SMTP Authentication (SMTP Auth) provides an access control mechanism that can be used to allow legitimate users to relay mail while denying relay service to unauthorized users, such as spammers.
Thanks to the new SASL support in Dovecot 1.0 and the new Dovecot SASL support in Postfix 2.3, setting up SMTP authentication is now easier. Instead of setting up two separate authentication configurations for Postfix and Dovecot, we can set up authentication in Dovecot only and let Postfix talk to Dovecot.
Configure Postfix and Dovecot


auth default {
    socket listen {
        client {
            path = /var/spool/postfix/private/auth
            mode = 0660
            user = postfix
            group = postfix
        }
    }
    mechanisms = plain login
}

2. Edit /etc/postfix/main.cf, find the keys below and change their values as follows. If a key (the word before the = sign) cannot be found, add it at the bottom of the file.
mynetworks = 127.0.0.0/8
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination
broken_sasl_auth_clients = yes

3. Restart the Dovecot and Postfix services. If you installed MailScanner, restart MailScanner instead of Postfix.

Test Postfix
Sample postfix session
[root@mail ~]# telnet mail smtp
Replace mail with the name of your server. Do not use localhost, since localhost is a trusted client IP address.
Trying 192.168.0.1...
Connected to mail.acme.local (192.168.0.1).
Escape character is '^]'.
220 mail.acme.local ESMTP Postfix
ehlo host
250-mail.acme.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
Note the new 250-AUTH lines. See the old SMTP Telnet Test.
mail from: johndoe
250 2.1.0 Ok
rcpt to: test@domain.local
554 5.7.1 <test@domain.local>: Relay access denied
It works: relaying is denied without authentication. Now check whether we can send after authenticating.
auth plain AGpvaG5kb2VAYWNtZS5sb2NhbABwYXNzd29yZA==
235 2.0.0 Authentication successful
rcpt to: test@domain.local
250 2.1.5 Ok
quit
221 2.0.0 Bye
Connection closed by foreign host.
[root@mail ~]#
The gibberish text after AUTH PLAIN is the base64 encoded value of the user name johndoe@acme.local and password password.
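How the AUTH PLAIN argument in the session above is built and reversed, plus a check of the EHLO reply from the same session, as an added example that is not part of the original guide. The function names are made up here; the user name, password and EHLO lines are the ones shown on this page.

```shell
#!/bin/sh
# EHLO reply copied from the sample session on this page (plain telnet, no TLS).
EHLO_REPLY='250-mail.acme.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN'

# Build the AUTH PLAIN argument: base64 of NUL + user + NUL + password
# (the leading authorization identity is left empty, as in the session above).
auth_plain_token() {
    printf '\0%s\0%s' "$1" "$2" | base64 | tr -d '\n'
}

# Reverse it. No key is involved; the NUL separators are printed as "|".
auth_plain_decode() {
    printf '%s' "$1" | base64 -d | tr '\0' '|'
}

# Print the mechanisms from the standard "250-AUTH ..." line of an EHLO reply.
ehlo_auth_mechs() {
    printf '%s\n' "$1" | tr -d '\r' |
        awk '/^250[- ]AUTH / { sub(/^250[- ]AUTH /, ""); print; exit }'
}

# Classify an EHLO reply captured on an unencrypted connection: PLAIN and LOGIN
# carry the password base64-encoded only, so offering them here exposes it.
auth_exposure() {
    case " $(ehlo_auth_mechs "$1") " in
        *" PLAIN "*|*" LOGIN "*) echo "plaintext-auth-offered" ;;
        *) echo "ok" ;;
    esac
}

auth_plain_token 'johndoe@acme.local' 'password'; echo
auth_plain_decode 'AGpvaG5kb2VAYWNtZS5sb2NhbABwYXNzd29yZA=='; echo
auth_exposure "$EHLO_REPLY"
```

With smtpd_tls_auth_only = yes in main.cf (and TLS configured), Postfix announces and accepts AUTH only after STARTTLS, so a plain-text EHLO like the one above would no longer list the AUTH lines.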
If you encounter any problems, check the log file at /var/log/maillog.
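One way to triage /var/log/maillog for the failures this setup typically produces, as an added example that is not part of the original guide. The function and category names are made up here; the sample lines are the log excerpts quoted in the comments on this page.

```shell
#!/bin/sh
# Lines copied from the log excerpts quoted in the comments on this page.
SAMPLE_MAILLOG='Apr 16 23:58:36 mail2 postfix/smtpd[7419]: warning: SASL: Connect to private/auth failed: No such file or directory
Apr 16 23:58:36 mail2 postfix/smtpd[7419]: fatal: no SASL authentication mechanisms
Jul 9 04:08:53 afl postfix/smtpd[21802]: NOQUEUE: reject: RCPT from unknown[10.1.0.1]: 554 5.7.1 : Relay access denied; from= to= proto=ESMTP helo=
Jul 9 04:09:33 afl postfix/smtpd[21802]: warning: unknown[10.1.0.1]: SASL plain authentication failed:'

# Read maillog text on stdin and print one "category count" line per finding:
#   socket_unreachable  smtpd could not reach the Dovecot auth socket
#                       (socket not created, or smtpd_sasl_path mismatch)
#   no_mechanisms       smtpd exited because no SASL mechanisms were available
#   relay_denied        unauthenticated relay attempt rejected (expected)
#   auth_failed         rejected credentials, also broken down per client IP
maillog_triage() {
    awk '
    !/postfix\/smtpd\[/ { next }
    /SASL: Connect to .* failed/          { n["socket_unreachable"]++ }
    /no SASL authentication mechanisms/   { n["no_mechanisms"]++ }
    /Relay access denied/                 { n["relay_denied"]++ }
    /SASL [A-Za-z0-9-]+ authentication failed/ {
        n["auth_failed"]++
        # Client address: the bracketed value right before ": SASL".
        if (match($0, /\[[0-9A-Fa-f.:]+\]: SASL/))
            ip[substr($0, RSTART + 1, RLENGTH - 8)]++
    }
    END {
        for (k in n) print k, n[k]
        for (a in ip) print "auth_failed_from", a, ip[a]
    }' | LC_ALL=C sort
}

# Succeeds when any single client has at least $1 failed logins in the input.
maillog_has_noisy_client() {
    maillog_triage |
        awk -v min="$1" '$1 == "auth_failed_from" && $3 >= min { hit = 1 } END { exit !hit }'
}

printf '%s\n' "$SAMPLE_MAILLOG" | maillog_triage
```

On a live server, feed it the real file, for example `maillog_triage < /var/log/maillog`.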
***
Posted on 4/13/2008 and last updated on 7/12/2008
Filed under CentOS 5 , Dovecot , Postfix , Red Hat Enterprise Linux 5 , SASL

April 16th, 2008 at 4:12 pm
Hi,
Is this a new addition to the guide? I didn’t encounter this in the original article I followed. Anyway, I encountered a problem. My logs show this:
Apr 16 23:58:36 mail2 postfix/smtpd[7419]: warning: SASL: Connect to private/auth failed: No such file or directory
Apr 16 23:58:36 mail2 postfix/smtpd[7419]: fatal: no SASL authentication mechanisms
Apr 16 23:58:37 mail2 postfix/master[7345]: warning: process /usr/libexec/postfix/smtpd pid 7419 exit status 1
Apr 16 23:58:37 mail2 postfix/master[7345]: warning: /usr/libexec/postfix/smtpd: bad command startup — throttling
I think this has something to do with missing SASL Libraries perhaps?
By the way, using CentOS 5.1
April 16th, 2008 at 4:36 pm
Here are my packages after doing rpm -qa | grep sasl:
cyrus-sasl-ldap-2.1.22-4
cyrus-sasl-plain-2.1.22-4
gnu-crypto-sasl-jdk1.4-2.1.0-2jpp.1
cyrus-sasl-lib-2.1.22-4
cyrus-sasl-2.1.22-4
cyrus-sasl-devel-2.1.22-4
cyrus-sasl-ntlm-2.1.22-4
Is there anything that I missed to install?
April 17th, 2008 at 4:32 am
It looks like your Postfix does not have SASL capabilities compiled in it. Make sure you include SASL in your build option or download my prebuilt Postfix RPM packages.
April 17th, 2008 at 9:53 am
I downloaded the package but still no go. How will I know if the postfix version I installed has the SASL capabilities?
April 17th, 2008 at 3:06 pm
Type in postconf -a in a terminal window. It will return the SASL support compiled in it.
April 25th, 2008 at 7:34 am
Hi,
I’m following your guide and installed postfix, dovecot but when testing I encountered the following error:
#telnet localhost smtp
#Trying 127.0.0.1…
#Connected to localhost.localdomain (127.0.0.1).
#Escape character is ‘^]’.
#Connection closed by foreign host.
This is after I configured postfix and dovecot for SMTP and SASL.
Any clue on what is the problem?
April 25th, 2008 at 8:05 am
Please check the log file at /var/log/maillog. It will show you why it terminated immediately.
April 25th, 2008 at 8:34 am
Thanks for the reply…
It logged the following errors:
warning: SASL: Connect to private/auth failed: No such file or directory
fatal: no SASL authentication mechanisms
warning: process /usr/libexec/postfix/smtpd pid 25194 exit status 1
warning: /usr/libexec/postfix/smtpd: bad command startup — throttling
Does this mean I don’t have SASL installed?
April 25th, 2008 at 8:45 am
I have postfix 2.3.3-2 package installed and it seemed that this version has SMTP AUTH (SASL) support.
I’m using CentOS 5.1
April 25th, 2008 at 2:25 pm
1. In your dovecot.conf, make sure you have the lines below.
client {
path = /var/spool/postfix/private/auth
mode = 0660
user = postfix
group = postfix
}
2. Restart dovecot
3. Check if /var/spool/postfix/private/auth is created
type in ls -l /var/spool/postfix/private/auth to confirm.
Dovecot is the one that creates this file
4. Did you touch the queue_directory in Postfix?
queue_directory = /var/spool/postfix
If yes, update the path in dovecot.conf and try again.
April 28th, 2008 at 1:04 am
Hi there,
I followed the steps you suggested above but /var/spool/postfix/private/auth is not created… I also did not touch the queue_directory in postfix…
Thanks for the reply…
April 28th, 2008 at 1:15 am
Just got it working… It seemed that I was missing a bracket in my dovecot config… Thanks for the help…
April 28th, 2008 at 1:39 am
There is still a problem in connecting to localhost… It will just return an error:
#telnet localhost smtp
#trying 127.0.0.1…
#Connected to localhost.localdomain(127.0.0.1).
#Escape character is ‘^]’
#421 4.4.2 localhost.localdomain Error: Timeout exceeded..
My maillog says:
#warning: database /etc/aliases.db is older than source file /etc/aliases
#localhost postfix/smtpd[3469]: connect from #localhost.localdomain[127.0.0.1]
#localhost postfix/smtpd[3469]: timeout after CONNECT from localhost.localdomain[127.0.0.1]
#localhost postfix/smtpd[3469]: disconnect from #localhost.localdomain[127.0.0.1]
April 28th, 2008 at 6:06 am
Type in newaliases to recreate the aliases.db file
April 30th, 2008 at 9:50 am
Why is it that I can’t connect to my machine if I use
the name of my machine instead of localhost on this command.
#telnet mymachine smtp
It says:
telnet: Connect to address x.x.x.x: Connection Refused
telnet: Unable to connect to remote host: Connection Refused
April 30th, 2008 at 9:59 am
Why is it that I can’t connect to my machine when I use the name of my machine?
#telnet mymachine smtp
It says:
telnet: Unable to connect to address x.x.x.x: Connection Refused
telnet: Unable to connect to remote host: Connection Refused
April 30th, 2008 at 11:23 am
1. Are you sure Postfix is running? Try service postfix status
2. Can you connect to the localhost? Try telnet localhost smtp
3. Is Postfix listening to all available network interfaces? Check the /etc/postfix/main.cf and make sure inet_interfaces = all
May 5th, 2008 at 2:04 am
Hi,
So far so good except when I get to:
——
rcpt to: test@domain.local
554 5.7.1 : Relay access denied
——
I get a 250 2.1.5 Ok instead of Relay access denied.
What am I missing? Thanks!
May 5th, 2008 at 2:09 am
This is what I get when I type in “ehlo host”
——
250-mbox.localdomain
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN
250-AUTH=PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
——
I noticed that I only have:
250-AUTH PLAIN
250-AUTH=PLAIN
instead of
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
Could this be an issue?
May 5th, 2008 at 2:09 am
Double check that you are not connecting to localhost or 127.0.0.1. localhost is a trusted IP so the test will not fail.
May 5th, 2008 at 2:25 am
> I noticed that I only have:
> 250-AUTH PLAIN
> 250-AUTH=PLAIN
> Could this be an issue?
Yes if you will be using Outlook/Outlook Express since either one does not support plain authentication. I’ve discovered that the dovecot.conf in CentOS 5.1 is different from CentOS 5.0. Please review my guide above, I’ve revised the instructions for 5.1 users.
May 24th, 2008 at 8:24 am
I have the “missing auth” figured out. The problem isn’t that the correct support is missing (it’s all there), the problem is that, based upon the installation instructions above, the dovecot socket for authentication can’t be created.
The /var/spool/postfix/private directory is owned by postfix with 700 permissions. Dovecot does NOT run as postfix. Thus, when dovecot tries to start up, it cannot create the auth socket you’re telling it to and thus postfix has nowhere to auth.
At this point I’ve gone in and made the private directory 777 permissions. It’s a cheap way for me to test it out and it works (the socket gets created). Anyone have a more creative way to fix the permissions issue?
–Doug
May 24th, 2008 at 8:50 am
auth default {
    socket listen {
        client {
            path = /var/spool/postfix/private/auth
            mode = 0660
            user = postfix
            group = postfix
        }
    }
    mechanisms = plain login
}
The highlighted lines above enable dovecot to write to the /var/spool/postfix directory. My guess is that your dovecot is not running as root which prevents it from becoming the user postfix. Check which user is used for the dovecot process, the default is root.
auth default {
.
.
.
user = root
.
.
.
}
May 30th, 2008 at 4:05 am
[root@orion etc]# /etc/init.d/dovecot restart
Stopping Dovecot Imap: [FAILED]
Starting Dovecot Imap: Error: Error in configuration file /etc/dovecot.conf line 736: Unknown setting: mechanisms
May 30th, 2008 at 1:12 pm
Please ensure that mechanism is inside auth default
auth default {
mechanisms = plain login
.
.
.
}
May 31st, 2008 at 4:30 am
Hi, how can I configure a localhost so it can send email outside the network… Thanks
May 31st, 2008 at 4:55 am
The IP address of localhost is 127.0.0.1 which is a trusted address so it should be able to send outside the network.
May 31st, 2008 at 5:39 am
Starting Dovecot Imap: Error: Error in configuration file /etc/dovecot.conf line 773: Unknown section type
Line 773 = passdb pam {
May 31st, 2008 at 5:47 am
Check the open and closing brackets, there could be an unpaired bracket.
auth default {
    .
    .
    .
    socket listen {
        client {
            path = /var/spool/postfix/private/auth
            mode = 0660
            user = postfix
            group = postfix
        }
    }
    mechanisms = plain login
    .
    .
    .
    passdb pam {
        .
        .
        .
    }
}
June 15th, 2008 at 10:36 pm
Went through all of the instructions but cannot get one email address to work. Sales sends all mail to root. How would i fix this issue?
June 15th, 2008 at 11:56 pm
There is a default set of predefined email addresses required by RFC 822 and RFC 2124. These email addresses are defined in /etc/aliases. Edit the aliases file then type in newaliases to update the aliases database file then restart Postfix or MailScanner to immediately effect the changes.
July 9th, 2008 at 4:21 pm
I did as your instructions say in setting up Postfix SMTP authentication and Dovecot SASL. When testing Postfix with auth plain and the base64 encoded value, I get 535 5.7.0 Error: authentication failed:
maillog shows this:
Jul 9 04:08:53 afl postfix/smtpd[21802]: NOQUEUE: reject: RCPT from unknown[10.1.0.1]: 554 5.7.1 : Relay access denied; from= to= proto=ESMTP helo=
Jul 9 04:09:33 afl postfix/smtpd[21802]: warning: unknown[10.1.0.1]: SASL plain authentication failed:
Please advise……
thanks
July 10th, 2008 at 3:28 pm
I followed the directions and have the two new 250-AUTH lines but when I test the authentication, I never get the Relay access denied. I get the following
mail from: johndoe
250 2.1.0 Ok
rcpt to: test@domain.local
250 2.1.5 Ok
Any ideas as to what I am doing wrong?
July 10th, 2008 at 3:38 pm
That usually happens when you connect to 127.0.0.1 or localhost which is a trusted connection.
July 10th, 2008 at 3:45 pm
Jul 9 04:09:33 afl postfix/smtpd[21802]: warning: unknown[10.1.0.1]: SASL plain authentication failed:
July 10th, 2008 at 4:09 pm
Can you log in to dovecot? If yes, try using a real mail client.
July 10th, 2008 at 4:19 pm
I am definitely not using 127.0.0.1 or localhost but instead the name of the server which is mail.marketing.com and never get the relay access denied.
July 10th, 2008 at 5:54 pm
Any Ideas? Should I send you the dovecot or postfix config files?
July 10th, 2008 at 6:13 pm
Even if you use mail.marketing.com, if the network is not properly configured, it still resolves to 127.0.0.1. After issuing the telnet command, check what IP it actually connects to.
If it really isn’t 127.0.0.1, send your main.cf to consultant(at)linuxmail.info
July 10th, 2008 at 6:55 pm
Being fairly new to Linux, I must have the network configured improperly. It is seeing 127.0.0.1 instead of the IP address assigned to the server. I added the server name and IP address to the host file, but when I run a ping it still comes back with 127.0.0.1. Could you tell me what I am doing wrong?
July 10th, 2008 at 7:21 pm
Finally figured it out. Thanks for all your help. You have been an invaluable resource.
August 20th, 2008 at 9:14 pm
Rob,
you took the trouble to respond,
and say thank you (which is commendable),
tell us you figured it out (which is great for you),
but you don’t tell us how you did it (which is frustrating for those of us who still can’t get it working)
August 21st, 2008 at 2:34 pm
Londo,
My apologies. After contemplating the possible network configuration issue I could have missed, I realized that I had the host file incorrect. I had pointed 127.0.0.1 to the correct server name, but this was incorrect. See my example of what I did wrong and the correct host config:
Wrong -
I changed the following
127.0.0.1 localhost.localdomain localhost
to
127.0.0.1 name.domain.com localhost
Correct -
I left
127.0.0.1 localhost.localdomain localhost
and then added
xxx.xxx.xxx.xxx name.domain.com mail
where xxx.xxx.xxx.xxx is the correct IP of the system and name.domain.com is the real name of the box (i.e., test.success.com); the mail after the hostname defines the server type.
Hope this helped. Good luck.
September 16th, 2008 at 11:07 pm
Hello everyone,
I followed the directions but I have a problem. I have “Authentification successful” but just after I have “Relay access denied”.
Can you help me?
September 23rd, 2008 at 1:47 pm
It looks like your configuration is missing the setting “permit_sasl_authenticated”. If you placed the setting on a new line, make sure you have some whitespace in front so that Postfix will know that the setting is a continuation of the previous line.
October 2nd, 2008 at 11:01 pm
Do you think there will be an issue setting up SMTP authentication for Postfix if we have a Barracuda spam filter as the main SMTP server? I just don’t have a machine to test it on and don’t have the chance to test it on a live, busy mail server. Hope you can answer. Thanks.
October 2nd, 2008 at 11:57 pm
Hi bugz,
The Barracuda spam filter is only that, a spam filter. Barracuda will forward mails to your main SMTP server after it has performed its checks.
November 1st, 2008 at 6:35 am
Thanks for info. It works
November 19th, 2008 at 6:39 am
Hi,
I’m totally new to Linux but I really wanted to learn and create my own mail server.
November 19th, 2008 at 6:47 am
Hi,
I’m totally new to Linux but I really wanted to learn and create my own mail server.
Could somebody please tell me how to do the advice of Rob in #43.
Thanks in advance.