SMTP Authentication (SMTP Auth) in Postfix

Enabling SMTP authentication in Postfix ensures that only users with valid accounts can send email outside your network (relaying). This prevents spammers from using your SMTP server as a spam broadcast station. Here’s how to do it in Postfix.

Note If you are using Red Hat Enterprise Linux 5 or CentOS 5, please read Postfix SMTP Authentication and Dovecot SASL instead. It’s a lot easier to setup and you won’t have to duplicate your Dovecot authentication setup into SASL.

Configure SASL

1. Edit the file /usr/lib/sasl2/smtpd.conf (/usr/lib64/sasl2/smtpd.conf for 64-bit users) and add the line below to the bottom of the file

mech_list: PLAIN LOGIN

2. Start the saslauthd service.

Configure Postfix

1. Click Applications then click File Browser. This will launch the File Browser window.

2. In the Location field, type in /etc/postfix and press Enter.

3. Double click on the file main.cf to open it for editing.

Find the following keys and change its values as follows or add it at the bottom of the file if the key (the word before the = sign) cannot be found.

mynetworks = 127.0.0.0/8
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions =  permit_mynetworks, 
    permit_sasl_authenticated, reject_unauth_destination
broken_sasl_auth_clients = yes

The first line says trust only localhost, meaning only localhost can send email outside the network (relay). The last line is there to support old clients like Microsoft Outlook Express 4.0 and Microsoft Exchange 5.0 just in case someone is still using it.

Lines starting with # are comments. Save the file after completing your changes.

4. Restart the Postfix service or the MailScanner service if you have integrated MailScanner into Postfix.

Test Postfix

In a Terminal window, type in the highlighted commands below.

Sample postfix session

[root@mail ~]# telnet mail smtp

Important Replace mail with the name of your server. We should not use localhost since localhost is a trusted client ip address.

Trying 192.168.0.4...
Connected to mail.acme.local (192.168.0.4).
Escape character is '^]'.
220 mail.acme.local ESMTP Postfix
ehlo host
250-mail.acme.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Note the new 250-AUTH lines.

mail from: johndoe
250 2.1.0 Ok
rcpt to: test@domain.local
554 5.7.1 <test@domain.local>: Relay access denied

It works, now to check if we can send it after authenticating.

auth plain AGpvaG5kb2VAYWNtZS5sb2NhbABwYXNzd29yZA==
235 2.0.0 Authentication successful
rcpt to: test@domain.local
250 2.1.5 Ok
quit
221 2.0.0 Bye
Connection closed by foreign host.
[root@mail ~]#

Note Text highlighted in green only appears in Postfix version 2.3 or higher. Postfix version 2.3 is included in the standard package of Red Hat Enterprise Linux 5 or CentOS 5.

The gibberish text after AUTH PLAIN is the base64 encoded value of the user name johndoe@acme.local and password password. You can generate your own base64 text using the form below.

Note If you encounter any problems, check the log file at /var/log/maillog.

Using Active Directory Authentication in Cyrus SASL

***
Posted on 4/23/2007 and last updated on 7/12/2008
Filed under Postfix , SASL

19 Responses to “SMTP Authentication (SMTP Auth) in Postfix”

bvankuik Says:
August 15th, 2007 at 6:29 pm
To configure saslauthd on a 64-bit box, edit the file:

/usr/lib64/sasl2/smtpd.conf

instead of /usr/lib/sasl2
Juan Timana Says:
October 10th, 2007 at 1:29 am
The form to encode is not working.
consultant Says:
October 14th, 2007 at 4:22 pm
Sorry about that. It’s now working. Thank you very much Juan for reporting it.
amotaal Says:
November 3rd, 2007 at 5:53 pm
Hello there,

Thank you for your detailed instructions, I was able to setup pretty much everything in no time. However, when I attempt to test sending without authentication, or shall I say before auth, I still get an OK response and not DENIED as it shows above. I followed the instructions carefully and started twice from scratch with the same outcome. Hence I can’t put this box online as of yet.

Maybe related info: Pentium 4, Centos 5, TrixBox 2x, Latest postfix, Latest saslauthd, NO SENDMAIL, Latest yum updates.

Thank you for your efforts and your response would be highly appreciated. Keep up the good work!
consultant Says:
November 3rd, 2007 at 6:15 pm
Hi,

If you have this line
mynetworks = 127.0.0.0/8

Only localhost or 127.0.0.1 is trusted and should respond with OK. Use the hostname or the actual ip address of your server when testing since those are not trusted. You might have missed out that I’m no longer using localhost to test.
Rait Says:
November 9th, 2007 at 11:07 am
I’m having the same problem as amotaal, not getting the DENIED message. Although I noticed that after entering

“ehlo host”

I’m missing three lines:

250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
and
250 DSN

everything else is there.

Any suggestions would be welcome
Rait Says:
November 9th, 2007 at 11:08 am
oh, and I’m testing it from another machine to be 100% sure
consultant Says:
November 9th, 2007 at 1:48 pm
Hi Rait,

250-AUTH=LOGIN PLAIN should appear if you added the line

broken_sasl_auth_clients = yes

The two lines below
250-ENHANCEDSTATUSCODES
250 DSN
does not appear in RHEL/CentOS 4 which only have Postfix 2.2. Sorry for the confusion, I removed SMTP Auth for RHEL/CentOS 4 to reduce duplicate content. I’ve rewritten the text to make the differences clearer.

Can you send me your main.cf, I would like to review it. My email address is consultant at linux-mail.info
rootytoot Says:
January 12th, 2008 at 12:36 am
i also do not get the “relay denied”

[root@centaur log]# telnet myhost smtp
Trying 127.0.0.1…
Connected to localhost.localdomain (127.0.0.1).
Escape character is ‘^]’.
220 myhost.localdomain ESMTP Postfix
ehlo host
250-myhost.localdomain
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from: root
250 2.1.0 Ok
rcpt to: test@myhost
550 5.1.1 : Recipient address rejected: User unknown in local recipient table
rcpt to: root@myhost
250 2.1.5 Ok

??
consultant Says:
January 12th, 2008 at 12:49 am
That’s because you’re still connected to the localhost which is a trusted client ip address. Try to find out your network ip address and use that instead since myhost resolves to 127.0.0.1.
rootytoot Says:
January 12th, 2008 at 2:14 am
i’m on the server itself, if that matters. i have a private addr: 10.10.1.8. but i get an error:

rcpt to: test@10.10.1.8
501 5.1.3 Bad recipient address syntax
consultant Says:
January 12th, 2008 at 2:35 am
Oh sorry, what I meant was instead of using the command “telnet myhost smtp”, use “telnet 10.10.1.8 smtp” since myhost resolves to localhost which is trusted.
rootytoot Says:
January 12th, 2008 at 3:00 am
that did it:

rcpt to: cent50@10.10.1.8
501 5.1.3 Bad recipient address syntax

awesome site. i got squirrel mail with all the parts (postfix, dovecot, etc) up and running in less than an hour. thank you.
rootytoot Says:
January 12th, 2008 at 3:01 am
oops. i meant to paste this:

rcpt to: test@domain.local
554 5.7.1 : Relay access denied
Rick Matlock Says:
January 20th, 2008 at 7:08 am
I have tried this both ways with the actual mail.domain.tld and ip address. I made the modifications to my main.cf from another linux box at home using ssh to connect to the server at work. Here are the screens showing what the results were and also my main.cf file.

[root@localhost ~]# telnet mail.matlockford.net smtp
Trying 65.41.207.220…
Connected to mail.matlockford.net (65.41.207.220).
Escape character is ‘^]’.
220 server1.matlockford.net ESMTP Postfix (CentOS)
ehlo mail.matlockford.net
250-server1.matlockford.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from: wmatlock@embarqmail.com
250 2.1.0 Ok
rcpt to: wmatlock@matlockford.net
250 2.1.5 Ok
quit
221 2.0.0 Bye
Connection closed by foreign host.
[root@localhost ~]# telnet 65.41.207.220 smtp
Trying 65.41.207.220…
Connected to oh-65-41-207-220.sta.embarqhsd.net (65.41.207.220).
Escape character is ‘^]’.
220 server1.matlockford.net ESMTP Postfix (CentOS)
ehlo 65.41.207.220
250-server1.matlockford.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from: wmatlock@embarqmail.com
250 2.1.0 Ok
rcpt to: wmatlock@matlockford.net
250 2.1.5 Ok
quit
221 2.0.0 Bye
Connection closed by foreign host.
[root@localhost ~]#
[root@localhost ~]#

smtpd_banner = $myhostname ESMTP $mail_name (CentOS)
#
biff = no

#
# LOCAL PATHNAME INFORMATION
#
queue_directory = /var/spool/postfix
#
command_directory = /usr/sbin
#
daemon_directory = /usr/libexec/postfix
#

#
# TLS Configuration
#
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
#
masquerade_domains = matlockford.net
#
myorigin = matlockford.net
#
mydomain = matlockford.net
#
myhostname = server1.$mydomain
#
alias_maps = hash:/etc/aliases
#
alias_database = hash:/etc/aliases
#
mydestination = mail.matlockford.net, server1.matlockford.net,
localhost.matlockford.net, localhost, $mydomain
#
relayhost =
#
mynetworks = 127.0.0.0/8
#
mailbox_size_limit = 0
#
recipient_delimiter = +
#
inet_interfaces = all
#
unknown_local_recipient_reject_code = 550
#
home_mailbox = Maildir/
#
header_checks = regexp:/etc/postfix/header_checks
#
#
header_checks = regexp:/etc/postfix/header_checks
#
#debug_peer_level = 2
#
#debugger_command =
# PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
# xxgdb $daemon_directory/$process_name $process_id & sleep 5

smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated,

reject_unauth_destination
broken_sasl_auth_clients = yes

Yes, I did issue the service postfix restart command.

Thanks
Rick Matlock
consultant Says:
January 20th, 2008 at 2:44 pm
Hi Rick,

You’ve reversed the mail from and rcpt to. mail from should be wmatlock@matlockford.net and rcpt to should be anything other than matlockford.net which is an authorized destination. rcpt to could be wmatlock@embarqmail.com or test@domain.local. The point of SASL authentication is to prevent unauthorized users (like spammers) from sending emails outside your domain matlockford.net. But sending mails into your domain, like the one you’re doing above, should be accepted otherwise you won’t be able to receive any emails.
Luis Felipe Marzagao Says:
February 5th, 2008 at 6:46 pm
Hello: If I leave reject_unauth_destination in smtpd_recipient_restrictions, then I can’t send e-mail to other domains, even after auth plain ….

Instead, if I change reject_unauth_destination for check_relay_domains, then I get the desired behaviour (send mail to other domains only after authentication).

Is it correct?

Thanks a lot!
Luis Felipe Marzagao Says:
February 5th, 2008 at 7:44 pm
Forget about my comment. I was missing this part:

“smtpd_client_restrictions (default: empty) … Restrictions are applied in the order as specified; the first restriction that matches wins.”

reject_unauth_destination must come at the end of smtpd_recipient_restrictions

Thanks.
Nahum Castro Says:
March 7th, 2008 at 10:13 pm
Which is the autentification type to use on evolution?

if i have an user pepe and password jose, which one is the password combination to use in evolution, pepe or jose or both.

Thanks.

Social Web
E-mail

Linux Mail Server Setup and Howto Guide