.

    EXAMPLE:

    (Cyrus SASL version 1.5.5)
    % saslpasswd -c -u `postconf -h 
    myhostname` exampleuser
    
    (Cyrus SASL version 2.1.1)
    % saslpasswd2 -c -u `postconf -h 
    myhostname` exampleuser
    

    You can find out SASL's idea about the realms of the users in sasldb with sasldblistusers (Cyrus SASL version 1.5.5) or sasldblistusers2 (Cyrus SASL version 2.1.1).

    On the Postfix side, you can have only one realm per smtpd instance, and only the users belonging to that realm would be able to authenticate. The Postfix variable smtpd_sasl_local_domain controls the realm used by smtpd:

    /etc/postfix/
    main.cf:
        
    smtpd_sasl_local_domain = $
    myhostname
    

IMPORTANT: all users must be able to authenticate using ALL authentication mechanisms advertised by Postfix, otherwise the negotiation might end up with an unsupported mechanism, and authentication would fail. For example if you configure SASL to use saslauthd for authentication against PAM (pluggable authentication modules), only the PLAIN and LOGIN mechanisms are supported and stand a chance to succeed, yet the SASL library would also advertise other mechanisms, such as DIGEST-MD5. This happens because those mechanisms are made available by other plugins, and the SASL library have no way to know that your only valid authentication source is PAM. Thus you might need to limit the list of mechanisms advertised by Postfix.

  • With older Cyrus SASL versions you remove the corresponding library files from the SASL plug-in directory (and again whenever the system is updated).

  • With Cyrus SASL version 2.1.1 or later:

    /usr/local/lib/sasl2/smtpd.conf:
        mech_list: plain login
    

For the same reasons you might want to limit the list of plugins used for authentication.

  • With Cyrus SASL version 1.5.5 your only choice is to delete the corresponding library files from the SASL plug-in directory.

  • With SASL version 2.1.1:

    /usr/local/lib/sasl2/smtpd.conf:
        pwcheck_method:  auxprop
        auxprop_plugin:  sql
    

To run software chrooted with SASL support is an interesting exercise. It probably is not worth the trouble.

Postfix Documentation
Previous Page Home Next Page