Postfix: how to use simple file for SASL authentication?
Postfix currently supports only two SASL authentication methods. One of them is Dovecot, which you don't want. The other is Cyrus, which is about as close to what you want as it's possible to get without rewriting Postfix. It does involve running a separate authentication daemon (saslauthd), but the authentication file is easy to edit and update.
The basics for using Cyrus SASL can be found at the postfix documentation site, but here's a short description. Please look at the link if anything's confusing in any way!
Start by installing Cyrus SASL with the plugin sasldb. (How to do that is left as an exercise for the reader; presumably there's a package in whatever package system your brand of unix is using.) Since the communication between Postfix and SASL will take place via a unix domain socket, you may want to add postfix to the SASL group, and make sure that that group has read and execute permissions to the directory /var/run/saslauthd.
Configure SASL
Configure SASL to use sasldb by editing /etc/sasl2/smtpd.conf:
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM
The sasldb plugin means that sasl will use a Berkeley DB file for usernames and passwords. You add users with the command saslpasswd2:
$ saslpasswd2 -c -u example.com username
Password:
Again (for verification):
Note that you specify a domain together with the username, and the user will need to use "username@example.com" rather than just "username" when authenticating.
You can verify what users have been entered by running sasldblistusers2.
Start saslauthd, and verify that the authentication works by doing
testsaslauthd -u username@example.com -p password
Configure Postfix
Once that is done, tell Postfix to use SASL and to tell Cyrus that it's SMTP that it's authenticating, by editing /etc/postfix/main.cf to contain
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
Then, reload postfix, and you should be set.
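As an added check (example code, not from the original answer or from Postfix/Cyrus), the script below parses the two files this answer edits and reports whether they match the settings above; it also flags the cleartext PLAIN and LOGIN mechanisms in mech_list when main.cf does not set smtpd_tls_auth_only = yes, a Postfix parameter the answer does not mention. The two config texts inside are constructed samples standing in for /etc/sasl2/smtpd.conf and /etc/postfix/main.cf.

```python
"""Sanity-check the Cyrus SASL / Postfix settings from the answer above.

Added example; the two config texts are constructed samples standing in
for /etc/sasl2/smtpd.conf and /etc/postfix/main.cf.
"""

SMTPD_CONF = """\
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM
"""

MAIN_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
"""

def parse_kv(text, sep):
    """Parse 'key<sep>value' lines: smtpd.conf uses ':', main.cf uses '='."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line or sep not in line:
            continue
        key, value = line.split(sep, 1)
        out[key.strip()] = value.strip()
    return out

def check_config(smtpd_conf, main_cf):
    """Return a list of findings; an empty list means the setup matches."""
    sasl = parse_kv(smtpd_conf, ":")
    pf = parse_kv(main_cf, "=")
    findings = []
    if sasl.get("pwcheck_method") != "auxprop":
        findings.append("pwcheck_method must be auxprop for sasldb lookups")
    if sasl.get("auxprop_plugin") != "sasldb":
        findings.append("auxprop_plugin must be sasldb")
    if pf.get("smtpd_sasl_auth_enable", "no").lower() != "yes":
        findings.append("smtpd_sasl_auth_enable is not yes")
    if pf.get("smtpd_sasl_path") != "smtpd":
        findings.append("smtpd_sasl_path should be smtpd so Cyrus reads smtpd.conf")
    # PLAIN and LOGIN send the password as-is; only offer them over TLS.
    mechs = sasl.get("mech_list", "").upper().split()
    cleartext = [m for m in mechs if m in ("PLAIN", "LOGIN")]
    if cleartext and pf.get("smtpd_tls_auth_only", "no").lower() != "yes":
        findings.append("cleartext mechanisms %s offered without smtpd_tls_auth_only = yes"
                        % " ".join(cleartext))
    return findings
```

Run it against the real files by reading them into the two arguments; main.cf continuation lines (leading whitespace) are not handled here.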
Just clarifying a few things:
Creating an account in sasldb:
% saslpasswd2 -c -u fqdn username
Testing authentication:
% testsaslauthd -u username -p password
(note: the username is not followed by the fqdn)
I would also like to add that creating a root account
% saslpasswd2 -c -u example.com root
will not let you authenticate:
% testsaslauthd -u root -p some_password
0: NO "authentication failed"
But this is not a bug. It is just a safety feature.