Inicio
Productos
Red Hat Enterprise Linux
6
Security Guide
2.2.7.5. Configuring Postfix to Use SASL

2.2.7.5. Configuring Postfix to Use SASL

The Red Hat Enterprise Linux version of Postfix can use the Dovecot or Cyrus SASL implementations for SMTP Authentication (or SMTP AUTH). SMTP Authentication is an extension of the Simple Mail Transfer Protocol. When enabled, SMTP clients are required to authenticate to the SMTP server using an authentication method supported and accepted by both the server and the client. This section describes how to configure Postfix to make use of the Dovecot SASL implementation.

To install the Dovecot POP/IMAP server, and thus make the Dovecot SASL implementation available on your system, issue the following command as the root user:

yum install dovecot

~]# yum install dovecot

Copy to Clipboard

Toggle word wrap

The Postfix SMTP server can communicate with the Dovecot SASL implementation using either a UNIX-domain socket or a TCP socket. The latter method is only needed in case the Postfix and Dovecot applications are running on separate machines. This guide gives preference to the UNIX-domain socket method, which affords better privacy.

In order to instruct Postfix to use the Dovecot SASL implementation, a number of configuration changes need to be performed for both applications. Follow the procedures below to effect these changes.

Setting Up Dovecot

Modify the main Dovecot configuration file, /etc/dovecot/conf.d/10-master.conf, to include the following lines (the default configuration file already includes most of the relevant section, and the lines just need to be uncommented):
```
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
```
```
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
```
Copy to Clipboard Toggle word wrap
The above example assumes the use of UNIX-domain sockets for communication between Postfix and Dovecot. It also assumes default settings of the Postfix SMTP server, which include the mail queue located in the /var/spool/postfix/ directory, and the application running under the postfix user and group. In this way, read and write permissions are limited to the postfix user and group.
Alternatively, you can use the following configuration to set up Dovecot to listen for Postfix authentication requests via TCP:
```
service auth {
  inet_listener {
    port = 12345
  }
}
```
```
service auth {
  inet_listener {
    port = 12345
  }
}
```
Copy to Clipboard Toggle word wrap
In the above example, replace 12345 with the number of the port you want to use.
Edit the /etc/dovecot/conf.d/10-auth.conf configuration file to instruct Dovecot to provide the Postfix SMTP server with the plain and login authentication mechanisms:
```
auth_mechanisms = plain login
```
```
auth_mechanisms = plain login
```
Copy to Clipboard Toggle word wrap

Setting Up Postfix

In the case of Postfix, only the main configuration file, /etc/postfix/main.cf, needs to be modified. Add or edit the following configuration directives:

Enable SMTP Authentication in the Postfix SMTP server:
```
smtpd_sasl_auth_enable = yes
```
```
smtpd_sasl_auth_enable = yes
```
Copy to Clipboard Toggle word wrap
Instruct Postfix to use the Dovecot SASL implementation for SMTP Authentication:
```
smtpd_sasl_type = dovecot
```
```
smtpd_sasl_type = dovecot
```
Copy to Clipboard Toggle word wrap
Provide the authentication path relative to the Postfix queue directory (note that the use of a relative path ensures that the configuration works regardless of whether the Postfix server runs in a chroot or not):
```
smtpd_sasl_path = private/auth
```
```
smtpd_sasl_path = private/auth
```
Copy to Clipboard Toggle word wrap
This step assumes that you want to use UNIX-domain sockets for communication between Postfix and Dovecot. To configure Postfix to look for Dovecot on a different machine in case you use TCP sockets for communication, use configuration values similar to the following:
```
smtpd_sasl_path = inet:127.0.0.1:12345
```
```
smtpd_sasl_path = inet:127.0.0.1:12345
```
Copy to Clipboard Toggle word wrap
In the above example, 127.0.0.1 needs to be substituted by the IP address of the Dovecot machine and 12345 by the port specified in Dovecot's /etc/dovecot/conf.d/10-master.conf configuration file.
Specify SASL mechanisms that the Postfix SMTP server makes available to clients. Note that different mechanisms can be specified for encrypted and unencrypted sessions.
```
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
```
```
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
```
Copy to Clipboard Toggle word wrap
The above example specifies that during unencrypted sessions, no anonymous authentication is allowed and no mechanisms that transmit unencrypted usernames or passwords are allowed. For encrypted sessions (using TLS), only non-anonymous authentication mechanisms are allowed.
See http://www.postfix.org/SASL_README.html#smtpd_sasl_security_options for a list of all supported policies for limiting allowed SASL mechanisms.

Additional Resources

The following online resources provide additional information useful for configuring Postfix SMTP Authentication through SASL.

http://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL — Contains information on how to set up Postfix to use the Dovecot SASL implementation for SMTP Authentication.
http://www.postfix.org/SASL_README.html#server_sasl — Contains information on how to set up Postfix to use either the Dovecot or Cyrus SASL implementations for SMTP Authentication.

Volver arriba

2.2.7.5. Configuring Postfix to Use SASL

Setting Up Dovecot

Setting Up Postfix

Additional Resources

Aprender

Pruebe, compre y venda

Comunidades

Acerca de la documentación de Red Hat

Hacer que el código abierto sea más inclusivo

Acerca de Red Hat

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links