Enabling SMTP authentication in Postfix ensures that only users with valid accounts can send email outside your network (relaying). This prevents spammers from using your SMTP server as a spam broadcast station. Here’s how to do it in Postfix.

Note: If you are using Red Hat Enterprise Linux 5 or CentOS 5, please read Postfix SMTP Authentication and Dovecot SASL instead. It is a lot easier to set up and you won't have to duplicate your Dovecot authentication setup into SASL.

Configure SASL

SASL2 Configuration
1. Edit the file /usr/lib/sasl2/smtpd.conf (/usr/lib64/sasl2/smtpd.conf for 64-bit users) and add the line below to the bottom of the file.
mech_list: PLAIN LOGIN
2. Start the saslauthd service.

Configure Postfix

1. Click Applications, then click File Browser. This launches the File Browser window.
2. In the Location field, type /etc/postfix and press Enter.
3. Double-click the file main.cf to open it for editing.
Find the following keys and change their values as shown below, or add them at the bottom of the file if a key (the word before the = sign) cannot be found.
mynetworks = 127.0.0.0/8
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =  permit_mynetworks, 
    permit_sasl_authenticated, reject_unauth_destination
broken_sasl_auth_clients = yes
The first line says trust only localhost, meaning only localhost can send email outside the network (relay) without authenticating. The last line is there to support old clients such as Microsoft Outlook Express 4.0 and Microsoft Exchange 5.0, just in case someone is still using them.

Lines starting with # are comments. Save the file after completing your changes.

4. Restart the Postfix service (or the MailScanner service if you have integrated MailScanner into Postfix).

Test Postfix

In a Terminal window, type in the commands below.

Sample Postfix session

[root@mail ~]# telnet mail smtp

Important: Replace mail with the name of your server. Do not use localhost, since localhost is a trusted client IP address and would be allowed to relay without authenticating.

Trying 192.168.0.4...
Connected to mail.acme.local (192.168.0.4).
Escape character is '^]'.
220 mail.acme.local ESMTP Postfix
ehlo host
250-mail.acme.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Note the new 250-AUTH lines.

mail from: johndoe
250 2.1.0 Ok
rcpt to: test@domain.local
554 5.7.1 <test@domain.local>: Relay access denied

It works: relaying is refused for an unauthenticated client. Now check whether we can send after authenticating.

auth plain AGpvaG5kb2UAcGFzc3dvcmQ=
235 2.0.0 Authentication successful
rcpt to: test@domain.local
250 2.1.5 Ok
quit
221 2.0.0 Bye
Connection closed by foreign host.
[root@mail ~]#

Note: Parts of the session above (highlighted in green on the original page) only appear in Postfix version 2.3 or higher. Postfix version 2.3 is included in Red Hat Enterprise Linux 5 and CentOS 5.

Note: You can send to email addresses belonging to your own domain without authentication. This is normal, as it enables you to receive mail from the outside.

The gibberish text after AUTH PLAIN is the base64-encoded value of the user name johndoe and the password password (SASL PLAIN joins the optional authorization identity, the user name and the password with NUL bytes before base64 encoding). You can generate your own base64 text with any base64 encoder.
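As an added example (not code from the original page), the following Python script builds and decodes the AUTH PLAIN token and checks an EHLO reply for the advertised AUTH mechanisms; the user name, password and EHLO text are the ones from the session above, embedded here as constructed sample input.

```python
import base64
import re


def sasl_plain_encode(username: str, password: str, authzid: str = "") -> str:
    """Build the SASL PLAIN initial response: [authzid] NUL authcid NUL passwd, base64-encoded."""
    raw = f"{authzid}\0{username}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def sasl_plain_decode(token: str) -> tuple:
    """Reverse of sasl_plain_encode. Base64 only obscures the credentials; anyone who
    captures the session can recover them, which is why AUTH should run over TLS."""
    authzid, username, password = base64.b64decode(token).decode("utf-8").split("\0")
    return authzid, username, password


def advertised_auth_mechanisms(ehlo_reply: str) -> list:
    """Return the AUTH mechanisms listed in a multi-line EHLO reply.

    Postfix emits both '250-AUTH LOGIN PLAIN' and, for broken_sasl_auth_clients = yes,
    the legacy '250-AUTH=LOGIN PLAIN' form; both are matched and merged without duplicates."""
    mechs = []
    for line in ehlo_reply.splitlines():
        m = re.match(r"250[- ]AUTH[ =](.+)$", line.strip())
        if m:
            for mech in m.group(1).split():
                if mech not in mechs:
                    mechs.append(mech)
    return mechs


# Constructed sample: the EHLO reply shown in the session above.
SAMPLE_EHLO = """250-mail.acme.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

if __name__ == "__main__":
    token = sasl_plain_encode("johndoe", "password")
    print("auth plain", token)                      # the token used in the session above
    print(sasl_plain_decode(token))                 # ('', 'johndoe', 'password')
    print(advertised_auth_mechanisms(SAMPLE_EHLO))  # ['LOGIN', 'PLAIN']
```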
Note: If you encounter any problems, check the log file at /var/log/maillog.


***
Posted on 4/23/2007 and last updated on 11/7/2009
Filed under Postfix, SASL