SMTP Authentication (SMTP Auth) provides an access control mechanism that can be used to allow legitimate users to relay mail while denying relay service to unauthorized users, such as spammers.

Thanks to the new SASL support in Dovecot 1.0 and the new Dovecot SASL support in Postfix 2.3, setting up SMTP authentication is now easier. Instead of setting up two separate authentication for Postfix and Dovecot, we can now just setup the authentication in Dovecot and just let Postfix talk to Dovecot.

Configure Postfix and Dovecot

Edit dovecot.conf
1. Edit the file /etc/dovecot.conf and make sure your auth default section has the lines below.
auth default {	
  socket listen {
    client {
	  path = /var/spool/postfix/private/auth
	  mode = 0660
	  user = postfix
	  group = postfix
    }
  }	
  mechanisms = plain login
}

NoteIf you are using Ubuntu, edit /etc/dovecot/dovecot.conf.

Edit main.cf2. Edit /etc/postfix/main.cf, find the keys below and change its values as follows or add it at the bottom of the file if the key (the word before the = sign) cannot be found.
mynetworks = 127.0.0.0/8
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =  permit_mynetworks, 
    permit_sasl_authenticated, reject_unauth_destination
broken_sasl_auth_clients = yes
The first line says trust only localhost, meaning only localhost can send email outside the network (relay). The last line is there to support old clients like Microsoft Outlook Express 4.0 and Microsoft Exchange 5.0 just in case someone is still using it.
 
Lines starting with # are comments. Save the file after completing your changes.
 
Service Configuration3. Restart the Dovecot and Postfix service. But if you installed MailScanner, restart MailScanner instead of Postfix.

Test Postfix

TerminalIn a Terminal window, type in the highlighted commands below.

Sample postfix session

[root@mail ~]# telnet mail smtp

ImportantReplace mail with the name of your server. We should not use localhost since localhost is a trusted client ip address. And make sure the domain name you specified does not resolve to 127.0.0.1 which is the IP address of localhost.

Trying 192.168.0.1...
Connected to mail.acme.local (192.168.0.1).
Escape character is '^]'.
220 mail.acme.local ESMTP Postfix
ehlo localhost
250-mail.acme.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Note the new 250-AUTH lines. See the old SMTP Telnet Test.

mail from:<johndoe>
250 2.1.0 Ok
rcpt to:<test@example.com>
554 5.7.1 <test@example.com>: Relay access denied

It works, now to check if we can send it after authenticating.

auth plain AGpvaG5kb2UAcGFzc3dvcmQ=
235 2.0.0 Authentication successful
rcpt to:<test@example.com>
250 2.1.5 Ok
quit
221 2.0.0 Bye
Connection closed by foreign host.
[root@mail ~]#

NoteYou can send to email addresses belonging to your domain without authentication. This is normal as it enables you to receive mail from the outside.

The gibberish text after AUTH PLAIN is the base64 encoded value of the user name johndoe and password password. You can generate your own base64 text using the form below.








NoteIf you encounter any problems, check the log file at /var/log/maillog (mail.log in Ubuntu).

 
«« Previous: How to Setup Dovecot
 

Visit the forum to ask for help or to give a comment.

***
Posted on 4/13/2008 and last updated on 9/13/2011
Filed under CentOS 5 , Dovecot , Postfix , Red Hat Enterprise Linux 5 , SASL , Ubuntu 10.04