Configure Postfix and Dovecot

1. Edit the file /etc/dovecot/conf.d/10-master.conf and make sure your service auth section has the lines below.

service auth {	
  unix_listener /var/spool/postfix/private/auth {
	mode = 0666
	user = postfix
	group = postfix
  }	
}

2. Edit the file /etc/dovecot/conf.d/10-auth.conf and update the line below.

auth_mechanisms = plain login

3. Edit /etc/postfix/main.cf, find the keys below and change its values as follows or add it at the bottom of the file if the key (the word before the = sign) cannot be found.

mynetworks = 127.0.0.0/8
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =  permit_mynetworks, 
    permit_sasl_authenticated, 
    reject_unauth_destination
broken_sasl_auth_clients = yes

4. Configure SELinux using the commands below. Here’s the content of postfixdovecotsasl.te

wget linuxmail.info/files/rhel6/postfixdovecotsasl.te
checkmodule -M -m -o postfixdovecotsasl.mod postfixdovecotsasl.te
semodule_package -o postfixdovecotsasl.pp -m postfixdovecotsasl.mod
semodule -i postfixdovecotsasl.pp

5. Restart the Dovecot and Postfix service. But if you installed MailScanner, restart MailScanner instead of Postfix. Learn how to restart services here.

Test Postfix

In a Terminal window, type in the highlighted commands below.

Sample postfix session

[root@mail ~]# telnet mail smtp

Replace mail with the name of your server. We should not use localhost since localhost is a trusted client ip address. And make sure the domain name you specified does not resolve to 127.0.0.1 which is the IP address of localhost.

Trying 192.168.0.1...
Connected to mail.acme.local (192.168.0.1).
Escape character is '^]'.
220 mail.acme.local ESMTP Postfix
ehlo localhost
250-mail.acme.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Note the new 250-AUTH lines. See the old SMTP Telnet Test.

mail from:<johndoe>
250 2.1.0 Ok
rcpt to:<test@example.com>
554 5.7.1 <test@example.com>: Relay access denied

It works, now to check if we can send it after authenticating.

auth plain AGpvaG5kb2UAcGFzc3dvcmQ=
235 2.0.0 Authentication successful
rcpt to:<test@example.com>
250 2.1.5 Ok
quit
221 2.0.0 Bye
Connection closed by foreign host.
[root@mail ~]#

You can send to email addresses belonging to your domain without authentication. This is normal as it enables you to receive mail from the outside.

The gibberish text after AUTH PLAIN is the base64 encoded value of the user name johndoe and password password. You can generate your own base64 text using the form below.

If you encounter any problems, check the log file at /var/log/maillog.

Thanks to the new SASL support in Dovecot 1.0 and the new Dovecot SASL support in Postfix 2.3, setting up SMTP authentication is now easier. Instead of setting up two separate authentication for Postfix and Dovecot, we can now just setup the authentication in Dovecot and just let Postfix talk to Dovecot.

Configure Postfix and Dovecot

1. Edit the file /etc/dovecot.conf and make sure your auth default section has the lines below.

auth default {	
  socket listen {
    client {
	  path = /var/spool/postfix/private/auth
	  mode = 0660
	  user = postfix
	  group = postfix
    }
  }	
  mechanisms = plain login
}

If you are using Ubuntu, edit /etc/dovecot/dovecot.conf.

2. Edit /etc/postfix/main.cf, find the keys below and change its values as follows or add it at the bottom of the file if the key (the word before the = sign) cannot be found.

mynetworks = 127.0.0.0/8
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =  permit_mynetworks, 
    permit_sasl_authenticated, reject_unauth_destination
broken_sasl_auth_clients = yes

3. Restart the Dovecot and Postfix service. But if you installed MailScanner, restart MailScanner instead of Postfix.

Test Postfix

In a Terminal window, type in the highlighted commands below.

Sample postfix session

[root@mail ~]# telnet mail smtp

Replace mail with the name of your server. We should not use localhost since localhost is a trusted client ip address. And make sure the domain name you specified does not resolve to 127.0.0.1 which is the IP address of localhost.

Trying 192.168.0.1...
Connected to mail.acme.local (192.168.0.1).
Escape character is '^]'.
220 mail.acme.local ESMTP Postfix
ehlo localhost
250-mail.acme.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Note the new 250-AUTH lines. See the old SMTP Telnet Test.

mail from:<johndoe>
250 2.1.0 Ok
rcpt to:<test@example.com>
554 5.7.1 <test@example.com>: Relay access denied

It works, now to check if we can send it after authenticating.

auth plain AGpvaG5kb2UAcGFzc3dvcmQ=
235 2.0.0 Authentication successful
rcpt to:<test@example.com>
250 2.1.5 Ok
quit
221 2.0.0 Bye
Connection closed by foreign host.
[root@mail ~]#

You can send to email addresses belonging to your domain without authentication. This is normal as it enables you to receive mail from the outside.

The gibberish text after AUTH PLAIN is the base64 encoded value of the user name johndoe and password password. You can generate your own base64 text using the form below.

If you encounter any problems, check the log file at /var/log/maillog (mail.log in Ubuntu).

Setup and Configure Kerberos

The steps below describes how to configure Kerberos using the GUI tool. You can apply the changes manually by editing the file /etc/krb5.conf.

The Kerberos network authentication protocol requires the clocks of the involved machines to be synchronized or at least the difference is less than 5 minutes.

1. Click System, select Administration and click Authentication. This will launch the Authentication Configuration window.

2. Click the Authentication tab and check the Enable Kerberos Support. Next, click the Configure Kerberos button.

3. In the Kerberos Settings window, fill in the Realm, clear out KDC and Admin Servers and check the Use DNS to locate KDCs for realms. Realm is usually your domain name capitalized, capitalization is important. KDC is your Active Directory server. Click Ok when you’re done.

To make sure that your KDC can be automatically located, type in the command host -t any _kerberos._tcp.acme.local in a terminal window. Replace acme.local with your own realm. If it replies “_kerberos._tcp.acme.local has SRV record …” then it works, otherwise you’ll have to fill in the KDC field above. This is how the Windows workstation is able to find the domain controller during domain logon.

4. Uncheck the Enable Kerberos Support and click Ok. We don’t actually want to use Kerberos authentication in Linux, we just want the tool to setup Kerberos for us.

5. Test Kerberos by typing in kinit username in a terminal window. If you need help in making sense of the kinit error messages, check out Test the Kerberos Authentication.

Configuring Cyrus SASL

1. Edit the file /etc/pam.d/smtp and replace the content with the lines below.

auth     sufficient pam_krb5.so no_user_check validate
account  sufficient pam_permit.so

2. Restart the saslauthd service.

3. Test saslauthd by typing in the command below in a terminal window.

testsaslauthd -u username -p password -s smtp

Cyrus SASL is now configured to authenticate against an Active Directory server. Proceed to Postfix SMTP Authentication for instructions on configuring Postfix. Or restart Postfix or MailScanner and jump directly to the Test Postfix using Telnet part if you have already done so.

If you are using Red Hat Enterprise Linux 5 or CentOS 5, please read Postfix SMTP Authentication and Dovecot SASL instead. It’s a lot easier to setup and you won’t have to duplicate your Dovecot authentication setup into SASL.

Configure SASL

1. Edit the file /usr/lib/sasl2/smtpd.conf (/usr/lib64/sasl2/smtpd.conf for 64-bit users) and add the line below to the bottom of the file

mech_list: PLAIN LOGIN

2. Start the saslauthd service.

Configure Postfix

1. Click Applications then click File Browser. This will launch the File Browser window.

2. In the Location field, type in /etc/postfix and press Enter.

3. Double click on the file main.cf to open it for editing.

mynetworks = 127.0.0.0/8
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =  permit_mynetworks, 
    permit_sasl_authenticated, reject_unauth_destination
broken_sasl_auth_clients = yes

4. Restart the Postfix service or the MailScanner service if you have integrated MailScanner into Postfix.

Test Postfix

In a Terminal window, type in the highlighted commands below.

Sample postfix session

[root@mail ~]# telnet mail smtp

Replace mail with the name of your server. We should not use localhost since localhost is a trusted client ip address.

Trying 192.168.0.4...
Connected to mail.acme.local (192.168.0.4).
Escape character is '^]'.
220 mail.acme.local ESMTP Postfix
ehlo host
250-mail.acme.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Note the new 250-AUTH lines.

mail from: johndoe
250 2.1.0 Ok
rcpt to: test@domain.local
554 5.7.1 <test@domain.local>: Relay access denied

It works, now to check if we can send it after authenticating.

auth plain AGpvaG5kb2UAcGFzc3dvcmQ=
235 2.0.0 Authentication successful
rcpt to: test@domain.local
250 2.1.5 Ok
quit
221 2.0.0 Bye
Connection closed by foreign host.
[root@mail ~]#

Text highlighted in green only appears in Postfix version 2.3 or higher. Postfix version 2.3 is included in Red Hat Enterprise Linux 5 or CentOS 5.

You can send to email addresses belonging to your domain without authentication. This is normal as it enables you to receive mail from the outside.

The gibberish text after AUTH PLAIN is the base64 encoded value of the user name johndoe and password password. You can generate your own base64 text using the form below.

If you encounter any problems, check the log file at /var/log/maillog.

Related Pages

Using Active Directory Authentication in Cyrus SASL