Postfix // SASL

DOVECOT

add login method and auth socket

vi /usr/local/etc/dovecot/dovecot.conf

auth_mechanisms = plain cram-md5 login

service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = wheel
  }
}

restart Dovecot and check

ls -lF /var/spool/postfix/private/auth

POSTFIX

make sure you’ve enabled a valid certificate and a decent TLS setup already

then enable the submissions service on port 465 with implicit SSL/TLS (not STARTTLS)

vi /etc/postfix/master.cf

submissions inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submissions
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_helo_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
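
added example (not part of the original notes, not Postfix code): a Python check that reads master.cf text and confirms the submissions entry carries the overrides shown above and that every restriction list it sets ends in reject. the function names and the sample text are assumptions made for illustration; only the plain `-o name=value` form is parsed, not the `-o { name = value }` form.

```python
# Added example: audit the -o overrides of one master.cf service.
# SAMPLE is constructed, abridged from the submissions entry above.
SAMPLE = """\
submissions inet n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
"""

REQUIRED = {
    "smtpd_tls_wrappermode": "yes",
    "smtpd_sasl_auth_enable": "yes",
    "smtpd_sasl_type": "dovecot",
    "smtpd_sasl_path": "private/auth",
}

def service_overrides(master_cf, service):
    """Return {param: value} for the -o options of `service` (inet type)."""
    opts, in_service = {}, False
    for raw in master_cf.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():  # a non-indented line starts a new entry
            fields = raw.split()
            in_service = fields[:2] == [service, "inet"]
            tokens = fields[8:]  # args after 7 fixed columns + command name
        else:
            tokens = raw.split()  # indented line continues the entry
        if in_service:
            for flag, arg in zip(tokens, tokens[1:]):
                if flag == "-o" and "=" in arg:
                    name, value = arg.split("=", 1)
                    opts[name] = value
    return opts

def audit(master_cf, service="submissions"):
    """List findings; an empty list means the entry matches the notes above."""
    opts = service_overrides(master_cf, service)
    if not opts:
        return [f"{service}: no entry or no -o overrides found"]
    findings = [f"{k} should be {v!r}, got {opts.get(k)!r}"
                for k, v in REQUIRED.items() if opts.get(k) != v]
    for name, value in opts.items():
        if name.endswith("_restrictions") and not value.endswith(",reject"):
            findings.append(f"{name} does not end in reject: {value}")
    return findings
```

run it against the real file with `audit(open("/etc/postfix/master.cf").read())`.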

not sure this is required

vi /etc/postfix/main.cf

#
# SASL
#
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_tls_auth_only = yes
#broken_sasl_auth_clients = yes

there is NO NEED to add permit_sasl_authenticated in main.cf; the -o overrides on the submissions service in master.cf already apply it.

ACCEPTANCE

apply and check

postfix reload
netstat -an -f inet | grep LISTEN

and remotely

openssl s_client -connect xc.nethence.com:465

RESOURCES

Postfix SASL Howto http://www.postfix.org/SASL_README.html

Enable SMTPS Port 465 in Postfix SMTP Server For Email Submission https://www.linuxbabe.com/mail-server/enable-smtps-port-465-postfix

Postfix smtps and submission confusion https://serverfault.com/questions/605715/postfix-smtps-and-submission-confusion

Enable SMTPS service (SMTP over SSL, port 465) https://docs.iredmail.org/enable.smtps.html

TRASH

submission starttls

submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_helo_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
